libxml2 package update

Signed-off-by: basebuilder_pel7ppc64lebuilder0 <basebuilder@powerel.org>
5 years ago · 5cf9fb2158
7 changed files with 564 additions and 226 deletions
--- a/SOURCES/libxml2-2.9.1-CVE-2015-8035.patch
+++ b/SOURCES/libxml2-2.9.1-CVE-2015-8035.patch
@ -0,0 +1,31 @@
 From f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Mon Sep 17 00:00:00 2001
 From: Daniel Veillard <veillard@redhat.com>
 Date: Tue, 3 Nov 2015 15:31:25 +0800
 Subject: [PATCH] CVE-2015-8035 Fix XZ compression support loop
 For https://bugzilla.gnome.org/show_bug.cgi?id=757466
 DoS when parsing specially crafted XML document if XZ support
 is compiled in (which wasn't the case for 2.9.2 and master since
 Nov 2013, fixed in next commit !)
 ---
 xzlib.c | 4 ++++
 1 file changed, 4 insertions(+)
 diff --git a/xzlib.c b/xzlib.c
 index 0dcb9f48..1fab5463 100644
 --- a/xzlib.c
 +++ b/xzlib.c
@@ -581,6 +581,10 @@ xz_decomp(xz_statep state)
             xz_error(state, LZMA_DATA_ERROR, "compressed data error");
             return -1;
         }
 +        if (ret == LZMA_PROG_ERROR) {
 +            xz_error(state, LZMA_PROG_ERROR, "compression error");
 +            return -1;
 +        }
     } while (strm->avail_out && ret != LZMA_STREAM_END);
     /* update available output and crc check value */
 -- 
 2.22.0
--- a/SOURCES/libxml2-2.9.1-CVE-2016-5131.patch
+++ b/SOURCES/libxml2-2.9.1-CVE-2016-5131.patch
@ -0,0 +1,131 @@
 commit 3189fa5b5d1cce13e70cf282936736b2e7889a46
 Author: Nick Wellnhofer <wellnhofer@aevum.de>
 Date:   Tue Jun 28 14:22:23 2016 +0200
    Fix XPointer paths beginning with range-to
    The old code would invoke the totally broken xmlXPtrRangeToFunction.
    range-to isn't really a function but a special kind of location step.
    Remove this function and always handle range-to in the XPath code.
    The old xmlXPtrRangeToFunction could also be abused to trigger a
    use-after-free error with the potential for remote code execution.
 diff --git a/xpath.c b/xpath.c
 index 751665b..7c24a82 100644
 --- a/xpath.c
 +++ b/xpath.c
@@ -10691,13 +10691,16 @@ xmlXPathCompPathExpr(xmlXPathParserContextPtr ctxt) {
 		    lc = 1;
 		    break;
 		} else if ((NXT(len) == '(')) {
 -		    /* Note Type or Function */
 +		    /* Node Type or Function */
 		    if (xmlXPathIsNodeType(name)) {
 #ifdef DEBUG_STEP
 		        xmlGenericError(xmlGenericErrorContext,
 				"PathExpr: Type search\n");
 #endif
 			lc = 1;
 +                    } else if (ctxt->xptr &&
 +                               xmlStrEqual(name, BAD_CAST "range-to")) {
 +                        lc = 1;
 		    } else {
 #ifdef DEBUG_STEP
 		        xmlGenericError(xmlGenericErrorContext,
 diff --git a/xpointer.c b/xpointer.c
 index 676c510..d74174a 100644
 --- a/xpointer.c
 +++ b/xpointer.c
@@ -1332,8 +1332,6 @@ xmlXPtrNewContext(xmlDocPtr doc, xmlNodePtr here, xmlNodePtr origin) {
     ret->here = here;
     ret->origin = origin;
 -    xmlXPathRegisterFunc(ret, (xmlChar *)"range-to",
 -	                 xmlXPtrRangeToFunction);
     xmlXPathRegisterFunc(ret, (xmlChar *)"range",
 	                 xmlXPtrRangeFunction);
     xmlXPathRegisterFunc(ret, (xmlChar *)"range-inside",
@@ -2243,76 +2241,14 @@ xmlXPtrRangeInsideFunction(xmlXPathParserContextPtr ctxt, int nargs) {
  * @nargs:  the number of args
  *
  * Implement the range-to() XPointer function
 + *
 + * Obsolete. range-to is not a real function but a special type of location
 + * step which is handled in xpath.c.
