From f33a25f4378df33912ebc6b4ebc0f9e8e80ddfa8 Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Sun, 4 Feb 2024 10:18:16 -0500
Subject: [PATCH 1/2] dep: remove patch from #3112 which has been released upstream
- fix is in libxml 2.12.5
- also update test to not rely on the presence of the patch
---
 ...h-in-xmlParseInNodeContext-with-HTML.patch | 33 -------------------
 test/html5/test_api.rb | 7 ++--
 2 files changed, 3 insertions(+), 37 deletions(-)
 delete mode 100644 patches/libxml2/0012-parser-Fix-crash-in-xmlParseInNodeContext-with-HTML.patch
diff --git a/patches/libxml2/0012-parser-Fix-crash-in-xmlParseInNodeContext-with-HTML.patch b/patches/libxml2/0012-parser-Fix-crash-in-xmlParseInNodeContext-with-HTML.patch
deleted file mode 100644
index 56e8851784..0000000000
--- a/patches/libxml2/0012-parser-Fix-crash-in-xmlParseInNodeContext-with-HTML.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 95f2a17440568694a6df6a326c5b411e77597be2 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Tue, 30 Jan 2024 13:25:17 +0100
-Subject: [PATCH] parser: Fix crash in xmlParseInNodeContext with HTML
- documents
-
-Ignore namespaces if we have an HTML document with namespaces added
-manually.
-
-Fixes #672.
---
- parser.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/parser.c b/parser.c
-index 1038d71b..f7842ed1 100644
---- a/parser.c
-+++ b/parser.c
-@@ -12415,8 +12415,10 @@ xmlParseInNodeContext(xmlNodePtr node, const char *data, int datalen,
- }
- xmlAddChild(node, fake);
-
-- if (node->type == XML_ELEMENT_NODE) {
-+ if (node->type == XML_ELEMENT_NODE)
- nodePush(ctxt, node);
-+
-+ if ((ctxt->html == 0) && (node->type == XML_ELEMENT_NODE)) {
- /*
- * initialize the SAX2 namespaces stack
- */
---
-2.42.0
-
diff --git a/test/html5/test_api.rb b/test/html5/test_api.rb
index 1263aefa36..926fa8a4dc 100644
--- a/test/html5/test_api.rb
+++ b/test/html5/test_api.rb
@@ -239,12 +239,11 @@ def test_node_wrap_uses_parent_node_as_parsing_context_node
 end
 def test_parse_in_context_of_foreign_namespace
- if Nokogiri.uses_libxml?("~> 2.12.0")
- skip_unless_libxml2_patch("0012-parser-Fix-crash-in-xmlParseInNodeContext-with-HTML.patch")
- end
-
 # https://github.com/sparklemotion/nokogiri/issues/3112
 # https://gitlab.gnome.org/GNOME/libxml2/-/issues/672
+ # released upstream in v2.12.5
+ skip if Nokogiri.uses_libxml?(["~> 2.12.0", "< 2.12.5"])
+
 doc = Nokogiri::HTML5::Document.parse("")
 math = doc.at_css("math")
From 0d4018dc7009580659c101fc41efb3babcfec229 Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Sun, 4 Feb 2024 10:38:55 -0500
Subject: [PATCH 2/2] dep: update libxml2 to v2.12.5
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5
This addresses CVE-2024-25062, for more information see:
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
---
 CHANGELOG.md | 12 ++++++++++++
 dependencies.yml | 6 +++---
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1f98216c36..314b585e79 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,18 @@ Nokogiri follows [Semantic Versioning](https://semver.org/), please see the [REA
 ---
+## v1.16.next / unreleased
+
+### Security
+
+* [CRuby] Vendored libxml2 is updated to address CVE-2024-25062. See [GHSA-xc9x-jj77-9p9j](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j) for more information.
+
+
+### Dependencies
+
+* [CRuby] Vendored libxml2 is updated to [v2.12.5](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5) from v2.12.4. (@flavorjones)
+
+
 ## v1.16.1 / 2024-02-03
 ### Dependencies
diff --git a/dependencies.yml b/dependencies.yml
index a69fe871b3..03860e6a3e 100644
--- a/dependencies.yml
+++ b/dependencies.yml
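Review bot: The bare `skip` added on the new side reports no reason, so on a libxml2 in the 2.12.0–2.12.4 range the one test exercising the xmlParseInNodeContext crash (libxml2#672) drops out of the run as an anonymous "skipped" and nothing in CI output says why. I would pass a message, e.g. `skip("libxml2 2.12.0-2.12.4 crashes in xmlParseInNodeContext with HTML documents, fixed upstream in 2.12.5 (libxml2#672)")`, so the skip is self-explaining. The removed `skip_unless_libxml2_patch` branch let a patched in-range build run the test, whereas the new version range also skips a 2.12.x build that backported the fix — presumably acceptable, since on an unpatched build the test can only crash the process rather than fail an assertion, but that reasoning deserves one sentence in the comment above the `skip`. The body of `test_parse_in_context_of_foreign_namespace` continues past the end of this hunk.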
@@ -1,8 +1,8 @@
 libxml2:
- version: "2.12.4"
- sha256: "497360e423cf0bd99eacdb7c6215dea92e6d6e89ee940393c2bae0e77cb9b7d0"
- # sha-256 hash provided in https://download.gnome.org/sources/libxml2/2.12/libxml2-2.12.4.sha256sum
+ version: "2.12.5"
+ sha256: "a972796696afd38073e0f59c283c3a2f5a560b5268b4babc391b286166526b21"
+ # sha-256 hash provided in https://download.gnome.org/sources/libxml2/2.12/libxml2-2.12.5.sha256sum
 libxslt:
 version: "1.1.39"