# # spec file for package libxml2 # # Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via https://bugs.opensuse.org/ # %define lname libxml2-2 Name: libxml2 Version: 2.9.4 Release: 0 Summary: A Library to Manipulate XML Files License: MIT Group: System/Libraries URL: http://xmlsoft.org Source: ftp://xmlsoft.org/libxml2/%{name}-%{version}.tar.gz Source1: ftp://xmlsoft.org/libxml2/%{name}-%{version}.tar.gz.asc Source2: baselibs.conf Source3: %{name}.keyring Patch0: fix-perl.diff # PATCH-FIX-UPSTREAM bnc#983288 kstreitova@suse.com -- fix attribute decoding during XML schema validation Patch1: libxml2-2.9.4-fix_attribute_decoding.patch # PATCH-FIX-UPSTREAM bnc#1014873 sflees@suse.de -- Fix NULL dereference in xpointer.c when in recovery mode Patch2: libxml2-NULL-deref-xpointer.patch # PATCH-FIX-SUSE bnc#1014873 sflees@suse.de Patch4: libxml2-inf-rec-xmlParseConditionalSections.patch # PATCH-FIX-UPSTREAM bnc#1010675 sflees@suse.de Patch5: libxml2-CVE-2016-9318.patch # PATCH-FIX-UPSTREAM bnc#1005544 psimons@suse.com -- use after free via namespace node in XPointer ranges Patch6: libxml2-2.9.4-CVE-2016-4658.patch # PATCH-FIX-UPSTREAM bnc#1017497 sflees@suse.de Patch7: libxml2-CVE-2016-9597.patch # PATCH-FIX-UPSTREAM bnc#1039063 bnc#1039064 pmonrealgonzalez@suse.com -- Fixes CVE-2017-9047 and CVE-2017-9048 Patch8: libxml2-CVE-2017-9047.patch # PATCH-FIX-UPSTREAM bnc#1039066 bnc#1039661 pmonrealgonzalez@suse.com -- Fixes CVE-2017-9049 and CVE-2017-9050 Patch9: libxml2-CVE-2017-9049.patch # PATCH-FIX-UPSTREAM bnc#1024989 pmonrealgonzalez@suse.com -- CVE-2017-5969 NULL pointer derefence parsing xml file Patch10: libxml2-CVE-2017-5969.patch # PATCH-FIX-UPSTREAM bnc#1044337 pmonrealgonzalez@suse.com -- CVE-2017-0663 Heap buffer overflow in xmlAddID Patch11: libxml2-CVE-2017-0663.patch # PATCH-FIX-UPSTREAM bnc#1044894 pmonrealgonzalez@suse.com -- CVE-2017-7375 Missing validation for external entities in xmlParsePEReference Patch12: libxml2-CVE-2017-7375.patch # PATCH-FIX-UPSTREAM bnc#1044887 pmonrealgonzalez@suse.com -- CVE-2017-7376 Incorrect limit used for port values Patch13: libxml2-CVE-2017-7376.patch # PATCH-FIX-SUSE bsc#1038444 pmonrealgonzalez@suse.com -- CVE-2017-8872 Out-of-bounds read in htmlParseTryOrFinish Patch14: libxml2-2.9.4-CVE-2017-8872.patch # PATCH-FIX-UPSTREAM bsc#1077993 pmonrealgonzalez@suse.com -- CVE-2017-15412 Use-after-free in xmlXPathCompOpEvalPositionalPredicate Patch15: libxml2-2.9.4-CVE-2017-15412.patch # PATCH-FIX-UPSTREAM bsc#1078806 pmonrealgonzalez@suse.com -- CVE-2017-5130 Remote buffer overflow Patch16: libxml2-2.9.4-CVE-2017-5130.patch # PATCH-FIX-UPSTREAM bsc#1078813 pmonrealgonzalez@suse.com -- CVE-2016-5131 Use-after-free Patch17: libxml2-2.9.4-CVE-2016-5131.patch Patch18: libxml2-xmlXPathCmpNodes.patch # PATCH-FIX-UPSTREAM bsc#1088601 CVE-2017-18258 Set memory limit for LZMA decompression Patch19: libxml2-CVE-2017-18258.patch # PATCH-FIX-UPSTREAM bsc#1102046 CVE-2018-14404 NULL pointer dereference in xpath.c:xmlXPathCompOpEval() Patch20: libxml2-CVE-2018-14404.patch # PATCH-FIX-UPSTREAM bsc#1105166 bsc#1088279 CVE-2018-14567 CVE-2018-9251 Fix infinite loop in LZMA decompression Patch21: libxml2-CVE-2018-14567.patch # PATCH-FIX-SUSE bsc#1135123 Added a new configurable variable XPATH_DEFAULT_MAX_NODESET_LENGTH to avoid nodeset limit Patch22: libxml2-make-XPATH_MAX_NODESET_LENGTH-configurable.patch # PATCH-FIX-UPSTREAM bsc#1161517 CVE-2020-7595 Infinite loop in xmlStringLenDecodeEntities Patch24: libxml2-CVE-2020-7595.patch # PATCH-FIX-UPSTREAM bsc#1161521 CVE-2019-20388 Memory leak in xmlSchemaPreRun Patch25: libxml2-CVE-2019-20388.patch # PATCH-FIX-UPSTREAM bsc#1176179 CVE-2020-24977 xmllint: global-buffer-overflow in xmlEncodeEntitiesInternal Patch26: libxml2-CVE-2020-24977.patch # PATCH-FIX-SUSE bsc#1178823 Avoid quadratic checking of identity-constraints Patch27: libxml2-Avoid-quadratic-checking-of-identity-constraints.patch # PATCH-FIX-UPSTREAM bsc#1185409 CVE-2021-3516 use-after-free in entities.c:xmlEncodeEntitiesInternal() Patch28: libxml2-CVE-2021-3516.patch # PATCH-FIX-UPSTREAM bsc#1185410 CVE-2021-3517 heap-based buffer overflow entities.c:xmlEncodeEntitiesInternal() Patch29: libxml2-CVE-2021-3517.patch # PATCH-FIX-UPSTREAM bsc#1185408 CVE-2021-3518 use-after-free in xinclude.c:xmlXIncludeDoProcess() Patch30: libxml2-CVE-2021-3518.patch # PATCH-FIX-UPSTREAM bsc#1185698 CVE-2021-3537 NULL pointer dereference in valid.c:xmlValidBuildAContentModel Patch31: libxml2-CVE-2021-3537.patch # PATCH-FIX-UPSTREAM bsc#1186015 CVE-2021-3541 Exponential entity expansion attack bypasses all existing protection mechanisms Patch32: libxml2-CVE-2021-3541.patch # PATCH-FIX-UPSTREAM bsc#1196490 CVE-2022-23308 Use-after-free of ID and IDREF attributes # - https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12a858989b14eed4e84e453059cd3ba340e Patch33: libxml2-CVE-2022-23308.patch # PATCH-FIX-UPSTREAM bsc#1199132 CVE-2022-29824 integer overflow leading to out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) # - https://gitlab.gnome.org/GNOME/libxml2/-/commit/6c283d83eccd940bcde15634ac8c7f100e3caefd Patch34: libxml2-CVE-2022-29824.patch # PATCH-FIX-UPSTREAM bsc#1069689 CVE-2017-16932 parser.c in libxml2 before 2.9.5 does not prevent infinite recursion inparameter entities. Patch35: libxml2-CVE-2017-16932.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: fdupes BuildRequires: libtool BuildRequires: pkg-config BuildRequires: readline-devel BuildRequires: xz-devel BuildRequires: zlib-devel BuildRoot: %{_tmppath}/%{name}-%{version}-build %description The XML C library was initially developed for the GNOME project. It is now used by many programs to load and save extensible data structures or manipulate any kind of XML files. This library implements a number of existing standards related to markup languages, including the XML standard, name spaces in XML, XML Base, RFC 2396, XPath, XPointer, HTML4, XInclude, SGML catalogs, and XML catalogs. In most cases, libxml tries to implement the specification in a rather strict way. To some extent, it provides support for the following specifications, but does not claim to implement them: DOM, FTP client, HTTP client, and SAX. The library also supports RelaxNG. Support for W3C XML Schemas is in progress. %package -n %{lname} Summary: A Library to Manipulate XML Files Group: System/Libraries %description -n %{lname} The XML C library was initially developed for the GNOME project. It is now used by many programs to load and save extensible data structures or manipulate any kind of XML files. This library implements a number of existing standards related to markup languages, including the XML standard, name spaces in XML, XML Base, RFC 2396, XPath, XPointer, HTML4, XInclude, SGML catalogs, and XML catalogs. In most cases, libxml tries to implement the specification in a rather strict way. To some extent, it provides support for the following specifications, but does not claim to implement them: DOM, FTP client, HTTP client, and SAX. The library also supports RelaxNG. Support for W3C XML Schemas is in progress. %package tools Summary: Tools using libxml Group: System/Libraries Provides: %{name} = %{version}-%{release} Obsoletes: %{name} < %{version}-%{release} %description