libxml2: fix CVE-2018-14404 CVE-2018-9251 CVE-2018-14567
This commit is contained in:
maxice8
Enno Boland
parent
550d5c18d5
commit
19047cf745
3 changed files with 110 additions and 3 deletions
55
srcpkgs/libxml2/patches/CVE-2018-14404.patch
Normal file
55
srcpkgs/libxml2/patches/CVE-2018-14404.patch
Normal file
|
|
@ -0,0 +1,55 @@
|
||||||
|
From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||||
|
Date: Mon, 30 Jul 2018 12:54:38 +0200
|
||||||
|
Subject: [PATCH] Fix nullptr deref with XPath logic ops
|
||||||
|
|
||||||
|
If the XPath stack is corrupted, for example by a misbehaving extension
|
||||||
|
function, the "and" and "or" XPath operators could dereference NULL
|
||||||
|
pointers. Check that the XPath stack isn't empty and optimize the
|
||||||
|
logic operators slightly.
|
||||||
|
|
||||||
|
Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
|
||||||
|
|
||||||
|
Also see
|
||||||
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
|
||||||
|
https://bugzilla.redhat.com/show_bug.cgi?id=1595985
|
||||||
|
|
||||||
|
This is CVE-2018-14404.
|
||||||
|
|
||||||
|
Thanks to Guy Inbar for the report.
|
||||||
|
---
|
||||||
|
xpath.c | 10 ++++------
|
||||||
|
1 file changed, 4 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/xpath.c b/xpath.c
|
||||||
|
index 3fae0bf4..5e3bb9ff 100644
|
||||||
|
--- a/xpath.c
|
||||||
|
+++ b/xpath.c
|
||||||
|
@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
|
||||||
|
return(0);
|
||||||
|
}
|
||||||
|
xmlXPathBooleanFunction(ctxt, 1);
|
||||||
|
- arg1 = valuePop(ctxt);
|
||||||
|
- arg1->boolval &= arg2->boolval;
|
||||||
|
- valuePush(ctxt, arg1);
|
||||||
|
+ if (ctxt->value != NULL)
|
||||||
|
+ ctxt->value->boolval &= arg2->boolval;
|
||||||
|
xmlXPathReleaseObject(ctxt->context, arg2);
|
||||||
|
return (total);
|
||||||
|
case XPATH_OP_OR:
|
||||||
|
@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
|
||||||
|
return(0);
|
||||||
|
}
|
||||||
|
xmlXPathBooleanFunction(ctxt, 1);
|
||||||
|
- arg1 = valuePop(ctxt);
|
||||||
|
- arg1->boolval |= arg2->boolval;
|
||||||
|
- valuePush(ctxt, arg1);
|
||||||
|
+ if (ctxt->value != NULL)
|
||||||
|
+ ctxt->value->boolval |= arg2->boolval;
|
||||||
|
xmlXPathReleaseObject(ctxt->context, arg2);
|
||||||
|
return (total);
|
||||||
|
case XPATH_OP_EQUAL:
|
||||||
|
--
|
||||||
|
2.18.0
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -0,0 +1,51 @@
|
||||||
|
From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
||||||
|
Date: Mon, 30 Jul 2018 13:14:11 +0200
|
||||||
|
Subject: [PATCH] Fix infinite loop in LZMA decompression
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Check the liblzma error code more thoroughly to avoid infinite loops.
|
||||||
|
|
||||||
|
Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
|
||||||
|
Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
|
||||||
|
|
||||||
|
This is CVE-2018-9251 and CVE-2018-14567.
|
||||||
|
|
||||||
|
Thanks to Dongliang Mu and Simon Wörner for the reports.
|
||||||
|
---
|
||||||
|
xzlib.c | 9 +++++++++
|
||||||
|
1 file changed, 9 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/xzlib.c b/xzlib.c
|
||||||
|
index a839169e..0ba88cfa 100644
|
||||||
|
--- a/xzlib.c
|
||||||
|
+++ b/xzlib.c
|
||||||
|
@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
|
||||||
|
"internal error: inflate stream corrupt");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
+ /*
|
||||||
|
+ * FIXME: Remapping a couple of error codes and falling through
|
||||||
|
+ * to the LZMA error handling looks fragile.
|
||||||
|
+ */
|
||||||
|
if (ret == Z_MEM_ERROR)
|
||||||
|
ret = LZMA_MEM_ERROR;
|
||||||
|
if (ret == Z_DATA_ERROR)
|
||||||
|
@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
|
||||||
|
xz_error(state, LZMA_PROG_ERROR, "compression error");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
+ if ((state->how != GZIP) &&
|
||||||
|
+ (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
|
||||||
|
+ xz_error(state, ret, "lzma error");
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
} while (strm->avail_out && ret != LZMA_STREAM_END);
|
||||||
|
|
||||||
|
/* update available output and crc check value */
|
||||||
|
--
|
||||||
|
2.18.0
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -1,7 +1,8 @@
|
||||||
# Template build file for 'libxml2'.
|
# Template file for 'libxml2'
|
||||||
pkgname=libxml2
|
pkgname=libxml2
|
||||||
version=2.9.8
|
version=2.9.8
|
||||||
revision=3
|
revision=4
|
||||||
|
patch_args="-Np1"
|
||||||
build_style=gnu-configure
|
build_style=gnu-configure
|
||||||
configure_args="--disable-static --with-threads --with-history --with-icu"
|
configure_args="--disable-static --with-threads --with-history --with-icu"
|
||||||
hostmakedepends="automake libtool gettext-devel pkg-config python-devel"
|
hostmakedepends="automake libtool gettext-devel pkg-config python-devel"
|
||||||
|
|
@ -11,7 +12,7 @@ short_desc="Library providing XML and HTML support"
|
||||||
maintainer="Juan RP <xtraeme@voidlinux.eu>"
|
maintainer="Juan RP <xtraeme@voidlinux.eu>"
|
||||||
homepage="http://www.xmlsoft.org/"
|
homepage="http://www.xmlsoft.org/"
|
||||||
license="MIT"
|
license="MIT"
|
||||||
distfiles="http://xmlsoft.org/sources/$pkgname-$version.tar.gz"
|
distfiles="http://xmlsoft.org/sources/${pkgname}-${version}.tar.gz"
|
||||||
checksum=0b74e51595654f958148759cfef0993114ddccccbb6f31aee018f3558e8e2732
|
checksum=0b74e51595654f958148759cfef0993114ddccccbb6f31aee018f3558e8e2732
|
||||||
|
|
||||||
LDFLAGS="-lz -llzma -lpthread"
|
LDFLAGS="-lz -llzma -lpthread"
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue