From 23d8a02f00886f2a44c9e69a8cce588e4f81ed18 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 28 2020 09:34:37 +0000 Subject: import libxml2-2.9.7-7.el8 --- diff --git a/SOURCES/libxml2-CVE-2018-14404.patch b/SOURCES/libxml2-CVE-2018-14404.patch new file mode 100644 index 0000000..0b64b4e --- /dev/null +++ b/SOURCES/libxml2-CVE-2018-14404.patch @@ -0,0 +1,54 @@ +From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 30 Jul 2018 12:54:38 +0200 +Subject: [PATCH] Fix nullptr deref with XPath logic ops + +If the XPath stack is corrupted, for example by a misbehaving extension +function, the "and" and "or" XPath operators could dereference NULL +pointers. Check that the XPath stack isn't empty and optimize the +logic operators slightly. + +Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5 + +Also see +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817 +https://bugzilla.redhat.com/show_bug.cgi?id=1595985 + +This is CVE-2018-14404. + +Thanks to Guy Inbar for the report. +--- + xpath.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/xpath.c b/xpath.c +index 3fae0bf4..5e3bb9ff 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + return(0); + } + xmlXPathBooleanFunction(ctxt, 1); +- arg1 = valuePop(ctxt); +- arg1->boolval &= arg2->boolval; +- valuePush(ctxt, arg1); ++ if (ctxt->value != NULL) ++ ctxt->value->boolval &= arg2->boolval; + xmlXPathReleaseObject(ctxt->context, arg2); + return (total); + case XPATH_OP_OR: +@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) + return(0); + } + xmlXPathBooleanFunction(ctxt, 1); +- arg1 = valuePop(ctxt); +- arg1->boolval |= arg2->boolval; +- valuePush(ctxt, arg1); ++ if (ctxt->value != NULL) ++ ctxt->value->boolval |= arg2->boolval; + xmlXPathReleaseObject(ctxt->context, arg2); + return (total); + case XPATH_OP_EQUAL: +-- +2.22.0 + diff --git a/SOURCES/libxml2-CVE-2018-9251.patch b/SOURCES/libxml2-CVE-2018-9251.patch new file mode 100644 index 0000000..150637a --- /dev/null +++ b/SOURCES/libxml2-CVE-2018-9251.patch @@ -0,0 +1,50 @@ +From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Mon, 30 Jul 2018 13:14:11 +0200 +Subject: [PATCH] Fix infinite loop in LZMA decompression +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Check the liblzma error code more thoroughly to avoid infinite loops. + +Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13 +Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914 + +This is CVE-2018-9251 and CVE-2018-14567. + +Thanks to Dongliang Mu and Simon Wörner for the reports. +--- + xzlib.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/xzlib.c b/xzlib.c +index a839169e..0ba88cfa 100644 +--- a/xzlib.c ++++ b/xzlib.c +@@ -562,6 +562,10 @@ xz_decomp(xz_statep state) + "internal error: inflate stream corrupt"); + return -1; + } ++ /* ++ * FIXME: Remapping a couple of error codes and falling through ++ * to the LZMA error handling looks fragile. ++ */ + if (ret == Z_MEM_ERROR) + ret = LZMA_MEM_ERROR; + if (ret == Z_DATA_ERROR) +@@ -587,6 +591,11 @@ xz_decomp(xz_statep state) + xz_error(state, LZMA_PROG_ERROR, "compression error"); + return -1; + } ++ if ((state->how != GZIP) && ++ (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) { ++ xz_error(state, ret, "lzma error"); ++ return -1; ++ } + } while (strm->avail_out && ret != LZMA_STREAM_END); + + /* update available output and crc check value */ +-- +2.22.0 + diff --git a/SPECS/libxml2.spec b/SPECS/libxml2.spec index 0fefbe4..ab17729 100644 --- a/SPECS/libxml2.spec +++ b/SPECS/libxml2.spec @@ -7,7 +7,7 @@ Name: libxml2 Version: 2.9.7 -Release: 5%{?dist} +Release: 7%{?dist} Summary: Library providing XML and HTML support License: MIT @@ -24,6 +24,10 @@ Patch3: libxml2-CVE-2016-9597.patch # Fix some crashes under Python 3 # https://bugzilla.gnome.org/show_bug.cgi?id=789714 Patch4: libxml2-python3-unicode-errors.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1565322 +Patch5: libxml2-CVE-2018-9251.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1595989 +Patch6: libxml2-CVE-2018-14404.patch BuildRequires: gcc BuildRequires: cmake-rpm-macros @@ -195,6 +199,12 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz %{python3_sitearch}/libxml2mod.so %changelog +* Thu Oct 24 2019 David King - 2.9.7-7 +- Fix CVE-2018-14404 (#1595989) + +* Thu Oct 24 2019 David King - 2.9.7-6 +- Fix CVE-2018-9251 (#1565322) + * Fri Aug 03 2018 Charalampos Stratakis - 2.9.7-5 - Fix some crashes under Python 3 - Conditionalize the python2 subpackage