[pkgsrc/trunk]: pkgsrc/textproc/libxml2 textproc/libxml2: Fix CVE-2018-14404.

[snj <snj%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/aea82ce3d76d
branches:  trunk
changeset: 311398:aea82ce3d76d
user:      snj <snj%pkgsrc.org@localhost>
date:      Thu Aug 09 18:44:13 2018 +0000

description:
textproc/libxml2: Fix CVE-2018-14404.

Bump PKGREVISION.

diffstat:

 textproc/libxml2/Makefile              |   4 ++--
 textproc/libxml2/distinfo              |   3 ++-
 textproc/libxml2/patches/patch-xpath.c |  32 ++++++++++++++++++++++++++++++++
 3 files changed, 36 insertions(+), 3 deletions(-)

diffs (65 lines):

diff -r bed49753b676 -r aea82ce3d76d textproc/libxml2/Makefile
--- a/textproc/libxml2/Makefile Thu Aug 09 17:04:13 2018 +0000
+++ b/textproc/libxml2/Makefile Thu Aug 09 18:44:13 2018 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.148 2018/06/20 18:22:45 tez Exp $
+# $NetBSD: Makefile,v 1.149 2018/08/09 18:44:13 snj Exp $
 
 .include "../../textproc/libxml2/Makefile.common"
 
-PKGREVISION=   1
+PKGREVISION=   2
 
 COMMENT=       XML parser library from the GNOME project
 LICENSE=       modified-bsd
diff -r bed49753b676 -r aea82ce3d76d textproc/libxml2/distinfo
--- a/textproc/libxml2/distinfo Thu Aug 09 17:04:13 2018 +0000
+++ b/textproc/libxml2/distinfo Thu Aug 09 18:44:13 2018 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.125 2018/06/20 18:22:45 tez Exp $
+$NetBSD: distinfo,v 1.126 2018/08/09 18:44:13 snj Exp $
 
 SHA1 (libxml2-2.9.8.tar.gz) = 66bcefd98a6b7573427cf66f9d3841b59eb5b8c3
 RMD160 (libxml2-2.9.8.tar.gz) = a3bf30ed652cfa2e06c64ae62c95a5ebd889c7a7
@@ -13,4 +13,5 @@
 SHA1 (patch-python_libxml.py) = 869a72ae5ba2e27e6d46552878890acb22337675
 SHA1 (patch-python_libxml2.py) = 209d105b0f3aedb834091390a7c6819705108e34
 SHA1 (patch-python_setup.py) = 7771fd02ee6779463f1d3321f099d7e6d19cd1b1
+SHA1 (patch-xpath.c) = 9b9832e36e947598d8f5dade80181e82bff54a5c
 SHA1 (patch-xzlib.c) = eb20e3ef1504dacf1363f86c662918365306e84c
diff -r bed49753b676 -r aea82ce3d76d textproc/libxml2/patches/patch-xpath.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/textproc/libxml2/patches/patch-xpath.c    Thu Aug 09 18:44:13 2018 +0000
@@ -0,0 +1,32 @@
+$NetBSD: patch-xpath.c,v 1.3 2018/08/09 18:44:13 snj Exp $
+
+Fix CVE-2018-14404.
+
+https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594
+
+--- xpath.c.orig       2017-12-02 00:58:10.000000000 -0800
++++ xpath.c    2018-08-09 11:37:59.278508181 -0700
+@@ -13297,9 +13297,8 @@ xmlXPathCompOpEval(xmlXPathParserContext
+               return(0);
+           }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval &= arg2->boolval;
+-            valuePush(ctxt, arg1);
++            if (ctxt->value != NULL)
++                ctxt->value->boolval &= arg2->boolval;
+           xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_OR:
+@@ -13323,9 +13322,8 @@ xmlXPathCompOpEval(xmlXPathParserContext
+               return(0);
+           }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval |= arg2->boolval;
+-            valuePush(ctxt, arg1);
++            if (ctxt->value != NULL)
++                ctxt->value->boolval |= arg2->boolval;
+           xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_EQUAL: