Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2021-06-04 22:42:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.1898 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxml2" Fri Jun 4 22:42:27 2021 rev:106 rq:896773 version:2.9.12 Changes: -------- --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2021-05-13 22:18:04.339691059 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new.1898/libxml2.changes 2021-06-04 22:42:32.535061663 +0200 @@ -1,0 +2,50 @@ +Tue Jun 1 11:04:14 UTC 2021 - Pedro Monreal <pmonr...@suse.com> + +- Fix python-lxml regression with libxml2 2.9.12: + * Work around lxml API abuse: + gitlab.gnome.org/GNOME/libxml2/issues/255 +- Add upstream patches: + * libxml2-fix-lxml-corrupted-subtree-structures.patch + * libxml2-fix-regression-in-xmlNodeDumpOutputInternal.patch + +------------------------------------------------------------------- +Tue Jun 1 03:02:25 UTC 2021 - Ferdinand Thiessen <r...@fthiessen.de> + +- Update to version 2.9.12 + * Fix CVE-2021-3541, CVE-2021-3537, CVE-2021-3518, CVE-2021-3517, + CVE-2021-3516, CVE-2020-7595, CVE-2019-20388, CVE-2020-24977, + and CVE-2019-19956 + * Fix null deref in legacy SAX1 parser + * Fix handling of unexpected EOF in xmlParseContent + * Fix user-after-free + * Validate UTF8 in xmlEncodeEntities + * Fix memory leak in xmlParseElementMixedContentDecl + * Fix integer overflow in xmlSchemaGetParticleTotalRangeMin + * Fix SEGV in xmlSAXParseFileWithData + * Don't process siblings of root in xmlXIncludeProcess + * Full changes: http://xmlsoft.org/news.html +- Drop upstream fixed + * libxml2-CVE-2021-3541.patch + * libxml2-CVE-2021-3537.patch + * libxml2-CVE-2021-3518.patch + * libxml2-CVE-2021-3517.patch + * libxml2-CVE-2021-3516.patch + * libxml2-CVE-2020-7595.patch + * libxml2-CVE-2019-20388.patch + * libxml2-CVE-2020-24977.patch + * libxml2-CVE-2019-19956.patch + * libxml2-python39.patch + * libxml2-Avoid-quadratic-checking-of-identity-constraints.patch +- Drop since 2.9.10 merged libxml2-xmlFreeNodeList-recursive.patch +- Drop since 2.8.0 merged fix-perl.diff +- Refresh libxml2-make-XPATH_MAX_NODESET_LENGTH-configurable.patch + +------------------------------------------------------------------- +Wed May 19 11:14:13 UTC 2021 - Pedro Monreal <pmonr...@suse.com> + +- Security fix: [bsc#1186015, CVE-2021-3541] + * Exponential entity expansion attack bypasses all existing + protection mechanisms. +- Add libxml2-CVE-2021-3541.patch + +------------------------------------------------------------------- Old: ---- fix-perl.diff libxml2-2.9.10.tar.gz libxml2-2.9.10.tar.gz.asc libxml2-Avoid-quadratic-checking-of-identity-constraints.patch libxml2-CVE-2019-19956.patch libxml2-CVE-2019-20388.patch libxml2-CVE-2020-24977.patch libxml2-CVE-2020-7595.patch libxml2-CVE-2021-3516.patch libxml2-CVE-2021-3517.patch libxml2-CVE-2021-3518.patch libxml2-CVE-2021-3537.patch libxml2-python39.patch libxml2-xmlFreeNodeList-recursive.patch New: ---- libxml2-2.9.12.tar.gz libxml2-2.9.12.tar.gz.asc libxml2-fix-lxml-corrupted-subtree-structures.patch libxml2-fix-regression-in-xmlNodeDumpOutputInternal.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxml2.spec ++++++ --- /var/tmp/diff_new_pack.c3H35e/_old 2021-06-04 22:42:33.143062334 +0200 +++ /var/tmp/diff_new_pack.c3H35e/_new 2021-06-04 22:42:33.143062334 +0200 @@ -1,5 +1,5 @@ # -# spec file for package python-libxml2 +# spec file # # Copyright (c) 2021 SUSE LLC # @@ -31,7 +31,7 @@ %define bname libxml2 %define lname libxml2-2 Name: %{pprefix}%{bname} -Version: 2.9.10 +Version: 2.9.12 Release: 0 %if !