v2.9.14: May 02 2022:
- Security:
[CVE-2022-29824] Integer overflow in xmlBuf and xmlBuffer
Fix potential double-free in xmlXPtrStringRangeFunction
Fix memory leak in xmlFindCharEncodingHandler
Normalize XPath strings in-place
Prevent integer-overflow in htmlSkipBlankChars() and xmlSkipBlankChars()
(David Kilzer)
Fix leak of xmlElementContent (David Kilzer)
- Bug fixes:
Fix parsing of subtracted regex character classes
Fix recursion check in xinclude.c
Reset last error in xmlCleanupGlobals
Fix certain combinations of regex range quantifiers
Fix range quantifier on subregex
- Improvements:
Fix recovery from invalid HTML start tags
- Build system, portability:
Define LFS macros before including system headers
Initialize XPath floating-point globals
configure: check for icu DEFS (James Hilliard)
configure.ac: produce tar.xz only (GNOME policy) (David Seifert)
CMakeLists.txt: Fix LIBXML_VERSION_NUMBER
Fix build with older Python versions
Fix --without-valid build
NEWS:
v2.9.13: Feb 19 2022:
- Security:
[CVE-2022-23308] Use-after-free of ID and IDREF attributes
(Thanks to Shinji Sato for the report)
Use-after-free in xmlXIncludeCopyRange (David Kilzer)
Fix Null-deref-in-xmlSchemaGetComponentTargetNs (huangduirong)
Fix memory leak in xmlXPathCompNodeTest
Fix null pointer deref in xmlStringGetNodeList
Fix several memory leaks found by Coverity (David King)
- Fixed regressions:
Fix regression in RelaxNG pattern matching
Properly handle nested documents in xmlFreeNode
Fix regression with PEs in external DTD
Fix random dropping of characters on dumping ASCII encoded XML (Mohammad Razavi)
Revert "Make schema validation fail with multiple top-level elements"
Fix regression when parsing invalid HTML tags in push mode
Fix regression parsing public IDs literals in HTML
Fix buffering in xmlOutputBufferWrite
Fix whitespace when serializing empty HTML documents
Fix XPath recursion limit
Fix regression in xmlNodeDumpOutputInternal
Work around lxml API abuse
- Bug fixes:
Fix xmlSetTreeDoc with entity references
Fix double counting of CRLF in comments
Make sure to grow input buffer in xmlParseMisc
Don't ignore xmllint options after "-"
Don't normalize namespace URIs in XPointer xmlns() scheme
Fix handling of XSD with empty namespace
Also register HTML document nodes
Make xmllint return an error if arguments are missing
Fix handling of ctxt->base in xmlXPtrEvalXPtrPart
Fix xmllint --maxmem
Fix htmlReadFd, which was using a mix of xml and html context functions (Finn Barber)
Move current position before possible calling of ctxt->sax->characters (Yulin Li)
Fix parse failure when 4-byte character in UTF-16 BE is split across a chunk (David Kilzer)
Patch to forbid epsilon-reduction of final states (Arne Becker)
Avoid segfault at exit when using custom memory functions (Mike Dalessio)
- Tests, code quality, fuzzing:
Remove .travis.yml
Make xmlFuzzReadString return a zero size in error case
Fix unused function warning in testapi.c
Update NewsML DTD in test suite
Add more checks for malloc failures in xmllint.c
Avoid potential integer overflow in xmlstring.c
Run CI tests with UBSan implicit-conversion checks
Fix casting of line numbers in SAX2.c
Fix integer conversion warnings in hash.c
Add explicit casts in runtest.c
Fix integer conversion warning in xmlIconvWrapper
Add suffix to unsigned constant in xmlmemory.c
Add explicit casts in testchar.c
Fix integer conversion warnings in xmlstring.c
Add explicit cast in xmlURIUnescapeString
Remove unused variable in xmlCharEncOutFunc (David King)
- Build system, portability:
Remove xmlwin32version.h
Fix fuzzer test with VPATH build
Support custom prefix when installing Python module
Remove Makefile.win
Remove CVS and SVN-related code
Port python 3.x module to Windows and improve distutils (Chun-wei Fan)
Correctly install the HTML examples into their subdirectory (Mattia Rizzolo)
Refactor the settings of $docdir (Mattia Rizzolo)
Remove unused configure checks (Ben Boeckel)
python/Makefile.am: use *_LIBADD, not *_LDFLAGS for LIBS (Sam James)
Fix check for libtool in autogen.sh
Use version in configure.ac for CMake (Timothy Lyanguzov)
Add CMake alias targets for embedded projects (Markus Rickert)
- Documentation:
Remove SVN keyword anchors
Rework README
Remove README.cvs-commits
Remove old ChangeLog
Update hyperlinks
Remove README.docs
Remove MAINTAINERS
Remove xmltutorial.pdf
Upload documentation to GitLab pages
Document how to escape XML_CATALOG_FILES
Fix libxml2.doap
Update URL for libxml++ C++ binding (Kjell Ahlstedt)
Generate devhelp2 index file (Emmanuele Bassi)
Mention XML_CATALOG_FILES is space-separated (Jan Tojnar)
Add documentation for xmllint exit code 10 (Rainer Canavan)
Fix some validation errors in the FAQ (David King)
Add instructions on how to use CMake to compile libxml (Markus Rickert)
Restore part of a patch lost in the last libxml2 update which is still
relevant. Reapplying it fixes segfaults caused by itstool, e.g., when
building editors/pluma, which is PR pkg/56229 from Andrius V.
