summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/patches/libxml2-CVE-2017-15412.patch47
-rw-r--r--gnu/packages/xml.scm3
3 files changed, 50 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index fb4babfdbc..b89077e876 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -862,6 +862,7 @@ dist_patch_DATA = \
%D%/packages/patches/libxml2-CVE-2017-7376.patch \
%D%/packages/patches/libxml2-CVE-2017-9047+CVE-2017-9048.patch \
%D%/packages/patches/libxml2-CVE-2017-9049+CVE-2017-9050.patch \
+ %D%/packages/patches/libxml2-CVE-2017-15412.patch \
%D%/packages/patches/libxslt-generated-ids.patch \
%D%/packages/patches/libxslt-CVE-2016-4738.patch \
%D%/packages/patches/libxslt-CVE-2017-5029.patch \
diff --git a/gnu/packages/patches/libxml2-CVE-2017-15412.patch b/gnu/packages/patches/libxml2-CVE-2017-15412.patch
new file mode 100644
index 0000000000..07fe190ed1
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2017-15412.patch
@@ -0,0 +1,47 @@
+Fix CVE-2017-15412:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15412
+https://bugs.chromium.org/p/chromium/issues/detail?id=727039
+https://bugzilla.redhat.com/show_bug.cgi?id=1523128
+https://bugzilla.gnome.org/show_bug.cgi?id=783160
+
+Patch copied from upstream source repository:
+
+https://git.gnome.org/browse/libxml2/commit/?id=0f3b843b3534784ef57a4f9b874238aa1fda5a73
+
+From 0f3b843b3534784ef57a4f9b874238aa1fda5a73 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 1 Jun 2017 23:12:19 +0200
+Subject: [PATCH] Fix XPath stack frame logic
+
+Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in
+xmlXPathCompOpEvalPositionalPredicate to make sure that the context
+object on the stack is actually protected. Otherwise, memory corruption
+can occur when calling sloppily coded XPath extension functions.
+
+Fixes bug 783160.
+---
+ xpath.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 94815075..b816bd36 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -11932,11 +11932,11 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
+ }
+ }
+
+- frame = xmlXPathSetFrame(ctxt);
+ valuePush(ctxt, contextObj);
++ frame = xmlXPathSetFrame(ctxt);
+ res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
+- tmp = valuePop(ctxt);
+ xmlXPathPopFrame(ctxt, frame);
++ tmp = valuePop(ctxt);
+
+ if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+ while (tmp != contextObj) {
+--
+2.15.1
+
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 23b447502b..ce0d13a999 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -155,7 +155,8 @@ project (but it is usable outside of the Gnome platform).")
"libxml2-CVE-2017-7375.patch"
"libxml2-CVE-2017-7376.patch"
"libxml2-CVE-2017-9047+CVE-2017-9048.patch"
- "libxml2-CVE-2017-9049+CVE-2017-9050.patch")))))))
+ "libxml2-CVE-2017-9049+CVE-2017-9050.patch"
+ "libxml2-CVE-2017-15412.patch")))))))
(define-public python-libxml2
(package (inherit libxml2)