main/libxml2: fix for CVE-2017-5969

fixes #6852
author: Natanael Copa <ncopa@alpinelinux.org> 2017-06-16 14:25:25 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2017-06-16 16:30:51 +0200
commit: 4e7a6efe3f60338f70ade314e9bc46474c7fff9a (patch)
tree: 626eea1e3b39e44e38b358823ee560de3dc93203
parent: dab0364651fea7158196224398355ee204826bf0 (diff)
download: alpine_aports-4e7a6efe3f60338f70ade314e9bc46474c7fff9a.tar.bz2
alpine_aports-4e7a6efe3f60338f70ade314e9bc46474c7fff9a.tar.xz
alpine_aports-4e7a6efe3f60338f70ade314e9bc46474c7fff9a.zip
2 files changed, 69 insertions, 2 deletions
diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD
index 48afac511a..8d3d0531f1 100644
--- a/main/libxml2/APKBUILD
+++ b/main/libxml2/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Carlo Landmeter <clandmeter@gmail.com>
 pkgname=libxml2
 pkgver=2.9.4
-pkgrel=3
+pkgrel=4
 pkgdesc="XML parsing library, version 2"
 url="http://www.xmlsoft.org/"
 arch="all"
@@ -16,6 +16,7 @@ options="!strip"
 source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz
        CVE-2016-5131.patch
        CVE-2016-9318.patch
+        CVE-2017-5969.patch
        "
 builddir="$srcdir/$pkgname-$pkgver"
@@ -24,6 +25,8 @@ builddir="$srcdir/$pkgname-$pkgver"
 #     - CVE-2016-5131
 #   2.9.4-r2:
 #     - CVE-2016-9318
+#   2.9.4-r4:
+#     - CVE-2017-5969
 build() {
        cd "$builddir"
@@ -70,4 +73,5 @@ utils() {
 sha512sums="f5174ab1a3a0ec0037a47f47aa47def36674e02bfb42b57f609563f84c6247c585dbbb133c056953a5adb968d328f18cbc102eb0d00d48eb7c95478389e5daf9  libxml2-2.9.4.tar.gz
 c92cda9851fdf8af6cb21aa80f39b474cddef8c749298f5b51f76f871160ac9749fdaac3fa406cc0c75a666f7627983fce0e90fb2919f3a8c778e1148583be33  CVE-2016-5131.patch
-508550f2f3489954abceee5404722dc7a8dcf6590219561a1ab36c2c14b1d1bfc2bad0403577db4e20c2c4e8c9114beb6bd80b165bb8e02c6cc52e6c5fb6e1ee  CVE-2016-9318.patch"
+508550f2f3489954abceee5404722dc7a8dcf6590219561a1ab36c2c14b1d1bfc2bad0403577db4e20c2c4e8c9114beb6bd80b165bb8e02c6cc52e6c5fb6e1ee  CVE-2016-9318.patch
+c1ce2284bdd874bd6eb1b2bef0e2c8d561861f82b5f03c4b7155e3ed11e2c56743d2f624530f0c7672d65329a13199e534f51ec19f06d4b6941b861dda50ef67  CVE-2017-5969.patch"
diff --git a/main/libxml2/CVE-2017-5969.patch b/main/libxml2/CVE-2017-5969.patch
new file mode 100644
index 0000000000..367ad730d0
--- /dev/null
+++ b/main/libxml2/CVE-2017-5969.patch
@@ -0,0 +1,63 @@
+From 94691dc884d1a8ada39f073408b4bb92fe7fe882 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Wed, 7 Jun 2017 16:47:36 +0200
+Subject: Fix NULL pointer deref in xmlDumpElementContent
+Can only be triggered in recovery mode.
+Fixes bug 758422 (CVE-2017-5969).
