libxml2 package update

Signed-off-by: basebuilder_pel7ppc64lebuilder0 <basebuilder@powerel.org>

SOURCES/libxml2-2.9.1-CVE-2015-8035.patch

@@ -0,0 +1,31 @@
+From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Tue, 3 Nov 2015 15:31:25 +0800
+Subject: [PATCH] CVE-2015-8035 Fix XZ compression support loop
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=757466
+DoS when parsing specially crafted XML document if XZ support
+is compiled in (which wasn't the case for 2.9.2 and master since
+Nov 2013, fixed in next commit !)
+---
+ xzlib.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index 0dcb9f48..1fab5463 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
+             xz_error(state, LZMA_DATA_ERROR, "compressed data error");
+             return -1;
+         }
++        if (ret == LZMA_PROG_ERROR) {
++            xz_error(state, LZMA_PROG_ERROR, "compression error");
++            return -1;
++        }
+     } while (strm->avail_out && ret != LZMA_STREAM_END);
+ 
+     /* update available output and crc check value */
+-- 
+2.22.0
+

SOURCES/libxml2-2.9.1-CVE-2016-5131.patch

@@ -0,0 +1,131 @@
+commit 3189fa5b5d1cce13e70cf282936736b2e7889a46
+Author: Nick Wellnhofer <wellnhofer@aevum.de>
+Date:   Tue Jun 28 14:22:23 2016 +0200
+
+    Fix XPointer paths beginning with range-to
+    
+    The old code would invoke the totally broken xmlXPtrRangeToFunction.
+    range-to isn't really a function but a special kind of location step.
+    Remove this function and always handle range-to in the XPath code.
+    
+    The old xmlXPtrRangeToFunction could also be abused to trigger a
+    use-after-free error with the potential for remote code execution.
+
+diff --git a/xpath.c b/xpath.c
+index 751665b..7c24a82 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -10691,13 +10691,16 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) {
+ 		    lc = 1;
+ 		    break;
+ 		} else if ((NXT(len) == '(')) {
+-		    /* Note Type or Function */
++		    /* Node Type or Function */
+ 		    if (xmlXPathIsNodeType(name)) {
+ #ifdef DEBUG_STEP
+ 		        xmlGenericError(xmlGenericErrorContext,
+ 				"PathExpr: Type search\n");
+ #endif
+ 			lc = 1;
++                    } else if (ctxt->xptr &&
++                               xmlStrEqual(name, BAD_CAST "range-to")) {
++                        lc = 1;
+ 		    } else {
+ #ifdef DEBUG_STEP
+ 		        xmlGenericError(xmlGenericErrorContext,
+diff --git a/xpointer.c b/xpointer.c
+index 676c510..d74174a 100644
+--- a/xpointer.c
++++ b/xpointer.c
+@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) {
+     ret->here = here;
+     ret->origin = origin;
+ 
+-    xmlXPathRegisterFunc(ret, (xmlChar *)"range-to",
+-	                 xmlXPtrRangeToFunction);
+     xmlXPathRegisterFunc(ret, (xmlChar *)"range",
+ 	                 xmlXPtrRangeFunction);
+     xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside",
+@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+  * @nargs:  the number of args
+  *
+  * Implement the range-to() XPointer function
++ *
++ * Obsolete. range-to is not a real function but a special type of location
++ * step which is handled in xpath.c.
+  */
+ void
+-xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) {
+-    xmlXPathObjectPtr range;
+-    const xmlChar *cur;
+-    xmlXPathObjectPtr res, obj;
+-    xmlXPathObjectPtr tmp;
+-    xmlLocationSetPtr newset = NULL;
+-    xmlNodeSetPtr oldset;
+-    int i;
+-
+-    if (ctxt == NULL) return;
+-    CHECK_ARITY(1);
+-    /*
+-     * Save the expression pointer since we will have to evaluate
+-     * it multiple times. Initialize the new set.
+-     */
+-    CHECK_TYPE(XPATH_NODESET);
+-    obj = valuePop(ctxt);
+-    oldset = obj->nodesetval;
+-    ctxt->context->node = NULL;
+-
+-    cur = ctxt->cur;
+-    newset = xmlXPtrLocationSetCreate(NULL);
+-
+-    for (i = 0; i < oldset->nodeNr; i++) {
+-	ctxt->cur = cur;
+-
+-	/*
+-	 * Run the evaluation with a node list made of a single item
+-	 * in the nodeset.
+-	 */
+-	ctxt->context->node = oldset->nodeTab[i];
+-	tmp = xmlXPathNewNodeSet(ctxt->context->node);
+-	valuePush(ctxt, tmp);
+-
+-	xmlXPathEvalExpr(ctxt);
+-	CHECK_ERROR;
+-
+-	/*
+-	 * The result of the evaluation need to be tested to
+-	 * decided whether the filter succeeded or not
+-	 */
+-	res = valuePop(ctxt);
+-	range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res);
+-	if (range != NULL) {
+-	    xmlXPtrLocationSetAdd(newset, range);
+-	}
+-
+-	/*
+-	 * Cleanup
+-	 */
+-	if (res != NULL)
+-	    xmlXPathFreeObject(res);
+-	if (ctxt->value == tmp) {
+-	    res = valuePop(ctxt);
+-	    xmlXPathFreeObject(res);
+-	}
+-
+-	ctxt->context->node = NULL;
+-    }
+-
+-    /*
+-     * The result is used as the new evaluation set.
+-     */
+-    xmlXPathFreeObject(obj);
+-    ctxt->context->node = NULL;
+-    ctxt->context->contextSize = -1;
+-    ctxt->context->proximityPosition = -1;
+-    valuePush(ctxt, xmlXPtrWrapLocationSet(newset));
++xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt,
++                       int nargs ATTRIBUTE_UNUSED) {
++    XP_ERROR(XPATH_EXPR_ERROR);
+ }
+ 
+ /**

SOURCES/libxml2-2.9.1-CVE-2017-15412.patch

@@ -0,0 +1,36 @@
+From 0f3b843b3534784ef57a4f9b874238aa1fda5a73 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 1 Jun 2017 23:12:19 +0200
+Subject: [PATCH] Fix XPath stack frame logic
+
+Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in
+xmlXPathCompOpEvalPositionalPredicate to make sure that the context
+object on the stack is actually protected. Otherwise, memory corruption
+can occur when calling sloppily coded XPath extension functions.
+
+Fixes bug 783160.
+---
+ xpath.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 94815075..b816bd36 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -11932,11 +11932,11 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
+ 		}
+ 	    }
+ 
+-            frame = xmlXPathSetFrame(ctxt);
+ 	    valuePush(ctxt, contextObj);
++            frame = xmlXPathSetFrame(ctxt);
+ 	    res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
+-            tmp = valuePop(ctxt);
+             xmlXPathPopFrame(ctxt, frame);
++            tmp = valuePop(ctxt);
+ 
+ 	    if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
+                 while (tmp != contextObj) {
+-- 
+2.22.0
+

SOURCES/libxml2-2.9.1-CVE-2017-18258.patch

@@ -0,0 +1,32 @@
+From e2a9122b8dde53d320750451e9907a7dcb2ca8bb Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Thu, 7 Sep 2017 18:36:01 +0200
+Subject: [PATCH] Set memory limit for LZMA decompression
+
+Otherwise malicious LZMA compressed files could consume large amounts
+of memory when decompressed.
+
+According to the xz man page, files compressed with `xz -9` currently
+require 65 MB to decompress, so set the limit to 100 MB.
+
+Should fix bug 786696.
+---
+ xzlib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xzlib.c b/xzlib.c
+index 782957f6..f43632bd 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -408,7 +408,7 @@ xz_head(xz_statep state)
+         state->strm = init;
+         state->strm.avail_in = 0;
+         state->strm.next_in = NULL;
+-        if (lzma_auto_decoder(&state->strm, UINT64_MAX, 0) != LZMA_OK) {
++        if (lzma_auto_decoder(&state->strm, 100000000, 0) != LZMA_OK) {
+             xmlFree(state->out);
+             xmlFree(state->in);
+             state->size = 0;
+-- 
+2.22.0
+

SOURCES/libxml2-2.9.1-CVE-2018-14404.patch

@@ -0,0 +1,54 @@
+From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 12:54:38 +0200
+Subject: [PATCH] Fix nullptr deref with XPath logic ops
+
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
+
+Also see
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+
+This is CVE-2018-14404.
+
+Thanks to Guy Inbar for the report.
+---
+ xpath.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 3fae0bf4..5e3bb9ff 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ 		return(0);
+ 	    }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval &= arg2->boolval;
+-            valuePush(ctxt, arg1);
++            if (ctxt->value != NULL)
++                ctxt->value->boolval &= arg2->boolval;
+ 	    xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_OR:
+@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ 		return(0);
+ 	    }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval |= arg2->boolval;
+-            valuePush(ctxt, arg1);
++            if (ctxt->value != NULL)
++                ctxt->value->boolval |= arg2->boolval;
+ 	    xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_EQUAL:
+-- 
+2.22.0
+

SOURCES/libxml2-2.9.1-CVE-2018-14567.patch

@@ -0,0 +1,50 @@
+From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 13:14:11 +0200
+Subject: [PATCH] Fix infinite loop in LZMA decompression
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Check the liblzma error code more thoroughly to avoid infinite loops.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
+Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
+
+This is CVE-2018-9251 and CVE-2018-14567.
+
+Thanks to Dongliang Mu and Simon Wörner for the reports.
+---
+ xzlib.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index a839169e..0ba88cfa 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
+                          "internal error: inflate stream corrupt");
+                 return -1;
+             }
++            /*
++             * FIXME: Remapping a couple of error codes and falling through
++             * to the LZMA error handling looks fragile.
++             */
+             if (ret == Z_MEM_ERROR)
+                 ret = LZMA_MEM_ERROR;
+             if (ret == Z_DATA_ERROR)
+@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
+             xz_error(state, LZMA_PROG_ERROR, "compression error");
+             return -1;
+         }
++        if ((state->how != GZIP) &&
++            (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
++            xz_error(state, ret, "lzma error");
++            return -1;
++        }
+     } while (strm->avail_out && ret != LZMA_STREAM_END);
+ 
+     /* update available output and crc check value */
+-- 
+2.22.0
+

SPECS/libxml2.spec

@@ -1,60 +1,21 @@
-# for -O3 on ppc64 c.f. 1051068
+Name:           libxml2
-%global _performance_build 1
+Version:        2.9.10
+Release:        1%{?dist}
+Summary:        Library providing XML and HTML support
 
-Summary: Library providing XML and HTML support
+License:        MIT
-Name: libxml2
+URL:            http://xmlsoft.org/
-Version: 2.9.1
+Source:         ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
-Release: 6%{?dist}%{?extra_release}.3
+Patch0:         libxml2-multilib.patch
-License: MIT
+# Patch from openSUSE.
-Group: Development/Libraries
+# See:  https://bugzilla.gnome.org/show_bug.cgi?id=789714
-Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
+Patch1:         libxml2-2.9.8-python3-unicode-errors.patch
-BuildRoot: %{_tmppath}/%{name}-%{version}-root
-BuildRequires: python python-devel zlib-devel pkgconfig xz-devel
-URL: http://xmlsoft.org/
-Patch0: libxml2-multilib.patch
-Patch1: libxml2-2.9.0-do-not-check-crc.patch
-
-Patch100: libxml2-Fix-a-regression-in-xmlGetDocCompressMode.patch
-Patch101: CVE-2014-3660-rhel7.patch
-Patch102: libxml2-Fix-missing-entities-after-CVE-2014-3660-fix.patch
-Patch103: libxml2-Do-not-fetch-external-parameter-entities.patch
-Patch104: libxml2-Fix-regression-introduced-by-CVE-2014-0191.patch
-Patch105: libxml2-Stop-parsing-on-entities-boundaries-errors.patch
-Patch106: libxml2-Cleanup-conditional-section-error-handling.patch
-Patch107: libxml2-Fail-parsing-early-on-if-encoding-conversion-failed.patch
-Patch108: libxml2-Another-variation-of-overflow-in-Conditional-sections.patch
-Patch109: libxml2-Fix-an-error-in-previous-Conditional-section-patch.patch
-Patch110: libxml2-Fix-parsing-short-unclosed-comment-uninitialized-access.patch
-Patch111: libxml2-Avoid-extra-processing-of-MarkupDecl-when-EOF.patch
-Patch112: libxml2-Avoid-processing-entities-after-encoding-conversion-failures.patch
-Patch113: libxml2-xmlStopParser-reset-errNo.patch
-Patch114: libxml2-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDictComputeFastQKey.patch
-Patch115: libxml2-CVE-2015-5312-Another-entity-expansion-issue.patch
-Patch116: libxml2-Add-xmlHaltParser-to-stop-the-parser.patch
-Patch117: libxml2-Reuse-xmlHaltParser-where-it-makes-sense.patch
-Patch118: libxml2-Do-not-print-error-context-when-there-is-none.patch
-Patch119: libxml2-Detect-incoherency-on-GROW.patch
-Patch120: libxml2-Fix-some-loop-issues-embedding-NEXT.patch
-Patch121: libxml2-Bug-on-creating-new-stream-from-entity.patch
-Patch122: libxml2-CVE-2015-7500-Fix-memory-access-error-due-to-incorrect-entities-boundaries.patch
-Patch123: libxml2-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-push-mode.patch
-Patch124: libxml2-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-memory.patch
-patch125: libxml2-Add-missing-increments-of-recursion-depth-counter-to-XML-parser.patch
-patch126: libxml2-Avoid-building-recursive-entities.patch
-patch127: libxml2-Bug-757711-heap-buffer-overflow-in-xmlFAParsePosCharGroup-https-bugzilla.gnome.org-show_bug.cgi-id-757711.patch
-patch128: libxml2-Bug-758588-Heap-based-buffer-overread-in-xmlParserPrintFileContextInternal-https-bugzilla.gnome.org-show_bug.cgi-id-758588.patch
-patch129: libxml2-Bug-758605-Heap-based-buffer-overread-in-xmlDictAddString-https-bugzilla.gnome.org-show_bug.cgi-id-758605.patch
-patch130: libxml2-Bug-759398-Heap-use-after-free-in-xmlDictComputeFastKey-https-bugzilla.gnome.org-show_bug.cgi-id-759398.patch
-patch131: libxml2-Bug-763071-heap-buffer-overflow-in-xmlStrncat-https-bugzilla.gnome.org-show_bug.cgi-id-763071.patch
-patch132: libxml2-Fix-inappropriate-fetch-of-entities-content.patch
-patch133: libxml2-Fix-some-format-string-warnings-with-possible-format-string-vulnerability.patch
-patch134: libxml2-Heap-based-buffer-overread-in-htmlCurrentChar.patch
-patch135: libxml2-Heap-based-buffer-overread-in-xmlNextChar.patch
-patch136: libxml2-Heap-based-buffer-underreads-due-to-xmlParseName.patch
-patch137: libxml2-Heap-use-after-free-in-htmlParsePubidLiteral-and-htmlParseSystemiteral.patch
-patch138: libxml2-Heap-use-after-free-in-xmlSAX2AttributeNs.patch
-patch139: libxml2-More-format-string-warnings-with-possible-format-string-vulnerability.patch
 
+BuildRequires:  gcc
+BuildRequires:  make
+#BuildRequires:  cmake-rpm-macros
+BuildRequires:  pkgconfig(zlib)
+BuildRequires:  pkgconfig(liblzma)
 
 %description
 This library allows to manipulate XML files. It includes support
@@ -68,12 +29,10 @@ available, with existing HTTP and FTP modules and combined to an
 URI library.
 
 %package devel
-Summary: Libraries, includes, etc. to develop XML and HTML applications
+Summary:        Libraries, includes, etc. to develop XML and HTML applications
-Group: Development/Libraries
+Requires:       %{name}%{?_isa} = %{version}-%{release}
-Requires: libxml2 = %{version}-%{release}
+Requires:       zlib-devel%{?_isa}
-Requires: zlib-devel
+Requires:       xz-devel%{?_isa}
-Requires: xz-devel
-Requires: pkgconfig
 
 %description devel
 Libraries, include files, etc you can use to develop XML applications.
@@ -88,22 +47,23 @@ available, with existing HTTP and FTP modules and combined to an
 URI library.
 
 %package static
-Summary: Static library for libxml2
+Summary:        Static library for libxml2
-Group: Development/Libraries
-Requires: libxml2 = %{version}-%{release}
 
 %description static
 Static library for libxml2 provided for specific uses or shaving a few
 microseconds when parsing, do not link to them for generic purpose packages.
 
-%package python
+%package -n python2-%{name}
-Summary: Python bindings for the libxml2 library
+%{?python_provide:%python_provide python2-%{name}}
-Group: Development/Libraries
+Summary:        Python bindings for the libxml2 library
-Requires: libxml2 = %{version}-%{release}
+BuildRequires:  python2-devel
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+Obsoletes:      %{name}-python < %{version}-%{release}
+Provides:       %{name}-python = %{version}-%{release}
 
-%description python
+%description -n python2-%{name}
-The libxml2-python package contains a module that permits applications
+The libxml2-python package contains a Python 2 module that permits applications
-written in the Python programming language to use the interface
+written in the Python programming language, version 2, to use the interface
 supplied by the libxml2 library to manipulate XML files.
 
 This library allows to manipulate XML files. It includes support
@@ -111,187 +71,231 @@ to read, modify and write XML and HTML files. There is DTDs support
 this includes parsing and validation even with complex DTDs, either
 at parse time or later once the document has been modified.
 
-%prep
+%package -n python3-%{name}
-%setup -q
+Summary:        Python 3 bindings for the libxml2 library
-%patch0 -p1
+BuildRequires:  python3-devel
-# workaround for #877567 - Very weird bug gzip decompression bug in "recent" libxml2 versions
+Requires:       %{name}%{?_isa} = %{version}-%{release}
-%patch1 -p1 -b .do-not-check-crc
+Obsoletes:      %{name}-python3 < %{version}-%{release}
+Provides:       %{name}-python3 = %{version}-%{release}
 
-%patch100 -p1
+%description -n python3-%{name}
-%patch101 -p1
+The libxml2-python3 package contains a Python 3 module that permits
-%patch102 -p1
+applications written in the Python programming language, version 3, to use the
-%patch103 -p1
+interface supplied by the libxml2 library to manipulate XML files.
-%patch104 -p1
+
-%patch105 -p1
+This library allows to manipulate XML files. It includes support
-%patch106 -p1
+to read, modify and write XML and HTML files. There is DTDs support
-%patch107 -p1
+this includes parsing and validation even with complex DTDs, either
-%patch108 -p1
+at parse time or later once the document has been modified.
-%patch109 -p1
+
-%patch110 -p1
+%prep
-%patch111 -p1
+%autosetup -p1
-%patch112 -p1
+find doc -type f -executable -print -exec chmod 0644 {} ';'
-%patch113 -p1
-%patch114 -p1
-%patch115 -p1
-%patch116 -p1
-%patch117 -p1
-%patch118 -p1
-%patch119 -p1
-%patch120 -p1
-%patch121 -p1
-%patch122 -p1
-%patch123 -p1
-%patch124 -p1
-%patch125 -p1
-%patch126 -p1
-%patch127 -p1
-%patch128 -p1
-%patch129 -p1
-%patch130 -p1
-%patch131 -p1
-%patch132 -p1
-%patch133 -p1
-%patch134 -p1
-%patch135 -p1
-%patch136 -p1
-%patch137 -p1
-%patch138 -p1
-%patch139 -p1
 
 %build
-%configure
+mkdir py2 py3
-make %{_smp_mflags}
+%global _configure ../configure
+%global _configure_disable_silent_rules 1
+( cd py2 && %configure --cache-file=../config.cache --with-python=%{__python2} )
+( cd py3 && %configure --cache-file=../config.cache --with-python=%{__python3} )
+%make_build -C py2
+%make_build -C py3
 
 %install
-rm -fr %{buildroot}
+%make_install -C py2
-
+%make_install -C py3
-make install DESTDIR=%{buildroot}
 
 # multiarch crazyness on timestamp differences or Makefile/binaries for examples
-touch -m --reference=$RPM_BUILD_ROOT/%{_includedir}/libxml2/libxml/parser.h $RPM_BUILD_ROOT/%{_bindir}/xml2-config
+touch -m --reference=%{buildroot}%{_includedir}/libxml2/libxml/parser.h %{buildroot}%{_bindir}/xml2-config
 
-rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
+find %{buildroot} -type f -name '*.la' -print -delete
-rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.a
+rm -vf %{buildroot}{%{python2_sitearch},%{python3_sitearch}}/*.a
-rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.la
+rm -vrf %{buildroot}%{_datadir}/doc/
-rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/libxml2-%{version}/*
+#(cd doc/examples ; make clean ; rm -rf .deps Makefile)
-rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/libxml2-python-%{version}/*
-(cd doc/examples ; make clean ; rm -rf .deps Makefile)
 gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
 
 %check
-make runtests
+%make_build runtests -C py2
+%make_build runtests -C py3
 
-%clean
+%ldconfig_scriptlets
-rm -fr %{buildroot}
-
-%post -p /sbin/ldconfig
-
-%postun -p /sbin/ldconfig
 
 %files
-%defattr(-, root, root)
+%license Copyright
-
+%doc AUTHORS NEWS README TODO
-%doc AUTHORS NEWS README Copyright TODO
+%{_libdir}/libxml2.so.2*
-%doc %{_mandir}/man1/xmllint.1*
+%{_mandir}/man3/libxml.3*
-%doc %{_mandir}/man1/xmlcatalog.1*
-%doc %{_mandir}/man3/libxml.3*
-
-%{_libdir}/lib*.so.*
 %{_bindir}/xmllint
+%{_mandir}/man1/xmllint.1*
 %{_bindir}/xmlcatalog
+%{_mandir}/man1/xmlcatalog.1*
 
 %files devel
-%defattr(-, root, root)
-
-%doc %{_mandir}/man1/xml2-config.1*
-%doc AUTHORS NEWS README Copyright
 %doc doc/*.html doc/html doc/*.gif doc/*.png
 %doc doc/tutorial doc/libxml2-api.xml.gz
 %doc doc/examples
-%doc %dir %{_datadir}/gtk-doc/html/libxml2
+%dir %{_datadir}/gtk-doc
-%doc %{_datadir}/gtk-doc/html/libxml2/*.devhelp
+%dir %{_datadir}/gtk-doc/html
-%doc %{_datadir}/gtk-doc/html/libxml2/*.html
+%{_datadir}/gtk-doc/html/libxml2/
-%doc %{_datadir}/gtk-doc/html/libxml2/*.png
+%{_libdir}/libxml2.so
-%doc %{_datadir}/gtk-doc/html/libxml2/*.css
+%{_libdir}/xml2Conf.sh
-
+%{_includedir}/libxml2/
-%{_libdir}/lib*.so
-%{_libdir}/*.sh
-%{_includedir}/*
 %{_bindir}/xml2-config
+%{_mandir}/man1/xml2-config.1*
 %{_datadir}/aclocal/libxml.m4
 %{_libdir}/pkgconfig/libxml-2.0.pc
+%{_libdir}/cmake/libxml2/
 
 %files static
-%defattr(-, root, root)
+%license Copyright
+%{_libdir}/libxml2.a
 
-%{_libdir}/*a
+%files -n python2-%{name}
+%doc python/TODO python/libxml2class.txt
+%doc doc/*.py doc/python.html
+%{python2_sitearch}/libxml2.py*
+%{python2_sitearch}/drv_libxml2.py*
+%{python2_sitearch}/libxml2mod.so
 
-%files python
+%files -n python3-%{name}
-%defattr(-, root, root)
+%doc python/TODO python/libxml2class.txt
-
+%doc doc/*.py doc/python.html
-%{_libdir}/python*/site-packages/libxml2.py*
+%{python3_sitearch}/libxml2.py
-%{_libdir}/python*/site-packages/drv_libxml2.py*
+%{python3_sitearch}/__pycache__/libxml2.*
-%{_libdir}/python*/site-packages/libxml2mod*
+%{python3_sitearch}/drv_libxml2.py
-%doc python/TODO
+%{python3_sitearch}/__pycache__/drv_libxml2.*
-%doc python/libxml2class.txt
+%{python3_sitearch}/libxml2mod.so
-%doc python/tests/*.py
-%doc doc/*.py
-%doc doc/python.html
 
 %changelog
-* Mon Jun  6 2016 Daniel Veillard <veillard@redhat.com> - libxml2-2.9.1-6.3
+* Fri Nov 08 2019 David King <amigadave@amigadave.com> - 2.9.10-1
-- Heap-based buffer overread in xmlNextChar (CVE-2016-1762)
+- Update to 2.9.10 (#1767151)
-- Bug 763071: Heap-buffer-overflow in xmlStrncat <https://bugzilla.gnome.org/show_bug.cgi?id=763071> (CVE-2016-1834)
-- Bug 757711: Heap-buffer-overflow in xmlFAParsePosCharGroup <https://bugzilla.gnome.org/show_bug.cgi?id=757711> (CVE-2016-1840)
-- Bug 758588: Heap-based buffer overread in xmlParserPrintFileContextInternal <https://bugzilla.gnome.org/show_bug.cgi?id=758588> (CVE-2016-1838)
-- Bug 758605: Heap-based buffer overread in xmlDictAddString <https://bugzilla.gnome.org/show_bug.cgi?id=758605> (CVE-2016-1839)
-- Bug 759398: Heap use-after-free in xmlDictComputeFastKey <https://bugzilla.gnome.org/show_bug.cgi?id=759398> (CVE-2016-1836)
-- Fix inappropriate fetch of entities content (CVE-2016-4449)
-- Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemiteral (CVE-2016-1837)
-- Heap use-after-free in xmlSAX2AttributeNs (CVE-2016-1835)
-- Heap-based buffer-underreads due to xmlParseName (CVE-2016-4447)
-- Heap-based buffer overread in htmlCurrentChar (CVE-2016-1833)
-- Add missing increments of recursion depth counter to XML parser. (CVE-2016-3705)
-- Avoid building recursive entities (CVE-2016-3627)
-- Fix some format string warnings with possible format string vulnerability (CVE-2016-4448)
-- More format string warnings with possible format string vulnerability (CVE-2016-4448)
 
-* Mon Nov 30 2015 Daniel Veillard <veillard@redhat.com> - 2.9.1-6.2
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.9-3
-- Fix a series of CVEs (rhbz#1286496)
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-- CVE-2015-7941 Stop parsing on entities boundaries errors
-- CVE-2015-7941 Cleanup conditional section error handling
-- CVE-2015-8317 Fail parsing early on if encoding conversion failed
-- CVE-2015-7942 Another variation of overflow in Conditional sections
-- CVE-2015-7942 Fix an error in previous Conditional section patch
-- Fix parsing short unclosed comment uninitialized access
-- CVE-2015-7498 Avoid processing entities after encoding conversion failures
-- CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey
-- CVE-2015-5312 Another entity expansion issue
-- CVE-2015-7499 Add xmlHaltParser() to stop the parser
-- CVE-2015-7499 Detect incoherency on GROW
-- CVE-2015-7500 Fix memory access error due to incorrect entities boundaries
-- CVE-2015-8242 Buffer overead with HTML parser in push mode
-- CVE-2015-1819 Enforce the reader to run in constant memory
 
-* Mon Mar 23 2015 Daniel Veillard <veillard@redhat.com> - 2.9.1-6
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.9-2
-- Fix missing entities after CVE-2014-3660 fix
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-- CVE-2014-0191 Do not fetch external parameter entities (rhbz#1195650)
-- Fix regressions introduced by CVE-2014-0191 patch
 
-* Sat Oct 11 2014 Daniel Veillard <veillard@redhat.com> - 2.9.1-5.1
+* Fri Jan 25 2019 David King <amigadave@amigadave.com> - 2.9.9-1
-- CVE-2014-3660 denial of service via recursive entity expansion (rhbz#1149087)
+- Update to 2.9.9
 
-* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.9.1-5
+* Sun Jan 06 2019 Björn Esser <besser82@fedoraproject.org> - 2.9.8-5
-- Mass rebuild 2014-01-24
+- Add patch to fix crash: xmlParserPrintFileContextInternal mangles utf8
 
-* Wed Jan 15 2014 Daniel Veillard <veillard@redhat.com> - 2.9.1-4
+* Thu Aug 02 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.9.8-4
-- rebuild to activate -O3 on ppc64 rhbz#1051068
+- Backport patches from upstream
 
-* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 2.9.1-3
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.8-3
-- Mass rebuild 2013-12-27
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
-* Fri Nov 15 2013 Daniel Veillard <veillard@redhat.com> - 2.9.1-2
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 2.9.8-2
-- Fix a regression in xmlGetDocCompressMode() rhbz#963716
+- Rebuilt for Python 3.7
+
+* Tue Apr 03 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.9.8-1
+- Update to 2.9.8
+
+* Sat Feb 24 2018 Florian Weimer <fweimer@redhat.com> - 2.9.7-4
+- Rebuild with new LDFLAGS from redhat-rpm-config
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Tue Jan 30 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.9.7-2
+- Switch to %%ldconfig_scriptlets
+
+* Wed Jan 24 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.9.7-1
+- Update to 2.9.7
+- Cleanups in packaging
+
+* Tue Jan 09 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.9.5-3
+- Update Python 2 dependency declarations to new packaging standards
+  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Fri Sep 22 2017 Petr Pisar <ppisar@redhat.com> - 2.9.5-2
+- Fix reporting error about undefined XPath variables (bug #1493613)
+
+* Mon Sep  4 2017 Daniel Veillard <veillard@redhat.com> - 2.9.5-1
+- update to 2.9.5
+
+* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.9.4-5
+- Python 2 binary package renamed to python2-libxml2
+  See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Dec 21 2016 Kevin Fenzi <kevin@scrye.com> - 2.9.4-1
+- Update to 2.9.4.
+- Apply very hacky patch that removes the no longer in python-3.6 PyVerify_fd symbol.
+
+* Mon Dec 12 2016 Charalampos Stratakis <cstratak@redhat.com> - 2.9.3-5
+- Rebuild for Python 3.6
+
+* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.9.3-4
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Dec 02 2015 Kalev Lember <klember@redhat.com> - 2.9.3-2
+- Fix obsoletes versions now that F22 has libxml2 2.9.3 (#1287262)
+
+* Fri Nov 20 2015 Daniel Veillard <veillard@redhat.com> - 2.9.2-1
+- upstream release of 2.9.3
+- Fixes for CVE-2015-8035, CVE-2015-7942, CVE-2015-7941, CVE-2015-1819
+  CVE-2015-7497, CVE-2015-7498, CVE-2015-5312, CVE-2015-7499, CVE-2015-7500
+  and CVE-2015-8242
+- many other bug fixes
+
+* Fri Nov 06 2015 Robert Kuska <rkuska@redhat.com> - 2.9.2-9
+- Rebuilt for Python3.5 rebuild
+- Python3.5 has new naming convention for byte compiled files
+
+* Tue Nov  3 2015 Toshio Kuratomi <toshio@fedoraproject.org> - 2.9.2-8
+- Remove executable permissions from documentation.  Complies with packaging
+  guidelines and solves issue of libxml2-python3 package depending on python2
+
+* Thu Aug 27 2015 Miro Hrončok <mhroncok@redhat.com> - 2.9.2-7
+- Remove dependency on python2 from python3 subpackage, rhbz#1250940
+
+* Sat Aug 22 2015 Kalev Lember <klember@redhat.com> - 2.9.2-6
+- Rename the Python 3 subpackage to python3-libxml2 as per guidelines
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.9.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sat Feb 21 2015 Till Maas <opensource@till.name> - 2.9.2-4
+- Rebuilt for Fedora 23 Change
+  https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
+
+* Wed Jan 21 2015 Tomas Radej <tradej@redhat.com> - 2.9.2-3
+- Added Python 3 subpackage
+
+* Thu Oct 16 2014 Lubomir Rintel <lkundrak@v3.sk> - 2.9.2-2
+- Avoid corrupting the xml catalogs
+
+* Thu Oct 16 2014 Daniel Veillard <veillard@redhat.com> - 2.9.2-1
+- upstream release of 2.9.2
+- Fix for CVE-214-3660 billion laugh DOS
+- many other bug fixes
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.9.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Jul 18 2014 Tom Callaway <spot@fedoraproject.org> - 2.9.1-4
+- fix license handling
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.9.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.9.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
 
 * Fri Apr 19 2013 Daniel Veillard <veillard@redhat.com> - 2.9.1-1
 - upstream release of 2.9.1