From 7c3f22e9c3311dcb27e9b8bd31c6fa6eb0a549d8 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Sat, 13 Jan 2018 09:16:07 -0800 Subject: gnu: libxml2: Fix CVE-2017-15412. * gnu/packages/patches/libxml2-CVE-2017-15412.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/xml.scm (libxml2/fixed)[source]: Use it. --- gnu/local.mk | 1 + gnu/packages/patches/libxml2-CVE-2017-15412.patch | 47 +++++++++++++++++++++++ gnu/packages/xml.scm | 3 +- 3 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/libxml2-CVE-2017-15412.patch (limited to 'gnu') diff --git a/gnu/local.mk b/gnu/local.mk index fb4babfdbc..b89077e876 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -862,6 +862,7 @@ dist_patch_DATA = \ %D%/packages/patches/libxml2-CVE-2017-7376.patch \ %D%/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch \ %D%/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch \ + %D%/packages/patches/libxml2-CVE-2017-15412.patch \ %D%/packages/patches/libxslt-generated-ids.patch \ %D%/packages/patches/libxslt-CVE-2016-4738.patch \ %D%/packages/patches/libxslt-CVE-2017-5029.patch \ diff --git a/gnu/packages/patches/libxml2-CVE-2017-15412.patch b/gnu/packages/patches/libxml2-CVE-2017-15412.patch new file mode 100644 index 0000000000..07fe190ed1 --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2017-15412.patch @@ -0,0 +1,47 @@ +Fix CVE-2017-15412: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15412 +https://bugs.chromium.org/p/chromium/issues/detail?id=727039 +https://bugzilla.redhat.com/show_bug.cgi?id=1523128 +https://bugzilla.gnome.org/show_bug.cgi?id=783160 + +Patch copied from upstream source repository: + +https://git.gnome.org/browse/libxml2/commit/?id=0f3b843b3534784ef57a4f9b874238aa1fda5a73 + +From 0f3b843b3534784ef57a4f9b874238aa1fda5a73 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer +Date: Thu, 1 Jun 2017 23:12:19 +0200 +Subject: [PATCH] Fix XPath stack frame logic + +Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in +xmlXPathCompOpEvalPositionalPredicate to make sure that the context +object on the stack is actually protected. Otherwise, memory corruption +can occur when calling sloppily coded XPath extension functions. + +Fixes bug 783160. +--- + xpath.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xpath.c b/xpath.c +index 94815075..b816bd36 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -11932,11 +11932,11 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt, + } + } + +- frame = xmlXPathSetFrame(ctxt); + valuePush(ctxt, contextObj); ++ frame = xmlXPathSetFrame(ctxt); + res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1); +- tmp = valuePop(ctxt); + xmlXPathPopFrame(ctxt, frame); ++ tmp = valuePop(ctxt); + + if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) { + while (tmp != contextObj) { +-- +2.15.1 + diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index 23b447502b..ce0d13a999 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -155,7 +155,8 @@ (define libxml2/fixed "libxml2-CVE-2017-7375.patch" "libxml2-CVE-2017-7376.patch" "libxml2-CVE-2017-9047+CVE-2017-9048.patch" - "libxml2-CVE-2017-9049+CVE-2017-9050.patch"))))))) + "libxml2-CVE-2017-9049+CVE-2017-9050.patch" + "libxml2-CVE-2017-15412.patch"))))))) (define-public python-libxml2 (package (inherit libxml2) -- cgit v1.2.3