~alpine/aports

[alpine-aports] [PATCH] main/libxml2: upgrade to 2.9.9

Details
Message ID
<20190116223051.4042-1-clandmeter@alpinelinux.org>
Sender timestamp
1547677851
DKIM signature
missing
Download raw message
Patch: +3 -210
---
 main/libxml2/APKBUILD                         | 12 +---
 main/libxml2/CVE-2018-14404.patch             | 54 ----------------
 .../CVE-2018-9251-CVE-2018-14567.patch        | 50 ---------------
 .../Length-related-XHTML-parsing-errors.patch | 63 -------------------
 main/libxml2/fix-utf8-error-message.patch     | 34 ----------
 5 files changed, 3 insertions(+), 210 deletions(-)
 delete mode 100644 main/libxml2/CVE-2018-14404.patch
 delete mode 100644 main/libxml2/CVE-2018-9251-CVE-2018-14567.patch
 delete mode 100644 main/libxml2/Length-related-XHTML-parsing-errors.patch
 delete mode 100644 main/libxml2/fix-utf8-error-message.patch

diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD
index 29a8a0ca83..120fab4118 100644
--- a/main/libxml2/APKBUILD
+++ b/main/libxml2/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Carlo Landmeter <clandmeter@gmail.com>
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=libxml2
pkgver=2.9.8
pkgrel=2
pkgver=2.9.9
pkgrel=0
pkgdesc="XML parsing library, version 2"
url="http://www.xmlsoft.org/"
arch="all"
@@ -14,9 +14,6 @@ subpackages="$pkgname-dbg $pkgname-doc $pkgname-dev $pkgname-utils
	py-$pkgname:_py py2-$pkgname:_py py3-$pkgname:_py"
options="!strip"
source="http://xmlsoft.org/sources/$pkgname-$pkgver.tar.gz
	CVE-2018-9251-CVE-2018-14567.patch
	CVE-2018-14404.patch
	Length-related-XHTML-parsing-errors.patch
	"
builddir="$srcdir/$pkgname-$pkgver"

@@ -111,7 +108,4 @@ utils() {
	mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}

sha512sums="28903282c7672206effa1362fd564cbe4cf5be44264b083a7d14e383f73bccd1b81bcafb5f4f2f56f5e7e05914c660e27668c9ce91b1b9f256ef5358d55ba917  libxml2-2.9.8.tar.gz
31f6cd6650b05cdd95455fd72927ef6b1f1d23ca4d8d5f776ee83277d670363dfe6bdd2c1330e8f9131212456dece2595b16868fc01f0ab750009b0a007eb513  CVE-2018-9251-CVE-2018-14567.patch
c273b88d26e475e8a7f73e92ce9a77b1025f3704f11aa129c867e08424d32f1d7d81f4a2991d0cef28db4b8e122c6b356097be24b4651ef1b5a040a466bdcd13  CVE-2018-14404.patch
939a7acd13014766b218d61256b7ac72279618f8831095f708f4713e080f45ab9d922846479d01f9995b8799bc24c38b5b73548968764d7315b6ffc9d3dc547a  Length-related-XHTML-parsing-errors.patch"
sha512sums="cb7784ba4e72e942614e12e4f83f4ceb275f3d738b30e3b5c1f25edf8e9fa6789e854685974eed95b362049dbf6c8e7357e0327d64c681ed390534ac154e6810  libxml2-2.9.9.tar.gz"
diff --git a/main/libxml2/CVE-2018-14404.patch b/main/libxml2/CVE-2018-14404.patch
deleted file mode 100644
index aa25662e94..0000000000
--- a/main/libxml2/CVE-2018-14404.patch
@@ -1,54 +0,0 @@
From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 30 Jul 2018 12:54:38 +0200
Subject: [PATCH] Fix nullptr deref with XPath logic ops

If the XPath stack is corrupted, for example by a misbehaving extension
function, the "and" and "or" XPath operators could dereference NULL
pointers. Check that the XPath stack isn't empty and optimize the
logic operators slightly.

Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5

Also see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
https://bugzilla.redhat.com/show_bug.cgi?id=1595985

This is CVE-2018-14404.

Thanks to Guy Inbar for the report.
---
 xpath.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/xpath.c b/xpath.c
index 3fae0bf4..5e3bb9ff 100644
--- a/xpath.c
+++ b/xpath.c
@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
 		return(0);
 	    }
             xmlXPathBooleanFunction(ctxt, 1);
-            arg1 = valuePop(ctxt);
-            arg1->boolval &= arg2->boolval;
-            valuePush(ctxt, arg1);
+            if (ctxt->value != NULL)
+                ctxt->value->boolval &= arg2->boolval;
 	    xmlXPathReleaseObject(ctxt->context, arg2);
             return (total);
         case XPATH_OP_OR:
@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
 		return(0);
 	    }
             xmlXPathBooleanFunction(ctxt, 1);
-            arg1 = valuePop(ctxt);
-            arg1->boolval |= arg2->boolval;
-            valuePush(ctxt, arg1);
+            if (ctxt->value != NULL)
+                ctxt->value->boolval |= arg2->boolval;
 	    xmlXPathReleaseObject(ctxt->context, arg2);
             return (total);
         case XPATH_OP_EQUAL:
--- 
2.18.1

diff --git a/main/libxml2/CVE-2018-9251-CVE-2018-14567.patch b/main/libxml2/CVE-2018-9251-CVE-2018-14567.patch
deleted file mode 100644
index 46c0c0e808..0000000000
--- a/main/libxml2/CVE-2018-9251-CVE-2018-14567.patch
@@ -1,50 +0,0 @@
From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 30 Jul 2018 13:14:11 +0200
Subject: [PATCH] Fix infinite loop in LZMA decompression
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Check the liblzma error code more thoroughly to avoid infinite loops.

Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914

This is CVE-2018-9251 and CVE-2018-14567.

Thanks to Dongliang Mu and Simon Wörner for the reports.
---
 xzlib.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/xzlib.c b/xzlib.c
index a839169e..0ba88cfa 100644
--- a/xzlib.c
+++ b/xzlib.c
@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
                          "internal error: inflate stream corrupt");
                 return -1;
             }
+            /*
+             * FIXME: Remapping a couple of error codes and falling through
+             * to the LZMA error handling looks fragile.
+             */
             if (ret == Z_MEM_ERROR)
                 ret = LZMA_MEM_ERROR;
             if (ret == Z_DATA_ERROR)
@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
             xz_error(state, LZMA_PROG_ERROR, "compression error");
             return -1;
         }
+        if ((state->how != GZIP) &&
+            (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
+            xz_error(state, ret, "lzma error");
+            return -1;
+        }
     } while (strm->avail_out && ret != LZMA_STREAM_END);
 
     /* update available output and crc check value */
--- 
2.18.1

diff --git a/main/libxml2/Length-related-XHTML-parsing-errors.patch b/main/libxml2/Length-related-XHTML-parsing-errors.patch
deleted file mode 100644
index 7a4363198e..0000000000
--- a/main/libxml2/Length-related-XHTML-parsing-errors.patch
@@ -1,63 +0,0 @@
From 7a1bd7f6497ac33a9023d556f6f47a48f01deac0 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sat, 17 Mar 2018 00:03:24 +0100
Subject: [PATCH] Revert "Change calls to xmlCharEncInput to set flush false"

This reverts commit 6e6ae5daa6cd9640c9a83c1070896273e9b30d14 which
broke decoding of larger documents with ICU.

See https://bugs.chromium.org/p/chromium/issues/detail?id=820163
---
 HTMLparser.c      | 2 +-
 parserInternals.c | 2 +-
 xmlIO.c           | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/HTMLparser.c b/HTMLparser.c
index 9adeb174..7e243e60 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -3635,7 +3635,7 @@ htmlCheckEncodingDirect(htmlParserCtxtPtr ctxt, const xmlChar *encoding) {
 	     */
 	    processed = ctxt->input->cur - ctxt->input->base;
 	    xmlBufShrink(ctxt->input->buf->buffer, processed);
-	    nbchars = xmlCharEncInput(ctxt->input->buf, 0);
+	    nbchars = xmlCharEncInput(ctxt->input->buf, 1);
 	    if (nbchars < 0) {
 		htmlParseErr(ctxt, XML_ERR_INVALID_ENCODING,
 		             "htmlCheckEncoding: encoder error\n",
diff --git a/parserInternals.c b/parserInternals.c
index 8c0cd57a..09876ab4 100644
--- a/parserInternals.c
+++ b/parserInternals.c
@@ -1214,7 +1214,7 @@ xmlSwitchInputEncodingInt(xmlParserCtxtPtr ctxt, xmlParserInputPtr input,
                 /*
                  * convert as much as possible of the buffer
                  */
-                nbchars = xmlCharEncInput(input->buf, 0);
+                nbchars = xmlCharEncInput(input->buf, 1);
             } else {
                 /*
                  * convert just enough to get
diff --git a/xmlIO.c b/xmlIO.c
index 82543477..f61dd05a 100644
--- a/xmlIO.c
+++ b/xmlIO.c
@@ -3157,7 +3157,7 @@ xmlParserInputBufferPush(xmlParserInputBufferPtr in,
 	 * convert as much as possible to the parser reading buffer.
 	 */
 	use = xmlBufUse(in->raw);
-	nbchars = xmlCharEncInput(in, 0);
+	nbchars = xmlCharEncInput(in, 1);
 	if (nbchars < 0) {
 	    xmlIOErr(XML_IO_ENCODER, NULL);
 	    in->error = XML_IO_ENCODER;
@@ -3273,7 +3273,7 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) {
 	 * convert as much as possible to the parser reading buffer.
 	 */
 	use = xmlBufUse(in->raw);
-	nbchars = xmlCharEncInput(in, 0);
+	nbchars = xmlCharEncInput(in, 1);
 	if (nbchars < 0) {
 	    xmlIOErr(XML_IO_ENCODER, NULL);
 	    in->error = XML_IO_ENCODER;
\ No newline at end of file
diff --git a/main/libxml2/fix-utf8-error-message.patch b/main/libxml2/fix-utf8-error-message.patch
deleted file mode 100644
index e87dcdedf8..0000000000
--- a/main/libxml2/fix-utf8-error-message.patch
@@ -1,34 +0,0 @@
Index: libxml2-2.9.5/python/libxml.c
===================================================================
--- libxml2-2.9.5.orig/python/libxml.c
+++ libxml2-2.9.5/python/libxml.c
@@ -1620,6 +1620,7 @@ libxml_xmlErrorFuncHandler(ATTRIBUTE_UNU
     PyObject *message;
     PyObject *result;
     char str[1000];
+    unsigned char *ptr = (unsigned char *)str;
 
 #ifdef DEBUG_ERROR
     printf("libxml_xmlErrorFuncHandler(%p, %s, ...) called\n", ctx, msg);
@@ -1636,12 +1637,20 @@ libxml_xmlErrorFuncHandler(ATTRIBUTE_UNU
 	    str[999] = 0;
         va_end(ap);
 
+#if PY_MAJOR_VERSION >= 3
+        /* Ensure the error string doesn't start at UTF8 continuation. */
+        while (*ptr && (*ptr & 0xc0) == 0x80)
+            ptr++;
+#endif
+
         list = PyTuple_New(2);
         PyTuple_SetItem(list, 0, libxml_xmlPythonErrorFuncCtxt);
         Py_XINCREF(libxml_xmlPythonErrorFuncCtxt);
-        message = libxml_charPtrConstWrap(str);
+        message = libxml_charPtrConstWrap(ptr);
         PyTuple_SetItem(list, 1, message);
         result = PyEval_CallObject(libxml_xmlPythonErrorFuncHandler, list);
+        /* Forget any errors caused in the error handler. */
+        PyErr_Clear();
         Py_XDECREF(list);
         Py_XDECREF(result);
     }
-- 
2.20.1



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---
Reply to thread Export thread (mbox)