  */
 void
 -xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt, int nargs) {
 -    xmlXPathObjectPtr range;
 -    const xmlChar *cur;
 -    xmlXPathObjectPtr res, obj;
 -    xmlXPathObjectPtr tmp;
 -    xmlLocationSetPtr newset = NULL;
 -    xmlNodeSetPtr oldset;
 -    int i;
 -
 -    if (ctxt == NULL) return;
 -    CHECK_ARITY(1);
 -    /*
 -     * Save the expression pointer since we will have to evaluate
 -     * it multiple times. Initialize the new set.
 -     */
 -    CHECK_TYPE(XPATH_NODESET);
 -    obj = valuePop(ctxt);
 -    oldset = obj->nodesetval;
 -    ctxt->context->node = NULL;
 -
 -    cur = ctxt->cur;
 -    newset = xmlXPtrLocationSetCreate(NULL);
 -
 -    for (i = 0; i < oldset->nodeNr; i++) {
 -	ctxt->cur = cur;
 -
 -	/*
 -	 * Run the evaluation with a node list made of a single item
 -	 * in the nodeset.
 -	 */
 -	ctxt->context->node = oldset->nodeTab[i];
 -	tmp = xmlXPathNewNodeSet(ctxt->context->node);
 -	valuePush(ctxt, tmp);
 -
 -	xmlXPathEvalExpr(ctxt);
 -	CHECK_ERROR;
 -
 -	/*
 -	 * The result of the evaluation need to be tested to
 -	 * decided whether the filter succeeded or not
 -	 */
 -	res = valuePop(ctxt);
 -	range = xmlXPtrNewRangeNodeObject(oldset->nodeTab[i], res);
 -	if (range != NULL) {
 -	    xmlXPtrLocationSetAdd(newset, range);
 -	}
 -
 -	/*
 -	 * Cleanup
 -	 */
 -	if (res != NULL)
 -	    xmlXPathFreeObject(res);
 -	if (ctxt->value == tmp) {
 -	    res = valuePop(ctxt);
 -	    xmlXPathFreeObject(res);
 -	}
 -
 -	ctxt->context->node = NULL;
 -    }
 -
 -    /*
 -     * The result is used as the new evaluation set.
 -     */
 -    xmlXPathFreeObject(obj);
 -    ctxt->context->node = NULL;
 -    ctxt->context->contextSize = -1;
 -    ctxt->context->proximityPosition = -1;
 -    valuePush(ctxt, xmlXPtrWrapLocationSet(newset));
 +xmlXPtrRangeToFunction(xmlXPathParserContextPtr ctxt,
 +                       int nargs ATTRIBUTE_UNUSED) {
 +    XP_ERROR(XPATH_EXPR_ERROR);
 }
 /**
--- a/SOURCES/libxml2-2.9.1-CVE-2017-15412.patch
+++ b/SOURCES/libxml2-2.9.1-CVE-2017-15412.patch
@ -0,0 +1,36 @@
 From 0f3b843b3534784ef57a4f9b874238aa1fda5a73 Mon Sep 17 00:00:00 2001
 From: Nick Wellnhofer <wellnhofer@aevum.de>
 Date: Thu, 1 Jun 2017 23:12:19 +0200
 Subject: [PATCH] Fix XPath stack frame logic
 Move the calls to xmlXPathSetFrame and xmlXPathPopFrame around in
 xmlXPathCompOpEvalPositionalPredicate to make sure that the context
 object on the stack is actually protected. Otherwise, memory corruption
 can occur when calling sloppily coded XPath extension functions.
 Fixes bug 783160.
 ---
 xpath.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/xpath.c b/xpath.c
 index 94815075..b816bd36 100644
 --- a/xpath.c
 +++ b/xpath.c
@@ -11932,11 +11932,11 @@ xmlXPathCompOpEvalPositionalPredicate(xmlXPathParserContextPtr ctxt,
 		}
 	    }
 -            frame = xmlXPathSetFrame(ctxt);
 	    valuePush(ctxt, contextObj);
 +            frame = xmlXPathSetFrame(ctxt);
 	    res = xmlXPathCompOpEvalToBoolean(ctxt, exprOp, 1);
 -            tmp = valuePop(ctxt);
             xmlXPathPopFrame(ctxt, frame);
 +            tmp = valuePop(ctxt);
 	    if ((ctxt->error != XPATH_EXPRESSION_OK) || (res == -1)) {
                 while (tmp != contextObj) {
 -- 
 2.22.0
--- a/SOURCES/libxml2-2.9.1-CVE-2017-18258.patch
+++ b/SOURCES/libxml2-2.9.1-CVE-2017-18258.patch
@ -0,0 +1,32 @@
 From e2a9122b8dde53d320750451e9907a7dcb2ca8bb Mon Sep 17 00:00:00 2001
 From: Nick Wellnhofer <wellnhofer@aevum.de>
 Date: Thu, 7 Sep 2017 18:36:01 +0200
 Subject: [PATCH] Set memory limit for LZMA decompression
 Otherwise malicious LZMA compressed files could consume large amounts
 of memory when decompressed.