+---
+ valid.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+diff --git a/valid.c b/valid.c
+index 9b2df56..8075d3a 100644
+--- a/valid.c
+++ b/valid.c
+@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
+            xmlBufferWriteCHAR(buf, content->name);
+            break;
+        case XML_ELEMENT_CONTENT_SEQ:
+-           if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+-               (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+           if ((content->c1 != NULL) &&
+               ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+                (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
+                xmlDumpElementContent(buf, content->c1, 1);
+            else
+                xmlDumpElementContent(buf, content->c1, 0);
+             xmlBufferWriteChar(buf, " , ");
+-           if ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
+-               ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
+-                (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
+           if ((content->c2 != NULL) &&
+               ((content->c2->type == XML_ELEMENT_CONTENT_OR) ||
+                ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
+                 (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
+                xmlDumpElementContent(buf, content->c2, 1);
+            else
+                xmlDumpElementContent(buf, content->c2, 0);
+            break;
+        case XML_ELEMENT_CONTENT_OR:
+-           if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+-               (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
+           if ((content->c1 != NULL) &&
+               ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
+                (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
+                xmlDumpElementContent(buf, content->c1, 1);
+            else
+                xmlDumpElementContent(buf, content->c1, 0);
+             xmlBufferWriteChar(buf, " | ");
+-           if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
+-               ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
+-                (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
+           if ((content->c2 != NULL) &&
+               ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) ||
+                ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
+                 (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
+                xmlDumpElementContent(buf, content->c2, 1);
+            else
+                xmlDumpElementContent(buf, content->c2, 0);
+-- 
+cgit v0.12
author	Natanael Copa <ncopa@alpinelinux.org>	2017-06-16 14:25:25 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2017-06-16 16:30:51 +0200
commit	4e7a6efe3f60338f70ade314e9bc46474c7fff9a (patch)
tree	626eea1e3b39e44e38b358823ee560de3dc93203
parent	dab0364651fea7158196224398355ee204826bf0 (diff)
download	alpine_aports-4e7a6efe3f60338f70ade314e9bc46474c7fff9a.tar.bz2 alpine_aports-4e7a6efe3f60338f70ade314e9bc46474c7fff9a.tar.xz alpine_aports-4e7a6efe3f60338f70ade314e9bc46474c7fff9a.zip

diff --git a/main/libxml2/APKBUILD b/main/libxml2/APKBUILD index 48afac511a..8d3d0531f1 100644 --- a/main/libxml2/APKBUILD +++ b/main/libxml2/APKBUILD
@@ -2,7 +2,7 @@
2	# Maintainer: Carlo Landmeter <clandmeter@gmail.com>	2	# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
3	pkgname=libxml2	3	pkgname=libxml2
4	pkgver=2.9.4	4	pkgver=2.9.4
5	pkgrel=3	5	pkgrel=4
6	pkgdesc="XML parsing library, version 2"	6	pkgdesc="XML parsing library, version 2"
7	url="http://www.xmlsoft.org/"	7	url="http://www.xmlsoft.org/"
8	arch="all"	8	arch="all"
@@ -16,6 +16,7 @@ options="!strip"
16	source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz	16	source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz
17	CVE-2016-5131.patch	17	CVE-2016-5131.patch
18	CVE-2016-9318.patch	18	CVE-2016-9318.patch
		19	CVE-2017-5969.patch
19	"	20	"
20	builddir="$srcdir/$pkgname-$pkgver"	21	builddir="$srcdir/$pkgname-$pkgver"
21		22
@@ -24,6 +25,8 @@ builddir="$srcdir/$pkgname-$pkgver"
24	# - CVE-2016-5131	25	# - CVE-2016-5131
25	# 2.9.4-r2:	26	# 2.9.4-r2:
