Package: libxml2
Version: 2.7.6.dfsg-1
Severity: important
The new version of zlib, 1.2.3.5, contains a new implementation of gzio
(the gzopen() and related API calls) which are used by libxml2. Sadly
it looks like these break libxml2. It contains (in xmlIO.c) the
following code:
if (((z_stream *)context)->avail_in > 4) {
char *cptr, buff4[4];
cptr = (char *) ((z_stream *)context)->next_in;
if (gzread(context, buff4, 4) == 4) {
if (strncmp(buff4, cptr, 4) == 0)
ret->compressed = 0;
else
ret->compressed = 1;
gzrewind(context);
}
where context boils down to a gzFile returned by zlib. The code here is
assuming that the first memeber of this structure is a zlib stream which
is true for current zlib versions but is no longer true for this new
implementation. Since gzFile is a void * in the public API (the
structure is defined file local in the zlib source) this is a case of
libxml peering into the implementaiton of zlib in a way it isn't
supposed to.
The code also appears to be assuming that gzopen() does an initial read
from the file (this is in the open path and I can't find any following
code which does the same check) which is also no longer the case but
that is less harmful since the avail_in check will just fail.
I'm discussing this with zlib upstream at the minute but I expect that
whatever happens libxml is going to need to be fixed to stop peering
inside the zlib internals here. We may be able to use symbol
versioning to maintain existing binary compatibility but that'll still
cause breakage as soon as libxml is rebuilt, and due to the casting from
void there's nothing I can see zlib can do to catch this itself.
I'll upload my current zlib 1.2.3.5 package to experimental later for
you to take a look at.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libxml2 depends on:
ii libc6 2.10.2-5 Embedded GNU C Library: Shared lib
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages libxml2 recommends:
ii xml-core 0.13 XML infrastructure and XML catalog
libxml2 suggests no packages.
-- no debconf information
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
