From 7523b3ad0248529e3d9a3fd12cb0d6151f33efe7 Mon Sep 17 00:00:00 2001
From: Igor Gnatenko
Date: Tue, 3 Apr 2018 15:38:30 +0200
Subject: [PATCH] Update to 2.9.8
Signed-off-by: Igor Gnatenko
---
 .gitignore | 1 +
 ...lls-to-xmlCharEncInput-to-set-flush-.patch | 66 ++++++
 libxml2-2.9.0-do-not-check-crc.patch | 35 ----
 libxml2-2.9.4-remove-pyverify_fd.patch | 12 --
 libxml2-CVE-2016-9597.patch | 191 ------------------
 libxml2.spec | 16 +-
 sources | 2 +-
 7 files changed, 75 insertions(+), 248 deletions(-)
 create mode 100644 0001-Revert-Change-calls-to-xmlCharEncInput-to-set-flush-.patch
 delete mode 100644 libxml2-2.9.0-do-not-check-crc.patch
 delete mode 100644 libxml2-2.9.4-remove-pyverify_fd.patch
 delete mode 100644 libxml2-CVE-2016-9597.patch
diff --git a/.gitignore b/.gitignore
index ccd3204..11528b8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -36,3 +36,4 @@ libxml2-2.7.7.tar.gz
 /libxml2-2.9.4.tar.gz
 /libxml2-2.9.5.tar.gz
 /libxml2-2.9.7.tar.gz
+/libxml2-2.9.8.tar.gz
diff --git a/0001-Revert-Change-calls-to-xmlCharEncInput-to-set-flush-.patch b/0001-Revert-Change-calls-to-xmlCharEncInput-to-set-flush-.patch
new file mode 100644
index 0000000..8149aab
--- /dev/null
+++ b/0001-Revert-Change-calls-to-xmlCharEncInput-to-set-flush-.patch
@@ -0,0 +1,66 @@
+From 7a1bd7f6497ac33a9023d556f6f47a48f01deac0 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer
+Date: Sat, 17 Mar 2018 00:03:24 +0100
+Subject: [PATCH] Revert "Change calls to xmlCharEncInput to set flush false"
+
+This reverts commit 6e6ae5daa6cd9640c9a83c1070896273e9b30d14 which
+broke decoding of larger documents with ICU.
+
+See https://bugs.chromium.org/p/chromium/issues/detail?id=820163
+---
+ HTMLparser.c | 2 +-
+ parserInternals.c | 2 +-
+ xmlIO.c | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index 9adeb174..7e243e60 100644
+--- a/HTMLparser.c
++++ b/HTMLparser.c
+@@ -3635,7 +3635,7 @@ htmlCheckEncodingDirect(htmlParserCtxtPtr ctxt, const xmlChar *encoding) {
+ */
+ processed = ctxt->input->cur - ctxt->input->base;
+ xmlBufShrink(ctxt->input->buf->buffer, processed);
+- nbchars = xmlCharEncInput(ctxt->input->buf, 0);
++ nbchars = xmlCharEncInput(ctxt->input->buf, 1);
+ if (nbchars < 0) {
+ htmlParseErr(ctxt, XML_ERR_INVALID_ENCODING,
+ "htmlCheckEncoding: encoder error\n",
+diff --git a/parserInternals.c b/parserInternals.c
+index 8c0cd57a..09876ab4 100644
+--- a/parserInternals.c
++++ b/parserInternals.c
+@@ -1214,7 +1214,7 @@ xmlSwitchInputEncodingInt(xmlParserCtxtPtr ctxt, xmlParserInputPtr input,
+ /*
+ * convert as much as possible of the buffer
+ */
+- nbchars = xmlCharEncInput(input->buf, 0);
++ nbchars = xmlCharEncInput(input->buf, 1);
+ } else {
+ /*
+ * convert just enough to get
+diff --git a/xmlIO.c b/xmlIO.c
+index 82543477..f61dd05a 100644
+--- a/xmlIO.c
++++ b/xmlIO.c
+@@ -3157,7 +3157,7 @@ xmlParserInputBufferPush(xmlParserInputBufferPtr in,
+ * convert as much as possible to the parser reading buffer.
+ */
+ use = xmlBufUse(in->raw);
+- nbchars = xmlCharEncInput(in, 0);
++ nbchars = xmlCharEncInput(in, 1);
+ if (nbchars < 0) {
+ xmlIOErr(XML_IO_ENCODER, NULL);
+ in->error = XML_IO_ENCODER;
+@@ -3273,7 +3273,7 @@ xmlParserInputBufferGrow(xmlParserInputBufferPtr in, int len) {
+ * convert as much as possible to the parser reading buffer.
+ */
+ use = xmlBufUse(in->raw);
+- nbchars = xmlCharEncInput(in, 0);
++ nbchars = xmlCharEncInput(in, 1);
+ if (nbchars < 0) {
+ xmlIOErr(XML_IO_ENCODER, NULL);
+ in->error = XML_IO_ENCODER;
+-- 
+2.17.0.rc2
+
diff --git a/libxml2-2.9.0-do-not-check-crc.patch b/libxml2-2.9.0-do-not-check-crc.patch
deleted file mode 100644
index 3e65077..0000000
--- a/libxml2-2.9.0-do-not-check-crc.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-diff -up libxml2-2.9.0/xzlib.c.do-not-check-crc libxml2-2.9.0/xzlib.c
---- libxml2-2.9.0/xzlib.c.do-not-check-crc 2012-09-11 05:52:46.000000000 +0200
-+++ libxml2-2.9.0/xzlib.c 2012-11-19 19:28:42.431700534 +0100
-@@ -552,17 +552,20 @@ xz_decomp(xz_statep state)
- #ifdef HAVE_ZLIB_H
- if (state->how == GZIP) {
- if (gz_next4(state, &crc) == -1 || gz_next4(state, &len) == -1) {
-- xz_error(state, LZMA_DATA_ERROR, "unexpected end of file");
-- return -1;
-- }
-- if (crc != state->zstrm.adler) {
-- xz_error(state, LZMA_DATA_ERROR, "incorrect data check");
-- return -1;
-- }
-- if (len != (state->zstrm.total_out & 0xffffffffL)) {
-- xz_error(state, LZMA_DATA_ERROR, "incorrect length check");
-- return -1;
-- }
-+ /*
-+ xz_error(state, LZMA_DATA_ERROR, "unexpected end of file");
-+ return -1;
-+ */
-+ } else {
-+ if (crc != state->zstrm.adler) {
-+ xz_error(state, LZMA_DATA_ERROR, "incorrect data check");
-+ return -1;
-+ }
-+ if (len != (state->zstrm.total_out & 0xffffffffL)) {
-+ xz_error(state, LZMA_DATA_ERROR, "incorrect length check");
-+ return -1;
-+ }
-+ }
- state->strm.avail_in = 0;
- state->strm.next_in = NULL;
- state->strm.avail_out = 0;
diff --git a/libxml2-2.9.4-remove-pyverify_fd.patch b/libxml2-2.9.4-remove-pyverify_fd.patch
deleted file mode 100644
index d05d4cb..0000000
--- a/libxml2-2.9.4-remove-pyverify_fd.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -Nur libxml2-2.9.4.orig/python/types.c libxml2-2.9.4/python/types.c
---- libxml2-2.9.4.orig/python/types.c 2016-02-09 03:17:33.000000000 -0700
-+++ libxml2-2.9.4/python/types.c 2016-12-21 12:34:06.755650986 -0700
-@@ -31,8 +31,6 @@
- const char *mode;
-
- fd = PyObject_AsFileDescriptor(f);
-- if (!_PyVerify_fd(fd))
-- return(NULL);
- /*
- * Get the flags on the fd to understand how it was opened
- */
diff --git a/libxml2-CVE-2016-9597.patch b/libxml2-CVE-2016-9597.patch
deleted file mode 100644
index 43f0243..0000000
--- a/libxml2-CVE-2016-9597.patch
+++ /dev/null
@@ -1,191 +0,0 @@
-Make the XML entity recursion check more precise.
-
-libxml doesn't detect entity recursion specifically but has a variety
-of related checks, such as entities not expanding too deeply or
-producing exponential blow-ups in content.
-
-Because entity declarations are parsed in a separate context with
-their own element recursion budget, a recursive entity can overflow
-the stack using a lot of open elements (but within the per-context
-limit) as it slowly consumes (but does not exhaust) the entity depth
-budget.
-
-This adds a specific, precise check for recursive entities that
-detects entity recursion specifically and fails immediately.
-
-The existing entity expansion depth checks are still relevant for long
-chains of different entities.
-
-BUG=628581
-
-Review-Url: https://codereview.chromium.org/2539003002
-Cr-Commit-Position: refs/heads/master@{#436899}
-
-
-Index: libxml2-2.9.4/entities.c
-===================================================================
---- libxml2-2.9.4.orig/entities.c
-+++ libxml2-2.9.4/entities.c
-@@ -159,6 +159,7 @@ xmlCreateEntity(xmlDictPtr dict, const x
- memset(ret, 0, sizeof(xmlEntity));
- ret->type = XML_ENTITY_DECL;
- ret->checked = 0;
-+ ret->guard = XML_ENTITY_NOT_BEING_CHECKED;
-
- /*
- * fill the structure.
-@@ -931,6 +932,7 @@ xmlCopyEntity(xmlEntityPtr ent) {
- cur->orig = xmlStrdup(ent->orig);
- if (ent->URI != NULL)
- cur->URI = xmlStrdup(ent->URI);
-+ cur->guard = 0;
- return(cur);
- }
-
-Index: libxml2-2.9.4/include/libxml/entities.h
-===================================================================
---- libxml2-2.9.4.orig/include/libxml/entities.h
-+++ libxml2-2.9.4/include/libxml/entities.h
-@@ -30,6 +30,11 @@ typedef enum {
- XML_INTERNAL_PREDEFINED_ENTITY = 6
- } xmlEntityType;
-
-+typedef enum {
-+ XML_ENTITY_NOT_BEING_CHECKED,
-+ XML_ENTITY_BEING_CHECKED /* entity check is in progress */
-+} xmlEntityRecursionGuard;
-+
- /*
- * An unit of storage for an entity, contains the string, the value
- * and the linkind data needed for the linking in the hash table.
-@@ -60,6 +65,7 @@ struct _xmlEntity {
- /* this is also used to count entities
- * references done from that entity
- * and if it contains '<' */
-+ xmlEntityRecursionGuard guard;
- };
-
- /*
-Index: libxml2-2.9.4/parser.c
-===================================================================
---- libxml2-2.9.4.orig/parser.c
-+++ libxml2-2.9.4/parser.c
-@@ -133,6 +133,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct
- if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
- return (1);
-
-+ if ((ent != NULL) && (ent->guard == XML_ENTITY_BEING_CHECKED)) {
-+ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
-+ return (1);
-+ }
- /*
- * This may look absurd but is needed to detect
- * entities problems
-@@ -143,12 +147,14 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct
- unsigned long oldnbent = ctxt->nbentities;
- xmlChar *rep;
-
-+ ent->guard = XML_ENTITY_BEING_CHECKED;
- ent->checked = 1;
-
- ++ctxt->depth;
- rep = xmlStringDecodeEntities(ctxt, ent->content,
- XML_SUBSTITUTE_REF, 0, 0, 0);
- --ctxt->depth;
-+ ent->guard = XML_ENTITY_NOT_BEING_CHECKED;
- if (ctxt->errNo == XML_ERR_ENTITY_LOOP) {
- ent->content[0] = 0;
- }
-@@ -7337,23 +7343,28 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
- * if its replacement text matches the production labeled
- * content.
- */
-- if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) {
-- ctxt->depth++;
-- ret = xmlParseBalancedChunkMemoryInternal(ctxt, ent->content,
-- user_data, &list);
-- ctxt->depth--;
--
-- } else if (ent->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
-- ctxt->depth++;
-- ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, ctxt->sax,
-- user_data, ctxt->depth, ent->URI,
-- ent->ExternalID, &list);
-- ctxt->depth--;
-- } else {
-- ret = XML_ERR_ENTITY_PE_INTERNAL;
-- xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
-- "invalid entity type found\n", NULL);
-- }
-+ if (ent->guard == XML_ENTITY_BEING_CHECKED) {
-+ ret = XML_ERR_ENTITY_LOOP;
-+ } else {
-+ ent->guard = XML_ENTITY_BEING_CHECKED;
-+ if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) {
-+ ctxt->depth++;
-+ ret = xmlParseBalancedChunkMemoryInternal(ctxt, ent->content,
-+ user_data, &list);
-+ ctxt->depth--;
-+ } else if (ent->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
-+ ctxt->depth++;
-+ ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, ctxt->sax,
-+ user_data, ctxt->depth, ent->URI,
-+ ent->ExternalID, &list);
-+ ctxt->depth--;
-+ } else {
-+ ret = XML_ERR_ENTITY_PE_INTERNAL;
-+ xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
-+ "invalid entity type found\n", NULL);
-+ }
-+ ent->guard = XML_ENTITY_NOT_BEING_CHECKED;
-+ }
-
- /*
- * Store the number of entities needing parsing for this entity
-@@ -7456,23 +7467,29 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
- else
- user_data = ctxt->userData;
-
-- if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) {
-- ctxt->depth++;
-- ret = xmlParseBalancedChunkMemoryInternal(ctxt,
-- ent->content, user_data, NULL);
-- ctxt->depth--;
-- } else if (ent->etype ==
-- XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
-- ctxt->depth++;
-- ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt,
-- ctxt->sax, user_data, ctxt->depth,
-- ent->URI, ent->ExternalID, NULL);
-- ctxt->depth--;
-- } else {
-- ret = XML_ERR_ENTITY_PE_INTERNAL;
-- xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
-- "invalid entity type found\n", NULL);
-- }
-+ if (ent->guard == XML_ENTITY_BEING_CHECKED) {
-+ ret = XML_ERR_ENTITY_LOOP;
-+ } else {
-+ ent->guard = XML_ENTITY_BEING_CHECKED;
-+ if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) {
-+ ctxt->depth++;
-+ ret = xmlParseBalancedChunkMemoryInternal(ctxt,
-+ ent->content, user_data, NULL);
-+ ctxt->depth--;
-+ } else if (ent->etype ==
-+ XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
-+ ctxt->depth++;
-+ ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt,
-+ ctxt->sax, user_data, ctxt->depth,
-+ ent->URI, ent->ExternalID, NULL);
-+ ctxt->depth--;
-+ } else {
-+ ret = XML_ERR_ENTITY_PE_INTERNAL;
-+ xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
-+ "invalid entity type found\n", NULL);
-+ }
-+ ent->guard = XML_ENTITY_NOT_BEING_CHECKED;
-+ }
- if (ret == XML_ERR_ENTITY_LOOP) {
- xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
- return;
diff --git a/libxml2.spec b/libxml2.spec
index af2ee1a..bcf963d 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,19 +1,14 @@
 Name: libxml2
-Version: 2.9.7
-Release: 4%{?dist}
+Version: 2.9.8
+Release: 1%{?dist}
 Summary: Library providing XML and HTML support
 License: MIT
 URL: http://xmlsoft.org/
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
 Patch0: libxml2-multilib.patch
-# workaround for #877567 - Very weird bug gzip decompression bug in "recent" libxml2 versions
-Patch1: libxml2-2.9.0-do-not-check-crc.patch
-# In python3.6 _PyVerify_fd is no more
-# http://bugs.python.org/issue23524
-Patch2: libxml2-2.9.4-remove-pyverify_fd.patch
-# https://codereview.chromium.org/2539003002
-Patch3: libxml2-CVE-2016-9597.patch
+# https://git.gnome.org/browse/libxml2/commit/?id=7a1bd7f6497ac33a9023d556f6f47a48f01deac0
+Patch1: 0001-Revert-Change-calls-to-xmlCharEncInput-to-set-flush-.patch
 BuildRequires: gcc
 BuildRequires: cmake-rpm-macros
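Review bot: `Patch3: libxml2-CVE-2016-9597.patch` is dropped from libxml2.spec and its file deleted, but neither the spec nor the changelog entry (`- Update to 2.9.8`, in the following hunk) records why. Nothing on this page shows that the 2.9.8 tarball carries an equivalent entity-recursion guard, so the removal presumably relies on an upstream fix that should be named before the security patch goes away. The same gap applies to `libxml2-2.9.0-do-not-check-crc.patch` and `libxml2-2.9.4-remove-pyverify_fd.patch`. I would add one changelog line per dropped patch, for example `- Drop libxml2-CVE-2016-9597.patch (fixed upstream in <UPSTREAM-COMMIT-OR-RELEASE>)`, so a later audit of CVE-2016-9597 coverage can be answered from the package history.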
@@ -170,6 +165,9 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
 %{python3_sitearch}/libxml2mod.so
 %changelog
+* Tue Apr 03 2018 Igor Gnatenko - 2.9.8-1
+- Update to 2.9.8
+
 * Sat Feb 24 2018 Florian Weimer - 2.9.7-4
 - Rebuild with new LDFLAGS from redhat-rpm-config
diff --git a/sources b/sources
index b2fb4ec..5fc42a0 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (libxml2-2.9.7.tar.gz) = da06cb7c5032ef4b7c8e902fabb9d2c74634c42c161be07a7c66a00d53a68029f89b0d4de32a6b9d4ff338c2d1d9c4e53aefb9cf50cb1c2d6c6b06b442ef42d5
+SHA512 (libxml2-2.9.8.tar.gz) = 28903282c7672206effa1362fd564cbe4cf5be44264b083a7d14e383f73bccd1b81bcafb5f4f2f56f5e7e05914c660e27668c9ce91b1b9f256ef5358d55ba917