commit: 2acfef7fc1cc4d4ccff0783c4b4fc38dfc989226 Author: Micah Morton <mortonm <AT> chromium <DOT> org> AuthorDate: Fri Oct 19 18:01:18 2018 +0000 Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org> CommitDate: Thu Jan 3 11:21:44 2019 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2acfef7f
dev-libs/libxml2: fix CVE-2018-14567 Signed-off-by: Micah Morton <mortonm <AT> chromium.org> Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org> .../files/libxml2-2.9.8-CVE-2018-14567.patch | 50 ++++++++++++++++++++++ dev-libs/libxml2/libxml2-2.9.8-r1.ebuild | 4 ++ 2 files changed, 54 insertions(+) diff --git a/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14567.patch b/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14567.patch new file mode 100644 index 00000000000..0d289352d2f --- /dev/null +++ b/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14567.patch @@ -0,0 +1,50 @@ +From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <[email protected]> +Date: Mon, 30 Jul 2018 13:14:11 +0200 +Subject: [PATCH] Fix infinite loop in LZMA decompression +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Check the liblzma error code more thoroughly to avoid infinite loops. + +Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13 +Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914 + +This is CVE-2018-9251 and CVE-2018-14567. + +Thanks to Dongliang Mu and Simon Wörner for the reports. +--- + xzlib.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/xzlib.c b/xzlib.c +index a839169ef2ec..0ba88cfa849d 100644 +--- a/xzlib.c ++++ b/xzlib.c +@@ -562,6 +562,10 @@ xz_decomp(xz_statep state) + "internal error: inflate stream corrupt"); + return -1; + } ++ /* ++ * FIXME: Remapping a couple of error codes and falling through ++ * to the LZMA error handling looks fragile. ++ */ + if (ret == Z_MEM_ERROR) + ret = LZMA_MEM_ERROR; + if (ret == Z_DATA_ERROR) +@@ -587,6 +591,11 @@ xz_decomp(xz_statep state) + xz_error(state, LZMA_PROG_ERROR, "compression error"); + return -1; + } ++ if ((state->how != GZIP) && ++ (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) { ++ xz_error(state, ret, "lzma error"); ++ return -1; ++ } + } while (strm->avail_out && ret != LZMA_STREAM_END); + + /* update available output and crc check value */ +-- +2.19.1 + diff --git a/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild b/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild index 1a798958bcb..43da94cafed 100644 --- a/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild +++ b/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild @@ -88,6 +88,10 @@ src_prepare() { # https://bugzilla.gnome.org/show_bug.cgi?id=775200 eapply "${FILESDIR}"/${PN}-2.9.8-CVE-2017-8872.patch + # CVE-2018-14567 + # https://bugzilla.gnome.org/show_bug.cgi?id=794914 + eapply "${FILESDIR}"/${PN}-2.9.8-CVE-2018-14567.patch + if [[ ${CHOST} == *-darwin* ]] ; then # Avoid final linking arguments for python modules sed -i -e '/PYTHON_LIBS/s/ldflags/libs/' configure.ac || die
