diff options
author | Pellegrino Prevete | 2023-07-03 13:27:48 +0200 |
---|---|---|
committer | Pellegrino Prevete | 2023-07-03 13:27:48 +0200 |
commit | a62b3f996c9fd65c53f4360defc96ee4834004b8 (patch) | |
tree | 6ffa3a715f2111c8bc48598546924c1db2b3eae8 | |
parent | b8d2044ffde8b7b1007e8605c7440bc5e6f0c3f3 (diff) | |
download | aur-a62b3f996c9fd65c53f4360defc96ee4834004b8.tar.gz |
publish
-rw-r--r-- | PKGBUILD | 2 | ||||
-rw-r--r-- | fix-relaxed-approach-to-nested-documents.patch | 33 | ||||
-rw-r--r-- | libxml2-2.9.10-CVE-2019-20388.patch | 33 | ||||
-rw-r--r-- | libxml2-2.9.10-CVE-2020-24977.patch | 36 | ||||
-rw-r--r-- | libxml2-2.9.10-CVE-2020-7595.patch | 32 | ||||
-rw-r--r-- | libxml2-2.9.10-fix-integer-overflow.patch | 41 | ||||
-rw-r--r-- | libxml2-2.9.10-icu68.patch | 28 | ||||
-rw-r--r-- | libxml2-2.9.10-parenthesize-type-checks.patch | 92 | ||||
-rw-r--r-- | libxml2-2.9.8-python3-unicode-errors.patch | 34 |
9 files changed, 331 insertions, 0 deletions
@@ -87,6 +87,7 @@ build() { --libdir="/usr/lib/${pkgbase}" --includedir="/usr/include/${pkgbase}" --with-history + --without-docbook --with-icu --without-python --with-threads @@ -115,6 +116,7 @@ package_libxml2-2.9() { mkdir -p ../doc/usr/share mv "${pkgdir}/usr/share/"{doc,gtk-doc} -t ../doc/usr/share + mv "${pkgdir}/usr/share/aclocal/libxml.m4" "${pkgdir}/usr/share/aclocal/libxml-${pkgver}.m4" install -Dm644 Copyright -t "${pkgdir}/usr/share/licenses/${pkgname}" } diff --git a/fix-relaxed-approach-to-nested-documents.patch b/fix-relaxed-approach-to-nested-documents.patch new file mode 100644 index 000000000000..0a636362c2b6 --- /dev/null +++ b/fix-relaxed-approach-to-nested-documents.patch @@ -0,0 +1,33 @@ +From 0815302dee2b78139832c2080348086a0564836b Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Fri, 6 Dec 2019 12:27:29 +0100 +Subject: [PATCH] Fix freeing of nested documents + +Apparently, some libxslt RVTs can contain nested document nodes, see +issue #132. I'm not sure how this happens exactly but it can cause a +segfault in xmlFreeNodeList after the changes in commit 0762c9b6. + +Make sure not to touch the (nonexistent) `content` member of xmlDocs. +--- + tree.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tree.c b/tree.c +index 070670f1..0d7fc98c 100644 +--- a/tree.c ++++ b/tree.c +@@ -3708,6 +3708,11 @@ xmlFreeNodeList(xmlNodePtr cur) { + (cur->type != XML_XINCLUDE_START) && + (cur->type != XML_XINCLUDE_END) && + (cur->type != XML_ENTITY_REF_NODE) && ++ (cur->type != XML_DOCUMENT_NODE) && ++#ifdef LIBXML_DOCB_ENABLED ++ (cur->type != XML_DOCB_DOCUMENT_NODE) && ++#endif ++ (cur->type != XML_HTML_DOCUMENT_NODE) && + (cur->content != (xmlChar *) &(cur->properties))) { + DICT_FREE(cur->content) + } +-- +2.22.0 + diff --git a/libxml2-2.9.10-CVE-2019-20388.patch b/libxml2-2.9.10-CVE-2019-20388.patch new file mode 100644 index 000000000000..3763354b8308 --- /dev/null +++ b/libxml2-2.9.10-CVE-2019-20388.patch @@ -0,0 +1,33 @@ +From 6088a74bcf7d0c42e24cff4594d804e1d3c9fbca Mon Sep 17 00:00:00 2001 +From: Zhipeng Xie <xiezhipeng1@huawei.com> +Date: Tue, 20 Aug 2019 16:33:06 +0800 +Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream + +When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun +alloc a new schema for ctxt->schema and set vctxt->xsiAssemble +to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize +vctxt->xsiAssemble to 0 again which cause the alloced schema +can not be freed anymore. + +Found with libFuzzer. + +Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com> +--- + xmlschemas.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/xmlschemas.c b/xmlschemas.c +index 301c8449..39d92182 100644 +--- a/xmlschemas.c ++++ b/xmlschemas.c +@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) { + vctxt->nberrors = 0; + vctxt->depth = -1; + vctxt->skipDepth = -1; +- vctxt->xsiAssemble = 0; + vctxt->hasKeyrefs = 0; + #ifdef ENABLE_IDC_NODE_TABLES_TEST + vctxt->createIDCNodeTables = 1; +-- +2.24.1 + diff --git a/libxml2-2.9.10-CVE-2020-24977.patch b/libxml2-2.9.10-CVE-2020-24977.patch new file mode 100644 index 000000000000..67ef0acae2fd --- /dev/null +++ b/libxml2-2.9.10-CVE-2020-24977.patch @@ -0,0 +1,36 @@ +From 50f06b3efb638efb0abd95dc62dca05ae67882c2 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Fri, 7 Aug 2020 21:54:27 +0200 +Subject: [PATCH] Fix out-of-bounds read with 'xmllint --htmlout' + +Make sure that truncated UTF-8 sequences don't cause an out-of-bounds +array access. + +Thanks to @SuhwanSong and the Agency for Defense Development (ADD) for +the report. + +Fixes #178. +--- + xmllint.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/xmllint.c b/xmllint.c +index f6a8e463..c647486f 100644 +--- a/xmllint.c ++++ b/xmllint.c +@@ -528,6 +528,12 @@ static void + xmlHTMLEncodeSend(void) { + char *result; + ++ /* ++ * xmlEncodeEntitiesReentrant assumes valid UTF-8, but the buffer might ++ * end with a truncated UTF-8 sequence. This is a hack to at least avoid ++ * an out-of-bounds read. ++ */ ++ memset(&buffer[sizeof(buffer)-4], 0, 4); + result = (char *) xmlEncodeEntitiesReentrant(NULL, BAD_CAST buffer); + if (result) { + xmlGenericError(xmlGenericErrorContext, "%s", result); +-- +2.28.0.rc2 + diff --git a/libxml2-2.9.10-CVE-2020-7595.patch b/libxml2-2.9.10-CVE-2020-7595.patch new file mode 100644 index 000000000000..3dd677497600 --- /dev/null +++ b/libxml2-2.9.10-CVE-2020-7595.patch @@ -0,0 +1,32 @@ +From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001 +From: Zhipeng Xie <xiezhipeng1@huawei.com> +Date: Thu, 12 Dec 2019 17:30:55 +0800 +Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities + +When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef +return NULL which cause a infinite loop in xmlStringLenDecodeEntities + +Found with libFuzzer. + +Signed-off-by: Zhipeng Xie <xiezhipeng1@huawei.com> +--- + parser.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index d1c31963..a34bb6cd 100644 +--- a/parser.c ++++ b/parser.c +@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + else + c = 0; + while ((c != 0) && (c != end) && /* non input consuming loop */ +- (c != end2) && (c != end3)) { ++ (c != end2) && (c != end3) && ++ (ctxt->instate != XML_PARSER_EOF)) { + + if (c == 0) break; + if ((c == '&') && (str[1] == '#')) { +-- +2.24.1 + diff --git a/libxml2-2.9.10-fix-integer-overflow.patch b/libxml2-2.9.10-fix-integer-overflow.patch new file mode 100644 index 000000000000..b5a7bec1f580 --- /dev/null +++ b/libxml2-2.9.10-fix-integer-overflow.patch @@ -0,0 +1,41 @@ +From 8e7c20a1af8776677d7890f30b7a180567701a49 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Mon, 3 Aug 2020 17:30:41 +0200 +Subject: [PATCH] Fix integer overflow when comparing schema dates + +Found by OSS-Fuzz. +--- + xmlschemastypes.