RHEL 9.0.0 Alpha bootstrap

The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/libxml2#cfc15dfe1a449af07eb17ef9451c09ccafd7f76a

libxml2-2.9.10-CVE-2020-24977.patch

@@ -1,41 +1,36 @@
-From 8e7c20a1af8776677d7890f30b7a180567701a49 Mon Sep 17 00:00:00 2001
+From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001
 From: Nick Wellnhofer <wellnhofer@aevum.de>
-Date: Mon, 3 Aug 2020 17:30:41 +0200
-Subject: [PATCH] Fix integer overflow when comparing schema dates
+Date: Fri, 7 Aug 2020 21:54:27 +0200
+Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout'
 
-Found by OSS-Fuzz.
+Make sure that truncated UTF-8 sequences don't cause an out-of-bounds
+array access.
+
+Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for
+the report.
+
+Fixes #178.
 ---
- xmlschemastypes.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
+ xmllint.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
 
-diff --git a/xmlschemastypes.c b/xmlschemastypes.c
-index 4249d700..d6b9f924 100644
---- a/xmlschemastypes.c
-+++ b/xmlschemastypes.c
-@@ -3691,6 +3691,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y)
- 	minday = 0;
- 	maxday = 0;
-     } else {
-+        if (myear > LONG_MAX / 366)
-+            return -2;
-         /* FIXME: This doesn't take leap year exceptions every 100/400 years
-            into account. */
- 	maxday = 365 * myear + (myear + 3) / 4;
-@@ -4079,6 +4081,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
-     if ((x == NULL) || (y == NULL))
-         return -2;
+diff --git a/xmllint.c b/xmllint.c
+index f6a8e463..c647486f 100644
+--- a/xmllint.c
++++ b/xmllint.c
+@@ -528,6 +528,12 @@ static void
+ xmlHTMLEncodeSend(void) {
+     char *result;
  
-+    if ((x->value.date.year > LONG_MAX / 366) ||
-+        (x->value.date.year < LONG_MIN / 366) ||
-+        (y->value.date.year > LONG_MAX / 366) ||
-+        (y->value.date.year < LONG_MIN / 366)) {
-+        /* Possible overflow when converting to days. */
-+        return -2;
-+    }
-+
-     if (x->value.date.tz_flag) {
- 
-         if (!y->value.date.tz_flag) {
++    /*
++     * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
++     * end with a truncated UTF-8 sequence. This is a hack to at least avoid
++     * an out-of-bounds read.
++     */
++    memset(&buffer[sizeof(buffer)-4], 0, 4);
+     result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
+     if (result) {
+ 	xmlGenericError(xmlGenericErrorContext, "%s", result);
 -- 
 2.28.0.rc2
 

libxml2-2.9.10-fix-integer-overflow.patch

@@ -0,0 +1,41 @@
+From 8e7c20a1af8776677d7890f30b7a180567701a49 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 3 Aug 2020 17:30:41 +0200
+Subject: [PATCH] Fix integer overflow when comparing schema dates
+
+Found by OSS-Fuzz.
+---
+ xmlschemastypes.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/xmlschemastypes.c b/xmlschemastypes.c
+index 4249d700..d6b9f924 100644
+--- a/xmlschemastypes.c
++++ b/xmlschemastypes.c
+@@ -3691,6 +3691,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y)
+ 	minday = 0;
+ 	maxday = 0;
+     } else {
++        if (myear > LONG_MAX / 366)
++            return -2;
+         /* FIXME: This doesn't take leap year exceptions every 100/400 years
+            into account. */
+ 	maxday = 365 * myear + (myear + 3) / 4;
+@@ -4079,6 +4081,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
+     if ((x == NULL) || (y == NULL))
+         return -2;
+ 
++    if ((x->value.date.year > LONG_MAX / 366) ||
++        (x->value.date.year < LONG_MIN / 366) ||
++        (y->value.date.year > LONG_MAX / 366) ||
++        (y->value.date.year < LONG_MIN / 366)) {
++        /* Possible overflow when converting to days. */
++        return -2;
++    }
++
+     if (x->value.date.tz_flag) {
+ 
+         if (!y->value.date.tz_flag) {
+-- 
+2.28.0.rc2
+

libxml2.spec

@@ -1,6 +1,6 @@
 Name:           libxml2
 Version:        2.9.10
-Release:        7%{?dist}
+Release:        9%{?dist}
 Summary:        Library providing XML and HTML support
 
 License:        MIT
@@ -17,8 +17,11 @@ Patch3:         libxml2-2.9.10-CVE-2019-20388.patch
 Patch4:         libxml2-2.9.10-CVE-2020-7595.patch
 # https://gitlab.gnome.org/GNOME/libxml2/merge_requests/71
 Patch5:         libxml2-2.9.10-parenthesize-type-checks.patch
+Patch6:         libxml2-2.9.10-fix-integer-overflow.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1877788
-Patch6:         libxml2-2.9.10-CVE-2020-24977.patch
+Patch7:         libxml2-2.9.10-CVE-2020-24977.patch
+# https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/87
+Patch8:         python-py_ssize_t.patch
 
 BuildRequires:  gcc
 BuildRequires:  make
@@ -83,6 +86,9 @@ at parse time or later once the document has been modified.
 %autosetup -p1
 find doc -type f -executable -print -exec chmod 0644 {} ';'
 
+# Remove files generated by python/generator.py to force regenerating them
+rm python/{libxml2-py.c,libxml2-py.h,libxml2-export.c}
+
 %build
 mkdir py3
 %global _configure ../configure
@@ -147,6 +153,14 @@ gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
 %{python3_sitearch}/libxml2mod.so
 
