rpms/libxml2
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Merge branch 'master' into f27

Browse Source 
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
This commit is contained in:
Igor Gnatenko 2018-01-24 07:50:32 +01:00
commit aa4af68ced
No known key found for this signature in database
GPG Key ID: 695714BD1BBC5F4C
5 changed files with 285 additions and 186 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -35,3 +35,4 @@ libxml2-2.7.7.tar.gz
/libxml2-2.9.3.tar.gz
/libxml2-2.9.4.tar.gz
/libxml2-2.9.5.tar.gz
/libxml2-2.9.7.tar.gz

54
libxml2-2.9.5-Report-undefined-XPath-variable-error-message.patch
View File

@ -1,54 +0,0 @@
From 3157cf4e53c03bc3da604472c015c63141907db8 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Wed, 20 Sep 2017 16:13:29 +0200
Subject: [PATCH] Report undefined XPath variable error message
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit c851970 removed a redundant error message if XPath evaluation
failed. This uncovered a case where an undefined XPath variable error
wasn't reported correctly.
Thanks to Petr Pisar for the report.
Fixes bug 787941.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
xpath.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/xpath.c b/xpath.c
index 2c1b2681..94815075 100644
--- a/xpath.c
+++ b/xpath.c
@@ -13531,10 +13531,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
xmlXPathCompOpEval(ctxt, &comp->steps[op->ch1]);
if (op->value5 == NULL) {
val = xmlXPathVariableLookup(ctxt->context, op->value4);
- if (val == NULL) {
- ctxt->error = XPATH_UNDEF_VARIABLE_ERROR;
- return(0);
- }
+ if (val == NULL)
+ XP_ERROR0(XPATH_UNDEF_VARIABLE_ERROR);
valuePush(ctxt, val);
} else {
const xmlChar *URI;
@@ -13549,10 +13547,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
}
val = xmlXPathVariableLookupNS(ctxt->context,
op->value4, URI);
- if (val == NULL) {
- ctxt->error = XPATH_UNDEF_VARIABLE_ERROR;
- return(0);
- }
+ if (val == NULL)
+ XP_ERROR0(XPATH_UNDEF_VARIABLE_ERROR);
valuePush(ctxt, val);
}
return (total);
--
2.13.5

