Commit 0434d7dc authored by Natanael Copa's avatar Natanael Copa

main/libxml2: backport security fixes

- CVE-2018-9251
- CVE-2018-14404
- CVE-2018-14567

fixes #9566
parent dbce9a65
......@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=libxml2
pkgver=2.9.8
pkgrel=0
pkgrel=1
pkgdesc="XML parsing library, version 2"
url="http://www.xmlsoft.org/"
arch="all"
......@@ -13,16 +13,25 @@ makedepends="$depends_dev python2-dev python3-dev"
subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev $pkgname-utils
py-$pkgname:_py py2-$pkgname:_py py3-$pkgname:_py"
options="!strip"
source="http://xmlsoft.org/sources/$pkgname-$pkgver.tar.gz"
source="http://xmlsoft.org/sources/$pkgname-$pkgver.tar.gz
CVE-2018-9251-CVE-2018-14567.patch
CVE-2018-14404.patch
"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
# 2.9.4-r1:
# - CVE-2016-5131
# 2.9.4-r2:
# - CVE-2016-9318
# 2.9.8-r1:
# - CVE-2018-9251
# - CVE-2018-14404
# - CVE-2018-14567
# 2.9.4-r4:
# - CVE-2017-5969
# - CVE-2017-5969
# 2.9.4-r2:
# - CVE-2016-9318
# 2.9.4-r1:
# - CVE-2016-5131
prepare() {
default_prepare
......@@ -98,4 +107,6 @@ utils() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
sha512sums="28903282c7672206effa1362fd564cbe4cf5be44264b083a7d14e383f73bccd1b81bcafb5f4f2f56f5e7e05914c660e27668c9ce91b1b9f256ef5358d55ba917 libxml2-2.9.8.tar.gz"
sha512sums="28903282c7672206effa1362fd564cbe4cf5be44264b083a7d14e383f73bccd1b81bcafb5f4f2f56f5e7e05914c660e27668c9ce91b1b9f256ef5358d55ba917 libxml2-2.9.8.tar.gz
31f6cd6650b05cdd95455fd72927ef6b1f1d23ca4d8d5f776ee83277d670363dfe6bdd2c1330e8f9131212456dece2595b16868fc01f0ab750009b0a007eb513 CVE-2018-9251-CVE-2018-14567.patch
c273b88d26e475e8a7f73e92ce9a77b1025f3704f11aa129c867e08424d32f1d7d81f4a2991d0cef28db4b8e122c6b356097be24b4651ef1b5a040a466bdcd13 CVE-2018-14404.patch"
From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 30 Jul 2018 12:54:38 +0200
Subject: [PATCH] Fix nullptr deref with XPath logic ops
If the XPath stack is corrupted, for example by a misbehaving extension
function, the "and" and "or" XPath operators could dereference NULL
pointers. Check that the XPath stack isn't empty and optimize the
logic operators slightly.
Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
Also see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
https://bugzilla.redhat.com/show_bug.cgi?id=1595985
This is CVE-2018-14404.
Thanks to Guy Inbar for the report.
---
xpath.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/xpath.c b/xpath.c
index 3fae0bf4..5e3bb9ff 100644
--- a/xpath.c
+++ b/xpath.c
@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
return(0);
}
xmlXPathBooleanFunction(ctxt, 1);
- arg1 = valuePop(ctxt);
- arg1->boolval &= arg2->boolval;
- valuePush(ctxt, arg1);
+ if (ctxt->value != NULL)
+ ctxt->value->boolval &= arg2->boolval;
xmlXPathReleaseObject(ctxt->context, arg2);
return (total);
case XPATH_OP_OR:
@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
return(0);
}
xmlXPathBooleanFunction(ctxt, 1);
- arg1 = valuePop(ctxt);
- arg1->boolval |= arg2->boolval;
- valuePush(ctxt, arg1);
+ if (ctxt->value != NULL)
+ ctxt->value->boolval |= arg2->boolval;
xmlXPathReleaseObject(ctxt->context, arg2);
return (total);
case XPATH_OP_EQUAL:
--
2.18.1
From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 30 Jul 2018 13:14:11 +0200
Subject: [PATCH] Fix infinite loop in LZMA decompression
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Check the liblzma error code more thoroughly to avoid infinite loops.
Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
This is CVE-2018-9251 and CVE-2018-14567.
Thanks to Dongliang Mu and Simon Wörner for the reports.
---
xzlib.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/xzlib.c b/xzlib.c
index a839169e..0ba88cfa 100644
--- a/xzlib.c
+++ b/xzlib.c
@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
"internal error: inflate stream corrupt");
return -1;
}
+ /*
+ * FIXME: Remapping a couple of error codes and falling through
+ * to the LZMA error handling looks fragile.
+ */
if (ret == Z_MEM_ERROR)
ret = LZMA_MEM_ERROR;
if (ret == Z_DATA_ERROR)
@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
xz_error(state, LZMA_PROG_ERROR, "compression error");
return -1;
}
+ if ((state->how != GZIP) &&
+ (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
+ xz_error(state, ret, "lzma error");
+ return -1;
+ }
} while (strm->avail_out && ret != LZMA_STREAM_END);
/* update available output and crc check value */
--
2.18.1
Index: libxml2-2.9.5/python/libxml.c
===================================================================
--- libxml2-2.9.5.orig/python/libxml.c
+++ libxml2-2.9.5/python/libxml.c
@@ -1620,6 +1620,7 @@ libxml_xmlErrorFuncHandler(ATTRIBUTE_UNU
PyObject *message;
PyObject *result;
char str[1000];
+ unsigned char *ptr = (unsigned char *)str;
#ifdef DEBUG_ERROR
printf("libxml_xmlErrorFuncHandler(%p, %s, ...) called\n", ctx, msg);
@@ -1636,12 +1637,20 @@ libxml_xmlErrorFuncHandler(ATTRIBUTE_UNU
str[999] = 0;
va_end(ap);
+#if PY_MAJOR_VERSION >= 3
+ /* Ensure the error string doesn't start at UTF8 continuation. */
+ while (*ptr && (*ptr & 0xc0) == 0x80)
+ ptr++;
+#endif
+
list = PyTuple_New(2);
PyTuple_SetItem(list, 0, libxml_xmlPythonErrorFuncCtxt);
Py_XINCREF(libxml_xmlPythonErrorFuncCtxt);
- message = libxml_charPtrConstWrap(str);
+ message = libxml_charPtrConstWrap(ptr);
PyTuple_SetItem(list, 1, message);
result = PyEval_CallObject(libxml_xmlPythonErrorFuncHandler, list);
+ /* Forget any errors caused in the error handler. */
+ PyErr_Clear();
Py_XDECREF(list);
Py_XDECREF(result);
}
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment