nokogiri 1.8.4-java → 1.8.5-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 89365a54954eca0ebe751dcc006dd77a601940d7
-  data.tar.gz: fe3cc54b01faa92e10e14686da63092a5fd4282e
+  metadata.gz: e9727f93d46220b9a004551304a4ec6cba2243ac
+  data.tar.gz: 41168fc5b0521a0d28c06790cfc9c33b4ec0d37c
 SHA512:
-  metadata.gz: 445eefd9f3c2681b119c8c68fa6acbe52b3299fcc914c08c5d74e3533c3e95bcafa58f8124559ed93aea8544d4983c21ad0d0e78be047cfae73dbc03f3c5a9e9
-  data.tar.gz: a4c40ea7f308c5dcc9214a88adb7364a9fbebef95248d7aa472f255e84155f816ed8719f37719dd86566fd99ff3e0016bb3dff069c75725b60e81a480643239b
+  metadata.gz: 737c5fa0fff34cb9f8976f57c0b5b5dfe465b288b420f60af77159ca95c4b7d7dce7c990f1ef692fc0eccf94bcfed468ea483a377ca5784858fbfa3893585f0b
+  data.tar.gz: 88d8fbfe169eff929bc5fca87a5316c5d2a42f56bf07263e8a63e48a893ee4edd3c3292f144f36044ac53d321338dbd668912ded2077d962e0637d4c43936b01

data/CHANGELOG.md

@@ -1,3 +1,16 @@
+# 1.8.5 / 2018-10-04
+
+## Security Notes
+
+[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in [#1785](https://github.com/sparklemotion/nokogiri/issues/1785). Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.
+
+
+## Bug fixes
+
+* [MRI] Fix regression in installation when building against system libraries, where some systems would not be able to find libxml2 or libxslt when present. (Regression introduced in v1.8.3.) [#1722]
+* [JRuby] Fix node reparenting when the destination doc is empty. [#1773]
+
+
 # 1.8.4 / 2018-07-03
 
 ## Bug fixes

data/Manifest.txt

@@ -251,6 +251,8 @@ lib/xercesImpl.jar
 lib/xml-apis.jar
 lib/xsd/xmlparser/nokogiri.rb
 patches/libxml2/0001-Revert-Do-not-URI-escape-in-server-side-includes.patch
+patches/libxml2/0002-Fix-nullptr-deref-with-XPath-logic-ops.patch
+patches/libxml2/0003-Fix-infinite-loop-in-LZMA-decompression.patch
 patches/sort-patches-by-date
 suppressions/README.txt
 suppressions/nokogiri_ruby-2.supp

data/build_all

@@ -17,27 +17,27 @@ fi
 
 set -o errexit
 
-rm -rf tmp pkg
-bundle exec rake clean clobber
+# rm -rf tmp pkg
+# bundle exec rake clean clobber
 
-# holding pen
-rm -rf gems
-mkdir -p gems
+# # holding pen
+# rm -rf gems
+# mkdir -p gems
 
-# windows
-bundle exec rake gem:windows
-cp -v pkg/nokogiri*{x86,x64}-mingw32*.gem gems
+# # windows
+# bundle exec rake gem:windows
+# cp -v pkg/nokogiri*{x86,x64}-mingw32*.gem gems
 
-# MRI
-bundle exec rake clean
-bundle exec rake gem
-cp -v pkg/nokogiri*.gem gems
+# # MRI
+# bundle exec rake clean
+# bundle exec rake gem
+# cp -v pkg/nokogiri*.gem gems
 
