Opened 2 years ago

Closed 2 years ago

#16161 closed enhancement (fixed)

libxml-2.9.13 (CVE-2022-23308)

Reported by: Xi Ruoyao
Owned by: blfs-book
Priority: high
Milestone: 11.1
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description (last modified by Bruce Dubbs)

Version 2.9.13 of libxml2 is available at:

https://download.gnome.org/sources/libxml2/2.9/

Note that starting with this release, libxml2 tarballs are published on download.gnome.org instead of ftp.xmlsoft.org.

# Security

  • [CVE-2022-23308] Use-after-free of ID and IDREF attributes
  • Use-after-free in xmlXIncludeCopyRange
  • Fix null deref in xmlSchemaGetComponentTargetNs
  • Fix memory leak in xmlXPathCompNodeTest
  • Fix null pointer deref in xmlStringGetNodeList
  • Fix several memory leaks found by Coverity

# Fixed regressions

  • Fix regression in RelaxNG pattern matching
  • Properly handle nested documents in xmlFreeNode
  • Fix regression with PEs in external DTD
  • Fix random dropping of characters on dumping ASCII encoded XML
  • Revert "Make schema validation fail with multiple top-level elements"
  • Fix regression when parsing invalid HTML tags in push mode
  • Fix regression parsing public IDs literals in HTML
  • Fix buffering in xmlOutputBufferWrite
  • Fix whitespace when serializing empty HTML documents
  • Fix XPath recursion limit
  • Fix regression in xmlNodeDumpOutputInternal
  • Work around lxml API abuse

# Bug fixes

  • Fix xmlSetTreeDoc with entity references
  • Fix double counting of CRLF in comments
  • Make sure to grow input buffer in xmlParseMisc
  • Don't ignore xmllint options after "-"
  • Don't normalize namespace URIs in XPointer xmlns() scheme
  • Fix handling of XSD with empty namespace
  • Also register HTML document nodes
  • Make xmllint return an error if arguments are missing
  • Fix handling of ctxt->base in xmlXPtrEvalXPtrPart
  • Fix xmllint --maxmem
  • Fix htmlReadFd, which was using a mix of xml and html context functions
  • Move current position before possible calling of ctxt->sax->characters
  • Fix parse failure when 4-byte character in UTF-16 BE is split across a chunk
  • Patch to forbid epsilon-reduction of final states
  • Avoid segfault at exit when using custom memory functions

# Tests, code quality, fuzzing

  • Remove .travis.yml
  • Make xmlFuzzReadString return a zero size in error case
  • Fix unused function warning in testapi.c
  • Update NewsML DTD in test suite
  • Add more checks for malloc failures in xmllint.c
  • Avoid potential integer overflow in xmlstring.c
  • Run CI tests with UBSan implicit-conversion checks
  • Fix casting of line numbers in SAX2.c
  • Fix integer conversion warnings in hash.c
  • Add explicit casts in runtest.c
  • Fix integer conversion warning in xmlIconvWrapper
  • Add suffix to unsigned constant in xmlmemory.c
  • Add explicit casts in testchar.c
  • Fix integer conversion warnings in xmlstring.c
  • Add explicit cast in xmlURIUnescapeString
  • Remove unused variable in xmlCharEncOutFunc

# Build system, portability

  • Remove xmlwin32version.h
  • Fix fuzzer test with VPATH build
  • Support custom prefix when installing Python module
  • Remove Makefile.win
  • Remove CVS and SVN-related code
  • Port python 3.x module to Windows and improve distutils
  • Correctly install the HTML examples into their subdirectory
  • Refactor the settings of $docdir
  • Remove unused configure checks
  • python/Makefile.am: use *_LIBADD, not *_LDFLAGS for LIBS
  • Fix check for libtool in autogen.sh
  • Use version in configure.ac for CMake
  • Add CMake alias targets for embedded projects

