v2.9.3: Nov 20 2015
Security:
CVE-2015-8242 Buffer overread with HTML parser in push mode (Hugh Davenport),
CVE-2015-7500 Fix memory access error due to incorrect entities boundaries (Daniel Veillard),
CVE-2015-7499-2 Detect incoherency on GROW (Daniel Veillard),
CVE-2015-7499-1 Add xmlHaltParser() to stop the parser (Daniel Veillard),
CVE-2015-5312 Another entity expansion issue (David Drysdale),
CVE-2015-7497 Avoid a heap buffer overflow in xmlDictComputeFastQKey (David Drysdale),
CVE-2015-7498 Avoid processing entities after encoding conversion failures (Daniel Veillard),
CVE-2015-8035 Fix XZ compression support loop (Daniel Veillard),
CVE-2015-7942-2 Fix an error in previous Conditional section patch (Daniel Veillard),
CVE-2015-7942 Another variation of overflow in Conditional sections (Daniel Veillard),
CVE-2015-1819 Enforce the reader to run in constant memory (Daniel Veillard),
CVE-2015-7941_2 Cleanup conditional section error handling (Daniel Veillard),
CVE-2015-7941_1 Stop parsing on entities boundaries errors (Daniel Veillard)
Documentation:
Correct spelling of "calling" (Alex Henrie),
Fix a small error in xmllint --format description (Fabien Degomme),
Avoid XSS on the search of xmlsoft.org (Daniel Veillard)
Portability:
threads: use forward declarations only for glibc (Michael Heimpold),
Update Win32 configure.js to search for configure.ac (Daniel Veillard)
Bug Fixes:
Bug on creating new stream from entity (Daniel Veillard),
Fix some loop issues embedding NEXT (Daniel Veillard),
Do not print error context when there is none (Daniel Veillard),
Avoid extra processing of MarkupDecl when EOF (Hugh Davenport),
Fix parsing short unclosed comment uninitialized access (Daniel Veillard),
Add missing Null check in xmlParseExternalEntityPrivate (Gaurav Gupta),
Fix a bug in CData error handling in the push parser (Daniel Veillard),
Fix a bug on name parsing at the end of current input buffer (Daniel Veillard),
Fix the spurious ID already defined error (Daniel Veillard),
Fix previous change to node sort order (Nick Wellnhofer),
Fix a self assignment issue raised by clang (Scott Graham),
Fail parsing early on if encoding conversion failed (Daniel Veillard),
Do not process encoding values if the declaration is broken (Daniel Veillard),
Silence clang's -Wunknown-attribute (Michael Catanzaro),
xmlMemUsed is not thread-safe (Martin von Gagern),
Fix support for except in nameclasses (Daniel Veillard),
Fix order of root nodes (Nick Wellnhofer),
Allow attributes on descendant-or-self axis (Nick Wellnhofer),
Fix the fix to Windows locking (Steve Nairn),
Fix timsort invariant loop re: Envisage article (Christopher Swenson),
Don't add IDs in xmlSetTreeDoc (Nick Wellnhofer),
Account for ID attributes in xmlSetTreeDoc (Nick Wellnhofer),
Remove various unused value assignments (Philip Withnall),
Fix missing entities after CVE-2014-3660 fix (Daniel Veillard),
Revert "Missing initialization for the catalog module" (Daniel Veillard)
Improvements:
Reuse xmlHaltParser() where it makes sense (Daniel Veillard),
xmlStopParser reset errNo (Daniel Veillard),
Reenable xz support by default (Daniel Veillard),
Recover unescaped less-than character in HTML recovery parsing (Daniel Veillard),
Allow HTML serializer to output HTML5 DOCTYPE (Shaun McCance),
Regression test for bug #695699 (Nick Wellnhofer),
Add a couple of XPath tests (Nick Wellnhofer),
Add Python 3 rpm subpackage (Tomas Radej),
libxml2-config.cmake.in: update include directories (Samuel Martin),
Adding example from bugs 738805 to regression tests (Daniel Veillard)
Problems found locating distfiles:
Package cabocha: missing distfile cabocha-0.68.tar.bz2
Package convertlit: missing distfile clit18src.zip
Package php-enchant: missing distfile php-enchant/enchant-1.1.0.tgz
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
This kind of build problem should probably be handled centrally in
"pkgsrc/mk/wrapper/transform-gcc". But I'm not sure how to check
for the platform in that file.
