[oe-commits] [openembedded-core] 02/14: libxml2: CVE-2018-14404

git at git.openembedded.org git at git.openembedded.org
Thu Oct 18 10:10:16 UTC 2018


This is an automated email from the git hooks/post-receive script.

rpurdie pushed a commit to branch sumo
in repository openembedded-core.

commit 06d7f9039b005c2112e28336ac1c30e5120ec815
Author: Sinan Kaya <okaya at kernel.org>
AuthorDate: Fri Oct 5 00:39:07 2018 +0000

    libxml2: CVE-2018-14404
    
    * CVE-2018-14404
    A null pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval()
    function of libxml2 when parsing invalid XPath expression. Applications processing
    untrusted XSL format inputs with the use of libxml2 library may be vulnerable to
    denial of service attack due to crash of the application.
    
    Affects libxml <= 2.9.8
    
    CVE: CVE-2018-14404
    Ref: https://access.redhat.com/security/cve/cve-2018-14404
    
    Signed-off-by: Sinan Kaya <okaya at kernel.org>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
 .../libxml/libxml2/CVE-2018-14404.patch            | 58 ++++++++++++++++++++++
 meta/recipes-core/libxml/libxml2_2.9.7.bb          |  1 +
 2 files changed, 59 insertions(+)

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2018-14404.patch b/meta/recipes-core/libxml/libxml2/CVE-2018-14404.patch
new file mode 100644
index 0000000..af3e7b2
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2018-14404.patch
@@ -0,0 +1,58 @@
+From 29115868c92c81a4119b05ea95b3c91608a0b6e8 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer at aevum.de>
+Date: Mon, 30 Jul 2018 12:54:38 +0200
+Subject: [PATCH] Fix nullptr deref with XPath logic ops
+
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
+
+Also see
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+
+This is CVE-2018-14404.
+
+Thanks to Guy Inbar for the report.
+
+CVE: CVE-2018-14404
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594]
+Signed-off-by: Sinan Kaya <okaya at kernel.org>
+---
+ xpath.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 35274731..3fcdc9e1 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13337,9 +13337,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ 		return(0);
+ 	    }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval &= arg2->boolval;
+-            valuePush(ctxt, arg1);
++            if (ctxt->value != NULL)
++                ctxt->value->boolval &= arg2->boolval;
+ 	    xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_OR:
+@@ -13363,9 +13362,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ 		return(0);
+ 	    }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval |= arg2->boolval;
+-            valuePush(ctxt, arg1);
++            if (ctxt->value != NULL)
++                ctxt->value->boolval |= arg2->boolval;
+ 	    xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_EQUAL:
+-- 
+2.19.0
+
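Review bot: in both the XPATH_OP_AND and XPATH_OP_OR cases of xmlXPathCompOpEval(), the new `if (ctxt->value != NULL)` guard skips the boolean update when the stack is empty but still falls through to `return (total);` without recording an error, so a corrupted stack is treated as a successful evaluation. Since this is marked Backport, the code should stay as upstream has it, but the commit message could say that the fix avoids the crash rather than rejecting the expression. Separately, the hash on the `From 29115868c92c...` line differs from the one in the Upstream-Status URL (a436374994c4...); please confirm the URL points at the commit that was actually backported.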
diff --git a/meta/recipes-core/libxml/libxml2_2.9.7.bb b/meta/recipes-core/libxml/libxml2_2.9.7.bb
index deb3488..c749a81 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.7.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.7.bb
@@ -21,6 +21,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
            file://libxml-m4-use-pkgconfig.patch \
            file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
            file://fix-execution-of-ptests.patch \
+           file://CVE-2018-14404.patch \
            "
 
 SRC_URI[libtar.md5sum] = "896608641a08b465098a40ddf51cefba"
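Review bot: the new `file://CVE-2018-14404.patch` entry is added to libxml2_2.9.7.bb, while the embedded patch carries upstream hunk offsets (`@@ -13337,9 +13337,8 @@`) and the commit message lists the affected range as "<= 2.9.8". Please confirm the patch applies to the 2.9.7 sources without fuzz or offset warnings in do_patch, and refresh the hunk headers against 2.9.7 if it does not.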
