
1 Commits
rawhide ... f36

Author SHA1 Message Date
Charalampos Stratakis 24fb39e652 Security fix for CVE-2022-2309
Resolves: rhbz#2107571
2022-09-15 19:25:12 +02:00
10 changed files with 226 additions and 148 deletions


@ -1 +0,0 @@
1

1
.gitignore vendored

@ -57,4 +57,3 @@ lxml-2.2.7.tar.gz.asc
/lxml-4.6.2.tar.gz
/lxml-4.6.3.tar.gz
/lxml-4.7.1.tar.gz
/lxml-4.9.1.tar.gz

186
CVE-2022-2309.patch Normal file

@ -0,0 +1,186 @@
From 85b664e506d73780232c256b6dfbaf1f266cdabd Mon Sep 17 00:00:00 2001
From: Stefan Behnel <stefan_ml@behnel.de>
Date: Fri, 1 Jul 2022 21:06:10 +0200
Subject: [PATCH 1/3] Fix a crash when incorrect parser input occurs together
with usages of iterwalk() on trees generated by the same parser.
---
src/lxml/apihelpers.pxi | 7 ++++---
src/lxml/iterparse.pxi | 11 ++++++-----
src/lxml/tests/test_etree.py | 20 ++++++++++++++++++++
3 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/src/lxml/apihelpers.pxi b/src/lxml/apihelpers.pxi
index 5eb3416..88a031d 100644
--- a/src/lxml/apihelpers.pxi
+++ b/src/lxml/apihelpers.pxi
@@ -246,9 +246,10 @@ cdef dict _build_nsmap(xmlNode* c_node):
while c_node is not NULL and c_node.type == tree.XML_ELEMENT_NODE:
c_ns = c_node.nsDef
while c_ns is not NULL:
- prefix = funicodeOrNone(c_ns.prefix)
- if prefix not in nsmap:
- nsmap[prefix] = funicodeOrNone(c_ns.href)
+ if c_ns.prefix or c_ns.href:
+ prefix = funicodeOrNone(c_ns.prefix)
+ if prefix not in nsmap:
+ nsmap[prefix] = funicodeOrNone(c_ns.href)
c_ns = c_ns.next
c_node = c_node.parent
return nsmap
diff --git a/src/lxml/iterparse.pxi b/src/lxml/iterparse.pxi
index 4c20506..3da7485 100644
--- a/src/lxml/iterparse.pxi
+++ b/src/lxml/iterparse.pxi
@@ -419,7 +419,7 @@ cdef int _countNsDefs(xmlNode* c_node):
count = 0
c_ns = c_node.nsDef
while c_ns is not NULL:
- count += 1
+ count += (c_ns.href is not NULL)
c_ns = c_ns.next
return count
@@ -430,9 +430,10 @@ cdef int _appendStartNsEvents(xmlNode* c_node, list event_list) except -1:
count = 0
c_ns = c_node.nsDef
while c_ns is not NULL:
- ns_tuple = (funicode(c_ns.prefix) if c_ns.prefix is not NULL else '',
- funicode(c_ns.href))
- event_list.append( (u"start-ns", ns_tuple) )
- count += 1
+ if c_ns.href:
+ ns_tuple = (funicodeOrEmpty(c_ns.prefix),
+ funicode(c_ns.href))
+ event_list.append( (u"start-ns", ns_tuple) )
+ count += 1
c_ns = c_ns.next
return count
diff --git a/src/lxml/tests/test_etree.py b/src/lxml/tests/test_etree.py
index ef5c54b..7b85596 100644
--- a/src/lxml/tests/test_etree.py
+++ b/src/lxml/tests/test_etree.py
@@ -1459,6 +1459,26 @@ class ETreeOnlyTestCase(HelperTestCase):
[1,2,1,4],
counts)
+ def test_walk_after_parse_failure(self):
+ # This used to be an issue because libxml2 can leak empty namespaces
+ # between failed parser runs. iterwalk() failed to handle such a tree.
+ try:
+ etree.XML('''<anot xmlns="1">''')
+ except etree.XMLSyntaxError:
+ pass
+ else:
+ assert False, "invalid input did not fail to parse"
+
+ et = etree.XML('''<root> </root>''')
+ try:
+ ns = next(etree.iterwalk(et, events=('start-ns',)))
+ except StopIteration:
+ # This would be the expected result, because there was no namespace
+ pass
+ else:
+ # This is a bug in libxml2
+ assert not ns, repr(ns)
+
def test_itertext_comment_pi(self):
# https://bugs.launchpad.net/lxml/+bug/1844674
XML = self.etree.XML
--
2.37.2
From c26503461af4c250fc6e771887fae7f9dd208e9b Mon Sep 17 00:00:00 2001
From: Stefan Behnel <stefan_ml@behnel.de>
Date: Fri, 1 Jul 2022 21:19:44 +0200
Subject: [PATCH 2/3] Prevent parse failure in new test from leaking into later
test runs.
---
src/lxml/tests/test_etree.py | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/lxml/tests/test_etree.py b/src/lxml/tests/test_etree.py
index 7b85596..8171e03 100644
--- a/src/lxml/tests/test_etree.py
+++ b/src/lxml/tests/test_etree.py
@@ -1462,14 +1462,16 @@ class ETreeOnlyTestCase(HelperTestCase):
def test_walk_after_parse_failure(self):
# This used to be an issue because libxml2 can leak empty namespaces
# between failed parser runs. iterwalk() failed to handle such a tree.
+ parser = etree.XMLParser()
+
try:
- etree.XML('''<anot xmlns="1">''')
+ etree.XML('''<anot xmlns="1">''', parser=parser)
except etree.XMLSyntaxError:
pass
else:
assert False, "invalid input did not fail to parse"
- et = etree.XML('''<root> </root>''')
+ et = etree.XML('''<root> </root>''', parser=parser)
try:
ns = next(etree.iterwalk(et, events=('start-ns',)))
except StopIteration:
--
2.37.2
From 2e37fbe5c54a188394aa066c3074ab974f6b9f61 Mon Sep 17 00:00:00 2001
From: Stefan Behnel <stefan_ml@behnel.de>
Date: Tue, 19 Jul 2022 08:25:20 +0200
Subject: [PATCH 3/3] Work around libxml2 bug in affected versions that failed
to reset the namespace count in the parser context.
See https://gitlab.gnome.org/GNOME/libxml2/-/issues/378
---
src/lxml/includes/xmlparser.pxd | 1 +
src/lxml/parser.pxi | 3 +++
src/lxml/tests/test_etree.py | 3 +--
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/lxml/includes/xmlparser.pxd b/src/lxml/includes/xmlparser.pxd
index a196e34..45acfc8 100644
--- a/src/lxml/includes/xmlparser.pxd
+++ b/src/lxml/includes/xmlparser.pxd
@@ -144,6 +144,7 @@ cdef extern from "libxml/parser.h":
void* userData
int* spaceTab
int spaceMax
+ int nsNr
bint html
bint progressive
int inSubset
diff --git a/src/lxml/parser.pxi b/src/lxml/parser.pxi
index 35b5145..3187a38 100644
--- a/src/lxml/parser.pxi
+++ b/src/lxml/parser.pxi
@@ -569,6 +569,9 @@ cdef class _ParserContext(_ResolverContext):
self._c_ctxt.disableSAX = 0 # work around bug in libxml2
else:
xmlparser.xmlClearParserCtxt(self._c_ctxt)
+ # work around bug in libxml2 [2.9.10 .. 2.9.14]:
+ # https://gitlab.gnome.org/GNOME/libxml2/-/issues/378
+ self._c_ctxt.nsNr = 0
cdef int prepare(self, bint set_document_loader=True) except -1:
cdef int result
diff --git a/src/lxml/tests/test_etree.py b/src/lxml/tests/test_etree.py
index 8171e03..d767cfb 100644
--- a/src/lxml/tests/test_etree.py
+++ b/src/lxml/tests/test_etree.py
@@ -1478,8 +1478,7 @@ class ETreeOnlyTestCase(HelperTestCase):
# This would be the expected result, because there was no namespace
pass
else:
- # This is a bug in libxml2
- assert not ns, repr(ns)
+ assert False, "Found unexpected namespace '%s'" % ns
def test_itertext_comment_pi(self):
# https://bugs.launchpad.net/lxml/+bug/1844674
--
2.37.2
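Review bot: The failure message in the final form of `test_walk_after_parse_failure` (patch 3/3) is built with `"Found unexpected namespace '%s'" % ns`, but `ns` looks like a two-item `(event, ns_tuple)` pair, judging by the `(u"start-ns", ns_tuple)` entries that `_appendStartNsEvents` appends in patch 1/3. Formatting a two-item tuple against a single `%s` raises TypeError, so a regression of this crash fix would surface as a formatting error instead of the intended assertion text; the `repr(ns)` form it replaces did not have this problem. Wrapping the value keeps the message intact: `assert False, "Found unexpected namespace '%s'" % (ns,)`. The test method starts outside this last hunk.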

1
ci.fmf

@ -1 +0,0 @@
resultsdb-testcase: separate


@ -1,53 +0,0 @@
From c742576c105f40fc8b754fcae56fee4aa35840a3 Mon Sep 17 00:00:00 2001
From: Stefan Behnel <stefan_ml@behnel.de>
Date: Tue, 19 Jul 2022 08:25:20 +0200
Subject: [PATCH] Work around libxml2 bug in affected versions that failed to
reset the namespace count in the parser context.
See https://gitlab.gnome.org/GNOME/libxml2/-/issues/378
---
src/lxml/includes/xmlparser.pxd | 1 +
src/lxml/parser.pxi | 3 +++
src/lxml/tests/test_etree.py | 3 +--
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/lxml/includes/xmlparser.pxd b/src/lxml/includes/xmlparser.pxd
index a196e34bd..45acfc846 100644
--- a/src/lxml/includes/xmlparser.pxd
+++ b/src/lxml/includes/xmlparser.pxd
@@ -144,6 +144,7 @@ cdef extern from "libxml/parser.h":
void* userData
int* spaceTab
int spaceMax
+ int nsNr
bint html
bint progressive
int inSubset
diff --git a/src/lxml/parser.pxi b/src/lxml/parser.pxi
index f5baf29b9..f0c8c6b64 100644
--- a/src/lxml/parser.pxi
+++ b/src/lxml/parser.pxi
@@ -569,6 +569,9 @@ cdef class _ParserContext(_ResolverContext):
self._c_ctxt.disableSAX = 0 # work around bug in libxml2
else:
xmlparser.xmlClearParserCtxt(self._c_ctxt)
+ # work around bug in libxml2 [2.9.10 .. 2.9.14]:
+ # https://gitlab.gnome.org/GNOME/libxml2/-/issues/378
+ self._c_ctxt.nsNr = 0
cdef int prepare(self, bint set_document_loader=True) except -1:
cdef int result
diff --git a/src/lxml/tests/test_etree.py b/src/lxml/tests/test_etree.py
index 8bf82c084..0339796d6 100644
--- a/src/lxml/tests/test_etree.py
+++ b/src/lxml/tests/test_etree.py
@@ -1491,8 +1491,7 @@ def test_walk_after_parse_failure(self):
# This would be the expected result, because there was no namespace
pass
else:
- # This is a bug in libxml2
- assert not ns, repr(ns)
+ assert False, "Found unexpected namespace '%s'" % ns
def test_itertext_comment_pi(self):
# https://bugs.launchpad.net/lxml/+bug/1844674


@ -1,8 +0,0 @@
--- !Policy
product_versions:
- fedora-*
decision_contexts:
- bodhi_update_push_testing
- bodhi_update_push_stable
rules:
- !PassingTestCaseRule {test_case_name: fedora-ci.koji-build./plans/smoke.functional}


@ -1,7 +0,0 @@
import lxml.etree as et
s = '<foo><bar baz="xyzzy">a<![CDATA[b]]>c</bar></foo>'
x = et.fromstring(s)
t = x.find('bar').text
print(t)
if t != 'abc':
raise Exception()


@ -1,12 +0,0 @@
summary: Basic smoke test
discover:
how: shell
tests:
- name: /smoke/import-python-module
test: |
python3 -c 'import importlib as il; print(il.import_module("lxml"))'
- name: /smoke/etree-fromstring
test: |
python3 plans/etree-fromstring.py
execute:
how: tmt


@ -1,105 +1,80 @@
Name: python-lxml
Version: 4.9.1
Release: 1%{?dist}
%global modname lxml
Name: python-%{modname}
Version: 4.7.1
Release: 3%{?dist}
Summary: XML processing library combining libxml2/libxslt with the ElementTree API
# The lxml project is licensed under BSD-3-Clause
# The lxml project is licensed under BSD
# Some code is derived from ElementTree and cElementTree
# thus using the MIT-CMU elementtree license
# .xsl schematron files are under the MIT license
License: BSD-3-Clause AND MIT-CMU AND MIT
# thus using the MIT-like elementtree license
# .xsl schematron files are under the MIT and zlib license
License: BSD and MIT and zlib
URL: https://github.com/lxml/lxml
Source: %{pypi_source lxml}
Source0: %{pypi_source %{modname}}
# Work around libxml2 bug in affected versions that failed to reset the
# namespace count in the parser context.
# Resolved upstream: https://github.com/lxml/lxml/commit/c742576c105f40fc8b754fcae56fee4aa35840a3
Patch: fix-namespace-count.patch
# Security fix for CVE-2022-2309
# Resolved upstream:
# https://github.com/lxml/lxml/commit/86368e9cf70a0ad23cccd5ee32de847149af0c6f
# https://github.com/lxml/lxml/commit/d01872ccdf7e1e5e825b6c6292b43e7d27ae5fc4
# https://github.com/lxml/lxml/commit/c742576c105f40fc8b754fcae56fee4aa35840a3
Patch: CVE-2022-2309.patch
BuildRequires: gcc
BuildRequires: libxml2-devel
BuildRequires: libxslt-devel
BuildRequires: python3-devel
# It is a good idea to BuildRequire the runtime requirements of the [extras] we build.
# That way, we ensure all the [extras] we build are installable,
# and we possibly run tests that would otherwise be skipped.
# However, some of the extras here create a dependency loop.
# - [cssselect] Requires cssselect BuildRequires lxml
# - [html5] Requires html5lib BuildRequires lxml
# - [htmlsoup] Requires beautifulsoup4 Requires lxml
# Hence we provide a bcond to disable this buildtime requirement.
%bcond buildrequire_extras 1
%global _description \
lxml is a Pythonic, mature binding for the libxml2 and libxslt libraries. It\
provides safe and convenient access to these libraries using the ElementTree It\
extends the ElementTree API significantly to offer support for XPath, RelaxNG,\
XML Schema, XSLT, C14N and much more.
XML Schema, XSLT, C14N and much more.To contact the project, go to the project\
home page < or see our bug tracker at case you want to use the current ...
%description %{_description}
%package -n python3-lxml
%package -n python3-%{modname}
Summary: %{summary}
Suggests: python3-lxml+cssselect
Suggests: python3-lxml+html5
Suggests: python3-lxml+htmlsoup
BuildRequires: python3-devel
BuildRequires: python3-setuptools
BuildRequires: python3-Cython
Suggests: python%{python3_version}dist(cssselect) >= 0.7
Suggests: python%{python3_version}dist(html5lib)
Suggests: python%{python3_version}dist(beautifulsoup4)
%{?python_provide:%python_provide python3-%{modname}}
%description -n python3-lxml %{_description}
%description -n python3-%{modname} %{_description}
Python 3 version.
%pyproject_extras_subpkg -n python3-lxml cssselect html5 htmlsoup
%prep
%autosetup -n lxml-%{version} -p1
%generate_buildrequires
%pyproject_buildrequires -x source%{?with_buildrequire_extras:,cssselect,html5,htmlsoup}
%autosetup -n %{modname}-%{version} -p1
# Remove pregenerated Cython C sources
# We need to do this after %%pyproject_buildrequires because setup.py errors
# without Cython and without the .c files.
find -type f -name '*.c' -print -delete >&2
find -type f -name '*.c' -print -delete
%build
export WITH_CYTHON=true
%pyproject_wheel
env WITH_CYTHON=true %py3_build
%install
%pyproject_install
%pyproject_save_files lxml
%py3_install
%check
# The tests assume inplace build, so we copy the built library to source-dir.
# If not done that, Python can either import the tests or the extension modules, but not both.
cp -a build/lib.%{python3_platform}-*/* src/
cp -a build/lib.%{python3_platform}-%{python3_version}/* src/
# The options are: verbose, unit, functional
%{python3} test.py -vuf
%files -n python3-lxml -f %{pyproject_files}
%license doc/licenses/BSD.txt doc/licenses/elementtree.txt
%files -n python3-%{modname}
%license LICENSES.txt doc/licenses/BSD.txt doc/licenses/elementtree.txt
%doc README.rst src/lxml/isoschematron/resources/xsl/iso-schematron-xslt1/readme.txt
%{python3_sitearch}/%{modname}/
%{python3_sitearch}/%{modname}-*.egg-info/
%changelog
* Wed Sep 14 2022 Charalampos Stratakis <cstratak@redhat.com> - 4.9.1-1
- Update to 4.9.1
- Fix for CVE-2022-2309
- Resolves: rhbz#2107571, rhbz#2110131
* Wed Aug 31 2022 Miro Hrončok <mhroncok@redhat.com> - 4.7.1-6
- Use SPDX license identifiers
- The schematron files are not Zlib licensed, but MIT
- Package the lxml[cssselect], lxml[html5] and lxml[htmlsoup] extras
* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 4.7.1-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Jun 22 2022 Charalampos Stratakis <cstratak@redhat.com> - 4.7.1-4
- Fix FTBFS with setuptools >= 62.1
- Resolves: rhbz#2097102
* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 4.7.1-3
- Rebuilt for Python 3.11
* Thu Sep 15 2022 Charalampos Stratakis <cstratak@redhat.com> - 4.7.1-3
- Security fix for CVE-2022-2309
- Resolves: rhbz#2107571
* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 4.7.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
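Review bot: The upstream commit ids cited above `Patch: CVE-2022-2309.patch` (86368e9c, d01872cc, c742576c) do not match the `From` ids inside the patch file shown on this page (85b664e5, c2650346, 2e37fbe5), so the backport cannot be checked against upstream by hash alone. Presumably the three commits were cherry-picked onto 4.7.1 and re-exported, which changes the ids. If so, the spec comment should say it, for example `# Backported to 4.7.1; commit ids inside the patch file differ from the upstream ids listed here`. The old and new sides of this section are not marked on the page, so this assumes the CVE-2022-2309 patch lines belong to the f36 side.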


@ -1 +1 @@
SHA512 (lxml-4.9.1.tar.gz) = d7ec55c7db2c63a716ca5f4d833706d90fc76c944885e010fcdb96786bcfe796994e438450cf4e8e6e75d702e21fb16971f28f854d7a1f76c34e4ae315414d84
SHA512 (lxml-4.7.1.tar.gz) = dd0d421e10db6c9084cf5b2c04a4fc54d74bd62b4dfa83efcf92dd46cd1c5f043c47613521b2de04c450b83eb1161d197b017c53e615e5785e97e7afe106b6cf