libxml2 and python-lxml: fix CVE-2022-2309 (#3583)

* libxml2 and python-lxml: fix CVE-2022-2309 * libxml2 and python-lxml: fix CVE-2022-2309 * address PR comments Co-authored-by: Nicolas Guibourge <nicolasg@microsoft.com>
2022-08-24 10:06:43 +02:00 · 2022-08-24 10:06:43 +02:00 · 72240a461b
--- a/SPECS/libxml2/libxml2.signatures.json
+++ b/SPECS/libxml2/libxml2.signatures.json
@ -1,5 +1,5 @@
 {
 "Signatures": {
- "libxml2-v2.9.14.tar.gz": "80efe9e6b48f8aa7b9b0c47be427e2ef2dbfb2999124220ffbc0f43ca6adb98c"
+ "libxml2-v2.10.0.tar.gz": "03365d9d4a6e086c213ed52a917f057838d70d54d080c12390084603c40dbb3d"
 }
 }
--- a/SPECS/libxml2/libxml2.spec
+++ b/SPECS/libxml2/libxml2.spec
@ -1,12 +1,12 @@
 Summary:        Libxml2
 Name:           libxml2
-Version:        2.9.14
+Version:        2.10.0
 Release:        1%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System Environment/General Libraries
-URL:            https://www.xmlsoft.org/
+URL:            https://gitlab.gnome.org/GNOME/libxml2/-/wikis/home
 Source0:        https://gitlab.gnome.org/GNOME/%{name}/-/archive/v%{version}/%{name}-v%{version}.tar.gz
 BuildRequires:  python3-devel
 BuildRequires:  python3-xml
@ -59,10 +59,9 @@ find %{buildroot} -type f -name "*.la" -delete -print

 %files
 %defattr(-,root,root)
-%license COPYING
+%license Copyright
 %{_docdir}/*
 %{_libdir}/libxml*
-%{_libdir}/xml2Conf.sh
 %{_bindir}/*
 %{_datadir}/aclocal/*
 %{_datadir}/gtk-doc/*
@ -75,11 +74,13 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %files devel
 %defattr(-,root,root)
 %{_includedir}/*
-%{_mandir}/man3/*
 %{_libdir}/pkgconfig/libxml-2.0.pc
 %{_libdir}/cmake/libxml2/libxml2-config.cmake

 %changelog
+* Mon Aug 22 2022 Nicolas Guibourge <nicolasg@microsoft.com> - 2.10.0-1
+- Updating to version 2.10.0 to fix CVE-2022-2309.
+
 * Mon May 23 2022 Cameron Baird <cameronbaird@microsoft.com> - 2.9.14-1
 - Updating to version 2.9.14 to fix CVE-2022-29824.

--- a/SPECS/python-lxml/python-lxml.signatures.json
+++ b/SPECS/python-lxml/python-lxml.signatures.json
@ -1,5 +1,5 @@
 {
 "Signatures": {
-  "lxml-4.8.0.tar.gz": "f63f62fc60e6228a4ca9abae28228f35e1bd3ce675013d1dfb828688d50c6e23"
+  "lxml-4.9.1.tar.gz": "fe749b052bb7233fe5d072fcb549221a8cb1a16725c47c37e42b0b9cb3ff2c3f"
 }
 }
--- a/SPECS/python-lxml/python-lxml.spec
+++ b/SPECS/python-lxml/python-lxml.spec
@ -2,7 +2,7 @@

 Summary:        XML and HTML with Python
 Name:           python-lxml
-Version:        4.8.0
+Version:        4.9.1
 Release:        1%{?dist}
 # Test suite (and only the test suite) is GPLv2+
 License:        BSD and GPLv2+
@ -53,6 +53,9 @@ make test
 %{python3_sitelib}/*

