summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGilles Dartiguelongue <eva@gentoo.org>2017-08-25 00:34:16 +0200
committerGilles Dartiguelongue <eva@gentoo.org>2017-08-25 00:47:44 +0200
commit28aec45d6aa5d68e5de17feae733ec5497d7c0b8 (patch)
tree14da9eca36a7b66da222eae4f68f07b9186c096d
parent821692d22ef707100836b98f17c46e4846a3f5f4 (diff)
downloadgentoo-28aec45d6aa5d68e5de17feae733ec5497d7c0b8.tar.gz
gentoo-28aec45d6aa5d68e5de17feae733ec5497d7c0b8.tar.xz
dev-libs/libxml2: add more security patches
Fix typo in patch changing test target and re-enable running unittests in src_test. Package-Manager: Portage-2.3.8, Repoman-2.3.3
-rw-r--r--dev-libs/libxml2/files/libxml2-2.9.2-disable-tests.patch2
-rw-r--r--dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-0663.patch43
-rw-r--r--dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7376.patch31
-rw-r--r--dev-libs/libxml2/files/libxml2-2.9.4-fix-root-node-cmp.patch34
-rw-r--r--dev-libs/libxml2/libxml2-2.9.4-r3.ebuild239
5 files changed, 348 insertions, 1 deletions
diff --git a/dev-libs/libxml2/files/libxml2-2.9.2-disable-tests.patch b/dev-libs/libxml2/files/libxml2-2.9.2-disable-tests.patch
index a996bf64a18..a231269b4b8 100644
--- a/dev-libs/libxml2/files/libxml2-2.9.2-disable-tests.patch
+++ b/dev-libs/libxml2/files/libxml2-2.9.2-disable-tests.patch
@@ -25,7 +25,7 @@ do not build test programs as we don't install them
#testOOM_LDADD= $(LDADDS)
-runtests:
-+runtests: check_PROGRAMS
++runtests: $(check_PROGRAMS)
[ -d test ] || $(LN_S) $(srcdir)/test .
[ -d result ] || $(LN_S) $(srcdir)/result .
$(CHECKER) ./runtest$(EXEEXT) && $(CHECKER) ./testrecurse$(EXEEXT) &&$(CHECKER) ./testapi$(EXEEXT) && $(CHECKER) ./testchar$(EXEEXT)&& $(CHECKER) ./testdict$(EXEEXT) && $(CHECKER) ./runxmlconf$(EXEEXT)
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-0663.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-0663.patch
new file mode 100644
index 00000000000..517e178a533
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-0663.patch
@@ -0,0 +1,43 @@
+From d815758b6a8c9dee8155268e49b5ef3b80135a14 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 6 Jun 2017 12:56:28 +0200
+Subject: [PATCH 1/3] Fix type confusion in xmlValidateOneNamespace
+
+Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on
+namespace declarations make no practical sense anyway.
+
+Fixes bug 780228.
+
+Found with libFuzzer and ASan.
+---
+ valid.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/valid.c b/valid.c
+index 8075d3a0..c51ea290 100644
+--- a/valid.c
++++ b/valid.c
+@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+ }
+ }
+
++ /*
++ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
++ * xmlAddID and xmlAddRef for namespace declarations, but it makes
++ * no practical sense to use ID types anyway.
++ */
++#if 0
+ /* Validity Constraint: ID uniqueness */
+ if (attrDecl->atype == XML_ATTRIBUTE_ID) {
+ if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+ if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+ ret = 0;
+ }
++#endif
+
+ /* Validity Constraint: Notation Attributes */
+ if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
+--
+2.14.1
+
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7376.patch b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7376.patch
new file mode 100644
index 00000000000..14ec773608b
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.9.4-CVE-2017-7376.patch
@@ -0,0 +1,31 @@
+From 43cd3b6222bda2332e963eb1c9ead78f29912b0a Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 7 Apr 2017 17:13:28 +0200
+Subject: [PATCH 2/3] Increase buffer space for port in HTTP redirect support
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=780690
+
+nanohttp.c: the code wrongly assumed a short int port value.
+---
+ nanohttp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/nanohttp.c b/nanohttp.c
+index 26e4290e..9c17530e 100644
+--- a/nanohttp.c
++++ b/nanohttp.c
+@@ -1423,9 +1423,9 @@ retry:
+ if (ctxt->port != 80) {
+ /* reserve space for ':xxxxx', incl. potential proxy */
+ if (proxy)
+- blen += 12;
++ blen += 17;
+ else
+- blen += 6;
++ blen += 11;
+ }
+ bp = (char*)xmlMallocAtomic(blen);
+ if ( bp == NULL ) {
+--
+2.14.1
+
diff --git a/dev-libs/libxml2/files/libxml2-2.9.4-fix-root-node-cmp.patch b/dev-libs/libxml2/files/libxml2-2.9.4-fix-root-node-cmp.patch
new file mode 100644
index 00000000000..224d60ff052
--- /dev/null
+++ b/dev-libs/libxml2/files/libxml2-2.9.4-fix-root-node-cmp.patch
@@ -0,0 +1,34 @@
+From a1fb9a4f511d89f0738b62cabd6d92bfd9eb94a9 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 28 Jun 2016 14:19:58 +0200
+Subject: [PATCH 3/3] Fix comparison with root node in xmlXPathCmpNodes
+
+This change has already been made in xmlXPathCmpNodesExt but not in
+xmlXPathCmpNodes.
+---
+ xpath.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 67afbca5..5a01b1b3 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -3342,13 +3342,13 @@ xmlXPathCmpNodes(xmlNodePtr node1, xmlNodePtr node2) {
+ * compute depth to root
+ */
+ for (depth2 = 0, cur = node2;cur->parent != NULL;cur = cur->parent) {
+- if (cur == node1)
++ if (cur->parent == node1)
+ return(1);
+ depth2++;
+ }
+ root = cur;
+ for (depth1 = 0, cur = node1;cur->parent != NULL;cur = cur->parent) {
+- if (cur == node2)
++ if (cur->parent == node2)
+ return(-1);
+ depth1++;
+ }
+--
+2.14.1
+
diff --git a/dev-libs/libxml2/libxml2-2.9.4-r3.ebuild b/dev-libs/libxml2/libxml2-2.9.4-r3.ebuild
new file mode 100644
index 00000000000..4c2fa243d2a
--- /dev/null
+++ b/dev-libs/libxml2/libxml2-2.9.4-r3.ebuild
@@ -0,0 +1,239 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+PYTHON_COMPAT=( python2_7 python3_{4,5,6} )
+PYTHON_REQ_USE="xml"
+
+inherit libtool flag-o-matic ltprune python-r1 autotools prefix multilib-minimal
+
+DESCRIPTION="Version 2 of the library to manipulate XML files"
+HOMEPAGE="http://www.xmlsoft.org/"
+
+LICENSE="MIT"
+SLOT="2"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~ppc-aix ~x64-cygwin ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris ~x86-winnt"
+IUSE="debug examples icu ipv6 lzma python readline static-libs test"
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+
+XSTS_HOME="http://www.w3.org/XML/2004/xml-schema-test-suite"
+XSTS_NAME_1="xmlschema2002-01-16"
+XSTS_NAME_2="xmlschema2004-01-14"
+XSTS_TARBALL_1="xsts-2002-01-16.tar.gz"
+XSTS_TARBALL_2="xsts-2004-01-14.tar.gz"
+XMLCONF_TARBALL="xmlts20080827.tar.gz"
+
+SRC_URI="ftp://xmlsoft.org/${PN}/${PN}-${PV/_rc/-rc}.tar.gz
+ test? (
+ ${XSTS_HOME}/${XSTS_NAME_1}/${XSTS_TARBALL_1}
+ ${XSTS_HOME}/${XSTS_NAME_2}/${XSTS_TARBALL_2}
+ http://www.w3.org/XML/Test/${XMLCONF_TARBALL} )"
+
+RDEPEND="
+ >=sys-libs/zlib-1.2.8-r1:=[${MULTILIB_USEDEP}]
+ icu? ( >=dev-libs/icu-51.2-r1:=[${MULTILIB_USEDEP}] )
