nokogiri 1.6.7.1 → 1.6.7.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c62a0f60246bbc73ddbbb0f0ab78fb0ee835e7e0
-  data.tar.gz: ae8e6b78fefbbee6c0e69abab11aae9ed8f140ef
+  metadata.gz: 44efc9ecb420ea82808bccb3a6483a4c3c495800
+  data.tar.gz: bbe9d9ba340c51db36cd4434b111f983b80c125c
 SHA512:
-  metadata.gz: 89b94ebfe4326b45ebc6938c79c9fe2286ea73309d35aaf31a78e6a11e563b9dcf0ac43669d20570412ab77ce379aa55d1daa07891cbac2ae9c0933754caa0e2
-  data.tar.gz: e7761aaa4a148d41c0aa1eba705325557c336dbed1218e21a582eb34351cc1495dd1b967a289ccbaf815801deceff95fe21f80d76fce6f0242c82a106852a99a
+  metadata.gz: ce0a7761046a3b8d4dca66efee40a71bec7014dd59f47c006592cd7d54bed65483c0a1ea914ce59796a72d4a389f9aeba24c96c96c7aabf4391ae2d52682dee7
+  data.tar.gz: 11783290520f44642955123ae8b5ae241f6e3d4ec51ad170fb8994a6cee5f79c39de92cd4fd18bf0778f383124164a8b750e398ca6db872a070c421ae1a22132

data/CHANGELOG.rdoc

@@ -1,3 +1,14 @@
+=== 1.6.7.2 / 2015-01-20
+
+This version pulls in several upstream patches to the vendored libxml2 and libxslt to address:
+
+  CVE-2015-7499
+
+Ubuntu classifies this as "Priority: Low", RedHat classifies this as "Impact: Moderate", and NIST classifies this as "Severity: 5.0 (MEDIUM)".
+
+MITRE record is https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7499
+
+
 === 1.6.7.1 / 2015-12-16
 
 This version pulls in several upstream patches to the vendored libxml2 and libxslt to address:
@@ -11,6 +22,8 @@ This version pulls in several upstream patches to the vendored libxml2 and libxs
   CVE-2015-8242
   CVE-2015-8317
 
+These CVEs are all low or medium priority according to Canonical, however NIST NVD gives CVE-2015-5312 a high severity score.
+
 See also http://www.ubuntu.com/usn/usn-2834-1/
 
 

data/lib/nokogiri/version.rb

@@ -1,6 +1,6 @@
 module Nokogiri
   # The version of Nokogiri you are using
-  VERSION = '1.6.7.1'
+  VERSION = '1.6.7.2'
 
   class VersionInfo # :nodoc:
     def jruby?

data/patches/libxml2/0019-Do-not-print-error-context-when-there-is-none.patch

@@ -0,0 +1,28 @@
+From ce0b0d0d81fdbb5f722a890432b52d363e4de57b Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 15:01:22 +0800
+Subject: Do not print error context when there is none
+
+Which now happens more frequently du to xmlHaltParser use
+---
+ error.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/error.c b/error.c
+index cbcf5c9..9c45040 100644
+--- a/error.c
++++ b/error.c
+@@ -177,7 +177,9 @@ xmlParserPrintFileContextInternal(xmlParserInputPtr input ,
+     xmlChar  content[81]; /* space for 80 chars + line terminator */
+     xmlChar *ctnt;
+ 
+-    if (input == NULL) return;
++    if ((input == NULL) || (input->cur == NULL) ||
++        (*input->cur == 0)) return;
++
+     cur = input->cur;
+     base = input->base;
+     /* skip backwards over any end-of-lines */
+-- 
+cgit v0.11.2
+

data/patches/libxml2/0020-xmlStopParser-reset-errNo.patch

@@ -0,0 +1,41 @@
+From 53ac9c9649fa091377dfea9511f012171f08972d Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Mon, 9 Nov 2015 18:16:00 +0800
+Subject: xmlStopParser reset errNo
+
+I had used it in contexts where that information ought to be preserved
+---
+ parser.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index c79b4e8..b7b6668 100644
+--- a/parser.c
++++ b/parser.c
+@@ -6782,6 +6782,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 	if (RAW != '[') {
+ 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+ 	    xmlStopParser(ctxt);
++	    ctxt->errNo = XML_ERR_CONDSEC_INVALID;
+ 	    return;
+ 	} else {
+ 	    if (ctxt->input->id != id) {
+@@ -6844,6 +6845,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 	if (RAW != '[') {
+ 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+ 	    xmlStopParser(ctxt);
++	    ctxt->errNo = XML_ERR_CONDSEC_INVALID;
+ 	    return;
+ 	} else {
+ 	    if (ctxt->input->id != id) {
+@@ -6901,6 +6903,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+     } else {
+ 	xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
+ 	xmlStopParser(ctxt);
++	ctxt->errNo = XML_ERR_CONDSEC_INVALID_KEYWORD;
+ 	return;
+     }
+ 
+-- 
+cgit v0.11.2
+