191
libxml2-CVE-2016-9597.patch Normal file
View File

@ -0,0 +1,191 @@
Make the XML entity recursion check more precise.
libxml doesn't detect entity recursion specifically but has a variety
of related checks, such as entities not expanding too deeply or
producing exponential blow-ups in content.
Because entity declarations are parsed in a separate context with
their own element recursion budget, a recursive entity can overflow
the stack using a lot of open elements (but within the per-context
limit) as it slowly consumes (but does not exhaust) the entity depth
budget.
This adds a specific, precise check for recursive entities that
detects entity recursion specifically and fails immediately.
The existing entity expansion depth checks are still relevant for long
chains of different entities.
BUG=628581
Review-Url: https://codereview.chromium.org/2539003002
Cr-Commit-Position: refs/heads/master@{#436899}
Index: libxml2-2.9.4/entities.c
===================================================================
--- libxml2-2.9.4.orig/entities.c
+++ libxml2-2.9.4/entities.c
@@ -159,6 +159,7 @@ xmlCreateEntity(xmlDictPtr dict, const x
memset(ret, 0, sizeof(xmlEntity));
ret->type = XML_ENTITY_DECL;
ret->checked = 0;
+ ret->guard = XML_ENTITY_NOT_BEING_CHECKED;
/*
* fill the structure.
@@ -931,6 +932,7 @@ xmlCopyEntity(xmlEntityPtr ent) {
cur->orig = xmlStrdup(ent->orig);
if (ent->URI != NULL)
cur->URI = xmlStrdup(ent->URI);
+ cur->guard = 0;
return(cur);
}
Index: libxml2-2.9.4/include/libxml/entities.h
===================================================================
--- libxml2-2.9.4.orig/include/libxml/entities.h
+++ libxml2-2.9.4/include/libxml/entities.h
@@ -30,6 +30,11 @@ typedef enum {
XML_INTERNAL_PREDEFINED_ENTITY = 6
} xmlEntityType;
+typedef enum {
+ XML_ENTITY_NOT_BEING_CHECKED,
+ XML_ENTITY_BEING_CHECKED /* entity check is in progress */
+} xmlEntityRecursionGuard;
+
/*
* An unit of storage for an entity, contains the string, the value
* and the linkind data needed for the linking in the hash table.
@@ -60,6 +65,7 @@ struct _xmlEntity {
/* this is also used to count entities
* references done from that entity
* and if it contains '<' */
+ xmlEntityRecursionGuard guard;
};
/*
Index: libxml2-2.9.4/parser.c
===================================================================
--- libxml2-2.9.4.orig/parser.c
+++ libxml2-2.9.4/parser.c
@@ -133,6 +133,10 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct
if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
return (1);
+ if ((ent != NULL) && (ent->guard == XML_ENTITY_BEING_CHECKED)) {
+ xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
+ return (1);
+ }
/*
* This may look absurd but is needed to detect
* entities problems
@@ -143,12 +147,14 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct
unsigned long oldnbent = ctxt->nbentities;
xmlChar *rep;
+ ent->guard = XML_ENTITY_BEING_CHECKED;
ent->checked = 1;
++ctxt->depth;
rep = xmlStringDecodeEntities(ctxt, ent->content,
XML_SUBSTITUTE_REF, 0, 0, 0);
--ctxt->depth;
+ ent->guard = XML_ENTITY_NOT_BEING_CHECKED;
if (ctxt->errNo == XML_ERR_ENTITY_LOOP) {
ent->content[0] = 0;
}
@@ -7337,23 +7343,28 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
* if its replacement text matches the production labeled
* content.
*/
- if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) {
- ctxt->depth++;
- ret = xmlParseBalancedChunkMemoryInternal(ctxt, ent->content,
- user_data, &list);
- ctxt->depth--;
-
- } else if (ent->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
- ctxt->depth++;
- ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, ctxt->sax,
- user_data, ctxt->depth, ent->URI,
- ent->ExternalID, &list);
- ctxt->depth--;
- } else {
- ret = XML_ERR_ENTITY_PE_INTERNAL;
- xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
- "invalid entity type found\n", NULL);
- }
+ if (ent->guard == XML_ENTITY_BEING_CHECKED) {
+ ret = XML_ERR_ENTITY_LOOP;
+ } else {
+ ent->guard = XML_ENTITY_BEING_CHECKED;
+ if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) {
+ ctxt->depth++;
+ ret = xmlParseBalancedChunkMemoryInternal(ctxt, ent->content,
+ user_data, &list);
+ ctxt->depth--;
+ } else if (ent->etype == XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
+ ctxt->depth++;
+ ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt, ctxt->sax,
+ user_data, ctxt->depth, ent->URI,
+ ent->ExternalID, &list);
+ ctxt->depth--;
+ } else {
+ ret = XML_ERR_ENTITY_PE_INTERNAL;
+ xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
+ "invalid entity type found\n", NULL);
+ }
+ ent->guard = XML_ENTITY_NOT_BEING_CHECKED;
+ }
/*
* Store the number of entities needing parsing for this entity
@@ -7456,23 +7467,29 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
else
user_data = ctxt->userData;
- if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) {
- ctxt->depth++;
- ret = xmlParseBalancedChunkMemoryInternal(ctxt,
- ent->content, user_data, NULL);
- ctxt->depth--;
- } else if (ent->etype ==
- XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
- ctxt->depth++;
- ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt,
- ctxt->sax, user_data, ctxt->depth,
- ent->URI, ent->ExternalID, NULL);
- ctxt->depth--;
- } else {
- ret = XML_ERR_ENTITY_PE_INTERNAL;
- xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
- "invalid entity type found\n", NULL);
- }
+ if (ent->guard == XML_ENTITY_BEING_CHECKED) {
+ ret = XML_ERR_ENTITY_LOOP;
+ } else {
+ ent->guard = XML_ENTITY_BEING_CHECKED;
+ if (ent->etype == XML_INTERNAL_GENERAL_ENTITY) {
+ ctxt->depth++;
+ ret = xmlParseBalancedChunkMemoryInternal(ctxt,
+ ent->content, user_data, NULL);
+ ctxt->depth--;
+ } else if (ent->etype ==
+ XML_EXTERNAL_GENERAL_PARSED_ENTITY) {
+ ctxt->depth++;
+ ret = xmlParseExternalEntityPrivate(ctxt->myDoc, ctxt,
+ ctxt->sax, user_data, ctxt->depth,
+ ent->URI, ent->ExternalID, NULL);
+ ctxt->depth--;
+ } else {
+ ret = XML_ERR_ENTITY_PE_INTERNAL;
+ xmlErrMsgStr(ctxt, XML_ERR_INTERNAL_ERROR,
+ "invalid entity type found\n", NULL);
+ }
+ ent->guard = XML_ENTITY_NOT_BEING_CHECKED;
+ }
if (ret == XML_ERR_ENTITY_LOOP) {
xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
return;

