2 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2018-14404.patch b/meta/recipes-core/libxml/libxml2/CVE-2018-14404.patch
new file mode 100644
index 0000000000..af3e7b2af9
--- /dev/null
+++ b/meta/recipes-core/libxml/libxml2/CVE-2018-14404.patch
@@ -0,0 +1,58 @@
+From 29115868c92c81a4119b05ea95b3c91608a0b6e8 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 12:54:38 +0200
+Subject: [PATCH] Fix nullptr deref with XPath logic ops
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
+Also see
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+This is CVE-2018-14404.
+Thanks to Guy Inbar for the report.
+CVE: CVE-2018-14404
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594]
+Signed-off-by: Sinan Kaya <okaya@kernel.org>
+---
+ xpath.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+diff --git a/xpath.c b/xpath.c
+index 35274731..3fcdc9e1 100644
+--- a/xpath.c
+++ b/xpath.c
+@@ -13337,9 +13337,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+                return(0);
+            }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval &= arg2->boolval;
+-            valuePush(ctxt, arg1);
+            if (ctxt->value != NULL)
+                ctxt->value->boolval &= arg2->boolval;
+            xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_OR:
+@@ -13363,9 +13362,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+                return(0);
+            }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval |= arg2->boolval;
+-            valuePush(ctxt, arg1);
+            if (ctxt->value != NULL)
+                ctxt->value->boolval |= arg2->boolval;
+            xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_EQUAL:
+-- 
+2.19.0
diff --git a/meta/recipes-core/libxml/libxml2_2.9.7.bb b/meta/recipes-core/libxml/libxml2_2.9.7.bb
index deb3488a7a..c749a81657 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.7.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.7.bb
@@ -21,6 +21,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
           file://libxml-m4-use-pkgconfig.patch \
           file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
           file://fix-execution-of-ptests.patch \
+           file://CVE-2018-14404.patch \
           "
 SRC_URI[libtar.md5sum] = "896608641a08b465098a40ddf51cefba"

diff --git a/meta/recipes-core/libxml/libxml2/CVE-2018-14404.patch b/meta/recipes-core/libxml/libxml2/CVE-2018-14404.patch new file mode 100644 index 0000000000..af3e7b2af9 --- /dev/null +++ b/meta/recipes-core/libxml/libxml2/CVE-2018-14404.patch
@@ -0,0 +1,58 @@
		1	From 29115868c92c81a4119b05ea95b3c91608a0b6e8 Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Mon, 30 Jul 2018 12:54:38 +0200
		4	Subject: [PATCH] Fix nullptr deref with XPath logic ops
		5
		6	If the XPath stack is corrupted, for example by a misbehaving extension
		7	function, the "and" and "or" XPath operators could dereference NULL
		8	pointers. Check that the XPath stack isn't empty and optimize the
		9	logic operators slightly.
		10
		11	Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
		12
		13	Also see
		14	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
		15	https://bugzilla.redhat.com/show_bug.cgi?id=1595985
		16
		17	This is CVE-2018-14404.
		18
		19	Thanks to Guy Inbar for the report.
		20
		21	CVE: CVE-2018-14404
		22	Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594]
		23	Signed-off-by: Sinan Kaya <okaya@kernel.org>
		24	---
		25	xpath.c \| 10 ++++------
		26	1 file changed, 4 insertions(+), 6 deletions(-)
		27
		28	diff --git a/xpath.c b/xpath.c
		29	index 35274731..3fcdc9e1 100644
		30	--- a/xpath.c
		31	+++ b/xpath.c
		32	@@ -13337,9 +13337,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
		33	return(0);
		34	}
		35	xmlXPathBooleanFunction(ctxt, 1);
		36	- arg1 = valuePop(ctxt);
		37	- arg1->boolval &= arg2->boolval;
		38	- valuePush(ctxt, arg1);
		39	+ if (ctxt->value != NULL)
		40	+ ctxt->value->boolval &= arg2->boolval;
		41	xmlXPathReleaseObject(ctxt->context, arg2);
		42	return (total);
		43	case XPATH_OP_OR:
		44	@@ -13363,9 +13362,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
		45	return(0);
		46	}
		47	xmlXPathBooleanFunction(ctxt, 1);
		48	- arg1 = valuePop(ctxt);
		49	- arg1->boolval \|= arg2->boolval;
		50	- valuePush(ctxt, arg1);
		51	+ if (ctxt->value != NULL)
		52	+ ctxt->value->boolval \|= arg2->boolval;
		53	xmlXPathReleaseObject(ctxt->context, arg2);
		54	return (total);
		55	case XPATH_OP_EQUAL:
		56	--
		57	2.19.0
		58


diff --git a/meta/recipes-core/libxml/libxml2_2.9.7.bb b/meta/recipes-core/libxml/libxml2_2.9.7.bb index deb3488a7a..c749a81657 100644 --- a/meta/recipes-core/libxml/libxml2_2.9.7.bb +++ b/meta/recipes-core/libxml/libxml2_2.9.7.bb
@@ -21,6 +21,7 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
21	file://libxml-m4-use-pkgconfig.patch \	21	file://libxml-m4-use-pkgconfig.patch \
22	file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \	22	file://0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch \
23	file://fix-execution-of-ptests.patch \	23	file://fix-execution-of-ptests.patch \
		24	file://CVE-2018-14404.patch \
24	"	25	"
25		26
26	SRC_URI[libtar.md5sum] = "896608641a08b465098a40ddf51cefba"	27	SRC_URI[libtar.md5sum] = "896608641a08b465098a40ddf51cefba"