%{with python} Summary: A Library to Manipulate XML Files @@ -45,35 +45,15 @@ Source1: ftp://xmlsoft.org/libxml2/%{bname}-%{version}.tar.gz.asc Source2: baselibs.conf Source3: libxml2.keyring -Patch0: fix-perl.diff Patch1: libxml2-python3-unicode-errors.patch # PATCH-FIX-UPSTREAM libxml2-python3-string-null-check.patch bsc#1065270 mgo...@suse.com -# don't return a NULL string for an invalid UTF-8 conversion. +# https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/15 Patch2: libxml2-python3-string-null-check.patch # PATCH-FIX-SUSE bsc#1135123 Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit Patch3: libxml2-make-XPATH_MAX_NODESET_LENGTH-configurable.patch -# PATCH-FIX-UPSTREAM bsc#1157450 This commit breaks perl-XML-LibXSLT -Patch4: libxml2-xmlFreeNodeList-recursive.patch -# PATCH-FIX-UPSTREAM bsc#1161517 CVE-2020-7595 Infinite loop in xmlStringLenDecodeEntities -Patch5: libxml2-CVE-2020-7595.patch -# PATCH-FIX-UPSTREAM bsc#1159928 CVE-2019-19956 Revert usptream commit -Patch6: libxml2-CVE-2019-19956.patch -# PATCH-FIX-UPSTREAM bsc#1176179 CVE-2020-24977 xmllint: global-buffer-overflow in xmlEncodeEntitiesInternal -Patch7: libxml2-CVE-2020-24977.patch -# PATCH-FIX-SUSE bsc#1178823 Avoid quadratic checking of identity-constraints -Patch8: libxml2-Avoid-quadratic-checking-of-identity-constraints.patch -# PATCH-FIX-UPSTREAM bsc#1161521 CVE-2019-20388 Memory leak in xmlSchemaPreRun -Patch9: libxml2-CVE-2019-20388.patch -# PATCH-FIX-UPSTREAM Fix building against Python 3.9 -Patch10: libxml2-python39.patch -# PATCH-FIX-UPSTREAM bsc#1185409 CVE-2021-3516 use-after-free in entities.c:xmlEncodeEntitiesInternal() -Patch11: libxml2-CVE-2021-3516.patch -# PATCH-FIX-UPSTREAM bsc#1185410 CVE-2021-3517 heap-based buffer overflow entities.c:xmlEncodeEntitiesInternal() -Patch12: libxml2-CVE-2021-3517.patch -# PATCH-FIX-UPSTREAM bsc#1185408 CVE-2021-3518 use-after-free in xinclude.c:xmlXIncludeDoProcess() -Patch13: libxml2-CVE-2021-3518.patch -# PATCH-FIX-UPSTREAM bsc#1185698 CVE-2021-3537 NULL pointer dereference in valid.c:xmlValidBuildAContentModel -Patch14: libxml2-CVE-2021-3537.patch +# PATCH-FIX-UPSTREAM https://gitlab.gnome.org/GNOME/libxml2/-/issues/255 +Patch4: libxml2-fix-lxml-corrupted-subtree-structures.patch +Patch5: libxml2-fix-regression-in-xmlNodeDumpOutputInternal.patch BuildRequires: fdupes BuildRequires: pkgconfig BuildRequires: python-rpm-macros @@ -169,21 +149,11 @@ %prep %setup -q -n libxml2-%{version} -%patch0 %patch1 -p1 %patch2 -p1 %patch3 -p1 -%patch4 -p1 -R +%patch4 -p1 %patch5 -p1 -%patch6 -p1 -R -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 %build %if !%{with python} ++++++ libxml2-2.9.10.tar.gz -> libxml2-2.9.12.tar.gz ++++++ ++++ 24181 lines of diff (skipped) ++++++ libxml2-fix-lxml-corrupted-subtree-structures.patch ++++++ >From 85b1792e37b131e7a51af98a37f92472e8de5f3f Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer <wellnho...@aevum.de> Date: Tue, 18 May 2021 20:08:28 +0200 Subject: [PATCH] Work around lxml API abuse Make xmlNodeDumpOutput and htmlNodeDumpFormatOutput work with corrupted parent pointers. This used to work with the old recursive code but the non-recursive rewrite required parent pointers to be set correctly. Unfortunately, lxml relies on the old behavior and passes subtrees with a corrupted structure. Fall back to a recursive function call if an invalid parent pointer is detected. Fixes #255. --- HTMLtree.c | 46 ++++++++++++++++++++++++++++------------------ xmlsave.c | 31 +++++++++++++++++++++---------- 2 files changed, 49 insertions(+), 28 deletions(-) diff --git a/HTMLtree.c b/HTMLtree.c index 24434d45..bdd639c7 100644 --- a/HTMLtree.c +++ b/HTMLtree.c @@ -744,7 +744,7 @@ void htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, xmlNodePtr cur, const char *encoding