 # jruby
 bundle exec rake clean clobber
 bundle exec rake generate
 
-rvm jruby
+rvm jruby-9.1
 gem install bundler --conservative
 bundle install --quiet --local || bundle install
 bundle exec ruby -S rake gem

data/ext/java/nokogiri/XmlNode.java

@@ -33,7 +33,16 @@
 package nokogiri;
 
 import static java.lang.Math.max;
-import static nokogiri.internals.NokogiriHelpers.*;
+import static nokogiri.internals.NokogiriHelpers.clearXpathContext;
+import static nokogiri.internals.NokogiriHelpers.convertEncoding;
+import static nokogiri.internals.NokogiriHelpers.convertString;
+import static nokogiri.internals.NokogiriHelpers.getCachedNodeOrCreate;
+import static nokogiri.internals.NokogiriHelpers.getNokogiriClass;
+import static nokogiri.internals.NokogiriHelpers.isBlank;
+import static nokogiri.internals.NokogiriHelpers.nodeArrayToRubyArray;
+import static nokogiri.internals.NokogiriHelpers.nonEmptyStringOrNil;
+import static nokogiri.internals.NokogiriHelpers.rubyStringToString;
+import static nokogiri.internals.NokogiriHelpers.stringOrNil;
 
 import java.io.ByteArrayInputStream;
 import java.io.InputStream;
@@ -43,18 +52,12 @@ import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
 
-import nokogiri.internals.HtmlDomParserContext;
-import nokogiri.internals.NokogiriHelpers;
-import nokogiri.internals.NokogiriNamespaceCache;
-import nokogiri.internals.SaveContextVisitor;
-import nokogiri.internals.XmlDomParserContext;
-
 import org.apache.xerces.dom.CoreDocumentImpl;
 import org.jruby.Ruby;
 import org.jruby.RubyArray;
 import org.jruby.RubyClass;
-import org.jruby.RubyInteger;
 import org.jruby.RubyFixnum;
+import org.jruby.RubyInteger;
 import org.jruby.RubyModule;
 import org.jruby.RubyObject;
 import org.jruby.RubyString;
@@ -76,6 +79,12 @@ import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 import org.w3c.dom.Text;
 
+import nokogiri.internals.HtmlDomParserContext;
+import nokogiri.internals.NokogiriHelpers;
+import nokogiri.internals.NokogiriNamespaceCache;
+import nokogiri.internals.SaveContextVisitor;
+import nokogiri.internals.XmlDomParserContext;
+
 /**
  * Class for Nokogiri::XML::Node
  *
@@ -1542,6 +1551,10 @@ public class XmlNode extends RubyObject {
          try {
             Document prev = otherNode.getOwnerDocument();
             Document doc = thisNode.getOwnerDocument();
+            if (doc == null && thisNode instanceof Document) {
+              // we are adding the new node to a new empty document
+              doc = (Document) thisNode;
+            }
             clearXpathContext(prev);
             clearXpathContext(doc);
             if (doc != null && doc != otherNode.getOwnerDocument()) {

data/ext/nokogiri/extconf.rb

@@ -434,7 +434,7 @@ end
 
 if RbConfig::MAKEFILE_CONFIG['CC'] =~ /gcc/
   $CFLAGS << " -O3" unless $CFLAGS[/-O\d/]
-  $CFLAGS << " -Wall -Wcast-qual -Wwrite-strings -Wextra -Wmissing-noreturn -Winline"
+  $CFLAGS << " -Wall -Wcast-qual -Wwrite-strings -Wmissing-noreturn -Winline"
 end
 
 case

data/lib/nokogiri/version.rb

@@ -1,6 +1,6 @@
 module Nokogiri
   # The version of Nokogiri you are using
-  VERSION = '1.8.4'
+  VERSION = '1.8.5'
 
   class VersionInfo # :nodoc:
     def jruby?

