Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#7152 closed enhancement (fixed)

libxml2-2.9.3

Reported by: Fernando de Oliveira Owned by: Pierre Labastie
Priority: high Milestone: 7.9
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description (last modified by Pierre Labastie)

Security Update

See Security in the news, below.

http://xmlsoft.org/sources/libxml2-2.9.3.tar.gz

http://xmlsoft.org/sources/libxml2-2.9.3.tar.gz.asc

http://www.xmlsoft.org/news.html

v2.9.3: Nov 20 2015

  • Security:
    ◦ CVE-2015-8242 Buffer overead with HTML parser in push mode (Hugh
      Davenport),
    ◦ CVE-2015-7500 Fix memory access error due to incorrect entities
      boundaries (Daniel Veillard),
    ◦ CVE-2015-7499-2 Detect incoherency on GROW (Daniel Veillard),
    ◦ CVE-2015-7499-1 Add xmlHaltParser() to stop the parser (Daniel
      Veillard),
    ◦ CVE-2015-5312 Another entity expansion issue (David Drysdale),
    ◦ CVE-2015-7497 Avoid an heap buffer overflow in
      xmlDictComputeFastQKey (David Drysdale),
    ◦ CVE-2015-7498 Avoid processing entities after encoding conversion
      failures (Daniel Veillard),
    ◦ CVE-2015-8035 Fix XZ compression support loop (Daniel Veillard),
    ◦ CVE-2015-7942-2 Fix an error in previous Conditional section patch
      (Daniel Veillard),
    ◦ CVE-2015-7942 Another variation of overflow in Conditional
      sections (Daniel Veillard),
    ◦ CVE-2015-1819 Enforce the reader to run in constant memory (Daniel
      Veillard)
    ◦ CVE-2015-7941_2 Cleanup conditional section error handling (Daniel
      Veillard),
    ◦ CVE-2015-7941_1 Stop parsing on entities boundaries errors (Daniel
      Veillard),
  • Documentation:
    ◦ Correct spelling of "calling" (Alex Henrie),
    ◦ Fix a small error in xmllint --format description (Fabien
      Degomme),
    ◦ Avoid XSS on the search of xmlsoft.org (Daniel Veillard)
  • Portability:
    ◦ threads: use forward declarations only for glibc (Michael
      Heimpold),
    ◦ Update Win32 configure.js to search for configure.ac (Daniel
      Veillard)
  • Bug Fixes:
    ◦ Bug on creating new stream from entity (Daniel Veillard),
    ◦ Fix some loop issues embedding NEXT (Daniel Veillard),
    ◦ Do not print error context when there is none (Daniel Veillard),
    ◦ Avoid extra processing of MarkupDecl when EOF (Hugh Davenport),
    ◦ Fix parsing short unclosed comment uninitialized access (Daniel
      Veillard),
    ◦ Add missing Null check in xmlParseExternalEntityPrivate (Gaurav
      Gupta),
    ◦ Fix a bug in CData error handling in the push parser (Daniel
      Veillard),
    ◦ Fix a bug on name parsing at the end of current input buffer
      (Daniel Veillard),
    ◦ Fix the spurious ID already defined error (Daniel Veillard),
    ◦ Fix previous change to node sort order (Nick Wellnhofer),
    ◦ Fix a self assignment issue raised by clang (Scott Graham),
    ◦ Fail parsing early on if encoding conversion failed (Daniel
      Veillard),
    ◦ Do not process encoding values if the declaration if broken
      (Daniel Veillard),
    ◦ Silence clang's -Wunknown-attribute (Michael Catanzaro),
    ◦ xmlMemUsed is not thread-safe (Martin von Gagern),
    ◦ Fix support for except in nameclasses (Daniel Veillard),
    ◦ Fix order of root nodes (Nick Wellnhofer),
    ◦ Allow attributes on descendant-or-self axis (Nick Wellnhofer),
    ◦ Fix the fix to Windows locking (Steve Nairn),
    ◦ Fix timsort invariant loop re: Envisage article (Christopher
      Swenson),
    ◦ Don't add IDs in xmlSetTreeDoc (Nick Wellnhofer),
    ◦ Account for ID attributes in xmlSetTreeDoc (Nick Wellnhofer),
    ◦ Remove various unused value assignments (Philip Withnall),
    ◦ Fix missing entities after CVE-2014-3660 fix (Daniel Veillard),
    ◦ Revert "Missing initialization for the catalog module" (Daniel
      Veillard)
  • Improvements:
    ◦ Reuse xmlHaltParser() where it makes sense (Daniel Veillard),
    ◦ xmlStopParser reset errNo (Daniel Veillard),
    ◦ Reenable xz support by default (Daniel Veillard),
    ◦ Recover unescaped less-than character in HTML recovery parsing
      (Daniel Veillard),
    ◦ Allow HTML serializer to output HTML5 DOCTYPE (Shaun McCance),
    ◦ Regression test for bug #695699 (Nick Wellnhofer),
    ◦ Add a couple of XPath tests (Nick Wellnhofer),
    ◦ Add Python 3 rpm subpackage (Tomas Radej),
    ◦ libxml2-config.cmake.in: update include directories (Samuel
      Martin),
    ◦ Adding example from bugs 738805 to regression tests (Daniel
      Veillard)
  • Cleanups:

Change History (10)

comment:1 by Fernando de Oliveira, 7 years ago

Description: modified (diff)

Sorry.

comment:2 by Pierre Labastie, 7 years ago

Owner: changed from blfs-book@… to Pierre Labastie
Status: newassigned

comment:3 by Fernando de Oliveira, 7 years ago

Description: modified (diff)

Sorry, Pierre, just another typo I committed in the Description. Apologies for intruding in your ticket.

comment:4 by Pierre Labastie, 7 years ago

Tickets are a place for dialog, so thanks for "intruding"! Actually, I took it for helping, but I cannot make it today (will do tonight or tomorrow). So feel free to reassign in the mean-time.

comment:5 by Fernando de Oliveira, 7 years ago

Thanks.

No, it is a pleasure having you doing it.

BTW, I'm trying to take as much as I (think I) can, because there are times tickets get accumulating.

However, any ticket I own, anytime, just ask (you, Ken, Bruce, Igor, ...) if you want.

comment:6 by Pierre Labastie, 7 years ago

In the http://xmlsoft.org/sources/ directory, there are libxml2-tests-version.tar.gz tarballs, which seem to contain a lot of test cases. Also, there is a makefile target "testall", which seems to run more tests than "check", but some of those tests seem to fail.

I do not know if it is worth talking about those.

comment:7 by Pierre Labastie, 7 years ago

Description: modified (diff)
Resolution: fixed
Status: assignedclosed

Fixed at r16680. For now, the supplementary tests are not mentioned. If anybody thinks it would be worthwhile to include them, please reopen.

comment:8 by Fernando de Oliveira, 7 years ago

Sorry, I was going to tell that a few words, similar to what you wrote in comment:6, might be worth.

comment:9 by Pierre Labastie, 7 years ago

Thanks for your answer. I had no time left today (to many things to do this week-end). I'll think of some addition, but my main problem is that the current tests pass, but many supplementary tests don't... And as always with tests, it is never clear why the tests fail: is it because of some forgotten option in the build or is it expected because of the current state of the package? I'll try to look closer during the next days.

comment:10 by Fernando de Oliveira, 7 years ago

Please, I was not suggesting to spend much time. Just mentioning the existence and perhaps the comment that some tests fail.

Note: See TracTickets for help on using tickets.