Update to libxml2-2.13.3

kiyolee · Aug 3, 2024 · bd7992d · bd7992d
1 parent 5e54af5
commit bd7992d
Show file tree

Hide file tree

Showing 15 changed files with 88 additions and 22 deletions.
diff --git a/NEWS b/NEWS
@@ -1,5 +1,25 @@
 NEWS file for libxml2
 
+v2.13.3: Jul 24 2024
+
+### Security
+
+- [CVE-2024-40896] Fix XXE protection in downstream code
+
+### Regressions
+
+- autotools: Use AC_CHECK_DECL to check for getentropy
+- xinclude: Fix fallback for text includes
+- io: Don't call getcwd in xmlParserGetDirectory
+- io: Fix return value of xmlFileRead
+- parser: Fix error return of xmlParseBalancedChunkMemory
+
+### Improvements
+
+- xinclude: Set error handler when parsing text
+- Undeprecate xmlKeepBlanksDefault
+
+
 v2.13.2: Jul 4 2024
 
 ### Regressions

diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 libxml2 Windows build with Visual Studio.
 
-This version is libxml2-2.13.2.
+This version is libxml2-2.13.3.
 
 Note that LZMA support is only available for VS2013 or later.
 

diff --git a/THIS_VERSION_IS_2.13.2 → THIS_VERSION_IS_2.13.3 b/THIS_VERSION_IS_2.13.2 → THIS_VERSION_IS_2.13.3
diff --git a/distfiles/download.url b/distfiles/download.url
@@ -1 +1 @@
-https://download.gnome.org/sources/libxml2/2.13/libxml2-2.13.2.tar.xz
+https://download.gnome.org/sources/libxml2/2.13/libxml2-2.13.3.tar.xz
diff --git a/distfiles/libxml2-2.13.2.tar.xz b/distfiles/libxml2-2.13.2.tar.xz
diff --git a/distfiles/libxml2-2.13.2-import.lst → distfiles/libxml2-2.13.3-import.lst b/distfiles/libxml2-2.13.2-import.lst → distfiles/libxml2-2.13.3-import.lst
diff --git a/distfiles/libxml2-2.13.2-import.md5 → distfiles/libxml2-2.13.3-import.md5 b/distfiles/libxml2-2.13.2-import.md5 → distfiles/libxml2-2.13.3-import.md5
@@ -2,7 +2,7 @@ f437ed9058e8e5135e47c01e973376ba  Copyright
 799d00dfaca59a88a1ddcb7e564e6476  HTMLparser.c
 24211653eb3b5d6752f5eb91d6ecc3ef  HTMLtree.c
 dd63184811cb2ff705c3e466364d3773  INSTALL
-fe33b193822d5fb2d92b436f2547d765  NEWS
+e9216f2f1d1f18c7e15bf6bf86e20c80  NEWS
 5f32c16a4eccf442197b65fa65f3c7b8  README.libxml2.md
 7283878f36a935a3c00df077cf45af54  SAX.c
 f2edb7da1ddb9093de9841519b68f576  SAX2.c
@@ -33,7 +33,7 @@ bc51344e21f8d3b7f0fc93cc9d554243  include/libxml/globals.h
 90371c7017be1221a0c4d20089ade92a  include/libxml/list.h
 d5c907a6d7d205e286168e007f32504c  include/libxml/nanoftp.h
 95b1e4eadd008ebd16424f0f47213062  include/libxml/nanohttp.h
-731e8b4519b21e29136613b0f6c5d5b9  include/libxml/parser.h
+d502bff9a863243db03445264fe5dea0  include/libxml/parser.h
 b0d1746c566f0a4e1c368d6b1f734564  include/libxml/parserInternals.h
 dfa0e955ce14744df32c8a050c5ee84a  include/libxml/pattern.h
 d752e41ee40c2b028d0adb34ffc38810  include/libxml/relaxng.h
@@ -86,7 +86,7 @@ cdbcf52ea11b6ee99454e3b9a3adeaac  legacy.c
 62f33a8621e3442770fd15a540a7eba0  list.c
 040942573dbd47e7188991ab3c9c9a99  nanoftp.c
 4c676ca8672af9c242eab69fb9e2056f  nanohttp.c
-53c1f20bdbb724031dadb506e6683ff2  parser.c
+c2cd66a9e3acf9e891a9454f5a7bc147  parser.c
 7a70d4383a870b265ca14cd498b37c85  parserInternals.c
 fc88d174a7b70de62c609c32ce3f55f8  pattern.c
 06b7f056c759cff032979e0075c5b318  relaxng.c
@@ -101,7 +101,7 @@ c48cacc169fbe69e961ceafbfb92ee71  testModule.c
 8efef0b6535d6c069678e9f6750d3742  testdict.c
 6a3e7cbf9864c04639a1a8ac0c388ea2  testdso.c
 e7f8098f4a9e147624c3cf7d652a70c0  testlimits.c
-6010c3c335e3369385618d022aade84a  testparser.c
+b6224e455a78abefae0a5a1d128ed789  testparser.c
 71ea68a83739869caba574c1725fba96  testrecurse.c
 d746403de87ca28dbb43a4a76e63a3d6  threads.c
 1bcb15667ab695cdd2cc8d5b1bc05169  timsort.h
@@ -110,9 +110,9 @@ f8bea8ace4ec3a2d89543da6b91ab630  uri.c
 46d56681c3541150ee29b33f77e76bb8  valid.c
 8ab2045fb3bb5553449a93c85ebbb58a  win32/config.h
 9ca0965eeabe09b4f8d9a1c6c5d8c3b0  win32/libxml2.rc
-a9b815153157403c75b2c9abf687e97e  xinclude.c
+98e142c0d1c661f7604934d31f6cc0ec  xinclude.c
 0a034450d155e35ec8ba99ee2005b695  xlink.c
-6fea46801cfbcfc142146f3bbf05a90b  xmlIO.c
+c38f958da8d204477b58955c69c206a2  xmlIO.c
 28bb81f9966d3ec48c510dd56fa10b94  xmlcatalog.c
 7eeb0736114d53f08e4be4d611e579dd  xmllint.c
 9a191c58eb3f035c795898caea8e689b  xmlmemory.c

