From 19047cf7457c49ef09b3ec2207b6007ecc6e8cac Mon Sep 17 00:00:00 2001
From: maxice8 <thinkabit.ukim@gmail.com>
Date: Mon, 1 Oct 2018 23:45:07 -0300
Subject: [PATCH] libxml2: fix CVE-2018-14404 CVE-2018-9251 CVE-2018-14567

---
 srcpkgs/libxml2/patches/CVE-2018-14404.patch  | 55 +++++++++++++++++++
 ...-infinite-loop-in-lzma-decompression.patch | 51 +++++++++++++++++
 srcpkgs/libxml2/template                      |  7 ++-
 3 files changed, 110 insertions(+), 3 deletions(-)
 create mode 100644 srcpkgs/libxml2/patches/CVE-2018-14404.patch
 create mode 100644 srcpkgs/libxml2/patches/fix-infinite-loop-in-lzma-decompression.patch

diff --git a/srcpkgs/libxml2/patches/CVE-2018-14404.patch b/srcpkgs/libxml2/patches/CVE-2018-14404.patch
new file mode 100644
index 00000000000..8db0578728b
--- /dev/null
+++ b/srcpkgs/libxml2/patches/CVE-2018-14404.patch
@@ -0,0 +1,55 @@
+From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 12:54:38 +0200
+Subject: [PATCH] Fix nullptr deref with XPath logic ops
+
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
+
+Also see
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+
+This is CVE-2018-14404.
+
+Thanks to Guy Inbar for the report.
+---
+ xpath.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 3fae0bf4..5e3bb9ff 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ 		return(0);
+ 	    }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval &= arg2->boolval;
+-            valuePush(ctxt, arg1);
++            if (ctxt->value != NULL)
++                ctxt->value->boolval &= arg2->boolval;
+ 	    xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_OR:
+@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ 		return(0);
+ 	    }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval |= arg2->boolval;
+-            valuePush(ctxt, arg1);
++            if (ctxt->value != NULL)
++                ctxt->value->boolval |= arg2->boolval;
+ 	    xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_EQUAL:
+-- 
+2.18.0
+
+
diff --git a/srcpkgs/libxml2/patches/fix-infinite-loop-in-lzma-decompression.patch b/srcpkgs/libxml2/patches/fix-infinite-loop-in-lzma-decompression.patch
new file mode 100644
index 00000000000..69830ccfc4e
--- /dev/null
+++ b/srcpkgs/libxml2/patches/fix-infinite-loop-in-lzma-decompression.patch
@@ -0,0 +1,51 @@
+From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 13:14:11 +0200
+Subject: [PATCH] Fix infinite loop in LZMA decompression
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Check the liblzma error code more thoroughly to avoid infinite loops.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
+Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
+
+This is CVE-2018-9251 and CVE-2018-14567.
+
+Thanks to Dongliang Mu and Simon Wörner for the reports.
+---
+ xzlib.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index a839169e..0ba88cfa 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
+                          "internal error: inflate stream corrupt");
+                 return -1;
+             }
++            /*
++             * FIXME: Remapping a couple of error codes and falling through
++             * to the LZMA error handling looks fragile.
++             */
+             if (ret == Z_MEM_ERROR)
+                 ret = LZMA_MEM_ERROR;
+             if (ret == Z_DATA_ERROR)
+@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
+             xz_error(state, LZMA_PROG_ERROR, "compression error");
+             return -1;
+         }
++        if ((state->how != GZIP) &&
++            (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
++            xz_error(state, ret, "lzma error");
++            return -1;
++        }
+     } while (strm->avail_out && ret != LZMA_STREAM_END);
+ 
+     /* update available output and crc check value */
+-- 
+2.18.0
+
+
diff --git a/srcpkgs/libxml2/template b/srcpkgs/libxml2/template
index b77de76d1fe..82a2b9ada26 100644
--- a/srcpkgs/libxml2/template
+++ b/srcpkgs/libxml2/template
@@ -1,7 +1,8 @@
-# Template build file for 'libxml2'.
+# Template file for 'libxml2'
 pkgname=libxml2
 version=2.9.8
-revision=3
+revision=4
+patch_args="-Np1"
 build_style=gnu-configure
 configure_args="--disable-static --with-threads --with-history --with-icu"
 hostmakedepends="automake libtool gettext-devel pkg-config python-devel"
@@ -11,7 +12,7 @@ short_desc="Library providing XML and HTML support"
 maintainer="Juan RP <xtraeme@voidlinux.eu>"
 homepage="http://www.xmlsoft.org/"
 license="MIT"
-distfiles="http://xmlsoft.org/sources/$pkgname-$version.tar.gz"
+distfiles="http://xmlsoft.org/sources/${pkgname}-${version}.tar.gz"
 checksum=0b74e51595654f958148759cfef0993114ddccccbb6f31aee018f3558e8e2732
 
 LDFLAGS="-lz -llzma -lpthread"