2 files changed, 46 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/fix-CVE-2018-14404.patch b/meta/recipes-core/libxml/libxml2/fix-CVE-2018-14404.patch
new file mode 100644
index 0000000000..21668e25ad
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/fix-CVE-2018-14404.patch
@@ -0,0 +1,45 @@
+libxml2-2.9.8: Fix CVE-2018-14404
+[No upstream tracking] -- https://gitlab.gnome.org/GNOME/libxml2/issues/5
+ -- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+ -- https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+xpath: Fix nullptr deref with XPath logic ops
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594]
+CVE: CVE-2018-14404
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+diff --git a/xpath.c b/xpath.c
+index f440696..75cac5c 100644
+--- a/xpath.c
+++ b/xpath.c
+@@ -13297,9 +13297,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+                return(0);
+            }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval &= arg2->boolval;
+-            valuePush(ctxt, arg1);
+           if (ctxt->value != NULL)
+               ctxt->value->boolval &= arg2->boolval;
+            xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_OR:
+@@ -13323,9 +13322,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+                return(0);
+            }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval |= arg2->boolval;
+-            valuePush(ctxt, arg1);
+           if (ctxt->value != NULL)
+               ctxt->value->boolval |= arg2->boolval;
+            xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_EQUAL:
diff --git a/meta/recipes-core/libxml/libxml2_2.9.8.bb b/meta/recipes-core/libxml/libxml2_2.9.8.bb
index 27a648e97a..4ebd2ef383 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.8.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.8.bb
@@ -21,6 +21,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
           file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
           file://fix-execution-of-ptests.patch \
           file://fix-CVE-2017-8872.patch \
+           file://fix-CVE-2018-14404.patch \
           "
 SRC_URI[libtar.md5sum] = "b786e353e2aa1b872d70d5d1ca0c740d"

diff --git a/meta/recipes-core/libxml/libxml2/fix-CVE-2018-14404.patch b/meta/recipes-core/libxml/libxml2/fix-CVE-2018-14404.patch new file mode 100644 index 0000000000..21668e25ad --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/fix-CVE-2018-14404.patch
@@ -0,0 +1,45 @@
		1	libxml2-2.9.8: Fix CVE-2018-14404
		2
		3	[No upstream tracking] -- https://gitlab.gnome.org/GNOME/libxml2/issues/5
		4	-- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
		5	-- https://bugzilla.redhat.com/show_bug.cgi?id=1595985
		6
		7	xpath: Fix nullptr deref with XPath logic ops
		8
		9	If the XPath stack is corrupted, for example by a misbehaving extension
		10	function, the "and" and "or" XPath operators could dereference NULL
		11	pointers. Check that the XPath stack isn't empty and optimize the
		12	logic operators slightly.
		13
		14	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594]
		15	CVE: CVE-2018-14404
		16	Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
		17
		18	diff --git a/xpath.c b/xpath.c
		19	index f440696..75cac5c 100644
		20	--- a/xpath.c
		21	+++ b/xpath.c
		22	@@ -13297,9 +13297,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
		23	return(0);
		24	}
		25	xmlXPathBooleanFunction(ctxt, 1);
		26	- arg1 = valuePop(ctxt);
		27	- arg1->boolval &= arg2->boolval;
		28	- valuePush(ctxt, arg1);
		29	+ if (ctxt->value != NULL)
		30	+ ctxt->value->boolval &= arg2->boolval;
		31	xmlXPathReleaseObject(ctxt->context, arg2);
		32	return (total);
		33	case XPATH_OP_OR:
		34	@@ -13323,9 +13322,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
		35	return(0);
		36	}
		37	xmlXPathBooleanFunction(ctxt, 1);
		38	- arg1 = valuePop(ctxt);
		39	- arg1->boolval \|= arg2->boolval;
		40	- valuePush(ctxt, arg1);
		41	+ if (ctxt->value != NULL)
		42	+ ctxt->value->boolval \|= arg2->boolval;
		43	xmlXPathReleaseObject(ctxt->context, arg2);
		44	return (total);
		45	case XPATH_OP_EQUAL:


diff --git a/meta/recipes-core/libxml/libxml2_2.9.8.bb b/meta/recipes-core/libxml/libxml2_2.9.8.bb index 27a648e97a..4ebd2ef383 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.8.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.8.bb
@@ -21,6 +21,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
21	file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \	21	file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
22	file://fix-execution-of-ptests.patch \	22	file://fix-execution-of-ptests.patch \
23	file://fix-CVE-2017-8872.patch \	23	file://fix-CVE-2017-8872.patch \
		24	file://fix-CVE-2018-14404.patch \
24	"	25	"
25		26
26	SRC_URI[libtar.md5sum] = "b786e353e2aa1b872d70d5d1ca0c740d"	27	SRC_URI[libtar.md5sum] = "b786e353e2aa1b872d70d5d1ca0c740d"