libxml2: CVE-2018-14404

* CVE-2018-14404 A null pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 when parsing invalid XPath expression. Applications processing untrusted XSL format inputs with the use of libxml2 library may be vulnerable to denial of service attack due to crash of the application. Affects libxml <= 2.9.8 CVE: CVE-2018-14404 Ref: https://access.redhat.com/security/cve/cve-2018-14404 (From OE-Core rev: 06d7f9039b005c2112e28336ac1c30e5120ec815) Signed-off-by: Sinan Kaya <okaya@kernel.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Sinan Kaya <okaya@kernel.org> 2018-10-05 00:39:07 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-10-18 11:08:53 +0100
commit: 536412ec4d1eccd1e7b7cc5fbf239bf34cbcbca5 (patch)
tree: 565f8a1510546f79d794f8690e396ad9afe3d934 /meta/recipes-core
parent: 967d42170e079a065f6088ba21032e0b1cf734d9 (diff)
download: poky-536412ec4d1eccd1e7b7cc5fbf239bf34cbcbca5.tar.gz
2 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2018-14404.patch b/meta/recipes-core/libxml/libxml2/CVE-2018-14404.patch
new file mode 100644
index 0000000000..af3e7b2af9
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2018-14404.patch
@@ -0,0 +1,58 @@
+From 29115868c92c81a4119b05ea95b3c91608a0b6e8 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 12:54:38 +0200
+Subject: [PATCH] Fix nullptr deref with XPath logic ops
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
+Also see
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+This is CVE-2018-14404.
+Thanks to Guy Inbar for the report.
+CVE: CVE-2018-14404
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594]
+Signed-off-by: Sinan Kaya <okaya@kernel.org>
+---
+ xpath.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+diff --git a/xpath.c b/xpath.c
+index 35274731..3fcdc9e1 100644
+--- a/xpath.c
+++ b/xpath.c
+@@ -13337,9 +13337,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+                return(0);
+            }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval &= arg2->boolval;
+-            valuePush(ctxt, arg1);
+            if (ctxt->value != NULL)
+                ctxt->value->boolval &= arg2->boolval;
+            xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_OR:
+@@ -13363,9 +13362,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+                return(0);
+            }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval |= arg2->boolval;
+-            valuePush(ctxt, arg1);
+            if (ctxt->value != NULL)
+                ctxt->value->boolval |= arg2->boolval;
+            xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_EQUAL:
+-- 
+2.19.0
diff --git a/meta/recipes-core/libxml/libxml2_2.9.7.bb b/meta/recipes-core/libxml/libxml2_2.9.7.bb
index deb3488a7a..c749a81657 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.7.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.7.bb
@@ -21,6 +21,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
           file://libxml-m4-use-pkgconfig.patch \
           file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
           file://fix-execution-of-ptests.patch \
+           file://CVE-2018-14404.patch \
           "
 SRC_URI[libtar.md5sum] = "896608641a08b465098a40ddf51cefba"
author	Sinan Kaya <okaya@kernel.org>	2018-10-05 00:39:07 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-10-18 11:08:53 +0100
commit	536412ec4d1eccd1e7b7cc5fbf239bf34cbcbca5 (patch)
tree	565f8a1510546f79d794f8690e396ad9afe3d934 /meta/recipes-core
parent	967d42170e079a065f6088ba21032e0b1cf734d9 (diff)
download	poky-536412ec4d1eccd1e7b7cc5fbf239bf34cbcbca5.tar.gz

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2018-14404.patch b/meta/recipes-core/libxml/libxml2/CVE-2018-14404.patch new file mode 100644 index 0000000000..af3e7b2af9 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2018-14404.patch
@@ -0,0 +1,58 @@
		1	From 29115868c92c81a4119b05ea95b3c91608a0b6e8 Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Mon, 30 Jul 2018 12:54:38 +0200
		4	Subject: [PATCH] Fix nullptr deref with XPath logic ops
		5
		6	If the XPath stack is corrupted, for example by a misbehaving extension
		7	function, the "and" and "or" XPath operators could dereference NULL
		8	pointers. Check that the XPath stack isn't empty and optimize the
		9	logic operators slightly.
		10
		11	Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
		12
		13	Also see
		14	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
		15	https://bugzilla.redhat.com/show_bug.cgi?id=1595985
		16
		17	This is CVE-2018-14404.
		18
		19	Thanks to Guy Inbar for the report.
		20
		21	CVE: CVE-2018-14404
		22	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594]
		23	Signed-off-by: Sinan Kaya <okaya@kernel.org>
		24	---
		25	xpath.c \| 10 ++++------
		26	1 file changed, 4 insertions(+), 6 deletions(-)
		27
		28	diff --git a/xpath.c b/xpath.c
		29	index 35274731..3fcdc9e1 100644
		30	--- a/xpath.c
		31	+++ b/xpath.c
		32	@@ -13337,9 +13337,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
		33	return(0);
		34	}
		35	xmlXPathBooleanFunction(ctxt, 1);
		36	- arg1 = valuePop(ctxt);
		37	- arg1->boolval &= arg2->boolval;
		38	- valuePush(ctxt, arg1);
		39	+ if (ctxt->value != NULL)
		40	+ ctxt->value->boolval &= arg2->boolval;
		41	xmlXPathReleaseObject(ctxt->context, arg2);
		42	return (total);
		43	case XPATH_OP_OR:
		44	@@ -13363,9 +13362,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
		45	return(0);
		46	}
		47	xmlXPathBooleanFunction(ctxt, 1);
		48	- arg1 = valuePop(ctxt);
		49	- arg1->boolval \|= arg2->boolval;
		50	- valuePush(ctxt, arg1);
		51	+ if (ctxt->value != NULL)
		52	+ ctxt->value->boolval \|= arg2->boolval;
		53	xmlXPathReleaseObject(ctxt->context, arg2);
		54	return (total);
		55	case XPATH_OP_EQUAL:
		56	--
		57	2.19.0
		58


diff --git a/meta/recipes-core/libxml/libxml2_2.9.7.bb b/meta/recipes-core/libxml/libxml2_2.9.7.bb index deb3488a7a..c749a81657 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.7.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.7.bb
@@ -21,6 +21,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
21	file://libxml-m4-use-pkgconfig.patch \	21	file://libxml-m4-use-pkgconfig.patch \
22	file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \	22	file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
23	file://fix-execution-of-ptests.patch \	23	file://fix-execution-of-ptests.patch \
		24	file://CVE-2018-14404.patch \
24	"	25	"
25		26
26	SRC_URI[libtar.md5sum] = "896608641a08b465098a40ddf51cefba"	27	SRC_URI[libtar.md5sum] = "896608641a08b465098a40ddf51cefba"