Quoting from wiz@'s original commit from Jan 9, 2019, which covers
everything else:
"In some cases, invalid UTF-8 strings were returned which caused
Python interpreter crashes. See
itstool/itstool#22
Use a variant of the patch that was used in Fedora.
Bump PKGREVISION."
Fedora is still carrying this patch as-is.
(Also, evidently distinfo was not regenerated properly after the last
update, so there's a diff applied to it unrelated to this change set.)
2.9.12:
"Brown paper bag release, some recently added sources were missing from
the 2.9.11 tarball."
2.9.11:
"Prompted by CVE-2021-3541, but this includes an awful lot of serious bug
fixes by Nick and others."
v2.9.9:
Security:
CVE-2018-9251 CVE-2018-14567 Fix infinite loop in LZMA decompression
CVE-2018-14404 Fix nullptr deref with XPath logic ops
Documentation:
reader: Fix documentation comment
Portability:
Fix MSVC build with lzma
Variables need 'extern' in static lib on Cygwin
Really declare dllexport/dllimport for Cygwin
Merge branch 'patch-2' into 'master'
Change dir to $THEDIR after ACLOCAL_PATH check autoreconf creates aclocal.m4 in $srcdir
Improve error message if pkg.m4 couldn't be found
NaN and Inf fixes for pre-C99 compilers
Bug Fixes:
Revert "Support xmlTextReaderNextSibling w/o preparsed doc"
Fix building relative URIs
Problem with data in interleave in RelaxNG validation
Fix memory leak in xmlSwitchInputEncodingInt error path
Set doc on element obtained from freeElems
Fix HTML serialization with UTF-8 encoding
Use actual doc in xmlTextReaderRead*Xml
Unlink node before freeing it in xmlSAX2StartElement
Check return value of nodePush in xmlSAX2StartElement
Free input buffer in xmlHaltParser
Reset HTML parser input pointers on encoding failure
Don't run icu_parse_test if EUC-JP is unsupported
Fix xmlSchemaValidCtxtPtr reuse memory leak
Fix xmlTextReaderNext with preparsed document
Remove stray character from comment
Remove a misleading line from xmlCharEncOutput
HTML noscript should not close p
Don't change context node in xmlXPathRoot
Stop using XPATH_OP_RESET
Revert "Change calls to xmlCharEncInput to set flush false"
Improvements:
Fix "Problem with data in interleave in RelaxNG validation"
cleanup: remove some unreachable code
add --relative to testURI
Remove redefined starts and defines inside include elements
Allow choice within choice in nameClass in RELAX NG
Look inside divs for starts and defines inside include
Add compile and libxml2-config.cmake to .gitignore
Stop using doc->charset outside parser code
Add newlines to 'xmllint --xpath' output
Don't include SAX.h from globals.h
Support xmlTextReaderNextSibling w/o preparsed doc
Don't instruct user to run make when autogen.sh failed
Run Travis ASan tests with "sudo: required"
Improve restoring of context size and position
Simplify and harden nodeset filtering
Avoid unnecessary backups of the context node
Fix inconsistency in xmlXPathIsInf
In some cases, invalid UTF-8 strings were returned which caused
python interpreter crashes. See
https://github.com/itstool/itstool/issues/22
Use a variant of the patch that was used in Fedora.
