From dc7cbdfa65fd814b3b9aa3c56257da201109e807 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Fri, 5 Apr 2019 21:17:31 +0100 Subject: gentoo resync : 05.04.2019 --- .../files/libxml2-2.9.8-CVE-2017-8872.patch | 65 ---------------------- .../files/libxml2-2.9.8-CVE-2018-14404.patch | 54 ------------------ .../files/libxml2-2.9.8-CVE-2018-14567.patch | 50 ----------------- 3 files changed, 169 deletions(-) delete mode 100644 dev-libs/libxml2/files/libxml2-2.9.8-CVE-2017-8872.patch delete mode 100644 dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14404.patch delete mode 100644 dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14567.patch (limited to 'dev-libs/libxml2/files') diff --git a/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2017-8872.patch b/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2017-8872.patch deleted file mode 100644 index 6062f63df9ea..000000000000 --- a/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2017-8872.patch +++ /dev/null @@ -1,65 +0,0 @@ -https://bugs.gentoo.org/618110 -https://bugzilla.gnome.org/show_bug.cgi?id=775200 -https://gitlab.gnome.org/GNOME/libxml2/issues/26 - -From 123234f2cfcd9e9b9f83047eee1dc17b4c3f4407 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Tue, 11 Sep 2018 14:52:07 +0200 -Subject: [PATCH] Free input buffer in xmlHaltParser - -This avoids miscalculation of available bytes. - -Thanks to Yunho Kim for the report. - -Closes: #26 ---- - parser.c | 5 +++++ - result/errors/759573.xml.err | 17 +++++++---------- - 2 files changed, 12 insertions(+), 10 deletions(-) - -diff --git a/parser.c b/parser.c -index ca9fde2c8758..5813a6643e15 100644 ---- a/parser.c -+++ b/parser.c -@@ -12462,7 +12462,12 @@ xmlHaltParser(xmlParserCtxtPtr ctxt) { - ctxt->input->free((xmlChar *) ctxt->input->base); - ctxt->input->free = NULL; - } -+ if (ctxt->input->buf != NULL) { -+ xmlFreeParserInputBuffer(ctxt->input->buf); -+ ctxt->input->buf = NULL; -+ } - ctxt->input->cur = BAD_CAST""; -+ ctxt->input->length = 0; - ctxt->input->base = ctxt->input->cur; - ctxt->input->end = ctxt->input->cur; - } -diff --git a/result/errors/759573.xml.err b/result/errors/759573.xml.err -index 554039f65b91..38ef5c40b8e3 100644 ---- a/result/errors/759573.xml.err -+++ b/result/errors/759573.xml.err -@@ -21,14 +21,11 @@ Entity: line 1: - ^ - ./test/errors/759573.xml:1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration - -- -Date: Mon, 30 Jul 2018 12:54:38 +0200 -Subject: [PATCH] Fix nullptr deref with XPath logic ops - -If the XPath stack is corrupted, for example by a misbehaving extension -function, the "and" and "or" XPath operators could dereference NULL -pointers. Check that the XPath stack isn't empty and optimize the -logic operators slightly. - -Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5 - -Also see -https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817 -https://bugzilla.redhat.com/show_bug.cgi?id=1595985 - -This is CVE-2018-14404. - -Thanks to Guy Inbar for the report. ---- - xpath.c | 10 ++++------ - 1 file changed, 4 insertions(+), 6 deletions(-) - -diff --git a/xpath.c b/xpath.c -index 3fae0bf4e0a0..5e3bb9ff6401 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) - return(0); - } - xmlXPathBooleanFunction(ctxt, 1); -- arg1 = valuePop(ctxt); -- arg1->boolval &= arg2->boolval; -- valuePush(ctxt, arg1); -+ if (ctxt->value != NULL) -+ ctxt->value->boolval &= arg2->boolval; - xmlXPathReleaseObject(ctxt->context, arg2); - return (total); - case XPATH_OP_OR: -@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) - return(0); - } - xmlXPathBooleanFunction(ctxt, 1); -- arg1 = valuePop(ctxt); -- arg1->boolval |= arg2->boolval; -- valuePush(ctxt, arg1); -+ if (ctxt->value != NULL) -+ ctxt->value->boolval |= arg2->boolval; - xmlXPathReleaseObject(ctxt->context, arg2); - return (total); - case XPATH_OP_EQUAL: --- -2.19.1 - diff --git a/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14567.patch b/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14567.patch deleted file mode 100644 index 0d289352d2f9..000000000000 --- a/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14567.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Mon, 30 Jul 2018 13:14:11 +0200 -Subject: [PATCH] Fix infinite loop in LZMA decompression -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Check the liblzma error code more thoroughly to avoid infinite loops. - -Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13 -Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914 - -This is CVE-2018-9251 and CVE-2018-14567. - -Thanks to Dongliang Mu and Simon Wörner for the reports. ---- - xzlib.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/xzlib.c b/xzlib.c -index a839169ef2ec..0ba88cfa849d 100644 ---- a/xzlib.c -+++ b/xzlib.c -@@ -562,6 +562,10 @@ xz_decomp(xz_statep state) - "internal error: inflate stream corrupt"); - return -1; - } -+ /* -+ * FIXME: Remapping a couple of error codes and falling through -+ * to the LZMA error handling looks fragile. -+ */ - if (ret == Z_MEM_ERROR) - ret = LZMA_MEM_ERROR; - if (ret == Z_DATA_ERROR) -@@ -587,6 +591,11 @@ xz_decomp(xz_statep state) - xz_error(state, LZMA_PROG_ERROR, "compression error"); - return -1; - } -+ if ((state->how != GZIP) && -+ (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) { -+ xz_error(state, ret, "lzma error"); -+ return -1; -+ } - } while (strm->avail_out && ret != LZMA_STREAM_END); - - /* update available output and crc check value */ --- -2.19.1 - -- cgit v1.2.3