diff --git a/.gitignore b/.gitignore index f717fde..ccd3204 100644 --- a/.gitignore +++ b/.gitignore @@ -35,3 +35,4 @@ libxml2-2.7.7.tar.gz /libxml2-2.9.3.tar.gz /libxml2-2.9.4.tar.gz /libxml2-2.9.5.tar.gz +/libxml2-2.9.7.tar.gz diff --git a/libxml2-2.9.5-Report-undefined-XPath-variable-error-message.patch b/libxml2-2.9.5-Report-undefined-XPath-variable-error-message.patch deleted file mode 100644 index 1b62d69..0000000 --- a/libxml2-2.9.5-Report-undefined-XPath-variable-error-message.patch +++ /dev/null @@ -1,54 +0,0 @@ -From 3157cf4e53c03bc3da604472c015c63141907db8 Mon Sep 17 00:00:00 2001 -From: Nick Wellnhofer -Date: Wed, 20 Sep 2017 16:13:29 +0200 -Subject: [PATCH] Report undefined XPath variable error message -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Commit c851970 removed a redundant error message if XPath evaluation -failed. This uncovered a case where an undefined XPath variable error -wasn't reported correctly. - -Thanks to Petr Pisar for the report. - -Fixes bug 787941. - -Signed-off-by: Petr Písař ---- - xpath.c | 12 ++++-------- - 1 file changed, 4 insertions(+), 8 deletions(-) - -diff --git a/xpath.c b/xpath.c -index 2c1b2681..94815075 100644 ---- a/xpath.c -+++ b/xpath.c -@@ -13531,10 +13531,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) - xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]); - if (op->value5 == NULL) { - val = xmlXPathVariableLookup(ctxt->context, op->value4); -- if (val == NULL) { -- ctxt->error = XPATH_UNDEF_VARIABLE_ERROR; -- return(0); -- } -+ if (val == NULL) -+ XP_ERROR0(XPATH_UNDEF_VARIABLE_ERROR); - valuePush(ctxt, val); - } else { - const xmlChar *URI; -@@ -13549,10 +13547,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op) - } - val = xmlXPathVariableLookupNS(ctxt->context, - op->value4, URI); -- if (val == NULL) { -- ctxt->error = XPATH_UNDEF_VARIABLE_ERROR; -- return(0); -- } -+ if (val == NULL) -+ XP_ERROR0(XPATH_UNDEF_VARIABLE_ERROR); - valuePush(ctxt, val); - } - return (total); --- -2.13.5 - diff --git a/libxml2-CVE-2016-9597.patch b/libxml2-CVE-2016-9597.patch new file mode 100644 index 0000000..43f0243 --- /dev/null +++ b/libxml2-CVE-2016-9597.patch @@ -0,0 +1,191 @@ +Make the XML entity recursion check more precise. + +libxml doesn't detect entity recursion specifically but has a variety +of related checks, such as entities not expanding too deeply or +producing exponential blow-ups in content. + +Because entity declarations are parsed in a separate context with +their own element recursion budget, a recursive entity can overflow +the stack using a lot of open elements (but within the per-context +limit) as it slowly consumes (but does not exhaust) the entity depth +budget. + +This adds a specific, precise check for recursive entities that +detects entity recursion specifically and fails immediately. + +The existing entity expansion depth checks are still relevant for long +chains of different entities. + +BUG=628581 + +Review-Url: https://codereview.chromium.org/2539003002 +Cr-Commit-Position: refs/heads/master@{#436899} + + +Index: libxml2-2.9.4/entities.c +=================================================================== +--- libxml2-2.9.4.orig/entities.c ++++ libxml2-2.9.4/entities.c +@@ -159,6 +159,7 @@ xmlCreateEntity(xmlDictPtr dict, const x + memset(ret, 0, sizeof(xmlEntity)); + ret->type = XML_ENTITY_DECL; + ret->checked = 0; ++ ret->guard = XML_ENTITY_NOT_BEING_CHECKED; + + /* + * fill the structure. +@@ -931,6 +932,7 @@ xmlCopyEntity(xmlEntityPtr ent) { + cur->orig = xmlStrdup(ent->orig); + if (ent->URI != NULL) + cur->URI = xmlStrdup(ent->URI); ++ cur->guard = 0; + return(cur); + } + +Index: libxml2-2.9.4/include/libxml/entities.h +=================================================================== +--- libxml2-2.9.4.orig/include/libxml/entities.h ++++ libxml2-2.9.4/include/libxml/entities.h +@@ -30,6 +30,11 @@ typedef enum { + XML_INTERNAL_PREDEFINED_ENTITY = 6 + } xmlEntityType; + ++typedef enum { ++ XML_ENTITY_NOT_BEING_CHECKED, ++ XML_ENTITY_BEING_CHECKED /* entity check is in progress */ ++} xmlEntityRecursionGuard; ++ + /* + * An unit of storage for an entity, contains the string, the value + * and the linkind data needed for the linking in the hash table. +@@ -60,6 +65,7 @@ struct _xmlEntity { + /* this is also used to count entities + * references done from that entity + * and if it contains '<' */ ++ xmlEntityRecursionGuard guard; + }; + + /* +Index: libxml2-2.9.4/parser.c +=================================================================== +--- libxml2-2.9.4.orig/parser.c ++++ libxml2-2.9.4/parser.c +@@ -133,6 +133,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct + if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) + return (1); + ++ if ((ent != NULL) && (ent->guard == XML_ENTITY_BEING_CHECKED)) { ++ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); ++ return (1); ++ } + /* + * This may look absurd but is needed to detect + * entities problems +@@ -143,12 +147,14 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct + unsigned long oldnbent = ctxt->nbentities; + xmlChar *rep; + ++ ent->guard = XML_ENTITY_BEING_CHECKED; + ent->checked = 1; + + ++ctxt->depth; + rep = xmlStringDecodeEntities(ctxt, ent->content, + XML_SUBSTITUTE_REF, 0, 0, 0); + --ctxt->depth; ++ ent->guard = XML_ENTITY_NOT_BEING_CHECKED; + if (ctxt->errNo == XML_ERR_ENTITY_LOOP) { + ent->content[0] = 0; + } +@@ -7337,23 +7343,28 @@ xmlParseReference(xmlParserCtxtPtr ctxt) + * if its replacement text matches the production labeled + * content. + */ +- if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) { +- ctxt->depth++; +- ret = xmlParseBalancedChunkMemoryInternal(ctxt, ent->content, +- user_data, &list); +- ctxt->depth--; +- +- } else if (ent->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY) { +- ctxt->depth++; +- ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, ctxt->sax, +- user_data, ctxt->depth, ent->URI, +- ent->ExternalID, &list); +- ctxt->depth--; +- } else { +- ret = XML_ERR_ENTITY_PE_INTERNAL; +- xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR, +- "invalid entity type found\n", NULL); +- } ++ if (ent->guard == XML_ENTITY_BEING_CHECKED) { ++ ret = XML_ERR_ENTITY_LOOP; ++ } else { ++ ent->guard = XML_ENTITY_BEING_CHECKED; ++ if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) { ++ ctxt->depth++; ++ ret = xmlParseBalancedChunkMemoryInternal(ctxt, ent->content, ++ user_data, &list); ++ ctxt->depth--; ++ } else if (ent->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY) { ++ ctxt->depth++; ++ ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, ctxt->sax, ++ user_data, ctxt->depth, ent->URI, ++ ent->ExternalID, &list); ++ ctxt->depth--; ++ } else { ++ ret = XML_ERR_ENTITY_PE_INTERNAL; ++ xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR, ++ "invalid entity type found\n", NULL); ++ } ++ ent->guard = XML_ENTITY_NOT_BEING_CHECKED; ++ } + + /* + * Store the number of entities needing parsing for this entity +@@ -7456,23 +7467,29 @@ xmlParseReference(xmlParserCtxtPtr ctxt) + else + user_data = ctxt->userData; + +- if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) { +- ctxt->depth++; +- ret = xmlParseBalancedChunkMemoryInternal(ctxt, +- ent->content, user_data, NULL); +- ctxt->depth--; +- } else if (ent->etype == +- XML_EXTERNAL_GENERAL_PARSED_ENTITY) { +- ctxt->depth++; +- ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, +- ctxt->sax, user_data, ctxt->depth, +- ent->URI, ent->ExternalID, NULL); +- ctxt->depth--; +- } else { +- ret = XML_ERR_ENTITY_PE_INTERNAL; +- xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR, +- "invalid entity type found\n", NULL); +- } ++ if (ent->guard == XML_ENTITY_BEING_CHECKED) { ++ ret = XML_ERR_ENTITY_LOOP; ++ } else { ++ ent->guard = XML_ENTITY_BEING_CHECKED; ++ if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) { ++ ctxt->depth++; ++ ret = xmlParseBalancedChunkMemoryInternal(ctxt, ++ ent->content, user_data, NULL); ++ ctxt->depth--; ++ } else if (ent->etype == ++ XML_EXTERNAL_GENERAL_PARSED_ENTITY) { ++ ctxt->depth++; ++ ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, ++ ctxt->sax, user_data, ctxt->depth, ++ ent->URI, ent->ExternalID, NULL); ++ ctxt->depth--; ++ } else { ++ ret = XML_ERR_ENTITY_PE_INTERNAL; ++ xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR, ++ "invalid entity type found\n", NULL); ++ } ++ ent->guard = XML_ENTITY_NOT_BEING_CHECKED; ++ } + if (ret == XML_ERR_ENTITY_LOOP) { + xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); + return; diff --git a/libxml2.spec b/libxml2.spec index d269666..3740918 100644 --- a/libxml2.spec +++ b/libxml2.spec @@ -1,29 +1,24 @@ -%global with_python3 1 +Name: libxml2 +Version: 2.9.7 +Release: 1%{?dist} +Summary: Library providing XML and HTML support -Summary: Library providing XML and HTML support -Name: libxml2 -Version: 2.9.5 -Release: 2%{?dist}%{?extra_release} -License: MIT -Group: Development/Libraries -Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz -BuildRoot: %{_tmppath}/%{name}-%{version}-root -BuildRequires: python-devel -%if 0%{?with_python3} -BuildRequires: python3-devel -%endif # with_python3 -BuildRequires: zlib-devel -BuildRequires: pkgconfig -BuildRequires: xz-devel -URL: http://xmlsoft.org/ -Patch0: libxml2-multilib.patch -Patch1: libxml2-2.9.0-do-not-check-crc.patch +License: MIT +URL: http://xmlsoft.org/ +Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz +Patch0: libxml2-multilib.patch +# workaround for #877567 - Very weird bug gzip decompression bug in "recent" libxml2 versions +Patch1: libxml2-2.9.0-do-not-check-crc.patch # In python3.6 _PyVerify_fd is no more # http://bugs.python.org/issue23524 -Patch2: libxml2-2.9.4-remove-pyverify_fd.patch -# Fix reporting error about undefined XPath variables, bug #1493613, -# Gnome bug #787941, fixed in upstream after 2.9.5 -Patch3: libxml2-2.9.5-Report-undefined-XPath-variable-error-message.patch +Patch2: libxml2-2.9.4-remove-pyverify_fd.patch +# https://codereview.chromium.org/2539003002 +Patch3: libxml2-CVE-2016-9597.patch + +BuildRequires: gcc +BuildRequires: cmake-rpm-macros +BuildRequires: pkgconfig(zlib) +BuildRequires: pkgconfig(liblzma) %description This library allows to manipulate XML files. It includes support @@ -37,12 +32,10 @@ available, with existing HTTP and FTP modules and combined to an URI library. %package devel -Summary: Libraries, includes, etc. to develop XML and HTML applications -Group: Development/Libraries -Requires: libxml2 = %{version}-%{release} -Requires: zlib-devel -Requires: xz-devel -Requires: pkgconfig +Summary: Libraries, includes, etc. to develop XML and HTML applications +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: zlib-devel%{?_isa} +Requires: xz-devel%{?_isa} %description devel Libraries, include files, etc you can use to develop XML applications. @@ -57,22 +50,21 @@ available, with existing HTTP and FTP modules and combined to an URI library. %package static -Summary: Static library for libxml2 -Group: Development/Libraries -Requires: libxml2 = %{version}-%{release} +Summary: Static library for libxml2 %description static Static library for libxml2 provided for specific uses or shaving a few microseconds when parsing, do not link to them for generic purpose packages. -%package -n python-%{name} -Summary: Python bindings for the libxml2 library -Group: Development/Libraries -Requires: libxml2 = %{version}-%{release} -Obsoletes: %{name}-python < %{version}-%{release} -Provides: %{name}-python = %{version}-%{release} +%package -n python2-%{name} +%{?python_provide:%python_provide python2-%{name}} +Summary: Python bindings for the libxml2 library +BuildRequires: python2-devel +Requires: %{name}%{?