rpms/libxml2
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import libxml2-2.9.7-7.el8

Browse Source
This commit is contained in:
CentOS Sources 2020-04-28 05:34:37 -04:00 committed by Andrew Lukoshko
parent 9f4d663745
commit 7280c109a3
3 changed files with 115 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
SOURCES/libxml2-CVE-2018-14404.patch Normal file
View File

@ -0,0 +1,54 @@
From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 30 Jul 2018 12:54:38 +0200
Subject: [PATCH] Fix nullptr deref with XPath logic ops
If the XPath stack is corrupted, for example by a misbehaving extension
function, the "and" and "or" XPath operators could dereference NULL
pointers. Check that the XPath stack isn't empty and optimize the
logic operators slightly.
Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
Also see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
https://bugzilla.redhat.com/show_bug.cgi?id=1595985
This is CVE-2018-14404.
Thanks to Guy Inbar for the report.
---
xpath.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/xpath.c b/xpath.c
index 3fae0bf4..5e3bb9ff 100644
--- a/xpath.c
+++ b/xpath.c
@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
return(0);
}
xmlXPathBooleanFunction(ctxt, 1);
- arg1 = valuePop(ctxt);
- arg1->boolval &= arg2->boolval;
- valuePush(ctxt, arg1);
+ if (ctxt->value != NULL)
+ ctxt->value->boolval &= arg2->boolval;
xmlXPathReleaseObject(ctxt->context, arg2);
return (total);
case XPATH_OP_OR:
@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
return(0);
}
xmlXPathBooleanFunction(ctxt, 1);
- arg1 = valuePop(ctxt);
- arg1->boolval |= arg2->boolval;
- valuePush(ctxt, arg1);
+ if (ctxt->value != NULL)
+ ctxt->value->boolval |= arg2->boolval;
xmlXPathReleaseObject(ctxt->context, arg2);
return (total);
case XPATH_OP_EQUAL:
--
2.22.0

50
SOURCES/libxml2-CVE-2018-9251.patch Normal file
View File

@ -0,0 +1,50 @@
From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 30 Jul 2018 13:14:11 +0200
Subject: [PATCH] Fix infinite loop in LZMA decompression
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Check the liblzma error code more thoroughly to avoid infinite loops.
Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
This is CVE-2018-9251 and CVE-2018-14567.
Thanks to Dongliang Mu and Simon Wörner for the reports.
---
xzlib.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/xzlib.c b/xzlib.c
index a839169e..0ba88cfa 100644
--- a/xzlib.c
+++ b/xzlib.c
@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
"internal error: inflate stream corrupt");
return -1;
}
+ /*
+ * FIXME: Remapping a couple of error codes and falling through
+ * to the LZMA error handling looks fragile.
+ */
if (ret == Z_MEM_ERROR)
ret = LZMA_MEM_ERROR;
if (ret == Z_DATA_ERROR)
@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
xz_error(state, LZMA_PROG_ERROR, "compression error");
return -1;
}
+ if ((state->how != GZIP) &&
+ (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
+ xz_error(state, ret, "lzma error");
+ return -1;
+ }
} while (strm->avail_out && ret != LZMA_STREAM_END);
/* update available output and crc check value */
--
2.22.0

12
SPECS/libxml2.spec
View File

@ -7,7 +7,7 @@
Name: libxml2 Name: libxml2
Version: 2.9.7 Version: 2.9.7
Release: 5%{?dist} Release: 7%{?dist}
Summary: Library providing XML and HTML support Summary: Library providing XML and HTML support
License: MIT License: MIT
@ -24,6 +24,10 @@ Patch3: libxml2-CVE-2016-9597.patch
# Fix some crashes under Python 3 # Fix some crashes under Python 3
# https://bugzilla.gnome.org/show_bug.cgi?id=789714 # https://bugzilla.gnome.org/show_bug.cgi?id=789714
Patch4: libxml2-python3-unicode-errors.patch Patch4: libxml2-python3-unicode-errors.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1565322
Patch5: libxml2-CVE-2018-9251.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1595989
Patch6: libxml2-CVE-2018-14404.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: cmake-rpm-macros BuildRequires: cmake-rpm-macros
@ -195,6 +199,12 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
%{python3_sitearch}/libxml2mod.so %{python3_sitearch}/libxml2mod.so
%changelog %changelog
* Thu Oct 24 2019 David King <dking@redhat.com> - 2.9.7-7
- Fix CVE-2018-14404 (#1595989)
* Thu Oct 24 2019 David King <dking@redhat.com> - 2.9.7-6
- Fix CVE-2018-9251 (#1565322)
* Fri Aug 03 2018 Charalampos Stratakis <cstratak@redhat.com> - 2.9.7-5 * Fri Aug 03 2018 Charalampos Stratakis <cstratak@redhat.com> - 2.9.7-5
- Fix some crashes under Python 3 - Fix some crashes under Python 3
- Conditionalize the python2 subpackage - Conditionalize the python2 subpackage