fix a double free in XPath CVE-2010-4494 bug 665965

libxml2-2.7.7-xpath-double-free.patch

@@ -0,0 +1,22 @@
+--- a/xpath.c	
++++ a/xpath.c	
+@@ -11763,11 +11763,16 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
+ 
+ 	    if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+ 	        xmlXPathObjectPtr tmp;
+-		/* pop the result */
++		/* pop the result if any */
+ 		tmp = valuePop(ctxt);
+-		xmlXPathReleaseObject(xpctxt, tmp);
+-		/* then pop off contextObj, which will be freed later */
+-		valuePop(ctxt);
++                if (tmp != contextObj) {
++                    /*
++                     * Free up the result
++                     * then pop off contextObj, which will be freed later
++                     */
++                    xmlXPathReleaseObject(xpctxt, tmp);
++                    valuePop(ctxt);
++                }
+ 		goto evaluation_error;
+ 	    }

libxml2.spec

@@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.7.8
-Release: 5%{?dist}%{?extra_release}
+Release: 6%{?dist}%{?extra_release}
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@@ -10,6 +10,7 @@ BuildRequires: python python-devel zlib-devel pkgconfig
 URL: http://xmlsoft.org/
 Patch0: libxml2-multilib.patch
 Patch1: libxml2-2.7.8-reactivate-versionning-script.patch
+Patch2: libxml2-2.7.7-xpath-double-free.patch
 
 %description
 This library allows to manipulate XML files. It includes support 
@@ -69,6 +70,7 @@ at parse time or later once the document has been modified.
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 %build
 %configure
@@ -143,6 +145,9 @@ rm -fr %{buildroot}
 %doc doc/python.html
 
 %changelog
+* Fri Mar  4 2011 Daniel Veillard <veillard@redhat.com> - 2.7.8-6
+- fix a double free in XPath CVE-2010-4494 bug 665965
+
 * Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.7.8-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild