mirror of
https://git.yoctoproject.org/poky
synced 2026-02-12 11:43:04 +01:00
536412ec4d
* CVE-2018-14404 A null pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 when parsing invalid XPath expression. Applications processing untrusted XSL format inputs with the use of libxml2 library may be vulnerable to denial of service attack due to crash of the application. Affects libxml <= 2.9.8 CVE: CVE-2018-14404 Ref: https://access.redhat.com/security/cve/cve-2018-14404 (From OE-Core rev: 06d7f9039b005c2112e28336ac1c30e5120ec815) Signed-off-by: Sinan Kaya <okaya@kernel.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
59 lines
2.0 KiB
Diff
59 lines
2.0 KiB
Diff
From 29115868c92c81a4119b05ea95b3c91608a0b6e8 Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Mon, 30 Jul 2018 12:54:38 +0200
|
|
Subject: [PATCH] Fix nullptr deref with XPath logic ops
|
|
|
|
If the XPath stack is corrupted, for example by a misbehaving extension
|
|
function, the "and" and "or" XPath operators could dereference NULL
|
|
pointers. Check that the XPath stack isn't empty and optimize the
|
|
logic operators slightly.
|
|
|
|
Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
|
|
|
|
Also see
|
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=1595985
|
|
|
|
This is CVE-2018-14404.
|
|
|
|
Thanks to Guy Inbar for the report.
|
|
|
|
CVE: CVE-2018-14404
|
|
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594]
|
|
Signed-off-by: Sinan Kaya <okaya@kernel.org>
|
|
---
|
|
xpath.c | 10 ++++------
|
|
1 file changed, 4 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/xpath.c b/xpath.c
|
|
index 35274731..3fcdc9e1 100644
|
|
--- a/xpath.c
|
|
+++ b/xpath.c
|
|
@@ -13337,9 +13337,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
|
|
return(0);
|
|
}
|
|
xmlXPathBooleanFunction(ctxt, 1);
|
|
- arg1 = valuePop(ctxt);
|
|
- arg1->boolval &= arg2->boolval;
|
|
- valuePush(ctxt, arg1);
|
|
+ if (ctxt->value != NULL)
|
|
+ ctxt->value->boolval &= arg2->boolval;
|
|
xmlXPathReleaseObject(ctxt->context, arg2);
|
|
return (total);
|
|
case XPATH_OP_OR:
|
|
@@ -13363,9 +13362,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
|
|
return(0);
|
|
}
|
|
xmlXPathBooleanFunction(ctxt, 1);
|
|
- arg1 = valuePop(ctxt);
|
|
- arg1->boolval |= arg2->boolval;
|
|
- valuePush(ctxt, arg1);
|
|
+ if (ctxt->value != NULL)
|
|
+ ctxt->value->boolval |= arg2->boolval;
|
|
xmlXPathReleaseObject(ctxt->context, arg2);
|
|
return (total);
|
|
case XPATH_OP_EQUAL:
|
|
--
|
|
2.19.0
|
|
|