libxml2: Rebuild with ICU 68, fix CVE

2021-01-12 22:43:17 +03:00 · 2021-01-12 22:43:17 +03:00 · 9f0f6f3cee
commit 9f0f6f3cee
parent fefb563625
9 changed files with 373 additions and 13 deletions
--- a/libxml2/PKGBUILD
+++ b/libxml2/PKGBUILD
@ -1,21 +1,38 @@
 # Maintainer: Alexey Pavlov <alexpux@gmail.com>
 pkgbase=libxml2
 pkgname=('libxml2' 'libxml2-devel' 'libxml2-python')
 pkgver=2.9.10
-pkgrel=6
+pkgrel=7
 pkgdesc="XML parsing library, version 2"
 arch=(i686 x86_64)
 license=('MIT')
-makedepends=('python-devel' 'icu-devel>=67.1' 'libreadline-devel' 'ncurses-devel' 'liblzma-devel' 'zlib-devel')
+makedepends=('python-devel' 'icu-devel>=68.1' 'libreadline-devel' 'ncurses-devel' 'liblzma-devel' 'zlib-devel')
 url="http://www.xmlsoft.org/"
-source=(http://xmlsoft.org/sources/${pkgname}-${pkgver}.tar.gz
+source=(http://xmlsoft.org/sources/${pkgbase}-${pkgver}.tar.gz
        https://www.w3.org/XML/Test/xmlts20130923.tar.gz
        libxml2-2.9.8-python3-unicode-errors.patch
        fix-relaxed-approach-to-nested-documents.patch
        libxml2-2.9.10-CVE-2019-20388.patch
        libxml2-2.9.10-CVE-2020-7595.patch
        libxml2-2.9.10-parenthesize-type-checks.patch
        libxml2-2.9.10-CVE-2020-24977.patch
        libxml2-2.9.10-fix-integer-overflow.patch
        libxml2-2.9.10-icu68.patch
        libxml2-2.9.0-do-not-check-crc.patch
        libxml2-2.7.3-doc-install.patch
        libxml2-cygwin-reentrant.patch
        libxml2-2.9.1-msys2.patch)
 sha256sums=('aafee193ffb8fe0c82d4afef6ef91972cbaf5feea100edc2f262750611b4be1f'
            '9b61db9f5dbffa545f4b8d78422167083a8568c59bd1129f94138f936cf6fc1f'
            '37eb81a8ec6929eed1514e891bff2dd05b450bcf0c712153880c485b7366c17c'
            '50f04807b86a179d051fb86755e82f55ba7aac9d0c005eefea93d2599a911d01'
            'cfe1b3e0f026df6f979dbd77c1dcd1268e60acf3d7a8ff3f480b4e67bfcc19d6'
            'c6105ff40d7b1b140fcd821b5d64ab8c7b596708071c26964727e7352b07ac7e'
            'b63c161e4c8a6f0a65ba091c3d3ed09d3110d21f997ee61077c782b311fd4b33'
            '62eafffc2b4949489c261c63883d27c2e83d688f1d4c899000b283e4c2a682be'
            'fd227780ad5699bebca7ef412d2d50fb1d21a54f6e3fdcad0bda5bdc8f8b2525'
            'f02a435761f26ff664041d49f9d05924dc627bf103c7f542feee891f69aa84a2'
            '5a53d640ebce5a96e35fbdf5f644c37642dfa3345a1dc4fc355728897c19b7e7'
            'bff6790eadec6d7b3affd2d3a7385ce7f80cec2cf4abbd2ed83e9cb297a614a9'
            'fbd5ddb92e3cd0ab0f1f058436ca73b677f12fa00f65d634be7ef791e3706e33'
@ -43,10 +60,23 @@ del_file_exists() {
 prepare() {
  cd ${srcdir}
-  del_file_exists ${pkgname}-${pkgver}/xmlconf
+  del_file_exists ${pkgbase}-${pkgver}/xmlconf
-  mv xmlconf -t ${pkgname}-${pkgver}
+  mv xmlconf -t ${pkgbase}-${pkgver}
-  cd ${pkgname}-${pkgver}
+  cd ${pkgbase}-${pkgver}
  # From https://src.fedoraproject.org/rpms/libxml2/tree/master
  apply_patch_with_msg \
    libxml2-2.9.8-python3-unicode-errors.patch \
    fix-relaxed-approach-to-nested-documents.patch \
    libxml2-2.9.10-CVE-2019-20388.patch \
    libxml2-2.9.10-CVE-2020-7595.patch \
    libxml2-2.9.10-parenthesize-type-checks.patch \
    libxml2-2.9.10-CVE-2020-24977.patch \
    libxml2-2.9.10-fix-integer-overflow.patch
  apply_patch_with_msg \
    libxml2-2.9.10-icu68.patch
  apply_patch_with_msg \
    libxml2-2.9.0-do-not-check-crc.patch \
@ -59,7 +89,8 @@ prepare() {
 build() {
  export lt_cv_deplibs_check_method='pass_all'
-  cd ${pkgname}-${pkgver}
+  CFLAGS+=" -fcommon"
  cd ${pkgbase}-${pkgver}
  ./configure \
    --prefix=/usr \
    --sysconfdir=/etc \
@ -77,17 +108,17 @@ build() {
  make DESTDIR=${srcdir}/dest install
  PYTHON_SITELIB="$(python -c 'import site, sys; sys.stdout.write(site.getsitepackages()[0])')"
-  mv ${srcdir}/dest${PYTHON_SITELIB}/${pkgname/lib/msys-}mod.dll ${srcdir}/dest${PYTHON_SITELIB}/${pkgname}mod.dll
+  mv ${srcdir}/dest${PYTHON_SITELIB}/${pkgbase/lib/msys-}mod.dll ${srcdir}/dest${PYTHON_SITELIB}/${pkgbase}mod.dll
-  sed -i -e "s:${pkgname/lib/msys-}mod:${PN}mod:g" ${srcdir}/dest${PYTHON_SITELIB}/${pkgname}mod.la
+  sed -i -e "s:${pkgbase/lib/msys-}mod:${PN}mod:g" ${srcdir}/dest${PYTHON_SITELIB}/${pkgbase}mod.la
 }
 check() {
-  cd ${pkgname}-${pkgver}
+  cd ${pkgbase}-${pkgver}
  make check
 }
 package_libxml2() {
-  depends=('coreutils' 'icu>=67.1' 'liblzma' 'libreadline' 'ncurses' 'zlib')
+  depends=('coreutils' 'icu>=68.1' 'liblzma' 'libreadline' 'ncurses' 'zlib')
  groups=('libraries')
  install=libxml2.install
@ -96,14 +127,14 @@ package_libxml2() {
  rm -f ${pkgdir}/usr/bin/*-config
  mkdir -p ${pkgdir}/usr/share
  cp -rf ${srcdir}/dest/usr/share/man ${pkgdir}/usr/share/
-  install -Dm644 ${srcdir}/${pkgname}-${pkgver}/COPYING "${pkgdir}/usr/share/licenses/${pkgname}/COPYING"
+  install -Dm644 ${srcdir}/${pkgbase}-${pkgver}/COPYING "${pkgdir}/usr/share/licenses/${pkgbase}/COPYING"
 }
 package_libxml2-devel() {
  pkgdesc="Libxml2 headers and libraries"
  groups=('development')
  options=('staticlibs')
-  depends=("libxml2=${pkgver}" 'icu-devel>=59.1' 'libreadline-devel' 'ncurses-devel' 'liblzma-devel' 'zlib-devel')
+  depends=("libxml2=${pkgver}" 'icu-devel>=68.1' 'libreadline-devel' 'ncurses-devel' 'liblzma-devel' 'zlib-devel')
  PYTHON_SITELIB="$(python -c 'import site, sys; sys.stdout.write(site.getsitepackages()[0])')"
  mkdir -p ${pkgdir}/usr/{bin,share}
--- a/libxml2/fix-relaxed-approach-to-nested-documents.patch
+++ b/libxml2/fix-relaxed-approach-to-nested-documents.patch
@ -0,0 +1,33 @@
 From 0815302dee2b78139832c2080348086a0564836b Mon Sep 17 00:00:00 2001
 From: Nick Wellnhofer <wellnhofer@aevum.de>
 Date: Fri, 6 Dec 2019 12:27:29 +0100
 Subject: [PATCH] Fix freeing of nested documents
 Apparently, some libxslt RVTs can contain nested document nodes, see
 issue #132. I'm not sure how this happens exactly but it can cause a
 segfault in xmlFreeNodeList after the changes in commit 0762c9b6.
 Make sure not to touch the (nonexistent) `content` member of xmlDocs.
