From 1c8bae9084b013d9c338d39eb37118a0d10b97bb Mon Sep 17 00:00:00 2001 From: DistroBaker Date: Wed, 2 Dec 2020 13:05:43 +0000 Subject: [PATCH] Merged update from upstream sources This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/python-lxml.git#2c9f85992cc370f477615365575d4dcc8e133fcf --- .gitignore | 1 + ...verriding-the-libxml2-external-entit.patch | 277 ------------------ python-lxml.spec | 13 +- sources | 2 +- 4 files changed, 11 insertions(+), 282 deletions(-) delete mode 100644 0001-Avoid-globally-overriding-the-libxml2-external-entit.patch diff --git a/.gitignore b/.gitignore index 7c4d09d..f2073f8 100644 --- a/.gitignore +++ b/.gitignore @@ -54,3 +54,4 @@ lxml-2.2.7.tar.gz.asc /lxml-4.4.0.tgz /lxml-4.4.1.tgz /lxml-4.5.1.tgz +/lxml-4.6.2.tar.gz diff --git a/0001-Avoid-globally-overriding-the-libxml2-external-entit.patch b/0001-Avoid-globally-overriding-the-libxml2-external-entit.patch deleted file mode 100644 index 34f8e6d..0000000 --- a/0001-Avoid-globally-overriding-the-libxml2-external-entit.patch +++ /dev/null 
@@ -1,277 +0,0 @@ -From fa1d856cad369d0ac64323ddec14b02281491706 Mon Sep 17 00:00:00 2001 -From: Stefan Behnel -Date: Sat, 23 May 2020 09:34:22 +0200 -Subject: [PATCH] Avoid globally overriding the libxml2 external entity - resolver and instead set it for each parser run. This improves the - interoperability with other users of libxml2 in the system, such as - libxmlsec. - ---- - CHANGES.txt | 11 +++++++++++ - src/lxml/dtd.pxi | 6 ++++++ - src/lxml/parser.pxi | 42 ++++++++++++++++++++++++++++++----------- - src/lxml/relaxng.pxi | 2 ++ - src/lxml/schematron.pxi | 4 ++++ - src/lxml/xinclude.pxi | 2 ++ - src/lxml/xmlschema.pxi | 2 ++ - src/lxml/xslt.pxi | 4 ++++ - 8 files changed, 62 insertions(+), 11 deletions(-) - -diff --git a/CHANGES.txt b/CHANGES.txt -index 30e805997..07afb641b 100644 ---- a/CHANGES.txt -+++ b/CHANGES.txt -@@ -2,6 +2,17 @@ - lxml changelog - ============== - -+4.5.2 (2020-0?-??) -+================== -+ -+Bugs fixed -+---------- -+ -+* LP#1880251: Instead of globally overwriting the document loader in libxml2, lxml now -+ sets it per parser run, which improves the interoperability with other users of libxml2 -+ such as libxmlsec. 
-+ -+ - 4.5.1 (2020-05-19) - ================== - -diff --git a/src/lxml/dtd.pxi b/src/lxml/dtd.pxi -index 595296546..5dcb80c46 100644 ---- a/src/lxml/dtd.pxi -+++ b/src/lxml/dtd.pxi -@@ -277,14 +277,20 @@ cdef class DTD(_Validator): - if _isString(file): - file = _encodeFilename(file) - with self._error_log: -+ orig_loader = _register_document_loader() - self._c_dtd = xmlparser.xmlParseDTD(NULL, _xcstr(file)) -+ _reset_document_loader(orig_loader) - elif hasattr(file, 'read'): -+ orig_loader = _register_document_loader() - self._c_dtd = _parseDtdFromFilelike(file) -+ _reset_document_loader(orig_loader) - else: - raise DTDParseError, u"file must be a filename or file-like object" - elif external_id is not None: - with self._error_log: -+ orig_loader = _register_document_loader() - self._c_dtd = xmlparser.xmlParseDTD(external_id, NULL) -+ _reset_document_loader(orig_loader) - else: - raise DTDParseError, u"either filename or external ID required" - -diff --git a/src/lxml/parser.pxi b/src/lxml/parser.pxi -index 22620373c..3ed223bd5 100644 ---- a/src/lxml/parser.pxi -+++ b/src/lxml/parser.pxi -@@ -502,7 +502,15 @@ cdef xmlparser.xmlParserInput* _local_resolver(const_char* c_url, const_char* c_ - cdef xmlparser.xmlExternalEntityLoader __DEFAULT_ENTITY_LOADER - __DEFAULT_ENTITY_LOADER = xmlparser.xmlGetExternalEntityLoader() - --xmlparser.xmlSetExternalEntityLoader(_local_resolver) -+ -+cdef xmlparser.xmlExternalEntityLoader _register_document_loader() nogil: -+ cdef xmlparser.xmlExternalEntityLoader old = xmlparser.xmlGetExternalEntityLoader() -+ xmlparser.xmlSetExternalEntityLoader(_local_resolver) -+ return old -+ -+cdef void _reset_document_loader(xmlparser.xmlExternalEntityLoader old) nogil: -+ xmlparser.xmlSetExternalEntityLoader(old) -+ - - ############################################################ - ## Parsers -@@ -514,6 +522,7 @@ cdef class _ParserContext(_ResolverContext): - cdef _ErrorLog _error_log - cdef _ParserSchemaValidationContext _validator - cdef 
xmlparser.xmlParserCtxt* _c_ctxt -+ cdef xmlparser.xmlExternalEntityLoader _orig_loader - cdef python.PyThread_type_lock _lock - cdef _Document _doc - cdef bint _collect_ids -@@ -561,7 +570,7 @@ cdef class _ParserContext(_ResolverContext): - else: - xmlparser.xmlClearParserCtxt(self._c_ctxt) - -- cdef int prepare(self) except -1: -+ cdef int prepare(self, bint set_document_loader=True) except -1: - cdef int result - if config.ENABLE_THREADING and self._lock is not NULL: - with nogil: -@@ -572,19 +581,24 @@ cdef class _ParserContext(_ResolverContext): - self._error_log.clear() - self._doc = None - self._c_ctxt.sax.serror = _receiveParserError -+ self._orig_loader = _register_document_loader() if set_document_loader else NULL - if self._validator is not None: - self._validator.connect(self._c_ctxt, self._error_log) - return 0 - - cdef int cleanup(self) except -1: -- if self._validator is not None: -- self._validator.disconnect() -- self._resetParserContext() -- self.clear() -- self._doc = None -- self._c_ctxt.sax.serror = NULL -- if config.ENABLE_THREADING and self._lock is not NULL: -- python.PyThread_release_lock(self._lock) -+ if self._orig_loader is not NULL: -+ _reset_document_loader(self._orig_loader) -+ try: -+ if self._validator is not None: -+ self._validator.disconnect() -+ self._resetParserContext() -+ self.clear() -+ self._doc = None -+ self._c_ctxt.sax.serror = NULL -+ finally: -+ if config.ENABLE_THREADING and self._lock is not NULL: -+ python.PyThread_release_lock(self._lock) - return 0 - - cdef object _handleParseResult(self, _BaseParser parser, -@@ -1286,7 +1300,7 @@ cdef class _FeedParser(_BaseParser): - pctxt = context._c_ctxt - error = 0 - if not self._feed_parser_running: -- context.prepare() -+ context.prepare(set_document_loader=False) - self._feed_parser_running = 1 - c_filename = (_cstr(self._filename) - if self._filename is not None else NULL) -@@ -1296,6 +1310,7 @@ cdef class _FeedParser(_BaseParser): - # however if we give it all we got, 
we'll have nothing for - # *mlParseChunk() and things go wrong. - buffer_len = 4 if py_buffer_len > 4 else py_buffer_len -+ orig_loader = _register_document_loader() - if self._for_html: - error = _htmlCtxtResetPush( - pctxt, c_data, buffer_len, c_filename, c_encoding, -@@ -1304,6 +1319,7 @@ cdef class _FeedParser(_BaseParser): - xmlparser.xmlCtxtUseOptions(pctxt, self._parse_options) - error = xmlparser.xmlCtxtResetPush( - pctxt, c_data, buffer_len, c_filename, c_encoding) -+ _reset_document_loader(orig_loader) - py_buffer_len -= buffer_len - c_data += buffer_len - if error: -@@ -1321,7 +1337,9 @@ cdef class _FeedParser(_BaseParser): - buffer_len = py_buffer_len - if self._for_html: - c_node = pctxt.node # last node where the parser stopped -+ orig_loader = _register_document_loader() - error = htmlparser.htmlParseChunk(pctxt, c_data, buffer_len, 0) -+ _reset_document_loader(orig_loader) - # and now for the fun part: move node names to the dict - if pctxt.myDoc: - fixup_error = _fixHtmlDictSubtreeNames( -@@ -1331,7 +1349,9 @@ cdef class _FeedParser(_BaseParser): - pctxt.myDoc.dict = pctxt.dict - xmlparser.xmlDictReference(pctxt.dict) - else: -+ orig_loader = _register_document_loader() - error = xmlparser.xmlParseChunk(pctxt, c_data, buffer_len, 0) -+ _reset_document_loader(orig_loader) - py_buffer_len -= buffer_len - c_data += buffer_len - -diff --git a/src/lxml/relaxng.pxi b/src/lxml/relaxng.pxi -index d161ce46e..6a82a295f 100644 ---- a/src/lxml/relaxng.pxi -+++ b/src/lxml/relaxng.pxi -@@ -64,7 +64,9 @@ cdef class RelaxNG(_Validator): - doc = None - filename = _encodeFilename(file) - with self._error_log: -+ orig_loader = _register_document_loader() - parser_ctxt = relaxng.xmlRelaxNGNewParserCtxt(_cstr(filename)) -+ _reset_document_loader(orig_loader) - elif (_getFilenameForFile(file) or '')[-4:].lower() == '.rnc': - _require_rnc2rng() - rng_data_utf8 = _utf8(_rnc2rng.dumps(_rnc2rng.load(file))) -diff --git a/src/lxml/schematron.pxi b/src/lxml/schematron.pxi 
-index af4ba7f01..dfd2cc05f 100644 ---- a/src/lxml/schematron.pxi -+++ b/src/lxml/schematron.pxi -@@ -95,7 +95,9 @@ cdef class Schematron(_Validator): - filename = file - filename = _encodeFilename(filename) - with self._error_log: -+ orig_loader = _register_document_loader() - parser_ctxt = schematron.xmlSchematronNewParserCtxt(_cstr(filename)) -+ _reset_document_loader(orig_loader) - else: - raise SchematronParseError, u"No tree or file given" - -@@ -107,7 +109,9 @@ cdef class Schematron(_Validator): - - try: - with self._error_log: -+ orig_loader = _register_document_loader() - self._c_schema = schematron.xmlSchematronParse(parser_ctxt) -+ _reset_document_loader(orig_loader) - finally: - schematron.xmlSchematronFreeParserCtxt(parser_ctxt) - -diff --git a/src/lxml/xinclude.pxi b/src/lxml/xinclude.pxi -index f73afee61..6bac82923 100644 ---- a/src/lxml/xinclude.pxi -+++ b/src/lxml/xinclude.pxi -@@ -49,11 +49,13 @@ cdef class XInclude: - if tree.LIBXML_VERSION < 20704 or not c_context: - __GLOBAL_PARSER_CONTEXT.pushImpliedContext(context) - with nogil: -+ orig_loader = _register_document_loader() - if c_context: - result = xinclude.xmlXIncludeProcessTreeFlagsData( - node._c_node, parse_options, c_context) - else: - result = xinclude.xmlXIncludeProcessTree(node._c_node) -+ _reset_document_loader(orig_loader) - if tree.LIBXML_VERSION < 20704 or not c_context: - __GLOBAL_PARSER_CONTEXT.popImpliedContext() - self._error_log.disconnect() -diff --git a/src/lxml/xmlschema.pxi b/src/lxml/xmlschema.pxi -index cc2c1928d..ab26d935e 100644 ---- a/src/lxml/xmlschema.pxi -+++ b/src/lxml/xmlschema.pxi -@@ -77,7 +77,9 @@ cdef class XMLSchema(_Validator): - # resolve requests to the document's parser - __GLOBAL_PARSER_CONTEXT.pushImpliedContextFromParser(self._doc._parser) - with nogil: -+ orig_loader = _register_document_loader() - self._c_schema = xmlschema.xmlSchemaParse(parser_ctxt) -+ _reset_document_loader(orig_loader) - if self._doc is not None: - 
__GLOBAL_PARSER_CONTEXT.popImpliedContext() - xmlschema.xmlSchemaFreeParserCtxt(parser_ctxt) -diff --git a/src/lxml/xslt.pxi b/src/lxml/xslt.pxi -index e7b49600c..d483cfa30 100644 ---- a/src/lxml/xslt.pxi -+++ b/src/lxml/xslt.pxi -@@ -397,7 +397,9 @@ cdef class XSLT: - c_doc._private = self._xslt_resolver_context - - with self._error_log: -+ orig_loader = _register_document_loader() - c_style = xslt.xsltParseStylesheetDoc(c_doc) -+ _reset_document_loader(orig_loader) - - if c_style is NULL or c_style.errors: - tree.xmlFreeDoc(c_doc) -@@ -633,8 +635,10 @@ cdef class XSLT: - if self._access_control is not None: - self._access_control._register_in_context(transform_ctxt) - with self._error_log, nogil: -+ orig_loader = _register_document_loader() - c_result = xslt.xsltApplyStylesheetUser( - self._c_style, c_input_doc, params, NULL, NULL, transform_ctxt) -+ _reset_document_loader(orig_loader) - return c_result - - diff --git a/python-lxml.spec b/python-lxml.spec index 216d89a..1b40228 100644 --- a/python-lxml.spec +++ b/python-lxml.spec @@ -1,14 +1,13 @@ %global modname lxml Name: python-%{modname} -Version: 4.5.1 -Release: 2%{?dist} +Version: 4.6.2 +Release: 1%{?dist} Summary: XML processing library combining libxml2/libxslt with the ElementTree API License: BSD URL: https://github.com/lxml/lxml -Source0: https://lxml.de/files/%{modname}-%{version}.tgz -Patch0001: https://github.com/lxml/lxml/commit/fa1d856cad369d0ac64323ddec14b02281491706.patch#/0001-Avoid-globally-overriding-the-libxml2-external-entit.patch +Source0: %{pypi_source %{modname}} BuildRequires: gcc BuildRequires: libxml2-devel 
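Review bot: In the first python-lxml.spec hunk, `Patch0001` is dropped without any record in the spec, and the `%changelog` entry added in the following hunk lists only the version update and the CVE fixes. The deleted patch's own CHANGES.txt hunk files the per-parser entity-loader change under 4.5.2 (LP#1880251), so it is presumably already part of 4.6.2. Once that is confirmed against the new tarball, a changelog line such as `- Drop Patch0001, merged upstream (LP#1880251)` would make it visible in the package history. The same hunk moves `Source0` from lxml.de to `%{pypi_source %{modname}}`, and no signature check on the tarball is visible in the lines shown, so the SHA512 in `sources` appears to be the only integrity anchor for the new origin; a one-line comment above `Source0` saying why the origin changed would help the next rebase. The rest of the spec lies outside the hunk.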
@@ -58,6 +57,12 @@ env WITH_CYTHON=true %py3_build %{python3_sitearch}/%{modname}-*.egg-info/ %changelog +* Tue Dec 01 2020 Miro HronĨok - 4.6.2-1 +- Update to 4.6.2 +- Fixes CVE-2020-27783 and another vulnerability in the HTML Cleaner +- Fixes: rhbz#1855415 +- Fixes: rhbz#1901634 + * Wed Jul 29 2020 Fedora Release Engineering - 4.5.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild diff --git a/sources b/sources index 6596e80..d710928 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (lxml-4.5.1.tgz) = 5332d2b691b3d0def42b907a013fa814054dcd150ab6d7adf34891b70667b3e907f80c956a58671d7a31c63caa6110b2e007d2ed82b5fc706e6ad7b428742883 +SHA512 (lxml-4.6.2.tar.gz) = 0a99e3f3c95c409d3f336aa6fb7f21527cf75d00ef8b55731d8ae8ba1b90792812b4551cd0751e5296b0007dc6d448fe63990a487993229e26477f087e52e29d