_isa} = %{version}-%{release} +Obsoletes: %{name}-python < %{version}-%{release} +Provides: %{name}-python = %{version}-%{release} -%description -n python-%{name} +%description -n python2-%{name} The libxml2-python package contains a Python 2 module that permits applications written in the Python programming language, version 2, to use the interface supplied by the libxml2 library to manipulate XML files. @@ -82,13 +74,12 @@ to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DTDs, either at parse time or later once the document has been modified. -%if 0%{?with_python3} %package -n python3-%{name} -Summary: Python 3 bindings for the libxml2 library -Group: Development/Libraries -Requires: libxml2 = %{version}-%{release} -Obsoletes: %{name}-python3 < %{version}-%{release} -Provides: %{name}-python3 = %{version}-%{release} +Summary: Python 3 bindings for the libxml2 library +BuildRequires: python3-devel +Requires: %{name}%{?_isa} = %{version}-%{release} +Obsoletes: %{name}-python3 < %{version}-%{release} +Provides: %{name}-python3 = %{version}-%{release} %description -n python3-%{name} The libxml2-python3 package contains a Python 3 module that permits @@ -99,135 +90,105 @@ This library allows to manipulate XML files. It includes support to read, modify and write XML and HTML files. There is DTDs support this includes parsing and validation even with complex DTDs, either at parse time or later once the document has been modified. -%endif # with_python3 %prep -%setup -q -%patch0 -p1 -# workaround for #877567 - Very weird bug gzip decompression bug in "recent" libxml2 versions -%patch1 -p1 -b .do-not-check-crc -%if 0%{?fedora} > 25 -%patch2 -p1 -%endif -%patch3 -p1 - -mkdir py3doc -cp doc/*.py py3doc -sed -i 's|#!/usr/bin/python |#!%{__python3} |' py3doc/*.py +%autosetup -p1 +find doc -type f -executable -print -exec chmod 0644 {} ';' %build -%configure -make %{_smp_mflags} - -find doc -type f -exec chmod 0644 \{\} \; +mkdir py2 py3 +%global _configure ../configure +%global _configure_disable_silent_rules 1 +( cd py2 && %configure --cache-file=../config.cache --with-python=%{__python2} ) +( cd py3 && %configure --cache-file=../config.cache --with-python=%{__python3} ) +%make_build -C py2 +%make_build -C py3 %install -rm -fr %{buildroot} - -make install DESTDIR=%{buildroot} - -%if 0%{?with_python3} -make clean -%configure --with-python=%{__python3} -make install DESTDIR=%{buildroot} -%endif # with_python3 +%make_install -C py2 +%make_install -C py3 # multiarch crazyness on timestamp differences or Makefile/binaries for examples -touch -m --reference=$RPM_BUILD_ROOT/%{_includedir}/libxml2/libxml/parser.h $RPM_BUILD_ROOT/%{_bindir}/xml2-config +touch -m --reference=%{buildroot}%{_includedir}/libxml2/libxml/parser.h %{buildroot}%{_bindir}/xml2-config -rm -f $RPM_BUILD_ROOT%{_libdir}/*.la -rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.a -rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.la -rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/libxml2-%{version}/* -rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/libxml2-python-%{version}/* -(cd doc/examples ; make clean ; rm -rf .deps Makefile) +find %{buildroot} -type f -name '*.a' -o -name '*.la' -print -delete +rm -vrf %{buildroot}%{_datadir}/doc/ +#(cd doc/examples ; make clean ; rm -rf .deps Makefile) gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz %check -make runtests - -%clean -rm -fr %{buildroot} +%make_build runtests -C py2 +%make_build runtests -C py3 %post -p /sbin/ldconfig %postun -p /sbin/ldconfig %files -%defattr(-, root, root) - -%{!?