 ---
 tree.c | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/tree.c b/tree.c
 index 070670f1..0d7fc98c 100644
 --- a/tree.c
 +++ b/tree.c
@@ -3708,6 +3708,11 @@ xmlFreeNodeList(xmlNodePtr cur) {
 		(cur->type != XML_XINCLUDE_START) &&
 		(cur->type != XML_XINCLUDE_END) &&
 		(cur->type != XML_ENTITY_REF_NODE) &&
 +		(cur->type != XML_DOCUMENT_NODE) &&
 +#ifdef LIBXML_DOCB_ENABLED
 +		(cur->type != XML_DOCB_DOCUMENT_NODE) &&
 +#endif
 +		(cur->type != XML_HTML_DOCUMENT_NODE) &&
 		(cur->content != (xmlChar *) &(cur->properties))) {
 		DICT_FREE(cur->content)
 	    }
 -- 
 2.22.0
--- a/libxml2/libxml2-2.9.10-CVE-2019-20388.patch
+++ b/libxml2/libxml2-2.9.10-CVE-2019-20388.patch
@ -0,0 +1,33 @@
 From 6088a74bcf7d0c42e24cff4594d804e1d3c9fbca Mon Sep 17 00:00:00 2001
 From: Zhipeng Xie <xiezhipeng1@huawei.com>
 Date: Tue, 20 Aug 2019 16:33:06 +0800
 Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream
 When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun
 alloc a new schema for ctxt->schema and set vctxt->xsiAssemble
 to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize
 vctxt->xsiAssemble to 0 again which cause the alloced schema
 can not be freed anymore.
 Found with libFuzzer.
 Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
 ---
 xmlschemas.c | 1 -
 1 file changed, 1 deletion(-)
 diff --git a/xmlschemas.c b/xmlschemas.c
 index 301c8449..39d92182 100644
 --- a/xmlschemas.c
 +++ b/xmlschemas.c
@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) {
     vctxt->nberrors = 0;
     vctxt->depth = -1;
     vctxt->skipDepth = -1;
 -    vctxt->xsiAssemble = 0;
     vctxt->hasKeyrefs = 0;
 #ifdef ENABLE_IDC_NODE_TABLES_TEST
     vctxt->createIDCNodeTables = 1;
 -- 
 2.24.1
--- a/libxml2/libxml2-2.9.10-CVE-2020-24977.patch
+++ b/libxml2/libxml2-2.9.10-CVE-2020-24977.patch
@ -0,0 +1,36 @@
 From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001
 From: Nick Wellnhofer <wellnhofer@aevum.de>
 Date: Fri, 7 Aug 2020 21:54:27 +0200
 Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout'
 Make sure that truncated UTF-8 sequences don't cause an out-of-bounds
 array access.
 Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for
 the report.
 Fixes #178.
 ---
 xmllint.c | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/xmllint.c b/xmllint.c
 index f6a8e463..c647486f 100644
 --- a/xmllint.c
 +++ b/xmllint.c
@@ -528,6 +528,12 @@ static void
 xmlHTMLEncodeSend(void) {
     char *result;
 +    /*
 +     * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might
 +     * end with a truncated UTF-8 sequence. This is a hack to at least avoid
 +     * an out-of-bounds read.
 +     */
 +    memset(&buffer[sizeof(buffer)-4], 0, 4);
     result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer);
     if (result) {
 	xmlGenericError(xmlGenericErrorContext, "%s", result);
 -- 
 2.28.0.rc2
--- a/libxml2/libxml2-2.9.10-CVE-2020-7595.patch
+++ b/libxml2/libxml2-2.9.10-CVE-2020-7595.patch
@ -0,0 +1,32 @@
 From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001
 From: Zhipeng Xie <xiezhipeng1@huawei.com>
 Date: Thu, 12 Dec 2019 17:30:55 +0800
 Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities
 When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef
 return NULL which cause a infinite loop in xmlStringLenDecodeEntities
 Found with libFuzzer.
 Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com>
 ---
 parser.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/parser.c b/parser.c
 index d1c31963..a34bb6cd 100644
 --- a/parser.c
 +++ b/parser.c
@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len,
     else
         c = 0;
     while ((c != 0) && (c != end) && /* non input consuming loop */
 -	   (c != end2) && (c != end3)) {
 +           (c != end2) && (c != end3) &&
 +           (ctxt->instate != XML_PARSER_EOF)) {
 	if (c == 0) break;
         if ((c == '&') && (str[1] == '#')) {
 -- 
 2.24.1
--- a/libxml2/libxml2-2.9.10-fix-integer-overflow.patch
+++ b/libxml2/libxml2-2.9.10-fix-integer-overflow.patch
@ -0,0 +1,41 @@
 From 8e7c20a1af8776677d7890f30b7a180567701a49 Mon Sep 17 00:00:00 2001
 From: Nick Wellnhofer <wellnhofer@aevum.de>
 Date: Mon, 3 Aug 2020 17:30:41 +0200
 Subject: [PATCH] Fix integer overflow when comparing schema dates
 Found by OSS-Fuzz.
