Accepting request 896723 from home:pmonrealgonzalez:branches:devel:libraries:c_c++

- Fix build with libxml2 2.9.12 that removes maxParserDepth XPath limit
- Add upstream patches:
  * libxslt-Stop-using-maxParserDepth-XPath-limit.patch
  * libxslt-Do-not-set-maxDepth-in-XPath-contexts.patch

OBS-URL: https://build.opensuse.org/request/show/896723
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libxslt?expand=0&rev=84

libxslt-Do-not-set-maxDepth-in-XPath-contexts.patch

@@ -0,0 +1,54 @@
+From 77c26bad0433541f486b1e7ced44ca9979376908 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Wed, 26 Aug 2020 00:34:38 +0200
+Subject: [PATCH] Don't set maxDepth in XPath contexts
+
+The maximum recursion depth is hardcoded in libxml2 now.
+---
+ libxslt/functions.c |  2 +-
+ tests/fuzz/fuzz.c   | 11 ++---------
+ 2 files changed, 3 insertions(+), 10 deletions(-)
+
+Index: libxslt-1.1.34/tests/fuzz/fuzz.c
+===================================================================
+--- libxslt-1.1.34.orig/tests/fuzz/fuzz.c
++++ libxslt-1.1.34/tests/fuzz/fuzz.c
+@@ -168,7 +168,6 @@ xsltFuzzXPathInit(int *argc_p ATTRIBUTE_
+     xpctxt = tctxt->xpathCtxt;
+ 
+     /* Resource limits to avoid timeouts and call stack overflows */
+-    xpctxt->maxDepth = 500;
+     xpctxt->opLimit = 500000;
+ 
+     /* Test namespaces used in xpath.xml */
+@@ -299,12 +298,6 @@ xsltFuzzXsltInit(int *argc_p ATTRIBUTE_U
+     return 0;
+ }
+ 
+-static void
+-xsltSetXPathResourceLimits(xmlXPathContextPtr ctxt) {
+-    ctxt->maxDepth = 200;
+-    ctxt->opLimit = 100000;
+-}
+-
+ xmlChar *
+ xsltFuzzXslt(const char *data, size_t size) {
+     xmlDocPtr xsltDoc;
+@@ -334,7 +327,7 @@ xsltFuzzXslt(const char *data, size_t si
+         xmlFreeDoc(xsltDoc);
+         return NULL;
+     }
+-    xsltSetXPathResourceLimits(sheet->xpathCtxt);
++    sheet->xpathCtxt->opLimit = 100000;
+     sheet->xpathCtxt->opCount = 0;
+     if (xsltParseStylesheetUser(sheet, xsltDoc) != 0) {
+         xsltFreeStylesheet(sheet);
+@@ -346,7 +339,7 @@ xsltFuzzXslt(const char *data, size_t si
+     xsltSetCtxtSecurityPrefs(sec, ctxt);
+     ctxt->maxTemplateDepth = 100;
+     ctxt->opLimit = 20000;
+-    xsltSetXPathResourceLimits(ctxt->xpathCtxt);
++    ctxt->xpathCtxt->opLimit = 100000;
+     ctxt->xpathCtxt->opCount = sheet->xpathCtxt->opCount;
+ 
+     result = xsltApplyStylesheetUser(sheet, doc, NULL, NULL, NULL, ctxt);

libxslt-Stop-using-maxParserDepth-XPath-limit.patch

@@ -0,0 +1,37 @@
+From 9ae2f94df1721e002941b40665efb762aefcea1a Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 17 Aug 2020 03:42:11 +0200
+Subject: [PATCH] Stop using maxParserDepth XPath limit
+
+This will be removed again from libxml2.
+---
+ tests/fuzz/fuzz.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/tests/fuzz/fuzz.c b/tests/fuzz/fuzz.c
+index f502ca2c..75234ad6 100644
+--- a/tests/fuzz/fuzz.c
++++ b/tests/fuzz/fuzz.c
+@@ -183,8 +183,7 @@ xsltFuzzXPathInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
+     xpctxt = tctxt->xpathCtxt;
+ 
+     /* Resource limits to avoid timeouts and call stack overflows */
+-    xpctxt->maxParserDepth = 15;
+-    xpctxt->maxDepth = 100;
++    xpctxt->maxDepth = 500;
+     xpctxt->opLimit = 500000;
+ 
+     /* Test namespaces used in xpath.xml */
+@@ -317,8 +316,7 @@ xsltFuzzXsltInit(int *argc_p ATTRIBUTE_UNUSED, char ***argv_p,
+ 
+ static void
+ xsltSetXPathResourceLimits(xmlXPathContextPtr ctxt) {
+-    ctxt->maxParserDepth = 15;
+-    ctxt->maxDepth = 100;
++    ctxt->maxDepth = 200;
+     ctxt->opLimit = 100000;
+ }
+ 
+-- 
+GitLab
+

libxslt.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Jun  1 10:41:44 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Fix build with libxml2 2.9.12 that removes maxParserDepth XPath limit
+- Add upstream patches:
+  * libxslt-Stop-using-maxParserDepth-XPath-limit.patch
+  * libxslt-Do-not-set-maxDepth-in-XPath-contexts.patch
+
 -------------------------------------------------------------------
 Wed Nov 20 12:58:31 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
 

libxslt.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libxslt
 #
-# Copyright (c) 2019 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,7 @@ Name:           libxslt
 Version:        1.1.34
 Release:        0
 Summary:        XSL Transformation Library
-License:        MIT AND GPL-2.0-or-later
+License:        GPL-2.0-or-later AND MIT
 Group:          Development/Libraries/C and C++
 URL:            http://xmlsoft.org/XSLT/
 Source0:        ftp://xmlsoft.org/libxslt/libxslt-%{version}.tar.gz
@@ -34,10 +34,14 @@ Patch0:         %{name}-1.1.24-no-net-autobuild.patch
 Patch1:         libxslt-config-fixes.patch
 Patch2:         0009-Make-generate-id-deterministic.patch
 Patch3:         libxslt-random-seed.patch
+# PATCH-FIX-UPSTREAM gitlab.gnome.org/GNOME/libxslt/commit/9ae2f94df1721e002941b40665efb762aefcea1a
+Patch4:         libxslt-Stop-using-maxParserDepth-XPath-limit.patch
+# PATCH-FIX-UPSTREAM gitlab.gnome.org/GNOME/libxslt/commit/77c26bad0433541f486b1e7ced44ca9979376908
+Patch5:         libxslt-Do-not-set-maxDepth-in-XPath-contexts.patch
 BuildRequires:  libgcrypt-devel
 BuildRequires:  libgpg-error-devel
 BuildRequires:  libtool
-BuildRequires:  libxml2-devel
+BuildRequires:  libxml2-devel >= 2.9.12
 BuildRequires:  pkgconfig
 Obsoletes:      libxslt-python
 
@@ -88,7 +92,7 @@ applications that want to make use of the XSLT libraries.
 
 %package tools
 Summary:        Extended Stylesheet Language (XSL) Transformation utilities
-License:        MIT AND GPL-2.0-or-later
+License:        GPL-2.0-or-later AND MIT
 Group:          Development/Tools/Other
 Provides:       %{name} = %{version}
 Provides:       xsltproc = %{version}
@@ -103,6 +107,8 @@ xtend the
 %patch1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
+%patch5 -p1
 
 %build
 autoreconf -fvi