Commit 4e7a6efe authored by Natanael Copa's avatar Natanael Copa

main/libxml2: fix for CVE-2017-5969

fixes #6852
parent dab03646
......@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=libxml2
pkgver=2.9.4
pkgrel=3
pkgrel=4
pkgdesc="XML parsing library, version 2"
url="http://www.xmlsoft.org/"
arch="all"
......@@ -16,6 +16,7 @@ options="!strip"
source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz
CVE-2016-5131.patch
CVE-2016-9318.patch
CVE-2017-5969.patch
"
builddir="$srcdir/$pkgname-$pkgver"
......@@ -24,6 +25,8 @@ builddir="$srcdir/$pkgname-$pkgver"
# - CVE-2016-5131
# 2.9.4-r2:
# - CVE-2016-9318
# 2.9.4-r4:
# - CVE-2017-5969
build() {
cd "$builddir"
......@@ -70,4 +73,5 @@ utils() {
sha512sums="f5174ab1a3a0ec0037a47f47aa47def36674e02bfb42b57f609563f84c6247c585dbbb133c056953a5adb968d328f18cbc102eb0d00d48eb7c95478389e5daf9 libxml2-2.9.4.tar.gz
c92cda9851fdf8af6cb21aa80f39b474cddef8c749298f5b51f76f871160ac9749fdaac3fa406cc0c75a666f7627983fce0e90fb2919f3a8c778e1148583be33 CVE-2016-5131.patch
508550f2f3489954abceee5404722dc7a8dcf6590219561a1ab36c2c14b1d1bfc2bad0403577db4e20c2c4e8c9114beb6bd80b165bb8e02c6cc52e6c5fb6e1ee CVE-2016-9318.patch"
508550f2f3489954abceee5404722dc7a8dcf6590219561a1ab36c2c14b1d1bfc2bad0403577db4e20c2c4e8c9114beb6bd80b165bb8e02c6cc52e6c5fb6e1ee CVE-2016-9318.patch
c1ce2284bdd874bd6eb1b2bef0e2c8d561861f82b5f03c4b7155e3ed11e2c56743d2f624530f0c7672d65329a13199e534f51ec19f06d4b6941b861dda50ef67 CVE-2017-5969.patch"
From 94691dc884d1a8ada39f073408b4bb92fe7fe882 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Wed, 7 Jun 2017 16:47:36 +0200
Subject: Fix NULL pointer deref in xmlDumpElementContent
Can only be triggered in recovery mode.
Fixes bug 758422 (CVE-2017-5969).
---
valid.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/valid.c b/valid.c
index 9b2df56..8075d3a 100644
--- a/valid.c
+++ b/valid.c
@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
xmlBufferWriteCHAR(buf, content->name);
break;
case XML_ELEMENT_CONTENT_SEQ:
- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+ if ((content->c1 != NULL) &&
+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
xmlDumpElementContent(buf, content->c1, 1);
else
xmlDumpElementContent(buf, content->c1, 0);
xmlBufferWriteChar(buf, " , ");
- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
+ if ((content->c2 != NULL) &&
+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
xmlDumpElementContent(buf, content->c2, 1);
else
xmlDumpElementContent(buf, content->c2, 0);
break;
case XML_ELEMENT_CONTENT_OR:
- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+ if ((content->c1 != NULL) &&
+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
xmlDumpElementContent(buf, content->c1, 1);
else
xmlDumpElementContent(buf, content->c1, 0);
xmlBufferWriteChar(buf, " | ");
- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
- ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
+ if ((content->c2 != NULL) &&
+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
xmlDumpElementContent(buf, content->c2, 1);
else
xmlDumpElementContent(buf, content->c2, 0);
--
cgit v0.12
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment