diff options
author | Mark H Weaver <mhw@netris.org> | 2015-11-15 14:16:57 -0500 |
---|---|---|
committer | Mark H Weaver <mhw@netris.org> | 2015-11-18 17:47:40 -0500 |
commit | ee6bb0cc763507b165674dbe03c6ae5d26c8da5c (patch) | |
tree | 34c4d1d29b5428f83113af81bc4464b432669c85 | |
parent | 328a14e869c01ae4e33120a08a5d60c719263684 (diff) | |
download | patches-ee6bb0cc763507b165674dbe03c6ae5d26c8da5c.tar patches-ee6bb0cc763507b165674dbe03c6ae5d26c8da5c.tar.gz |
gnu: libxml2: Add fixes for CVE-2015-{1819,7941,7942,8035} and other bugs.
* gnu/packages/patches/libxml2-CVE-2015-1819.patch,
gnu/packages/patches/libxml2-CVE-2015-7941-pt1.patch,
gnu/packages/patches/libxml2-CVE-2015-7941-pt2.patch,
gnu/packages/patches/libxml2-CVE-2015-7942-pt1.patch,
gnu/packages/patches/libxml2-CVE-2015-7942-pt2.patch,
gnu/packages/patches/libxml2-CVE-2015-8035.patch,
gnu/packages/patches/libxml2-bug-737840.patch,
gnu/packages/patches/libxml2-bug-738805.patch,
gnu/packages/patches/libxml2-bug-746048.patch,
gnu/packages/patches/libxml2-bug-747437.patch,
gnu/packages/patches/libxml2-bug-751603.patch,
gnu/packages/patches/libxml2-bug-751631.patch,
gnu/packages/patches/libxml2-bug-754946.patch,
gnu/packages/patches/libxml2-bug-754947.patch,
gnu/packages/patches/libxml2-bug-755857.patch,
gnu/packages/patches/libxml2-fix-catalog-corruption.patch,
gnu/packages/patches/libxml2-id-attrs-in-xmlSetTreeDoc.patch,
gnu/packages/patches/libxml2-node-sort-order-pt1.patch,
gnu/packages/patches/libxml2-node-sort-order-pt2.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/xml.scm (libxml2)[source]: Add patches.
21 files changed, 1105 insertions, 1 deletions
diff --git a/gnu-system.am b/gnu-system.am index 60f16bf8fc..b49ddf0525 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -571,6 +571,25 @@ dist_patch_DATA = \ gnu/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \ gnu/packages/patches/libwmf-CVE-2015-4695.patch \ gnu/packages/patches/libwmf-CVE-2015-4696.patch \ + gnu/packages/patches/libxml2-CVE-2015-1819.patch \ + gnu/packages/patches/libxml2-CVE-2015-7941-pt1.patch \ + gnu/packages/patches/libxml2-CVE-2015-7941-pt2.patch \ + gnu/packages/patches/libxml2-CVE-2015-7942-pt1.patch \ + gnu/packages/patches/libxml2-CVE-2015-7942-pt2.patch \ + gnu/packages/patches/libxml2-CVE-2015-8035.patch \ + gnu/packages/patches/libxml2-bug-737840.patch \ + gnu/packages/patches/libxml2-bug-738805.patch \ + gnu/packages/patches/libxml2-bug-746048.patch \ + gnu/packages/patches/libxml2-bug-747437.patch \ + gnu/packages/patches/libxml2-bug-751603.patch \ + gnu/packages/patches/libxml2-bug-751631.patch \ + gnu/packages/patches/libxml2-bug-754946.patch \ + gnu/packages/patches/libxml2-bug-754947.patch \ + gnu/packages/patches/libxml2-bug-755857.patch \ + gnu/packages/patches/libxml2-fix-catalog-corruption.patch \ + gnu/packages/patches/libxml2-id-attrs-in-xmlSetTreeDoc.patch \ + gnu/packages/patches/libxml2-node-sort-order-pt1.patch \ + gnu/packages/patches/libxml2-node-sort-order-pt2.patch \ gnu/packages/patches/lirc-localstatedir.patch \ gnu/packages/patches/libpthread-glibc-preparation.patch \ gnu/packages/patches/lm-sensors-hwmon-attrs.patch \ diff --git a/gnu/packages/patches/libxml2-CVE-2015-1819.patch b/gnu/packages/patches/libxml2-CVE-2015-1819.patch new file mode 100644 index 0000000000..58461c73b2 --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2015-1819.patch @@ -0,0 +1,176 @@ +From 213f1fe0d76d30eaed6e5853057defc43e6df2c9 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Tue, 14 Apr 2015 17:41:48 +0800 +Subject: [PATCH] CVE-2015-1819 Enforce the reader to run in constant memory + +One of the operation on the reader could resolve entities +leading to the classic expansion issue. Make sure the +buffer used for xmlreader operation is bounded. +Introduce a new allocation type for the buffers for this effect. +--- + buf.c | 43 ++++++++++++++++++++++++++++++++++++++++++- + include/libxml/tree.h | 3 ++- + xmlreader.c | 20 +++++++++++++++++++- + 3 files changed, 63 insertions(+), 3 deletions(-) + +diff --git a/buf.c b/buf.c +index 6efc7b6..07922ff 100644 +--- a/buf.c ++++ b/buf.c +@@ -27,6 +27,7 @@ + #include <libxml/tree.h> + #include <libxml/globals.h> + #include <libxml/tree.h> ++#include <libxml/parserInternals.h> /* for XML_MAX_TEXT_LENGTH */ + #include "buf.h" + + #define WITH_BUFFER_COMPAT +@@ -299,7 +300,8 @@ xmlBufSetAllocationScheme(xmlBufPtr buf, + if ((scheme == XML_BUFFER_ALLOC_DOUBLEIT) || + (scheme == XML_BUFFER_ALLOC_EXACT) || + (scheme == XML_BUFFER_ALLOC_HYBRID) || +- (scheme == XML_BUFFER_ALLOC_IMMUTABLE)) { ++ (scheme == XML_BUFFER_ALLOC_IMMUTABLE) || ++ (scheme == XML_BUFFER_ALLOC_BOUNDED)) { + buf->alloc = scheme; + if (buf->buffer) + buf->buffer->alloc = scheme; +@@ -458,6 +460,18 @@ xmlBufGrowInternal(xmlBufPtr buf, size_t len) { + size = buf->use + len + 100; + #endif + ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if ((buf->use + len >= XML_MAX_TEXT_LENGTH) || ++ (buf->size >= XML_MAX_TEXT_LENGTH)) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(0); ++ } ++ if (size >= XML_MAX_TEXT_LENGTH) ++ size = XML_MAX_TEXT_LENGTH; ++ } + if ((buf->alloc == XML_BUFFER_ALLOC_IO) && (buf->contentIO != NULL)) { + size_t start_buf = buf->content - buf->contentIO; + +@@ -739,6 +753,15 @@ xmlBufResize(xmlBufPtr buf, size_t size) + CHECK_COMPAT(buf) + + if (buf->alloc == XML_BUFFER_ALLOC_IMMUTABLE) return(0); ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (size >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(0); ++ } ++ } + + /* Don't resize if we don't have to */ + if (size < buf->size) +@@ -867,6 +890,15 @@ xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) { + + needSize = buf->use + len + 2; + if (needSize > buf->size){ ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (needSize >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(-1); ++ } ++ } + if (!xmlBufResize(buf, needSize)){ + xmlBufMemoryError(buf, "growing buffer"); + return XML_ERR_NO_MEMORY; +@@ -938,6 +970,15 @@ xmlBufAddHead(xmlBufPtr buf, const xmlChar *str, int len) { + } + needSize = buf->use + len + 2; + if (needSize > buf->size){ ++ if (buf->alloc == XML_BUFFER_ALLOC_BOUNDED) { ++ /* ++ * Used to provide parsing limits ++ */ ++ if (needSize >= XML_MAX_TEXT_LENGTH) { ++ xmlBufMemoryError(buf, "buffer error: text too long\n"); ++ return(-1); ++ } ++ } + if (!xmlBufResize(buf, needSize)){ + xmlBufMemoryError(buf, "growing buffer"); + return XML_ERR_NO_MEMORY; +diff --git a/include/libxml/tree.h b/include/libxml/tree.h +index 2f90717..4a9b3bc 100644 +--- a/include/libxml/tree.h ++++ b/include/libxml/tree.h +@@ -76,7 +76,8 @@ typedef enum { + XML_BUFFER_ALLOC_EXACT, /* grow only to the minimal size */ + XML_BUFFER_ALLOC_IMMUTABLE, /* immutable buffer */ + XML_BUFFER_ALLOC_IO, /* special allocation scheme used for I/O */ +- XML_BUFFER_ALLOC_HYBRID /* exact up to a threshold, and doubleit thereafter */ ++ XML_BUFFER_ALLOC_HYBRID, /* exact up to a threshold, and doubleit thereafter */ ++ XML_BUFFER_ALLOC_BOUNDED /* limit the upper size of the buffer */ + } xmlBufferAllocationScheme; + + /** +diff --git a/xmlreader.c b/xmlreader.c +index f19e123..471e7e2 100644 +--- a/xmlreader.c ++++ b/xmlreader.c +@@ -2091,6 +2091,9 @@ xmlNewTextReader(xmlParserInputBufferPtr input, const char *URI) { + "xmlNewTextReader : malloc failed\n"); + return(NULL); + } ++ /* no operation on a reader should require a huge buffer */ ++ xmlBufSetAllocationScheme(ret->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + ret->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); + if (ret->sax == NULL) { + xmlBufFree(ret->buffer); +@@ -3616,6 +3619,7 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { + return(((xmlNsPtr) node)->href); + case XML_ATTRIBUTE_NODE:{ + xmlAttrPtr attr = (xmlAttrPtr) node; ++ const xmlChar *ret; + + if ((attr->children != NULL) && + (attr->children->type == XML_TEXT_NODE) && +@@ -3629,10 +3633,21 @@ xmlTextReaderConstValue(xmlTextReaderPtr reader) { + "xmlTextReaderSetup : malloc failed\n"); + return (NULL); + } ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + } else + xmlBufEmpty(reader->buffer); + xmlBufGetNodeContent(reader->buffer, node); +- return(xmlBufContent(reader->buffer)); ++ ret = xmlBufContent(reader->buffer); ++ if (ret == NULL) { ++ /* error on the buffer best to reallocate */ ++ xmlBufFree(reader->buffer); ++ reader->buffer = xmlBufCreateSize(100); ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); ++ ret = BAD_CAST ""; ++ } ++ return(ret); + } + break; + } +@@ -5131,6 +5146,9 @@ xmlTextReaderSetup(xmlTextReaderPtr reader, + "xmlTextReaderSetup : malloc failed\n"); + return (-1); + } ++ /* no operation on a reader should require a huge buffer */ ++ xmlBufSetAllocationScheme(reader->buffer, ++ XML_BUFFER_ALLOC_BOUNDED); + if (reader->sax == NULL) + reader->sax = (xmlSAXHandler *) xmlMalloc(sizeof(xmlSAXHandler)); + if (reader->sax == NULL) { +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-CVE-2015-7941-pt1.patch b/gnu/packages/patches/libxml2-CVE-2015-7941-pt1.patch new file mode 100644 index 0000000000..4ca49039b2 --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2015-7941-pt1.patch @@ -0,0 +1,32 @@ +From a7dfab7411cbf545f359dd3157e5df1eb0e7ce31 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Mon, 23 Feb 2015 11:17:35 +0800 +Subject: [PATCH] Stop parsing on entities boundaries errors + +For https://bugzilla.gnome.org/show_bug.cgi?id=744980 + +There are times, like on unterminated entities that it's preferable to +stop parsing, even if that means less error reporting. Entities are +feeding the parser on further processing, and if they are ill defined +then it's possible to get the parser to bug. Also do the same on +Conditional Sections if the input is broken, as the structure of +the document can't be guessed. +--- + parser.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/parser.c b/parser.c +index a8d1b67..bbe97eb 100644 +--- a/parser.c ++++ b/parser.c +@@ -5658,6 +5658,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) { + if (RAW != '>') { + xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED, + "xmlParseEntityDecl: entity %s not terminated\n", name); ++ xmlStopParser(ctxt); + } else { + if (input != ctxt->input) { + xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY, +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-CVE-2015-7941-pt2.patch b/gnu/packages/patches/libxml2-CVE-2015-7941-pt2.patch new file mode 100644 index 0000000000..30563a46b6 --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2015-7941-pt2.patch @@ -0,0 +1,49 @@ +From 9b8512337d14c8ddf662fcb98b0135f225a1c489 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Mon, 23 Feb 2015 11:29:20 +0800 +Subject: [PATCH] Cleanup conditional section error handling + +For https://bugzilla.gnome.org/show_bug.cgi?id=744980 + +The error handling of Conditional Section also need to be +straightened as the structure of the document can't be +guessed on a failure there and it's better to stop parsing +as further errors are likely to be irrelevant. +--- + parser.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/parser.c b/parser.c +index bbe97eb..fe603ac 100644 +--- a/parser.c ++++ b/parser.c +@@ -6770,6 +6770,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + SKIP_BLANKS; + if (RAW != '[') { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); ++ xmlStopParser(ctxt); ++ return; + } else { + if (ctxt->input->id != id) { + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6830,6 +6832,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + SKIP_BLANKS; + if (RAW != '[') { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL); ++ xmlStopParser(ctxt); ++ return; + } else { + if (ctxt->input->id != id) { + xmlValidityError(ctxt, XML_ERR_ENTITY_BOUNDARY, +@@ -6885,6 +6889,8 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + + } else { + xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL); ++ xmlStopParser(ctxt); ++ return; + } + + if (RAW == 0) +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-CVE-2015-7942-pt1.patch b/gnu/packages/patches/libxml2-CVE-2015-7942-pt1.patch new file mode 100644 index 0000000000..bd9077d7c4 --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2015-7942-pt1.patch @@ -0,0 +1,32 @@ +From bd0526e66a56e75a18da8c15c4750db8f801c52d Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Fri, 23 Oct 2015 19:02:28 +0800 +Subject: [PATCH] Another variation of overflow in Conditional sections + +Which happen after the previous fix to +https://bugzilla.gnome.org/show_bug.cgi?id=756456 + +But stopping the parser and exiting we didn't pop the intermediary entities +and doing the SKIP there applies on an input which may be too small +--- + parser.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index a65e4cc..b9217ff 100644 +--- a/parser.c ++++ b/parser.c +@@ -6915,7 +6915,9 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + "All markup of the conditional section is not in the same entity\n", + NULL, NULL); + } +- SKIP(3); ++ if ((ctxt-> instate != XML_PARSER_EOF) && ++ ((ctxt->input->cur + 3) < ctxt->input->end)) ++ SKIP(3); + } + } + +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-CVE-2015-7942-pt2.patch b/gnu/packages/patches/libxml2-CVE-2015-7942-pt2.patch new file mode 100644 index 0000000000..115d369ac3 --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2015-7942-pt2.patch @@ -0,0 +1,28 @@ +From 41ac9049a27f52e7a1f3b341f8714149fc88d450 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Tue, 27 Oct 2015 10:53:44 +0800 +Subject: [PATCH] Fix an error in previous Conditional section patch + +an off by one mistake in the change, led to error on correct +document where the end of the included entity was exactly +the end of the conditional section, leading to regtest failure +--- + parser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index b9217ff..d67b300 100644 +--- a/parser.c ++++ b/parser.c +@@ -6916,7 +6916,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) { + NULL, NULL); + } + if ((ctxt-> instate != XML_PARSER_EOF) && +- ((ctxt->input->cur + 3) < ctxt->input->end)) ++ ((ctxt->input->cur + 3) <= ctxt->input->end)) + SKIP(3); + } + } +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-CVE-2015-8035.patch b/gnu/packages/patches/libxml2-CVE-2015-8035.patch new file mode 100644 index 0000000000..d29c96228e --- /dev/null +++ b/gnu/packages/patches/libxml2-CVE-2015-8035.patch @@ -0,0 +1,31 @@ +From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Tue, 3 Nov 2015 15:31:25 +0800 +Subject: [PATCH] CVE-2015-8035 Fix XZ compression support loop + +For https://bugzilla.gnome.org/show_bug.cgi?id=757466 +DoS when parsing specially crafted XML document if XZ support +is compiled in (which wasn't the case for 2.9.2 and master since +Nov 2013, fixed in next commit !) +--- + xzlib.