diff --git a/distfiles/libxml2-2.13.3.tar.xz b/distfiles/libxml2-2.13.3.tar.xz
diff --git a/include/libxml/parser.h b/include/libxml/parser.h
@@ -948,7 +948,7 @@ XML_DEPRECATED XMLPUBFUN int
 		xmlSubstituteEntitiesDefault(int val);
 XML_DEPRECATED XMLPUBFUN int
                 xmlThrDefSubstituteEntitiesDefaultValue(int v);
-XML_DEPRECATED XMLPUBFUN int
+XMLPUBFUN int
 		xmlKeepBlanksDefault	(int val);
 XML_DEPRECATED XMLPUBFUN int
 		xmlThrDefKeepBlanksDefaultValue(int v);

diff --git a/include/libxml/xmlversion.h b/include/libxml/xmlversion.h
@@ -15,21 +15,21 @@
  *
  * the version string like "1.2.3"
  */
-#define LIBXML_DOTTED_VERSION "2.13.2"
+#define LIBXML_DOTTED_VERSION "2.13.3"
 
 /**
  * LIBXML_VERSION:
  *
  * the version number: 1.2.3 value is 10203
  */
-#define LIBXML_VERSION 21302
+#define LIBXML_VERSION 21303
 
 /**
  * LIBXML_VERSION_STRING:
  *
  * the version number string, 1.2.3 value is "10203"
  */
-#define LIBXML_VERSION_STRING "21302"
+#define LIBXML_VERSION_STRING "21303"
 
 /**
  * LIBXML_VERSION_EXTRA:
@@ -44,7 +44,7 @@
  * Macro to check that the libxml version in use is compatible with
  * the version the software has been compiled against
  */
-#define LIBXML_TEST_VERSION xmlCheckVersion(21302);
+#define LIBXML_TEST_VERSION xmlCheckVersion(21303);
 
 /**
  * LIBXML_THREAD_ENABLED:

diff --git a/parser.c b/parser.c
@@ -7382,6 +7382,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
 	return;
     }
 
+    /*
+     * Some users try to parse entities on their own and used to set
+     * the renamed "checked" member. Fix the flags to cover this
+     * case.
+     */
+    if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL))
+        ent->flags |= XML_ENT_PARSED;
+
     /*
      * The first reference to the entity trigger a parsing phase
      * where the ent->children is filled with the result from
@@ -12535,7 +12543,10 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax,
     else
         xmlFreeNodeList(list);
 
-    ret = ctxt->errNo;
+    if (!ctxt->wellFormed)
+        ret = ctxt->errNo;
+    else
+        ret = XML_ERR_OK;
 
     xmlFreeInputStream(input);
     xmlFreeParserCtxt(ctxt);

diff --git a/testparser.c b/testparser.c
@@ -4,6 +4,8 @@
  * See Copyright for the status of this software.
  */
 
+#define XML_DEPRECATED
+
 #include <libxml/parser.h>
 #include <libxml/uri.h>
 #include <libxml/xmlreader.h>
@@ -95,6 +97,34 @@ testNodeGetContent(void) {
     return err;
 }
 
+static int
+testCFileIO(void) {
+    xmlDocPtr doc;
+    int err = 0;
+
+    /* Deprecated FILE-based API */
+    xmlRegisterInputCallbacks(xmlFileMatch, xmlFileOpen, xmlFileRead,
+                              xmlFileClose);
+    doc = xmlReadFile("test/ent1", NULL, 0);
+
+    if (doc == NULL) {
+        err = 1;
+    } else {
+        xmlNodePtr root = xmlDocGetRootElement(doc);
+
+        if (root == NULL || !xmlStrEqual(root->name, BAD_CAST "EXAMPLE"))
+            err = 1;
+    }
+
+    xmlFreeDoc(doc);
+    xmlPopInputCallbacks();
+
+    if (err)
+        fprintf(stderr, "xmlReadFile failed with FILE input callbacks\n");
+
+    return err;
+}
+
 #ifdef LIBXML_SAX1_ENABLED
 static int
 testBalancedChunk(void) {
@@ -540,6 +570,7 @@ main(void) {
     err |= testStandaloneWithEncoding();
     err |= testUnsupportedEncoding();
     err |= testNodeGetContent();
+    err |= testCFileIO();
 #ifdef LIBXML_SAX1_ENABLED
     err |= testBalancedChunk();
 #endif

diff --git a/win32/rcVersion.h b/win32/rcVersion.h
@@ -1,4 +1,4 @@
 #define LIBXML_MAJOR_VERSION 2
 #define LIBXML_MINOR_VERSION 13
-#define LIBXML_MICRO_VERSION 2
-#define LIBXML_DOTTED_VERSION "2.13.2"
+#define LIBXML_MICRO_VERSION 3
+#define LIBXML_DOTTED_VERSION "2.13.3"
diff --git a/xinclude.c b/xinclude.c
@@ -1653,11 +1653,18 @@ xmlXIncludeLoadTxt(xmlXIncludeCtxtPtr ctxt, xmlXIncludeRefPtr ref) {
         xmlXIncludeErrMemory(ctxt);
         goto error;
     }
+    if (ctxt->errorHandler != NULL)
+        xmlCtxtSetErrorHandler(pctxt, ctxt->errorHandler, ctxt->errorCtxt);
     inputStream = xmlLoadExternalEntity((const char*)url, NULL, pctxt);
     if (inputStream == NULL) {
+        /*
+         * ENOENT only produces a warning which isn't reflected in errNo.
+         */
         if (pctxt->errNo == XML_ERR_NO_MEMORY)
             xmlXIncludeErrMemory(ctxt);
-        else
+        else if ((pctxt->errNo != XML_ERR_OK) &&
+                 (pctxt->errNo != XML_IO_ENOENT) &&
+                 (pctxt->errNo != XML_IO_UNKNOWN))
             xmlXIncludeErr(ctxt, NULL, pctxt->errNo, "load error", NULL);
 	goto error;
     }

diff --git a/xmlIO.c b/xmlIO.c
@@ -794,7 +794,7 @@ xmlFileRead(void * context, char * buffer, int len) {
     if ((bytes < (size_t) len) && (ferror(file)))
         return(-xmlIOErr(0, "fread()"));
 
-    return(len);
+    return(bytes);
 }
 
 #ifdef LIBXML_OUTPUT_ENABLED
@@ -2922,10 +2922,7 @@ xmlParserGetDirectory(const char *filename) {
 	else *cur = 0;
 	ret = xmlMemStrdup(dir);
     } else {
-        if (getcwd(dir, 1024) != NULL) {
-	    dir[1023] = 0;
-	    ret = xmlMemStrdup(dir);
-	}
+        ret = xmlMemStrdup(".");
     }
     return(ret);
 #undef IS_XMLPGD_SEP
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		https://download.gnome.org/sources/libxml2/2.13/libxml2-2.13.2.tar.xz
		https://download.gnome.org/sources/libxml2/2.13/libxml2-2.13.3.tar.xz