commit: 2acfef7fc1cc4d4ccff0783c4b4fc38dfc989226 |
Author: Micah Morton <mortonm <AT> chromium <DOT> org> |
AuthorDate: Fri Oct 19 18:01:18 2018 +0000 |
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org> |
CommitDate: Thu Jan 3 11:21:44 2019 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2acfef7f |
|
dev-libs/libxml2: fix CVE-2018-14567 |
|
Signed-off-by: Micah Morton <mortonm <AT> chromium.org> |
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org> |
|
.../files/libxml2-2.9.8-CVE-2018-14567.patch | 50 ++++++++++++++++++++++ |
dev-libs/libxml2/libxml2-2.9.8-r1.ebuild | 4 ++ |
2 files changed, 54 insertions(+) |
|
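diff --git a/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14567.patch b/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14567.patch
new file mode 100644
index 00000000000..0d289352d2f
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14567.patch
@@ -0,0 +1,50 @@
+From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@×××××.de>
+Date: Mon, 30 Jul 2018 13:14:11 +0200
+Subject: [PATCH] Fix infinite loop in LZMA decompression
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Check the liblzma error code more thoroughly to avoid infinite loops.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
+Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
+
+This is CVE-2018-9251 and CVE-2018-14567.
+
+Thanks to Dongliang Mu and Simon Wörner for the reports.
+---
+ xzlib.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index a839169ef2ec..0ba88cfa849d 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
+ "internal error: inflate stream corrupt");
+ return -1;
+ }
++ /*
++ * FIXME: Remapping a couple of error codes and falling through
++ * to the LZMA error handling looks fragile.
++ */
+ if (ret == Z_MEM_ERROR)
+ ret = LZMA_MEM_ERROR;
+ if (ret == Z_DATA_ERROR)
+@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
+ xz_error(state, LZMA_PROG_ERROR, "compression error");
+ return -1;
+ }
++ if ((state->how != GZIP) &&
++ (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
++ xz_error(state, ret, "lzma error");
++ return -1;
++ }
+ } while (strm->avail_out && ret != LZMA_STREAM_END);
+
+ /* update available output and crc check value */
+--
+2.19.1
+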
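Review bot: The guard added before the `while` test in the second xzlib.c hunk is skipped when `state->how == GZIP`, and nothing in the patch says why. The only zlib codes handled in the visible context are the stream-corrupt branch and the `Z_MEM_ERROR`/`Z_DATA_ERROR` remapping, which the new FIXME itself calls fragile. I would put a comment on the guard such as `/* zlib codes were remapped above; any other liblzma status (e.g. LZMA_BUF_ERROR) is fatal, otherwise this loop never terminates */`. It is also worth confirming that no other inflate() return value can reach the loop condition while `avail_out` is still non-zero. xz_decomp starts and ends outside both hunks, so the GZIP branch cannot be fully checked from here.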
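diff --git a/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild b/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild
index 1a798958bcb..43da94cafed 100644
--- a/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild
+++ b/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild
@@ -88,6 +88,10 @@ src_prepare() {
 # https://bugzilla.gnome.org/show_bug.cgi?id=775200
 eapply "${FILESDIR}"/${PN}-2.9.8-CVE-2017-8872.patch
 
+ # CVE-2018-14567
+ # https://bugzilla.gnome.org/show_bug.cgi?id=794914
+ eapply "${FILESDIR}"/${PN}-2.9.8-CVE-2018-14567.patch
+
 if [[ ${CHOST} == *-darwin* ]] ; then
 # Avoid final linking arguments for python modules
 sed -i -e '/PYTHON_LIBS/s/ldflags/libs/' configure.ac || die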
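Review bot: The security patch is wired into the existing `libxml2-2.9.8-r1.ebuild` in place, so a system that already built -r1 sees no new revision to upgrade to and may keep running the unpatched xzlib.c. A fix like this normally ships with a revision bump; it is worth confirming whether -r1 had already reached users before this commit. The comment above the new `eapply` also names only CVE-2018-14567, while the patch header states it covers CVE-2018-9251 as well; `# CVE-2018-9251, CVE-2018-14567` would keep both identifiers searchable for audits. src_prepare() continues outside the hunk.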