 According to the xz man page, files compressed with `xz -9` currently
 require 65 MB to decompress, so set the limit to 100 MB.
 Should fix bug 786696.
 ---
 xzlib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/xzlib.c b/xzlib.c
 index 782957f6..f43632bd 100644
 --- a/xzlib.c
 +++ b/xzlib.c
@@ -408,7 +408,7 @@ xz_head(xz_statep state)
         state->strm = init;
         state->strm.avail_in = 0;
         state->strm.next_in = NULL;
 -        if (lzma_auto_decoder(&state->strm, UINT64_MAX, 0) != LZMA_OK) {
 +        if (lzma_auto_decoder(&state->strm, 100000000, 0) != LZMA_OK) {
             xmlFree(state->out);
             xmlFree(state->in);
             state->size = 0;
 -- 
 2.22.0
--- a/SOURCES/libxml2-2.9.1-CVE-2018-14404.patch
+++ b/SOURCES/libxml2-2.9.1-CVE-2018-14404.patch
@ -0,0 +1,54 @@
 From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
 From: Nick Wellnhofer <wellnhofer@aevum.de>
 Date: Mon, 30 Jul 2018 12:54:38 +0200
 Subject: [PATCH] Fix nullptr deref with XPath logic ops
 If the XPath stack is corrupted, for example by a misbehaving extension
 function, the "and" and "or" XPath operators could dereference NULL
 pointers. Check that the XPath stack isn't empty and optimize the
 logic operators slightly.
 Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
 Also see
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
 https://bugzilla.redhat.com/show_bug.cgi?id=1595985
 This is CVE-2018-14404.
 Thanks to Guy Inbar for the report.
 ---
 xpath.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
 diff --git a/xpath.c b/xpath.c
 index 3fae0bf4..5e3bb9ff 100644
 --- a/xpath.c
 +++ b/xpath.c
@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
 		return(0);
 	    }
             xmlXPathBooleanFunction(ctxt, 1);
 -            arg1 = valuePop(ctxt);
 -            arg1->boolval &= arg2->boolval;
 -            valuePush(ctxt, arg1);
 +            if (ctxt->value != NULL)
 +                ctxt->value->boolval &= arg2->boolval;
 	    xmlXPathReleaseObject(ctxt->context, arg2);
             return (total);
         case XPATH_OP_OR:
@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
 		return(0);
 	    }
             xmlXPathBooleanFunction(ctxt, 1);
 -            arg1 = valuePop(ctxt);
 -            arg1->boolval |= arg2->boolval;
 -            valuePush(ctxt, arg1);
 +            if (ctxt->value != NULL)
 +                ctxt->value->boolval |= arg2->boolval;
 	    xmlXPathReleaseObject(ctxt->context, arg2);
             return (total);
         case XPATH_OP_EQUAL:
 -- 
 2.22.0
--- a/SOURCES/libxml2-2.9.1-CVE-2018-14567.patch
+++ b/SOURCES/libxml2-2.9.1-CVE-2018-14567.patch
@ -0,0 +1,50 @@
 From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
 From: Nick Wellnhofer <wellnhofer@aevum.de>
 Date: Mon, 30 Jul 2018 13:14:11 +0200
 Subject: [PATCH] Fix infinite loop in LZMA decompression
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Check the liblzma error code more thoroughly to avoid infinite loops.
 Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
 Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
 This is CVE-2018-9251 and CVE-2018-14567.
 Thanks to Dongliang Mu and Simon Wörner for the reports.
 ---
 xzlib.c | 9 +++++++++
 1 file changed, 9 insertions(+)
 diff --git a/xzlib.c b/xzlib.c
 index a839169e..0ba88cfa 100644
 --- a/xzlib.c
 +++ b/xzlib.c
@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
                          "internal error: inflate stream corrupt");
                 return -1;
             }
 +            /*
 +             * FIXME: Remapping a couple of error codes and falling through
 +             * to the LZMA error handling looks fragile.