 %changelog
+* Mon Aug 22 2022 Nicolas Guibourge <nicolasg@microsoft.com> - 4.9.1-1
+- Upgrade to to fix CVE-2022-2309
+
 * Wed Apr 20 2022 Olivia Crain <oliviacrain@microsoft.com> - 4.8.0-1
 - Upgrade to latest upstream version
 - Fixes CVE-2018-19787, CVE-2020-27783, CVE-2021-28957, CVE-2021-43818
--- a/cgmanifest.json
+++ b/cgmanifest.json
@ -10581,8 +10581,8 @@
        "type": "other",
        "other": {
          "name": "libxml2",
-          "version": "2.9.14",
-          "downloadUrl": "https://gitlab.gnome.org/GNOME/libxml2/-/archive/v2.9.14/libxml2-v2.9.14.tar.gz"
+          "version": "2.10.0",
+          "downloadUrl": "https://gitlab.gnome.org/GNOME/libxml2/-/archive/v2.10.0/libxml2-v2.10.0.tar.gz"
        }
      }
    },
@ -20984,8 +20984,8 @@
        "type": "other",
        "other": {
          "name": "python-lxml",
-          "version": "4.8.0",
-          "downloadUrl": "https://github.com/lxml/lxml/releases/download/lxml-4.8.0/lxml-4.8.0.tar.gz"
+          "version": "4.9.1",
+          "downloadUrl": "https://github.com/lxml/lxml/releases/download/lxml-4.9.1/lxml-4.9.1.tar.gz"
        }
      }
    },
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@ -197,8 +197,8 @@ tdnf-cli-libs-3.2.2-4.cm2.aarch64.rpm
 tdnf-devel-3.2.2-4.cm2.aarch64.rpm
 tdnf-plugin-repogpgcheck-3.2.2-4.cm2.aarch64.rpm
 createrepo_c-0.17.5-1.cm2.aarch64.rpm
-libxml2-2.9.14-1.cm2.aarch64.rpm
-libxml2-devel-2.9.14-1.cm2.aarch64.rpm
+libxml2-2.10.0-1.cm2.aarch64.rpm
+libxml2-devel-2.10.0-1.cm2.aarch64.rpm
 libsepol-3.2-2.cm2.aarch64.rpm
 glib-2.71.0-1.cm2.aarch64.rpm
 libltdl-2.4.6-8.cm2.aarch64.rpm
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@ -197,8 +197,8 @@ tdnf-cli-libs-3.2.2-4.cm2.x86_64.rpm
 tdnf-devel-3.2.2-4.cm2.x86_64.rpm
 tdnf-plugin-repogpgcheck-3.2.2-4.cm2.x86_64.rpm
 createrepo_c-0.17.5-1.cm2.x86_64.rpm
-libxml2-2.9.14-1.cm2.x86_64.rpm
-libxml2-devel-2.9.14-1.cm2.x86_64.rpm
+libxml2-2.10.0-1.cm2.x86_64.rpm
+libxml2-devel-2.10.0-1.cm2.x86_64.rpm
 libsepol-3.2-2.cm2.x86_64.rpm
 glib-2.71.0-1.cm2.x86_64.rpm
 libltdl-2.4.6-8.cm2.x86_64.rpm
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@ -203,9 +203,9 @@ libtasn1-debuginfo-4.18.0-2.cm2.aarch64.rpm
 libtasn1-devel-4.18.0-2.cm2.aarch64.rpm
 libtool-2.4.6-8.cm2.aarch64.rpm
 libtool-debuginfo-2.4.6-8.cm2.aarch64.rpm
-libxml2-2.9.14-1.cm2.aarch64.rpm
-libxml2-debuginfo-2.9.14-1.cm2.aarch64.rpm
-libxml2-devel-2.9.14-1.cm2.aarch64.rpm
+libxml2-2.10.0-1.cm2.aarch64.rpm
+libxml2-debuginfo-2.10.0-1.cm2.aarch64.rpm
+libxml2-devel-2.10.0-1.cm2.aarch64.rpm
 libxslt-1.1.34-7.cm2.aarch64.rpm
 libxslt-debuginfo-1.1.34-7.cm2.aarch64.rpm
 libxslt-devel-1.1.34-7.cm2.aarch64.rpm
@ -510,8 +510,8 @@ python3-gpg-1.16.0-1.cm2.aarch64.rpm
 python3-jinja2-3.0.3-2.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.aarch64.rpm
 python3-libs-3.9.13-3.cm2.aarch64.rpm
-python3-libxml2-2.9.14-1.cm2.aarch64.rpm
-python3-lxml-4.8.0-1.cm2.aarch64.rpm
+python3-libxml2-2.10.0-1.cm2.aarch64.rpm
+python3-lxml-4.9.1-1.cm2.aarch64.rpm
 python3-magic-5.40-2.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.aarch64.rpm
 python3-newt-0.52.21-4.cm2.aarch64.rpm
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@ -203,9 +203,9 @@ libtasn1-debuginfo-4.18.0-2.cm2.x86_64.rpm
 libtasn1-devel-4.18.0-2.cm2.x86_64.rpm
 libtool-2.4.6-8.cm2.x86_64.rpm
 libtool-debuginfo-2.4.6-8.cm2.x86_64.rpm
-libxml2-2.9.14-1.cm2.x86_64.rpm
-libxml2-debuginfo-2.9.14-1.cm2.x86_64.rpm
-libxml2-devel-2.9.14-1.cm2.x86_64.rpm
+libxml2-2.10.0-1.cm2.x86_64.rpm
+libxml2-debuginfo-2.10.0-1.cm2.x86_64.rpm
+libxml2-devel-2.10.0-1.cm2.x86_64.rpm
 libxslt-1.1.34-7.cm2.x86_64.rpm
 libxslt-debuginfo-1.1.34-7.cm2.x86_64.rpm
 libxslt-devel-1.1.34-7.cm2.x86_64.rpm
@ -510,8 +510,8 @@ python3-gpg-1.16.0-1.cm2.x86_64.rpm
 python3-jinja2-3.0.3-2.cm2.noarch.rpm
 python3-libcap-ng-0.8.2-2.cm2.x86_64.rpm
 python3-libs-3.9.13-3.cm2.x86_64.rpm
-python3-libxml2-2.9.14-1.cm2.x86_64.rpm
-python3-lxml-4.8.0-1.cm2.x86_64.rpm
+python3-libxml2-2.10.0-1.cm2.x86_64.rpm
+python3-lxml-4.9.1-1.cm2.x86_64.rpm
 python3-magic-5.40-2.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.x86_64.rpm
 python3-newt-0.52.21-4.cm2.x86_64.rpm