We currently bundle libxml2 version 2.9.4 with trunk.  That version of
libxml2 has four CVEs.  Fortunately they can only be used to cause a
crash (DoS) instead of something worse.

There is one CVE for version 2.9.8, but the vulnerability (an infinite
loop DoS) can only be triggered if libxml2 is built with lzma support,
which our build does not enable.

While here also upgrade libxslt to the latest version since both
libraries come from the same upstream and work together.

Light testing on Windows and CentOS 6 didn't turn up any problems.

OpenOffice on FreeBSD uses the system versions of libxml, version 2.9.7,
and libxslt, version 1.1.32.  No problems have been reported with those
versions.
Index: main/external_deps.lst
===================================================================
--- main/external_deps.lst	(revision 1838688)
+++ main/external_deps.lst	(working copy)
@@ -170,14 +170,14 @@
     URL2 = $(OOO_EXTRAS)$(MD5)-$(name)
 
 if (SYSTEM_LIBXML != YES)
-    MD5 = ae249165c173b1ff386ee8ad676815f5
-    name = libxml2-2.9.4.tar.gz
+    MD5 = b786e353e2aa1b872d70d5d1ca0c740d
+    name = libxml2-2.9.8.tar.gz
     URL1 = http://xmlsoft.org/sources/$(name)
     URL2 = $(OOO_EXTRAS)$(MD5)-$(name)
 
 if (SYSTEM_LIBXSLT != YES)
-    MD5 = a129d3c44c022de3b9dcf6d6f288d72e
-    name = libxslt-1.1.29.tar.gz
+    MD5 = 1fc72f98e98bf4443f1651165f3aa146
+    name = libxslt-1.1.32.tar.gz
     URL1 = http://xmlsoft.org/sources/$(name)
     URL2 = $(OOO_EXTRAS)$(MD5)-$(name)
 
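Review bot: The two new `MD5 =` values are the only integrity pin for libxml2-2.9.8.tar.gz and libxslt-1.1.32.tar.gz, and `URL1` fetches both over plain `http://`, so a tampered download is caught only by an MD5 comparison. MD5 no longer offers collision resistance, which makes it a weak control for a bundled parser library. If the fetch tooling accepts a stronger digest, pin one alongside; otherwise state in the commit description how these values were checked against the upstream release (for example against its signature). The same applies to `TARFILE_MD5` in main/libxml2/makefile.mk and main/libxslt/makefile.mk.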
Index: main/libxml2/libxml2-c99.patch
===================================================================
--- main/libxml2/libxml2-c99.patch	(revision 1838688)
+++ main/libxml2/libxml2-c99.patch	(nonexistent)
@@ -1,48 +0,0 @@
-From d77e5fc4bcdb7da748c9cca116a601ae4df60d21 Mon Sep 17 00:00:00 2001
-From: Chun-wei Fan <[email protected]>
-Date: Tue, 31 May 2016 21:04:50 +0800
-Subject: relaxng.c, xmlschemas.c: Fix build on pre-C99 compilers
-
-Make sure that the variables are declared at the top of the block.
-
-https://bugzilla.gnome.org/show_bug.cgi?id=767063
- ---
- relaxng.c    | 3 ++-
- xmlschemas.c | 2 +-
- 2 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/relaxng.c b/relaxng.c
-index 56a3344..3d3e69c 100644
-diff -ur misc/libxml2-2.9.4/relaxng.c misc/build/libxml2-2.9.4/relaxng.c
---- misc/libxml2-2.9.4/relaxng.c	2016-05-23 00:25:25.000000000 -0700
-+++ misc/build/libxml2-2.9.4/relaxng.c	2016-08-28 00:37:26.017097000 -0700
-@@ -2088,6 +2088,7 @@
-                          const xmlChar * arg2)
- {
-     char msg[1000];
-+    xmlChar *result;
- 
-     if (arg1 == NULL)
-         arg1 = BAD_CAST "";
-@@ -2215,7 +2216,7 @@
-         snprintf(msg, 1000, "Unknown error code %d\n", err);
-     }
-     msg[1000 - 1] = 0;
--    xmlChar *result = xmlCharStrdup(msg);
-+    result = xmlCharStrdup(msg);
-     return (xmlEscapeFormatString(&result));
- }
- 
-diff -ur misc/libxml2-2.9.4/xmlschemas.c misc/build/libxml2-2.9.4/xmlschemas.c
---- misc/libxml2-2.9.4/xmlschemas.c	2016-05-23 00:25:25.000000000 -0700
-+++ misc/build/libxml2-2.9.4/xmlschemas.c	2016-08-28 00:37:26.025519000 -0700
-@@ -3168,8 +3168,8 @@
- 		"valid.");
- 	}
- 	if (expected) {
--	    msg = xmlStrcat(msg, BAD_CAST " Expected is '");
- 	    xmlChar *expectedEscaped = xmlCharStrdup(expected);
-+	    msg = xmlStrcat(msg, BAD_CAST " Expected is '");
- 	    msg = xmlStrcat(msg, xmlEscapeFormatString(&expectedEscaped));
- 	    FREE_AND_NULL(expectedEscaped);
- 	    msg = xmlStrcat(msg, BAD_CAST "'.\n");
Index: main/libxml2/libxml2-configure.patch
===================================================================
--- main/libxml2/libxml2-configure.patch	(revision 1838688)
+++ main/libxml2/libxml2-configure.patch	(working copy)
@@ -1,6 +1,6 @@
-diff -ur misc/libxml2-2.9.4/include/libxml/xmlversion.h misc/build/libxml2-2.9.4/include/libxml/xmlversion.h
---- misc/libxml2-2.9.4/include/libxml/xmlversion.h	2015-11-20 01:49:39.000000000 -0800
-+++ misc/build/libxml2-2.9.4/include/libxml/xmlversion.h	2016-03-26 09:46:21.124032000 -0700
+diff -ur misc/libxml2-2.9.8/include/libxml/xmlversion.h misc/build/libxml2-2.9.8/include/libxml/xmlversion.h
+--- misc/libxml2-2.9.8/include/libxml/xmlversion.h	2018-03-05 07:54:29.000000000 -0800
++++ misc/build/libxml2-2.9.8/include/libxml/xmlversion.h	2018-08-22 22:53:15.488158000 -0700
 @@ -273,7 +273,7 @@
   *
   * Whether iconv support is available
@@ -19,9 +19,9 @@
  #define LIBXML_DEBUG_ENABLED
  #endif
  
-diff -ur misc/libxml2-2.9.4/xml2-config.in misc/build/libxml2-2.9.4/xml2-config.in
---- misc/libxml2-2.9.4/xml2-config.in	2015-05-06 05:04:36.000000000 -0700
-+++ misc/build/libxml2-2.9.4/xml2-config.in	2016-03-26 10:00:17.756184000 -0700
+diff -ur misc/libxml2-2.9.8/xml2-config.in misc/build/libxml2-2.9.8/xml2-config.in
+--- misc/libxml2-2.9.8/xml2-config.in	2016-06-07 03:04:14.000000000 -0700
++++ misc/build/libxml2-2.9.8/xml2-config.in	2018-08-22 22:53:15.489086000 -0700
 @@ -1,9 +1,14 @@
  #! /bin/sh
  
Index: main/libxml2/libxml2-long-path.patch
===================================================================
--- main/libxml2/libxml2-long-path.patch	(revision 1838688)
+++ main/libxml2/libxml2-long-path.patch	(nonexistent)
@@ -1,18 +0,0 @@
---- misc/libxml2-2.9.4/uri.c	2015-11-02 23:28:09.000000000 -0800
-+++ misc/build/libxml2-2.9.4/uri.c	2016-03-26 10:19:45.838472000 -0700
-@@ -2412,6 +2412,15 @@
- 	return xmlStrdup((const xmlChar *) path);
- #endif
- 
-+#if defined(_WIN32)
-+	//We must not change the backslashes to slashes if the the path starts with
-+	// \\?\
-+	//Those paths can be up to 32k characters long.
-+	len = xmlStrlen(path);
-+	if ((len > 3) && (path[0] == '\\') && (path[1] == '\\') && (path[2] == '?') && (path[3] == '\\') )
-+		return xmlStrdup((const xmlChar *) path);
-+#endif
-+
- 	/* sanitize filename starting with // so it can be used as URI */
-     if ((path[0] == '/') && (path[1] == '/') && (path[2] != '/'))
-         path++;

Property changes on: main/libxml2/libxml2-long-path.patch
___________________________________________________________________
Deleted: svn:eol-style
## -1 +0,0 ##
-native
\ No newline at end of property
Index: main/libxml2/libxml2-nan-inf-fix.patch
===================================================================
--- main/libxml2/libxml2-nan-inf-fix.patch	(nonexistent)
+++ main/libxml2/libxml2-nan-inf-fix.patch	(working copy)
@@ -0,0 +1,60 @@
+From 7abec671473b837f99181442d59edd0cc2ee01d1 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <[email protected]>
+Date: Thu, 15 Mar 2018 19:33:52 +0100
+Subject: [PATCH] NaN and Inf fixes for pre-C99 compilers
+
+On some pre-C99 compilers, the NAN and INFINITY macros don't expand to
+constant expressions.
+
+Some MSVC versions complain about floating point division by zero in
+constants.
+
+Thanks to Fabrice Manfroi for the report.
+---
+ xpath.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff -ur misc/libxml2-2.9.8/xpath.c misc/build/libxml2-2.9.8/xpath.c
+--- misc/libxml2-2.9.8/xpath.c	2017-12-02 00:58:10.000000000 -0800
++++ misc/build/libxml2-2.9.8/xpath.c	2018-08-23 15:05:24.276900000 -0700
+@@ -477,27 +477,28 @@ int wrap_cmp( xmlNodePtr x, xmlNodePtr y );
+  *									*
+  ************************************************************************/
+ 
+-#ifndef NAN
+-#define NAN (0.0 / 0.0)
++#ifndef INFINITY
++#define INFINITY (DBL_MAX * DBL_MAX)
+ #endif
+ 
+-#ifndef INFINITY
+-#define INFINITY HUGE_VAL
++#ifndef NAN
++#define NAN (INFINITY / INFINITY)
+ #endif
+ 
+-double xmlXPathNAN = NAN;
+-double xmlXPathPINF = INFINITY;
+-double xmlXPathNINF = -INFINITY;
++double xmlXPathNAN;
++double xmlXPathPINF;
++double xmlXPathNINF;
+ 
+ /**
+  * xmlXPathInit:
+  *
+  * Initialize the XPath environment
+- *
+- * Does nothing but must be kept as public function.
+  */
+ void
+ xmlXPathInit(void) {
++    xmlXPathNAN = NAN;
++    xmlXPathPINF = INFINITY;
++    xmlXPathNINF = -INFINITY;
+ }
+ 
+ /**
+-- 
+2.18.0
+
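Review bot: With the static initialisers removed, `xmlXPathNAN`, `xmlXPathPINF` and `xmlXPathNINF` stay zero until `xmlXPathInit()` has run, so any code that reads them earlier now gets 0.0 where it previously got NaN or ±Inf. The embedded patch touches only xpath.c and does not show where `xmlXPathInit()` is called, so confirm that every consumer in the tree reaches it, directly or through library initialisation, before it compares or returns XPath numbers. A line in the patch header or in makefile.mk such as `# from commit 7abec671; xmlXPathInit() must run before xmlXPathNAN/PINF/NINF are read` would keep that dependency visible at the next upgrade.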
Index: main/libxml2/makefile.mk
===================================================================
--- main/libxml2/makefile.mk	(revision 1838688)
+++ main/libxml2/makefile.mk	(working copy)
@@ -38,19 +38,18 @@
 
 # --- Files --------------------------------------------------------
 
-LIBXML2VERSION=2.9.4
+LIBXML2VERSION=2.9.8
 
 TARFILE_NAME=$(PRJNAME)-$(LIBXML2VERSION)
-TARFILE_MD5=ae249165c173b1ff386ee8ad676815f5
+TARFILE_MD5=b786e353e2aa1b872d70d5d1ca0c740d
 
-PATCH_FILES=libxml2-configure.patch \
-	libxml2-c99.patch
+PATCH_FILES=libxml2-configure.patch
 
 # libxml2-global-symbols: #i112480#: Solaris ld won't export non-listed symbols
 #            libxml2-global-symbols.patch
 
 .IF "$(OS)" == "WNT"
-PATCH_FILES+= libxml2-long-path.patch
+PATCH_FILES+= libxml2-nan-inf-fix.patch
 .ENDIF
 
 # This is only for UNX environment now
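Review bot: The WNT branch of `PATCH_FILES` no longer applies libxml2-long-path.patch, and the commit description does not say why. The removed patch made uri.c return paths starting with `\\?\` unchanged instead of rewriting their backslashes. Nothing on this page shows that 2.9.8 does the same, so long-path documents on Windows may regress. Either re-base that patch for 2.9.8 or record the reason above the `.IF`, for example `# libxml2-long-path.patch dropped: <reason / upstream commit PLACEHOLDER>`. libxml2-c99.patch is dropped in the same hunk; it carries an upstream commit header, so it is presumably already in 2.9.8, but that is worth confirming with a pre-C99 build.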
Index: main/libxslt/libxslt-configure.patch
===================================================================
--- main/libxslt/libxslt-configure.patch	(revision 1838688)
+++ main/libxslt/libxslt-configure.patch	(working copy)
@@ -1,7 +1,7 @@
-diff -ur misc/libxslt-1.1.29/configure misc/build/libxslt-1.1.29/configure
---- misc/libxslt-1.1.29/configure	2016-05-23 18:49:13.000000000 -0700
-+++ misc/build/libxslt-1.1.29/configure	2016-08-11 11:06:10.448691000 -0700
-@@ -6691,7 +6691,7 @@
+diff -ur misc/libxslt-1.1.32/configure misc/build/libxslt-1.1.32/configure
+--- misc/libxslt-1.1.32/configure	2017-11-02 13:34:22.000000000 -0700
++++ misc/build/libxslt-1.1.32/configure	2018-08-22 23:00:50.689433000 -0700
+@@ -6698,7 +6698,7 @@
  
  cygwin*)
    # func_win32_libid is a shell function defined in ltmain.sh
@@ -10,9 +10,9 @@
    lt_cv_file_magic_cmd='func_win32_libid'
    ;;
  
-diff -ur misc/libxslt-1.1.29/xslt-config.in misc/build/libxslt-1.1.29/xslt-config.in
---- misc/libxslt-1.1.29/xslt-config.in	2015-05-10 07:11:30.000000000 -0700
-+++ misc/build/libxslt-1.1.29/xslt-config.in	2016-08-11 11:06:10.442201000 -0700
+diff -ur misc/libxslt-1.1.32/xslt-config.in misc/build/libxslt-1.1.32/xslt-config.in
+--- misc/libxslt-1.1.32/xslt-config.in	2015-05-10 07:11:30.000000000 -0700
++++ misc/build/libxslt-1.1.32/xslt-config.in	2018-08-22 23:00:50.689988000 -0700
 @@ -1,10 +1,15 @@
  #! /bin/sh
  
Index: main/libxslt/libxslt-win_manifest.patch
===================================================================
--- main/libxslt/libxslt-win_manifest.patch	(revision 1838688)
+++ main/libxslt/libxslt-win_manifest.patch	(working copy)
@@ -1,7 +1,7 @@
-diff -ur misc/libxslt-1.1.29/win32/configure.js misc/build/libxslt-1.1.29/win32/configure.js
---- misc/libxslt-1.1.29/win32/configure.js	2012-09-04 07:26:23.000000000 -0700
-+++ misc/build/libxslt-1.1.29/win32/configure.js	2016-08-11 12:06:45.212750000 -0700
-@@ -52,7 +52,7 @@
+diff -ur misc/libxslt-1.1.32/win32/configure.js misc/build/libxslt-1.1.32/win32/configure.js
+--- misc/libxslt-1.1.32/win32/configure.js	2017-10-26 00:55:47.000000000 -0700
++++ misc/build/libxslt-1.1.32/win32/configure.js	2018-08-22 23:07:38.152976000 -0700
+@@ -51,7 +51,7 @@
  var dirSep = "\\";
  var compiler = "msvc";
  var cruntime = "/MD";
Index: main/libxslt/libxsltversion.mk
===================================================================
--- main/libxslt/libxsltversion.mk	(revision 1838688)
+++ main/libxslt/libxsltversion.mk	(working copy)
@@ -25,5 +25,5 @@
 # minor 
 LIBXSLT_MINOR=1
 # micro 
-LIBXSLT_MICRO=29
+LIBXSLT_MICRO=32
 
Index: main/libxslt/makefile.mk
===================================================================
--- main/libxslt/makefile.mk	(revision 1838688)
+++ main/libxslt/makefile.mk	(working copy)
@@ -45,7 +45,7 @@
 LIBXSLTVERSION=$(LIBXSLT_MAJOR).$(LIBXSLT_MINOR).$(LIBXSLT_MICRO)
 
 TARFILE_NAME=$(PRJNAME)-$(LIBXSLTVERSION)
-TARFILE_MD5=a129d3c44c022de3b9dcf6d6f288d72e
+TARFILE_MD5=1fc72f98e98bf4443f1651165f3aa146
 
 # libxslt-internal-symbols: #i112480#: Solaris ld requires symbols to be defined
 PATCH_FILES=libxslt-configure.patch \