tools This package contains xmllint, a very useful tool proving libxml's power. %package devel Summary: Include Files and Libraries mandatory for Development Group: Development/Libraries/C and C++ Requires: %{lname} = %{version} Requires: %{name}-tools = %{version} Requires: glibc-devel Requires: readline-devel Requires: xz-devel Requires: zlib-devel # bug437293 %ifarch ppc64 Obsoletes: libxml2-devel-64bit %endif %description devel This package contains all necessary include files and libraries needed to develop applications that require these. %package doc Summary: A Library to Manipulate XML Files Group: System/Libraries Requires: %{lname} = %{version} BuildArch: noarch %description doc The XML C library was initially developed for the GNOME project. It is now used by many programs to load and save extensible data structures or manipulate any kind of XML files. This library implements a number of existing standards related to markup languages, including the XML standard, name spaces in XML, XML Base, RFC 2396, XPath, XPointer, HTML4, XInclude, SGML catalogs, and XML catalogs. In most cases, libxml tries to implement the specification in a rather strict way. To some extent, it provides support for the following specifications, but does not claim to implement them: DOM, FTP client, HTTP client, and SAX. The library also supports RelaxNG. Support for W3C XML Schemas is in progress. %prep %setup -q %patch0 %patch1 -p1 %patch2 -p1 %patch4 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 %patch8 -p1 %patch9 -p1 %patch10 -p1 %patch11 -p1 %patch12 -p1 %patch13 -p1 %patch14 -p1 %patch15 -p1 %patch16 -p1 %patch17 -p1 %patch18 -p1 %patch19 -p1 %patch20 -p1 %patch21 -p1 %patch22 -p1 %patch24 -p1 %patch25 -p1 %patch26 -p1 %patch27 -p1 %patch28 -p1 %patch29 -p1 %patch30 -p1 %patch31 -p1 %patch32 -p1 %patch33 -p1 %patch34 -p1 %patch35 -p1 %build autoreconf -fvi %configure --disable-static \ --docdir=%{_docdir}/%{name} \ --with-html-dir=%{_docdir}/%{name}/html \ --with-fexceptions \ --with-history \ --without-python \ --enable-ipv6 \ --with-sax1 \ --with-regexps \ --with-threads \ --with-reader \ --with-http make %{?_smp_mflags} BASE_DIR="%{_docdir}" DOC_MODULE="%{name}" %install make install DESTDIR=%{buildroot} BASE_DIR="%{_docdir}" DOC_MODULE="%{name}" mkdir -p "%{buildroot}/%{_docdir}/%{name}" cp -a AUTHORS NEWS README COPYING* Copyright TODO* %{buildroot}%{_docdir}/%{name}/ ln -s libxml2/libxml %{buildroot}%{_includedir}/libxml %fdupes %{buildroot}%{_datadir} %check # qemu-arm can't keep up atm, disabling check for arm %ifnarch %arm make %{?_smp_mflags} check %endif %post -n %{lname} -p /sbin/ldconfig %postun -n %{lname} -p /sbin/ldconfig %files -n %{lname} %defattr(-, root, root) %{_libdir}/lib*.so.* %doc %dir %{_docdir}/%{name} %doc %{_docdir}/%{name}/[ANRCT]* %files tools %defattr(-, root, root) %{_bindir}/xmllint %{_bindir}/xmlcatalog %{_mandir}/man1/xmllint.1* %{_mandir}/man1/xmlcatalog.1* %files devel %defattr(-, root, root) %{_bindir}/xml2-config %dir %{_datadir}/aclocal %{_datadir}/aclocal/libxml.m4 %{_includedir}/libxml %{_includedir}/libxml2 %{_libdir}/lib*.so # libxml2.la is needed for the python-libxml2 build. Deleting it breaks build of python-libxml2. %{_libdir}/libxml2.la %{_libdir}/*.sh %{_libdir}/pkgconfig/*.pc %{_libdir}/cmake %{_mandir}/man1/xml2-config.1* %{_mandir}/man3/libxml.3* %files doc %defattr(-, root, root) %{_datadir}/gtk-doc/html/* %doc %{_docdir}/%{name}/examples %doc %{_docdir}/%{name}/html # owning these directories prevents gtk-doc <-> libxml2 build loop: %dir %{_datadir}/gtk-doc %dir %{_datadir}/gtk-doc/html %changelog