+ lzma? ( >=app-arch/xz-utils-5.0.5-r1:=[${MULTILIB_USEDEP}] )
+ python? ( ${PYTHON_DEPS} )
+ readline? ( sys-libs/readline:= )
+"
+DEPEND="${EDEPEND}
+ dev-util/gtk-doc-am
+ virtual/pkgconfig
+ hppa? ( >=sys-devel/binutils-2.15.92.0.2 )
+"
+
+S="${WORKDIR}/${PN}-${PV%_rc*}"
+
+MULTILIB_CHOST_TOOLS=(
+ /usr/bin/xml2-config
+)
+
+src_unpack() {
+ # ${A} isn't used to avoid unpacking of test tarballs into $WORKDIR,
+ # as they are needed as tarballs in ${S}/xstc instead and not unpacked
+ unpack ${P/_rc/-rc}.tar.gz
+ cd "${S}" || die
+
+ if use test; then
+ cp "${DISTDIR}/${XSTS_TARBALL_1}" \
+ "${DISTDIR}/${XSTS_TARBALL_2}" \
+ "${S}"/xstc/ \
+ || die "Failed to install test tarballs"
+ unpack ${XMLCONF_TARBALL}
+ fi
+}
+
+src_prepare() {
+ default
+
+ DOCS=( AUTHORS ChangeLog NEWS README* TODO* )
+
+ # Patches needed for prefix support
+ eapply "${FILESDIR}"/${PN}-2.7.1-catalog_path.patch
+
+ eprefixify catalog.c xmlcatalog.c runtest.c xmllint.c
+
+ # Fix build for Windows platform
+ # https://bugzilla.gnome.org/show_bug.cgi?id=760456
+ eapply "${FILESDIR}"/${PN}-2.8.0_rc1-winnt.patch
+
+ # Disable programs that we don't actually install.
+ # https://bugzilla.gnome.org/show_bug.cgi?id=760457
+ eapply "${FILESDIR}"/${PN}-2.9.2-disable-tests.patch
+
+ # Fix python detection, bug #567066
+ # https://bugzilla.gnome.org/show_bug.cgi?id=760458
+ eapply "${FILESDIR}"/${PN}-2.9.2-python-ABIFLAG.patch
+
+ # Apply round of security patches wrt bugs
+ # 589816, 597112, 597114, 597116. This will be included
+ # in the next upstream release
+ eapply "${FILESDIR}"/${PN}-2.9.4-CVE-2016-4658.patch
+ eapply "${FILESDIR}"/${PN}-2.9.4-CVE-2016-5131.patch
+ eapply "${FILESDIR}"/${PN}-2.9.4-nullptrderef.patch
+ eapply "${FILESDIR}"/${PN}-2.9.4-nullptrderef2.patch
+
+ # Apply round of security patches wrt bugs:
+ # 599192, 586886, 618604, 622914, 605208, 623206
+ # This will be included in the next upstream release
+ eapply "${FILESDIR}"/${P}-CVE-2017-5969.patch
+ eapply "${FILESDIR}"/${P}-osd-validation.patch
+ eapply "${FILESDIR}"/${P}-CVE-2017-9049-9050.patch
+ eapply "${FILESDIR}"/${P}-CVE-2017-9047-9048.patch
+ eapply "${FILESDIR}"/${P}-heap-buffer-overflow.patch
+ eapply "${FILESDIR}"/${P}-CVE-2016-9318.patch
+ eapply "${FILESDIR}"/${P}-CVE-2017-7375.patch
+ eapply "${FILESDIR}"/${P}-CVE-2017-0663.patch
+
+ # More patche stolen from Debian patch stack
+ eapply "${FILESDIR}"/${P}-CVE-2017-7376.patch
+ eapply "${FILESDIR}"/${P}-fix-root-node-cmp.patch
+
+ # After all the patching this test still fails:
+ rm "${S}"/test/errors10/781205.xml || die
+
+ # Avoid final linking arguments for python modules
+ if [[ ${CHOST} == *-darwin* ]] ; then
+ sed -i -e '/PYTHON_LIBS/s/ldflags/libs/' configure.ac || die
+ fi
+
+ # Please do not remove, as else we get references to PORTAGE_TMPDIR
+ # in /usr/lib/python?.?/site-packages/libxml2mod.la among things.
+ # We now need to run eautoreconf at the end to prevent maintainer mode.