Features:
Support for Python3,
Add xmlXPathSetContextNode and xmlXPathNodeEval
Documentation:
Add documentation for xmllint --xpath
Fix the URL of the SAX documentation from James
Fix spelling of "length"
Portability:
Fix python bindings with versions older than 2.7
rebuild docs:Makefile.am
elfgcchack.h after rebuild in doc
elfgcchack for buf module
Fix an unneeded and wrong extra link parameter
Few cleanup patches for Windows
Fix rpmbuild --nocheck
Fix for win32/configure.js and WITH_THREAD_ALLOC
Fix Broken multi-arch support in xml2-config
Fix a portability issue for GCC < 3.4.0
Windows build fixes
Fix a thread portability problem
Downgrade autoconf requirement to 2.63
Bug Fixes:
Fix a linking error for python bindings
Fix a couple of return without value
Improve the hashing functions
Improve handling of xmlStopParser()
Remove risk of lockup in dictionary initialization
Activate detection of encoding in external subset
Fix an output buffer flushing conversion bug
Fix an old bug in xmlSchemaValidateOneElement
Fix configure cannot remove messages
fix schema validation in combination with xsi:nil
xmlCtxtReadFile doesn't work with literal IPv6 URLs
Fix a few problems with setEntityLoader
Detect excessive entities expansion upon replacement
Fix the flushing out of raw buffers on encoding conversions
Fix some buffer conversion issues
When calling xmlNodeDump make sure we grow the buffer quickly
Fix an error in the progressive DTD parsing code
xmllint should not load DTD by default when using the reader
Try IBM-037 when looking for EBCDIC handlers
Fix potential out of bound access
Fix large parse of file from memory
Fix a bug in the nsclean option of the parser
Fix a regression in 2.9.0 breaking validation while streaming
Remove potential calls to exit()
Improvements:
Regenerated API, and testapi, rebuild documentation
Fix tree iterators broken by 2to3 script
update all tests for Python3 and Python2
A few more fixes for python 3 affecting libxml2.py
Fix compilation on Python3
Converting apibuild.py to python3
First pass at starting porting to python3
updated configure.in for python3
Add support for xpathRegisterVariable in Python
Added a regression tests from bug 694228 data
Cache presence of '<' in entities content
Avoid extra processing on entities
Python binding for xmlRegisterInputCallback
Python bindings: DOM casts everything to xmlNode
Define LIBXML_THREAD_ALLOC_ENABLED via xmlversion.h
Adding streaming validation to runtest checks
Add a --pushsmall option to xmllint
Cleanups:
Switched comment in file to UTF-8 encoding
Extend gitignore
Silent the new python test on input
Cleanup of a duplicate test
Cleanup on duplicate test expressions
Fix compiler warning after 153cf15905cf4ec080612ada6703757d10caba1e
Spec cleanups and a fix for multiarch support
Silence a clang warning
Cleanup the Copyright to be pure MIT Licence wording
rand_seed should be static in dict.c
Fix typos in parser comments
2.8.0: May 23 2012
Features: - add lzma compression support (Anders F Bjorklund)
Documentation: xmlcatalog: Add uri and delegateURI to possible
add types in man page. (Ville Skyttä), Update README.tests
(Daniel Veillard), URI handling code is not OOM resilient
(Daniel Veillard), Fix an error in comment (Daniel Veillard),
Fixed bug #617016 (Daniel Mustieles), Fixed two typos in the
README document (Daniel Neel), add generated html files (Anders
F Bjorklund), Clarify the need to use xmlFreeNode after
xmlUnlinkNode (Daniel Veillard), Improve documentation a bit
(Daniel Veillard), Updated URL for lxml python bindings (Daniel
Veillard)
Portability: Restore code for Windows compilation (Daniel
Veillard), Remove git error message during configure (Christian
Dywan), xmllint: Build fix for endTimer if !defined(HAVE_GETTIMEOFDAY)
(Patrick R. Gansterer), remove a bashism in configure.in (John
Hein), undef ERROR if already defined (Patrick R. Gansterer),
Fix library problems with mingw-w64 (Michael Cronenworth), fix
windows build. ifdef addition from bug 666491 makes no sense
(Rob Richards), prefer native threads on win32 (Sam Thursfield),