data/patches/libxml2/0002-Fix-nullptr-deref-with-XPath-logic-ops.patch

@@ -0,0 +1,54 @@
+From a436374994c47b12d5de1b8b1d191a098fa23594 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 12:54:38 +0200
+Subject: [PATCH] Fix nullptr deref with XPath logic ops
+
+If the XPath stack is corrupted, for example by a misbehaving extension
+function, the "and" and "or" XPath operators could dereference NULL
+pointers. Check that the XPath stack isn't empty and optimize the
+logic operators slightly.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/5
+
+Also see
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901817
+https://bugzilla.redhat.com/show_bug.cgi?id=1595985
+
+This is CVE-2018-14404.
+
+Thanks to Guy Inbar for the report.
+---
+ xpath.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/xpath.c b/xpath.c
+index 3fae0bf..5e3bb9f 100644
+--- a/xpath.c
++++ b/xpath.c
+@@ -13234,9 +13234,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ 		return(0);
+ 	    }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval &= arg2->boolval;
+-            valuePush(ctxt, arg1);
++            if (ctxt->value != NULL)
++                ctxt->value->boolval &= arg2->boolval;
+ 	    xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_OR:
+@@ -13252,9 +13251,8 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
+ 		return(0);
+ 	    }
+             xmlXPathBooleanFunction(ctxt, 1);
+-            arg1 = valuePop(ctxt);
+-            arg1->boolval |= arg2->boolval;
+-            valuePush(ctxt, arg1);
++            if (ctxt->value != NULL)
++                ctxt->value->boolval |= arg2->boolval;
+ 	    xmlXPathReleaseObject(ctxt->context, arg2);
+             return (total);
+         case XPATH_OP_EQUAL:
+-- 
+2.17.1
+

data/patches/libxml2/0003-Fix-infinite-loop-in-LZMA-decompression.patch

@@ -0,0 +1,50 @@
+From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Mon, 30 Jul 2018 13:14:11 +0200
+Subject: [PATCH] Fix infinite loop in LZMA decompression
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Check the liblzma error code more thoroughly to avoid infinite loops.
+
+Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13
+Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914
+
+This is CVE-2018-9251 and CVE-2018-14567.
+
+Thanks to Dongliang Mu and Simon Wörner for the reports.
+---
+ xzlib.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/xzlib.c b/xzlib.c
+index a839169..0ba88cf 100644
+--- a/xzlib.c
++++ b/xzlib.c
+@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)
+                          "internal error: inflate stream corrupt");
+                 return -1;
+             }
++            /*
++             * FIXME: Remapping a couple of error codes and falling through
++             * to the LZMA error handling looks fragile.
++             */
+             if (ret == Z_MEM_ERROR)
+                 ret = LZMA_MEM_ERROR;
+             if (ret == Z_DATA_ERROR)
+@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)
+             xz_error(state, LZMA_PROG_ERROR, "compression error");
+             return -1;
+         }
++        if ((state->how != GZIP) &&
++            (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {
++            xz_error(state, ret, "lzma error");
++            return -1;
++        }
+     } while (strm->avail_out && ret != LZMA_STREAM_END);
+ 
+     /* update available output and crc check value */
+-- 
+2.17.1
+

data/test/xml/test_node_reparenting.rb

@@ -197,6 +197,17 @@ module Nokogiri
             end
           end
 
+          describe "given the new document is empty" do
+            it "adds the node to the new document" do
+              doc1 = Nokogiri::XML.parse("<value>3</value>")
+              doc2 = Nokogiri::XML::Document.new
+              node = doc1.at_xpath("//value")
+              node.remove
+              doc2.add_child(node)
+              assert_match /<value>3<\/value>/, doc2.to_xml
+            end
+          end
+
           describe "given a parent node with a default namespace" do
             before do
               @doc = Nokogiri::XML(<<-eoxml)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: nokogiri
 version: !ruby/object:Gem::Version
-  version: 1.8.4
+  version: 1.8.5
 platform: java
 authors:
 - Aaron Patterson
@@ -14,7 +14,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-07-03 00:00:00.000000000 Z
+date: 2018-10-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -515,6 +515,8 @@ files:
 - lib/xml-apis.jar
 - lib/xsd/xmlparser/nokogiri.rb
 - patches/libxml2/0001-Revert-Do-not-URI-escape-in-server-side-includes.patch
+- patches/libxml2/0002-Fix-nullptr-deref-with-XPath-logic-ops.patch
+- patches/libxml2/0003-Fix-infinite-loop-in-LZMA-decompression.patch
 - patches/sort-patches-by-date
 - suppressions/README.txt
 - suppressions/nokogiri_ruby-2.supp
@@ -652,7 +654,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.6.14
+rubygems_version: 2.6.14.1
 signing_key:
 specification_version: 4
 summary: Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser