Package: libxml2
Version: 2.9.4+dfsg1-5.1
Severity: normal
Tags: patch pending

Dear maintainer,

I've prepared an NMU for libxml2 (versioned as 2.9.4+dfsg1-5.2). The diff is attached to this message.

The package is already uploaded; if you agree/acknowledge the NMU, it would be great if you can import the changes into the packaging repository.

Regards,
Salvatore

diff -Nru libxml2-2.9.4+dfsg1/debian/changelog libxml2-2.9.4+dfsg1/debian/changelog --- libxml2-2.9.4+dfsg1/debian/changelog 2017-11-18 16:39:04.000000000 +0100 +++ libxml2-2.9.4+dfsg1/debian/changelog 2017-12-14 20:36:07.000000000 +0100 @@ -1,3 +1,10 @@ +libxml2 (2.9.4+dfsg1-5.2) unstable; urgency=medium + + * Non-maintainer upload. + * Fix XPath stack frame logic (CVE-2017-15412) (Closes: #883790) + + -- Salvatore Bonaccorso <car...@debian.org> Thu, 14 Dec 2017 20:36:07 +0100 + libxml2 (2.9.4+dfsg1-5.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru libxml2-2.9.4+dfsg1/debian/patches/0018-Fix-XPath-stack-frame-logic.patch libxml2-2.9.4+dfsg1/debian/patches/0018-Fix-XPath-stack-frame-logic.patch --- libxml2-2.9.4+dfsg1/debian/patches/0018-Fix-XPath-stack-frame-logic.patch 1970-01-01 01:00:00.000000000 +0100 +++ libxml2-2.9.4+dfsg1/debian/patches/0018-Fix-XPath-stack-frame-logic.patch 2017-12-14 20:36:07.000000000 +0100 
@@ -0,0 +1,39 @@ +From: Nick Wellnhofer <wellnho...@aevum.de> +Date: Thu, 1 Jun 2017 23:12:19 +0200 +Subject: Fix XPath stack frame logic +Origin: https://git.gnome.org/browse/libxml2/commit/?id=0f3b843b3534784ef57a4f9b874238aa1fda5a73 +Bug: https://bugzilla.gnome.org/show_bug.cgi?id=783160 +Bug-Debian: https://bugs.debian.org/883790 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15412 + +Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in +xmlXPathCompOpEvalPositionalPredicate to make sure that the context +object on the stack is actually protected. Otherwise, memory corruption +can occur when calling sloppily coded XPath extension functions. + +Fixes bug 783160. +--- + xpath.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xpath.c b/xpath.c +index 94815075..b816bd36 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -11932,11 +11932,11 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, + } + } + +- frame = xmlXPathSetFrame(ctxt); + valuePush(ctxt, contextObj); ++ frame = xmlXPathSetFrame(ctxt); + res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1); +- tmp = valuePop(ctxt); + xmlXPathPopFrame(ctxt, frame); ++ tmp = valuePop(ctxt); + + if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) { + while (tmp != contextObj) { +-- +2.15.1 + diff -Nru libxml2-2.9.4+dfsg1/debian/patches/series libxml2-2.9.4+dfsg1/debian/patches/series --- libxml2-2.9.4+dfsg1/debian/patches/series 2017-11-18 16:39:04.000000000 +0100 +++ libxml2-2.9.4+dfsg1/debian/patches/series 2017-12-14 20:36:07.000000000 +0100 @@ -15,3 +15,4 @@ 0015-Check-for-integer-overflow-in-memory-debug-code.patch 0016-Fix-copy-paste-errors-in-error-messages.patch 0017-python-remove-single-use-of-_PyVerify_fd.patch +0018-Fix-XPath-stack-frame-logic.patch
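
Review bot: In the debian/changelog hunk, the new 2.9.4+dfsg1-5.2 entry uses `urgency=medium` even though its only change is a CVE fix (CVE-2017-15412) that the patch description ties to memory corruption. Consider `urgency=high` so the fix migrates faster. The entry could also name the added patch file, 0018-Fix-XPath-stack-frame-logic.patch, so the changelog line can be matched to debian/patches/series without opening the diff.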
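
Review bot: In the xpath.c hunk carried by 0018-Fix-XPath-stack-frame-logic.patch, the reordered calls in xmlXPathCompOpEvalPositionalPredicate have no code comment, yet the fix depends entirely on their order: `valuePush(ctxt, contextObj);` has to precede `frame = xmlXPathSetFrame(ctxt);`, and `xmlXPathPopFrame(ctxt, frame);` has to precede `tmp = valuePop(ctxt);`. A one-line comment above the push, saying that contextObj must sit below the frame so the evaluated expression cannot pop it, would keep a later cleanup from swapping the lines back. The cleanup loop `while (tmp != contextObj)` that follows also relies on contextObj still being on the stack, which is worth stating in the same comment. The diffstat lists xpath.c as the only file changed, so no regression test accompanies the fix; a test that evaluates a positional predicate through an extension function would be worth proposing upstream.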