From c8a77dfe4d3d307c1d5dd2650b7297447d8b609d Mon Sep 17 00:00:00 2001
From: V3n3RiX
Date: Sat, 12 Jan 2019 16:58:08 +0000
Subject: gentoo resync : 12.01.2019
---
 .../files/libxml2-2.9.8-CVE-2017-8872.patch | 65 ++++++++++++++++++++++
 .../files/libxml2-2.9.8-CVE-2018-14404.patch | 54 ++++++++++++++++++
 .../files/libxml2-2.9.8-CVE-2018-14567.patch | 50 +++++++++++++++++
 .../files/libxml2-2.9.8-out-of-tree-test.patch | 40 +++++++++++++
 4 files changed, 209 insertions(+)
 create mode 100644 dev-libs/libxml2/files/libxml2-2.9.8-CVE-2017-8872.patch
 create mode 100644 dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14404.patch
 create mode 100644 dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14567.patch
 create mode 100644 dev-libs/libxml2/files/libxml2-2.9.8-out-of-tree-test.patch
(limited to 'dev-libs/libxml2/files')
diff --git a/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2017-8872.patch b/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2017-8872.patch
new file mode 100644
index 000000000000..6062f63df9ea
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2017-8872.patch
@@ -0,0 +1,65 @@ +https://bugs.gentoo.org/618110 +https://bugzilla.gnome.org/show_bug.cgi?id=775200 +https://gitlab.gnome.org/GNOME/libxml2/issues/26 + +From 123234f2cfcd9e9b9f83047eee1dc17b4c3f4407 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Tue, 11 Sep 2018 14:52:07 +0200 +Subject: [PATCH] Free input buffer in xmlHaltParser + +This avoids miscalculation of available bytes. + +Thanks to Yunho Kim for the report. + +Closes: #26 +--- + parser.c | 5 +++++ + result/errors/759573.xml.err | 17 +++++++---------- + 2 files changed, 12 insertions(+), 10 deletions(-) + +diff --git a/parser.c b/parser.c +index ca9fde2c8758..5813a6643e15 100644 +--- a/parser.c ++++ b/parser.c +@@ -12462,7 +12462,12 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) { + ctxt->input->free((xmlChar *) ctxt->input->base); + ctxt->input->free = NULL; + } ++ if (ctxt->input->buf != NULL) { ++ xmlFreeParserInputBuffer(ctxt->input->buf); ++ ctxt->input->buf = NULL; ++ } + ctxt->input->cur = BAD_CAST""; ++ ctxt->input->length = 0; + ctxt->input->base = ctxt->input->cur; + ctxt->input->end = ctxt->input->cur; + } +diff --git a/result/errors/759573.xml.err b/result/errors/759573.xml.err +index 554039f65b91..38ef5c40b8e3 100644 +--- a/result/errors/759573.xml.err ++++ b/result/errors/759573.xml.err +@@ -21,14 +21,11 @@ Entity: line 1: + ^ + ./test/errors/759573.xml:1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration + +- +Date: Mon, 30 Jul 2018 12:54:38 +0200 +Subject: [PATCH] Fix nullptr deref with XPath logic ops + +If the XPath stack is corrupted, for example by a misbehaving extension +function, the "and" and "or" XPath operators could dereference NULL +pointers. Check that the XPath stack isn't empty and optimize the +logic operators slightly. + +Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5 + +Also see +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817 +https://bugzilla.redhat.com/show_bug.cgi?id=1595985 + +This is CVE-2018-14404. 
+
+Thanks to Guy Inbar for the report.
+---
+ xpath.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 3fae0bf4e0a0..5e3bb9ff6401 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval &= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval &= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_OR:
+@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval |= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval |= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_EQUAL:
+--
+2.19.1
+
diff --git a/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14567.patch b/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14567.patch
new file mode 100644
index 000000000000..0d289352d2f9
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14567.patch
@@ -0,0 +1,50 @@
+From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Mon, 30 Jul 2018 13:14:11 +0200
+Subject: [PATCH] Fix infinite loop in LZMA decompression
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Check the liblzma error code more thoroughly to avoid infinite loops.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
+Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
+
+This is CVE-2018-9251 and CVE-2018-14567.
+
+Thanks to Dongliang Mu and Simon Wörner for the reports.
+---
+ xzlib.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index a839169ef2ec..0ba88cfa849d 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
+ "internal error: inflate stream corrupt");
+ return -1;
+ }
++ /*
++ * FIXME: Remapping a couple of error codes and falling through
++ * to the LZMA error handling looks fragile.
++ */
+ if (ret == Z_MEM_ERROR)
+ ret = LZMA_MEM_ERROR;
+ if (ret == Z_DATA_ERROR)
+@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
+ xz_error(state, LZMA_PROG_ERROR, "compression error");
+ return -1;
+ }
++ if ((state->how != GZIP) &&
++ (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
++ xz_error(state, ret, "lzma error");
++ return -1;
++ }
+ } while (strm->avail_out && ret != LZMA_STREAM_END);
+
+ /* update available output and crc check value */
+--
+2.19.1
+
diff --git a/dev-libs/libxml2/files/libxml2-2.9.8-out-of-tree-test.patch b/dev-libs/libxml2/files/libxml2-2.9.8-out-of-tree-test.patch
new file mode 100644
index 000000000000..fcc441d05de2
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.9.8-out-of-tree-test.patch
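Review bot: The new guard near the end of xz_decomp, `if ((state->how != GZIP) && (ret != LZMA_OK) && (ret != LZMA_STREAM_END))`, only bails out on the LZMA path; on the gzip path any zlib return code other than the two remapped a few lines above (`Z_MEM_ERROR`, `Z_DATA_ERROR`) still reaches `while (strm->avail_out && ret != LZMA_STREAM_END)`, and whether that can spin depends on the inflate error handling above the hunk, which is outside this view — the FIXME the patch itself adds says as much. This is also the only one of the new patch files without a Gentoo-side preamble, and its commit message says it fixes CVE-2018-9251 as well as CVE-2018-14567 while the filename names only the latter; a first line such as `Fixes CVE-2018-9251 and CVE-2018-14567 (backport of upstream 2240fbf5)` would keep the second CVE visible to anyone auditing the ebuild. xz_decomp starts and ends outside the hunk.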
@@ -0,0 +1,40 @@
+https://gitlab.gnome.org/GNOME/libxml2/merge_requests/14
+
+From 54878c018af979b20ca1bfbf12599973484cae5b Mon Sep 17 00:00:00 2001
+From: Mike Frysinger
+Date: Thu, 3 Jan 2019 05:44:03 -0500
+Subject: [PATCH] fix reader5.py test when building out of tree
+
+When building out of tree, the relative path this test uses doesn't
+work. Resolve the path relative to the test script itself instead.
+
+Url: https://bugs.gentoo.org/565576
+---
+ python/tests/reader5.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/python/tests/reader5.py b/python/tests/reader5.py
+index 82d0daea474a..da5355ffc4c6 100755
+--- a/python/tests/reader5.py
++++ b/python/tests/reader5.py
+@@ -4,6 +4,7 @@
+ # this extract the Dragon bibliography entries from the XML specification
+ #
+ import libxml2
++import os
+ import sys
+
+ # Memory debug specific
+@@ -14,7 +15,8 @@ Ravi Sethi, and Jeffrey D. Ullman.
+ Compilers: Principles, Techniques, and Tools.
+ Reading: Addison-Wesley, 1986, rpt. corr. 1988."""
+
+-f = open('../../test/valid/REC-xml-19980210.xml', 'rb')
++basedir = os.path.dirname(os.path.realpath(__file__))
++f = open(os.path.join(basedir, '../../test/valid/REC-xml-19980210.xml'), 'rb')
+ input = libxml2.inputBuffer(f)
+ reader = input.newTextReader("REC")
+ res=""
+--
+2.19.1
+
-- cgit v1.2.3
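Review bot: `os.path.realpath(__file__)` resolves symlinks, so when an out-of-tree build reaches python/tests through a symlink the fixture is looked up next to the real source file rather than in the build directory — presumably the intent, since `test/valid` lives in the source tree, but the new `basedir` line deserves a comment saying so, e.g. `# locate the fixture relative to this script's real source location, not the cwd`. Wrapping the join in `os.path.normpath(...)` would also collapse the `..` segments so a missing-file error names a readable path. The script continues past the hunk and, as before the change, never closes `f`.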