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/xzlib.c b/xzlib.c +index 0dcb9f4..1fab546 100644 +--- a/xzlib.c ++++ b/xzlib.c +@@ -581,6 +581,10 @@ xz_decomp(xz_statep state) + xz_error(state, LZMA_DATA_ERROR, "compressed data error"); + return -1; + } ++ if (ret == LZMA_PROG_ERROR) { ++ xz_error(state, LZMA_PROG_ERROR, "compression error"); ++ return -1; ++ } + } while (strm->avail_out && ret != LZMA_STREAM_END); + + /* update available output and crc check value */ +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-bug-737840.patch b/gnu/packages/patches/libxml2-bug-737840.patch new file mode 100644 index 0000000000..2a2d62c583 --- /dev/null +++ b/gnu/packages/patches/libxml2-bug-737840.patch @@ -0,0 +1,88 @@ +From ef709ce2f7b792d5fb69ed142796d743fb1eb388 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Thu, 10 Sep 2015 19:41:41 +0800 +Subject: [PATCH] Fix the spurious ID already defined error + +For https://bugzilla.gnome.org/show_bug.cgi?id=737840 +the fix for 724903 introduced a regression on external entities carrying +IDs, revert that patch in part and add a specific test to avoid readding it +--- + result/valid/737840.xml | 10 ++++++++++ + result/valid/737840.xml.err | 0 + result/valid/737840.xml.err.rdr | 0 + test/valid/737840.xml | 10 ++++++++++ + test/valid/dtds/737840.ent | 1 + + valid.c | 6 ++++-- + 6 files changed, 25 insertions(+), 2 deletions(-) + create mode 100644 result/valid/737840.xml + create mode 100644 result/valid/737840.xml.err + create mode 100644 result/valid/737840.xml.err.rdr + create mode 100644 test/valid/737840.xml + create mode 100644 test/valid/dtds/737840.ent + +diff --git a/result/valid/737840.xml b/result/valid/737840.xml +new file mode 100644 +index 0000000..433c6d6 +--- /dev/null ++++ b/result/valid/737840.xml +@@ -0,0 +1,10 @@ ++<?xml version="1.0"?> ++<!DOCTYPE root [ ++<!ELEMENT root (elem)> ++<!ELEMENT elem (#PCDATA)> ++<!ATTLIST elem id ID #IMPLIED> ++<!ENTITY target SYSTEM "dtds/737840.ent"> ++]> ++<root> ++ ⌖ ++</root> +diff --git a/result/valid/737840.xml.err b/result/valid/737840.xml.err +new file mode 100644 +index 0000000..e69de29 +diff --git a/result/valid/737840.xml.err.rdr b/result/valid/737840.xml.err.rdr +new file mode 100644 +index 0000000..e69de29 +diff --git a/test/valid/737840.xml b/test/valid/737840.xml +new file mode 100644 +index 0000000..2d27b73 +--- /dev/null ++++ b/test/valid/737840.xml +@@ -0,0 +1,10 @@ ++<!DOCTYPE root [ ++<!ELEMENT root (elem)> ++<!ELEMENT elem (#PCDATA)> ++<!ATTLIST elem id ID #IMPLIED> ++<!ENTITY target SYSTEM "dtds/737840.ent"> ++]> ++ ++<root> ++ ⌖ ++</root> +diff --git a/test/valid/dtds/737840.ent b/test/valid/dtds/737840.ent +new file mode 100644 +index 0000000..e972132 +--- /dev/null ++++ b/test/valid/dtds/737840.ent +@@ -0,0 +1 @@ ++<elem id="id0"/> +\ No newline at end of file +diff --git a/valid.c b/valid.c +index 409aa81..45a3f70 100644 +--- a/valid.c ++++ b/valid.c +@@ -2634,8 +2634,10 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value, + /* + * The id is already defined in this DTD. + */ +- xmlErrValidNode(ctxt, attr->parent, XML_DTD_ID_REDEFINED, +- "ID %s already defined\n", value, NULL, NULL); ++ if (ctxt != NULL) { ++ xmlErrValidNode(ctxt, attr->parent, XML_DTD_ID_REDEFINED, ++ "ID %s already defined\n", value, NULL, NULL); ++ } + #endif /* LIBXML_VALID_ENABLED */ + xmlFreeID(ret); + return(NULL); +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-bug-738805.patch b/gnu/packages/patches/libxml2-bug-738805.patch new file mode 100644 index 0000000000..16163bb941 --- /dev/null +++ b/gnu/packages/patches/libxml2-bug-738805.patch @@ -0,0 +1,31 @@ +From 72a46a519ce7326d9a00f0b6a7f2a8e958cd1675 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Thu, 23 Oct 2014 11:35:36 +0800 +Subject: [PATCH] Fix missing entities after CVE-2014-3660 fix + +For https://bugzilla.gnome.org/show_bug.cgi?id=738805 + +The fix for CVE-2014-3660 introduced a regression in some case +where entity substitution is required and the entity is used +first in anotther entity referenced from an attribute value +--- + parser.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index 67c9dfd..a8d1b67 100644 +--- a/parser.c ++++ b/parser.c +@@ -7235,7 +7235,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { + * far more secure as the parser will only process data coming from + * the document entity by default. + */ +- if ((ent->checked == 0) && ++ if (((ent->checked == 0) || ++ ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) && + ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) || + (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) { + unsigned long oldnbent = ctxt->nbentities; +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-bug-746048.patch b/gnu/packages/patches/libxml2-bug-746048.patch new file mode 100644 index 0000000000..450b8d3ab3 --- /dev/null +++ b/gnu/packages/patches/libxml2-bug-746048.patch @@ -0,0 +1,65 @@ +From e724879d964d774df9b7969fc846605aa1bac54c Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Fri, 30 Oct 2015 21:14:55 +0800 +Subject: [PATCH] Fix parsing short unclosed comment uninitialized access + +For https://bugzilla.gnome.org/show_bug.cgi?id=746048 +The HTML parser was too optimistic when processing comments and +didn't check for the end of the stream on the first 2 characters +--- + HTMLparser.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +diff --git a/HTMLparser.c b/HTMLparser.c +index 19c10c3..bdf7807 100644 +--- a/HTMLparser.c ++++ b/HTMLparser.c +@@ -3264,12 +3264,17 @@ htmlParseComment(htmlParserCtxtPtr ctxt) { + ctxt->instate = state; + return; + } ++ len = 0; ++ buf[len] = 0; + q = CUR_CHAR(ql); ++ if (!IS_CHAR(q)) ++ goto unfinished; + NEXTL(ql); + r = CUR_CHAR(rl); ++ if (!IS_CHAR(r)) ++ goto unfinished; + NEXTL(rl); + cur = CUR_CHAR(l); +- len = 0; + while (IS_CHAR(cur) && + ((cur != '>') || + (r != '-') || (q != '-'))) { +@@ -3300,18 +3305,20 @@ htmlParseComment(htmlParserCtxtPtr ctxt) { + } + } + buf[len] = 0; +- if (!IS_CHAR(cur)) { +- htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, +- "Comment not terminated \n<!--%.50s\n", buf, NULL); +- xmlFree(buf); +- } else { ++ if (IS_CHAR(cur)) { + NEXT; + if ((ctxt->sax != NULL) && (ctxt->sax->comment != NULL) && + (!ctxt->disableSAX)) + ctxt->sax->comment(ctxt->userData, buf); + xmlFree(buf); ++ ctxt->instate = state; ++ return; + } +- ctxt->instate = state; ++ ++unfinished: ++ htmlParseErr(ctxt, XML_ERR_COMMENT_NOT_FINISHED, ++ "Comment not terminated \n<!--%.50s\n", buf, NULL); ++ xmlFree(buf); + } + + /** +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-bug-747437.patch b/gnu/packages/patches/libxml2-bug-747437.patch new file mode 100644 index 0000000000..ea2ef0ff53 --- /dev/null +++ b/gnu/packages/patches/libxml2-bug-747437.patch @@ -0,0 +1,46 @@ +From 8985cde70901c62d3f0f04da225e73b7344a52d7 Mon Sep 17 00:00:00 2001 +From: Martin von Gagern <Martin.vGagern@gmx.net> +Date: Mon, 13 Apr 2015 16:32:14 +0800 +Subject: [PATCH] xmlMemUsed is not thread-safe + +For https://bugzilla.gnome.org/show_bug.cgi?id=747437 +just use the mutex to protect access to those variables +--- + xmlmemory.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/xmlmemory.c b/xmlmemory.c +index a3dc737..f24fd6d 100644 +--- a/xmlmemory.c ++++ b/xmlmemory.c +@@ -554,7 +554,12 @@ xmlMemoryStrdup(const char *str) { + + int + xmlMemUsed(void) { +- return(debugMemSize); ++ int res; ++ ++ xmlMutexLock(xmlMemMutex); ++ res = debugMemSize; ++ xmlMutexUnlock(xmlMemMutex); ++ return(res); + } + + /** +@@ -567,7 +572,12 @@ xmlMemUsed(void) { + + int + xmlMemBlocks(void) { +- return(debugMemBlocks); ++ int res; ++ ++ xmlMutexLock(xmlMemMutex); ++ res = debugMemBlocks; ++ xmlMutexUnlock(xmlMemMutex); ++ return(res); + } + + #ifdef MEM_LIST +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-bug-751603.patch b/gnu/packages/patches/libxml2-bug-751603.patch new file mode 100644 index 0000000000..f27767f6b5 --- /dev/null +++ b/gnu/packages/patches/libxml2-bug-751603.patch @@ -0,0 +1,38 @@ +From 9aa37588ee78a06ca1379a9d9356eab16686099c Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Mon, 29 Jun 2015 09:08:25 +0800 +Subject: [PATCH] Do not process encoding values if the declaration if broken + +For https://bugzilla.gnome.org/show_bug.cgi?id=751603 + +If the string is not properly terminated do not try to convert +to the given encoding. +--- + parser.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/parser.c b/parser.c +index fe603ac..a3a9568 100644 +--- a/parser.c ++++ b/parser.c +@@ -10404,6 +10404,8 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) { + encoding = xmlParseEncName(ctxt); + if (RAW != '"') { + xmlFatalErr(ctxt, XML_ERR_STRING_NOT_CLOSED, NULL); ++ xmlFree((xmlChar *) encoding); ++ return(NULL); + } else + NEXT; + } else if (RAW == '\''){ +@@ -10411,6 +10413,8 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) { + encoding = xmlParseEncName(ctxt); + if (RAW != '\'') { + xmlFatalErr(ctxt, XML_ERR_STRING_NOT_CLOSED, NULL); ++ xmlFree((xmlChar *) encoding); ++ return(NULL); + } else + NEXT; + } else { +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-bug-751631.patch b/gnu/packages/patches/libxml2-bug-751631.patch new file mode 100644 index 0000000000..33344e35d2 --- /dev/null +++ b/gnu/packages/patches/libxml2-bug-751631.patch @@ -0,0 +1,35 @@ +From 709a952110e98621c9b78c4f26462a9d8333102e Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Mon, 29 Jun 2015 16:10:26 +0800 +Subject: [PATCH] Fail parsing early on if encoding conversion failed + +For https://bugzilla.gnome.org/show_bug.cgi?id=751631 + +If we fail conversing the current input stream while +processing the encoding declaration of the XMLDecl +then it's safer to just abort there and not try to +report further errors. +--- + parser.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index a3a9568..0edd53b 100644 +--- a/parser.c ++++ b/parser.c +@@ -10471,7 +10471,11 @@ xmlParseEncodingDecl(xmlParserCtxtPtr ctxt) { + + handler = xmlFindCharEncodingHandler((const char *) encoding); + if (handler != NULL) { +- xmlSwitchToEncoding(ctxt, handler); ++ if (xmlSwitchToEncoding(ctxt, handler) < 0) { ++ /* failed to convert */ ++ ctxt->errNo = XML_ERR_UNSUPPORTED_ENCODING; ++ return(NULL); ++ } + } else { + xmlFatalErrMsgStr(ctxt, XML_ERR_UNSUPPORTED_ENCODING, + "Unsupported encoding %s\n", encoding); +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-bug-754946.patch b/gnu/packages/patches/libxml2-bug-754946.patch new file mode 100644 index 0000000000..3b9223efe5 --- /dev/null +++ b/gnu/packages/patches/libxml2-bug-754946.patch @@ -0,0 +1,132 @@ +From 51f02b0a03ea1fa6c65b3f9fd88cf60fb5803783 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Tue, 15 Sep 2015 16:50:32 +0800 +Subject: [PATCH] Fix a bug on name parsing at the end of current input buffer + +For https://bugzilla.gnome.org/show_bug.cgi?id=754946 + +When hitting the end of the current input buffer while parsing +a name we could end up loosing the beginning of the name, which +led to various issues. +--- + parser.c | 29 ++++++++++++++++++++--------- + result/errors/754946.xml | 0 + result/errors/754946.xml.err | 16 ++++++++++++++++ + result/errors/754946.xml.str | 4 ++++ + test/errors/754946.xml | 1 + + 5 files changed, 41 insertions(+), 9 deletions(-) + create mode 100644 result/errors/754946.xml + create mode 100644 result/errors/754946.xml.err + create mode 100644 result/errors/754946.xml.str + create mode 100644 test/errors/754946.xml + +diff --git a/parser.c b/parser.c +index 0edd53b..fd29a39 100644 +--- a/parser.c ++++ b/parser.c +@@ -3491,7 +3491,14 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + c = CUR_CHAR(l); + if (c == 0) { + count = 0; ++ /* ++ * when shrinking to extend the buffer we really need to preserve ++ * the part of the name we already parsed. Hence rolling back ++ * by current lenght. ++ */ ++ ctxt->input->cur -= l; + GROW; ++ ctxt->input->cur += l; + if (ctxt->instate == XML_PARSER_EOF) + return(NULL); + end = ctxt->input->cur; +@@ -3523,7 +3530,7 @@ xmlParseNCNameComplex(xmlParserCtxtPtr ctxt) { + + static const xmlChar * + xmlParseNCName(xmlParserCtxtPtr ctxt) { +- const xmlChar *in; ++ const xmlChar *in, *e; + const xmlChar *ret; + int count = 0; + +@@ -3535,16 +3542,19 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { + * Accelerator for simple ASCII names + */ + in = ctxt->input->cur; +- if (((*in >= 0x61) && (*in <= 0x7A)) || +- ((*in >= 0x41) && (*in <= 0x5A)) || +- (*in == '_')) { ++ e = ctxt->input->end; ++ if ((((*in >= 0x61) && (*in <= 0x7A)) || ++ ((*in >= 0x41) && (*in <= 0x5A)) || ++ (*in == '_')) && (in < e)) { + in++; +- while (((*in >= 0x61) && (*in <= 0x7A)) || +- ((*in >= 0x41) && (*in <= 0x5A)) || +- ((*in >= 0x30) && (*in <= 0x39)) || +- (*in == '_') || (*in == '-') || +- (*in == '.')) ++ while ((((*in >= 0x61) && (*in <= 0x7A)) || ++ ((*in >= 0x41) && (*in <= 0x5A)) || ++ ((*in >= 0x30) && (*in <= 0x39)) || ++ (*in == '_') || (*in == '-') || ++ (*in == '.')) && (in < e)) + in++; ++ if (in >= e) ++ goto complex; + if ((*in > 0) && (*in < 0x80)) { + count = in - ctxt->input->cur; + if ((count > XML_MAX_NAME_LENGTH) && +@@ -3562,6 +3572,7 @@ xmlParseNCName(xmlParserCtxtPtr ctxt) { + return(ret); + } + } ++complex: + return(xmlParseNCNameComplex(ctxt)); + } + +diff --git a/result/errors/754946.xml b/result/errors/754946.xml +new file mode 100644 +index 0000000..e69de29 +diff --git a/result/errors/754946.xml.err b/result/errors/754946.xml.err +new file mode 100644 +index 0000000..423dff5 +--- /dev/null ++++ b/result/errors/754946.xml.err +@@ -0,0 +1,16 @@ ++Entity: line 1: parser error : internal error: xmlParseInternalSubset: error detected in Markup declaration ++ ++ %SYSTEM; ++ ^ ++Entity: line 1: ++A<lbbbbbbbbbbbbbbbbbbb_ ++^ ++Entity: line 1: parser error : DOCTYPE improperly terminated ++ %SYSTEM; ++ ^ ++Entity: line 1: ++A<lbbbbbbbbbbbbbbbbbbb_ ++^ ++./test/errors/754946.xml:1: parser error : Extra content at the end of the document ++<!DOCTYPEA[<!ENTITY % ++ ^ +diff --git a/result/errors/754946.xml.str b/result/errors/754946.xml.str +new file mode 100644 +index 0000000..3b748cc +--- /dev/null ++++ b/result/errors/754946.xml.str +@@ -0,0 +1,4 @@ ++./test/errors/754946.xml:1: parser error : Extra content at the end of the document ++<!DOCTYPEA[<!ENTITY % ++ ^ ++./test/errors/754946.xml : failed to parse +diff --git a/test/errors/754946.xml b/test/errors/754946.xml +new file mode 100644 +index 0000000..6b5f9b0 +--- /dev/null ++++ b/test/errors/754946.xml +@@ -0,0 +1 @@ ++<!DOCTYPEA[<!ENTITY %
SYSTEM "A<lbbbbbbbbbbbbbbbbbbb_"
>%SYSTEM;<![ +\ No newline at end of file +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-bug-754947.patch b/gnu/packages/patches/libxml2-bug-754947.patch new file mode 100644 index 0000000000..5edbc5fcc1 --- /dev/null +++ b/gnu/packages/patches/libxml2-bug-754947.patch @@ -0,0 +1,103 @@ +From 4a5d80aded1da94cd55294e7207109712201b75b Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Fri, 18 Sep 2015 15:06:46 +0800 +Subject: [PATCH] Fix a bug in CData error handling in the push parser + +For https://bugzilla.gnome.org/show_bug.cgi?id=754947 + +The checking function was returning incorrect args in some cases +Adds the test to teh reg suite and fix one of the existing test output +--- + parser.c | 6 +++--- + result/errors/754947.xml | 0 + result/errors/754947.xml.err | 7 +++++++ + result/errors/754947.xml.str | 5 +++++ + result/errors/cdata.xml.str | 4 ++-- + test/errors/754947.xml | 1 + + 6 files changed, 18 insertions(+), 5 deletions(-) + create mode 100644 result/errors/754947.xml + create mode 100644 result/errors/754947.xml.err + create mode 100644 