+# elibtoolize
+# epunt_cxx # if we don't eautoreconf
+
+ eautoreconf
+}
+
+multilib_src_configure() {
+ # filter seemingly problematic CFLAGS (#26320)
+ filter-flags -fprefetch-loop-arrays -funroll-loops
+
+ # USE zlib support breaks gnome2
+ # (libgnomeprint for instance fails to compile with
+ # fresh install, and existing) - <azarah@gentoo.org> (22 Dec 2002).
+
+ # The meaning of the 'debug' USE flag does not apply to the --with-debug
+ # switch (enabling the libxml2 debug module). See bug #100898.
+
+ # --with-mem-debug causes unusual segmentation faults (bug #105120).
+
+ libxml2_configure() {
+ ECONF_SOURCE="${S}" econf \
+ --with-html-subdir=${PF}/html \
+ $(use_with debug run-debug) \
+ $(use_with icu) \
+ $(use_with lzma) \
+ $(use_enable ipv6) \
+ $(use_enable static-libs static) \
+ $(multilib_native_use_with readline) \
+ $(multilib_native_use_with readline history) \
+ "$@"
+ }
+
+ libxml2_py_configure() {
+ mkdir -p "${BUILD_DIR}" || die # ensure python build dirs exist
+ run_in_build_dir libxml2_configure "--with-python=${ROOT%/}${PYTHON}" # odd build system, also see bug #582130
+ }
+
+ libxml2_configure --without-python # build python bindings separately
+
+ if multilib_is_native_abi && use python; then
+ python_foreach_impl libxml2_py_configure
+ fi
+}
+
+multilib_src_compile() {
+ default
+ if multilib_is_native_abi && use python; then
+ local native_builddir=${BUILD_DIR}
+ python_foreach_impl libxml2_py_emake top_builddir="${native_builddir}" all
+ fi
+}
+
+multilib_src_test() {
+ emake check
+ multilib_is_native_abi && use python && python_foreach_impl libxml2_py_emake test
+}
+
+multilib_src_install() {
+ emake DESTDIR="${D}" \
+ EXAMPLES_DIR="${EPREFIX}"/usr/share/doc/${PF}/examples install
+
+ if multilib_is_native_abi && use python; then
+ python_foreach_impl libxml2_py_emake \
+ DESTDIR="${D}" \
+ docsdir="${EPREFIX}"/usr/share/doc/${PF}/python \
+ exampledir="${EPREFIX}"/usr/share/doc/${PF}/python/examples \
+ install
+ python_foreach_impl python_optimize
+ fi
+}
+
+multilib_src_install_all() {
+ # on windows, xmllint is installed by interix libxml2 in parent prefix.
+ # this is the version to use. the native winnt version does not support
+ # symlinks, which makes repoman fail if the portage tree is linked in
+ # from another location (which is my default). -- mduft
+ if [[ ${CHOST} == *-winnt* ]]; then
+ rm -rf "${ED}"/usr/bin/xmllint
+ rm -rf "${ED}"/usr/bin/xmlcatalog
+ fi
+
+ rm -rf "${ED}"/usr/share/doc/${P}
+ einstalldocs
+
+ if ! use examples; then
+ rm -rf "${ED}"/usr/share/doc/${PF}/examples
+ rm -rf "${ED}"/usr/share/doc/${PF}/python/examples
+ fi
+
+ prune_libtool_files --modules
+}
+
+pkg_postinst() {
+ # We don't want to do the xmlcatalog during stage1, as xmlcatalog will not
+ # be in / and stage1 builds to ROOT=/tmp/stage1root. This fixes bug #208887.
+ if [[ "${ROOT}" != "/" ]]; then
+ elog "Skipping XML catalog creation for stage building (bug #208887)."
+ else
+ # need an XML catalog, so no-one writes to a non-existent one
+ CATALOG="${EROOT}etc/xml/catalog"
+
+ # we dont want to clobber an existing catalog though,
+ # only ensure that one is there
+ # <obz@gentoo.org>
+ if [[ ! -e ${CATALOG} ]]; then
+ [[ -d "${EROOT}etc/xml" ]] || mkdir -p "${EROOT}etc/xml"
+ "${EPREFIX}"/usr/bin/xmlcatalog --create > "${CATALOG}"
+ einfo "Created XML catalog in ${CATALOG}"
+ fi
+ fi
+}
+
+libxml2_py_emake() {
+ pushd "${BUILD_DIR}/python" > /dev/null || die
+ emake "$@"
+ popd > /dev/null
+}