ATTRIBUTE_UNUSED, int format) { - xmlNodePtr root; + xmlNodePtr root, parent; xmlAttrPtr attr; const htmlElemDesc * info; @@ -755,6 +755,7 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, } root = cur; + parent = cur->parent; while (1) { switch (cur->type) { case XML_HTML_DOCUMENT_NODE: @@ -762,13 +763,25 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, if (((xmlDocPtr) cur)->intSubset != NULL) { htmlDtdDumpOutput(buf, (xmlDocPtr) cur, NULL); } - if (cur->children != NULL) { + /* Always validate cur->parent when descending. */ + if ((cur->parent == parent) && (cur->children != NULL)) { + parent = cur; cur = cur->children; continue; } break; case XML_ELEMENT_NODE: + /* + * Some users like lxml are known to pass nodes with a corrupted + * tree structure. Fall back to a recursive call to handle this + * case. + */ + if ((cur->parent != parent) && (cur->children != NULL)) { + htmlNodeDumpFormatOutput(buf, doc, cur, encoding, format); + break; + } + /* * Get specific HTML info for that node. */ @@ -817,6 +830,7 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, (cur->name != NULL) && (cur->name[0] != 'p')) /* p, pre, param */ xmlOutputBufferWriteString(buf, "\n"); + parent = cur; cur = cur->children; continue; } @@ -825,9 +839,9 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, (info != NULL) && (!info->isinline)) { if ((cur->next->type != HTML_TEXT_NODE) && (cur->next->type != HTML_ENTITY_REF_NODE) && - (cur->parent != NULL) && - (cur->parent->name != NULL) && - (cur->parent->name[0] != 'p')) /* p, pre, param */ + (parent != NULL) && + (parent->name != NULL) && + (parent->name[0] != 'p')) /* p, pre, param */ xmlOutputBufferWriteString(buf, "\n"); } @@ -842,9 +856,9 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, break; if (((cur->name == (const xmlChar *)xmlStringText) || (cur->name != (const xmlChar *)xmlStringTextNoenc)) && - ((cur->parent == NULL) || - ((xmlStrcasecmp(cur->parent->name, BAD_CAST "script")) && - (xmlStrcasecmp(cur->parent->name, BAD_CAST "style"))))) { + ((parent == NULL) || + ((xmlStrcasecmp(parent->name, BAD_CAST "script")) && + (xmlStrcasecmp(parent->name, BAD_CAST "style"))))) { xmlChar *buffer; buffer = xmlEncodeEntitiesReentrant(doc, cur->content); @@ -902,13 +916,9 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, break; } - /* - * The parent should never be NULL here but we want to handle - * corrupted documents gracefully. - */ - if (cur->parent == NULL) - return; - cur = cur->parent; + cur = parent; + /* cur->parent was validated when descending. */ + parent = cur->parent; if ((cur->type == XML_HTML_DOCUMENT_NODE) || (cur->type == XML_DOCUMENT_NODE)) { @@ -939,9 +949,9 @@ htmlNodeDumpFormatOutput(xmlOutputBufferPtr buf, xmlDocPtr doc, (cur->next != NULL)) { if ((cur->next->type != HTML_TEXT_NODE) && (cur->next->type != HTML_ENTITY_REF_NODE) && - (cur->parent != NULL) && - (cur->parent->name != NULL) && - (cur->parent->name[0] != 'p')) /* p, pre, param */ + (parent != NULL) && + (parent->name != NULL) && + (parent->name[0] != 'p')) /* p, pre, param */ xmlOutputBufferWriteString(buf, "\n"); } } diff --git a/xmlsave.c b/xmlsave.c index 61a40459..aedbd5e7 100644 --- a/xmlsave.c +++ b/xmlsave.c @@ -847,7 +847,7 @@ htmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) { static void xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) { int format = ctxt->format; - xmlNodePtr tmp, root, unformattedNode = NULL; + xmlNodePtr tmp, root, unformattedNode = NULL, parent; xmlAttrPtr attr; xmlChar *start, *end; xmlOutputBufferPtr buf; @@ -856,6 +856,7 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) { buf = ctxt->buf; root = cur; + parent = cur->parent; while (1) { switch (cur->type) { case XML_DOCUMENT_NODE: @@ -868,7 +869,9 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) { break; case XML_DOCUMENT_FRAG_NODE: - if (cur->children != NULL) { + /* Always validate cur->parent when descending. */ + if ((cur->parent == parent) && (cur->children != NULL)) { + parent = cur; cur = cur->children; continue; } @@ -887,7 +890,18 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) { break; case XML_ELEMENT_NODE: - if ((cur != root) && (ctxt->format == 1) && (xmlIndentTreeOutput)) + /* + * Some users like lxml are known to pass nodes with a corrupted + * tree structure. Fall back to a recursive call to handle this + * case. + */ + if ((cur->parent != parent) && (cur->children != NULL)) { + xmlNodeDumpOutputInternal(ctxt, cur); + break; + } + + if ((ctxt->level > 0) && (ctxt->format == 1) && + (xmlIndentTreeOutput)) xmlOutputBufferWrite(buf, ctxt->indent_size * (ctxt->level > ctxt->indent_nr ? ctxt->indent_nr : ctxt->level), @@ -942,6 +956,7 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) { xmlOutputBufferWrite(buf, 1, ">"); if (ctxt->format == 1) xmlOutputBufferWrite(buf, 1, "\n"); if (ctxt->level >= 0) ctxt->level++; + parent = cur; cur = cur->children; continue; } @@ -1058,13 +1073,9 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) { break; } - /* - * The parent should never be NULL here but we want to handle - * corrupted documents gracefully. - */ - if (cur->parent == NULL) - return; - cur = cur->parent; + cur = parent; + /* cur->parent was validated when descending. */ + parent = cur->parent; if (cur->type == XML_ELEMENT_NODE) { if (ctxt->level > 0) ctxt->level--; -- GitLab ++++++ libxml2-fix-regression-in-xmlNodeDumpOutputInternal.patch ++++++ >From 13ad8736d294536da4cbcd70a96b0a2fbf47070c Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer <wellnho...@aevum.de> Date: Tue, 25 May 2021 10:55:25 +0200 Subject: [PATCH] Fix regression in xmlNodeDumpOutputInternal Commit 85b1792e could cause additional whitespace if xmlNodeDump was called with a non-zero starting level. --- xmlsave.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/xmlsave.c b/xmlsave.c index aedbd5e7..489505f4 100644 --- a/xmlsave.c +++ b/xmlsave.c @@ -890,6 +890,13 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) { break; case XML_ELEMENT_NODE: + if ((cur != root) && (ctxt->format == 1) && + (xmlIndentTreeOutput)) + xmlOutputBufferWrite(buf, ctxt->indent_size * + (ctxt->level > ctxt->indent_nr ? + ctxt->indent_nr : ctxt->level), + ctxt->indent); + /* * Some users like lxml are known to pass nodes with a corrupted * tree structure. Fall back to a recursive call to handle this @@ -900,13 +907,6 @@ xmlNodeDumpOutputInternal(xmlSaveCtxtPtr ctxt, xmlNodePtr cur) { break; } - if ((ctxt->level > 0) && (ctxt->format == 1) && - (xmlIndentTreeOutput)) - xmlOutputBufferWrite(buf, ctxt->indent_size * - (ctxt->level > ctxt->indent_nr ? - ctxt->indent_nr : ctxt->level), - ctxt->indent); - xmlOutputBufferWrite(buf, 1, "<"); if ((cur->ns != NULL) && (cur->ns->prefix != NULL)) { xmlOutputBufferWriteString(buf, (const char *)cur->ns->prefix); -- GitLab ++++++ libxml2-make-XPATH_MAX_NODESET_LENGTH-configurable.patch ++++++ --- /var/tmp/diff_new_pack.c3H35e/_old 2021-06-04 22:42:34.135063429 +0200 +++ /var/tmp/diff_new_pack.c3H35e/_new 2021-06-04 22:42:34.135063429 +0200 @@ -1,6 +1,6 @@ --- libxml2-2.9.4/xpath.c +++ libxml2-2.9.4/xpath.c -@@ -119,14 +119,32 @@ +@@ -129,14 +129,32 @@ #define XPATH_MAX_STACK_DEPTH 1000000 /* @@ -37,7 +37,7 @@ +} /* - * TODO: + * XPATH_MAX_RECRUSION_DEPTH: @@ -3672,7 +3690,7 @@ xmlXPathNodeSetAddNs(xmlNodeSetPtr cur, } else if (cur->nodeNr == cur->nodeMax) { xmlNodePtr *temp;