 ---
 xmlschemastypes.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
 diff --git a/xmlschemastypes.c b/xmlschemastypes.c
 index 4249d700..d6b9f924 100644
 --- a/xmlschemastypes.c
 +++ b/xmlschemastypes.c
@@ -3691,6 +3691,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y)
 	minday = 0;
 	maxday = 0;
     } else {
 +        if (myear > LONG_MAX / 366)
 +            return -2;
         /* FIXME: This doesn't take leap year exceptions every 100/400 years
            into account. */
 	maxday = 365 * myear + (myear + 3) / 4;
@@ -4079,6 +4081,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y)
     if ((x == NULL) || (y == NULL))
         return -2;
 +    if ((x->value.date.year > LONG_MAX / 366) ||
 +        (x->value.date.year < LONG_MIN / 366) ||
 +        (y->value.date.year > LONG_MAX / 366) ||
 +        (y->value.date.year < LONG_MIN / 366)) {
 +        /* Possible overflow when converting to days. */
 +        return -2;
 +    }
 +
     if (x->value.date.tz_flag) {
         if (!y->value.date.tz_flag) {
 -- 
 2.28.0.rc2
--- a/libxml2/libxml2-2.9.10-icu68.patch
+++ b/libxml2/libxml2-2.9.10-icu68.patch
@ -0,0 +1,28 @@
 From b516ed189eb440e909f36baca1557b98e4d9ffd7 Mon Sep 17 00:00:00 2001
 From: Frederik Seiffert <frederik@algoriddim.com>
 Date: Thu, 12 Nov 2020 12:53:43 +0100
 Subject: [PATCH] Fix building with ICU 68.
 ICU 68 no longer defines the TRUE macro.
 Closes #204.
 ---
 encoding.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/encoding.c b/encoding.c
 index c34aca44..264f60bb 100644
 --- a/encoding.c
 +++ b/encoding.c
@@ -2004,7 +2004,7 @@ xmlEncOutputChunk(xmlCharEncodingHandler *handler, unsigned char *out,
 #ifdef LIBXML_ICU_ENABLED
     else if (handler->uconv_out != NULL) {
         ret = xmlUconvWrapper(handler->uconv_out, 0, out, outlen, in, inlen,
 -                              TRUE);
 +                              1);
     }
 #endif /* LIBXML_ICU_ENABLED */
     else {
 -- 
 GitLab
--- a/libxml2/libxml2-2.9.10-parenthesize-type-checks.patch
+++ b/libxml2/libxml2-2.9.10-parenthesize-type-checks.patch
@ -0,0 +1,92 @@
 From edc7b6abb0c125eeb888748c334897f60aab0854 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
 Date: Fri, 28 Feb 2020 12:48:14 +0100
 Subject: [PATCH] Parenthesize Py<type>_Check() in ifs
 In C, if expressions should be parenthesized.
 PyLong_Check, PyUnicode_Check etc. happened to expand to a parenthesized
 expression before, but that's not API to rely on.
 Since Python 3.9.0a4 it needs to be parenthesized explicitly.