Bump PKGREVISION.
$ python3.6
Python 3.6.3 (default, Oct 27 2017, 17:16:29)
[GCC 5.4.0] on netbsd8
Type "help", "copyright", "credits" or "license" for more information.
>>> import libxml2
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/pkg/lib/python3.6/site-packages/libxml2.py", line 1, in <module>
    import libxml2mod
ImportError: /usr/pkg/lib/python3.6/site-packages/libxml2mod.so: Undefined PLT symbol "PyCObject_Check" (symnum = 488)
Problems found locating distfiles:
Package cabocha: missing distfile cabocha-0.68.tar.bz2
Package convertlit: missing distfile clit18src.zip
Package php-enchant: missing distfile php-enchant/enchant-1.1.0.tgz
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
either because they themselves are not ready or because a
dependency isn't. This is annotated by
PYTHON_VERSIONS_INCOMPATIBLE= 33 # not yet ported as of x.y.z
or
PYTHON_VERSIONS_INCOMPATIBLE= 33 # py-foo, py-bar
respectively, please use the same style for other packages,
and check during updates.
Use versioned_dependencies.mk where applicable.
Use REPLACE_PYTHON instead of handcoded alternatives, where applicable.
Reorder Makefile sections into standard order, where applicable.
Remove PYTHON_VERSIONS_INCLUDE_3X lines since that will be default
with the next commit.
Whitespace cleanups and other nits corrected, where necessary.
2.8.0: May 23 2012
Features: - add lzma compression support (Anders F Bjorklund)
Documentation: xmlcatalog: Add uri and delegateURI to possible add types in man page. (Ville Skyttä), Update README.tests (Daniel Veillard), URI handling code is not OOM resilient (Daniel Veillard), Fix an error in comment (Daniel Veillard), Fixed bug #617016 (Daniel Mustieles), Fixed two typos in the README document (Daniel Neel), add generated html files (Anders F Bjorklund), Clarify the need to use xmlFreeNode after xmlUnlinkNode (Daniel Veillard), Improve documentation a bit (Daniel Veillard), Updated URL for lxml python bindings (Daniel Veillard)
Portability: Restore code for Windows compilation (Daniel Veillard), Remove git error message during configure (Christian Dywan), xmllint: Build fix for endTimer if !defined(HAVE_GETTIMEOFDAY) (Patrick R. Gansterer), remove a bashism in configure.in (John Hein), undef ERROR if already defined (Patrick R. Gansterer), Fix library problems with mingw-w64 (Michael Cronenworth), fix windows build. ifdef addition from bug 666491 makes no sense (Rob Richards), prefer native threads on win32 (Sam Thursfield), Allow to compile with Visual Studio 2010 (Thomas Lemm), Fix mingw's snprintf configure check (Andoni Morales), fixed a 64bit big endian issue (Marcus Meissner), Fix portability failure if netdb.h lacks NO_ADDRESS (Daniel Veillard), Fix windows build from lzma addition (Rob Richards), autogen: Only check for libtoolize (Colin Walters), Fix the Windows build files (Patrick von Reth), 634846 Remove a linking option breaking Windows VC10 (Daniel Veillard), 599241 fix an initialization problem on Win64 (Andrew W. Nosenko), fix win build (Rob Richards)
Bug fixes: Part for rand_r checking missing (Daniel Veillard), Cleanup on randomization (Daniel Veillard), Fix undefined reference in python module (Pacho Ramos), Fix a race in xmlNewInputStream (Daniel Veillard), Fix weird streaming RelaxNG errors (Noam), Fix various bugs in new code raised by the API checking (Daniel Veillard), Fix various problems with "make dist" (Daniel Veillard), Fix a memory leak in the xzlib code (Daniel Veillard), HTML parser error with <noscript> in the <head> (Denis Pauk), XSD: optional element in complex type extension (Remi Gacogne), Fix html serialization error and htmlSetMetaEncoding() (Daniel Veillard), Fix a wrong return value in previous patch (Daniel Veillard), Fix an uninitialized variable use (Daniel Veillard), Fix a compilation problem with --minimum (Brandon Slack), Remove redundant and unguarded include of resolv.h (Daniel Veillard), xinclude with parse="text" does not use the entity loader (Shaun McCance), Allow to parse 1 byte HTML files (Denis Pauk), Patch that fixes the skipping of the HTML_PARSE_NOIMPLIED flag (Martin Schröder), Avoid memory leak if xmlParserInputBufferCreateIO fails (Lin Yi-Li), Prevent an infinite loop when dumping a node with encoding problems (Timothy Elliott), xmlParseNodeInContext problems with an empty document (Tim Elliott), HTML element position is not detected properly (Pavel Andrejs), Fix an off by one pointer access (Jüri Aedla), Try to fix a problem with entities in SAX mode (Daniel Veillard), Fix a crash with xmllint --path on empty results (Daniel Veillard), Fixed bug #667946 (Daniel Mustieles), Fix a logic error in Schemas Component Constraints (Ryan Sleevi), Fix a wrong enum type use in Schemas Types (Nico Weber), Fix SAX2 builder in case of undefined attributes namespace (Daniel Veillard), Fix SAX2 builder in case of undefined element namespaces (Daniel Veillard), fix reference to STDOUT_FILENO on MSVC (Tay Ray Chuan), fix a pair of possible out of array char references (Daniel Veillard), Fix an allocation error when copying entities (Daniel Veillard), Make sure the parser returns when getting a Stop order (Chris Evans), Fix some potential problems on reallocation failures (parser.c) (Xia Xinfeng), Fix a schema type duration comparison overflow (Daniel Veillard), Fix an unimplemented part in RNG value validation (Daniel Veillard), Fix missing error status in XPath evaluation (Daniel Veillard), Hardening of XPath evaluation (Daniel Veillard), Fix an off by one error in encoding (Daniel Veillard), Fix RELAX NG include bug #655288 (Shaun McCance), Fix XSD validation bug #630130 (Toyoda Eizi), Fix some potential problems on reallocation failures (Chris Evans), __xmlRaiseError: fix use of the structured callback channel (Dmitry V. Levin), __xmlRaiseError: fix the structured callback channel's data initialization (Dmitry V. Levin), Fix memory corruption when xmlParseBalancedChunkMemoryInternal is called from xmlParseBalancedChunk (Rob Richards), Small fix for previous commit (Daniel Veillard), Fix a potential freeing error in XPath (Daniel Veillard), Fix a potential memory access error (Daniel Veillard), Reactivate the shared library versioning script (Daniel Veillard)
Improvements: use mingw C99 compatible functions {v}snprintf instead those from MSVC runtime (Roumen Petrov), New symbols added for the next release (Daniel Veillard), xmlTextReader bails too quickly on error (Andy Lutomirski), Use a hybrid allocation scheme in xmlNodeSetContent (Conrad Irwin), Use buffers when constructing string node lists. (Conrad Irwin), Add HTML parser support for HTML5 meta charset encoding declaration (Denis Pauk), wrong message for double hyphen in comment XML error (Bryan Henderson), Fix "make tst" to grab lzma lib too (Daniel Veillard), Add "whereis" command to xmllint shell (Ryan), Improve xmllint shell (Ryan), add function xmlTextReaderRelaxNGValidateCtxt() (Noam Postavsky), Add --system support to autogen.sh (Daniel Veillard), Add hash randomization to hash and dict structures (Daniel Veillard), included xzlib in dist (Anders F Bjorklund), move xz/lzma helpers to separate included files (Anders F Bjorklund), add generated devhelp files (Anders F Bjorklund), add XML_WITH_LZMA to api (Anders F Bjorklund), autogen.sh: Honor NOCONFIGURE environment variable (Colin Walters), Improve the error report on undefined REFs (Daniel Veillard), Add exception for new W3C PI xml-model (Daniel Veillard), Add options to ignore the internal encoding (Daniel Veillard), testapi: use the right type for the check (Stefan Kost), various: handle return values of write calls (Stefan Kost), testWriter: xmltefan Kost), xmlmemory: add a cast as size_t has no portable printf modifier (Stefan Kost), __xmlRaiseError: remove redundant schannel initialization (Dmitry V. Levin), __xmlRaiseError: do cheap code check early (Dmitry V. Levin)
Cleanups: Cleanups be Weber), Cleanups of lzma support (Daniel Veillard), Augment the list of ignored files (Daniel Veillard), python: remove unused variable (Stefan Kost), python: flag two unused args (Stefan Kost), configure: acconfig.h is deprecated since autoconf-2.50 (Stefan Kost), xpath: remove unused variable (Stefan Kost)