# Documentation

  • Remove SVN keyword anchors
  • Rework README
  • Remove README.cvs-commits
  • Remove old ChangeLog
  • Update hyperlinks
  • Remove README.docs
  • Remove MAINTAINERS
  • Remove xmltutorial.pdf
  • Upload documentation to GitLab pages
  • Document how to escape XML_CATALOG_FILES
  • Fix libxml2.doap
  • Update URL for libxml++ C++ binding
  • Generate devhelp2 index file
  • Mention XML_CATALOG_FILES is space-separated
  • Add documentation for xmllint exit code 10
  • Fix some validation errors in the FAQ
  • Add instructions on how to use CMake to compile libxml

As now both the two main XML parsers in LFS/BLFS (expat and libxml) contain security fixes, I think the only rational way is to make rc2.

Change History (20)

comment:1 by Xi Ruoyao, 2 years ago

Description: modified (diff)

comment:3 by Bruce Dubbs, 2 years ago

Description: modified (diff)

comment:4 by Douglas R. Reno, 2 years ago

The following packages use libxml2 (that I am aware of). These were obtained by running a 'grep lxml2 /usr/src/logs/*' (and 'grep libxml2 /usr/src/logs/*'):

at-spi2-atk

bind

bind-utils

docbook-xml

docbook-xsl

ffmpeg

folks

fontforge

grilo

gspell

gst-plugins-bad

gstreamer

gtksourceview3

gtksourceview4

ImageMagick

itstool

libgrss

libical

libgsf

libmusicbrainz5

rest

libsoup

libxklavier

libxkbcommon

libxslt

llvm

mariadb

nghttp2

openbox

php

postgresql

raptor2

sane

shared-mime-info

telepathy-logger

totem-pl-parser

vlc

wayland

webkitgtk

wireshark

httpd

gedit

mesa

libwacom

xcb-proto

xscreensaver

gobject-introspection

GConf

libglade

inkscape

pygtk

comment:5 by Douglas R. Reno, 2 years ago

Note that I do not have Plasma or most of GNOME installed at this time either, nor do I have XFCE installed. I also do not have most X Applications installed either, nor most of the multimedia applications.

This is just a "what I have" list. There may be more.

comment:6 by Douglas R. Reno, 2 years ago

CVE-2022-23308 is rated as 8.1/10 at Red Hat. High availability, integrity, and confidentiality impact. No user interaction or privileges are required, but the attack complexity is High. Attack vector is Network.

comment:7 by Bruce Dubbs, 2 years ago

Fixed at commit 1a699f7a05839184ca68c7d645be578bf427ba24 but leaving open for now.

comment:8 by Douglas R. Reno, 2 years ago

Test output for libxml2:

.........
Total 3350 tests, no errors
Total 9 tests, no errors
Total: 1164 functions, 280912 tests, 0 errors
Total 2273 tests, 15 errors, 0 leaks
15 errors were expected

comment:9 by ken@…, 2 years ago

Failed build of Python xml2 module:

Traceback (most recent call last):
  File "setup.py", line 9, in <module>
    except ModuleNotFoundError:
NameError: name 'ModuleNotFoundError' is not defined

I'm not sure why I still build that module, other than for testing the build. I think it is needed for building the gimp helpfiles, but for that I build gvfs to use the online versions.

Successful builds of postgresql-14.2, httpd-2.4.52.

comment:10 by Douglas R. Reno, 2 years ago

Security Advisory is SA-11.0-085, will be submitted momentarily

comment:11 by Douglas R. Reno, 2 years ago

rest, telepathy-logger, totem-pl-parser, gobject-introspection, grilo, libgweather, libpeas, evolution-data-server (seen in the logs), folks, libgrss, libgsf, and libxklavier confirmed good.

in reply to:  9 ; comment:12 by Douglas R. Reno, 2 years ago

Replying to ken@…:

> Failed build of Python xml2 module:
>
> Traceback (most recent call last):
>   File "setup.py", line 9, in <module>
>     except ModuleNotFoundError:
> NameError: name 'ModuleNotFoundError' is not defined
>
> I'm not sure why I still build that module, other than for testing the build. I think it is needed for building the gimp helpfiles, but for that I build gvfs to use the online versions.

