Bug 794733 - <dev-libs/libxml2-2.9.12-r3: breaks all versions of PHP's (7.3 => 8.0) DOMDocument::saveHTML()
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Stabilization
Hardware: All Linux
Importance: Normal major
Assignee: Sam James
URL: https://gitlab.gnome.org/GNOME/libxml...
Whiteboard:
Keywords: CC-ARCHES
Depends on:
Blocks: CVE-2021-3516, CVE-2021-3517, CVE-2021-3518, CVE-2021-3537, CVE-2021-3541
Reported: 2021-06-07 11:46 UTC by Patrick ALLAERT
Modified: 2021-06-15 15:46 UTC

See Also:
Package list:
dev-libs/libxml2-2.9.12-r3
Runtime testing required: ---
nattka: sanity-check+


Attachments
Patch from upstream commit 92d9ab4c28842a09ca2b76d3ff2f933e01b6cd6f (92d9ab4c28842a09ca2b76d3ff2f933e01b6cd6f.patch,885 bytes, patch)
2021-06-07 14:57 UTC, Patrick ALLAERT

Description Patrick ALLAERT 2021-06-07 11:46:45 UTC
With libxml2 < 2.9.12-r2 (not tested with 2.9.12), the result of

php -r 'var_dump((new DOMDocument)->saveHTML());'
Command line code:1:
string(1) "
"

has always been an empty HTML string.

Now, with 2.9.12(-r2), it returns false and breaks API.

Minimal script:

<?php

declare(strict_types=1);

function asHTML(DOMDocument $dom): string
{
    return $dom->saveHTML();
}

echo asHTML(new DOMDocument);
?>

This will generate:
Return value of asHTML() must be of the type string, bool returned
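
A defensive variant of the minimal script above, added here as an example and not part of the original report or of PHP/libxml2: DOMDocument::saveHTML() is documented to return string|false, so the false case is handled explicitly instead of reaching a `string` return type. The function name asHtmlChecked and the two sample documents are assumptions made for illustration.

```php
<?php

declare(strict_types=1);

/**
 * Serialise a DOMDocument to HTML without assuming saveHTML() succeeded.
 * A false return becomes a RuntimeException that carries the libxml2
 * version and any libxml diagnostics, rather than a bare TypeError.
 */
function asHtmlChecked(DOMDocument $dom): string
{
    // Buffer libxml diagnostics instead of emitting PHP warnings.
    // Note: this clears any errors already buffered by the caller.
    $previous = libxml_use_internal_errors(true);
    libxml_clear_errors();

    try {
        $html = $dom->saveHTML();
        if ($html === false) {
            $details = array_map(
                static function (LibXMLError $e): string {
                    return trim($e->message);
                },
                libxml_get_errors()
            );
            throw new RuntimeException(
                'DOMDocument::saveHTML() returned false (libxml2 '
                . LIBXML_DOTTED_VERSION . ')'
                . ($details ? ': ' . implode('; ', $details) : '')
            );
        }
        return $html;
    } finally {
        // Restore the caller's libxml error-handling mode.
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed inputs: the empty document from the report and a non-empty one.
$filled = new DOMDocument();
$filled->loadHTML('<!DOCTYPE html><html><body><p>ok</p></body></html>');

foreach (['empty' => new DOMDocument(), 'filled' => $filled] as $label => $dom) {
    try {
        printf("%s: %d bytes\n", $label, strlen(asHtmlChecked($dom)));
    } catch (RuntimeException $e) {
        printf("%s: %s\n", $label, $e->getMessage());
    }
}
```

Run after a libxml2 upgrade, the "empty" line shows whether the empty-document case still serialises or now fails, together with the libxml2 version PHP is linked against.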
Comment 1 Patrick ALLAERT 2021-06-07 11:47:57 UTC
You can see that the behaviour has always been identical across versions of PHP: https://3v4l.org/W83pq
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-07 12:05:19 UTC
1. Thanks for the report.

2. Can you please report this upstream too to libxml2?
Comment 3 Patrick ALLAERT 2021-06-07 12:09:49 UTC
(In reply to Sam James from comment #2)
> 1. Thanks for the report.
> 
> 2. Can you please report this upstream too to libxml2?

I am not quite sure the problem is at libxml2 level or at PHP's one.

But I'll follow your advice and create one upstream and link it here.
Comment 4 Patrick ALLAERT 2021-06-07 12:24:07 UTC
libxml2 upstream issue: https://gitlab.gnome.org/GNOME/libxml2/-/issues/266
Comment 5 Patrick ALLAERT 2021-06-07 13:49:34 UTC
Fixed upstream.

A patch inspired by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92d9ab4c28842a09ca2b76d3ff2f933e01b6cd6f can probably be used until it is part of a release.
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-07 14:44:34 UTC
(In reply to Patrick ALLAERT from comment #5)
> Fixed upstream.
> 
> A patch inspired by
> https://gitlab.gnome.org/GNOME/libxml2/-/commit/
> 92d9ab4c28842a09ca2b76d3ff2f933e01b6cd6f can probably be used until it is
> part of a release.

Huge thanks for reporting upstream and to us. (The reason I asked you to go to libxml2 first is because even if this weren't necessarily caused by them, they may have insight as to what change made it appear, etc.)

I assume you've verified the patch works for you in /etc/portage/patches/?
Comment 7 Patrick ALLAERT 2021-06-07 14:46:18 UTC
(In reply to Sam James from comment #6)
> (In reply to Patrick ALLAERT from comment #5)
> > Fixed upstream.
> > 
> > A patch inspired by
> > https://gitlab.gnome.org/GNOME/libxml2/-/commit/
> > 92d9ab4c28842a09ca2b76d3ff2f933e01b6cd6f can probably be used until it is
> > part of a release.
> 
> Huge thanks for reporting upstream and to us. (The reason I asked you to go
> to libxml2 first is because even if this weren't necessarily caused by them,
> they may have insight as to what change made it appear, etc.)
> 
> I assume you've verified the patch works for you in /etc/portage/patches/?

No, I haven't.

Not familiar (yet) with local custom patches.

I will try now, hints welcome.
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-07 14:52:03 UTC
(In reply to Patrick ALLAERT from comment #7)
> No, I haven't.
> 
> Not familiar (yet) with local custom patches.
> 
> I will try now, hints welcome.

No worries at all. See https://wiki.gentoo.org/wiki//etc/portage/patches#Adding_user_patches but here's the rundown:

1) mkdir -p /etc/portage/patches/dev-libs/libxml2/
2) wget https://gitlab.gnome.org/GNOME/libxml2/-/commit/92d9ab4c28842a09ca2b76d3ff2f933e01b6cd6f.patch -O /etc/portage/patches/dev-libs/libxml2/bug794733.patch
3) emerge -v1 libxml2 (you should see 'user patches applied' towards the beginning)
4) try your PHP test case again
Comment 9 Patrick ALLAERT 2021-06-07 14:55:12 UTC
Local patch worked great!

$ eix ^libxml2$
[I] dev-libs/libxml2
     Available versions:  (2) 2.9.10-r5^t 2.9.12^t 2.9.12-r2^t
       {debug examples icu ipv6 lzma +python readline static-libs test verify-sig ABI_MIPS="n32 n64 o32" ABI_S390="32 64" ABI_X86="32 64 x32" PYTHON_TARGETS="python3_8 python3_9"}
     Installed versions:  2.9.12-r2(2)^t(16:51:31 07/06/21)(icu ipv6 python readline -debug -examples -lzma -static-libs -test -verify-sig ABI_MIPS="-n32 -n64 -o32" ABI_S390="-32 -64" ABI_X86="64 -32 -x32" PYTHON_TARGETS="python3_9 -python3_8")
     Homepage:            http://www.xmlsoft.org/ https://gitlab.gnome.org/GNOME/libxml2
     Description:         XML C parser and toolkit

$ php8.0 -r 'var_dump((new DOMDocument)->saveHTML());'
string(1) "
"
Comment 10 Patrick ALLAERT 2021-06-07 14:57:03 UTC
Created attachment 714294
Patch from upstream commit 92d9ab4c28842a09ca2b76d3ff2f933e01b6cd6f

Patch from https://gitlab.gnome.org/GNOME/libxml2/-/commit/92d9ab4c28842a09ca2b76d3ff2f933e01b6cd6f.patch
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-07 17:21:33 UTC
(In reply to Patrick ALLAERT from comment #9)
> Local patch worked great!
> 

Huge thanks. Testing...
Comment 12 Larry the Git Cow gentoo-dev 2021-06-08 00:18:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=44c350da1481eb2666003486ea295bc836401d01

commit 44c350da1481eb2666003486ea295bc836401d01
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-06-07 23:54:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-08 00:17:56 +0000

    dev-libs/libxml2: add upstream patch for PHP/HTML serialisation regression
    
    Bug: https://bugs.gentoo.org/794733
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libxml2/Manifest                 |   1 +
 dev-libs/libxml2/libxml2-2.9.12-r3.ebuild | 251 ++++++++++++++++++++++++++++++
 2 files changed, 252 insertions(+)
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-13 03:43:02 UTC
x86 done
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-13 03:43:33 UTC
amd64 done
Comment 15 Agostino Sarubbo gentoo-dev 2021-06-13 06:31:04 UTC
sparc stable
Comment 16 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-13 11:11:33 UTC
arm64 done
Comment 17 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-13 12:38:23 UTC
arm done
Comment 18 Agostino Sarubbo gentoo-dev 2021-06-14 09:15:20 UTC
ppc stable
Comment 19 Agostino Sarubbo gentoo-dev 2021-06-14 09:16:01 UTC
ppc64 stable
Comment 20 Rolf Eike Beer archtester 2021-06-15 15:46:37 UTC
hppa done, bug done