data/patches/libxml2/0021-Reuse-xmlHaltParser-where-it-makes-sense.patch

@@ -0,0 +1,175 @@
+From e3b1597421ad7cbeb5939fc3b54f43f141c82366 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard <veillard@redhat.com>
+Date: Fri, 20 Nov 2015 14:59:30 +0800
+Subject: Reuse xmlHaltParser() where it makes sense
+
+Unify the various place where either xmlStopParser was called
+(which resets the error as a side effect) and places where we
+used ctxt->instate = XML_PARSER_EOF to stop further processing
+---
+ parser.c | 37 +++++++++++++++++--------------------
+ 1 file changed, 17 insertions(+), 20 deletions(-)
+
+diff --git a/parser.c b/parser.c
+index b6e99b1..1810f99 100644
+--- a/parser.c
++++ b/parser.c
+@@ -1773,7 +1773,7 @@ nodePush(xmlParserCtxtPtr ctxt, xmlNodePtr value)
+ 	xmlFatalErrMsgInt(ctxt, XML_ERR_INTERNAL_ERROR,
+ 		 "Excessive depth in document: %d use XML_PARSE_HUGE option\n",
+ 			  xmlParserMaxDepth);
+-	ctxt->instate = XML_PARSER_EOF;
++	xmlHaltParser(ctxt);
+ 	return(-1);
+     }
+     ctxt->nodeTab[ctxt->nodeNr] = value;
+@@ -5675,7 +5675,7 @@ xmlParseEntityDecl(xmlParserCtxtPtr ctxt) {
+ 	if (RAW != '>') {
+ 	    xmlFatalErrMsgStr(ctxt, XML_ERR_ENTITY_NOT_FINISHED,
+ 	            "xmlParseEntityDecl: entity %s not terminated\n", name);
+-	    xmlStopParser(ctxt);
++	    xmlHaltParser(ctxt);
+ 	} else {
+ 	    if (input != ctxt->input) {
+ 		xmlFatalErrMsg(ctxt, XML_ERR_ENTITY_BOUNDARY,
+@@ -6787,8 +6787,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 	SKIP_BLANKS;
+ 	if (RAW != '[') {
+ 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+-	    xmlStopParser(ctxt);
+-	    ctxt->errNo = XML_ERR_CONDSEC_INVALID;
++	    xmlHaltParser(ctxt);
+ 	    return;
+ 	} else {
+ 	    if (ctxt->input->id != id) {
+@@ -6850,8 +6849,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 	SKIP_BLANKS;
+ 	if (RAW != '[') {
+ 	    xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID, NULL);
+-	    xmlStopParser(ctxt);
+-	    ctxt->errNo = XML_ERR_CONDSEC_INVALID;
++	    xmlHaltParser(ctxt);
+ 	    return;
+ 	} else {
+ 	    if (ctxt->input->id != id) {
+@@ -6908,8 +6906,7 @@ xmlParseConditionalSections(xmlParserCtxtPtr ctxt) {
+ 
+     } else {
+ 	xmlFatalErr(ctxt, XML_ERR_CONDSEC_INVALID_KEYWORD, NULL);
+-	xmlStopParser(ctxt);
+-	ctxt->errNo = XML_ERR_CONDSEC_INVALID_KEYWORD;
++	xmlHaltParser(ctxt);
+ 	return;
+     }
+ 
+@@ -7120,7 +7117,7 @@ xmlParseExternalSubset(xmlParserCtxtPtr ctxt, const xmlChar *ExternalID,
+ 	    /*
+ 	     * The XML REC instructs us to stop parsing right here
+ 	     */
+-	    ctxt->instate = XML_PARSER_EOF;
++	    xmlHaltParser(ctxt);
+ 	    return;
+ 	}
+     }
+@@ -8107,7 +8104,7 @@ xmlParsePEReference(xmlParserCtxtPtr ctxt)
+ 		     * The XML REC instructs us to stop parsing
+ 		     * right here
+ 		     */
+-		    ctxt->instate = XML_PARSER_EOF;
++		    xmlHaltParser(ctxt);
+ 		    return;
+ 		}
+ 	    }
+@@ -10047,7 +10044,7 @@ xmlParseContent(xmlParserCtxtPtr ctxt) {
+ 	if ((cons == ctxt->input->consumed) && (test == CUR_PTR)) {
+ 	    xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
+ 	                "detected an error in element content\n");
+-	    ctxt->instate = XML_PARSER_EOF;
++	    xmlHaltParser(ctxt);
+             break;
+ 	}
+     }
+@@ -10082,7 +10079,7 @@ xmlParseElement(xmlParserCtxtPtr ctxt) {
+ 	xmlFatalErrMsgInt(ctxt, XML_ERR_INTERNAL_ERROR,
+ 		 "Excessive depth in document: %d use XML_PARSE_HUGE option\n",
+ 			  xmlParserMaxDepth);
+-	ctxt->instate = XML_PARSER_EOF;
++	xmlHaltParser(ctxt);
+ 	return;
+     }
+ 
+@@ -11412,7 +11409,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ 			ctxt->sax->setDocumentLocator(ctxt->userData,
+ 						      &xmlDefaultSAXLocator);
+ 		    xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);
+-		    ctxt->instate = XML_PARSER_EOF;
++		    xmlHaltParser(ctxt);
+ #ifdef DEBUG_PUSH
+ 		    xmlGenericError(xmlGenericErrorContext,
+ 			    "PP: entering EOF\n");
+@@ -11445,7 +11442,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ 			     * The XML REC instructs us to stop parsing right
+ 			     * here
+ 			     */
+-			    ctxt->instate = XML_PARSER_EOF;
++			    xmlHaltParser(ctxt);
+ 			    return(0);
+ 			}
+ 			ctxt->standalone = ctxt->input->standalone;
+@@ -11501,7 +11498,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ 		cur = ctxt->input->cur[0];
+ 	        if (cur != '<') {
+ 		    xmlFatalErr(ctxt, XML_ERR_DOCUMENT_EMPTY, NULL);
+-		    ctxt->instate = XML_PARSER_EOF;
++		    xmlHaltParser(ctxt);
+ 		    if ((ctxt->sax) && (ctxt->sax->endDocument != NULL))
+ 			ctxt->sax->endDocument(ctxt->userData);
+ 		    goto done;
+@@ -11533,7 +11530,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ 		    goto done;
+ 		if (name == NULL) {
+ 		    spacePop(ctxt);
+-		    ctxt->instate = XML_PARSER_EOF;
++		    xmlHaltParser(ctxt);
+ 		    if ((ctxt->sax) && (ctxt->sax->endDocument != NULL))
+ 			ctxt->sax->endDocument(ctxt->userData);
+ 		    goto done;
+@@ -11700,7 +11697,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ 		if ((cons == ctxt->input->consumed) && (test == CUR_PTR)) {
+ 		    xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR,
+ 		                "detected an error in element content\n");
+-		    ctxt->instate = XML_PARSER_EOF;
++		    xmlHaltParser(ctxt);
+ 		    break;
+ 		}
+ 		break;
+@@ -12021,7 +12018,7 @@ xmlParseTryOrFinish(xmlParserCtxtPtr ctxt, int terminate) {
+ 		    goto done;
+ 		} else {
+ 		    xmlFatalErr(ctxt, XML_ERR_DOCUMENT_END, NULL);
+-		    ctxt->instate = XML_PARSER_EOF;
++		    xmlHaltParser(ctxt);
+ #ifdef DEBUG_PUSH
+ 		    xmlGenericError(xmlGenericErrorContext,
+ 			    "PP: entering EOF\n");
+@@ -12385,7 +12382,7 @@ xmldecl_done:
+ 	res = xmlParserInputBufferPush(ctxt->input->buf, size, chunk);
+ 	if (res < 0) {
+ 	    ctxt->errNo = XML_PARSER_EOF;
+-	    ctxt->disableSAX = 1;
++	    xmlHaltParser(ctxt);
+ 	    return (XML_PARSER_EOF);
+ 	}
+         xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input, base, cur);
+@@ -12439,7 +12436,7 @@ xmldecl_done:
+          ((ctxt->input->cur - ctxt->input->base) > XML_MAX_LOOKUP_LIMIT)) &&
+         ((ctxt->options & XML_PARSE_HUGE) == 0)) {
+         xmlFatalErr(ctxt, XML_ERR_INTERNAL_ERROR, "Huge input lookup");
+-        ctxt->instate = XML_PARSER_EOF;
++        xmlHaltParser(ctxt);
+     }
+     if ((ctxt->errNo != XML_ERR_OK) && (ctxt->disableSAX == 1))
+         return(ctxt->errNo);
+-- 
+cgit v0.11.2
+

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: nokogiri
 version: !ruby/object:Gem::Version
-  version: 1.6.7.1
+  version: 1.6.7.2
 platform: ruby
 authors:
 - Aaron Patterson
@@ -12,7 +12,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-12-17 00:00:00.000000000 Z
+date: 2016-01-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mini_portile2
@@ -429,6 +429,9 @@ files:
 - patches/libxml2/0016-Detect-incoherency-on-GROW.patch
 - patches/libxml2/0017-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
 - patches/libxml2/0018-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch
+- patches/libxml2/0019-Do-not-print-error-context-when-there-is-none.patch
+- patches/libxml2/0020-xmlStopParser-reset-errNo.patch
+- patches/libxml2/0021-Reuse-xmlHaltParser-where-it-makes-sense.patch
 - patches/libxslt/0001-Adding-doc-update-related-to-1.1.28.patch
 - patches/libxslt/0002-Fix-a-couple-of-places-where-f-printf-parameters-wer.patch
 - patches/libxslt/0003-Initialize-pseudo-random-number-generator-with-curre.patch