NEWS:
v2.9.13: Feb 19 2022:
- Security:
[CVE-2022-23308] Use-after-free of ID and IDREF attributes
(Thanks to Shinji Sato for the report)
Use-after-free in xmlXIncludeCopyRange (David Kilzer)
Fix Null-deref-in-xmlSchemaGetComponentTargetNs (huangduirong)
Fix memory leak in xmlXPathCompNodeTest
Fix null pointer deref in xmlStringGetNodeList
Fix several memory leaks found by Coverity (David King)
- Fixed regressions:
Fix regression in RelaxNG pattern matching
Properly handle nested documents in xmlFreeNode
Fix regression with PEs in external DTD
Fix random dropping of characters on dumping ASCII encoded XML (Mohammad Razavi)
Revert "Make schema validation fail with multiple top-level elements"
Fix regression when parsing invalid HTML tags in push mode
Fix regression parsing public IDs literals in HTML
Fix buffering in xmlOutputBufferWrite
Fix whitespace when serializing empty HTML documents
Fix XPath recursion limit
Fix regression in xmlNodeDumpOutputInternal
Work around lxml API abuse
- Bug fixes:
Fix xmlSetTreeDoc with entity references
Fix double counting of CRLF in comments
Make sure to grow input buffer in xmlParseMisc
Don't ignore xmllint options after "-"
Don't normalize namespace URIs in XPointer xmlns() scheme
Fix handling of XSD with empty namespace
Also register HTML document nodes
Make xmllint return an error if arguments are missing
Fix handling of ctxt->base in xmlXPtrEvalXPtrPart
Fix xmllint --maxmem
Fix htmlReadFd, which was using a mix of xml and html context functions (Finn Barber)
Move current position before possible calling of ctxt->sax->characters (Yulin Li)
Fix parse failure when 4-byte character in UTF-16 BE is split across a chunk (David Kilzer)
Patch to forbid epsilon-reduction of final states (Arne Becker)
Avoid segfault at exit when using custom memory functions (Mike Dalessio)
- Tests, code quality, fuzzing:
Remove .travis.yml
Make xmlFuzzReadString return a zero size in error case
Fix unused function warning in testapi.c
Update NewsML DTD in test suite
Add more checks for malloc failures in xmllint.c
Avoid potential integer overflow in xmlstring.c
Run CI tests with UBSan implicit-conversion checks
Fix casting of line numbers in SAX2.c
Fix integer conversion warnings in hash.c
Add explicit casts in runtest.c
Fix integer conversion warning in xmlIconvWrapper
Add suffix to unsigned constant in xmlmemory.c
Add explicit casts in testchar.c
Fix integer conversion warnings in xmlstring.c
Add explicit cast in xmlURIUnescapeString
Remove unused variable in xmlCharEncOutFunc (David King)
- Build system, portability:
Remove xmlwin32version.h
Fix fuzzer test with VPATH build
Support custom prefix when installing Python module
Remove Makefile.win
Remove CVS and SVN-related code
Port python 3.x module to Windows and improve distutils (Chun-wei Fan)
Correctly install the HTML examples into their subdirectory (Mattia Rizzolo)
Refactor the settings of $docdir (Mattia Rizzolo)
Remove unused configure checks (Ben Boeckel)
python/Makefile.am: use *_LIBADD, not *_LDFLAGS for LIBS (Sam James)
Fix check for libtool in autogen.sh
Use version in configure.ac for CMake (Timothy Lyanguzov)
Add CMake alias targets for embedded projects (Markus Rickert)
- Documentation:
Remove SVN keyword anchors
Rework README
Remove README.cvs-commits
Remove old ChangeLog
Update hyperlinks
Remove README.docs
Remove MAINTAINERS
Remove xmltutorial.pdf
Upload documentation to GitLab pages
Document how to escape XML_CATALOG_FILES
Fix libxml2.doap
Update URL for libxml++ C++ binding (Kjell Ahlstedt)
Generate devhelp2 index file (Emmanuele Bassi)
Mention XML_CATALOG_FILES is space-separated (Jan Tojnar)
Add documentaiton for xmllint exit code 10 (Rainer Canavan)
Fix some validation errors in the FAQ (David King)
Add instructions on how to use CMake to compile libxml (Markus Rickert)
All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Unfetchable distfiles (fetched conditionally?):
./textproc/convertlit/distinfo clit18src.zip
Restore part of a patch lost in the last libxml2 update which is still
relevant. Reapplying it fixes segfaults caused by itstool, e.g., when
building editors/pluma, which is PR pkg/56229 from Andrius V.
Quoting from wiz@'s original commit from Jan 9, 2019, which covers
everything else:
"In some cases, invalid UTF-8 strings were returned which caused
Python interpreter crashes. See
itstool/itstool#22
Use a variant of the patch that was used in Fedora.
Bump PKGREVISION."
Fedora is still carrying this patch as-is.
(Also, evidently distinfo was not regenerated properly after the last
update, so there's a diff applied to it unrelated to this change set.)
2.9.12:
"Brown paper bag release, some recently added sources were missing from
the 2.9.11 tarball."
2.9.11:
"Prompted by CVE-2021-3541, but this includes an awful lot of serious bug
fixes by Nick and others."
v2.9.9:
Security:
CVE-2018-9251 CVE-2018-14567 Fix infinite loop in LZMA decompression
CVE-2018-14404 Fix nullptr deref with XPath logic ops
Documentation:
reader: Fix documentation comment
Portability:
Fix MSVC build with lzma
Variables need 'extern' in static lib on Cygwin
Really declare dllexport/dllimport for Cygwin
Merge branch 'patch-2' into 'master'
Change dir to $THEDIR after ACLOCAL_PATH check autoreconf creates aclocal.m4 in $srcdir
Improve error message if pkg.m4 couldn't be found
NaN and Inf fixes for pre-C99 compilers
Bug Fixes:
Revert "Support xmlTextReaderNextSibling w/o preparsed doc"
Fix building relative URIs
Problem with data in interleave in RelaxNG validation
Fix memory leak in xmlSwitchInputEncodingInt error path
Set doc on element obtained from freeElems
Fix HTML serialization with UTF-8 encoding
Use actual doc in xmlTextReaderRead*Xml
Unlink node before freeing it in xmlSAX2StartElement
Check return value of nodePush in xmlSAX2StartElement
Free input buffer in xmlHaltParser
Reset HTML parser input pointers on encoding failure
Don't run icu_parse_test if EUC-JP is unsupported
Fix xmlSchemaValidCtxtPtr reuse memory leak
Fix xmlTextReaderNext with preparsed document
Remove stray character from comment
Remove a misleading line from xmlCharEncOutput
HTML noscript should not close p
Don't change context node in xmlXPathRoot
Stop using XPATH_OP_RESET
Revert "Change calls to xmlCharEncInput to set flush false"
Improvements:
Fix "Problem with data in interleave in RelaxNG validation"
cleanup: remove some unreachable code
add --relative to testURI
Remove redefined starts and defines inside include elements
Allow choice within choice in nameClass in RELAX NG
Look inside divs for starts and defines inside include
Add compile and libxml2-config.cmake to .gitignore
Stop using doc->charset outside parser code
Add newlines to 'xmllint --xpath' output
Don't include SAX.h from globals.h
Support xmlTextReaderNextSibling w/o preparsed doc
Don't instruct user to run make when autogen.sh failed
Run Travis ASan tests with "sudo: required"
Improve restoring of context size and position
Simplify and harden nodeset filtering
Avoid unnecessary backups of the context node
Fix inconsistency in xmlXPathIsInf
In some cases, invalid UTF-8 strings were returned which caused
python interpreter crashes. See
https://github.com/itstool/itstool/issues/22
Use a variant of the patch that was used in Fedora.
Bump PKGREVISION.
We use INFINITY which is available on C99 and later, so be explicit
that we compile C99 code.
Also tested as compiling fine on netbsd-current.
Fixes PR pkg/53098
$ python3.6
Python 3.6.3 (default, Oct 27 2017, 17:16:29)
[GCC 5.4.0] on netbsd8
Type "help", "copyright", "credits" or "license" for more information.
>>> import libxml2
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/pkg/lib/python3.6/site-packages/libxml2.py", line 1, in <module>
import libxml2mod
ImportError: /usr/pkg/lib/python3.6/site-packages/libxml2mod.so: Undefined PLT symbol "PyCObject_Check" (symnum = 488)
buffer space in two locations.
Fixes bug 781333 (CVE-2017-9047) and bug 781701 (CVE-2017-9048).
From: https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74
There were two bugs where parameter-entity references could lead to an
unexpected change of the input buffer in xmlParseNameComplex and
xmlDictLookup being called with an invalid pointer.
Percent sign in DTD Names
=========================
This fixes bug 766956 initially reported by Wei Lei and independently by
Chromium's ClusterFuzz, Hanno Böck, and Marco Grassi. Thanks to everyone
involved.
xmlParseNameComplex with XML_PARSE_OLD10
========================================
This fixes bugs 781205 (CVE-2017-9049) and 781361 (CVE-2017-9050).
Thanks to Marcel Böhme and Thuan Pham for the report.
Additional hardening
====================
A separate check was added in xmlParseNameComplex to validate the
buffer size.
