| 1 |
commit: 2acfef7fc1cc4d4ccff0783c4b4fc38dfc989226 |
| 2 |
Author: Micah Morton <mortonm <AT> chromium <DOT> org> |
| 3 |
AuthorDate: Fri Oct 19 18:01:18 2018 +0000 |
| 4 |
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Thu Jan 3 11:21:44 2019 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2acfef7f |
| 7 |
|
| 8 |
dev-libs/libxml2: fix CVE-2018-14567 |
| 9 |
|
| 10 |
Signed-off-by: Micah Morton <mortonm <AT> chromium.org> |
| 11 |
Signed-off-by: Mike Frysinger <vapier <AT> gentoo.org> |
| 12 |
|
| 13 |
.../files/libxml2-2.9.8-CVE-2018-14567.patch | 50 ++++++++++++++++++++++ |
| 14 |
dev-libs/libxml2/libxml2-2.9.8-r1.ebuild | 4 ++ |
| 15 |
2 files changed, 54 insertions(+) |
| 16 |
|
| 17 |
diff --git a/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14567.patch b/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14567.patch |
| 18 |
new file mode 100644 |
| 19 |
index 00000000000..0d289352d2f |
| 20 |
--- /dev/null |
| 21 |
+++ b/dev-libs/libxml2/files/libxml2-2.9.8-CVE-2018-14567.patch |
| 22 |
@@ -0,0 +1,50 @@ |
| 23 |
+From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001 |
| 24 |
+From: Nick Wellnhofer <wellnhofer@×××××.de> |
| 25 |
+Date: Mon, 30 Jul 2018 13:14:11 +0200 |
| 26 |
+Subject: [PATCH] Fix infinite loop in LZMA decompression |
| 27 |
+MIME-Version: 1.0 |
| 28 |
+Content-Type: text/plain; charset=UTF-8 |
| 29 |
+Content-Transfer-Encoding: 8bit |
| 30 |
+ |
| 31 |
+Check the liblzma error code more thoroughly to avoid infinite loops. |
| 32 |
+ |
| 33 |
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13 |
| 34 |
+Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914 |
| 35 |
+ |
| 36 |
+This is CVE-2018-9251 and CVE-2018-14567. |
| 37 |
+ |
| 38 |
+Thanks to Dongliang Mu and Simon Wörner for the reports. |
| 39 |
+--- |
| 40 |
+ xzlib.c | 9 +++++++++ |
| 41 |
+ 1 file changed, 9 insertions(+) |
| 42 |
+ |
| 43 |
+diff --git a/xzlib.c b/xzlib.c |
| 44 |
+index a839169ef2ec..0ba88cfa849d 100644 |
| 45 |
+--- a/xzlib.c |
| 46 |
++++ b/xzlib.c |
| 47 |
+@@ -562,6 +562,10 @@ xz_decomp(xz_statep state) |
| 48 |
+ "internal error: inflate stream corrupt"); |
| 49 |
+ return -1; |
| 50 |
+ } |
| 51 |
++ /* |
| 52 |
++ * FIXME: Remapping a couple of error codes and falling through |
| 53 |
++ * to the LZMA error handling looks fragile. |
| 54 |
++ */ |
| 55 |
+ if (ret == Z_MEM_ERROR) |
| 56 |
+ ret = LZMA_MEM_ERROR; |
| 57 |
+ if (ret == Z_DATA_ERROR) |
| 58 |
+@@ -587,6 +591,11 @@ xz_decomp(xz_statep state) |
| 59 |
+ xz_error(state, LZMA_PROG_ERROR, "compression error"); |
| 60 |
+ return -1; |
| 61 |
+ } |
| 62 |
++ if ((state->how != GZIP) && |
| 63 |
++ (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) { |
| 64 |
++ xz_error(state, ret, "lzma error"); |
| 65 |
++ return -1; |
| 66 |
++ } |
| 67 |
+ } while (strm->avail_out && ret != LZMA_STREAM_END); |
| 68 |
+ |
| 69 |
+ /* update available output and crc check value */ |
| 70 |
+-- |
| 71 |
+2.19.1 |
| 72 |
+ |
| 73 |
|
| 74 |
diff --git a/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild b/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild |
| 75 |
index 1a798958bcb..43da94cafed 100644 |
| 76 |
--- a/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild |
| 77 |
+++ b/dev-libs/libxml2/libxml2-2.9.8-r1.ebuild |
| 78 |
@@ -88,6 +88,10 @@ src_prepare() { |
| 79 |
# https://bugzilla.gnome.org/show_bug.cgi?id=775200 |
| 80 |
eapply "${FILESDIR}"/${PN}-2.9.8-CVE-2017-8872.patch |
| 81 |
|
| 82 |
+ # CVE-2018-14567 |
| 83 |
+ # https://bugzilla.gnome.org/show_bug.cgi?id=794914 |
| 84 |
+ eapply "${FILESDIR}"/${PN}-2.9.8-CVE-2018-14567.patch |
| 85 |
+ |
| 86 |
if [[ ${CHOST} == *-darwin* ]] ; then |
| 87 |
# Avoid final linking arguments for python modules |
| 88 |
sed -i -e '/PYTHON_LIBS/s/ldflags/libs/' configure.ac || die |
Archives