result/errors/754947.xml.str + create mode 100644 test/errors/754947.xml + +diff --git a/parser.c b/parser.c +index fd29a39..f1724a9 100644 +--- a/parser.c ++++ b/parser.c +@@ -11192,7 +11192,7 @@ xmlCheckCdataPush(const xmlChar *utf, int len) { + else + return(-ix); + } else if ((c & 0xe0) == 0xc0) {/* 2-byte code, starts with 110 */ +- if (ix + 2 > len) return(ix); ++ if (ix + 2 > len) return(-ix); + if ((utf[ix+1] & 0xc0 ) != 0x80) + return(-ix); + codepoint = (utf[ix] & 0x1f) << 6; +@@ -11201,7 +11201,7 @@ xmlCheckCdataPush(const xmlChar *utf, int len) { + return(-ix); + ix += 2; + } else if ((c & 0xf0) == 0xe0) {/* 3-byte code, starts with 1110 */ +- if (ix + 3 > len) return(ix); ++ if (ix + 3 > len) return(-ix); + if (((utf[ix+1] & 0xc0) != 0x80) || + ((utf[ix+2] & 0xc0) != 0x80)) + return(-ix); +@@ -11212,7 +11212,7 @@ xmlCheckCdataPush(const xmlChar *utf, int len) { + return(-ix); + ix += 3; + } else if ((c & 0xf8) == 0xf0) {/* 4-byte code, starts with 11110 */ +- if (ix + 4 > len) return(ix); ++ if (ix + 4 > len) return(-ix); + if (((utf[ix+1] & 0xc0) != 0x80) || + ((utf[ix+2] & 0xc0) != 0x80) || + ((utf[ix+3] & 0xc0) != 0x80)) +diff --git a/result/errors/754947.xml b/result/errors/754947.xml +new file mode 100644 +index 0000000..e69de29 +diff --git a/result/errors/754947.xml.err b/result/errors/754947.xml.err +new file mode 100644 +index 0000000..f45cb5a +--- /dev/null ++++ b/result/errors/754947.xml.err +@@ -0,0 +1,7 @@ ++./test/errors/754947.xml:1: parser error : Input is not proper UTF-8, indicate encoding ! ++Bytes: 0xEE 0x5D 0x5D 0x3E ++<d><![CDATA[0000000000000î]]> ++ ^ ++./test/errors/754947.xml:1: parser error : Premature end of data in tag d line 1 ++<d><![CDATA[0000000000000î]]> ++ ^ +diff --git a/result/errors/754947.xml.str b/result/errors/754947.xml.str +new file mode 100644 +index 0000000..4d2f52e +--- /dev/null ++++ b/result/errors/754947.xml.str +@@ -0,0 +1,5 @@ ++./test/errors/754947.xml:1: parser error : Input is not proper UTF-8, indicate encoding ! ++Bytes: 0xEE 0x5D 0x5D 0x3E ++<d><![CDATA[0000000000000î]]> ++ ^ ++./test/errors/754947.xml : failed to parse +diff --git a/result/errors/cdata.xml.str b/result/errors/cdata.xml.str +index e043441..cf83d2b 100644 +--- a/result/errors/cdata.xml.str ++++ b/result/errors/cdata.xml.str +@@ -1,5 +1,5 @@ + ./test/errors/cdata.xml:2: parser error : Input is not proper UTF-8, indicate encoding ! +-Bytes: 0x5B 0x43 0xE1 0x72 ++Bytes: 0xE1 0x72 0x5D 0x5D + <A><![CDATA[Cár]]></A> +- ^ ++ ^ + ./test/errors/cdata.xml : failed to parse +diff --git a/test/errors/754947.xml b/test/errors/754947.xml +new file mode 100644 +index 0000000..bd9997e +--- /dev/null ++++ b/test/errors/754947.xml +@@ -0,0 +1 @@ ++<d><![CDATA[0000000000000î]]> +\ No newline at end of file +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-bug-755857.patch b/gnu/packages/patches/libxml2-bug-755857.patch new file mode 100644 index 0000000000..3f1efd3806 --- /dev/null +++ b/gnu/packages/patches/libxml2-bug-755857.patch @@ -0,0 +1,43 @@ +From cf77e60515045bdd66f2c59c69a06e603b470eae Mon Sep 17 00:00:00 2001 +From: Gaurav Gupta <g.gupta@samsung.com> +Date: Wed, 30 Sep 2015 14:46:29 +0200 +Subject: [PATCH] Add missing Null check in xmlParseExternalEntityPrivate + +For https://bugzilla.gnome.org/show_bug.cgi?id=755857 + +a case where we check for NULL but not everywhere +--- + parser.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/parser.c b/parser.c +index f1724a9..a65e4cc 100644 +--- a/parser.c ++++ b/parser.c +@@ -13367,7 +13367,7 @@ xmlParseExternalEntityPrivate(xmlDocPtr doc, xmlParserCtxtPtr oldctxt, + /* + * Also record the size of the entity parsed + */ +- if (ctxt->input != NULL) { ++ if (ctxt->input != NULL && oldctxt != NULL) { + oldctxt->sizeentities += ctxt->input->consumed; + oldctxt->sizeentities += (ctxt->input->cur - ctxt->input->base); + } +@@ -13379,9 +13379,11 @@ xmlParseExternalEntityPrivate(xmlDocPtr doc, xmlParserCtxtPtr oldctxt, + + if (sax != NULL) + ctxt->sax = oldsax; +- oldctxt->node_seq.maximum = ctxt->node_seq.maximum; +- oldctxt->node_seq.length = ctxt->node_seq.length; +- oldctxt->node_seq.buffer = ctxt->node_seq.buffer; ++ if (oldctxt != NULL) { ++ oldctxt->node_seq.maximum = ctxt->node_seq.maximum; ++ oldctxt->node_seq.length = ctxt->node_seq.length; ++ oldctxt->node_seq.buffer = ctxt->node_seq.buffer; ++ } + ctxt->node_seq.maximum = 0; + ctxt->node_seq.length = 0; + ctxt->node_seq.buffer = NULL; +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-fix-catalog-corruption.patch b/gnu/packages/patches/libxml2-fix-catalog-corruption.patch new file mode 100644 index 0000000000..b75ee300d3 --- /dev/null +++ b/gnu/packages/patches/libxml2-fix-catalog-corruption.patch @@ -0,0 +1,29 @@ +From f65128f38289d77ff322d63aef2858cc0a819c34 Mon Sep 17 00:00:00 2001 +From: Daniel Veillard <veillard@redhat.com> +Date: Fri, 17 Oct 2014 17:13:41 +0800 +Subject: [PATCH] Revert "Missing initialization for the catalog module" + +This reverts commit 054c716ea1bf001544127a4ab4f4346d1b9947e7. +As this break xmlcatalog command +https://bugzilla.redhat.com/show_bug.cgi?id=1153753 +--- + parser.