python-lxml: Upgrade to 4.8.0 to fix CVE-2018-19787, CVE-2020-27783, CVE-2021-28957, CVE-2021-43818 (#2762)

SPECS/python-lxml/lxml-make-check-fix.patch

@@ -1,14 +0,0 @@
---- a/src/lxml/tests/test_threading.py	2018-11-28 23:02:48.320893543 +0530
-+++ b/src/lxml/tests/test_threading.py	2018-11-28 23:05:49.620897165 +0530
-@@ -153,9 +153,9 @@ class ThreadingTestCase(HelperTestCase):
-             self.assertTrue(len(log))
-             if last_log is not None:
-                 self.assertEqual(len(last_log), len(log))
--            self.assertEqual(4, len(log))
-+            self.assertTrue(len(log) >= 2, len(log))
-             for error in log:
--                self.assertTrue(':ERROR:XSLT:' in str(error))
-+                self.assertTrue(':ERROR:XSLT:' in str(error), str(error))
-             last_log = log
- 
-     def test_thread_xslt_apply_error_log(self):

SPECS/python-lxml/python-lxml.signatures.json

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "lxml-4.2.4.tar.gz": "e2afbe403090f5893e254958d02875e0732975e73c4c0cdd33c1f009a61963ca"
+  "lxml-4.8.0.tar.gz": "f63f62fc60e6228a4ca9abae28228f35e1bd3ce675013d1dfb828688d50c6e23"
  }
 }

SPECS/python-lxml/python-lxml.spec

@@ -2,37 +2,38 @@
 
 Summary:        XML and HTML with Python
 Name:           python-lxml
-Version:        4.2.4
-Release:        11%{?dist}
+Version:        4.8.0
+Release:        1%{?dist}
 # Test suite (and only the test suite) is GPLv2+
 License:        BSD and GPLv2+
-URL:            https://lxml.de
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
-
-# Source0:      https://files.pythonhosted.org/packages/ca/63/139b710671c1655aed3b20c1e6776118c62e9f9311152f4c6031e12a0554/lxml-%{version}.tar.gz
-Source0:        lxml-%{version}.tar.gz
-Patch0:         lxml-make-check-fix.patch
-
-BuildRequires:  libxslt
+URL:            https://lxml.de
+Source0:        https://github.com/lxml/lxml/releases/download/lxml-%{version}/lxml-%{version}.tar.gz
 BuildRequires:  libxslt-devel
+BuildRequires:  libxml2-devel
 BuildRequires:  python3-Cython
 BuildRequires:  python3-devel
+BuildRequires:  python3-setuptools
 
 %description
-The lxml XML toolkit is a Pythonic binding for the C libraries libxml2 and libxslt. It is unique in that it combines the speed and XML feature completeness of these libraries with the simplicity of a native Python API, mostly compatible but superior to the well-known ElementTree API.
+The lxml XML toolkit is a Pythonic binding for the C libraries libxml2 and libxslt.
 
 %package -n     python3-lxml
 Summary:        python-lxml
 Requires:       libxslt
+Requires:       libxml2
 Requires:       python3
 
 %description -n python3-lxml
-Python 3 version.
+The lxml XML toolkit is a Pythonic binding for the C libraries libxml2 and libxslt.
+It is unique in that it combines the speed and XML feature completeness of these libraries
+with the simplicity of a native Python API, mostly compatible but superior to the well-known
+ElementTree API.
+
 
 %prep
-%setup -q -n lxml-%{version}
-%patch0 -p1
+%autosetup -n lxml-%{version}
 find -type f -name "*.c" -delete -print
 
 %build
@@ -52,6 +53,10 @@ make test
 %{python3_sitelib}/*
 
 %changelog
+* Wed Apr 20 2022 Olivia Crain <oliviacrain@microsoft.com> - 4.8.0-1
+- Upgrade to latest upstream version
+- Fixes CVE-2018-19787, CVE-2020-27783, CVE-2021-28957, CVE-2021-43818
+
 * Thu Apr 14 2022 Daniel McIlvaney <damcilva@microsoft.com> - 4.2.4-11
 - Disable the debuginfo package here since it is not being built in the toolchain
 
@@ -64,33 +69,46 @@ make test
 * Fri Dec 03 2021 Thomas Crain <thcrain@microsoft.com> - 4.2.4-8
 - Regenerate C sources at build-time to fix build break with Python 3.9
 