 +             */
             if (ret == Z_MEM_ERROR)
                 ret = LZMA_MEM_ERROR;
             if (ret == Z_DATA_ERROR)
@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
             xz_error(state, LZMA_PROG_ERROR, "compression error");
             return -1;
         }
 +        if ((state->how != GZIP) &&
 +            (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
 +            xz_error(state, ret, "lzma error");
 +            return -1;
 +        }
     } while (strm->avail_out && ret != LZMA_STREAM_END);
     /* update available output and crc check value */
 -- 
 2.22.0
--- a/SPECS/libxml2.spec
+++ b/SPECS/libxml2.spec
@ -1,60 +1,21 @@
 # for -O3 on ppc64 c.f. 1051068
 %global _performance_build 1
 Summary: Library providing XML and HTML support
 Name:           libxml2
-Version: 2.9.1
+Version:        2.9.10
-Release: 6%{?dist}%{?extra_release}.3
+Release:        1%{?dist}
 Summary:        Library providing XML and HTML support
 License:        MIT
 Group: Development/Libraries
 Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: python python-devel zlib-devel pkgconfig xz-devel
 URL:            http://xmlsoft.org/
 Source:         ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
 Patch0:         libxml2-multilib.patch
-Patch1: libxml2-2.9.0-do-not-check-crc.patch
+# Patch from openSUSE.
-
+# See:  https://bugzilla.gnome.org/show_bug.cgi?id=789714
-Patch100: libxml2-Fix-a-regression-in-xmlGetDocCompressMode.patch
+Patch1:         libxml2-2.9.8-python3-unicode-errors.patch
 Patch101: CVE-2014-3660-rhel7.patch
 Patch102: libxml2-Fix-missing-entities-after-CVE-2014-3660-fix.patch
 Patch103: libxml2-Do-not-fetch-external-parameter-entities.patch
 Patch104: libxml2-Fix-regression-introduced-by-CVE-2014-0191.patch
 Patch105: libxml2-Stop-parsing-on-entities-boundaries-errors.patch
 Patch106: libxml2-Cleanup-conditional-section-error-handling.patch
 Patch107: libxml2-Fail-parsing-early-on-if-encoding-conversion-failed.patch
 Patch108: libxml2-Another-variation-of-overflow-in-Conditional-sections.patch
 Patch109: libxml2-Fix-an-error-in-previous-Conditional-section-patch.patch
 Patch110: libxml2-Fix-parsing-short-unclosed-comment-uninitialized-access.patch
 Patch111: libxml2-Avoid-extra-processing-of-MarkupDecl-when-EOF.patch
 Patch112: libxml2-Avoid-processing-entities-after-encoding-conversion-failures.patch
 Patch113: libxml2-xmlStopParser-reset-errNo.patch
 Patch114: libxml2-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDictComputeFastQKey.patch
 Patch115: libxml2-CVE-2015-5312-Another-entity-expansion-issue.patch
 Patch116: libxml2-Add-xmlHaltParser-to-stop-the-parser.patch
 Patch117: libxml2-Reuse-xmlHaltParser-where-it-makes-sense.patch
 Patch118: libxml2-Do-not-print-error-context-when-there-is-none.patch
 Patch119: libxml2-Detect-incoherency-on-GROW.patch
 Patch120: libxml2-Fix-some-loop-issues-embedding-NEXT.patch
 Patch121: libxml2-Bug-on-creating-new-stream-from-entity.patch
 Patch122: libxml2-CVE-2015-7500-Fix-memory-access-error-due-to-incorrect-entities-boundaries.patch
 Patch123: libxml2-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-push-mode.patch
 Patch124: libxml2-CVE-2015-1819-Enforce-the-reader-to-run-in-constant-memory.patch
 patch125: libxml2-Add-missing-increments-of-recursion-depth-counter-to-XML-parser.patch
 patch126: libxml2-Avoid-building-recursive-entities.patch
 patch127: libxml2-Bug-757711-heap-buffer-overflow-in-xmlFAParsePosCharGroup-https-bugzilla.gnome.org-show_bug.cgi-id-757711.patch
 patch128: libxml2-Bug-758588-Heap-based-buffer-overread-in-xmlParserPrintFileContextInternal-https-bugzilla.gnome.org-show_bug.cgi-id-758588.patch
 patch129: libxml2-Bug-758605-Heap-based-buffer-overread-in-xmlDictAddString-https-bugzilla.gnome.org-show_bug.cgi-id-758605.patch
 patch130: libxml2-Bug-759398-Heap-use-after-free-in-xmlDictComputeFastKey-https-bugzilla.gnome.org-show_bug.cgi-id-759398.patch
 patch131: libxml2-Bug-763071-heap-buffer-overflow-in-xmlStrncat-https-bugzilla.gnome.org-show_bug.cgi-id-763071.patch
 patch132: libxml2-Fix-inappropriate-fetch-of-entities-content.patch
 patch133: libxml2-Fix-some-format-string-warnings-with-possible-format-string-vulnerability.patch
 patch134: libxml2-Heap-based-buffer-overread-in-htmlCurrentChar.patch
 patch135: libxml2-Heap-based-buffer-overread-in-xmlNextChar.patch
 patch136: libxml2-Heap-based-buffer-underreads-due-to-xmlParseName.patch
 patch137: libxml2-Heap-use-after-free-in-htmlParsePubidLiteral-and-htmlParseSystemiteral.patch
 patch138: libxml2-Heap-use-after-free-in-xmlSAX2AttributeNs.patch
 patch139: libxml2-More-format-string-warnings-with-possible-format-string-vulnerability.patch
 BuildRequires:  gcc
 BuildRequires:  make
 #BuildRequires:  cmake-rpm-macros
 BuildRequires:  pkgconfig(zlib)
 BuildRequires:  pkgconfig(liblzma)
 %description
 This library allows to manipulate XML files. It includes support
@ -69,11 +30,9 @@ URI library.
 %package devel
 Summary:        Libraries, includes, etc. to develop XML and HTML applications
-Group: Development/Libraries
+Requires:       %{name}%{?_isa} = %{version}-%{release}
-Requires: libxml2 = %{version}-%{release}
+Requires:       zlib-devel%{?_isa}
-Requires: zlib-devel
+Requires:       xz-devel%{?_isa}
 Requires: xz-devel
 Requires: pkgconfig
 %description devel
 Libraries, include files, etc you can use to develop XML applications.
@ -89,21 +48,22 @@ URI library.
 %package static
 Summary:        Static library for libxml2
 Group: Development/Libraries
 Requires: libxml2 = %{version}-%{release}
 %description static
 Static library for libxml2 provided for specific uses or shaving a few
 microseconds when parsing, do not link to them for generic purpose packages.
-%package python
+%package -n python2-%{name}
 %{?python_provide:%python_provide python2-%{name}}
 Summary:        Python bindings for the libxml2 library
-Group: Development/Libraries
+BuildRequires:  python2-devel
-Requires: libxml2 = %{version}-%{release}
+Requires:       %{name}%{?_isa} = %{version}-%{release}
-
+Obsoletes:      %{name}-python < %{version}-%{release}
-%description python
+Provides:       %{name}-python = %{version}-%{release}
-The libxml2-python package contains a module that permits applications
+
-written in the Python programming language to use the interface
+%description -n python2-%{name}
 The libxml2-python package contains a Python 2 module that permits applications
 written in the Python programming language, version 2, to use the interface
 supplied by the libxml2 library to manipulate XML files.
 This library allows to manipulate XML files. It includes support
@ -111,187 +71,231 @@ to read, modify and write XML and HTML files. There is DTDs support
 this includes parsing and validation even with complex DTDs, either
 at parse time or later once the document has been modified.
 %package -n python3-%{name}
 Summary:        Python 3 bindings for the libxml2 library
 BuildRequires:  python3-devel
 Requires:       %{name}%{?_isa} = %{version}-%{release}
 Obsoletes:      %{name}-python3 < %{version}-%{release}
 Provides:       %{name}-python3 = %{version}-%{release}
 %description -n python3-%{name}
 The libxml2-python3 package contains a Python 3 module that permits
 applications written in the Python programming language, version 3, to use the
 interface supplied by the libxml2 library to manipulate XML files.
 This library allows to manipulate XML files. It includes support
 to read, modify and write XML and HTML files. There is DTDs support
 this includes parsing and validation even with complex DTDs, either
 at parse time or later once the document has been modified.
