git.99rst.org / openwrt-packages.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side (parent: 1b485ef)
libxml2: Fix CVE-2018-14404
authorRosen Penev <redacted>
Tue, 21 Aug 2018 20:57:28 +0000 (13:57 -0700)
committerRosen Penev <redacted>
Tue, 21 Aug 2018 20:59:56 +0000 (13:59 -0700)
Embarrasingly, I missed this one last time.

Signed-off-by: Rosen Penev <redacted>
libs/libxml2/Makefile patch | blob | history
libs/libxml2/patches/010-CVE-2018-14404.patch [new file with mode: 0644] patch | blob
libs/libxml2/patches/020-CVE-2018-9251.patch [moved from libs/libxml2/patches/010-CVE-2018-9251.patch with 100% similarity] patch | blob | history

diff --git a/libs/libxml2/Makefile b/libs/libxml2/Makefile
index 96c3235ad97a57e2ef762ff7f924b3e94739cc96..345dec0aab16a5d525125b464b81bb64e9492935 100644 (file)
--- a/libs/libxml2/Makefile
+++ b/libs/libxml2/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=libxml2
 PKG_VERSION:=2.9.8
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://xmlsoft.org/sources/
diff --git a/libs/libxml2/patches/010-CVE-2018-14404.patch b/libs/libxml2/patches/010-CVE-2018-14404.patch
new file mode 100644 (file)
index 0000000..a8bcdaf
--- /dev/null
+++ b/libs/libxml2/patches/010-CVE-2018-14404.patch
@@ -0,0 +1,54 @@
+From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 12:54:38 +0200
+Subject: [PATCH 12/13] Fix nullptr deref with XPath logic ops
+
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
+
+Also see
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+
+This is CVE-2018-14404.
+
+Thanks to Guy Inbar for the report.
+---
+ xpath.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 3fae0bf4..5e3bb9ff 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13297,9 +13297,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+               return(0);
+           }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval &= arg2->boolval;
+-            valuePush(ctxt, arg1);
++            if (ctxt->value != NULL)
++                ctxt->value->boolval &= arg2->boolval;
+           xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_OR:
+@@ -13323,9 +13322,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+               return(0);
+           }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval |= arg2->boolval;
+-            valuePush(ctxt, arg1);
++            if (ctxt->value != NULL)
++                ctxt->value->boolval |= arg2->boolval;
+           xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_EQUAL:
+-- 
+2.18.0
+
git clone https://git.99rst.org/PROJECT