 %changelog
+* Thu Nov 12 11:57:41 CET 2020 Victor Stinner <vstinner@python.org> - 2.9.10-9
+- Build the Python extension with the PY_SSIZE_T_CLEAN macro to make it
+  compatible with Python 3.10.
+- Fixes: rhbz#1890878.
+
+* Wed Nov 11 2020 Richard W.M. Jones <rjones@redhat.com> - 2.9.10-8
+- Add correct fix for CVE-2020-24977 (RHBZ#1877788), thanks: Jan de Groot.
+
 * Fri Sep 11 2020 Richard W.M. Jones <rjones@redhat.com> - 2.9.10-7
 - Add fix for CVE-2020-24977 (RHBZ#1877788).
 

python-py_ssize_t.patch

@@ -0,0 +1,102 @@
+From 43e946dd497cc6ff0067b8a8f85c620376dfd4cd Mon Sep 17 00:00:00 2001
+From: Victor Stinner <vstinner@python.org>
+Date: Mon, 9 Nov 2020 18:19:31 +0100
+Subject: [PATCH 1/2] Build the Python extension with PY_SSIZE_T_CLEAN
+
+The Python extension module now uses Py_ssize_t rather than int for
+string lengths. This change makes the extension compatible with
+Python 3.10.
+
+Fixes #203.
+---
+ python/generator.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+From b3db67629465823f042a5f3303ecdf8e4bd09a76 Mon Sep 17 00:00:00 2001
+From: Victor Stinner <vstinner@python.org>
+Date: Tue, 10 Nov 2020 15:42:36 +0100
+Subject: [PATCH 2/2] Convert python/libxml.c to PY_SSIZE_T_CLEAN
+
+Define PY_SSIZE_T_CLEAN macro in python/libxml.c and cast the string
+length (int len) explicitly to Py_ssize_t when passing a string to a
+function call using PyObject_CallMethod() with the "s#" format.
+---
+ python/libxml.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/python/generator.py b/python/generator.py
+index c0cb3add..59d45e00 100755
+--- a/python/generator.py
++++ b/python/generator.py
+@@ -393,7 +393,7 @@ def print_function_wrapper(name, output, export, include):
+                 format_args = format_args + ", &%s" % (arg[0])
+             if f == 's#':
+                 format_args = format_args + ", &py_buffsize%d" % num_bufs
+-                c_args = c_args + "    int py_buffsize%d;\n" % num_bufs
++                c_args = c_args + "    Py_ssize_t  py_buffsize%d;\n" % num_bufs
+                 num_bufs = num_bufs + 1
+             if c_call != "":
+                 c_call = c_call + ", "
+@@ -555,6 +555,7 @@ def buildStubs():
+     export.write("/* Generated */\n\n")
+     wrapper = open("libxml2-py.c", "w")
+     wrapper.write("/* Generated */\n\n")
++    wrapper.write("#define PY_SSIZE_T_CLEAN\n")
+     wrapper.write("#include <Python.h>\n")
+     wrapper.write("#include <libxml/xmlversion.h>\n")
+     wrapper.write("#include <libxml/tree.h>\n")
+diff --git a/python/libxml.c b/python/libxml.c
+index 81e709f3..3b66bd61 100644
+--- a/python/libxml.c
++++ b/python/libxml.c
+@@ -11,6 +11,7 @@
+  *
+  * daniel@veillard.com
+  */
++#define PY_SSIZE_T_CLEAN
+ #include <Python.h>
+ #include <fileobject.h>
+ /* #include "config.h" */
+@@ -1048,10 +1049,10 @@ pythonCharacters(void *user_data, const xmlChar * ch, int len)
+     if (type != 0) {
+         if (type == 1)
+             result = PyObject_CallMethod(handler, (char *) "characters",
+-                                         (char *) "s#", ch, len);
++                                         (char *) "s#", ch, (Py_ssize_t)len);
+         else if (type == 2)
+             result = PyObject_CallMethod(handler, (char *) "data",
+-                                         (char *) "s#", ch, len);
++                                         (char *) "s#", ch, (Py_ssize_t)len);
+         if (PyErr_Occurred())
+             PyErr_Print();
+         Py_XDECREF(result);
+@@ -1078,11 +1079,11 @@ pythonIgnorableWhitespace(void *user_data, const xmlChar * ch, int len)
+             result =
+                 PyObject_CallMethod(handler,
+                                     (char *) "ignorableWhitespace",
+-                                    (char *) "s#", ch, len);
++                                    (char *) "s#", ch, (Py_ssize_t)len);
+         else if (type == 2)
+             result =
+                 PyObject_CallMethod(handler, (char *) "data",
+-                                    (char *) "s#", ch, len);
++                                    (char *) "s#", ch, (Py_ssize_t)len);
+         Py_XDECREF(result);
+     }
+ }
+@@ -1223,11 +1224,11 @@ pythonCdataBlock(void *user_data, const xmlChar * ch, int len)
+         if (type == 1)
+             result =
+                 PyObject_CallMethod(handler, (char *) "cdataBlock",
+-                                    (char *) "s#", ch, len);
++                                    (char *) "s#", ch, (Py_ssize_t)len);
+         else if (type == 2)
+             result =
+                 PyObject_CallMethod(handler, (char *) "cdata",
+-                                    (char *) "s#", ch, len);
++                                    (char *) "s#", ch, (Py_ssize_t)len);
+         if (PyErr_Occurred())
+             PyErr_Print();
+         Py_XDECREF(result);
+-- 
+2.26.2