aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2018-10-24 16:17:37 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2018-10-24 18:43:50 +0200
commit878af9b6555b9b812151e55fd3294c89cf0f53ba (patch)
tree041a2da22a57d49086d7820b5ad8b067ba5ca40c
parent3d8d16384b56fedf0c7eee6d96e53c0b4d84c259 (diff)
downloadaports-878af9b6555b9b812151e55fd3294c89cf0f53ba.tar.bz2
aports-878af9b6555b9b812151e55fd3294c89cf0f53ba.tar.xz
main/libxml2: backport security fixes
-rw-r--r--main/libxml2/APKBUILD29
-rw-r--r--main/libxml2/CVE-2018-14404.patch54
-rw-r--r--main/libxml2/CVE-2018-9251-CVE-2018-14567.patch50
-rw-r--r--main/libxml2/fix-utf8-error-message.patch34
4 files changed, 157 insertions, 10 deletions
diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD
index a4a054c12c..2ef4e922f3 100644
--- a/main/libxml2/APKBUILD
+++ b/main/libxml2/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=libxml2
pkgver=2.9.8
-pkgrel=0
+pkgrel=1
pkgdesc="XML parsing library, version 2"
url="http://www.xmlsoft.org/"
arch="all"
@@ -12,18 +12,25 @@ depends_dev="zlib-dev"
makedepends="$depends_dev python2-dev"
subpackages="$pkgname-doc $pkgname-dev py-$pkgname:py $pkgname-utils"
options="!strip"
-source="http://xmlsoft.org/sources/$pkgname-$pkgver.tar.gz"
+source="http://xmlsoft.org/sources/$pkgname-$pkgver.tar.gz
+ CVE-2018-9251-CVE-2018-14567.patch
+ CVE-2018-14404.patch
+ "
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
-# 2.9.4-r1:
-# - CVE-2016-5131
-# 2.9.4-r2:
-# - CVE-2016-9318
-# 2.9.4-r3:
-# - CVE-2017-5969
+# 2.9.8-r1:
+# - CVE-2018-9251
+# - CVE-2018-14404
+# - CVE-2018-14567
# 2.9.5-r0:
-# - CVE-2017-16931
+# - CVE-2017-16931
+# 2.9.4-r3:
+# - CVE-2017-5969
+# 2.9.4-r2:
+# - CVE-2016-9318
+# 2.9.4-r1:
+# - CVE-2016-5131
options="!strip"
@@ -77,4 +84,6 @@ utils() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-sha512sums="28903282c7672206effa1362fd564cbe4cf5be44264b083a7d14e383f73bccd1b81bcafb5f4f2f56f5e7e05914c660e27668c9ce91b1b9f256ef5358d55ba917 libxml2-2.9.8.tar.gz"
+sha512sums="28903282c7672206effa1362fd564cbe4cf5be44264b083a7d14e383f73bccd1b81bcafb5f4f2f56f5e7e05914c660e27668c9ce91b1b9f256ef5358d55ba917 libxml2-2.9.8.tar.gz
+31f6cd6650b05cdd95455fd72927ef6b1f1d23ca4d8d5f776ee83277d670363dfe6bdd2c1330e8f9131212456dece2595b16868fc01f0ab750009b0a007eb513 CVE-2018-9251-CVE-2018-14567.patch
+c273b88d26e475e8a7f73e92ce9a77b1025f3704f11aa129c867e08424d32f1d7d81f4a2991d0cef28db4b8e122c6b356097be24b4651ef1b5a040a466bdcd13 CVE-2018-14404.patch"
diff --git a/main/libxml2/CVE-2018-14404.patch b/main/libxml2/CVE-2018-14404.patch
new file mode 100644
index 0000000000..aa25662e94
--- /dev/null
+++ b/main/libxml2/CVE-2018-14404.patch
@@ -0,0 +1,54 @@
+From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 12:54:38 +0200
+Subject: [PATCH] Fix nullptr deref with XPath logic ops
+
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
+
+Also see
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+
+This is CVE-2018-14404.
+
+Thanks to Guy Inbar for the report.
+---
+ xpath.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 3fae0bf4..5e3bb9ff 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval &= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval &= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_OR:
+@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ return(0);
+ }
+ xmlXPathBooleanFunction(ctxt, 1);
+- arg1 = valuePop(ctxt);
+- arg1->boolval |= arg2->boolval;
+- valuePush(ctxt, arg1);
++ if (ctxt->value != NULL)
++ ctxt->value->boolval |= arg2->boolval;
+ xmlXPathReleaseObject(ctxt->context, arg2);
+ return (total);
+ case XPATH_OP_EQUAL:
+--
+2.18.1
+
diff --git a/main/libxml2/CVE-2018-9251-CVE-2018-14567.patch b/main/libxml2/CVE-2018-9251-CVE-2018-14567.patch
new file mode 100644
index 0000000000..46c0c0e808
--- /dev/null
+++ b/main/libxml2/CVE-2018-9251-CVE-2018-14567.patch
@@ -0,0 +1,50 @@
+From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 13:14:11 +0200
+Subject: [PATCH] Fix infinite loop in LZMA decompression
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Check the liblzma error code more thoroughly to avoid infinite loops.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
+Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
+
+This is CVE-2018-9251 and CVE-2018-14567.
+
+Thanks to Dongliang Mu and Simon W├Ârner for the reports.
+---
+ xzlib.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index a839169e..0ba88cfa 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
+ "internal error: inflate stream corrupt");
+ return -1;
+ }
++ /*
++ * FIXME: Remapping a couple of error codes and falling through
++ * to the LZMA error handling looks fragile.
++ */
+ if (ret == Z_MEM_ERROR)
+ ret = LZMA_MEM_ERROR;
+ if (ret == Z_DATA_ERROR)
+@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
+ xz_error(state, LZMA_PROG_ERROR, "compression error");
+ return -1;
+ }
++ if ((state->how != GZIP) &&
++ (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
++ xz_error(state, ret, "lzma error");
++ return -1;
++ }
+ } while (strm->avail_out && ret != LZMA_STREAM_END);
+
+ /* update available output and crc check value */
+--
+2.18.1
+
diff --git a/main/libxml2/fix-utf8-error-message.patch b/main/libxml2/fix-utf8-error-message.patch
new file mode 100644
index 0000000000..e87dcdedf8
--- /dev/null
+++ b/main/libxml2/fix-utf8-error-message.patch
@@ -0,0 +1,34 @@
+Index: libxml2-2.9.5/python/libxml.c
+===================================================================
+--- libxml2-2.9.5.orig/python/libxml.c
++++ libxml2-2.9.5/python/libxml.c
+@@ -1620,6 +1620,7 @@ libxml_xmlErrorFuncHandler(ATTRIBUTE_UNU
+ PyObject *message;
+ PyObject *result;
+ char str[1000];
++ unsigned char *ptr = (unsigned char *)str;
+
+ #ifdef DEBUG_ERROR
+ printf("libxml_xmlErrorFuncHandler(%p, %s, ...) called\n", ctx, msg);
+@@ -1636,12 +1637,20 @@ libxml_xmlErrorFuncHandler(ATTRIBUTE_UNU
+ str[999] = 0;
+ va_end(ap);
+
++#if PY_MAJOR_VERSION >= 3
++ /* Ensure the error string doesn't start at UTF8 continuation. */
++ while (*ptr && (*ptr & 0xc0) == 0x80)
++ ptr++;
++#endif
++
+ list = PyTuple_New(2);
+ PyTuple_SetItem(list, 0, libxml_xmlPythonErrorFuncCtxt);
+ Py_XINCREF(libxml_xmlPythonErrorFuncCtxt);
+- message = libxml_charPtrConstWrap(str);
++ message = libxml_charPtrConstWrap(ptr);
+ PyTuple_SetItem(list, 1, message);
+ result = PyEval_CallObject(libxml_xmlPythonErrorFuncHandler, list);
++ /* Forget any errors caused in the error handler. */
++ PyErr_Clear();
+ Py_XDECREF(list);
+ Py_XDECREF(result);
+ }