Allow to compile with Visual Studio 2010 (Thomas Lemm), Fix
mingw's snprintf configure check (Andoni Morales), fixed a
64bit big endian issue (Marcus Meissner), Fix portability
failure if netdb.h lacks NO_ADDRESS (Daniel Veillard), Fix
windows build from lzma addition (Rob Richards), autogen: Only
check for libtoolize (Colin Walters), Fix the Windows build
files (Patrick von Reth), 634846 Remove a linking option breaking
Windows VC10 (Daniel Veillard), 599241 fix an initialization
problem on Win64 (Andrew W. Nosenko), fix win build (Rob
Richards)
Bug fixes: Part for rand_r checking missing (Daniel Veillard),
Cleanup on randomization (Daniel Veillard), Fix undefined
reference in python module (Pacho Ramos), Fix a race in
xmlNewInputStream (Daniel Veillard), Fix weird streaming RelaxNG
errors (Noam), Fix various bugs in new code raised by the API
checking (Daniel Veillard), Fix various problems with "make
dist" (Daniel Veillard), Fix a memory leak in the xzlib code
(Daniel Veillard), HTML parser error with <noscript> in the
<head> (Denis Pauk), XSD: optional element in complex type
extension (Remi Gacogne), Fix html serialization error and
htmlSetMetaEncoding() (Daniel Veillard), Fix a wrong return
value in previous patch (Daniel Veillard), Fix an uninitialized
variable use (Daniel Veillard), Fix a compilation problem with
--minimum (Brandon Slack), Remove redundant and unguarded include
of resolv.h (Daniel Veillard), xinclude with parse="text" does
not use the entity loader (Shaun McCance), Allow to parse 1
byte HTML files (Denis Pauk), Patch that fixes the skipping of
the HTML_PARSE_NOIMPLIED flag (Martin Schröder), Avoid memory
leak if xmlParserInputBufferCreateIO fails (Lin Yi-Li), Prevent
an infinite loop when dumping a node with encoding problems
(Timothy Elliott), xmlParseNodeInContext problems with an empty
document (Tim Elliott), HTML element position is not detected
properly (Pavel Andrejs), Fix an off by one pointer access
(Jüri Aedla), Try to fix a problem with entities in SAX mode
(Daniel Veillard), Fix a crash with xmllint --path on empty
results (Daniel Veillard), Fixed bug #667946 (Daniel Mustieles),
Fix a logic error in Schemas Component Constraints (Ryan Sleevi),
Fix a wrong enum type use in Schemas Types (Nico Weber), Fix
SAX2 builder in case of undefined attributes namespace (Daniel
Veillard), Fix SAX2 builder in case of undefined element
namespaces (Daniel Veillard), fix reference to STDOUT_FILENO
on MSVC (Tay Ray Chuan), fix a pair of possible out of array
char references (Daniel Veillard), Fix an allocation error when
copying entities (Daniel Veillard), Make sure the parser returns
when getting a Stop order (Chris Evans), Fix some potential
problems on reallocation failures (parser.c) (Xia Xinfeng), Fix
a schema type duration comparison overflow (Daniel Veillard),
Fix an unimplemented part in RNG value validation (Daniel
Veillard), Fix missing error status in XPath evaluation (Daniel
Veillard), Hardening of XPath evaluation (Daniel Veillard),
Fix an off by one error in encoding (Daniel Veillard), Fix
RELAX NG include bug #655288 (Shaun McCance), Fix XSD validation
bug #630130 (Toyoda Eizi), Fix some potential problems on
reallocation failures (Chris Evans), __xmlRaiseError: fix use
of the structured callback channel (Dmitry V. Levin),
__xmlRaiseError: fix the structured callback channel's data
initialization (Dmitry V. Levin), Fix memory corruption when
xmlParseBalancedChunkMemoryInternal is called from
xmlParseBalancedChunk (Rob Richards), Small fix for previous
commit (Daniel Veillard), Fix a potential freeing error in
XPath (Daniel Veillard), Fix a potential memory access error
(Daniel Veillard), Reactivate the shared library versioning
script (Daniel Veillard)
Improvements: use mingw C99 compatible functions {v}snprintf
instead of those from MSVC runtime (Roumen Petrov), New symbols
added for the next release (Daniel Veillard), xmlTextReader
bails too quickly on error (Andy Lutomirski), Use a hybrid
allocation scheme in xmlNodeSetContent (Conrad Irwin), Use
