commit libxml2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2024-06-13 15:37:49 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.19518 (New) Package is "libxml2" Thu Jun 13 15:37:49 2024 rev:126 rq:1180224 version:2.12.8 Changes: --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2024-05-16 17:14:56.659419931 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new.19518/libxml2.changes 2024-06-13 15:37:59.785923902 +0200 @@ -1,0 +2,6 @@ +Wed Jun 12 11:35:32 UTC 2024 - Dominique Leuenberger + +- Update to version 2.12.8: + + parser: Fix performance regression when parsing namespaces. + +--- Old: libxml2-2.12.7.tar.xz New: libxml2-2.12.8.tar.xz Other differences: -- ++ libxml2.spec ++ --- /var/tmp/diff_new_pack.ZcEZgP/_old 2024-06-13 15:38:01.345980827 +0200 +++ /var/tmp/diff_new_pack.ZcEZgP/_new 2024-06-13 15:38:01.345980827 +0200 @@ -25,7 +25,7 @@ %endif Name: libxml2%{?dash}%{flavor} -Version:2.12.7 +Version:2.12.8 Release:0 License:MIT Summary:A Library to Manipulate XML Files ++ libxml2-2.12.7.tar.xz -> libxml2-2.12.8.tar.xz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.12.7/NEWS new/libxml2-2.12.8/NEWS --- old/libxml2-2.12.7/NEWS 2024-05-13 11:33:44.0 +0200 +++ new/libxml2-2.12.8/NEWS 2024-06-12 12:57:16.0 +0200 @@ -1,5 +1,12 @@ NEWS file for libxml2 +v2.12.8: Jun 12 2024 + +### Regressions + +- parser: Fix performance regression when parsing namespaces + + v2.12.7: May 13 2024 ### Security diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.12.7/configure new/libxml2-2.12.8/configure --- old/libxml2-2.12.7/configure2024-05-13 11:34:41.0 +0200 +++ new/libxml2-2.12.8/configure2024-06-12 12:58:11.0 +0200 
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for libxml2 2.12.7. +# Generated by GNU Autoconf 2.71 for libxml2 2.12.8. # # # Copyright (C) 1992-1996, 1998-2017, 2020-2021 Free Software Foundation, @@ -618,8 +618,8 @@ # Identity of this package. PACKAGE_NAME='libxml2' PACKAGE_TARNAME='libxml2' -PACKAGE_VERSION='2.12.7' -PACKAGE_STRING='libxml2 2.12.7' +PACKAGE_VERSION='2.12.8' +PACKAGE_STRING='libxml2 2.12.8' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1547,7 +1547,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libxml2 2.12.7 to adapt to many kinds of systems. +\`configure' configures libxml2 2.12.8 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1618,7 +1618,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libxml2 2.12.7:";; + short | recursive ) echo "Configuration of libxml2 2.12.8:";; esac cat <<\_ACEOF @@ -1792,7 +1792,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libxml2 configure 2.12.7 +libxml2 configure 2.12.8 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -2067,7 +2067,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libxml2 $as_me 2.12.7, which was +It was created by libxml2 $as_me 2.12.8, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw 
@@ -2905,7 +2905,7 @@ LIBXML_MAJOR_VERSION=2 LIBXML_MINOR_VERSION=12 -LIBXML_MICRO_VERSION=7 +LIBXML_MICRO_VERSION=8 LIBXML_MICRO_VERSION_SUFFIX= LIBXML_VERSION=$LIBXML_MAJOR_VERSION.$LIBXML_MINOR_VERSION.$LIBXML_MICRO_VERSION$LIBXML_MICRO_VERSION_SUFFIX LIBXML_VERSION_INFO=`expr $LIBXML_MAJOR_VERSION + $LIBXML_MINOR_VERSION`:$LIBXML_MICRO_VERSION:$LIBXML_MINOR_VERSION @@ -3444,7 +3444,7 @@ # Define the identity of the package. PACKAGE='libxml2' - VERSION='2.12.7' + VERSION='2.12.8' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -17112,7 +17112,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libxml2 $as_me 2.12.7, which was +This file was extended by libxml2 $as_me 2.12.8, which was generated by GNU Autoconf 2.71. Invocation command line wa
commit libxml2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2024-02-12 18:49:26 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.1815 (New) Package is "libxml2" Mon Feb 12 18:49:26 2024 rev:123 rq:1145598 version:2.11.6 Changes: --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2023-11-20 21:18:41.508904754 +0100 +++ /work/SRC/openSUSE:Factory/.libxml2.new.1815/libxml2.changes 2024-02-12 18:49:27.744551992 +0100 @@ -1,0 +2,6 @@ +Sat Feb 10 10:56:46 UTC 2024 - David Anes + +- Security fix (CVE-2024-25062, bsc#1219576) use-after-free in XMLReader + * Added libxml2-CVE-2024-25062.patch + +--- New: libxml2-CVE-2024-25062.patch BETA DEBUG BEGIN: New:- Security fix (CVE-2024-25062, bsc#1219576) use-after-free in XMLReader * Added libxml2-CVE-2024-25062.patch BETA DEBUG END: Other differences: -- ++ libxml2.spec ++ --- /var/tmp/diff_new_pack.2Lv6rk/_old 2024-02-12 18:49:28.528580324 +0100 +++ /var/tmp/diff_new_pack.2Lv6rk/_new 2024-02-12 18:49:28.528580324 +0100 @@ -1,7 +1,7 @@ # -# spec file +# spec file for package libxml2 # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -51,6 +51,9 @@ # PATCH-FIX-UPSTREAM CVE-2023-45322 bsc#1216129 # https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9 Patch4: libxml2-CVE-2023-45322.patch +# PATCH-FIX-UPSTREAM use-after-free in XMLReader bsc#1219576 david.a...@suse.com +# https://gitlab.gnome.org/GNOME/libxml2/-/commit/1a66b176055d25ee635bf328c7b35b381db0b71d +Patch5: libxml2-CVE-2024-25062.patch # ### -- openSUSE patches range from 1000 to 1999 -- ### # PATCH-FIX-OPENSUSE ++ libxml2-CVE-2024-25062.patch ++ >From 1a66b176055d25ee635bf328c7b35b381db0b71d Mon Sep 17 00:00:00 2001 
From: Nick Wellnhofer
Date: Sat, 14 Oct 2023 22:45:54 +0200
Subject: [PATCH] [CVE-2024-25062] xmlreader: Don't expand XIncludes when backtracking

Fixes a use-after-free if XML Reader if used with DTD validation and XInclude expansion.

Fixes #604.
---
 xmlreader.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/xmlreader.c b/xmlreader.c
index 3bdb8228..6486c7da 100644
--- a/xmlreader.c
+++ b/xmlreader.c
@@ -1428,6 +1428,7 @@ node_found:
 * Handle XInclude if asked for
 */
 if ((reader->xinclude) && (reader->in_xinclude == 0) &&
+(reader->state != XML_TEXTREADER_BACKTRACK) &&
 (reader->node != NULL) &&
 (reader->node->type == XML_ELEMENT_NODE) &&
 (reader->node->ns != NULL) &&
-- GitLab
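Review bot: The added `(reader->state != XML_TEXTREADER_BACKTRACK)` term carries no explanation, and the block comment directly above it still says only `Handle XInclude if asked for`, so the reason for the guard is recorded nowhere in the code. Going by the commit message, expanding XIncludes while the reader is backtracking is what led to the use-after-free with DTD validation enabled; I would extend the comment to say so, e.g. `* Handle XInclude if asked for. Skip it while backtracking: expanding again on the way back up led to a use-after-free with DTD validation (#604).` The diffstat lists only xmlreader.c, so no regression test ships with the fix; a reader test that enables both DTD validation and XInclude processing, run under a memory sanitizer, would keep this condition from being dropped in a later cleanup. The enclosing function begins and ends outside the hunk.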
commit libxml2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2023-11-20 21:18:33 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.2521 (New) Package is "libxml2" Mon Nov 20 21:18:33 2023 rev:122 rq:1126869 version:2.11.6 Changes: --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2023-11-15 21:06:34.815809266 +0100 +++ /work/SRC/openSUSE:Factory/.libxml2.new.2521/libxml2.changes 2023-11-20 21:18:41.508904754 +0100 @@ -1,0 +2,10 @@ +Thu Nov 16 12:44:37 UTC 2023 - Bjørn Lie + +- Update to version 2.11.6: + * Regressions: +- threads: Fix --with-thread-alloc +- xinclude: Fix âlastâ pointer in xmlXIncludeCopyNode + * Bug fixes: parser: Fix potential use-after-free in +xmlParseCharDataInternal + +--- Old: libxml2-2.11.5.tar.xz New: libxml2-2.11.6.tar.xz Other differences: -- ++ libxml2.spec ++ --- /var/tmp/diff_new_pack.PYOTxX/_old 2023-11-20 21:18:42.316934575 +0100 +++ /var/tmp/diff_new_pack.PYOTxX/_new 2023-11-20 21:18:42.320934722 +0100 @@ -25,7 +25,7 @@ %endif Name: libxml2%{?dash}%{flavor} -Version:2.11.5 +Version:2.11.6 Release:0 License:MIT Summary:A Library to Manipulate XML Files ++ libxml2-2.11.5.tar.xz -> libxml2-2.11.6.tar.xz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.11.5/NEWS new/libxml2-2.11.6/NEWS --- old/libxml2-2.11.5/NEWS 2023-08-09 14:37:24.0 +0200 +++ new/libxml2-2.11.6/NEWS 2023-11-16 12:58:36.0 +0100 
@@ -1,5 +1,17 @@ NEWS file for libxml2 +v2.11.6: Nov 16 2023 + +### Regressions + +- threads: Fix --with-thread-alloc +- xinclude: Fix 'last' pointer in xmlXIncludeCopyNode + +### Bug fixes + +- parser: Fix potential use-after-free in xmlParseCharDataInternal + + v2.11.5: Aug 9 2023 ### Regressions diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.11.5/configure new/libxml2-2.11.6/configure --- old/libxml2-2.11.5/configure2023-08-09 14:39:33.0 +0200 +++ new/libxml2-2.11.6/configure2023-11-16 12:59:20.0 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for libxml2 2.11.5. +# Generated by GNU Autoconf 2.71 for libxml2 2.11.6. # # # Copyright (C) 1992-1996, 1998-2017, 2020-2021 Free Software Foundation, @@ -618,8 +618,8 @@ # Identity of this package. PACKAGE_NAME='libxml2' PACKAGE_TARNAME='libxml2' -PACKAGE_VERSION='2.11.5' -PACKAGE_STRING='libxml2 2.11.5' +PACKAGE_VERSION='2.11.6' +PACKAGE_STRING='libxml2 2.11.6' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1541,7 +1541,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libxml2 2.11.5 to adapt to many kinds of systems. +\`configure' configures libxml2 2.11.6 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1612,7 +1612,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libxml2 2.11.5:";; + short | recursive ) echo "Configuration of libxml2 2.11.6:";; esac cat <<\_ACEOF @@ -1785,7 +1785,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libxml2 configure 2.11.5 +libxml2 configure 2.11.6 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. 
@@ -2060,7 +2060,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libxml2 $as_me 2.11.5, which was +It was created by libxml2 $as_me 2.11.6, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -2898,7 +2898,7 @@ LIBXML_MAJOR_VERSION=2 LIBXML_MINOR_VERSION=11 -LIBXML_MICRO_VERSION=5 +LIBXML_MICRO_VERSION=6 LIBXML_MICRO_VERSION_SUFFIX= LIBXML_VERSION=$LIBXML_MAJOR_VERSION.$LIBXML_MINOR_VERSION.$LIBXML_MICRO_VERSION$LIBXML_MICRO_VERSION_SUFFIX LIBXML_VERSION_INFO=`expr $LIBXML_MAJOR_VERSION + $LIBXML_MINOR_VERSION`:$LIBXML_MICRO_VERSION:$LIBXML_MINOR_VERSION @@ -3437,7 +3437,7 @@ # Define the identity of the package. PACKAGE='libxml2' - VERSION='2.11.5' + VERSION='2.11.6' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -17034,7 +17034,7 @@ # report actual input values of CONFIG_FIL
commit libxml2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2023-11-15 21:06:31 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.17445 (New) Package is "libxml2" Wed Nov 15 21:06:31 2023 rev:121 rq:1125707 version:2.11.5 Changes: --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2023-11-02 20:20:47.538339693 +0100 +++ /work/SRC/openSUSE:Factory/.libxml2.new.17445/libxml2.changes 2023-11-15 21:06:34.815809266 +0100 @@ -1,0 +2,7 @@ +Mon Nov 13 15:02:14 UTC 2023 - David Anes + +- Security fix: CVE-2023-45322 (bsc#1216129) + * use-after-free in xmlUnlinkNode() in tree.c + * Added file libxml2-CVE-2023-45322.patch + +--- New: libxml2-CVE-2023-45322.patch BETA DEBUG BEGIN: New: * use-after-free in xmlUnlinkNode() in tree.c * Added file libxml2-CVE-2023-45322.patch BETA DEBUG END: Other differences: -- ++ libxml2.spec ++ --- /var/tmp/diff_new_pack.9EjLwA/_old 2023-11-15 21:06:35.447832585 +0100 +++ /var/tmp/diff_new_pack.9EjLwA/_new 2023-11-15 21:06:35.451832731 +0100 @@ -48,6 +48,9 @@ # PATCH-FIX-UPSTREAM python312.patch # https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/226 Patch3: python312.patch +# PATCH-FIX-UPSTREAM CVE-2023-45322 bsc#1216129 +# https://gitlab.gnome.org/GNOME/libxml2/-/commit/d39f78069dff496ec865c73aa44d7110e429bce9 +Patch4: libxml2-CVE-2023-45322.patch # ### -- openSUSE patches range from 1000 to 1999 -- ### # PATCH-FIX-OPENSUSE ++ libxml2-CVE-2023-45322.patch ++ >From d39f78069dff496ec865c73aa44d7110e429bce9 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Wed, 23 Aug 2023 20:24:24 +0200 Subject: [PATCH] tree: Fix copying of DTDs - Don't create multiple DTD nodes. - Fix UAF if malloc fails. - Skip DTD nodes if tree module is disabled. Fixes #583. --- tree.c | 31 --- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/tree.c b/tree.c index 6c8a875b9..02c1b5791 100644 --- a/tree.c +++ b/tree.c 
@@ -4471,29 +4471,28 @@ xmlNodePtr xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { xmlNodePtr ret = NULL; xmlNodePtr p = NULL,q; +xmlDtdPtr newSubset = NULL; while (node != NULL) { -#ifdef LIBXML_TREE_ENABLED if (node->type == XML_DTD_NODE ) { - if (doc == NULL) { +#ifdef LIBXML_TREE_ENABLED + if ((doc == NULL) || (doc->intSubset != NULL)) { node = node->next; continue; } - if (doc->intSubset == NULL) { - q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node ); - if (q == NULL) goto error; - q->doc = doc; - q->parent = parent; - doc->intSubset = (xmlDtdPtr) q; - xmlAddChild(parent, q); - } else { - q = (xmlNodePtr) doc->intSubset; - xmlAddChild(parent, q); - } - } else +q = (xmlNodePtr) xmlCopyDtd( (xmlDtdPtr) node ); +if (q == NULL) goto error; +q->doc = doc; +q->parent = parent; +newSubset = (xmlDtdPtr) q; +#else +node = node->next; +continue; #endif /* LIBXML_TREE_ENABLED */ + } else { q = xmlStaticCopyNode(node, doc, parent, 1); - if (q == NULL) goto error; + if (q == NULL) goto error; +} if (ret == NULL) { q->prev = NULL; ret = p = q; @@ -4505,6 +4504,8 @@ xmlStaticCopyNodeList(xmlNodePtr node, xmlDocPtr doc, xmlNodePtr parent) { } node = node->next; } +if (newSubset != NULL) +doc->intSubset = newSubset; return(ret); error: xmlFreeNodeList(ret); -- GitLab
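Review bot: The skip test `(doc == NULL) || (doc->intSubset != NULL)` in the first tree.c hunk does not look at `newSubset`, and `doc->intSubset` is now assigned only after the loop, so if the list being copied holds more than one XML_DTD_NODE each of them is copied and `newSubset` ends up pointing at the last copy. The commit message's aim of not creating multiple DTD nodes would hold within a single call if the condition read `if ((doc == NULL) || (doc->intSubset != NULL) || (newSubset != NULL)) {`. Whether a sibling list can actually contain two DTD nodes is not visible from this hunk, so treat this as a hardening suggestion rather than a confirmed defect.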
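Review bot: The deferred `doc->intSubset = newSubset;` in the second tree.c hunk is what keeps the `error:` path safe, yet nothing in the code says so. As far as the two hunks show, the DTD copy is linked into `ret`, so `xmlFreeNodeList(ret)` would otherwise free a node the document still points to. A short comment above the assignment would stop someone from moving it back into the loop: `/* Publish the DTD copy only after the whole list was copied; on failure ret is freed and doc must not keep a pointer into it. */`. The unbraced `if` would also be safer written as `if (newSubset != NULL) { doc->intSubset = newSubset; }`. The function body starts outside this hunk.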
commit libxml2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2023-11-02 20:20:44 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.17445 (New) Package is "libxml2" Thu Nov 2 20:20:44 2023 rev:120 rq:1121463 version:2.11.5 Changes: --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2023-09-04 13:19:31.315503380 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new.17445/libxml2.changes 2023-11-02 20:20:47.538339693 +0100 @@ -1,0 +2,8 @@ +Mon Oct 23 08:26:09 UTC 2023 - Daniel Garcia + +- Add python312.patch to make it compatible with python 3.12 + https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/226 +- Use pyproject_wheel and pyproject_install macros instead of + python_build, python_install + +--- 
@@ -6,0 +15,91 @@ + +--- +Wed Aug 9 15:34:12 UTC 2023 - Bjørn Lie + +- Update to version 2.11.5: + + Regressions: +- parser: Make xmlSwitchEncoding always skip the BOM +- autotools: Improve iconv check + + Bug fixes: +- valid: Fix c1->parent pointer in xmlCopyDocElementContent +- encoding: Always call ucnv_convertEx with flush set to false + + Portability: autotools: fix Python module file ext for +cygwin/msys2 + + Tests: runtest: Fix compilation without LIBXML_HTML_ENABLED + +--- +Fri May 19 11:51:22 UTC 2023 - Bjørn Lie + +- Update to version 2.11.4: + + Fixes a serious regression: parser: Fix regression when push +parsing UTF-8 sequences. + +--- +Thu May 11 13:42:48 UTC 2023 - Bjørn Lie + +- Update to version 2.11.3: + + xinclude: Fix false positives in inclusion loop detection. + + autotools: Fix ICU detection. + + parser: Fix "huge input lookup" error with push parser. + + xpath: Fix build without LIBXML_XPATH_ENABLED. + + hash: Fix possible startup crash with old libxslt versions. + + autoconf: fix iconv library paths. + +--- +Fri May 5 13:55:31 UTC 2023 - Bjørn Lie + +- Update to version 2.11.2: + + Fix regressions: +- threads: Fix startup crash with weak symbol hack +- win32: Donât depend on removed .def file +- schemas: Fix memory leak in xmlSchemaValidateStream + +--- +Wed May 3 13:17:35 UTC 2023 - David Anes + +- Rebased patches: + * libxml2-make-XPATH_MAX_NODESET_LENGTH-configurable.patch + * libxml2-python3-unicode-errors.patch + +- Update to 2.11.1: + * Fixes build and ABI issues. +- cmake: Fix va_copy detection (Luca Niccoli) +- libxml.m4: Fix quoting +- Link with --undefined-version +- libxml2.syms: Revert removal of version information + +- Update to 2.11.0: + * Major changes +- Protection against entity expansion attacks, also known as + "billion laughs" has been greatly improved. Malicious files + should be detected reliably now and false positives should be + reduced. 
It is possible though that large documents which make + heavy use of entities are rejected now. +- This release finally fixes symbol visibility on UNIX systems. + Internal symbols will now be hidden. While these symbols were + never declared in public headers, it was still possible to + declare them manually. Now this won't work. +- All symbol information has been removed from the ELF version + script to fix link errors with --no-undefined-version. The + version nodes are kept so it should still be possible to run + binaries linked against older versions. +- About 90 memory errors in code paths handling malloc failures + have been fixed. While these issues shouldn't impact security, + this improves robustness under memory pressure. +- The XInclude engine has been reworked to properly support + nested includes. +- Several cases of quadratic behavior in the XML push parser + have been fixed. +- Refactoring has begun on some buffering and encoding code with + the goal of simplifying this part of the code base and + improving error reporting. + * Other highlights: +- Consolidated private header files. +- Major rework of the autoconf build. +- Deprecated several outdated and internal functions. + * Security +- Fix use-after-free in xmlParseContentInternal() (David Kilzer) +- xmllint: Fix use-after-free with --maxmem +- parser: Fix OOB read when formatting error message +- entities: Rework entity amplification checks + * See the ful
commit libxml2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2023-09-04 13:19:30 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.1766 (New) Package is "libxml2" Mon Sep 4 13:19:30 2023 rev:119 rq:1108847 version:2.10.4 Changes: --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2023-04-26 17:24:54.265463275 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new.1766/libxml2.changes 2023-09-04 13:19:31.315503380 +0200 @@ -1,0 +2,7 @@ +Mon Sep 4 10:36:54 UTC 2023 - David Anes + +- Security fix: CVE-2023-39615 (bsc#1214768) + * crafted xml can cause global buffer overflow + * Added file libxml2-CVE-2023-39615.patch + +--- New: libxml2-CVE-2023-39615.patch Other differences: -- ++ libxml2.spec ++ --- /var/tmp/diff_new_pack.2jibAv/_old 2023-09-04 13:19:33.611585222 +0200 +++ /var/tmp/diff_new_pack.2jibAv/_new 2023-09-04 13:19:33.619585507 +0200 @@ -42,6 +42,9 @@ # PATCH-FIX-UPSTREAM libxml2-python3-string-null-check.patch bsc#1065270 mgo...@suse.com # https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/15 Patch1: libxml2-python3-string-null-check.patch +# PATCH-FIX-UPSTREAM CVE-2023-39615 bsc#1214768 +# https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9 +Patch2: libxml2-CVE-2023-39615.patch # ### -- openSUSE patches range from 1000 to 1999 -- ### # PATCH-FIX-OPENSUSE ++ libxml2-CVE-2023-39615.patch ++ >From d0c3f01e110d54415611c5fa0040cdf4a56053f9 Mon Sep 17 00:00:00 2001 
From: Nick Wellnhofer
Date: Sat, 6 May 2023 17:47:37 +0200
Subject: [PATCH] parser: Fix old SAX1 parser with custom callbacks

For some reason, xmlCtxtUseOptionsInternal set the start and end element SAX handlers to the internal DOM builder functions when XML_PARSE_SAX1 was specified. This means that custom SAX handlers could never work with that flag because these functions would receive the wrong user data argument and crash immediately.

Fixes #535.
---
 parser.c | 2 --
 1 file changed, 2 deletions(-)
Index: libxml2-2.10.4/parser.c
===
--- libxml2-2.10.4.orig/parser.c
+++ libxml2-2.10.4/parser.c
@@ -15064,8 +15064,6 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtP
 }
 #ifdef LIBXML_SAX1_ENABLED
 if (options & XML_PARSE_SAX1) {
-ctxt->sax->startElement = xmlSAX2StartElement;
-ctxt->sax->endElement = xmlSAX2EndElement;
 ctxt->sax->startElementNs = NULL;
 ctxt->sax->endElementNs = NULL;
 ctxt->sax->initialized = 1;
commit libxml2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2023-04-26 17:24:19 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.1533 (New) Package is "libxml2" Wed Apr 26 17:24:19 2023 rev:118 rq:1082712 version:2.10.4 Changes: --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2023-04-21 14:15:39.798127118 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new.1533/libxml2.changes 2023-04-26 17:24:54.265463275 +0200 @@ -1,0 +2,5 @@ +Fri Apr 21 14:50:09 UTC 2023 - David Anes + +- Remove unneeded dependency (bsc#1209918). + +--- Other differences: -- ++ libxml2.spec ++ --- /var/tmp/diff_new_pack.3Xo38Z/_old 2023-04-26 17:24:54.733466005 +0200 +++ /var/tmp/diff_new_pack.3Xo38Z/_new 2023-04-26 17:24:54.737466029 +0200 @@ -134,7 +134,6 @@ Summary:Python Bindings for %{name} Requires: %{libname} = %{version} Requires: python-extras -Requires: python-testtools >= 1.8.0 Provides: %{base_name}-python = %{version}-%{release} Provides: python-libxml2-python = %{version}-%{release} # Use hardcoded version to avoid unwanted behavior in the future.
commit libxml2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2023-04-21 14:15:35 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.1533 (New) Package is "libxml2" Fri Apr 21 14:15:35 2023 rev:117 rq:1079409 version:2.10.4 Changes: --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2023-02-07 18:47:29.598618359 +0100 +++ /work/SRC/openSUSE:Factory/.libxml2.new.1533/libxml2.changes 2023-04-21 14:15:39.798127118 +0200 @@ -1,0 +2,15 @@ +Tue Apr 11 12:37:32 UTC 2023 - Bjørn Lie + +- Update to version 2.10.4: + + Security: +- [CVE-2023-29469, bsc#1210412] Hashing of empty dict strings + isnât deterministic +- [CVE-2023-28484, bsc#1210411] Fix null deref in + xmlSchemaFixupComplexType +- schemas: Fix null-pointer-deref in + xmlSchemaCheckCOSSTDerivedOK + + Regressions: +- SAX2: Ignore namespaces in HTML documents +- io: Fix âbuffer fullâ error with certain buffer sizes + +--- Old: libxml2-2.10.3.tar.xz New: libxml2-2.10.4.tar.xz Other differences: -- ++ libxml2.spec ++ --- /var/tmp/diff_new_pack.oGE3gK/_old 2023-04-21 14:15:40.750132456 +0200 +++ /var/tmp/diff_new_pack.oGE3gK/_new 2023-04-21 14:15:40.762132523 +0200 @@ -25,7 +25,7 @@ %endif Name: libxml2%{?dash}%{flavor} -Version:2.10.3 +Version:2.10.4 Release:0 License:MIT Summary:A Library to Manipulate XML Files ++ libxml2-2.10.3.tar.xz -> libxml2-2.10.4.tar.xz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.3/INSTALL new/libxml2-2.10.4/INSTALL --- old/libxml2-2.10.3/INSTALL 1970-01-01 01:00:00.0 +0100 +++ new/libxml2-2.10.4/INSTALL 2022-11-30 12:01:49.0 +0100 
@@ -0,0 +1,368 @@ +Installation Instructions +* + + Copyright (C) 1994-1996, 1999-2002, 2004-2017, 2020-2021 Free +Software Foundation, Inc. + + Copying and distribution of this file, with or without modification, +are permitted in any medium without royalty provided the copyright +notice and this notice are preserved. This file is offered as-is, +without warranty of any kind. + +Basic Installation +== + + Briefly, the shell command './configure && make && make install' +should configure, build, and install this package. The following +more-detailed instructions are generic; see the 'README' file for +instructions specific to this package. Some packages provide this +'INSTALL' file but do not implement all of the features documented +below. The lack of an optional feature in a given package is not +necessarily a bug. More recommendations for GNU packages can be found +in *note Makefile Conventions: (standards)Makefile Conventions. + + The 'configure' shell script attempts to guess correct values for +various system-dependent variables used during compilation. It uses +those values to create a 'Makefile' in each directory of the package. +It may also create one or more '.h' files containing system-dependent +definitions. Finally, it creates a shell script 'config.status' that +you can run in the future to recreate the current configuration, and a +file 'config.log' containing compiler output (useful mainly for +debugging 'configure'). + + It can also use an optional file (typically called 'config.cache' and +enabled with '--cache-file=config.cache' or simply '-C') that saves the +results of its tests to speed up reconfiguring. Caching is disabled by +default to prevent problems with accidental use of stale cache files. 
+ + If you need to do unusual things to compile the package, please try +to figure out how 'configure' could check whether to do them, and mail +diffs or instructions to the address given in the 'README' so they can +be considered for the next release. If you are using the cache, and at +some point 'config.cache' contains results you don't want to keep, you +may remove or edit it. + + The file 'configure.ac' (or 'configure.in') is used to create +'configure' by a program called 'autoconf'. You need 'configure.ac' if +you want to change it or regenerate 'configure' using a newer version of +'autoconf'. + + The simplest way to compile this package is: + + 1. 'cd' to the directory containing the package's source code and type + './configure' to configure the package for your system. + + Running 'configure' might take a while. While running, it prints + some messages telling which features it is checking for. + + 2. Type 'make' to compile the packag
commit libxml2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2023-02-07 18:47:27 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.4462 (New) Package is "libxml2" Tue Feb 7 18:47:27 2023 rev:116 rq:1063336 version:2.10.3 Changes: --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2022-11-02 12:46:48.905468608 +0100 +++ /work/SRC/openSUSE:Factory/.libxml2.new.4462/libxml2.changes 2023-02-07 18:47:29.598618359 +0100 @@ -1,0 +2,5 @@ +Wed Feb 1 09:24:55 UTC 2023 - Dirk Müller + +- remove zlib-devel, pkgconfig(zlib) is sufficient + +--- Other differences: -- ++ libxml2.spec ++ --- /var/tmp/diff_new_pack.1qGtxK/_old 2023-02-07 18:47:30.314622207 +0100 +++ /var/tmp/diff_new_pack.1qGtxK/_new 2023-02-07 18:47:30.326622272 +0100 @@ -1,7 +1,7 @@ # # spec file # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -110,7 +110,6 @@ Requires: libxml2 = %{version} Requires: readline-devel Requires: xz-devel -Requires: zlib-devel Requires: pkgconfig(liblzma) Requires: pkgconfig(zlib)
commit libxml2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2022-11-02 12:46:33 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.2275 (New) Package is "libxml2" Wed Nov 2 12:46:33 2022 rev:115 rq:1032567 version:2.10.3 Changes: --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2022-10-18 12:44:55.393713264 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new.2275/libxml2.changes 2022-11-02 12:46:48.905468608 +0100 @@ -1,0 +2,6 @@ +Mon Oct 31 18:12:58 UTC 2022 - David Anes + +- Add W3C conformance tests to the testsuite (bsc#1204585): + * Added file xmlts20080827.tar.gz + +--- New: xmlts20080827.tar.gz Other differences: -- ++ libxml2.spec ++ --- /var/tmp/diff_new_pack.EzwUuj/_old 2022-11-02 12:46:50.041474375 +0100 +++ /var/tmp/diff_new_pack.EzwUuj/_new 2022-11-02 12:46:50.045474395 +0100 @@ -32,7 +32,9 @@ URL:https://gitlab.gnome.org/GNOME/libxml2 Source0: https://download.gnome.org/sources/%{name}/2.10/libxml2-%{version}.tar.xz Source1:baselibs.conf -# +# W3C Conformance tests +Source2:https://www.w3.org/XML/Test/xmlts20080827.tar.gz + ### -- Upstream patches range from 0 to 999 -- ### # PATCH-FIX-UPSTREAM libxml2-python3-unicode-errors.patch bsc#1064286 mc...@suse.com # remove segfault after doc.freeDoc() @@ -205,7 +207,9 @@ %check # qemu-arm can't keep up atm, disabling check for arm %ifnarch %{arm} +tar xzvf %{SOURCE2} # add conformance tests where they are expected %make_build check +rm -rf xmlconf/ # remove the conformance tests afterwards %endif %ldconfig_scriptlets -n %{libname}
commit libxml2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2022-10-18 12:44:38 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.2275 (New) Package is "libxml2" Tue Oct 18 12:44:38 2022 rev:114 rq:1014116 version:2.10.3 Changes: --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2022-09-15 22:58:40.781128877 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new.2275/libxml2.changes 2022-10-18 12:44:55.393713264 +0200 @@ -1,0 +2,12 @@ +Fri Oct 14 15:04:09 UTC 2022 - Bj??rn Lie + +- Update to version 2.10.3 (bsc#1204366, CVE-2022-40303, bsc#1204367, CVE-2022-40304): + + Security: +- [CVE-2022-40304] Fix dict corruption caused by entity + reference cycles +- [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE +- Fix overflow check in SAX2.c + + Build system: cmake: Set SOVERSION +- Rebase patches with quilt. + +--- Old: libxml2-2.10.2.tar.xz New: libxml2-2.10.3.tar.xz Other differences: -- ++ libxml2.spec ++ --- /var/tmp/diff_new_pack.yjn0PV/_old 2022-10-18 12:44:56.005714657 +0200 +++ /var/tmp/diff_new_pack.yjn0PV/_new 2022-10-18 12:44:56.009714666 +0200 @@ -25,7 +25,7 @@ %endif Name: libxml2%{?dash}%{flavor} -Version:2.10.2 +Version:2.10.3 Release:0 License:MIT Summary:A Library to Manipulate XML Files ++ libxml2-2.10.2.tar.xz -> libxml2-2.10.3.tar.xz ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.2/CMakeLists.txt new/libxml2-2.10.3/CMakeLists.txt --- old/libxml2-2.10.2/CMakeLists.txt 2022-08-25 13:03:49.0 +0200 +++ new/libxml2-2.10.3/CMakeLists.txt 2022-10-14 14:23:53.0 +0200 
@@ -449,6 +449,7 @@ POSITION_INDEPENDENT_CODE ON PREFIX lib VERSION ${PROJECT_VERSION} +SOVERSION ${LIBXML_MAJOR_VERSION} ) if(MSVC) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.2/NEWS new/libxml2-2.10.3/NEWS --- old/libxml2-2.10.2/NEWS 2022-08-29 15:20:29.0 +0200 +++ new/libxml2-2.10.3/NEWS 2022-10-14 14:30:33.0 +0200 @@ -1,5 +1,22 @@ NEWS file for libxml2 +v2.10.3: Oct 14 2022 + +### Security + +- [CVE-2022-40304] Fix dict corruption caused by entity reference cycles +- [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE +- Fix overflow check in SAX2.c + +### Portability + +- win32: Fix build with VS2013 + +### Build system + +- cmake: Set SOVERSION + + v2.10.2: Aug 29 2022 ### Improvements diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libxml2-2.10.2/SAX2.c new/libxml2-2.10.3/SAX2.c --- old/libxml2-2.10.2/SAX2.c 2022-08-29 15:16:31.0 +0200 +++ new/libxml2-2.10.3/SAX2.c 2022-10-14 14:22:16.0 +0200 @@ -28,11 +28,6 @@ #include #include -/* Define SIZE_T_MAX unless defined through . */ -#ifndef SIZE_T_MAX -# define SIZE_T_MAX ((size_t)-1) -#endif /* !SIZE_T_MAX */ - /* #define DEBUG_SAX2 */ /* #define DEBUG_SAX2_TREE */ 
@@ -2596,22 +2591,23 @@ xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: xmlStrdup returned NULL"); return; } -if (((size_t)ctxt->nodelen + (size_t)len > XML_MAX_TEXT_LENGTH) && + if (ctxt->nodelen > INT_MAX - len) { +xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented"); +return; + } +if ((ctxt->nodelen + len > XML_MAX_TEXT_LENGTH) && ((ctxt->options & XML_PARSE_HUGE) == 0)) { xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters: huge text node"); return; } - if ((size_t)ctxt->nodelen > SIZE_T_MAX - (size_t)len || - (size_t)ctxt->nodemem + (size_t)len > SIZE_T_MAX / 2) { -xmlSAX2ErrMemory(ctxt, "xmlSAX2Characters overflow prevented"); -return; - } if (ctxt->nodelen + len >= ctxt->nodemem) { xmlChar *newbuf; - size_t size; + int size; - size = ctxt->nodemem + len; - size *= 2; + size = ctxt->nodemem > INT_MAX - len ? + INT_MAX : + ctxt->nodemem + len; + size = size > INT_MAX / 2 ? INT_MAX : size * 2; newbuf = (xmlChar *) xmlRealloc(lastChild->content,size); if (newbuf == NULL) { xmlSAX2ErrMemory(ctxt, "xmlSAX2Cha
commit libxml2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2022-09-15 22:58:01 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.2083 (New) Package is "libxml2" Thu Sep 15 22:58:01 2022 rev:113 rq:1003583 version:2.10.2 Changes:
--- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2022-09-09 18:22:12.244045958 +0200
+++ /work/SRC/openSUSE:Factory/.libxml2.new.2083/libxml2.changes 2022-09-15 22:58:40.781128877 +0200
@@ -5 +5 @@
- deprecated recently.
+ deprecated recently. (bsc#1202965)
Other differences: --
commit libxml2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2022-09-09 18:22:11 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.2083 (New) Package is "libxml2" Fri Sep 9 18:22:11 2022 rev:112 rq:1000724 version:2.10.2 Changes: --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2022-08-30 14:48:36.827987808 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new.2083/libxml2.changes 2022-09-09 18:22:12.244045958 +0200 @@ -1,0 +2,22 @@ +Thu Sep 1 15:13:08 UTC 2022 - Pedro Monreal + +- Build for now with --with-legacy to enable APIs that have been + deprecated recently. + +--- +Tue Aug 30 14:39:42 UTC 2022 - Bj??rn Lie + +- Update to version 2.10.2: + * Improvements: ++ Remove set-but-unused variable in xmlXPathScanName ++ Silence -Warray-bounds warning + * Build system ++ build: require automake-1.16.3 or later ++ Remove generated files from distribution + * Test suite: Don't create missing.xml when running testapi +- Add configure --with-python=%{__python3} inbefore python build, + as upstream no longer ships pre-grenerated files. +- Use sed to fix env-script-interpreter in documentation example. +- Pass with-ftp to configure, build ftp support. + +--- Old: libxml2-2.10.1.tar.xz New: libxml2-2.10.2.tar.xz Other differences: -- ++ libxml2.spec ++ --- /var/tmp/diff_new_pack.BHgjzD/_old 2022-09-09 18:22:13.240048594 +0200 +++ /var/tmp/diff_new_pack.BHgjzD/_new 2022-09-09 18:22:13.248048615 +0200 @@ -25,7 +25,7 @@ %endif Name: libxml2%{?dash}%{flavor} -Version:2.10.1 +Version:2.10.2 Release:0 License:MIT Summary:A Library to Manipulate XML Files @@ -152,6 +152,7 @@ %prep %autosetup -p1 -n libxml2-%{version} +sed -i '1 s|/usr/bin/env python|/usr/bin/python3|' doc/apibuild.py %build %if ! 0%{?buildpython} 
@@ -170,10 +171,13 @@ --with-regexps \ --with-threads \ --with-reader \ ---with-http +--with-ftp \ +--with-http \ +--with-legacy %make_build BASE_DIR="%{_docdir}" DOC_MODULE="%{base_name}" %else +%configure --with-python=%{__python3} pushd python %python_build popd ++ libxml2-2.10.1.tar.xz -> libxml2-2.10.2.tar.xz ++ 59134 lines of diff (skipped)
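Review bot: `--with-ftp` and `--with-legacy` in this configure block switch back on code that the 2.10.0 changelog on this page lists as turned off upstream ("Disable FTP support by default", "Disable legacy support by default", "Deprecate all functions in nanoftp.h"). The spec carries no comment saying why, or when the flags can go. The changelog calls the legacy flag a "for now" measure and a later entry ties it to bsc#1202965, but no reference at all is given for FTP. Since a comment cannot sit inside the backslash-continued argument list, I would put one above the `%configure` line, which is outside the hunk: `# --with-legacy (bsc#1202965) and --with-ftp re-enable code upstream disabled by default; temporary, drop once dependents no longer need them`.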
commit libxml2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2022-08-30 14:48:30 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.2083 (New) Package is "libxml2" Tue Aug 30 14:48:30 2022 rev:111 rq:35 version:2.10.1 Changes: --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2022-06-29 16:01:46.636656169 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new.2083/libxml2.changes 2022-08-30 14:48:36.827987808 +0200 
@@ -1,0 +2,191 @@ +Thu Aug 25 15:05:51 UTC 2022 - Bj??rn Lie + +- Update to version 2.10.1: + * Regressions: Fix xmlCtxtReadDoc with encoding + * Bug fixes: Fix HTML parser with threads and --without-legacy + * Build system: ++ Fix build with Python 3.10 ++ cmake: Disable version script on macOS ++ Remove Makefile rule to build testapi.c + * Documentation: ++ Switch back to HTML output for API documentation ++ Port doc/examples/index.py to Python 3 ++ Fix order of exports in libxml2-api.xml ++ Remove libxml2-refs.xml + +--- +Thu Aug 18 11:10:28 UTC 2022 - David Anes + +- Update to 2.10.0: + * Security ++ [CVE-2022-2309] Reset nsNr in xmlCtxtReset ++ Reserve byte for NUL terminator and report errors consistently in xmlBuf and + xmlBuffer ++ Fix missing NUL terminators in xmlBuf and xmlBuffer functions ++ Fix integer overflow in xmlBufferDump() ++ xmlBufAvail() should return length without including a byte for NUL + terminator ++ Fix ownership of xmlNodePtr & xmlAttrPtr fields in xmlSetTreeDoc() ++ Use xmlNewDocText in xmlXIncludeCopyRange ++ Fix use-after-free bugs when calling xmlTextReaderClose() before + xmlFreeTextReader() on post-validating parser ++ Use UPDATE_COMPAT() consistently in buf.c ++ fix: xmlXPathParserContext could be double-delete in OOM case. 
+ + * Removals and deprecations ++ Disable XPointer location support by default ++ Remove outdated xml2Conf.sh ++ Deprecate module init and cleanup functions ++ Remove obsolete XML Software Autoupdate (XSA) file ++ Remove DOCBparser ++ Remove obsolete Python test framework ++ Remove broken VxWorks support ++ Remove broken Mac OS 9 support ++ Remove broken bakefile support ++ Remove broken Visual Studio 2010 support ++ Remove broken Windows CE support ++ Deprecate IDREF-related functions in valid.h ++ Deprecate legacy functions ++ Disable legacy support by default ++ Deprecate all functions in nanoftp.h ++ Disable FTP support by default ++ Add XML_DEPRECATED macro ++ Remove elfgcchack.h + + * Regressions ++ Skip incorrectly opened HTML comments ++ Restore behavior of htmlDocContentDumpFormatOutput() + + * Bug fixes ++ Fix memory leak with invalid XSD ++ Make XPath depth check work with recursive invocations ++ Fix memory leak in xmlLoadEntityContent error path ++ Avoid double-free if malloc fails in inputPush ++ Properly fold whitespace around the QName value when validating an XSD + schema. ++ Add whitespace folding for some atomic data types that it's missing on. ++ Don't add IDs containing unexpanded entity references + + * Improvements ++ Avoid calling xmlSetTreeDoc ++ Simplify xmlFreeNode ++ Don't reset nsDef when changing node content ++ Fix unintended fall-through in xmlNodeAddContentLen ++ Remove unused xmlBuf functions ++ Implement xpath1() XPointer scheme ++ Add configuration flag for XPointer locations support ++ Fix compiler warnings in Python code ++ Mark more static data as `const` ++ Make xmlStaticCopyNode non-recursive ++ Clean up encoding switching code ++ Simplify recursive pthread mutex ++ Use non-recursive mutex in dict.c ++ Fix parser progress checks ++ Avoid arithmetic on freed pointers ++ Improve buffer allocation scheme ++ Remove unneeded #includes ++ Add support for some non-standard escapes in regular expressions. 
++ htmlParseComment: handle abruptly-closed comments ++ Add let variable tag support ++ Add value-of tag support ++ Remove useless call to xmlRelaxNGCleanupTypes ++ Don't include ICU headers in public headers ++ Update `xmlStrlen()` to use POSIX / ISO C `strlen()` ++ Fix unused variable warnings with disabled features ++ Only warn on invalid redeclarations of predefined entities ++ Remove unneeded code in xmlreader.c ++ Rework validation context flags + + * Portability ++ Use NAN/INFINITY if available to init XPath NaN/Inf ++ Fix Python tests on macOS ++ Fix xmlCleanupThreads on Windows ++ Fix reinitializat
commit libxml2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2022-06-29 16:00:54 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.1548 (New) Package is "libxml2" Wed Jun 29 16:00:54 2022 rev:110 rq:985342 version:2.9.14 Changes:
--- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2022-05-05 23:05:48.465513436 +0200
+++ /work/SRC/openSUSE:Factory/.libxml2.new.1548/libxml2.changes 2022-06-29 16:01:46.636656169 +0200
@@ -94,3 +94,3 @@
- * Fix CVE-2021-3541, CVE-2021-3537, CVE-2021-3518, CVE-2021-3517,
-CVE-2021-3516, CVE-2020-7595, CVE-2019-20388, CVE-2020-24977,
-and CVE-2019-19956
+ * Fix CVE-2021-3541, CVE-2021-3537 (bsc#1185698, bsc#1185879),
+CVE-2021-3518, CVE-2021-3517, CVE-2021-3516, CVE-2020-7595,
+CVE-2019-20388, CVE-2020-24977, and CVE-2019-19956 (bsc#1159928)
Other differences: --
commit libxml2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2022-05-05 23:05:14 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.1538 (New) Package is "libxml2" Thu May 5 23:05:14 2022 rev:109 rq:974482 version:2.9.14 Changes: --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2022-03-23 20:16:02.930383685 +0100 +++ /work/SRC/openSUSE:Factory/.libxml2.new.1538/libxml2.changes 2022-05-05 23:05:48.465513436 +0200 @@ -1,0 +2,32 @@ +Mon May 2 21:03:25 UTC 2022 - David Anes + +- Update to 2.9.14: + * Security: ++ [CVE-2022-29824] Integer overflow in xmlBuf and xmlBuffer ++ Fix potential double-free in xmlXPtrStringRangeFunction ++ Fix memory leak in xmlFindCharEncodingHandler ++ Normalize XPath strings in-place ++ Prevent integer-overflow in htmlSkipBlankChars() and + xmlSkipBlankChars() ++ Fix leak of xmlElementContent + + * Bug fixes: ++ Fix parsing of subtracted regex character classes ++ Fix recursion check in xinclude.c ++ Reset last error in xmlCleanupGlobals ++ Fix certain combinations of regex range quantifiers ++ Fix range quantifier on subregex + + * Improvements: ++ Fix recovery from invalid HTML start tags + + * Build system, portability: ++ Define LFS macros before including system headers ++ Initialize XPath floating-point globals ++ configure: check for icu DEFS ++ configure.ac: produce tar.xz only (GNOME policy) ++ CMakeLists.txt: Fix LIBXML_VERSION_NUMBER ++ Fix build with older Python versions ++ Fix --without-valid build + +--- Old: libxml2-2.9.13.tar.xz New: libxml2-2.9.14.tar.xz Other differences: -- ++ libxml2.spec ++ --- /var/tmp/diff_new_pack.D2eBdE/_old 2022-05-05 23:05:49.009514115 +0200 +++ /var/tmp/diff_new_pack.D2eBdE/_new 2022-05-05 23:05:49.013514119 +0200 
@@ -25,7 +25,7 @@ %endif Name: libxml2%{?dash}%{flavor} -Version:2.9.13 +Version:2.9.14 Release:0 License:MIT Summary:A Library to Manipulate XML Files ++ libxml2-2.9.13.tar.xz -> libxml2-2.9.14.tar.xz ++ 1637 lines of diff (skipped) retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libxml2-2.9.13/CMakeLists.txt new/libxml2-2.9.14/CMakeLists.txt --- old/libxml2-2.9.13/CMakeLists.txt 2022-02-19 17:23:47.0 +0100 +++ new/libxml2-2.9.14/CMakeLists.txt 2022-05-02 12:52:45.0 +0200 @@ -105,10 +105,13 @@ endif() endforeach() -set(LIBXML_VERSION ${LIBXML_MAJOR_VERSION}0${LIBXML_MINOR_VERSION}0${LIBXML_MICRO_VERSION}) -set(LIBXML_VERSION_STRING "${LIBXML_VERSION}") +set(LIBXML_VERSION ${VERSION}) set(LIBXML_VERSION_EXTRA "") -set(LIBXML_VERSION_NUMBER ${LIBXML_VERSION}) +math(EXPR LIBXML_VERSION_NUMBER " +${LIBXML_MAJOR_VERSION} * 1 + +${LIBXML_MINOR_VERSION} * 100 + +${LIBXML_MICRO_VERSION} +") set(MODULE_EXTENSION "${CMAKE_SHARED_LIBRARY_SUFFIX}") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libxml2-2.9.13/HTMLparser.c new/libxml2-2.9.14/HTMLparser.c --- old/libxml2-2.9.13/HTMLparser.c 2022-02-12 16:11:04.0 +0100 +++ new/libxml2-2.9.14/HTMLparser.c 2022-05-02 12:52:45.0 +0200 @@ -614,7 +614,8 @@ if (*ctxt->input->cur == 0) xmlParserInputGrow(ctxt->input, INPUT_CHUNK); } - res++; + if (res < INT_MAX) + res++; } return(res); } 
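Review bot: The saturating increment `if (res < INT_MAX) res++;` in the HTMLparser.c hunk is undocumented. Once the counter reaches INT_MAX, the value returned by `return(res);` is no longer the number of characters skipped, and nothing in the hunk says so. A one-line comment above the test would make the contract explicit: `/* saturate at INT_MAX instead of overflowing; the result is then a lower bound */`. The enclosing function starts outside the hunk, so I cannot tell whether its header comment describes the return value, or whether `<limits.h>` is already included in this file for INT_MAX.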
@@ -3960,26 +3961,6 @@ htmlParseErr(ctxt, XML_ERR_NAME_REQUIRED, "htmlParseStartTag: invalid element name\n", NULL, NULL); -/* - * The recovery code is disabled for now as it can result in - * quadratic behavior with the push parser. htmlParseStartTag - * must consume all content up to the final '>' in order to avoid - * rescanning for this terminator. - * - * For a proper fix in line with HTML5, htmlParseStartTag and - * htmlParseElement should only be called when there's an
commit libxml2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2022-03-23 20:15:42 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.25692 (New) Package is "libxml2" Wed Mar 23 20:15:42 2022 rev:108 rq:963709 version:2.9.13 Changes: --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2021-10-30 23:14:19.087083542 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new.25692/libxml2.changes 2022-03-23 20:16:02.930383685 +0100 
@@ -1,0 +2,41 @@ +Fri Mar 18 09:46:03 UTC 2022 - Dominique Leuenberger + +- Build python bindings in a 2nd run, using multibuild: otherwise, + libxml2 requires pkgconfig(libxml-2.0) to build, causing issues + to bootstrap. + +--- +Tue Mar 8 06:32:13 UTC 2022 - Luciano Santos + +- Update to version 2.9.13: + * Security fixes: ++ [CVE-2022-23308] Use-after-free of ID and IDREF attributes + (boo#1196490); ++ Several memory leaks and another issues. + * Many regressions fixes. + * Numerous bug fixes, including, among many others: ++ xmllint's --maxmem option should work as expected now; ++ xmllint now returns an error if arguments are missing. + * Numerous tests and code and fuzzing fixes and improvements. + * Updated documentation. +- The full Libxml2 2.9.13 NEWS can be found here: + https://download.gnome.org/sources/libxml2/2.9/\ + libxml2-2.9.13.news. +- Replace version-release macros in all 3 Obsoletes tag with + plain 2.9.13 to avoid unwanted behaviors in the future. +- Remove dropped upstream AUTHORS file from list of files to be + installed in the documentation location with 'cp' command. +- Update http://xmlsoft.org URL tag to Libxml2's new web home: + https://gitlab.gnome.org/GNOME/libxml2. +- Update ftp://xmlsoft.org Source tag to Libxml2's new download + host: https://download.gnome.org. +- Drop deprecated Python-2-related macro definitions/conditional + statement from spec file. +- Drop merged upstream patches: + libxml2-fix-lxml-corrupted-subtree-structures.patch; + libxml2-fix-regression-in-xmlNodeDumpOutputInternal.patch. +- Drop libxml2.keyring source file as the new download host doesn't + offer GPG signatures. +- Use ldconfig_scriptlets macro for post(un) handling. 
+ +--- Old: libxml2-2.9.12.tar.gz libxml2-2.9.12.tar.gz.asc libxml2-fix-lxml-corrupted-subtree-structures.patch libxml2-fix-regression-in-xmlNodeDumpOutputInternal.patch libxml2.keyring New: _multibuild libxml2-2.9.13.tar.xz Other differences: -- ++ libxml2.spec ++ --- /var/tmp/diff_new_pack.QjlHrJ/_old 2022-03-23 20:16:03.746384147 +0100 +++ /var/tmp/diff_new_pack.QjlHrJ/_new 2022-03-23 20:16:03.750384148 +0100 @@ -1,7 +1,7 @@ # -# spec file for package libxml2 +# spec file # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -16,53 +16,65 @@ # -%{?!python_module:%define python_module() python-%{**} python3-%{**}} -%define oldpython python -%define bname libxml2 -%define lname libxml2-2 -Name: libxml2 -Version:2.9.12 +%define base_name libxml2 +%define libnamelibxml2-2 +%define flavor @BUILD_FLAVOR@%nil +%if "%{flavor}" == "python" +%define dash - +%define buildpython 1 +%endif + +Name: libxml2%{?dash}%{flavor} +Version:2.9.13 Release:0 License:MIT Summary:A Library to Manipulate XML Files -URL:http://xmlsoft.org -Source: ftp://xmlsoft.org/libxml2/%{bname}-%{version}.tar.gz -Source1:ftp://xmlsoft.org/libxml2/%{bname}-%{version}.tar.gz.asc -Source2:baselibs.conf -Source3:libxml2.keyring +URL:https://gitlab.gnome.org/GNOME/libxml2 +Source0: https://download.gnome.org/sources/%{name}/2.9/libxml2-%{version}.tar.xz +Source1:baselibs.conf +# +### -- Upstream patches range from 0 to 999 -- ### # PATCH-FIX-UPSTREAM libxml2-python3-unicode-errors.patch bsc#1064286 mc...@suse.com # remove segfault after doc.freeDoc() -Patch1: libxml2-python3-unicode-errors.patch +Patch0: libxml2-python3-unicode-errors.patch # PATCH-FIX-UPSTREAM libxml2-python3-string-null-check.patch bsc#1065270 mgo...@suse.com # https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/15 -Patch2: libxml2-python3-string-null-check.patch +Patch1: libxml2-python3-string-null-check.patch +# +### -- openSUSE patches range from 1000
commit libxml2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2021-10-30 23:13:14 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.1890 (New) Package is "libxml2" Sat Oct 30 23:13:14 2021 rev:107 rq:927311 version:2.9.12 Changes: --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2021-06-04 22:42:32.535061663 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new.1890/libxml2.changes 2021-10-30 23:14:19.087083542 +0200 @@ -1,0 +2,6 @@ +Wed Oct 20 17:54:57 UTC 2021 - Matej Cepl + +- Rewrite package to the single-spec %python_subpackage_only style and + eliminate unnecessary multibuild. + +--- Old: _multibuild Other differences: -- ++ libxml2.spec ++ --- /var/tmp/diff_new_pack.e9Kq4l/_old 2021-10-30 23:14:19.519083889 +0200 +++ /var/tmp/diff_new_pack.e9Kq4l/_new 2021-10-30 23:14:19.519083889 +0200 @@ -1,5 +1,5 @@ # -# spec file +# spec file for package libxml2 # # Copyright (c) 2021 SUSE LLC # 
@@ -17,34 +17,21 @@ %{?!python_module:%define python_module() python-%{**} python3-%{**}} -# Define "python" as a package in _multibuild file -%global flavor @BUILD_FLAVOR@%{nil} -%if "%{flavor}" == "python" -%global pprefix python- %define oldpython python -%bcond_without python -%bcond_without python2 -%else -%global pprefix %{nil} -%bcond_with python -%endif %define bname libxml2 %define lname libxml2-2 -Name: %{pprefix}%{bname} +Name: libxml2 Version:2.9.12 Release:0 -%if !%{with python} -Summary:A Library to Manipulate XML Files License:MIT -%else -Summary:Python Bindings for libxml2 -License:MIT -%endif +Summary:A Library to Manipulate XML Files URL:http://xmlsoft.org Source: ftp://xmlsoft.org/libxml2/%{bname}-%{version}.tar.gz Source1:ftp://xmlsoft.org/libxml2/%{bname}-%{version}.tar.gz.asc Source2:baselibs.conf Source3:libxml2.keyring +# PATCH-FIX-UPSTREAM libxml2-python3-unicode-errors.patch bsc#1064286 mc...@suse.com +# remove segfault after doc.freeDoc() Patch1: libxml2-python3-unicode-errors.patch # PATCH-FIX-UPSTREAM libxml2-python3-string-null-check.patch bsc#1065270 mgo...@suse.com # https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/15 
@@ -54,43 +41,23 @@ # PATCH-FIX-UPSTREAM https://gitlab.gnome.org/GNOME/libxml2/-/issues/255 Patch4: libxml2-fix-lxml-corrupted-subtree-structures.patch Patch5: libxml2-fix-regression-in-xmlNodeDumpOutputInternal.patch +BuildRequires: %{python_module devel} +BuildRequires: %{python_module xml} BuildRequires: fdupes BuildRequires: pkgconfig BuildRequires: python-rpm-macros -%if !%{with python} BuildRequires: readline-devel BuildRequires: pkgconfig(liblzma) -BuildRequires: pkgconfig(zlib) -%else -BuildRequires: %{python_module devel} -BuildRequires: %{python_module xml} BuildRequires: pkgconfig(libxml-2.0) -Requires: %{lname} = %{version} -Provides: python-libxml2-python = %{version}-%{release} -Obsoletes: %{bname}-python < %{version}-%{release} -Obsoletes: python-libxml2-python < %{version}-%{release} -%if "%{python_flavor}" == "python2" -Provides: %{bname}-python = %{version}-%{release} -Provides: %{oldpython}-libxml2 = %{version}-%{release} -Obsoletes: %{oldpython}-libxml2 < %{version}-%{release} -%endif -%endif +BuildRequires: pkgconfig(zlib) +# TW: generate subpackages for every python3 flavor +%define python_subpackage_only 1 %python_subpackages %description The XML C library was initially developed for the GNOME project. It is now used by many programs to load and save extensible data structures or manipulate any kind of XML files. -%if %{with python} -This package contains a module that permits -applications written in the Python programming language to use the -interface supplied by the libxml2 library to manipulate XML files. - -This library allows manipulation of XML files. It includes support for -reading, modifying, and writing XML and HTML files. There is DTD -support that includes parsing and validation even with complex DTDs, -either at parse time or later once the document has been modified. -%endif %package -n %{lname} Summary:A Library to Manipulate XML Files 
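Review bot: `BuildRequires: pkgconfig(libxml-2.0)` becomes unconditional in this hunk, so the libxml2 package now needs its own pkg-config module installed in order to build. Before the change that line sat in the `%else` (python flavor) branch of `%if !%{with python}`, so only the bindings depended on an already built libxml2. A later changelog entry on this page describes the result as "causing issues to bootstrap". I would keep the requirement scoped to the Python bindings build, or at least add a comment stating that the self-dependency is intentional.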
@@ -121,9 +88,11 @@ %package devel Summary:Development files for libxml2, an XML manipulation library +Requires: %{bname} = %{version} Requires: %{bname}-tools = %{version} Requires: %{lname} = %{version} Requires: glibc-devel +Requires: lib
commit libxml2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2021-06-04 22:42:27 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.1898 (New) Package is "libxml2" Fri Jun 4 22:42:27 2021 rev:106 rq:896773 version:2.9.12 Changes: --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2021-05-13 22:18:04.339691059 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new.1898/libxml2.changes 2021-06-04 22:42:32.535061663 +0200 
@@ -1,0 +2,50 @@ +Tue Jun 1 11:04:14 UTC 2021 - Pedro Monreal + +- Fix python-lxml regression with libxml2 2.9.12: + * Work around lxml API abuse: + gitlab.gnome.org/GNOME/libxml2/issues/255 +- Add upstream patches: + * libxml2-fix-lxml-corrupted-subtree-structures.patch + * libxml2-fix-regression-in-xmlNodeDumpOutputInternal.patch + +--- +Tue Jun 1 03:02:25 UTC 2021 - Ferdinand Thiessen + +- Update to version 2.9.12 + * Fix CVE-2021-3541, CVE-2021-3537, CVE-2021-3518, CVE-2021-3517, +CVE-2021-3516, CVE-2020-7595, CVE-2019-20388, CVE-2020-24977, +and CVE-2019-19956 + * Fix null deref in legacy SAX1 parser + * Fix handling of unexpected EOF in xmlParseContent + * Fix user-after-free + * Validate UTF8 in xmlEncodeEntities + * Fix memory leak in xmlParseElementMixedContentDecl + * Fix integer overflow in xmlSchemaGetParticleTotalRangeMin + * Fix SEGV in xmlSAXParseFileWithData + * Don't process siblings of root in xmlXIncludeProcess + * Full changes: http://xmlsoft.org/news.html +- Drop upstream fixed + * libxml2-CVE-2021-3541.patch + * libxml2-CVE-2021-3537.patch + * libxml2-CVE-2021-3518.patch + * libxml2-CVE-2021-3517.patch + * libxml2-CVE-2021-3516.patch + * libxml2-CVE-2020-7595.patch + * libxml2-CVE-2019-20388.patch + * libxml2-CVE-2020-24977.patch + * libxml2-CVE-2019-19956.patch + * libxml2-python39.patch + * libxml2-Avoid-quadratic-checking-of-identity-constraints.patch +- Drop since 2.9.10 merged libxml2-xmlFreeNodeList-recursive.patch +- Drop since 2.8.0 merged fix-perl.diff +- Refresh libxml2-make-XPATH_MAX_NODESET_LENGTH-configurable.patch + +--- +Wed May 19 11:14:13 UTC 2021 - Pedro Monreal + +- Security fix: [bsc#1186015, CVE-2021-3541] + * Exponential entity expansion attack bypasses all existing +protection mechanisms. 
+- Add libxml2-CVE-2021-3541.patch + +--- Old: fix-perl.diff libxml2-2.9.10.tar.gz libxml2-2.9.10.tar.gz.asc libxml2-Avoid-quadratic-checking-of-identity-constraints.patch libxml2-CVE-2019-19956.patch libxml2-CVE-2019-20388.patch libxml2-CVE-2020-24977.patch libxml2-CVE-2020-7595.patch libxml2-CVE-2021-3516.patch libxml2-CVE-2021-3517.patch libxml2-CVE-2021-3518.patch libxml2-CVE-2021-3537.patch libxml2-python39.patch libxml2-xmlFreeNodeList-recursive.patch New: libxml2-2.9.12.tar.gz libxml2-2.9.12.tar.gz.asc libxml2-fix-lxml-corrupted-subtree-structures.patch libxml2-fix-regression-in-xmlNodeDumpOutputInternal.patch Other differences: -- ++ libxml2.spec ++ --- /var/tmp/diff_new_pack.c3H35e/_old 2021-06-04 22:42:33.143062334 +0200 +++ /var/tmp/diff_new_pack.c3H35e/_new 2021-06-04 22:42:33.143062334 +0200 @@ -1,5 +1,5 @@ # -# spec file for package python-libxml2 +# spec file # # Copyright (c) 2021 SUSE LLC # @@ -31,7 +31,7 @@ %define bname libxml2 %define lname libxml2-2 Name: %{pprefix}%{bname} -Version:2.9.10 +Version:2.9.12 Release:0 %if !%{with python} Summary:A Library to Manipulate XML Files @@ -45,35 +45,15 @@ Source1:ftp://xmlsoft.org/libxml2/%{bname}-%{version}.tar.gz.asc Source2:baselibs.conf Source3:libxml2.keyring -Patch0: fix-perl.diff Patch1: libxml2-python3-unicode-errors.patch # PATCH-FIX-UPSTREAM libxml2-python3-string-null-check.patch bsc#1065270 mgo...@suse.com -# don't return a NULL string for an invalid UTF-8 conversion. +# https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/15 Patch2: libxml2-python3-string-null-check.patch # PATCH-FIX-SUSE bsc#1135123 Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit Patch3: libxml2-make-XPATH_MAX_NODESET_LENGTH-configurable.patch -# PATCH-FIX-UPSTREAM bsc#1157450 This commit breaks perl-XML-LibXSLT -Patch4: libxml2-xmlFreeNodeList-recursive.patch -# PATCH-FIX-UPSTREAM bsc#1161517 CVE-2020-7595 Infinite loop in xmlStringLenDecodeEntities -Patch5: libxml2-CVE
commit libxml2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2021-05-13 22:18:02 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.2988 (New) Package is "libxml2" Thu May 13 22:18:02 2021 rev:105 rq:892150 version:2.9.10 Changes: --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2021-05-01 00:46:09.387596940 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new.2988/libxml2.changes 2021-05-13 22:18:04.339691059 +0200 @@ -1,0 +2,7 @@ +Mon May 10 11:44:39 UTC 2021 - Pedro Monreal + +- Security fix: [bsc#1185698, CVE-2021-3537] + * NULL pointer dereference in valid.c:xmlValidBuildAContentModel + * Add libxml2-CVE-2021-3537.patch + +--- New: libxml2-CVE-2021-3537.patch Other differences: -- ++ libxml2.spec ++ --- /var/tmp/diff_new_pack.v2xvjD/_old 2021-05-13 22:18:05.115688099 +0200 +++ /var/tmp/diff_new_pack.v2xvjD/_new 2021-05-13 22:18:05.119688083 +0200 @@ -72,6 +72,8 @@ Patch12:libxml2-CVE-2021-3517.patch # PATCH-FIX-UPSTREAM bsc#1185408 CVE-2021-3518 use-after-free in xinclude.c:xmlXIncludeDoProcess() Patch13:libxml2-CVE-2021-3518.patch +# PATCH-FIX-UPSTREAM bsc#1185698 CVE-2021-3537 NULL pointer dereference in valid.c:xmlValidBuildAContentModel +Patch14:libxml2-CVE-2021-3537.patch BuildRequires: fdupes BuildRequires: pkgconfig BuildRequires: python-rpm-macros @@ -181,6 +183,7 @@ %patch11 -p1 %patch12 -p1 %patch13 -p1 +%patch14 -p1 %build %if !%{with python} ++ libxml2-CVE-2021-3537.patch ++ >From babe75030c7f64a37826bb3342317134568bef61 Mon Sep 17 00:00:00 2001 
From: Nick Wellnhofer Date: Sat, 1 May 2021 16:53:33 +0200 Subject: [PATCH] Propagate error in xmlParseElementChildrenContentDeclPriv Check return value of recursive calls to xmlParseElementChildrenContentDeclPriv and return immediately in case of errors. Otherwise, struct xmlElementContent could contain unexpected null pointers, leading to a null deref when post-validating documents which aren't well-formed and parsed in recovery mode. Fixes #243. --- parser.c | 7 +++ 1 file changed, 7 insertions(+) Index: libxml2-2.9.10/parser.c === --- libxml2-2.9.10.orig/parser.c +++ libxml2-2.9.10/parser.c @@ -6195,6 +6195,8 @@ xmlParseElementChildrenContentDeclPriv(x SKIP_BLANKS; cur = ret = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, depth + 1); +if (cur == NULL) +return(NULL); SKIP_BLANKS; GROW; } else { @@ -6328,6 +6330,11 @@ xmlParseElementChildrenContentDeclPriv(x SKIP_BLANKS; last = xmlParseElementChildrenContentDeclPriv(ctxt, inputid, depth + 1); +if (last == NULL) { + if (ret != NULL) + xmlFreeDocElementContent(ctxt->myDoc, ret); + return(NULL); +} SKIP_BLANKS; } else { elem = xmlParseName(ctxt);
commit libxml2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2021-05-01 00:46:07 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.1947 (New) Package is "libxml2" Sat May 1 00:46:07 2021 rev:104 rq:889189 version:2.9.10 Changes: --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2021-03-02 12:25:28.327317030 +0100 +++ /work/SRC/openSUSE:Factory/.libxml2.new.1947/libxml2.changes 2021-05-01 00:46:09.387596940 +0200 @@ -1,0 +2,21 @@ +Wed Apr 28 16:24:13 UTC 2021 - Pedro Monreal + +- Security fix: [bsc#1185408, CVE-2021-3518] + * Fix use-after-free in xinclude.c:xmlXIncludeDoProcess() + * Add libxml2-CVE-2021-3518.patch + +--- +Wed Apr 28 16:23:42 UTC 2021 - Pedro Monreal + +- Security fix: [bsc#1185410, CVE-2021-3517] + * Fix heap-based buffer overflow in entities.c:xmlEncodeEntitiesInternal() + * Add libxml2-CVE-2021-3517.patch + +--- +Wed Apr 28 15:38:46 UTC 2021 - Pedro Monreal + +- Security fix: [bsc#1185409, CVE-2021-3516] + * Fix use-after-free in entities.c:xmlEncodeEntitiesInternal() + * Add libxml2-CVE-2021-3516.patch + +--- New: libxml2-CVE-2021-3516.patch libxml2-CVE-2021-3517.patch libxml2-CVE-2021-3518.patch Other differences: -- ++ libxml2.spec ++ --- /var/tmp/diff_new_pack.WnPs6U/_old 2021-05-01 00:46:10.303592859 +0200 +++ /var/tmp/diff_new_pack.WnPs6U/_new 2021-05-01 00:46:10.307592842 +0200 @@ -1,7 +1,7 @@ # -# spec file for package libxml2 +# spec file for package python-libxml2 # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -66,6 +66,12 @@ Patch9: libxml2-CVE-2019-20388.patch # PATCH-FIX-UPSTREAM Fix building against Python 3.9 Patch10:libxml2-python39.patch +# PATCH-FIX-UPSTREAM bsc#1185409 CVE-2021-3516 use-after-free in entities.c:xmlEncodeEntitiesInternal() +Patch11:libxml2-CVE-2021-3516.patch +# PATCH-FIX-UPSTREAM bsc#1185410 CVE-2021-3517 heap-based buffer overflow entities.c:xmlEncodeEntitiesInternal() +Patch12:libxml2-CVE-2021-3517.patch +# PATCH-FIX-UPSTREAM bsc#1185408 CVE-2021-3518 use-after-free in xinclude.c:xmlXIncludeDoProcess() +Patch13:libxml2-CVE-2021-3518.patch BuildRequires: fdupes BuildRequires: pkgconfig BuildRequires: python-rpm-macros @@ -172,6 +178,9 @@ %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 %build %if !%{with python} @@ -263,6 +272,7 @@ %dir %{_datadir}/gtk-doc/html %else + %files %{python_files} %doc python/TODO %doc python/libxml2class.txt ++ libxml2-CVE-2021-3516.patch ++ >From 1358d157d0bd83be1dfe356a69213df9fac0b539 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Wed, 21 Apr 2021 13:23:27 +0200 Subject: [PATCH] Fix use-after-free with `xmllint --html --push` Call htmlCtxtUseOptions to make sure that names aren't stored in dictionaries. Note that this issue only affects xmllint using the HTML push parser. Fixes #230. --- xmllint.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: libxml2-2.9.10/xmllint.c === --- libxml2-2.9.10.orig/xmllint.c +++ libxml2-2.9.10/xmllint.c @@ -2204,7 +2204,7 @@ static void parseAndPrintFile(char *file if (res > 0) { ctxt = htmlCreatePushParserCtxt(NULL, NULL, chars, res, filename, XML_CHAR_ENCODING_NONE); -xmlCtxtUseOptions(ctxt, options); +htmlCtxtUseOptions(ctxt, options); while ((res = fread(chars, 1, pushsize, f)) > 0) { htmlParseChunk(ctxt, chars, res, 0); } ++ libxml2-CVE-2021-3517.patch ++ >From bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 Mon Sep 17 00:00:00 2001 
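Review bot: In the xmllint.c hunk of libxml2-CVE-2021-3516.patch, the context returned by htmlCreatePushParserCtxt is passed straight to `htmlCtxtUseOptions(ctxt, options)` and then to htmlParseChunk without a NULL check. The return value of htmlCtxtUseOptions is also discarded. The library calls may tolerate a NULL context, but any later use of `ctxt` in parseAndPrintFile is outside this hunk, so a failed allocation is not clearly handled. A guard such as `if (ctxt != NULL) { htmlCtxtUseOptions(ctxt, options); … }` around the push loop would make the failure path explicit; how the function reports the error and releases `f` has to be checked in the part of the body that is not shown.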
From: Joel Hockey Date: Sun, 16 Aug 2020 17:19:35 -0700 Subject: [PATCH] Validate UTF8 in xmlEncodeEntities Code is currently assuming UTF-8 without validating. Truncated UTF-8 input can cause out-of-bounds array access. Adds further checks to partial fix in 50f06b3e. Fixes #178 --- entities.c | 16 +++- 1 file changed, 15 insertions(+), 1 deletion(-) Index: libxml2-2.9.10/entities.c === --- libxml2-2.9.10.orig/entities.c +++ libxml2-2.9.10/entities.c @@ -66
commit libxml2 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2021-03-02 12:25:26 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.2378 (New) Package is "libxml2" Tue Mar 2 12:25:26 2021 rev:103 rq:874905 version:2.9.10 Changes: --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2020-12-23 14:19:58.249650657 +0100 +++ /work/SRC/openSUSE:Factory/.libxml2.new.2378/libxml2.changes 2021-03-02 12:25:28.327317030 +0100 @@ -1,0 +2,8 @@ +Thu Feb 23 11:00:00 UTC 2021 - Teemu Mannermaa + +- Fails to build against Python 3.9: + * Add upstream commit that fixes the issue + https://github.com/GNOME/libxml2/commit/e4fb36841800038c289997432ca547c9bfef9db1 +- Add patch libxml2-python39.patch + +--- New: libxml2-python39.patch Other differences: -- ++ libxml2.spec ++ --- /var/tmp/diff_new_pack.e0iRxY/_old 2021-03-02 12:25:29.179317833 +0100 +++ /var/tmp/diff_new_pack.e0iRxY/_new 2021-03-02 12:25:29.179317833 +0100 @@ -64,6 +64,8 @@ Patch8: libxml2-Avoid-quadratic-checking-of-identity-constraints.patch # PATCH-FIX-UPSTREAM bsc#1161521 CVE-2019-20388 Memory leak in xmlSchemaPreRun Patch9: libxml2-CVE-2019-20388.patch +# PATCH-FIX-UPSTREAM Fix building against Python 3.9 +Patch10:libxml2-python39.patch BuildRequires: fdupes BuildRequires: pkgconfig BuildRequires: python-rpm-macros @@ -169,6 +171,7 @@ %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 %build %if !%{with python} ++ libxml2-python39.patch ++ >From e4fb36841800038c289997432ca547c9bfef9db1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Fri, 28 Feb 2020 12:48:14 +0100 Subject: [PATCH] Parenthesize Py_Check() in ifs In C, if expressions should be parenthesized. PyLong_Check, PyUnicode_Check etc. happened to expand to a parenthesized expression before, but that's not API to rely on. Since Python 3.9.0a4 it needs to be parenthesized explicitly. Fixes https://gitlab.gnome.org/GNOME/libxml2/issues/149 --- python/libxml.c | 4 ++-- python/types.c | 12 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/python/libxml.c b/python/libxml.c index bc676c4e..81e709f3 100644 --- a/python/libxml.c +++ b/python/libxml.c @@ -294,7 +294,7 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) { lenread = PyBytes_Size(ret); data = PyBytes_AsString(ret); #ifdef PyUnicode_Check -} else if PyUnicode_Check (ret) { +} else if (PyUnicode_Check (ret)) { #if PY_VERSION_HEX >= 0x0303 Py_ssize_t size; const char *tmp; @@ -359,7 +359,7 @@ xmlPythonFileRead (void * context, char * buffer, int len) { lenread = PyBytes_Size(ret); data = PyBytes_AsString(ret); #ifdef PyUnicode_Check -} else if PyUnicode_Check (ret) { +} else if (PyUnicode_Check (ret)) { #if PY_VERSION_HEX >= 0x0303 Py_ssize_t size; const char *tmp; diff --git a/python/types.c b/python/types.c index c2bafeb1..ed284ec7 100644 --- a/python/types.c +++ b/python/types.c @@ -602,16 +602,16 @@ libxml_xmlXPathObjectPtrConvert(PyObject *obj) if (obj == NULL) { return (NULL); } -if PyFloat_Check (obj) { +if (PyFloat_Check (obj)) { ret = xmlXPathNewFloat((double) PyFloat_AS_DOUBLE(obj)); -} else if PyLong_Check(obj) { +} else if (PyLong_Check(obj)) { #ifdef PyLong_AS_LONG ret = xmlXPathNewFloat((double) PyLong_AS_LONG(obj)); #else ret = xmlXPathNewFloat((double) PyInt_AS_LONG(obj)); #endif #ifdef PyBool_Check -} else if PyBool_Check (obj) { +} else if (PyBool_Check (obj)) { if (obj == Py_True) { ret = xmlXPathNewBoolean(1); 
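Review bot: In the python/types.c hunk at -602, libxml_xmlXPathObjectPtrConvert tests `PyLong_Check(obj)` before `PyBool_Check (obj)`. On Python 3 `bool` is a subclass of `int`, so `True` and `False` satisfy the first test and appear to be converted with xmlXPathNewFloat instead of xmlXPathNewBoolean. Since these conditions are being touched anyway, the `#ifdef PyBool_Check` / `} else if (PyBool_Check (obj)) {` branch should move ahead of `} else if (PyLong_Check(obj)) {`. The function body starts before this hunk and continues into the following ones, so confirm that no earlier branch already handles booleans.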
@@ -620,14 +620,14 @@ libxml_xmlXPathObjectPtrConvert(PyObject *obj) ret = xmlXPathNewBoolean(0); } #endif -} else if PyBytes_Check (obj) { +} else if (PyBytes_Check (obj)) { xmlChar *str; str = xmlStrndup((const xmlChar *) PyBytes_AS_STRING(obj), PyBytes_GET_SIZE(obj)); ret = xmlXPathWrapString(str); #ifdef PyUnicode_Check -} else if PyUnicode_Check (obj) { +} else if (PyUnicode_Check (obj)) { #if PY_VERSION_HEX >= 0x0303 xmlChar *str; const char *tmp; @@ -650,7 +650,7 @@ libxml_xmlXPathObjectPtrConvert(PyObject *obj) ret = xmlXPathWrapString(str); #endif #endif -} else if PyList_Check (obj) { +} else if (PyList_Check (obj)) { int i; PyObject *node; xmlNodePtr cur;
[opensuse-commit] commit libxml2 for openSUSE:Factory
Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2020-11-29 12:24:53 Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.5913 (New) Package is "libxml2" Sun Nov 29 12:24:53 2020 rev:101 rq:850753 version:2.9.10 Changes: --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2020-11-02 09:40:36.669622463 +0100 +++ /work/SRC/openSUSE:Factory/.libxml2.new.5913/libxml2.changes 2020-11-29 12:25:14.397808694 +0100 @@ -1,0 +2,10 @@ +Wed Nov 25 09:07:36 UTC 2020 - Pedro Monreal + +- Avoid quadratic checking of identity-constraints: [bsc#1178823] + * key/unique/keyref schema attributes currently use qudratic loops +to check their various constraints (that keys are unique and that +keyrefs refer to existing keys). + * This fix uses a hash table to avoid the quadratic behaviour. +- Add libxml2-Avoid-quadratic-checking-of-identity-constraints.patch + +--- New: libxml2-Avoid-quadratic-checking-of-identity-constraints.patch Other differences: -- ++ libxml2.spec ++ --- /var/tmp/diff_new_pack.ZgXvkf/_old 2020-11-29 12:25:16.513810834 +0100 +++ /var/tmp/diff_new_pack.ZgXvkf/_new 2020-11-29 12:25:16.517810837 +0100 @@ -60,6 +60,8 @@ Patch6: libxml2-CVE-2019-19956.patch # PATCH-FIX-UPSTREAM bsc#1176179 CVE-2020-24977 xmllint: global-buffer-overflow in xmlEncodeEntitiesInternal Patch7: libxml2-CVE-2020-24977.patch +# PATCH-FIX-SUSE bsc#1178823 Avoid quadratic checking of identity-constraints +Patch8: libxml2-Avoid-quadratic-checking-of-identity-constraints.patch BuildRequires: fdupes BuildRequires: pkgconfig BuildRequires: python-rpm-macros @@ -163,6 +165,7 @@ %patch5 -p1 %patch6 -p1 -R %patch7 -p1 +%patch8 -p1 %build %if !%{with python} ++ libxml2-Avoid-quadratic-checking-of-identity-constraints.patch ++ From 5aab6473018269c10bedf70aaa183c55c20b7ec2 Mon Sep 17 00:00:00 2001 
From: Michael Matz Date: Sat, 21 Nov 2020 01:21:56 +0100 Subject: [PATCH] Avoid quadratic checking of identity-constraints key/unique/keyref schema attributes currently use qudratic loops to check their various constraints (that keys are unique and that keyrefs refer to existing keys). That becomes extremely slow if there are many elements with keys. This happens in the wild with e.g. the OVAL XML descriptions of security patches. You need the openscap schemata, and then an example xml file: % zypper in openscap-utils % wget ftp://ftp.suse.com/pub/projects/security/oval/opensuse.leap.15.1.xml % time xmllint --schema /usr/share/openscap/schemas/oval/5.5/oval-definitions-schema.xsd opensuse.leap.15.1.xml > /dev/null opensuse.leap.15.1.xml validates real16m59,857s user16m55,787s sys 0m1,060s This patch makes libxml use a hash table to avoid the quadratic behaviour. The existing hash table only accepts strings as keys, so we're mostly reusing the canonical representation of key values to derive such strings (with the caveat given in a comment). The alternative would be to rework the hash table code to accept either numbers or free functions as hash workers, but the code is fast enough as is. With the patch we have this then: % time LD_LIBRARY_PATH=./libxml2/.libs/ ./libxml2/.libs/xmllint --schema /usr/share/openscap/schemas/oval/5.5/oval-definitions-schema.xsd opensuse.leap.15.1.xml > /dev/null opensuse.leap.15.1.xml validates real0m3,531s user0m3,427s sys 0m0,103s So, a ~300x speedup. This patch survives 'make check' and 'make tests'. --- xmlschemas.c | 189 +-- 1 file changed, 167 insertions(+), 22 deletions(-) diff --git a/xmlschemas.c b/xmlschemas.c index cc200636..c455b4a3 100644 --- a/xmlschemas.c +++ b/xmlschemas.c @@ -860,6 +860,7 @@ struct _xmlSchemaIDCMatcher { int sizeKeySeqs; xmlSchemaItemListPtr targets; /* list of target-node (xmlSchemaPSVIIDCNodePtr) entries */ +xmlHashTablePtr htab; }; /* 
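Review bot: The new `htab` member of struct _xmlSchemaIDCMatcher in the xmlschemas.c hunk at -860 has no comment, unlike `targets` directly above it, and nothing in the hunk shows where the table is initialised or released. I would write it as `xmlHashTablePtr htab; /* key string -> chain of xmlIDCHashEntry, each indexing into targets */`, with the wording confirmed against the code that fills the table. The matcher's allocation and free paths are outside this hunk; they need to leave `htab` NULL on creation and free both the table and its chained entries on teardown, otherwise every validated document with identity constraints leaks or leaves a dangling table.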
@@ -1055,6 +1056,18 @@ struct _xmlSchemaSubstGroup { xmlSchemaItemListPtr members; }; +/** + * xmlIDCHashEntry: + * + * an entry in hash tables to quickly look up keys/uniques + */ +typedef struct _xmlIDCHashEntry xmlIDCHashEntry; +typedef xmlIDCHashEntry *xmlIDCHashEntryPtr; +struct _xmlIDCHashEntry { +xmlIDCHashEntryPtr next; /* next item with same hash */ +int index; /* index into associated item list */ +}; + / * * * So