 %prep
-%setup -q
+%autosetup -p1
-%patch0 -p1
+find doc -type f -executable -print -exec chmod 0644 {} ';'
 # workaround for #877567 - Very weird bug gzip decompression bug in "recent" libxml2 versions
 %patch1 -p1 -b .do-not-check-crc
 %patch100 -p1
 %patch101 -p1
 %patch102 -p1
 %patch103 -p1
 %patch104 -p1
 %patch105 -p1
 %patch106 -p1
 %patch107 -p1
 %patch108 -p1
 %patch109 -p1
 %patch110 -p1
 %patch111 -p1
 %patch112 -p1
 %patch113 -p1
 %patch114 -p1
 %patch115 -p1
 %patch116 -p1
 %patch117 -p1
 %patch118 -p1
 %patch119 -p1
 %patch120 -p1
 %patch121 -p1
 %patch122 -p1
 %patch123 -p1
 %patch124 -p1
 %patch125 -p1
 %patch126 -p1
 %patch127 -p1
 %patch128 -p1
 %patch129 -p1
 %patch130 -p1
 %patch131 -p1
 %patch132 -p1
 %patch133 -p1
 %patch134 -p1
 %patch135 -p1
 %patch136 -p1
 %patch137 -p1
 %patch138 -p1
 %patch139 -p1
 %build
-%configure
+mkdir py2 py3
-make %{_smp_mflags}
+%global _configure ../configure
 %global _configure_disable_silent_rules 1
 ( cd py2 && %configure --cache-file=../config.cache --with-python=%{__python2} )
 ( cd py3 && %configure --cache-file=../config.cache --with-python=%{__python3} )
 %make_build -C py2
 %make_build -C py3
 %install
-rm -fr %{buildroot}
+%make_install -C py2
-
+%make_install -C py3
 make install DESTDIR=%{buildroot}
 # multiarch crazyness on timestamp differences or Makefile/binaries for examples
-touch -m --reference=$RPM_BUILD_ROOT/%{_includedir}/libxml2/libxml/parser.h $RPM_BUILD_ROOT/%{_bindir}/xml2-config
+touch -m --reference=%{buildroot}%{_includedir}/libxml2/libxml/parser.h %{buildroot}%{_bindir}/xml2-config
-
+
-rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
+find %{buildroot} -type f -name '*.la' -print -delete
-rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.a
+rm -vf %{buildroot}{%{python2_sitearch},%{python3_sitearch}}/*.a
-rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.la
+rm -vrf %{buildroot}%{_datadir}/doc/
-rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/libxml2-%{version}/*
+#(cd doc/examples ; make clean ; rm -rf .deps Makefile)
 rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/libxml2-python-%{version}/*
 (cd doc/examples ; make clean ; rm -rf .deps Makefile)
 gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
 %check
-make runtests
+%make_build runtests -C py2
-
+%make_build runtests -C py3
 %clean
 rm -fr %{buildroot}
-%post -p /sbin/ldconfig
+%ldconfig_scriptlets
 %postun -p /sbin/ldconfig
 %files
-%defattr(-, root, root)
+%license Copyright
-
+%doc AUTHORS NEWS README TODO
-%doc AUTHORS NEWS README Copyright TODO
+%{_libdir}/libxml2.so.2*
-%doc %{_mandir}/man1/xmllint.1*
+%{_mandir}/man3/libxml.3*
 %doc %{_mandir}/man1/xmlcatalog.1*
 %doc %{_mandir}/man3/libxml.3*
 %{_libdir}/lib*.so.*
 %{_bindir}/xmllint
 %{_mandir}/man1/xmllint.1*
 %{_bindir}/xmlcatalog
 %{_mandir}/man1/xmlcatalog.1*
 %files devel
 %defattr(-, root, root)
 %doc %{_mandir}/man1/xml2-config.1*
 %doc AUTHORS NEWS README Copyright
 %doc doc/*.html doc/html doc/*.gif doc/*.png
 %doc doc/tutorial doc/libxml2-api.xml.gz
 %doc doc/examples
-%doc %dir %{_datadir}/gtk-doc/html/libxml2
+%dir %{_datadir}/gtk-doc
-%doc %{_datadir}/gtk-doc/html/libxml2/*.devhelp
+%dir %{_datadir}/gtk-doc/html
-%doc %{_datadir}/gtk-doc/html/libxml2/*.html
+%{_datadir}/gtk-doc/html/libxml2/
-%doc %{_datadir}/gtk-doc/html/libxml2/*.png
+%{_libdir}/libxml2.so
-%doc %{_datadir}/gtk-doc/html/libxml2/*.css
+%{_libdir}/xml2Conf.sh
-
+%{_includedir}/libxml2/
 %{_libdir}/lib*.so
 %{_libdir}/*.sh
 %{_includedir}/*
 %{_bindir}/xml2-config
 %{_mandir}/man1/xml2-config.1*
 %{_datadir}/aclocal/libxml.m4
 %{_libdir}/pkgconfig/libxml-2.0.pc
 %{_libdir}/cmake/libxml2/
 %files static
-%defattr(-, root, root)
+%license Copyright
 %{_libdir}/libxml2.a
 %files -n python2-%{name}
 %doc python/TODO python/libxml2class.txt
 %doc doc/*.py doc/python.html
 %{python2_sitearch}/libxml2.py*
 %{python2_sitearch}/drv_libxml2.py*
 %{python2_sitearch}/libxml2mod.so
 %files -n python3-%{name}
 %doc python/TODO python/libxml2class.txt
 %doc doc/*.py doc/python.html
 %{python3_sitearch}/libxml2.py
 %{python3_sitearch}/__pycache__/libxml2.*
 %{python3_sitearch}/drv_libxml2.py
 %{python3_sitearch}/__pycache__/drv_libxml2.*
 %{python3_sitearch}/libxml2mod.so
 %changelog
 * Fri Nov 08 2019 David King <amigadave@amigadave.com> - 2.9.10-1
