From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 74B34138334
	for ; Thu, 3 Jan 2019 11:22:10 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 4D94CE09CE;
	Thu, 3 Jan 2019 11:22:09 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 1C441E09CE
	for ; Thu, 3 Jan 2019 11:22:08 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 98151335D0D
	for ; Thu, 3 Jan 2019 11:22:07 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 56BE0505
	for ; Thu, 3 Jan 2019 11:22:05 +0000 (UTC)
From: "Mike Frysinger"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Mike Frysinger"
Message-ID: <1546514506.3e81bfb6899b407dba3dca6aa76f4cd2a30d6dd7.vapier@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-libs/libxml2/, dev-libs/libxml2/files/
X-VCS-Repository: repo/gentoo
X-VCS-Files: dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14404.patch dev-libs/libxml2/libxml2-2.9.8-r1.ebuild
X-VCS-Directories: dev-libs/libxml2/files/ dev-libs/libxml2/
X-VCS-Committer: vapier
X-VCS-Committer-Name: Mike Frysinger
X-VCS-Revision: 3e81bfb6899b407dba3dca6aa76f4cd2a30d6dd7
X-VCS-Branch: master
Date: Thu, 3 Jan 2019 11:22:05 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 6851bd51-4834-428e-b64c-0411597e58d9
X-Archives-Hash: 52e0217e5ceca2ba8dc9a069f328f287

commit:     3e81bfb6899b407dba3dca6aa76f4cd2a30d6dd7
Author:     Xiaoyong Zhou google com>
AuthorDate: Tue Dec  4 22:53:14 2018 +0000
Commit:     Mike Frysinger gentoo org>
CommitDate: Thu Jan  3 11:21:46 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e81bfb6

dev-libs/libxml2: fix CVE-2018-14404

Signed-off-by: Xiaoyong Zhou google.com>
Signed-off-by: Mike Frysinger gentoo.org>

 .../files/libxml2-2.9.8-CVE-2018-14404.patch | 54 ++++++++++++++++++++++
 dev-libs/libxml2/libxml2-2.9.8-r1.ebuild     |  4 ++
 2 files changed, 58 insertions(+)

diff --git a/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14404.patch b/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14404.patch
new file mode 100644
index 00000000000..59bfc0fa9b8
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14404.patch
@@ -0,0 +1,54 @@ +From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 30 Jul 2018 12:54:38 +0200 +Subject: [PATCH] Fix nullptr deref with XPath logic ops + +If the XPath stack is corrupted, for example by a misbehaving extension +function, the "and" and "or" XPath operators could dereference NULL +pointers. Check that the XPath stack isn't empty and optimize the +logic operators slightly. + +Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5 + +Also see +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817 +https://bugzilla.redhat.com/show_bug.cgi?id=1595985 + +This is CVE-2018-14404. + +Thanks to Guy Inbar for the report. +--- + xpath.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/xpath.c b/xpath.c +index 3fae0bf4e0a0..5e3bb9ff6401 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + return(0); + } + xmlXPathBooleanFunction(ctxt, 1); +- arg1 = valuePop(ctxt); +- arg1->boolval &= arg2->boolval; +- valuePush(ctxt, arg1); ++ if (ctxt->value != NULL) ++ ctxt->value->boolval &= arg2->boolval; + xmlXPathReleaseObject(ctxt->context, arg2); + return (total); + case XPATH_OP_OR: +@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + return(0); + } + xmlXPathBooleanFunction(ctxt, 1); +- arg1 = valuePop(ctxt); +- arg1->boolval |= arg2->boolval; +- valuePush(ctxt, arg1); ++ if (ctxt->value != NULL) ++ ctxt->value->boolval |= arg2->boolval; + xmlXPathReleaseObject(ctxt->context, arg2); + return (total); + case XPATH_OP_EQUAL: +-- +2.19.1 + diff --git a/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild b/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild index 43da94cafed..86521ab289a 100644 --- a/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild +++ b/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild 
@@ -92,6 +92,10 @@ src_prepare() { # https://bugzilla.gnome.org/show_bug.cgi?id=794914 eapply "${FILESDIR}"/${PN}-2.9.8-CVE-2018-14567.patch + # CVE-2018-14404 + # https://gitlab.gnome.org/GNOME/libxml2/issues/5 + eapply "${FILESDIR}"/${PN}-2.9.8-CVE-2018-14404.patch + if [[ ${CHOST} == *-darwin* ]] ; then # Avoid final linking arguments for python modules sed -i -e '/PYTHON_LIBS/s/ldflags/libs/' configure.ac || die
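Review bot: in the two xpath.c hunks carried by the new patch file, the replacement guard `if (ctxt->value != NULL)` lets an empty XPath stack fall straight through to `xmlXPathReleaseObject(ctxt->context, arg2); return (total);` without raising an XPath error, so the corrupted-stack condition the embedded commit message describes is now tolerated silently rather than reported. That is exactly the behaviour of upstream commit a436374994c47b12d5de1b8b1d191a098fa23594 named in the file's From line, so the file should stay a verbatim backport; the point is worth recording for triage, since an affected input now produces a quietly computed boolean instead of a crash. On the normal path nothing changes: writing `ctxt->value->boolval &= arg2->boolval` (and `|=` in the XPATH_OP_OR case) in place is equivalent to the removed `arg1 = valuePop(ctxt); ... valuePush(ctxt, arg1);` pair whenever the stack is non-empty.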
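Review bot: the new `eapply "${FILESDIR}"/${PN}-2.9.8-CVE-2018-14404.patch` is added to the existing libxml2-2.9.8-r1.ebuild in place (index 43da94cafed..86521ab289a, 4 insertions) rather than in a new revision, so systems that already have 2.9.8-r1 installed will not be rebuilt with the CVE-2018-14404 fix and will only pick it up on their next unrelated rebuild; suggest bumping to libxml2-2.9.8-r2.ebuild so the fix propagates, or stating in the commit message why a rebuild is not needed. The two-line `# CVE-2018-14404` / `# https://gitlab.gnome.org/GNOME/libxml2/issues/5` comment matches the style of the preceding CVE-2018-14567 entry, which is fine.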