buffers when constructing string node lists. (Conrad Irwin),
Add HTML parser support for HTML5 meta charset encoding
declaration (Denis Pauk), wrong message for double hyp"whereis"
command to xmllint shell (Ryan), Improve xmllint shell (Ryan),
add function xmlTextReaderRelaxNGValidateCtxt() (Noam Postavsky),
Add --system support to autogen.sh (Daniel Veillard), Add hash
randomization to hash and dict structures (Daniel Veillard),
included xzlib in dist (Anders F Bjorklund), move xz/lzma
helpers to separate included files (Anders F Bjorklund), add
generated devhelp files (Anders F Bjorklund), add XML_WITH_LZMA
to api (Anders F Bjorklund), autogen.sh: Honor NOCONFIGURE
environment variable (Colin Walters), Improve the error report
on undefined REFs (Daniel Veillard), Add exception for new W3C
PI xml-model (Daniel Veillard), Add options to ignore the
internal encoding (Daniel Veillard), testapi: use the right
type for the check (Stefan Kost), various: handle return values
of write calls (Stefan Kost), testWriter:
xmlTextWriterWriteFormatElement wants an int instead of a long
int (Stefan Kost), runxmlconf: update to latest testsuite
version (Stefan Kost), configure: add -Wno-long-long to CFLAGS
(Stefan Kost), configure: support silent automake rules if
possible (Stefan Kost), xmlmemory: add a cast as size_t has no
portable printf modifier (Stefan Kost), __xmlRaiseError: remove
redundant schannel initialization (Dmitry V. Levin), __xmlRaiseError:
do cheap code check early (Dmitry V. Levin)
Cleanups: Cleanups before 2.8.0-rc2 (Daniel Veillard), Avoid
an extra operation (Daniel Veillard), Remove vestigial
de-ANSI-fication support. (Javier Jardón), autogen.sh: Fix
typo (Javier Jardón), Do not use unsigned but unsigned int
(Daniel Veillard), Remove two references to u_short (Daniel
Veillard), Fix -Wempty-body warning from clang (Nico Weber),
Cleanups of lzma support (Daniel Veillard), Augment the list
of ignored files (Daniel Veillard), python: remove unused
variable (Stefan Kost), python: flag two unused args (Stefan
Kost), configure: acconfig.h is deprecated since autoconf-2.50
(Stefan Kost), xpath: remove unused variable (Stefan Kost)
* Disable linkage with pthread for FreeBSD/DragonFly/NetBSD, they have
pthread_*() stubs in libc (it results in the same as the previous behavior).
* but NetBSD<4.99.36 does not have pthread_equal() stub in libc,
so define weak reference to it.
* Treat OpenBSD and MirBSD same as Linux to avoid linkage with libpthread.
* Others will be linked with pthread, fixes PR 46254.
tested NetBSD-5.1.2, and confirmed fixed on NetBSD-4.0.1 and OpenBSD-5.0.
Bump PKGREVISION.
Without that, (untrusted) input can fill hash buckets unevenly, causing
high CPU load. (CVE-2012-0841)
To get a patch which is simple enough to get pulled up to the stable
pkgsrc branch, I've not touched "configure" but just assumed that
the POSIX functions rand(), srand() and time() are present.
bump PKGREV
link against libpthread. (It doesn't create threads, just uses
locking.) This seems to be wanted by some applications, eg vlc
issues a warning on startup (with no visible consequences afaict,
but anyway).
I hope this works for other OSes too. If not, we should probably
add support for these cases to mk/pthread.bl3.mk.
bump PKGREV
-fix more potential problems on reallocation failures (CVE-2011-1944)
-Fix memory corruption
also replace an error handling which doesn't recover from
integer overflow
bump PKGREV
changes:
-add code to plug in ICU converters by default
-Add xmlSaveOption XML_SAVE_WSNONSIG
-documentation fixes
-portability fixes
-bugfixes, in particular for an XPath problem which can be exploited
to crash the program by a malformed XPath expression (CVE-2010-4008)
-misc improvements, cleanup
changes:
-bugfixes
-portability and documentation improvements
-cleanup
pkgsrc note: added some tweaks to EBCDIC support, both to fix non-
portable assumptions in the code and to work around NetBSD deficiencies;
now it needs only a little fix to CP273 (newline conversion) to make
the selftest succeed on NetBSD