commit: 3e81bfb6899b407dba3dca6aa76f4cd2a30d6dd7 Author: Xiaoyong Zhou <xzhou <AT> google <DOT> com> AuthorDate: Tue Dec 4 22:53:14 2018 +0000 Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org> CommitDate: Thu Jan 3 11:21:46 2019 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3e81bfb6
dev-libs/libxml2: fix CVE-2018-14404
Signed-off-by: Xiaoyong Zhou <xzhou <AT> google.com>
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org>
.../files/libxml2-2.9.8-CVE-2018-14404.patch | 54 ++++++++++++++++++++++
dev-libs/libxml2/libxml2-2.9.8-r1.ebuild | 4 ++
2 files changed, 58 insertions(+)
diff --git a/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14404.patch b/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14404.patch
new file mode 100644
index 00000000000..59bfc0fa9b8
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14404.patch
@@ -0,0 +1,54 @@
+From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <[email protected]>
+Date: Mon, 30 Jul 2018 12:54:38 +0200
+Subject: [PATCH] Fix nullptr deref with XPath logic ops
+
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
+
+Also see
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+
+This is CVE-2018-14404.
+
+Thanks to Guy Inbar for the report.
+---
+ xpath.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 3fae0bf4e0a0..5e3bb9ff6401 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval &= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval &= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_OR:
+@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval |= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval |= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_EQUAL:
+--
+2.19.1
+
diff --git a/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild b/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild
index 43da94cafed..86521ab289a 100644
--- a/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild
+++ b/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild
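Review bot: The new `if (ctxt->value != NULL)` guards in the XPATH_OP_AND and XPATH_OP_OR cases stop the NULL dereference, but when the stack really is empty after `xmlXPathBooleanFunction(ctxt, 1)` they silently drop the operator's result and the case still falls through to `return (total)` as if evaluation had succeeded. Unless xmlXPathBooleanFunction already records an error for that case (its body is outside this hunk, so it cannot be confirmed here), the corrupted stack the commit message describes goes undiagnosed and evaluation continues on garbage; a reviewer would want the failure made explicit, e.g. `if (ctxt->value == NULL) xmlXPathErr(ctxt, XPATH_STACK_ERROR); else ctxt->value->boolval &= arg2->boolval;` (presumably XPATH_STACK_ERROR is the right code, as it is what xpath.c uses for stack underflow elsewhere), keeping the `xmlXPathReleaseObject(ctxt->context, arg2);` call on both paths so arg2 is not leaked. A short comment on the guard, `/* stack may be short if an extension function misbehaved; never deref NULL */`, would also record why the check exists. xmlXPathCompOpEval starts and ends outside the hunk.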
@@ -92,6 +92,10 @@ src_prepare() {
 # https://bugzilla.gnome.org/show_bug.cgi?id=794914
 eapply "${FILESDIR}"/${PN}-2.9.8-CVE-2018-14567.patch
+ # CVE-2018-14404
+ # https://gitlab.gnome.org/GNOME/libxml2/issues/5
+ eapply "${FILESDIR}"/${PN}-2.9.8-CVE-2018-14404.patch
+
 if [[ ${CHOST} == *-darwin* ]] ; then
 # Avoid final linking arguments for python modules
 sed -i -e '/PYTHON_LIBS/s/ldflags/libs/' configure.ac || die
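Review bot: The security patch is added to `libxml2-2.9.8-r1.ebuild` in place, as the diffstat shows, with no revision bump; systems that already have 2.9.8-r1 installed will see no version change and will not rebuild on update, so they keep the vulnerable xpath.c and the CVE fix does not reach them. The ebuild should be moved to `libxml2-2.9.8-r2.ebuild` (with the Manifest/metadata that entails) so package managers pick the fix up. The comment above the new `eapply` cites only the GitLab issue; adding the upstream commit id, `# upstream commit a436374994c47b12d5de1b8b1d191a098fa23594`, lets a later maintainer verify the backport against upstream without opening the patch file. src_prepare() continues outside the hunk.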