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/xmlschemastypes.c b/xmlschemastypes.c +index 4249d700..d6b9f924 100644 +--- a/xmlschemastypes.c ++++ b/xmlschemastypes.c +@@ -3691,6 +3691,8 @@ xmlSchemaCompareDurations(xmlSchemaValPtr x, xmlSchemaValPtr y) + minday = 0; + maxday = 0; + } else { ++ if (myear > LONG_MAX / 366) ++ return -2; + /* FIXME: This doesn't take leap year exceptions every 100/400 years + into account. */ + maxday = 365 * myear + (myear + 3) / 4; +@@ -4079,6 +4081,14 @@ xmlSchemaCompareDates (xmlSchemaValPtr x, xmlSchemaValPtr y) + if ((x == NULL) || (y == NULL)) + return -2; + ++ if ((x->value.date.year > LONG_MAX / 366) || ++ (x->value.date.year < LONG_MIN / 366) || ++ (y->value.date.year > LONG_MAX / 366) || ++ (y->value.date.year < LONG_MIN / 366)) { ++ /* Possible overflow when converting to days. */ ++ return -2; ++ } ++ + if (x->value.date.tz_flag) { + + if (!y->value.date.tz_flag) { +-- +2.28.0.rc2 + diff --git a/libxml2-2.9.10-icu68.patch b/libxml2-2.9.10-icu68.patch new file mode 100644 index 000000000000..fc11cceba8ee --- /dev/null +++ b/libxml2-2.9.10-icu68.patch @@ -0,0 +1,28 @@ +From b516ed189eb440e909f36baca1557b98e4d9ffd7 Mon Sep 17 00:00:00 2001 +From: Frederik Seiffert <frederik@algoriddim.com> +Date: Thu, 12 Nov 2020 12:53:43 +0100 +Subject: [PATCH] Fix building with ICU 68. + +ICU 68 no longer defines the TRUE macro. + +Closes #204. +--- + encoding.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/encoding.c b/encoding.c +index c34aca44..264f60bb 100644 +--- a/encoding.c ++++ b/encoding.c +@@ -2004,7 +2004,7 @@ xmlEncOutputChunk(xmlCharEncodingHandler *handler, unsigned char *out, + #ifdef LIBXML_ICU_ENABLED + else if (handler->uconv_out != NULL) { + ret = xmlUconvWrapper(handler->uconv_out, 0, out, outlen, in, inlen, +- TRUE); ++ 1); + } + #endif /* LIBXML_ICU_ENABLED */ + else { +-- +GitLab + diff --git a/libxml2-2.9.10-parenthesize-type-checks.patch b/libxml2-2.9.10-parenthesize-type-checks.patch new file mode 100644 index 000000000000..14f5332f923c --- /dev/null +++ b/libxml2-2.9.10-parenthesize-type-checks.patch @@ -0,0 +1,92 @@ +From edc7b6abb0c125eeb888748c334897f60aab0854 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz> +Date: Fri, 28 Feb 2020 12:48:14 +0100 +Subject: [PATCH] Parenthesize Py<type>_Check() in ifs + +In C, if expressions should be parenthesized. +PyLong_Check, PyUnicode_Check etc. happened to expand to a parenthesized +expression before, but that's not API to rely on. + +Since Python 3.9.0a4 it needs to be parenthesized explicitly. + +Fixes https://gitlab.gnome.org/GNOME/libxml2/issues/149 +--- + python/libxml.c | 4 ++-- + python/types.c | 12 ++++++------ + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/python/libxml.c b/python/libxml.c +index bc676c4e..81e709f3 100644 +--- a/python/libxml.c ++++ b/python/libxml.c +@@ -294,7 +294,7 @@ xmlPythonFileReadRaw (void * context, char * buffer, int len) { + lenread = PyBytes_Size(ret); + data = PyBytes_AsString(ret); + #ifdef PyUnicode_Check +- } else if PyUnicode_Check (ret) { ++ } else if (PyUnicode_Check (ret)) { + #if PY_VERSION_HEX >= 0x03030000 + Py_ssize_t size; + const char *tmp; +@@ -359,7 +359,7 @@ xmlPythonFileRead (void * context, char * buffer, int len) { + lenread = PyBytes_Size(ret); + data = PyBytes_AsString(ret); + #ifdef PyUnicode_Check +- } else if PyUnicode_Check (ret) { ++ } else if (PyUnicode_Check (ret)) { + #if PY_VERSION_HEX >= 0x03030000 + Py_ssize_t size; + const char *tmp; +diff --git a/python/types.c b/python/types.c +index c2bafeb1..ed284ec7 100644 +--- a/python/types.c ++++ b/python/types.c +@@ -602,16 +602,16 @@ libxml_xmlXPathObjectPtrConvert(PyObject *obj) + if (obj == NULL) { + return (NULL); + } +- if PyFloat_Check (obj) { ++ if (PyFloat_Check (obj)) { + ret = xmlXPathNewFloat((double) PyFloat_AS_DOUBLE(obj)); +- } else if PyLong_Check(obj) { ++ } else if (PyLong_Check(obj)) { + #ifdef PyLong_AS_LONG + ret = xmlXPathNewFloat((double) PyLong_AS_LONG(obj)); + #else + ret = xmlXPathNewFloat((double) PyInt_AS_LONG(obj)); + #endif + #ifdef PyBool_Check +- } else if PyBool_Check (obj) { ++ } else if (PyBool_Check (obj)) { + + if (obj == Py_True) { + ret = xmlXPathNewBoolean(1); +@@ -620,14 +620,14 @@ libxml_xmlXPathObjectPtrConvert(PyObject *obj) + ret = xmlXPathNewBoolean(0); + } + #endif +- } else if PyBytes_Check (obj) { ++ } else if (PyBytes_Check (obj)) { + xmlChar *str; + + str = xmlStrndup((const xmlChar *) PyBytes_AS_STRING(obj), + PyBytes_GET_SIZE(obj)); + ret = xmlXPathWrapString(str); + #ifdef PyUnicode_Check +- } else if PyUnicode_Check (obj) { ++ } else if (PyUnicode_Check (obj)) { + #if PY_VERSION_HEX >= 0x03030000 + xmlChar *str; + const char *tmp; +@@ -650,7 +650,7 @@ libxml_xmlXPathObjectPtrConvert(PyObject *obj) + ret = xmlXPathWrapString(str); + #endif + #endif +- } else if PyList_Check (obj) { ++ } else if (PyList_Check (obj)) { + int i; + PyObject *node; + xmlNodePtr cur; +-- +2.24.1 + diff --git a/libxml2-2.9.8-python3-unicode-errors.patch b/libxml2-2.9.8-python3-unicode-errors.patch new file mode 100644 index 000000000000..e87dcdedf88c --- /dev/null +++ b/libxml2-2.9.8-python3-unicode-errors.patch @@ -0,0 +1,34 @@ +Index: libxml2-2.9.5/python/libxml.c +=================================================================== +--- libxml2-2.9.5.orig/python/libxml.c ++++ libxml2-2.9.5/python/libxml.c +@@ -1620,6 +1620,7 @@ libxml_xmlErrorFuncHandler(ATTRIBUTE_UNU + PyObject *message; + PyObject *result; + char str[1000]; ++ unsigned char *ptr = (unsigned char *)str; + + #ifdef DEBUG_ERROR + printf("libxml_xmlErrorFuncHandler(%p, %s, ...) called\n", ctx, msg); +@@ -1636,12 +1637,20 @@ libxml_xmlErrorFuncHandler(ATTRIBUTE_UNU + str[999] = 0; + va_end(ap); + ++#if PY_MAJOR_VERSION >= 3 ++ /* Ensure the error string doesn't start at UTF8 continuation. */ ++ while (*ptr && (*ptr & 0xc0) == 0x80) ++ ptr++; ++#endif ++ + list = PyTuple_New(2); + PyTuple_SetItem(list, 0, libxml_xmlPythonErrorFuncCtxt); + Py_XINCREF(libxml_xmlPythonErrorFuncCtxt); +- message = libxml_charPtrConstWrap(str); ++ message = libxml_charPtrConstWrap(ptr); + PyTuple_SetItem(list, 1, message); + result = PyEval_CallObject(libxml_xmlPythonErrorFuncHandler, list); ++ /* Forget any errors caused in the error handler. */ ++ PyErr_Clear(); + Py_XDECREF(list); + Py_XDECREF(result); + } |