Opened 3 months ago

Closed 3 months ago

#19246 closed enhancement (fixed)

Change libxml2 to use ICU support and adapt QtWebEngine

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: normal Milestone: 12.1
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

Because of the recent libxml2 security vulnerability (#19238), we really should enable system ICU support in libxml2 so that QtWebEngine can use the system copy of libxml2 instead of its bundled one. This way QtWebEngine can benefit from security fixes in the system copy of libxml2 before we can apply them in an update from upstream.

From IRC this morning:

<xry111> hi, should we raise icu to recommended for libxml2, or in qtwebengine remove libxml2 from the dependencies and patch the bundled libxml2 copy for security fixes?
<xry111> IIRC when we discussed this last time we tend to use 1
<xry111> (raising icu to recommended for libxml2)
<Moody> what would be an argument against raising it to recommended?
<xry111> otherwise we'll have to use the internal copy of libxml2 building qtwebengine
<xry111> and the internal copy is very old with multiple security vulnerabilities
<xry111> so we either raise icu to recommended for libxml2 and use system libxml2 for qtwebengine, or patch libxml2 copy in qtwebengine
<xry111> raising a dependency is easier
<plabs> +1 for raising... Jhalfs would have to build icu in chroot, but I don't think it is a problem
<renodr> Even if we bump ICU to recommended in libxml2, we also need to add --with-icu. It's not an option that's turned on by default.
<renodr> I was going to say that QtWebEngine has all of the vulnerabilities fixed, but then I checked my email. :)
<renodr> So we would need to add --with-icu to configure, run "rm -vf /usr/lib/libxml2.la && sed '/libs=/s/xml2.*/xml2"/' -i /usr/bin/xml2-config", and promote ICU to recommended. In addition, the page will need to be fixed to make QtWebEngine build with the system version of libxml2.
<renodr> There is a sed commented out if I remember correctly
<renodr> For QtWebEngine in particular there's a lot more to do than just raising the dependency
<renodr> I'll file a ticket for that in a little bit and for some other things as well
<xry111> (add --with-icu) indeed.
<xry111> this is also why ICU-74.2 (built before libxml2-2.12.4) in qtwebengine page makes no sense
<xry111> with the book instruction building ICU before or after libxml2 makes no difference
<xry111> (I just saw this nonsense today so raised the issue again)
<bdubbs> Good morning (US time) guys.
<bdubbs> I'm OK with making icu recommended for libxml2.

To do this a few tasks will have to be done:

  • Promote ICU to recommended in libxml2
  • Add --with-icu to libxml2's configure script
  • Move the 'rm' and 'sed' commands for libtool/xml2-config to after 'make install'
  • Reinstate the sed in QtWebEngine (and test build)
  • Remove "(built before libxml2-2.12.4)" from QtWebEngine's dependencies
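As an added example (not from the ticket or the BLFS book), a small POSIX shell script that applies the xml2-config sed from the task list to a constructed stand-in for the script, so its effect on the libs= line can be checked before it is run against the real /usr/bin/xml2-config; the sample libs= line and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ticket or the BLFS book.
# Shows what the book's sed does to an xml2-config generated by an
# ICU-enabled libxml2 build: everything after -lxml2 on the libs= line
# (ICU and other private libs) is dropped and the quote is re-closed.

# Apply the book's sed to the given xml2-config file in place.
trim_xml2_config_libs() {
    sed '/libs=/s/xml2.*/xml2"/' -i "$1"
}

# Print the first libs= assignment from an xml2-config file.
xml2_config_libs_line() {
    sed -n '/libs=/{p;q}' "$1"
}

# Constructed stand-in for an ICU-enabled xml2-config; the real script's
# wording differs, only the libs= line matters here (assumption).
make_sample_xml2_config() {
    cat > "$1" <<'EOF'
#!/bin/sh
prefix=/usr
libdir=${prefix}/lib
case "$1" in
    --libs)
        libs="-lxml2 -licuuc -licudata -lz -llzma -lm"
        echo "$libs"
        ;;
esac
EOF
}

# Before/after on a temporary copy, leaving the system script untouched.
demo() {
    tmp=$(mktemp)
    make_sample_xml2_config "$tmp"
    echo "before: $(xml2_config_libs_line "$tmp")"
    trim_xml2_config_libs "$tmp"
    echo "after:  $(xml2_config_libs_line "$tmp")"
    rm -f "$tmp"
}

demo
```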

Change History (4)

comment:1 by Douglas R. Reno, 3 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Xi Ruoyao, 3 months ago

And add libxml2 as recommended in QtWebEngine, with some "security caveat" like what we've just done for libpsl.

comment:3 by Douglas R. Reno, 3 months ago

Fixed at ead46579aadaa4c8fc486484c0dbffffb1d8f56c

I think the libxslt dependency should be sufficient since it will pull libxml2 in automatically from there. The reason why it wasn't picked up before was because libxml2 was not built with ICU support, so QtWebEngine would ignore both libxslt and libxml2.

comment:4 by Douglas R. Reno, 3 months ago

Resolution: fixed
Status: assigned → closed