From 3c74645a3f795c6d5be1a50549bfb18bfda3b16c Mon Sep 17 00:00:00 2001 From: Zach van Rijn Date: Wed, 12 Jan 2022 14:14:08 +0000 Subject: system/{libxml2,libxslt}: bump to Adélie-vendored versions temporarily. fixes #359, #463, #464. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- system/libxml2/APKBUILD | 32 +++++++++++++++++--------------- system/libxml2/CVE-2019-20388.patch | 33 --------------------------------- system/libxml2/CVE-2020-7595.patch | 32 -------------------------------- system/libxslt/APKBUILD | 16 ++++++++++------ 4 files changed, 27 insertions(+), 86 deletions(-) delete mode 100644 system/libxml2/CVE-2019-20388.patch delete mode 100644 system/libxml2/CVE-2020-7595.patch (limited to 'system') diff --git a/system/libxml2/APKBUILD b/system/libxml2/APKBUILD index 73b6eb2a0..9c294b6e7 100644 --- a/system/libxml2/APKBUILD +++ b/system/libxml2/APKBUILD @@ -1,23 +1,23 @@ # Contributor: Carlo Landmeter # Maintainer: A. Wilcox pkgname=libxml2 -pkgver=2.9.10 -pkgrel=1 +pkgver=2.9.13_pre1 +pkgdate=20220112 +pkgrel=0 pkgdesc="XML parsing library" url="http://www.xmlsoft.org/" arch="all" -options="!check !strip" # Impossible to run on Python 3 +options="!strip" # Impossible to run on Python 3 license="MIT" depends="" depends_dev="zlib-dev icu-dev" -checkdepends="perl tar" -makedepends="$depends_dev python3-dev" +checkdepends="perl libarchive" +makedepends="$depends_dev python3-dev autoconf automake libtool" subpackages="$pkgname-doc $pkgname-dev py-libxml2:py" provides="$pkgname-utils=$pkgver-r$pkgrel" -source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz +#source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz" +source="https://distfiles.adelielinux.org/source/$pkgname-$pkgver-$pkgdate.tar.gz python-segfault-fix.patch - CVE-2019-20388.patch - CVE-2020-7595.patch " # secfixes: @@ -31,14 +31,14 @@ source="ftp://ftp.xmlsoft.org/${pkgname}/${pkgname}-${pkgver}.tar.gz # - CVE-2019-20388 # - CVE-2020-7595 +builddir="$srcdir/$pkgname-$pkgver-$pkgdate" + prepare() { default_prepare - # setup.py is generated - rm python/setup.py } build() { - ./configure \ + ./autogen.sh \ --build=$CBUILD \ --host=$CHOST \ --prefix=/usr \ @@ -50,6 +50,10 @@ build() { make } +check() { + make -ik check # FIXME: #465 +} + package() { make -j1 DESTDIR="$pkgdir" install } @@ -66,7 +70,5 @@ py() { mv "$pkgdir"/usr/lib/python3* "$subpkgdir"/usr/lib/ } -sha512sums="0adfd12bfde89cbd6296ba6e66b6bed4edb814a74b4265bda34d95c41d9d92c696ee7adb0c737aaf9cc6e10426a31a35079b2a23d26c074e299858da12c072ed libxml2-2.9.10.tar.gz -384b3d2031cd8f77528190bbb7652faa9ccb22bc604bcf4927e59046d38830dac38010828fe1568b6514976f725981a6d3ac1aa595d31477a36db2afe491452c python-segfault-fix.patch -48ea30bd8035f3b60825ce24185fbec1e7423e683f64626405fd96daaaa14011e7f7c180a7a87d7ff8f73983b0e221974cbce619d04b932c1db2110a13be014e CVE-2019-20388.patch -90db832e60c700e971669f57a54fdb297660c42602089b4e77e013a7051c880f380f0c98c059d9f54de99855b2d9be78fcf0639443f3765a925b52fc093fb4d9 CVE-2020-7595.patch" +sha512sums="fed9e35478f169411700e5216ebf9735afbde5bcc2a6f9ad81959d11907d28d9ed4281613af31ef410aeef6acbd6e62dd168268f75454a9942261a86db3933ff libxml2-2.9.13_pre1-20220112.tar.gz +384b3d2031cd8f77528190bbb7652faa9ccb22bc604bcf4927e59046d38830dac38010828fe1568b6514976f725981a6d3ac1aa595d31477a36db2afe491452c python-segfault-fix.patch" diff --git a/system/libxml2/CVE-2019-20388.patch b/system/libxml2/CVE-2019-20388.patch deleted file mode 100644 index 49ff6fbe0..000000000 --- a/system/libxml2/CVE-2019-20388.