GNU bug report logs - #30099
[PATCH 1/2] gnu: libxml2: Fix CVE-2017-15412.

Package: guix-patches;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sat, 13 Jan 2018 18:10:03 UTC

Severity: normal

Tags: patch

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.


Report forwarded to guix-patches <at> gnu.org:
bug#30099; Package guix-patches. (Sat, 13 Jan 2018 18:10:03 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sat, 13 Jan 2018 18:10:03 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: guix-patches <at> gnu.org
Subject: [PATCH 1/2] gnu: libxml2: Fix CVE-2017-15412.
Date: Sat, 13 Jan 2018 10:08:53 -0800

* gnu/packages/patches/libxml2-CVE-2017-15412.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/xml.scm (libxml2/fixed)[source]: Use it.
---
 gnu/local.mk                                      |  1 +
 gnu/packages/patches/libxml2-CVE-2017-15412.patch | 47 +++++++++++++++++++++++
 gnu/packages/xml.scm                              |  3 +-
 3 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/libxml2-CVE-2017-15412.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 6af8bfc4b..bea676c04 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -860,6 +860,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/libxml2-CVE-2017-7376.patch		\
   %D%/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch	\
   %D%/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch	\
+  %D%/packages/patches/libxml2-CVE-2017-15412.patch		\
   %D%/packages/patches/libxslt-generated-ids.patch		\
   %D%/packages/patches/libxslt-CVE-2016-4738.patch		\
   %D%/packages/patches/libxslt-CVE-2017-5029.patch		\
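Review bot: the added `libxml2-CVE-2017-15412.patch` entry sits after `libxml2-CVE-2017-9049+CVE-2017-9050.patch`, which is numeric CVE order, whereas a byte-wise sort would put `15412` ahead of the `7376` entry visible above. If `dist_patch_DATA` is meant to stay sorted, it is worth settling which ordering applies, or moving the line, so later libxml2 entries do not drift.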
diff --git a/gnu/packages/patches/libxml2-CVE-2017-15412.patch b/gnu/packages/patches/libxml2-CVE-2017-15412.patch
new file mode 100644
index 000000000..07fe190ed
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2017-15412.patch
@@ -0,0 +1,47 @@
+Fix CVE-2017-15412:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15412
+https://bugs.chromium.org/p/chromium/issues/detail?id=727039
+https://bugzilla.redhat.com/show_bug.cgi?id=1523128
+https://bugzilla.gnome.org/show_bug.cgi?id=783160
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/libxml2/commit/?id=0f3b843b3534784ef57a4f9b874238aa1fda5a73
+
+From 0f3b843b3534784ef57a4f9b874238aa1fda5a73 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer <at> aevum.de>
+Date: Thu, 1 Jun 2017 23:12:19 +0200
+Subject: [PATCH] Fix XPath stack frame logic
+
+Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in
+xmlXPathCompOpEvalPositionalPredicate to make sure that the context
+object on the stack is actually protected. Otherwise, memory corruption
+can occur when calling sloppily coded XPath extension functions.
+
+Fixes bug 783160.
+---
+ xpath.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 94815075..b816bd36 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -11932,11 +11932,11 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
+ 		}
+ 	    }
+ 
+-            frame = xmlXPathSetFrame(ctxt);
+ 	    valuePush(ctxt, contextObj);
++            frame = xmlXPathSetFrame(ctxt);
+ 	    res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
+-            tmp = valuePop(ctxt);
+             xmlXPathPopFrame(ctxt, frame);
++            tmp = valuePop(ctxt);
+ 
+ 	    if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+                 while (tmp != contextObj) {
+-- 
+2.15.1
+
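Review bot: in the embedded `xpath.c` hunk the fix rests entirely on statement order and nothing guards it. `valuePush(ctxt, contextObj)` has to come before `xmlXPathSetFrame` so the context object lies outside the frame handed to the predicate evaluation, and `xmlXPathPopFrame` has to come before `valuePop` so the previous frame is restored before the context object is popped. The diffstat shows `xpath.c` as the only file changed, so no regression test travels with the patch; when it is refreshed against a newer libxml2, check both orderings by hand, and check that the unchanged `while (tmp != contextObj)` error path still finds `contextObj` on the stack. The provenance header, with the upstream commit URL and the four tracker links, is what makes that check possible and should stay in the file.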
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 23b447502..ce0d13a99 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -155,7 +155,8 @@ project (but it is usable outside of the Gnome platform).")
                         "libxml2-CVE-2017-7375.patch"
                         "libxml2-CVE-2017-7376.patch"
                         "libxml2-CVE-2017-9047+CVE-2017-9048.patch"
-                        "libxml2-CVE-2017-9049+CVE-2017-9050.patch")))))))
+                        "libxml2-CVE-2017-9049+CVE-2017-9050.patch"
+                        "libxml2-CVE-2017-15412.patch")))))))
 
 (define-public python-libxml2
   (package (inherit libxml2)
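Review bot: the new `"libxml2-CVE-2017-15412.patch"` entry goes into the source of `libxml2/fixed` (per the commit message), but the trailing context shows `python-libxml2` still defined with `(package (inherit libxml2)`, so on its own this commit leaves that package building from the source without the fix. The follow-up quoted in the reply switches it to `package/inherit`; the two commits should be pushed together, or this commit message should mention the dependency, so nobody cherry-picks 1/2 alone and assumes every libxml2 consumer is covered.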
-- 
2.15.1





Information forwarded to guix-patches <at> gnu.org:
bug#30099; Package guix-patches. (Tue, 16 Jan 2018 14:32:02 GMT)

Message #8 received at 30099 <at> debbugs.gnu.org:

From: ludo <at> gnu.org (Ludovic Courtès)
To: Leo Famulari <leo <at> famulari.name>
Cc: 30099 <at> debbugs.gnu.org
Subject: Re: [bug#30099] [PATCH 1/2] gnu: libxml2: Fix CVE-2017-15412.
Date: Tue, 16 Jan 2018 15:31:11 +0100

Leo Famulari <leo <at> famulari.name> writes:

> * gnu/packages/patches/libxml2-CVE-2017-15412.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/xml.scm (libxml2/fixed)[source]: Use it.

[...]

> Previously, python-libxml2 would inherit the ungrafted libxml2, missing
> several patches on the libxml2 source code.
>
> * gnu/packages/xml.scm (python-libxml2, python2-libxml2): Use
> package/inherit.

LGTM, thanks!

Ludo'.




Bug closed; send any further explanations to 30099 <at> debbugs.gnu.org and Leo Famulari <leo <at> famulari.name>. Request was from Leo Famulari <leo <at> famulari.name> to control <at> debbugs.gnu.org. (Tue, 16 Jan 2018 18:39:02 GMT)

Bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 14 Feb 2018 12:24:06 GMT)