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/parser.c b/parser.c +index 1d93967..67c9dfd 100644 +--- a/parser.c ++++ b/parser.c +@@ -14830,9 +14830,6 @@ xmlInitParser(void) { + #ifdef LIBXML_XPATH_ENABLED + xmlXPathInit(); + #endif +-#ifdef LIBXML_CATALOG_ENABLED +- xmlInitializeCatalog(); +-#endif + xmlParserInitialized = 1; + #ifdef LIBXML_THREAD_ENABLED + } +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-id-attrs-in-xmlSetTreeDoc.patch b/gnu/packages/patches/libxml2-id-attrs-in-xmlSetTreeDoc.patch new file mode 100644 index 0000000000..a87f79bf84 --- /dev/null +++ b/gnu/packages/patches/libxml2-id-attrs-in-xmlSetTreeDoc.patch @@ -0,0 +1,36 @@ +From f54d6a929af2a570396f0595a0e29064c908c12e Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Fri, 19 Dec 2014 00:08:35 +0100 +Subject: [PATCH] Account for ID attributes in xmlSetTreeDoc + +--- + tree.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/tree.c b/tree.c +index 6ec9223..c6323b4 100644 +--- a/tree.c ++++ b/tree.c +@@ -2799,8 +2799,19 @@ xmlSetTreeDoc(xmlNodePtr tree, xmlDocPtr doc) { + if(tree->type == XML_ELEMENT_NODE) { + prop = tree->properties; + while (prop != NULL) { ++ if (prop->atype == XML_ATTRIBUTE_ID) { ++ xmlRemoveID(tree->doc, prop); ++ } ++ + prop->doc = doc; + xmlSetListDoc(prop->children, doc); ++ ++ if (xmlIsID(doc, tree, prop)) { ++ xmlChar *idVal = xmlNodeListGetString(doc, prop->children, ++ 1); ++ xmlAddID(NULL, doc, idVal, prop); ++ } ++ + prop = prop->next; + } + } +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-node-sort-order-pt1.patch b/gnu/packages/patches/libxml2-node-sort-order-pt1.patch new file mode 100644 index 0000000000..181a0727ec --- /dev/null +++ b/gnu/packages/patches/libxml2-node-sort-order-pt1.patch @@ -0,0 +1,33 @@ +From ba58f23c60862f2158b457f4d30031761bf4dde1 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Sun, 8 Mar 2015 16:44:11 +0100 +Subject: [PATCH] Fix order of root nodes + +Make sure root nodes are sorted before other nodes. +--- + xpath.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xpath.c b/xpath.c +index ffd2a48..e9f5bf9 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -361,13 +361,13 @@ turtle_comparison: + /* + * compute depth to root + */ +- for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) { ++ for (depth2 = 0, cur = node2; cur != NULL; cur = cur->parent) { + if (cur == node1) + return(1); + depth2++; + } + root = cur; +- for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) { ++ for (depth1 = 0, cur = node1; cur != NULL; cur = cur->parent) { + if (cur == node2) + return(-1); + depth1++; +-- +2.6.3 + diff --git a/gnu/packages/patches/libxml2-node-sort-order-pt2.patch b/gnu/packages/patches/libxml2-node-sort-order-pt2.patch new file mode 100644 index 0000000000..d0077137fb --- /dev/null +++ b/gnu/packages/patches/libxml2-node-sort-order-pt2.patch @@ -0,0 +1,37 @@ +From 3eaedba1b64180668fdab7ad2eba549586017bf3 Mon Sep 17 00:00:00 2001 +From: Nick Wellnhofer <wellnhofer@aevum.de> +Date: Sat, 11 Jul 2015 14:27:34 +0200 +Subject: [PATCH] Fix previous change to node sort order + +Commit ba58f23 broke comparison of nodes from different documents. +Thanks to Olli Pottonen for the report. +--- + xpath.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/xpath.c b/xpath.c +index e9f5bf9..935fcff 100644 +--- a/xpath.c ++++ b/xpath.c +@@ -361,14 +361,14 @@ turtle_comparison: + /* + * compute depth to root + */ +- for (depth2 = 0, cur = node2; cur != NULL; cur = cur->parent) { +- if (cur == node1) ++ for (depth2 = 0, cur = node2; cur->parent != NULL; cur = cur->parent) { ++ if (cur->parent == node1) + return(1); + depth2++; + } + root = cur; +- for (depth1 = 0, cur = node1; cur != NULL; cur = cur->parent) { +- if (cur == node2) ++ for (depth1 = 0, cur = node1; cur->parent != NULL; cur = cur->parent) { ++ if (cur->parent == node2) + return(-1); + depth1++; + } +-- +2.6.3 + diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index d9c92d6d93..90ad521c3d 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -70,7 +70,28 @@ things the parser might find in the XML document (like start tags).") version ".tar.gz")) (sha256 (base32 - "1g6mf03xcabmk5ing1lwqmasr803616gb2xhn7pll10x2l5w6y2i")))) + "1g6mf03xcabmk5ing1lwqmasr803616gb2xhn7pll10x2l5w6y2i")) + (patches + (map search-patch + '("libxml2-fix-catalog-corruption.patch" + "libxml2-bug-738805.patch" + "libxml2-id-attrs-in-xmlSetTreeDoc.patch" + "libxml2-CVE-2015-7941-pt1.patch" + "libxml2-CVE-2015-7941-pt2.patch" + "libxml2-node-sort-order-pt1.patch" + "libxml2-bug-747437.patch" + "libxml2-CVE-2015-1819.patch" + "libxml2-bug-751603.patch" + "libxml2-bug-751631.patch" + "libxml2-node-sort-order-pt2.patch" + "libxml2-bug-737840.patch" + "libxml2-bug-754946.patch" + "libxml2-bug-754947.patch" + "libxml2-bug-755857.patch" + "libxml2-CVE-2015-7942-pt1.patch" + "libxml2-CVE-2015-7942-pt2.patch" + "libxml2-bug-746048.patch" + "libxml2-CVE-2015-8035.patch"))))) (build-system gnu-build-system) (home-page "http://www.xmlsoft.org/") (synopsis "C parser for XML") |