197
libxml2.spec
View File

@ -1,29 +1,24 @@
%global with_python3 1
Summary: Library providing XML and HTML support
Name: libxml2
Version: 2.9.5
Release: 2%{?dist}%{?extra_release}
Version: 2.9.7
Release: 1%{?dist}
Summary: Library providing XML and HTML support
License: MIT
Group: Development/Libraries
Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildRequires: python-devel
%if 0%{?with_python3}
BuildRequires: python3-devel
%endif # with_python3
BuildRequires: zlib-devel
BuildRequires: pkgconfig
BuildRequires: xz-devel
URL: http://xmlsoft.org/
Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
Patch0: libxml2-multilib.patch
# workaround for #877567 - Very weird bug gzip decompression bug in "recent" libxml2 versions
Patch1: libxml2-2.9.0-do-not-check-crc.patch
# In python3.6 _PyVerify_fd is no more
# http://bugs.python.org/issue23524
Patch2: libxml2-2.9.4-remove-pyverify_fd.patch
# Fix reporting error about undefined XPath variables, bug #1493613,
# Gnome bug #787941, fixed in upstream after 2.9.5
Patch3: libxml2-2.9.5-Report-undefined-XPath-variable-error-message.patch
# https://codereview.chromium.org/2539003002
Patch3: libxml2-CVE-2016-9597.patch
BuildRequires: gcc
BuildRequires: cmake-rpm-macros
BuildRequires: pkgconfig(zlib)
BuildRequires: pkgconfig(liblzma)
%description
This library allows to manipulate XML files. It includes support
@ -38,11 +33,9 @@ URI library.
%package devel
Summary: Libraries, includes, etc. to develop XML and HTML applications
Group: Development/Libraries
Requires: libxml2 = %{version}-%{release}
Requires: zlib-devel
Requires: xz-devel
Requires: pkgconfig
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: zlib-devel%{?_isa}
Requires: xz-devel%{?_isa}
%description devel
Libraries, include files, etc you can use to develop XML applications.
@ -58,21 +51,20 @@ URI library.
%package static
Summary: Static library for libxml2
Group: Development/Libraries
Requires: libxml2 = %{version}-%{release}
%description static
Static library for libxml2 provided for specific uses or shaving a few
microseconds when parsing, do not link to them for generic purpose packages.
%package -n python-%{name}
%package -n python2-%{name}
%{?python_provide:%python_provide python2-%{name}}
Summary: Python bindings for the libxml2 library
Group: Development/Libraries
Requires: libxml2 = %{version}-%{release}
BuildRequires: python2-devel
Requires: %{name}%{?_isa} = %{version}-%{release}
Obsoletes: %{name}-python < %{version}-%{release}
Provides: %{name}-python = %{version}-%{release}
%description -n python-%{name}
%description -n python2-%{name}
The libxml2-python package contains a Python 2 module that permits applications
written in the Python programming language, version 2, to use the interface
supplied by the libxml2 library to manipulate XML files.
@ -82,11 +74,10 @@ to read, modify and write XML and HTML files. There is DTDs support
this includes parsing and validation even with complex DTDs, either
at parse time or later once the document has been modified.
%if 0%{?with_python3}
%package -n python3-%{name}
Summary: Python 3 bindings for the libxml2 library
Group: Development/Libraries
Requires: libxml2 = %{version}-%{release}
BuildRequires: python3-devel
Requires: %{name}%{?_isa} = %{version}-%{release}
Obsoletes: %{name}-python3 < %{version}-%{release}
Provides: %{name}-python3 = %{version}-%{release}
@ -99,135 +90,105 @@ This library allows to manipulate XML files. It includes support
to read, modify and write XML and HTML files. There is DTDs support
this includes parsing and validation even with complex DTDs, either
at parse time or later once the document has been modified.
%endif # with_python3
%prep
%setup -q
%patch0 -p1
# workaround for #877567 - Very weird bug gzip decompression bug in "recent" libxml2 versions
%patch1 -p1 -b .do-not-check-crc
%if 0%{?fedora} > 25
%patch2 -p1
%endif
%patch3 -p1
mkdir py3doc
cp doc/*.py py3doc
sed -i 's|#!/usr/bin/python |#!%{__python3} |' py3doc/*.py
%autosetup -p1
find doc -type f -executable -print -exec chmod 0644 {} ';'
%build
%configure
make %{_smp_mflags}
find doc -type f -exec chmod 0644 \{\} \;
mkdir py2 py3
%global _configure ../configure
%global _configure_disable_silent_rules 1
( cd py2 && %configure --cache-file=../config.cache --with-python=%{__python2} )
( cd py3 && %configure --cache-file=../config.cache --with-python=%{__python3} )
%make_build -C py2
%make_build -C py3
%install
rm -fr %{buildroot}
make install DESTDIR=%{buildroot}
%if 0%{?with_python3}
make clean
%configure --with-python=%{__python3}