From: https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3
MASTER_SITES= site1 \
site2
style continuation lines to be simple repeated
MASTER_SITES+= site1
MASTER_SITES+= site2
lines. As previewed on tech-pkg. With thanks to rillig for fixing pkglint
accordingly.
Pkgsrc changes:
* Add some casts to match types and format strings, plus
fix value range of toupper() operation.
* Merge patch-ag into the new patch-encoding.c.
* Add comments to existing patches which lacked comments.
Upstream changes to libxml2-2.9.4: May 23 2016
Security:
CVE-2016-3627 Avoid building recursive entities
CVE-2016-1833 Heap-based buffer overread in htmlCurrentChar
CVE-2016-1835 Heap use-after-free in xmlSAX2AttributeNs
CVE-2016-1837 Heap use-after-free in htmlParsePubidLiteral
and htmlParseSystemiteral
CVE-2016-1836 Bug 759398: Heap use-after-free in xmlDictComputeFastKey
CVE-2016-1839 Bug 758605: Heap-based buffer overread in xmlDictAddString
CVE-2016-1838 Bug 758588: Heap-based buffer overread in
xmlParserPrintFileContextInternal
CVE-2016-1840 Bug 757711: heap-buffer-overflow in xmlFAParsePosCharGroup
CVE-2016-4483 Avoid an out of bound access when serializing
malformed strings
CVE-2016-1834 Bug 763071: heap-buffer-overflow in xmlStrncat
CVE-2016-3705 Add missing increments of recursion depth counter to
XML parser.
CVE-2016-1762 Heap-based buffer overread in xmlNextChar
More format string warnings with possible format string vulnerability
Heap-based buffer-underreads due to xmlParseName
Fix some format string warnings with possible format string vulnerability
Unsigned addition may overflow in xmlMallocAtomicLoc()
Other bugfixes:
Detect change of encoding when parsing HTML names
Fix inappropriate fetch of entities content
Correct the usage of LDFLAGS
Revert the use of SAVE_LDFLAGS in configure.ac
libxml2 hardcodes -L/lib in zlib/lzma tests which breaks cross-compiles
Add more debugging info to runtest
Implement "runtest -u" mode
Integer signed/unsigned type mismatch in xmlParserInputGrow()
Integer overflow parsing port number in URI
Fix apibuild for a recently added constructv2.9.4-rc2
Use pkg-config to locate zlib when possible
Use pkg-config to locate ICU when possible
Fix an error with regexp on nullable counted char transition
Fix memory leak with XPath namespace nodes
Fix namespace axis traversal
Add a make rule to rebuild for ASAN
Fix null pointer deref in docs with no root element
Portability to non C99 compliant compilers
dict.h: Move xmlDictPtr definition before includes to allow direct
inclusion.
Fix XSD validation of URIs with ampersands
xmlschemastypes.c: accept endOfDayFrag Times set to "24:00:00" mean
"end of day" and should not cause an error. v2.9.4-rc1
os400: tell about xmllint and xmlcatalog in README400.
os400: properly process SGML add in XMLCATALOG command.
os400: implement CL command XMLCATALOG.
os400: compile and install program xmlcatalog (qshell-only).
xmlcatalog: flush stdout before interactive shell input.
os400: expand tabs in sources, strip trailing blanks.
os400: implement CL command XMLLINT.
os400: compile and install program xmllint (qshell-only).
os400: initscript make_module(): Use options instead of
positional parameters.
xmllint: flush stdout before interactive shell input.
os400: c14n.rpgle: allow *omit for nullable reference parameters.
os400: use like() for double type.
os400: use like() for int type.
os400: use like() for unsigned int type.
os400: use like() for enum types.
Add xz to xml2-config --libs output
Don't recurse into OP_VALUEs in xmlXPathOptimizeExpression
Fix namespace::node() XPath expression
Fix OOB write in xmlXPathEmptyNodeSet
Fix parsing of NCNames in XPath
Fix OOB read with invalid UTF-8 in xmlUTF8Strsize
Do normalize string-based datatype value in RelaxNG facet checking
Fix typo: s{ ec -> cr }cipt
Fix typos: dictio{ nn -> n }ar{y,ies}
Fix typos: PATH_{ SEAPARATOR -> SEPARATOR }
Correct a typo.