26	# - CVE-2016-9318	27	# - CVE-2016-9318
		28	# 2.9.4-r4:
		29	# - CVE-2017-5969
27		30
28	build() {	31	build() {
29	cd "$builddir"	32	cd "$builddir"
@@ -70,4 +73,5 @@ utils() {
70		73
71	sha512sums="f5174ab1a3a0ec0037a47f47aa47def36674e02bfb42b57f609563f84c6247c585dbbb133c056953a5adb968d328f18cbc102eb0d00d48eb7c95478389e5daf9 libxml2-2.9.4.tar.gz	74	sha512sums="f5174ab1a3a0ec0037a47f47aa47def36674e02bfb42b57f609563f84c6247c585dbbb133c056953a5adb968d328f18cbc102eb0d00d48eb7c95478389e5daf9 libxml2-2.9.4.tar.gz
72	c92cda9851fdf8af6cb21aa80f39b474cddef8c749298f5b51f76f871160ac9749fdaac3fa406cc0c75a666f7627983fce0e90fb2919f3a8c778e1148583be33 CVE-2016-5131.patch	75	c92cda9851fdf8af6cb21aa80f39b474cddef8c749298f5b51f76f871160ac9749fdaac3fa406cc0c75a666f7627983fce0e90fb2919f3a8c778e1148583be33 CVE-2016-5131.patch
73	508550f2f3489954abceee5404722dc7a8dcf6590219561a1ab36c2c14b1d1bfc2bad0403577db4e20c2c4e8c9114beb6bd80b165bb8e02c6cc52e6c5fb6e1ee CVE-2016-9318.patch"	76	508550f2f3489954abceee5404722dc7a8dcf6590219561a1ab36c2c14b1d1bfc2bad0403577db4e20c2c4e8c9114beb6bd80b165bb8e02c6cc52e6c5fb6e1ee CVE-2016-9318.patch
		77	c1ce2284bdd874bd6eb1b2bef0e2c8d561861f82b5f03c4b7155e3ed11e2c56743d2f624530f0c7672d65329a13199e534f51ec19f06d4b6941b861dda50ef67 CVE-2017-5969.patch"


diff --git a/main/libxml2/CVE-2017-5969.patch b/main/libxml2/CVE-2017-5969.patch new file mode 100644 index 0000000000..367ad730d0 --- /dev/null +++ b/main/libxml2/CVE-2017-5969.patch
@@ -0,0 +1,63 @@
		1	From 94691dc884d1a8ada39f073408b4bb92fe7fe882 Mon Sep 17 00:00:00 2001
		2	From: Daniel Veillard <veillard@redhat.com>
		3	Date: Wed, 7 Jun 2017 16:47:36 +0200
		4	Subject: Fix NULL pointer deref in xmlDumpElementContent
		5
		6	Can only be triggered in recovery mode.
		7
		8	Fixes bug 758422 (CVE-2017-5969).
		9	---
		10	valid.c \| 24 ++++++++++++++----------
		11	1 file changed, 14 insertions(+), 10 deletions(-)
		12
		13	diff --git a/valid.c b/valid.c
		14	index 9b2df56..8075d3a 100644
		15	--- a/valid.c
		16	+++ b/valid.c
		17	@@ -1172,29 +1172,33 @@ xmlDumpElementContent(xmlBufferPtr buf, xmlElementContentPtr content, int glob)
		18	xmlBufferWriteCHAR(buf, content->name);
		19	break;
		20	case XML_ELEMENT_CONTENT_SEQ:
		21	- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) \|\|
		22	- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
		23	+ if ((content->c1 != NULL) &&
		24	+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) \|\|
		25	+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
		26	xmlDumpElementContent(buf, content->c1, 1);
		27	else
		28	xmlDumpElementContent(buf, content->c1, 0);
		29	xmlBufferWriteChar(buf, " , ");
		30	- if ((content->c2->type == XML_ELEMENT_CONTENT_OR) \|\|
		31	- ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
		32	- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
		33	+ if ((content->c2 != NULL) &&
		34	+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) \|\|
		35	+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) &&
		36	+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
		37	xmlDumpElementContent(buf, content->c2, 1);
		38	else
		39	xmlDumpElementContent(buf, content->c2, 0);
		40	break;
		41	case XML_ELEMENT_CONTENT_OR:
		42	- if ((content->c1->type == XML_ELEMENT_CONTENT_OR) \|\|
		43	- (content->c1->type == XML_ELEMENT_CONTENT_SEQ))
		44	+ if ((content->c1 != NULL) &&
		45	+ ((content->c1->type == XML_ELEMENT_CONTENT_OR) \|\|
		46	+ (content->c1->type == XML_ELEMENT_CONTENT_SEQ)))
		47	xmlDumpElementContent(buf, content->c1, 1);
		48	else
		49	xmlDumpElementContent(buf, content->c1, 0);
		50	xmlBufferWriteChar(buf, " \| ");
		51	- if ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) \|\|
		52	- ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
		53	- (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE)))
		54	+ if ((content->c2 != NULL) &&
		55	+ ((content->c2->type == XML_ELEMENT_CONTENT_SEQ) \|\|
		56	+ ((content->c2->type == XML_ELEMENT_CONTENT_OR) &&
		57	+ (content->c2->ocur != XML_ELEMENT_CONTENT_ONCE))))
		58	xmlDumpElementContent(buf, content->c2, 1);
		59	else
		60	xmlDumpElementContent(buf, content->c2, 0);
		61	--
		62	cgit v0.12
		63