Browse Source

Merge pull request #6839 from neheb/xml2

libxml2: Fix CVE-2018-14404
lilik-openwrt-22.03
Michael Heimpold 6 years ago
committed by GitHub
parent
commit
8d059948be
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 55 additions and 1 deletions
  1. +1
    -1
      libs/libxml2/Makefile
  2. +54
    -0
      libs/libxml2/patches/010-CVE-2018-14404.patch
  3. +0
    -0
      libs/libxml2/patches/020-CVE-2018-9251.patch

+ 1
- 1
libs/libxml2/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=libxml2
PKG_VERSION:=2.9.8
PKG_RELEASE:=2
PKG_RELEASE:=3
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://xmlsoft.org/sources/


+ 54
- 0
libs/libxml2/patches/010-CVE-2018-14404.patch View File

@ -0,0 +1,54 @@
From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 30 Jul 2018 12:54:38 +0200
Subject: [PATCH 12/13] Fix nullptr deref with XPath logic ops
If the XPath stack is corrupted, for example by a misbehaving extension
function, the "and" and "or" XPath operators could dereference NULL
pointers. Check that the XPath stack isn't empty and optimize the
logic operators slightly.
Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
Also see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
https://bugzilla.redhat.com/show_bug.cgi?id=1595985
This is CVE-2018-14404.
Thanks to Guy Inbar for the report.
---
xpath.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/xpath.c b/xpath.c
index 3fae0bf4..5e3bb9ff 100644
--- a/xpath.c
+++ b/xpath.c
@@ -13297,9 +13297,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
return(0);
}
xmlXPathBooleanFunction(ctxt, 1);
- arg1 = valuePop(ctxt);
- arg1->boolval &= arg2->boolval;
- valuePush(ctxt, arg1);
+ if (ctxt->value != NULL)
+ ctxt->value->boolval &= arg2->boolval;
xmlXPathReleaseObject(ctxt->context, arg2);
return (total);
case XPATH_OP_OR:
@@ -13323,9 +13322,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
return(0);
}
xmlXPathBooleanFunction(ctxt, 1);
- arg1 = valuePop(ctxt);
- arg1->boolval |= arg2->boolval;
- valuePush(ctxt, arg1);
+ if (ctxt->value != NULL)
+ ctxt->value->boolval |= arg2->boolval;
xmlXPathReleaseObject(ctxt->context, arg2);
return (total);
case XPATH_OP_EQUAL:
--
2.18.0

libs/libxml2/patches/010-CVE-2018-9251.patch → libs/libxml2/patches/020-CVE-2018-9251.patch View File


Loading…
Cancel
Save