Author: ken
Date: 2011-01-07 14:14:15 -0700 (Fri, 07 Jan 2011)
New Revision: 2269

Added:
   trunk/libxml2/libxml2-2.7.8-fixes-1.patch
Log:
Fix the current version of libxml2 for CVE-2010-4494.

Added: trunk/libxml2/libxml2-2.7.8-fixes-1.patch
===================================================================
--- trunk/libxml2/libxml2-2.7.8-fixes-1.patch                           (rev 0)
+++ trunk/libxml2/libxml2-2.7.8-fixes-1.patch   2011-01-07 21:14:15 UTC (rev 
2269)
@@ -0,0 +1,34 @@
+Submitted By: Ken Moffat <ken at linuxfromscratch dot org>
+Date: 2011-01-07
+Initial Package Version: 2.7.8
+Upstream Status: Applied
+Origin: Upstream
+Description: Fix for CVE-2010-4494 (double free in xpath).
+
+Commits df83c17e5a2646bd923f75e5e507bc80d73c9722 and
+fec31bcd452e77c10579467ca87a785b41115de6 by Daniel Veillard,
+
+diff -Naur libxml2-2.7.8.orig/xpath.c libxml2-2.7.8/xpath.c
+--- libxml2-2.7.8.orig/xpath.c 2010-11-03 19:18:27.000000000 +0000
++++ libxml2-2.7.8/xpath.c      2011-01-07 13:21:33.000000000 +0000
+@@ -11763,11 +11763,16 @@
+ 
+           if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+               xmlXPathObjectPtr tmp;
+-              /* pop the result */
++              /* pop the result if any */
+               tmp = valuePop(ctxt);
+-              xmlXPathReleaseObject(xpctxt, tmp);
+-              /* then pop off contextObj, which will be freed later */
+-              valuePop(ctxt);
++                if (tmp != contextObj) {
++                    /*
++                     * Free up the result
++                     * then pop off contextObj, which will be freed later
++                     */
++                    xmlXPathReleaseObject(xpctxt, tmp);
++                    valuePop(ctxt);
++                }
+               goto evaluation_error;
+           }
+ 
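Review bot: The `tmp == contextObj` case in the xpath.c error path is left without a comment, although it is the case this fix exists for. In that case the single `valuePop(ctxt)` has already removed contextObj from the stack and it must not be passed to `xmlXPathReleaseObject()`, because, as the retained comment says, it "will be freed later". The removed lines released `tmp` unconditionally, so an error raised before any result was pushed released contextObj here and again later. A one-line comment on the implicit else branch, or a sentence in the patch Description saying this, would make the guard self-explanatory. Two minor points: the added lines appear to be indented with spaces at a different depth from the surrounding context lines, and the header sentence naming the two upstream commits ends in a comma.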

-- 
http://linuxfromscratch.org/mailman/listinfo/patches
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
