author | Xiaoyong Zhou <xzhou@google.com> | 2018-12-04 14:53:14 -0800 |
---|---|---|
committer | Mike Frysinger <vapier@gentoo.org> | 2019-01-03 06:21:46 -0500 |
commit | 3e81bfb6899b407dba3dca6aa76f4cd2a30d6dd7 (patch) | |
tree | 42831e04aa61a15d6594971fccda35ba25524ea8 /dev-libs | |
parent | dev-libs/libxml2: fix CVE-2018-14567 (diff) | |
dev-libs/libxml2: fix CVE-2018-14404
Signed-off-by: Xiaoyong Zhou <xzhou@google.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Diffstat (limited to 'dev-libs')
-rw-r--r-- | dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14404.patch | 54 | ||||
-rw-r--r-- | dev-libs/libxml2/libxml2-2.9.8-r1.ebuild | 4 |
2 files changed, 58 insertions, 0 deletions
diff --git a/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14404.patch b/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14404.patch
new file mode 100644
index 000000000000..59bfc0fa9b88
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14404.patch
@@ -0,0 +1,54 @@
+From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 12:54:38 +0200
+Subject: [PATCH] Fix nullptr deref with XPath logic ops
+
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
+
+Also see
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+
+This is CVE-2018-14404.
+
+Thanks to Guy Inbar for the report.
+---
+ xpath.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 3fae0bf4e0a0..5e3bb9ff6401 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval &= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval &= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_OR:
+@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval |= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval |= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_EQUAL:
+-- 
+2.19.1
+
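Review bot: The new `if (ctxt->value != NULL)` guard in the `XPATH_OP_AND` hunk of the embedded xpath.c patch (and identically in the `XPATH_OP_OR` hunk) skips the boolean combine on an empty stack but still falls through to `return (total);`, so a corrupted stack is tolerated silently unless an earlier call has already set `ctxt->error`. `xmlXPathBooleanFunction` presumably does that, but it is not visible here; if it does not, an explicit `else xmlXPathErr(ctxt, XPATH_STACK_ERROR);` would surface the failure to callers. `arg2->boolval` is still dereferenced without a check, and `arg2` is assigned outside both hunks, so confirm it cannot be NULL on this path. A short comment such as `/* stack may be empty if an extension function misbehaved */` above each guard would keep the reason next to the code.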
diff --git a/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild b/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild
index 43da94cafedf..86521ab289ae 100644
--- a/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild
+++ b/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild
@@ -92,6 +92,10 @@ src_prepare() {
 # https://bugzilla.gnome.org/show_bug.cgi?id=794914
 eapply "${FILESDIR}"/${PN}-2.9.8-CVE-2018-14567.patch
 
+ # CVE-2018-14404
+ # https://gitlab.gnome.org/GNOME/libxml2/issues/5
+ eapply "${FILESDIR}"/${PN}-2.9.8-CVE-2018-14404.patch
+
 if [[ ${CHOST} == *-darwin* ]] ; then
 # Avoid final linking arguments for python modules
 sed -i -e '/PYTHON_LIBS/s/ldflags/libs/' configure.ac || die |
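Review bot: The `eapply` for the CVE-2018-14404 patch is added to the existing `libxml2-2.9.8-r1.ebuild` rather than to a new revision, so hosts that already have 2.9.8-r1 installed will not be rebuilt and keep the unpatched NULL dereference. Unless -r1 had not yet reached users (not determinable from this page), the security fix should ship as a revision bump (e.g. -r2) so the package manager picks it up. src_prepare() starts and ends outside the hunk.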