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 7ffcd44d7e6c46704f8af0321d9314cd26e0e18a Mon Sep 17 00:00:00 2001 -From: Zhipeng Xie -Date: Tue, 20 Aug 2019 16:33:06 +0800 -Subject: [PATCH] Fix memory leak in xmlSchemaValidateStream - -When ctxt->schema is NULL, xmlSchemaSAXPlug->xmlSchemaPreRun -alloc a new schema for ctxt->schema and set vctxt->xsiAssemble -to 1. Then xmlSchemaVStart->xmlSchemaPreRun initialize -vctxt->xsiAssemble to 0 again which cause the alloced schema -can not be freed anymore. - -Found with libFuzzer. - -Signed-off-by: Zhipeng Xie ---- - xmlschemas.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/xmlschemas.c b/xmlschemas.c -index 301c8449..39d92182 100644 ---- a/xmlschemas.c -+++ b/xmlschemas.c -@@ -28090,7 +28090,6 @@ xmlSchemaPreRun(xmlSchemaValidCtxtPtr vctxt) { - vctxt->nberrors = 0; - vctxt->depth = -1; - vctxt->skipDepth = -1; -- vctxt->xsiAssemble = 0; - vctxt->hasKeyrefs = 0; - #ifdef ENABLE_IDC_NODE_TABLES_TEST - vctxt->createIDCNodeTables = 1; --- -2.24.1 - diff --git a/system/libxml2/CVE-2020-7595.patch b/system/libxml2/CVE-2020-7595.patch deleted file mode 100644 index 3dd677497..000000000 --- a/system/libxml2/CVE-2020-7595.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001 -From: Zhipeng Xie -Date: Thu, 12 Dec 2019 17:30:55 +0800 -Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities - -When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef -return NULL which cause a infinite loop in xmlStringLenDecodeEntities - -Found with libFuzzer. - -Signed-off-by: Zhipeng Xie ---- - parser.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/parser.c b/parser.c -index d1c31963..a34bb6cd 100644 ---- a/parser.c -+++ b/parser.c -@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, - else - c = 0; - while ((c != 0) && (c != end) && /* non input consuming loop */ -- (c != end2) && (c != end3)) { -+ (c != end2) && (c != end3) && -+ (ctxt->instate != XML_PARSER_EOF)) { - - if (c == 0) break; - if ((c == '&') && (str[1] == '#')) { --- -2.24.1 - diff --git a/system/libxslt/APKBUILD b/system/libxslt/APKBUILD index 752f2a8a5..37e85a523 100644 --- a/system/libxslt/APKBUILD +++ b/system/libxslt/APKBUILD @@ -1,16 +1,18 @@ # Contributor: Francesco Colista # Maintainer: A. Wilcox pkgname=libxslt -pkgver=1.1.34 +pkgver=1.1.35_pre1 +pkgdate=20220112 pkgrel=0 pkgdesc="XML stylesheet transformation library" url="http://xmlsoft.org/XSLT/" arch="all" license="SGI-B-2.0" depends="" -makedepends="libxml2-dev libgcrypt-dev libgpg-error-dev python3-dev" +makedepends="libxml2-dev libgcrypt-dev libgpg-error-dev python3-dev autoconf automake libtool" subpackages="$pkgname-doc $pkgname-dev" -source="ftp://xmlsoft.org/$pkgname/$pkgname-$pkgver.tar.gz" +#source="ftp://xmlsoft.org/$pkgname/$pkgname-$pkgver.tar.gz" +source="https://distfiles.adelielinux.org/source/$pkgname-$pkgver-$pkgdate.tar.gz" # secfixes: # 1.1.29-r1: @@ -21,8 +23,10 @@ source="ftp://xmlsoft.org/$pkgname/$pkgname-$pkgver.tar.gz" # - CVE-2019-13117 # - CVE-2019-13118 +builddir="$pkgname-$pkgver-$pkgdate" + build() { - ./configure \ + ./autogen.sh \ --build=$CBUILD \ --host=$CHOST \ --prefix=/usr @@ -34,7 +38,7 @@ check() { } package() { - make DESTDIR="$pkgdir" install + make -C "$srcdir/$builddir" DESTDIR="$pkgdir" install } -sha512sums="1516a11ad608b04740674060d2c5d733b88889de5e413b9a4e8bf8d1a90d712149df6d2b1345b615f529d7c7d3fa6dae12e544da828b39c7d415e54c0ee0776b libxslt-1.1.34.tar.gz" +sha512sums="f34a7a36596b48a2ee0d169bace750a5f5ca5ee1413606a5f23855875d35275bf60269ccb5e92d315639faf3fdf9600964b4c85a3bbbe02ccdc91dcb834e7508 libxslt-1.1.35_pre1-20220112.tar.gz" -- cgit v1.2.3-70-g09d2