_licensedir:%global license %%doc} %license Copyright %doc AUTHORS NEWS README TODO -%doc %{_mandir}/man1/xmllint.1* -%doc %{_mandir}/man1/xmlcatalog.1* -%doc %{_mandir}/man3/libxml.3* - -%{_libdir}/lib*.so.* +%{_libdir}/libxml2.so.2* +%{_mandir}/man3/libxml.3* %{_bindir}/xmllint +%{_mandir}/man1/xmllint.1* %{_bindir}/xmlcatalog +%{_mandir}/man1/xmlcatalog.1* %files devel -%defattr(-, root, root) - -%doc %{_mandir}/man1/xml2-config.1* -%doc AUTHORS NEWS README Copyright %doc doc/*.html doc/html doc/*.gif doc/*.png %doc doc/tutorial doc/libxml2-api.xml.gz %doc doc/examples -%doc %dir %{_datadir}/gtk-doc/html/libxml2 -%doc %{_datadir}/gtk-doc/html/libxml2/*.devhelp -%doc %{_datadir}/gtk-doc/html/libxml2/*.html -%doc %{_datadir}/gtk-doc/html/libxml2/*.png -%doc %{_datadir}/gtk-doc/html/libxml2/*.css - -%{_libdir}/lib*.so -%{_libdir}/*.sh -%{_includedir}/* +%dir %{_datadir}/gtk-doc +%dir %{_datadir}/gtk-doc/html +%{_datadir}/gtk-doc/html/libxml2/ +%{_libdir}/libxml2.so +%{_libdir}/xml2Conf.sh +%{_includedir}/libxml2/ %{_bindir}/xml2-config +%{_mandir}/man1/xml2-config.1* %{_datadir}/aclocal/libxml.m4 %{_libdir}/pkgconfig/libxml-2.0.pc -%{_libdir}/cmake/libxml2/libxml2-config.cmake +%{_libdir}/cmake/libxml2/ %files static -%defattr(-, root, root) +%license Copyright +%{_libdir}/libxml2.a -%{_libdir}/*a +%files -n python2-%{name} +%doc python/TODO python/libxml2class.txt +%doc doc/*.py doc/python.html +%{python2_sitearch}/libxml2.py* +%{python2_sitearch}/drv_libxml2.py* +%{python2_sitearch}/libxml2mod.so -%files -n python-%{name} -%defattr(-, root, root) - -%{_libdir}/python2*/site-packages/libxml2.py* -%{_libdir}/python2*/site-packages/drv_libxml2.py* -%{_libdir}/python2*/site-packages/libxml2mod* -%doc python/TODO -%doc python/libxml2class.txt -%doc doc/*.py -%doc doc/python.html - -%if 0%{?with_python3} %files -n python3-%{name} -%defattr(-, root, root) - -%{_libdir}/python3*/site-packages/libxml2.py* -%{_libdir}/python3*/site-packages/drv_libxml2.py* -%{_libdir}/python3*/site-packages/__pycache__/*py* -%{_libdir}/python3*/site-packages/libxml2mod* -%doc python/TODO -%doc python/libxml2class.txt -%doc py3doc/*.py -%doc doc/python.html -%endif # with_python3 - +%doc python/TODO python/libxml2class.txt +%doc doc/*.py doc/python.html +%{python3_sitearch}/libxml2.py +%{python3_sitearch}/__pycache__/libxml2.* +%{python3_sitearch}/drv_libxml2.py +%{python3_sitearch}/__pycache__/drv_libxml2.* +%{python3_sitearch}/libxml2mod.so %changelog +* Wed Jan 24 2018 Igor Gnatenko - 2.9.7-1 +- Update to 2.9.7 +- Cleanups in packaging + +* Tue Jan 09 2018 Iryna Shcherbina - 2.9.5-3 +- Update Python 2 dependency declarations to new packaging standards + (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) + * Fri Sep 22 2017 Petr Pisar - 2.9.5-2 - Fix reporting error about undefined XPath variables (bug #1493613) * Mon Sep 4 2017 Daniel Veillard - 2.9.5-1 - - update to 2.9.5 +* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek - 2.9.4-5 +- Python 2 binary package renamed to python2-libxml2 + See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 + * Thu Aug 03 2017 Fedora Release Engineering - 2.9.4-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild diff --git a/sources b/sources index b340bec..b2fb4ec 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (libxml2-2.9.5.tar.gz) = 197dbd1722e5f90eea43837323352f48d215e198aa6b95685645ef7511e2beba8aadc0dd67e099c945120c5dbe7f8c9da5f376b22f447059e9ffa941c1bfd175 +SHA512 (libxml2-2.9.7.tar.gz) = da06cb7c5032ef4b7c8e902fabb9d2c74634c42c161be07a7c66a00d53a68029f89b0d4de32a6b9d4ff338c2d1d9c4e53aefb9cf50cb1c2d6c6b06b442ef42d5