make install DESTDIR=%{buildroot}
%endif # with_python3
%make_install -C py2
%make_install -C py3
# multiarch crazyness on timestamp differences or Makefile/binaries for examples
touch -m --reference=$RPM_BUILD_ROOT/%{_includedir}/libxml2/libxml/parser.h $RPM_BUILD_ROOT/%{_bindir}/xml2-config
touch -m --reference=%{buildroot}%{_includedir}/libxml2/libxml/parser.h %{buildroot}%{_bindir}/xml2-config
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.a
rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.la
rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/libxml2-%{version}/*
rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/libxml2-python-%{version}/*
(cd doc/examples ; make clean ; rm -rf .deps Makefile)
find %{buildroot} -type f -name '*.a' -o -name '*.la' -print -delete
rm -vrf %{buildroot}%{_datadir}/doc/
#(cd doc/examples ; make clean ; rm -rf .deps Makefile)
gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
%check
make runtests
%clean
rm -fr %{buildroot}
%make_build runtests -C py2
%make_build runtests -C py3
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files
%defattr(-, root, root)
%{!?_licensedir:%global license %%doc}
%license Copyright
%doc AUTHORS NEWS README TODO
%doc %{_mandir}/man1/xmllint.1*
%doc %{_mandir}/man1/xmlcatalog.1*
%doc %{_mandir}/man3/libxml.3*
%{_libdir}/lib*.so.*
%{_libdir}/libxml2.so.2*
%{_mandir}/man3/libxml.3*
%{_bindir}/xmllint
%{_mandir}/man1/xmllint.1*
%{_bindir}/xmlcatalog
%{_mandir}/man1/xmlcatalog.1*
%files devel
%defattr(-, root, root)
%doc %{_mandir}/man1/xml2-config.1*
%doc AUTHORS NEWS README Copyright
%doc doc/*.html doc/html doc/*.gif doc/*.png
%doc doc/tutorial doc/libxml2-api.xml.gz
%doc doc/examples
%doc %dir %{_datadir}/gtk-doc/html/libxml2
%doc %{_datadir}/gtk-doc/html/libxml2/*.devhelp
%doc %{_datadir}/gtk-doc/html/libxml2/*.html
%doc %{_datadir}/gtk-doc/html/libxml2/*.png
%doc %{_datadir}/gtk-doc/html/libxml2/*.css
%{_libdir}/lib*.so
%{_libdir}/*.sh
%{_includedir}/*
%dir %{_datadir}/gtk-doc
%dir %{_datadir}/gtk-doc/html
%{_datadir}/gtk-doc/html/libxml2/
%{_libdir}/libxml2.so
%{_libdir}/xml2Conf.sh
%{_includedir}/libxml2/
%{_bindir}/xml2-config
%{_mandir}/man1/xml2-config.1*
%{_datadir}/aclocal/libxml.m4
%{_libdir}/pkgconfig/libxml-2.0.pc
%{_libdir}/cmake/libxml2/libxml2-config.cmake
%{_libdir}/cmake/libxml2/
%files static
%defattr(-, root, root)
%license Copyright
%{_libdir}/libxml2.a
%{_libdir}/*a
%files -n python2-%{name}
%doc python/TODO python/libxml2class.txt
%doc doc/*.py doc/python.html
%{python2_sitearch}/libxml2.py*
%{python2_sitearch}/drv_libxml2.py*
%{python2_sitearch}/libxml2mod.so
%files -n python-%{name}
%defattr(-, root, root)
%{_libdir}/python2*/site-packages/libxml2.py*
%{_libdir}/python2*/site-packages/drv_libxml2.py*
%{_libdir}/python2*/site-packages/libxml2mod*
%doc python/TODO
%doc python/libxml2class.txt
%doc doc/*.py
%doc doc/python.html
%if 0%{?with_python3}
%files -n python3-%{name}
%defattr(-, root, root)
%{_libdir}/python3*/site-packages/libxml2.py*
%{_libdir}/python3*/site-packages/drv_libxml2.py*
%{_libdir}/python3*/site-packages/__pycache__/*py*
%{_libdir}/python3*/site-packages/libxml2mod*
%doc python/TODO
%doc python/libxml2class.txt
%doc py3doc/*.py
%doc doc/python.html
%endif # with_python3
%doc python/TODO python/libxml2class.txt
%doc doc/*.py doc/python.html
%{python3_sitearch}/libxml2.py
%{python3_sitearch}/__pycache__/libxml2.*
%{python3_sitearch}/drv_libxml2.py
%{python3_sitearch}/__pycache__/drv_libxml2.*
%{python3_sitearch}/libxml2mod.so
%changelog
* Wed Jan 24 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.9.7-1
- Update to 2.9.7
- Cleanups in packaging
* Tue Jan 09 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.9.5-3
- Update Python 2 dependency declarations to new packaging standards
(See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
* Fri Sep 22 2017 Petr Pisar <ppisar@redhat.com> - 2.9.5-2
- Fix reporting error about undefined XPath variables (bug #1493613)
* Mon Sep 4 2017 Daniel Veillard <veillard@redhat.com> - 2.9.5-1
- update to 2.9.5
* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.9.4-5
- Python 2 binary package renamed to python2-libxml2
See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

2
sources
View File

@ -1 +1 @@
SHA512 (libxml2-2.9.5.tar.gz) = 197dbd1722e5f90eea43837323352f48d215e198aa6b95685645ef7511e2beba8aadc0dd67e099c945120c5dbe7f8c9da5f376b22f447059e9ffa941c1bfd175
SHA512 (libxml2-2.9.7.tar.gz) = da06cb7c5032ef4b7c8e902fabb9d2c74634c42c161be07a7c66a00d53a68029f89b0d4de32a6b9d4ff338c2d1d9c4e53aefb9cf50cb1c2d6c6b06b442ef42d5