From b7870ea71125311c24095a7bfd9be717b563ef7b Mon Sep 17 00:00:00 2001
From: Rosen Penev
Date: Tue, 21 Aug 2018 13:57:28 -0700
Subject: [PATCH] libxml2: Fix CVE-2018-14404

Embarrasingly, I missed this one last time.

Signed-off-by: Rosen Penev
---
 libs/libxml2/Makefile | 2 +-
 libs/libxml2/patches/010-CVE-2018-14404.patch | 54 +++++++++++++++++++
 ...018-9251.patch => 020-CVE-2018-9251.patch} | 0
 3 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 libs/libxml2/patches/010-CVE-2018-14404.patch
 rename libs/libxml2/patches/{010-CVE-2018-9251.patch => 020-CVE-2018-9251.patch} (100%)

diff --git a/libs/libxml2/Makefile b/libs/libxml2/Makefile
index 96c3235ad..345dec0aa 100644
--- a/libs/libxml2/Makefile
+++ b/libs/libxml2/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libxml2
 PKG_VERSION:=2.9.8
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://xmlsoft.org/sources/
diff --git a/libs/libxml2/patches/010-CVE-2018-14404.patch b/libs/libxml2/patches/010-CVE-2018-14404.patch
new file mode 100644
index 000000000..a8bcdaf46
--- /dev/null
+++ b/libs/libxml2/patches/010-CVE-2018-14404.patch
@@ -0,0 +1,54 @@
+From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Mon, 30 Jul 2018 12:54:38 +0200
+Subject: [PATCH 12/13] Fix nullptr deref with XPath logic ops
+
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
+
+Also see
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+
+This is CVE-2018-14404.
+
+Thanks to Guy Inbar for the report.
+---
+ xpath.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 3fae0bf4..5e3bb9ff 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13297,9 +13297,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval &= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval &= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_OR:
+@@ -13323,9 +13322,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval |= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval |= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_EQUAL:
+-- 
+2.18.0
+
diff --git a/libs/libxml2/patches/010-CVE-2018-9251.patch b/libs/libxml2/patches/020-CVE-2018-9251.patch
similarity index 100%
rename from libs/libxml2/patches/010-CVE-2018-9251.patch
rename to libs/libxml2/patches/020-CVE-2018-9251.patch
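Review bot: In both new `if (ctxt->value != NULL)` guards (the XPATH_OP_AND hunk here and the XPATH_OP_OR hunk that follows) an empty or corrupted stack is handled as success: the update is skipped, arg2 is released and the function still reaches `return (total);`, while the `if (ctxt->error) ... return(0); }` block visible three lines above returns 0 for the comparable failure in the same operator. The NULL presumably originates in xmlXPathBooleanFunction when it finds nothing to pop, and that call is expected to set ctxt->error so the caller still observes the fault — but that is outside the hunk and worth confirming against the 2.9.8 tree this is backported to, since the guard itself signals nothing. If it does not, `if (ctxt->value == NULL) return(0);` in place of the silent skip would keep the two error paths consistent without reintroducing the dereference. The enclosing switch in xmlXPathCompOpEval starts and ends outside the hunk, and the nested patch is upstream a436374 applied verbatim, so any local deviation should be noted in the patch header rather than made silently.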