#14271 closed enhancement (fixed)
libxml2 upstream fixes.
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | high | Milestone: | 10.1 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
In this week's security fixes mentioned at lwn, my first item is libxml2. Fedora re-fixed CVE-2020-24977 (their first patch was incorrect). Looking at what they have, there are 5 upstream fixes (relaxed approach to nested documents, CVE-2019-20388, CVE-2020-7595, integer overflow, CVE-2020-24977). AFAICS the CVEs are only DoS.
Looking at Fedora, they also have a fix to build with python-3.10 which only changes generator.py. They do not hack python/types.c. AFAICS, our sed is a better fix for a patch we used to carry which was apparently for a segfault in itstool.
My initial opinion (after only doing a DESTDIR install) is that we don't need this. I have not yet looked at running the tests to see if that sed is needed (Fedora don't use anything, but perhaps do not download the extra file).
Sed for ICU-68.1 still needed (Fedora were still building with 67 when I first looked at this a few days ago).
Change History (6)
comment:1 by , 4 years ago
| Owner: | changed from | to |
|---|---|---|
| Status: | new → assigned | |
comment:2 by , 4 years ago
comment:3 by , 4 years ago
I rebuilt itstool after updating this, and then used that to rebuild gucharmap, no problems.
comment:5 by , 4 years ago
It transpired that I'd been testing on an older system. On python-3.9 the first sed is needed. Reinstated in r23922.
comment:6 by , 4 years ago
| Priority: | normal → high |
|---|---|
Belatedly marking as High to group with other security items.
Tests appear to run to completion without unexpected errors:
Total 3175 tests, no errors
Total 9 tests, no errors
Total: 1163 functions, 280911 tests, 0 errors
Total 2273 tests, 15 errors, 0 leaks
15 errors were expected
But before that there was a python error. Will retry with the sed.
Yeah, I misinterpreted 'disable one test that prevents the tests from completing'. The sed is necessary to suppress that.
Pended until I've installed this and some other fixes, and done run-time testing.
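The last comment judges the libxml2 test run by eye: four "Total ..." summary lines, of which one reports 15 errors that are known to be expected. The script below is an added example, not part of this ticket, of BLFS, or of libxml2's own test harness; it gates a `make check` log on exactly that criterion. The sample log is constructed from the totals quoted above, and the expected-error count is an argument supplied by the caller (the ticket states 15 for this build; the script does not know that itself).

```shell
#!/bin/sh
# Added example (not from the ticket, BLFS or libxml2): decide whether a
# libxml2 'make check' run passed, given how many errors are expected.
#
# Constructed sample log: the four summary lines quoted in comment:6.
SAMPLE_LOG='Total 3175 tests, no errors
Total 9 tests, no errors
Total: 1163 functions, 280911 tests, 0 errors
Total 2273 tests, 15 errors, 0 leaks'

# check_summary LOG EXPECTED
#   Scans every line beginning with "Total" (both "Total N tests" and
#   "Total: N functions" forms), sums the "<n> errors" counts ("no errors"
#   contributes 0) and the "<n> leaks" counts, and prints a one-line verdict.
#   Returns 0 only when the error sum equals EXPECTED and no leaks were
#   reported; a log with no summary lines at all is treated as a failure,
#   so a run that aborted early (e.g. the Python test that stops the suite,
#   as discussed in the ticket) is not mistaken for a clean one.
check_summary() {
    log="$1"
    expected="$2"
    printf '%s\n' "$log" | awk -v want="$expected" '
        BEGIN { want += 0 }
        /^Total/ {
            errs = 0; leaks = 0
            # "15 errors" + 0 yields 15 in awk; "no errors" does not match at all.
            if (match($0, /[0-9]+ errors/)) errs = substr($0, RSTART, RLENGTH) + 0
            if (match($0, /[0-9]+ leaks/))  leaks = substr($0, RSTART, RLENGTH) + 0
            total_err += errs; total_leak += leaks; seen++
        }
        END {
            if (seen == 0) { print "FAIL: no summary lines found (run aborted?)"; exit 1 }
            printf "%d summary lines, %d errors (expected %d), %d leaks\n",
                   seen, total_err, want, total_leak
            if (total_err == want && total_leak == 0) { print "PASS"; exit 0 }
            print "FAIL"; exit 1
        }'
}

# Typical use after building: make check 2>&1 | tee check.log;
# check_summary "$(cat check.log)" 15
check_summary "$SAMPLE_LOG" 15
```

Pass the expected count explicitly rather than hard-coding it: the number of expected errors depends on which optional test data (the extra download mentioned in the description) is present, so a value baked into the script would silently go stale.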