 Fixes https://gitlab.gnome.org/GNOME/libxml2/issues/149
 ---
 python/libxml.c |  4 ++--
 python/types.c  | 12 ++++++------
 2 files changed, 8 insertions(+), 8 deletions(-)
 diff --git a/python/libxml.c b/python/libxml.c
 index bc676c4e..81e709f3 100644
 --- a/python/libxml.c
 +++ b/python/libxml.c
@@ -294,7 +294,7 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) {
 	lenread = PyBytes_Size(ret);
 	data = PyBytes_AsString(ret);
 #ifdef PyUnicode_Check
 -    } else if PyUnicode_Check (ret) {
 +    } else if (PyUnicode_Check (ret)) {
 #if PY_VERSION_HEX >= 0x03030000
         Py_ssize_t size;
 	const char *tmp;
@@ -359,7 +359,7 @@ xmlPythonFileRead (void * context, char * buffer, int len) {
 	lenread = PyBytes_Size(ret);
 	data = PyBytes_AsString(ret);
 #ifdef PyUnicode_Check
 -    } else if PyUnicode_Check (ret) {
 +    } else if (PyUnicode_Check (ret)) {
 #if PY_VERSION_HEX >= 0x03030000
         Py_ssize_t size;
 	const char *tmp;
 diff --git a/python/types.c b/python/types.c
 index c2bafeb1..ed284ec7 100644
 --- a/python/types.c
 +++ b/python/types.c
@@ -602,16 +602,16 @@ libxml_xmlXPathObjectPtrConvert(PyObject *obj)
     if (obj == NULL) {
         return (NULL);
     }
 -    if PyFloat_Check (obj) {
 +    if (PyFloat_Check (obj)) {
         ret = xmlXPathNewFloat((double) PyFloat_AS_DOUBLE(obj));
 -    } else if PyLong_Check(obj) {
 +    } else if (PyLong_Check(obj)) {
 #ifdef PyLong_AS_LONG
         ret = xmlXPathNewFloat((double) PyLong_AS_LONG(obj));
 #else
         ret = xmlXPathNewFloat((double) PyInt_AS_LONG(obj));
 #endif
 #ifdef PyBool_Check
 -    } else if PyBool_Check (obj) {
 +    } else if (PyBool_Check (obj)) {
         if (obj == Py_True) {
           ret = xmlXPathNewBoolean(1);
@@ -620,14 +620,14 @@ libxml_xmlXPathObjectPtrConvert(PyObject *obj)
           ret = xmlXPathNewBoolean(0);
         }
 #endif
 -    } else if PyBytes_Check (obj) {
 +    } else if (PyBytes_Check (obj)) {
         xmlChar *str;
         str = xmlStrndup((const xmlChar *) PyBytes_AS_STRING(obj),
                          PyBytes_GET_SIZE(obj));
         ret = xmlXPathWrapString(str);
 #ifdef PyUnicode_Check
 -    } else if PyUnicode_Check (obj) {
 +    } else if (PyUnicode_Check (obj)) {
 #if PY_VERSION_HEX >= 0x03030000
         xmlChar *str;
 	const char *tmp;
@@ -650,7 +650,7 @@ libxml_xmlXPathObjectPtrConvert(PyObject *obj)
 	ret = xmlXPathWrapString(str);
 #endif
 #endif
 -    } else if PyList_Check (obj) {
 +    } else if (PyList_Check (obj)) {
         int i;
         PyObject *node;
         xmlNodePtr cur;
 -- 
 2.24.1
--- a/libxml2/libxml2-2.9.8-python3-unicode-errors.patch
+++ b/libxml2/libxml2-2.9.8-python3-unicode-errors.patch
@ -0,0 +1,34 @@
 Index: libxml2-2.9.5/python/libxml.c
 ===================================================================
 --- libxml2-2.9.5.orig/python/libxml.c
 +++ libxml2-2.9.5/python/libxml.c
@@ -1620,6 +1620,7 @@ libxml_xmlErrorFuncHandler(ATTRIBUTE_UNU
     PyObject *message;
     PyObject *result;
     char str[1000];
 +    unsigned char *ptr = (unsigned char *)str;
 #ifdef DEBUG_ERROR
     printf("libxml_xmlErrorFuncHandler(%p, %s, ...) called\n", ctx, msg);
@@ -1636,12 +1637,20 @@ libxml_xmlErrorFuncHandler(ATTRIBUTE_UNU
 	    str[999] = 0;
         va_end(ap);
 +#if PY_MAJOR_VERSION >= 3
 +        /* Ensure the error string doesn't start at UTF8 continuation. */
 +        while (*ptr && (*ptr & 0xc0) == 0x80)
 +            ptr++;
 +#endif
 +
         list = PyTuple_New(2);
         PyTuple_SetItem(list, 0, libxml_xmlPythonErrorFuncCtxt);
         Py_XINCREF(libxml_xmlPythonErrorFuncCtxt);
 -        message = libxml_charPtrConstWrap(str);
 +        message = libxml_charPtrConstWrap(ptr);
         PyTuple_SetItem(list, 1, message);
         result = PyEval_CallObject(libxml_xmlPythonErrorFuncHandler, list);
 +        /* Forget any errors caused in the error handler. */
 +        PyErr_Clear();
         Py_XDECREF(list);
         Py_XDECREF(result);
     }