[libxml2/f14/master] fix a double free in XPath CVE-2010-4494 bug 665965

Daniel Veillard veillard at fedoraproject.org
Fri Mar 4 13:43:16 UTC 2011


commit 9a08b1c70c98ab21ec1abdba80e43538375a5989
Author: Daniel Veillard <veillard at redhat.com>
Date:   Fri Mar 4 21:42:23 2011 +0800

    fix a double free in XPath CVE-2010-4494 bug 665965
    
    also cleanup sources
    Daniel

 libxml2-2.7.7-xpath-double-free.patch |   22 ++++++++++++++++++++++
 libxml2.spec                          |    7 ++++++-
 sources                               |    1 -
 3 files changed, 28 insertions(+), 2 deletions(-)
---
diff --git a/libxml2-2.7.7-xpath-double-free.patch b/libxml2-2.7.7-xpath-double-free.patch
new file mode 100644
index 0000000..c5dbbee
--- /dev/null
+++ b/libxml2-2.7.7-xpath-double-free.patch
@@ -0,0 +1,22 @@
+--- a/xpath.c	
++++ a/xpath.c	
+@@ -11763,11 +11763,16 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
+ 
+ 	    if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+ 	        xmlXPathObjectPtr tmp;
+-		/* pop the result */
++		/* pop the result if any */
+ 		tmp = valuePop(ctxt);
+-		xmlXPathReleaseObject(xpctxt, tmp);
+-		/* then pop off contextObj, which will be freed later */
+-		valuePop(ctxt);
++                if (tmp != contextObj) {
++                    /*
++                     * Free up the result
++                     * then pop off contextObj, which will be freed later
++                     */
++                    xmlXPathReleaseObject(xpctxt, tmp);
++                    valuePop(ctxt);
++                }
+ 		goto evaluation_error;
+ 	    }
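Review bot: The new `if (tmp != contextObj)` branch still assumes that exactly one result object sits above contextObj on the value stack, because the return value of the second `valuePop(ctxt)` is discarded without being compared to contextObj. If a failed evaluation can leave more than one value there (the stack invariants are outside this hunk, so this is inferred), contextObj would remain on the stack while, per the comment, it "will be freed later", leaving a stale pointer of the kind this patch is meant to close. Draining the stack until the context object is reached is more robust: change the test to `while ((tmp != NULL) && (tmp != contextObj))` and the inner pop to `tmp = valuePop(ctxt);`, with the NULL check there to stop the loop if the stack empties before contextObj is found. As a style point, the added lines are indented with spaces while the surrounding context lines use tabs. xmlXPathCompOpEvalPositionalPredicate begins and ends outside the hunk, so the cleanup at `evaluation_error` should be checked against this.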
diff --git a/libxml2.spec b/libxml2.spec
index 430b40c..3c04599 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,7 +1,7 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
 Version: 2.7.7
-Release: 2%{?dist}%{?extra_release}
+Release: 3%{?dist}%{?extra_release}
 License: MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
@@ -9,6 +9,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python python-devel zlib-devel pkgconfig
 URL: http://xmlsoft.org/
 Patch0: libxml2-multilib.patch
+Patch1: libxml2-2.7.7-xpath-double-free.patch
 
 %description
 This library allows to manipulate XML files. It includes support 
@@ -67,6 +68,7 @@ at parse time or later once the document has been modified.
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 
 %build
 %configure
@@ -141,6 +143,9 @@ rm -fr %{buildroot}
 %doc doc/python.html
 
 %changelog
+* Fri Mar  4 2011 Daniel Veillard <veillard at redhat.com> - 2.7.7-3
+- fix a double free in XPath CVE-2010-4494 bug 665965
+
 * Wed Jul 21 2010 David Malcolm <dmalcolm at redhat.com> - 2.7.7-2
 - Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
 
diff --git a/sources b/sources
index 9952f73..5f6cd0e 100644
--- a/sources
+++ b/sources
@@ -1,2 +1 @@
-7740a8ec23878a2f50120e1faa2730f2  libxml2-2.7.6.tar.gz
 9abc9959823ca9ff904f1fbcf21df066  libxml2-2.7.7.tar.gz

