Opened 20 months ago

Closed 20 months ago

Last modified 20 months ago

#16914 closed enhancement (fixed)

libxml2-2.10.0

Reported by: Douglas R. Reno
Owned by: Bruce Dubbs
Priority: elevated
Milestone: 11.2
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New minor version

Change History (8)

comment:1 by Bruce Dubbs, 20 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:2 by Xi Ruoyao, 20 months ago

CVE-2022-2309:

NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.
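
An added example, not part of the ticket or of lxml/libxml2: a small audit that checks the two conditions the advisory text above names, namely a libxml2 version in the 2.9.10 through 2.9.14 range and application code that calls iterwalk or canonicalize. The function names and the sample source are constructed for illustration; the static scan is a heuristic that matches call names only and does not follow aliases.

```python
import ast

# Affected range quoted in the ticket: libxml2 2.9.10 through 2.9.14 (with lxml).
AFFECTED_MIN = (2, 9, 10)
AFFECTED_MAX = (2, 9, 14)
# Functions the advisory names as reaching the faulty code path.
RISKY_CALLS = {"iterwalk", "canonicalize"}


def libxml2_affected(version):
    """True if a (major, minor, micro) libxml2 version is in the affected range."""
    return AFFECTED_MIN <= tuple(version[:3]) <= AFFECTED_MAX


def find_risky_calls(source, filename="<constructed>"):
    """Return sorted (line, name) for each call to iterwalk()/canonicalize()."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            func = node.func
            # Matches both etree.iterwalk(...) and a bare imported iterwalk(...).
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
            if name in RISKY_CALLS:
                hits.append((node.lineno, name))
    return sorted(hits)


def linked_libxml2():
    """libxml2 version lxml is running against, or None if lxml is absent."""
    try:
        from lxml import etree
    except ImportError:
        return None
    return tuple(etree.LIBXML_VERSION)


# Constructed sample application code, not taken from any real project.
SAMPLE = '''\
from lxml import etree
tree = etree.parse(untrusted_path)
for event, elem in etree.iterwalk(tree, events=("start", "end")):
    handle(elem)
etree.canonicalize(xml_data=blob)
for event, elem in etree.iterparse(untrusted_path):
    handle(elem)
'''

if __name__ == "__main__":
    ver = linked_libxml2()
    print("linked libxml2:", ver, "affected:", ver is not None and libxml2_affected(ver))
    for line, name in find_risky_calls(SAMPLE):
        print(f"line {line}: call to {name}()")
```

A host is exposed only when both checks are positive; the iterparse loop in the sample is not flagged, matching the advisory's note that it is the usual replacement for parsing followed by iterwalk.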

comment:3 by Xi Ruoyao, 20 months ago

Security

  • [CVE-2022-2309] Reset nsNr in xmlCtxtReset
  • Reserve byte for NUL terminator and report errors consistently in xmlBuf and xmlBuffer (David Kilzer)
  • Fix missing NUL terminators in xmlBuf and xmlBuffer functions (David Kilzer)
  • Fix integer overflow in xmlBufferDump() (David Kilzer)
  • xmlBufAvail() should return length without including a byte for NUL terminator (David Kilzer)
  • Fix ownership of xmlNodePtr & xmlAttrPtr fields in xmlSetTreeDoc() (David Kilzer)
  • Use xmlNewDocText in xmlXIncludeCopyRange
  • Fix use-after-free bugs when calling xmlTextReaderClose() before xmlFreeTextReader() on post-validating parser (David Kilzer)
  • Use UPDATE_COMPAT() consistently in buf.c (David Kilzer)
  • fix: xmlXPathParserContext could be double-delete in OOM case. (jinsub ahn)

Removals and deprecations

  • Disable XPointer location support by default
  • Remove outdated xml2Conf.sh
  • Deprecate module init and cleanup functions
  • Remove obsolete XML Software Autoupdate (XSA) file
  • Remove DOCBparser
  • Remove obsolete Python test framework
  • Remove broken VxWorks support
  • Remove broken Mac OS 9 support
  • Remove broken bakefile support
  • Remove broken Visual Studio 2010 support
  • Remove broken Windows CE support
  • Deprecate IDREF-related functions in valid.h
  • Deprecate legacy functions
  • Disable legacy support by default
  • Deprecate all functions in nanoftp.h
  • Disable FTP support by default
  • Add XML_DEPRECATED macro
  • Remove elfgcchack.h

Regressions

  • Skip incorrectly opened HTML comments
  • Restore behavior of htmlDocContentDumpFormatOutput() (David Kilzer)

Bug fixes

  • Fix memory leak with invalid XSD
  • Make XPath depth check work with recursive invocations
  • Fix memory leak in xmlLoadEntityContent error path
  • Avoid double-free if malloc fails in inputPush
  • Properly fold whitespace around the QName value when validating an XSD schema. (Damjan Jovanovic)
  • Add whitespace folding for some atomic data types that it's missing on. (Damjan Jovanovic)
  • Don't add IDs containing unexpanded entity references

Improvements

  • Avoid calling xmlSetTreeDoc
  • Simplify xmlFreeNode
  • Don't reset nsDef when changing node content
  • Fix unintended fall-through in xmlNodeAddContentLen
  • Remove unused xmlBuf functions (David Kilzer)
  • Implement xpath1() XPointer scheme
  • Add configuration flag for XPointer locations support
  • Fix compiler warnings in Python code
  • Mark more static data as const (David Kilzer)
  • Make xmlStaticCopyNode non-recursive
  • Clean up encoding switching code
  • Simplify recursive pthread mutex
  • Use non-recursive mutex in dict.c
  • Fix parser progress checks
  • Avoid arithmetic on freed pointers
  • Improve buffer allocation scheme
  • Remove unneeded #includes
  • Add support for some non-standard escapes in regular expressions. (Damjan Jovanovic)
  • htmlParseComment: handle abruptly-closed comments (Mike Dalessio)
  • Add let variable tag support (Oliver Diehl)
  • Add value-of tag support (Oliver Diehl)
  • Remove useless call to xmlRelaxNGCleanupTypes
  • Don't include ICU headers in public headers
  • Update xmlStrlen() to use POSIX / ISO C strlen() (Mike Dalessio)
  • Fix unused variable warnings with disabled features
  • Only warn on invalid redeclarations of predefined entities
  • Remove unneeded code in xmlreader.c
  • Rework validation context flags

Portability

  • Use NAN/INFINITY if available to init XPath NaN/Inf (Sergey Kosukhin)
  • Fix Python tests on macOS
  • Fix xmlCleanupThreads on Windows
  • Fix reinitialization of library on Windows
  • Don't mix declarations and code in runtest.c
  • Use portable python shebangs (David Seifert)
  • Use critical sections as mutex on Windows
  • Don't set HAVE_WIN32_THREADS in win32config.h
  • Use stdint.h with newer MSVC
  • Remove cruft from win32config.h
  • Remove isinf/isnan emulation in win32config.h
  • Always fopen files with "rb"
  • Remove __DJGPP__ checks
  • Remove useless __CYGWIN__ checks

Build system

  • Don't autogenerate doc/examples/Makefile.am
  • cmake: Install libxml.m4 on UNIX-like platforms (Daniel E)
  • cmake: Use symbol versioning on UNIX-like platforms (Daniel E)
  • Port genUnicode.py to Python 3
  • Port gentest.py to Python 3
  • cmake: Fix build without thread support
  • cmake: Install documentation in CMAKE_INSTALL_DOCDIR
  • cmake: Remove non needed files in docs dir (Daniel E)
  • configure: move XML_PRIVATE_LIBS after WIN32_EXTRA_LIBADD is set (Christopher Degawa)
  • Move local Autoconf macros into m4 directory
  • Use XML_PRIVATE_LIBS in libxml2_la_LIBADD
  • Update libxml-2.0-uninstalled.pc.in
  • Remove LIBS from XML_PRIVATE_LIBS
  • Add WIN32_EXTRA_LIBADD to XML_PRIVATE_LIBS
  • Don't overlink executables
  • cmake: Adjust paths for UNIX or UNIX-like target systems (Daniel Engberg)
  • build: Make use of variables in libxml's pkg-config file (Daniel Engberg)
  • Avoid obsolescent test -a constructs (David Seifert)
  • Move AM_MAINTAINER_MODE to AM section
  • configure.ac: make AM_SILENT_RULES([yes]) unconditional (David Seifert)
  • Streamline documentation installation
  • Don't try to recreate COPYING symlink
  • Detect libm using libtool's macros (David Seifert)
  • configure.ac: disable static libraries by default (David Seifert)
  • python/Makefile.am: nest python docs in $(docdir) (David Seifert)
  • python/Makefile.am: rely on global AM_INIT_AUTOMAKE (David Seifert)
  • Makefile.am: install examples more idiomatically (David Seifert)
  • configure.ac: remove useless AC_SUBST (David Seifert)
  • Respect --sysconfdir in source files (David Seifert)
  • Ignore configure backup file created by recent autoreconf too (Vadim Zeitlin)
  • Only install *.html and *.c example files
  • Remove --with-html-dir option
  • Rework documentation build system
  • Remove old website
  • Use AM_PATH_PYTHON/PKG_CHECK_MODULES for python bindings (David Seifert)
  • Update genChRanges.py
  • Update build_glob.py
  • Remove ICONV_CONST test
  • Remove obsolete AC_HEADER checks
  • Don't check for standard C89 library functions
  • Don't check for standard C89 headers
  • Remove special configuration for certain maintainers

Test suite, CI

  • Disable network in API tests
  • testapi: remove leading slash from "/missing.xml" (Mike Gilbert)
  • Build Autotools CI tests out of source tree (VPATH)
  • Add --with-minimum build to CI tests
  • Fix warnings when testing --with-minimum build
  • cmake: Run all tests when threads are disabled
  • Also build CI tests with -Werror
  • Move doc/examples tests to new test suite
  • Simplify 'make check' targets
  • Fix schemas and relaxng tests
  • Remove unused result files
  • Allow missing result files in runtest
  • Move regexp tests to runtest
  • Move SVG tests to runtest.c
  • Move testModule to new test suite
  • Move testThreads to new test suite
  • Remove major parts of old test suite
  • Make testchar return an error on failure (Tony Tascioglu)
  • Add CI job for static build
  • python/tests: open() relative to test scripts (David Seifert)
  • Port some test scripts to Python 3

Documentation

  • Improve documentation of tree manipulation API
  • Update xml2-config man page
  • Consolidate man pages
  • Rename xmlcatalog_man.xml
  • Make examples a standalone HTML page
  • Fix documentation in entities.c
  • Add note about optimization flags

comment:4 by Xi Ruoyao, 20 months ago

"configure: error: Package requirements (python-3.1) were not met" :(.

in reply to:  4 comment:5 by Xi Ruoyao, 20 months ago

Replying to Xi Ruoyao:

"configure: error: Package requirements (python-3.1) were not met" :(.

A simple autoreconf fixes the issue. I guess the release tarball is generated with an old autoconf release which is not adapted for Python 3.10.

comment:7 by Bruce Dubbs, 20 months ago

Resolution: fixed
Status: assigned → closed

Fixed at commits

50a92eee77 Update to fribidi-1.0.12.
f80ff31fb7 Update to btrfs-progs-v5.19.
df301d239c node-16.17.0.
b4282bdbfe Update to libxml2-2.10.0.
f93706f8b8 Update to libxslt-1.1.36.

in reply to:  3 comment:8 by Xi Ruoyao, 20 months ago

Replying to Xi Ruoyao:

  • Respect --sysconfdir in source files (David Seifert)

Retrospectively: we need to add --sysconfdir=/etc or it will try to find /usr/etc/xml/catalog and fail to render the LFS book.