This could be a problem...

comment:13 by ken@…, 2 years ago

Successfully built ImageMagick-7.1.0-25, libglade-2.6.4, librsvg-2.52.6, libsoup-2.74.2, libxklavier-5.4, lxml-4.7.1, pygtk-2.24.0, raptor2-2.0.15, xscreensaver-6.02.

in reply to:  12 ; comment:14 by pierre, 2 years ago

Replying to Douglas R. Reno:

> Replying to ken@…:
>
> > Failed build of Python xml2 module:
> >
> > Traceback (most recent call last):
> >   File "setup.py", line 9, in <module>
> >     except ModuleNotFoundError:
> > NameError: name 'ModuleNotFoundError' is not defined
> >
> > I'm not sure why I still build that module, other than for testing the build. I think it is needed for building the gimp helpfiles, but for that I build gvfs to use the online versions.
>
> This could be a problem...

Been hit by this too. Looks like ModuleNotFoundError is a Python3 thing. Could it be that the libxml2 module has been updated for Python3?

in reply to:  14 comment:15 by pierre, 2 years ago

Replying to pierre:

> Replying to Douglas R. Reno:
>
> > Replying to ken@…:
> >
> > > Failed build of Python xml2 module:
> > >
> > > Traceback (most recent call last):
> > >   File "setup.py", line 9, in <module>
> > >     except ModuleNotFoundError:
> > > NameError: name 'ModuleNotFoundError' is not defined
> > >
> > > I'm not sure why I still build that module, other than for testing the build. I think it is needed for building the gimp helpfiles, but for that I build gvfs to use the online versions.
> >
> > This could be a problem...
>
> Been hit by this too. Looks like ModuleNotFoundError is a Python3 thing. Could it be that the libxml2 module has been updated for Python3?

Oh, it was already possible to use python3, sorry. But I found this: https://gitlab.gnome.org/GNOME/libxml2/-/commit/5bc5f0762f4d4afc39f739ce2693aa2512521daf Guess we can add a sed for libxml2py2...

Last edited 2 years ago by pierre (previous) (diff)

comment:16 by pierre, 2 years ago

Libxml2 python2 module fixed at c644c64713

in reply to:  12 ; comment:17 by ken@…, 2 years ago

Replying to Douglas R. Reno:

> Replying to ken@…:
>
> > Failed build of Python xml2 module:
> >
> > Traceback (most recent call last):
> >   File "setup.py", line 9, in <module>
> >     except ModuleNotFoundError:
> > NameError: name 'ModuleNotFoundError' is not defined
> >
> > I'm not sure why I still build that module, other than for testing the build. I think it is needed for building the gimp helpfiles, but for that I build gvfs to use the online versions.
>
> This could be a problem...

Apparently, ModuleNotFoundError is only in python3. At stackoverflow there is a suggestion to use ImportError. It looks as if a sed will work, but my machine is currently maxed out building qtwebengine. Will get to this later.

in reply to:  17 comment:18 by ken@…, 2 years ago

Replying to ken@…:

> Apparently, ModuleNotFoundError is only in python3. At stackoverflow there is a suggestion to use ImportError. It looks as if a sed will work, but my machine is currently maxed out building qtwebengine. Will get to this later.

Might have helped if I'd read all my mail, and Pierre's post, before making that reply. Sorry for the noise.

comment:19 by ken@…, 2 years ago

A few more successful builds: inkscape-1.1.2, qtwebengine-5.15.8, vlc-3.0.16 and XML-LibXML-2.0207 (perl)

Please note that my log from ffmpeg-4.4.1 does NOT mention -lxml2.

Last edited 2 years ago by ken@… (previous) (diff)

comment:20 by Bruce Dubbs, 2 years ago

Resolution: fixed
Status: new → closed

Consensus is that this can be closed now.
