Update to 4.9.1

Fix for CVE-2022-2309

Resolves: rhbz#2107571, rhbz#2110131

.gitignore

@@ -57,3 +57,4 @@ lxml-2.2.7.tar.gz.asc
 /lxml-4.6.2.tar.gz
 /lxml-4.6.3.tar.gz
 /lxml-4.7.1.tar.gz
+/lxml-4.9.1.tar.gz

fix-namespace-count.patch

@@ -0,0 +1,53 @@
+From c742576c105f40fc8b754fcae56fee4aa35840a3 Mon Sep 17 00:00:00 2001
+From: Stefan Behnel <stefan_ml@behnel.de>
+Date: Tue, 19 Jul 2022 08:25:20 +0200
+Subject: [PATCH] Work around libxml2 bug in affected versions that failed to
+ reset the namespace count in the parser context.
+
+See https://gitlab.gnome.org/GNOME/libxml2/-/issues/378
+---
+ src/lxml/includes/xmlparser.pxd | 1 +
+ src/lxml/parser.pxi             | 3 +++
+ src/lxml/tests/test_etree.py    | 3 +--
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/lxml/includes/xmlparser.pxd b/src/lxml/includes/xmlparser.pxd
+index a196e34bd..45acfc846 100644
+--- a/src/lxml/includes/xmlparser.pxd
++++ b/src/lxml/includes/xmlparser.pxd
+@@ -144,6 +144,7 @@ cdef extern from "libxml/parser.h":
+         void* userData
+         int* spaceTab
+         int spaceMax
++        int nsNr
+         bint html
+         bint progressive
+         int inSubset
+diff --git a/src/lxml/parser.pxi b/src/lxml/parser.pxi
+index f5baf29b9..f0c8c6b64 100644
+--- a/src/lxml/parser.pxi
++++ b/src/lxml/parser.pxi
+@@ -569,6 +569,9 @@ cdef class _ParserContext(_ResolverContext):
+                 self._c_ctxt.disableSAX = 0 # work around bug in libxml2
+             else:
+                 xmlparser.xmlClearParserCtxt(self._c_ctxt)
++                # work around bug in libxml2 [2.9.10 .. 2.9.14]:
++                # https://gitlab.gnome.org/GNOME/libxml2/-/issues/378
++                self._c_ctxt.nsNr = 0
+ 
+     cdef int prepare(self, bint set_document_loader=True) except -1:
+         cdef int result
+diff --git a/src/lxml/tests/test_etree.py b/src/lxml/tests/test_etree.py
+index 8bf82c084..0339796d6 100644
+--- a/src/lxml/tests/test_etree.py
++++ b/src/lxml/tests/test_etree.py
+@@ -1491,8 +1491,7 @@ def test_walk_after_parse_failure(self):
+             # This would be the expected result, because there was no namespace
+             pass
+         else:
+-            # This is a bug in libxml2
+-            assert not ns, repr(ns)
++            assert False, "Found unexpected namespace '%s'" % ns
+ 
+     def test_itertext_comment_pi(self):
+         # https://bugs.launchpad.net/lxml/+bug/1844674

python-lxml.spec

@@ -1,6 +1,6 @@
 Name:           python-lxml
-Version:        4.7.1
-Release:        6%{?dist}
+Version:        4.9.1
+Release:        1%{?dist}
 Summary:        XML processing library combining libxml2/libxslt with the ElementTree API
 
 # The lxml project is licensed under BSD-3-Clause
@@ -11,6 +11,11 @@ License:        BSD-3-Clause AND MIT-CMU AND MIT
 URL:            https://github.com/lxml/lxml
 Source:         %{pypi_source lxml}
 
+# Work around libxml2 bug in affected versions that failed to reset the
+# namespace count in the parser context.
+# Resolved upstream: https://github.com/lxml/lxml/commit/c742576c105f40fc8b754fcae56fee4aa35840a3
+Patch:          fix-namespace-count.patch
+
 BuildRequires:  gcc
 BuildRequires:  libxml2-devel
 BuildRequires:  libxslt-devel
@@ -66,6 +71,11 @@ cp -a build/lib.%{python3_platform}-*/* src/
 %doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt
 
 %changelog
+* Wed Sep 14 2022 Charalampos Stratakis <cstratak@redhat.com> - 4.9.1-1
+- Update to 4.9.1
+- Fix for CVE-2022-2309
+- Resolves: rhbz#2107571, rhbz#2110131
+
 * Wed Aug 31 2022 Miro Hrončok <mhroncok@redhat.com> - 4.7.1-6
 - Use SPDX license identifiers
 - The schematron files are not Zlib licensed, but MIT

sources

@@ -1 +1 @@
-SHA512 (lxml-4.7.1.tar.gz) = dd0d421e10db6c9084cf5b2c04a4fc54d74bd62b4dfa83efcf92dd46cd1c5f043c47613521b2de04c450b83eb1161d197b017c53e615e5785e97e7afe106b6cf
+SHA512 (lxml-4.9.1.tar.gz) = d7ec55c7db2c63a716ca5f4d833706d90fc76c944885e010fcdb96786bcfe796994e438450cf4e8e6e75d702e21fb16971f28f854d7a1f76c34e4ae315414d84