 - Update to 2.9.10 (#1767151)
-%{_libdir}/*a
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.9-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-%files python
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.9-2
-%defattr(-, root, root)
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-%{_libdir}/python*/site-packages/libxml2.py*
+* Fri Jan 25 2019 David King <amigadave@amigadave.com> - 2.9.9-1
-%{_libdir}/python*/site-packages/drv_libxml2.py*
+- Update to 2.9.9
 %{_libdir}/python*/site-packages/libxml2mod*
 %doc python/TODO
 %doc python/libxml2class.txt
 %doc python/tests/*.py
 %doc doc/*.py
 %doc doc/python.html
-%changelog
+* Sun Jan 06 2019 Björn Esser <besser82@fedoraproject.org> - 2.9.8-5
-* Mon Jun  6 2016 Daniel Veillard <veillard@redhat.com> - libxml2-2.9.1-6.3
+- Add patch to fix crash: xmlParserPrintFileContextInternal mangles utf8
- Heap-based buffer overread in xmlNextChar (CVE-2016-1762)
+
- Bug 763071: Heap-buffer-overflow in xmlStrncat <https://bugzilla.gnome.org/show_bug.cgi?id=763071> (CVE-2016-1834)
+* Thu Aug 02 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.9.8-4
- Bug 757711: Heap-buffer-overflow in xmlFAParsePosCharGroup <https://bugzilla.gnome.org/show_bug.cgi?id=757711> (CVE-2016-1840)
+- Backport patches from upstream
- Bug 758588: Heap-based buffer overread in xmlParserPrintFileContextInternal <https://bugzilla.gnome.org/show_bug.cgi?id=758588> (CVE-2016-1838)
+
- Bug 758605: Heap-based buffer overread in xmlDictAddString <https://bugzilla.gnome.org/show_bug.cgi?id=758605> (CVE-2016-1839)
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.8-3
- Bug 759398: Heap use-after-free in xmlDictComputeFastKey <https://bugzilla.gnome.org/show_bug.cgi?id=759398> (CVE-2016-1836)
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
- Fix inappropriate fetch of entities content (CVE-2016-4449)
+
- Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemiteral (CVE-2016-1837)
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 2.9.8-2
- Heap use-after-free in xmlSAX2AttributeNs (CVE-2016-1835)
+- Rebuilt for Python 3.7
- Heap-based buffer-underreads due to xmlParseName (CVE-2016-4447)
+
- Heap-based buffer overread in htmlCurrentChar (CVE-2016-1833)
+* Tue Apr 03 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.9.8-1
- Add missing increments of recursion depth counter to XML parser. (CVE-2016-3705)
+- Update to 2.9.8
- Avoid building recursive entities (CVE-2016-3627)
+
- Fix some format string warnings with possible format string vulnerability (CVE-2016-4448)
+* Sat Feb 24 2018 Florian Weimer <fweimer@redhat.com> - 2.9.7-4
- More format string warnings with possible format string vulnerability (CVE-2016-4448)
+- Rebuild with new LDFLAGS from redhat-rpm-config
-
+
-* Mon Nov 30 2015 Daniel Veillard <veillard@redhat.com> - 2.9.1-6.2
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.7-3
- Fix a series of CVEs (rhbz#1286496)
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
- CVE-2015-7941 Stop parsing on entities boundaries errors
+
- CVE-2015-7941 Cleanup conditional section error handling
+* Tue Jan 30 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.9.7-2
- CVE-2015-8317 Fail parsing early on if encoding conversion failed
+- Switch to %%ldconfig_scriptlets
- CVE-2015-7942 Another variation of overflow in Conditional sections
+
- CVE-2015-7942 Fix an error in previous Conditional section patch
+* Wed Jan 24 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.9.7-1
- Fix parsing short unclosed comment uninitialized access
+- Update to 2.9.7
- CVE-2015-7498 Avoid processing entities after encoding conversion failures
+- Cleanups in packaging
- CVE-2015-7497 Avoid an heap buffer overflow in xmlDictComputeFastQKey
+
- CVE-2015-5312 Another entity expansion issue
+* Tue Jan 09 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.9.5-3
- CVE-2015-7499 Add xmlHaltParser() to stop the parser
+- Update Python 2 dependency declarations to new packaging standards
- CVE-2015-7499 Detect incoherency on GROW
+  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
- CVE-2015-7500 Fix memory access error due to incorrect entities boundaries
+
- CVE-2015-8242 Buffer overead with HTML parser in push mode
+* Fri Sep 22 2017 Petr Pisar <ppisar@redhat.com> - 2.9.5-2
- CVE-2015-1819 Enforce the reader to run in constant memory
+- Fix reporting error about undefined XPath variables (bug #1493613)
-
+
-* Mon Mar 23 2015 Daniel Veillard <veillard@redhat.com> - 2.9.1-6
+* Mon Sep  4 2017 Daniel Veillard <veillard@redhat.com> - 2.9.5-1
- Fix missing entities after CVE-2014-3660 fix
+- update to 2.9.5
- CVE-2014-0191 Do not fetch external parameter entities (rhbz#1195650)
+
- Fix regressions introduced by CVE-2014-0191 patch
+* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.9.4-5
-
+- Python 2 binary package renamed to python2-libxml2
-* Sat Oct 11 2014 Daniel Veillard <veillard@redhat.com> - 2.9.1-5.1
+  See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
- CVE-2014-3660 denial of service via recursive entity expansion (rhbz#1149087)
+
-
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.4-4
-* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.9.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
- Mass rebuild 2014-01-24
+
-
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.4-3
-* Wed Jan 15 2014 Daniel Veillard <veillard@redhat.com> - 2.9.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
- rebuild to activate -O3 on ppc64 rhbz#1051068
+
-
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.4-2
-* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 2.9.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
- Mass rebuild 2013-12-27
+
-
+* Wed Dec 21 2016 Kevin Fenzi <kevin@scrye.com> - 2.9.4-1
-* Fri Nov 15 2013 Daniel Veillard <veillard@redhat.com> - 2.9.1-2
+- Update to 2.9.4.
- Fix a regression in xmlGetDocCompressMode() rhbz#963716
+- Apply very hacky patch that removes the no longer in python-3.6 PyVerify_fd symbol.
 * Mon Dec 12 2016 Charalampos Stratakis <cstratak@redhat.com> - 2.9.3-5
 - Rebuild for Python 3.6
 * Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.9.3-4
 - https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
 * Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.3-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
 * Wed Dec 02 2015 Kalev Lember <klember@redhat.com> - 2.9.3-2
 - Fix obsoletes versions now that F22 has libxml2 2.9.3 (#1287262)
 * Fri Nov 20 2015 Daniel Veillard <veillard@redhat.com> - 2.9.2-1
 - upstream release of 2.9.3
 - Fixes for CVE-2015-8035, CVE-2015-7942, CVE-2015-7941, CVE-2015-1819
  CVE-2015-7497, CVE-2015-7498, CVE-2015-5312, CVE-2015-7499, CVE-2015-7500
  and CVE-2015-8242
 - many other bug fixes
 * Fri Nov 06 2015 Robert Kuska <rkuska@redhat.com> - 2.9.2-9
 - Rebuilt for Python3.5 rebuild
 - Python3.5 has new naming convention for byte compiled files
 * Tue Nov  3 2015 Toshio Kuratomi <toshio@fedoraproject.org> - 2.9.2-8
 - Remove executable permissions from documentation.  Complies with packaging
  guidelines and solves issue of libxml2-python3 package depending on python2
 * Thu Aug 27 2015 Miro Hrončok <mhroncok@redhat.com> - 2.9.2-7
 - Remove dependency on python2 from python3 subpackage, rhbz#1250940
 * Sat Aug 22 2015 Kalev Lember <klember@redhat.com> - 2.9.2-6
 - Rename the Python 3 subpackage to python3-libxml2 as per guidelines
 * Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.9.2-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
 * Sat Feb 21 2015 Till Maas <opensource@till.name> - 2.9.2-4
 - Rebuilt for Fedora 23 Change
  https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
 * Wed Jan 21 2015 Tomas Radej <tradej@redhat.com> - 2.9.2-3
 - Added Python 3 subpackage
 * Thu Oct 16 2014 Lubomir Rintel <lkundrak@v3.sk> - 2.9.2-2
 - Avoid corrupting the xml catalogs
 * Thu Oct 16 2014 Daniel Veillard <veillard@redhat.com> - 2.9.2-1
 - upstream release of 2.9.2
 - Fix for CVE-214-3660 billion laugh DOS
 - many other bug fixes
 * Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.9.1-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
 * Fri Jul 18 2014 Tom Callaway <spot@fedoraproject.org> - 2.9.1-4
 - fix license handling
 * Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.9.1-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
 * Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.9.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
 * Fri Apr 19 2013 Daniel Veillard <veillard@redhat.com> - 2.9.1-1
 - upstream release of 2.9.1