-*   Wed Aug 26 2020 Thomas Crain <thcrain@microsoft.com> 4.2.4-7
--   Remove python2 support.
--   License verified.
-*   Sat May 09 2020 Nick Samson <nisamson@microsoft.com> 4.2.4-6
--   Added %%license line automatically
-*   Wed Apr 29 2020 Emre Girgin <mrgirgin@microsoft.com> 4.2.4-5
--   Renaming cython to Cython
-*   Mon Apr 13 2020 Nick Samson <nisamson@microsoft.com> 4.2.4-4
--   Updated Source0 and URL, removed %%define sha1, License verified
-*   Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 4.2.4-3
--   Initial CBL-Mariner import from Photon (license: Apache2).
-*   Wed Nov 28 2018 Tapas Kundu <tkundu@vmware.com> 4.2.4-2
--   Fix make check
--   moved build requires from subpackage
-*   Sun Sep 09 2018 Tapas Kundu <tkundu@vmware.com> 4.2.4-1
--   Update to version 4.2.4
-*   Mon Aug 07 2017 Dheeraj Shetty <dheerajs@vmware.com> 3.7.3-3
--   set LC_ALL and LANGUAGE for the tests to pass
-*   Thu Jun 01 2017 Dheeraj Shetty <dheerajs@vmware.com> 3.7.3-2
--   Use python2_sitelib
-*   Mon Apr 03 2017 Sarah Choi <sarahc@vmware.com> 3.7.3-1
--   Update to 3.7.3
-*   Wed Feb 08 2017 Xiaolin Li <xiaolinl@vmware.com> 3.5.0b1-4
--   Added python3 site-packages.
-*   Tue Oct 04 2016 ChangLee <changlee@vmware.com> 3.5.0b1-3
--   Modified %check
-*   Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 3.5.0b1-2
--   GA - Bump release of all rpms
-*   Wed Oct 28 2015 Divya Thaluru <dthaluru@vmware.com> 3.5.0b1-1
--   Initial build.
+* Wed Aug 26 2020 Thomas Crain <thcrain@microsoft.com> - 4.2.4-7
+- Remove python2 support.
+- License verified.
+
+* Sat May 09 2020 Nick Samson <nisamson@microsoft.com> - 4.2.4-6
+- Added %%license line automatically
+
+* Wed Apr 29 2020 Emre Girgin <mrgirgin@microsoft.com> - 4.2.4-5
+- Renaming cython to Cython
+
+* Mon Apr 13 2020 Nick Samson <nisamson@microsoft.com> - 4.2.4-4
+- Updated Source0 and URL, removed %%define sha1, License verified
+
+* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> - 4.2.4-3
+- Initial CBL-Mariner import from Photon (license: Apache2).
+
+* Wed Nov 28 2018 Tapas Kundu <tkundu@vmware.com> - 4.2.4-2
+- Fix make check
+- moved build requires from subpackage
+
+* Sun Sep 09 2018 Tapas Kundu <tkundu@vmware.com> - 4.2.4-1
+- Update to version 4.2.4
+
+* Mon Aug 07 2017 Dheeraj Shetty <dheerajs@vmware.com> - 3.7.3-3
+- set LC_ALL and LANGUAGE for the tests to pass
+
+* Thu Jun 01 2017 Dheeraj Shetty <dheerajs@vmware.com> - 3.7.3-2
+- Use python2_sitelib
+
+* Mon Apr 03 2017 Sarah Choi <sarahc@vmware.com> - 3.7.3-1
+- Update to 3.7.3
+
+* Wed Feb 08 2017 Xiaolin Li <xiaolinl@vmware.com> - 3.5.0b1-4
+- Added python3 site-packages.
+
+* Tue Oct 04 2016 ChangLee <changlee@vmware.com> - 3.5.0b1-3
+- Modified %check
+
+* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> - 3.5.0b1-2
+- GA - Bump release of all rpms
+
+* Wed Oct 28 2015 Divya Thaluru <dthaluru@vmware.com> - 3.5.0b1-1
+- Initial build.

cgmanifest.json

@@ -20294,8 +20294,8 @@
         "type": "other",
         "other": {
           "name": "python-lxml",
-          "version": "4.2.4",
-          "downloadUrl": "https://files.pythonhosted.org/packages/ca/63/139b710671c1655aed3b20c1e6776118c62e9f9311152f4c6031e12a0554/lxml-4.2.4.tar.gz"
+          "version": "4.8.0",
+          "downloadUrl": "https://github.com/lxml/lxml/releases/download/lxml-4.8.0/lxml-4.8.0.tar.gz"
         }
       }
     },

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -514,7 +514,7 @@ python3-gpg-1.16.0-1.cm2.aarch64.rpm
 python3-jinja2-3.0.3-2.cm2.noarch.rpm
 python3-libs-3.9.10-1.cm2.aarch64.rpm
 python3-libxml2-2.9.13-1.cm2.aarch64.rpm
-python3-lxml-4.2.4-11.cm2.aarch64.rpm
+python3-lxml-4.8.0-1.cm2.aarch64.rpm
 python3-magic-5.40-2.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.aarch64.rpm
 python3-newt-0.52.21-4.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_x86_64.txt

@@ -514,7 +514,7 @@ python3-gpg-1.16.0-1.cm2.x86_64.rpm
 python3-jinja2-3.0.3-2.cm2.noarch.rpm
 python3-libs-3.9.10-1.cm2.x86_64.rpm
 python3-libxml2-2.9.13-1.cm2.x86_64.rpm
-python3-lxml-4.2.4-11.cm2.x86_64.rpm
+python3-lxml-4.8.0-1.cm2.x86_64.rpm
 python3-magic-5.40-2.cm2.noarch.rpm
 python3-markupsafe-2.1.0-1.cm2.x86_64.rpm
 python3-newt-0.52.21-4.cm2.x86_64.rpm