Bug 760921: REGRESSION (8eb55d78): doc/examples/io1 test fails after fix
for "xmlSaveUri() incorrectly recomposes URIs with rootless paths"
Bug 760861: REGRESSION (bf9c1dad): Missing results for
test/schemas/regexp-char-ref_[01].xsd
error.c: *input->cur == 0 does not mean no error
Add missing RNG test files
Bug 760190: configure.ac should be able to build --with-icu without
icu-config tool
Bug 760183: REGRESSION (v2.9.3): XML push parser fails with bogus
UTF-8 encoding error when multi-byte character in large CDATA
section is split across buffer
Bug 758572: ASAN crash in make check
Bug 721158: Missing ICU string when doing --version on xmllint
python 3: libxml2.c wrappers create Unicode str already
win32\VC10\config.h and VS 2015
Add autogen.sh to distrib
Add configure maintainer mode
v2.9.3: Nov 20 2015
Security:
CVE-2015-8242 Buffer overead with HTML parser in push mode (Hugh Davenport),
CVE-2015-7500 Fix memory access error due to incorrect entities boundaries (Daniel Veillard),
CVE-2015-7499-2 Detect incoherency on GROW (Daniel Veillard),
CVE-2015-7499-1 Add xmlHaltParser() to stop the parser (Daniel Veillard),
CVE-2015-5312 Another entity expansion issue (David Drysdale),
CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey (David Drysdale),
CVE-2015-7498 Avoid processing entities after encoding conversion failures (Daniel Veillard),
CVE-2015-8035 Fix XZ compression support loop (Daniel Veillard),
CVE-2015-7942-2 Fix an error in previous Conditional section patch (Daniel Veillard),
CVE-2015-7942 Another variation of overflow in Conditional sections (Daniel Veillard),
CVE-2015-1819 Enforce the reader to run in constant memory (Daniel Veillard)
CVE-2015-7941_2 Cleanup conditional section error handling (Daniel Veillard),
CVE-2015-7941_1 Stop parsing on entities boundaries errors (Daniel Veillard),
Documentation:
Correct spelling of "calling" (Alex Henrie),
Fix a small error in xmllint --format description (Fabien Degomme),
Avoid XSS on the search of xmlsoft.org (Daniel Veillard)
Portability:
threads: use forward declarations only for glibc (Michael Heimpold),
Update Win32 configure.js to search for configure.ac (Daniel Veillard)
Bug Fixes:
Bug on creating new stream from entity (Daniel Veillard),
Fix some loop issues embedding NEXT (Daniel Veillard),
Do not print error context when there is none (Daniel Veillard),
Avoid extra processing of MarkupDecl when EOF (Hugh Davenport),
Fix parsing short unclosed comment uninitialized access (Daniel Veillard),
Add missing Null check in xmlParseExternalEntityPrivate (Gaurav Gupta),
Fix a bug in CData error handling in the push parser (Daniel Veillard),
Fix a bug on name parsing at the end of current input buffer (Daniel Veillard),
Fix the spurious ID already defined error (Daniel Veillard),
Fix previous change to node sort order (Nick Wellnhofer),
Fix a self assignment issue raised by clang (Scott Graham),
Fail parsing early on if encoding conversion failed (Daniel Veillard),
Do not process encoding values if the declaration if broken (Daniel Veillard),
Silence clang's -Wunknown-attribute (Michael Catanzaro),
xmlMemUsed is not thread-safe (Martin von Gagern),
Fix support for except in nameclasses (Daniel Veillard),
Fix order of root nodes (Nick Wellnhofer),
Allow attributes on descendant-or-self axis (Nick Wellnhofer),
Fix the fix to Windows locking (Steve Nairn),
Fix timsort invariant loop re: Envisage article (Christopher Swenson),
Don't add IDs in xmlSetTreeDoc (Nick Wellnhofer),
Account for ID attributes in xmlSetTreeDoc (Nick Wellnhofer),
Remove various unused value assignments (Philip Withnall),
Fix missing entities after CVE-2014-3660 fix (Daniel Veillard),
Revert "Missing initialization for the catalog module" (Daniel Veillard)
Improvements:
Reuse xmlHaltParser() where it makes sense (Daniel Veillard),
xmlStopParser reset errNo (Daniel Veillard),
Reenable xz support by default (Daniel Veillard),
Recover unescaped less-than character in HTML recovery parsing (Daniel Veillard),
Allow HTML serializer to output HTML5 DOCTYPE (Shaun McCance),
Regression test for bug #695699 (Nick Wellnhofer),
Add a couple of XPath tests (Nick Wellnhofer),
Add Python 3 rpm subpackage (Tomas Radej),
libxml2-config.cmake.in: update include directories (Samuel Martin),
Adding example from bugs 738805 to regression tests (Daniel Veillard)
Problems found locating distfiles:
Package cabocha: missing distfile cabocha-0.68.tar.bz2
Package convertlit: missing distfile clit18src.zip
Package php-enchant: missing distfile php-enchant/enchant-1.1.0.tgz
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
