Thu Aug 9 18:44:13 2018 UTC ()

textproc/libxml2: Fix CVE-2018-14404.

Bump PKGREVISION.


(snj)

diff -r1.148 -r1.149 pkgsrc/textproc/libxml2/Makefile
diff -r1.125 -r1.126 pkgsrc/textproc/libxml2/distinfo
diff -r0 -r1.3 pkgsrc/textproc/libxml2/patches/patch-xpath.c

--- pkgsrc/textproc/libxml2/Makefile 2018/06/20 18:22:45 1.148
+++ pkgsrc/textproc/libxml2/Makefile 2018/08/09 18:44:13 1.149

 @@ -1,18 +1,18 @@
-# $NetBSD: Makefile,v 1.148 2018/06/20 18:22:45 tez Exp $
+# $NetBSD: Makefile,v 1.149 2018/08/09 18:44:13 snj Exp $
 .include "../../textproc/libxml2/Makefile.common"
-PKGREVISION=	1
+PKGREVISION=	2
 COMMENT=	XML parser library from the GNOME project
 LICENSE=	modified-bsd
 USE_FEATURES=		glob
 USE_LIBTOOL=		yes
 USE_TOOLS+=		gmake
 GNU_CONFIGURE=		yes
 CONFIGURE_ARGS+=	--with-html-subdir=libxml2
 CONFIGURE_ARGS+=	--with-iconv=${BUILDLINK_PREFIX.iconv}
 CONFIGURE_ARGS+=	--with-zlib=${BUILDLINK_PREFIX.zlib}
 CONFIGURE_ARGS+=	--with-lzma=${BUILDLINK_PREFIX.xz}
 CONFIGURE_ARGS+=	--without-python

--- pkgsrc/textproc/libxml2/distinfo 2018/06/20 18:22:45 1.125
+++ pkgsrc/textproc/libxml2/distinfo 2018/08/09 18:44:13 1.126

 @@ -1,16 +1,17 @@
-$NetBSD: distinfo,v 1.125 2018/06/20 18:22:45 tez Exp $
+$NetBSD: distinfo,v 1.126 2018/08/09 18:44:13 snj Exp $
 SHA1 (libxml2-2.9.8.tar.gz) = 66bcefd98a6b7573427cf66f9d3841b59eb5b8c3
 RMD160 (libxml2-2.9.8.tar.gz) = a3bf30ed652cfa2e06c64ae62c95a5ebd889c7a7
 SHA512 (libxml2-2.9.8.tar.gz) = 28903282c7672206effa1362fd564cbe4cf5be44264b083a7d14e383f73bccd1b81bcafb5f4f2f56f5e7e05914c660e27668c9ce91b1b9f256ef5358d55ba917
 Size (libxml2-2.9.8.tar.gz) = 5469097 bytes
 SHA1 (patch-aa) = e687eaa9805b855b0c8a944ec5c597bd34954472
 SHA1 (patch-ab) = a0df60b1a8609c185ed7d45a015eafdbfb6d6b41
 SHA1 (patch-ac) = 34afe787f6012b460a85be993048e133907a1621
 SHA1 (patch-ad) = d65b7e3be9694147e96ce4bb70a1739e2279ba81
 SHA1 (patch-ae) = 4eede9719724f94402e850ee6d6043a74aaf62b2
 SHA1 (patch-encoding.c) = 6cf0a7d421828b9f40a4079ee85adb791c54d096
 SHA1 (patch-python_libxml.py) = 869a72ae5ba2e27e6d46552878890acb22337675
 SHA1 (patch-python_libxml2.py) = 209d105b0f3aedb834091390a7c6819705108e34
 SHA1 (patch-python_setup.py) = 7771fd02ee6779463f1d3321f099d7e6d19cd1b1
 SHA1 (patch-xpath.c) = 9b9832e36e947598d8f5dade80181e82bff54a5c
 SHA1 (patch-xzlib.c) = eb20e3ef1504dacf1363f86c662918365306e84c

$NetBSD: patch-xpath.c,v 1.3 2018/08/09 18:44:13 snj Exp $

Fix CVE-2018-14404.

https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594

--- xpath.c.orig	2017-12-02 00:58:10.000000000 -0800
+++ xpath.c	2018-08-09 11:37:59.278508181 -0700
@@ -13297,9 +13297,8 @@ xmlXPathCompOpEval(xmlXPathParserContext
 		return(0);
 	    }
             xmlXPathBooleanFunction(ctxt, 1);
-            arg1 = valuePop(ctxt);
-            arg1->boolval &= arg2->boolval;
-            valuePush(ctxt, arg1);
+            if (ctxt->value != NULL)
+                ctxt->value->boolval &= arg2->boolval;
 	    xmlXPathReleaseObject(ctxt->context, arg2);
             return (total);
         case XPATH_OP_OR:
@@ -13323,9 +13322,8 @@ xmlXPathCompOpEval(xmlXPathParserContext
 		return(0);
 	    }
             xmlXPathBooleanFunction(ctxt, 1);
-            arg1 = valuePop(ctxt);
-            arg1->boolval |= arg2->boolval;
-            valuePush(ctxt, arg1);
+            if (ctxt->value != NULL)
+                ctxt->value->boolval |= arg2->boolval;
 	    xmlXPathReleaseObject(ctxt->context, arg2);
             return (total);
         case XPATH_OP_EQUAL: