Bug 249703 - dev-libs/libxml2-2.7.x breaks the xml_parse_into_struct php function
Summary: dev-libs/libxml2-2.7.x breaks the xml_parse_into_struct php function
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: AMD64 Linux
Importance: High critical
Assignee: PHP Bugs
Reported: 2008-12-03 12:58 UTC by valli
Modified: 2009-04-09 09:32 UTC
Description valli 2008-12-03 12:58:33 UTC
There's a major problem with libxml2-2.7.x and the php function
xml_parse_into_struct. All entities are lost in the output.
This problem does not occur with libxml2-2.6.32.

Please mask >libxml2-2.7

The problem appears with all libxml2-2.7.x versions
in portage.

This is a major problem. If you use e.g. Typo3, all
locallang.xml with entities won't be displayed correctly.

Reproducible: Always

Steps to Reproduce:
Run the following simple PHP script:
<?php
// Parse a small document containing an entity and dump the resulting struct.
$simple = "<note>simple &amp; note</note>";
$p = xml_parser_create();
xml_parse_into_struct($p, $simple, $vals, $index);
print_r($vals);

Actual Results:  
simple  note

Expected Results:  
simple & note

dev-lang/php-5.2.6-r7  USE="apache2 bcmath berkdb bzip2 cli crypt ctype curl exif ftp gd-external gdbm gmp hash iconv imap json mysql mysqli ncurses nls pcntl pcre pdo posix readline reflection session sharedmem simplexml soap sockets spell spl ssl sysvipc tokenizer truetype unicode wddx xml xmlreader xmlrpc xmlwriter xsl zip zlib"

dev-libs/libxml2-2.7.2-r1 USE="python readline"

Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2008-12-03 16:56:36 UTC
Is there an UPSTREAM bug report?
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2008-12-03 17:14:54 UTC
MT`AwAy reported this on #gentoo-php yesterday already and did some investigation (thanks!).

Here is the outcome:

PHP messes with libxml2-internal data structures, which changed in the new 2.7 version.
There are multiple ways to mitigate the problem:
  a) Mask libxml2-2.7.x
  b) Have PHP block >=libxml2-2.7
  c) Patch libxml2 to revert these changes
  d) Patch PHP to work with the changes
  e) Have PHP link to expat explicitly, which disables the compat layer, which
     is the only part in PHP which exhibits this problem

a) and b) are not possible for security reasons and because the problem is limited to PHP and its great property of playing with non-API parts of a library (these statements are based on the findings by the mentioned user). c) is not a nice solution for similar reasons.
d) would be the best solution, but someone would have to fully research the issue first and prepare a patch... (might be impossible to do, after all, who knows).
e) would be the next solution, which I could think of; should not have any side effects, but it introduces a new dependency on expat...

Moving the bug to php team as this is more likely a problem in PHP than in libxml2, at least this is my current understanding.
Comment 3 Christian Hoffmann (RETIRED) gentoo-dev 2008-12-03 17:42:34 UTC
This bug seems to be known already, see $URL. No really new information though...
Comment 4 Mart Raudsepp gentoo-dev 2008-12-04 00:44:38 UTC
During the latest libxml2 security bugs embargo lift date I asked upstream if they are releasing a new version for the security bug. The answer was basically to patch it, so that a 2.7.2 release can contain a fix or workaround for some then unspecified (to me) PHP expat problem. I assume there's a libxml2 upstream bug report too then.
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-12-23 04:58:59 UTC
gnome: I just backported the security fix (CVE-2008-4225, CVE-2008-4226) from bug #245960 to libxml2-2.6.32-r1, please stabilize 2.6.32-r1 ASAP, and package.mask 2.7.x.

security: you're going to need to update the GLSA because of the breakage that 2.7.x is causing.

severity raised to critical because it managed to temporarily break at least one infra box before I caught it and downgraded again.
Comment 6 Mart Raudsepp gentoo-dev 2008-12-23 09:48:34 UTC
Can't PHP stop using private struct members or what's the real issue here? They are talking about some mysterious patch I want to see, validate and include..

I can't see an ABI compatible fix for CVE-2008-3281 and a fix for CVE-2008-3529 in libxml2-2.6.32-r1. I believe one of them deals with entities and that security fix might break PHP...
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-12-23 12:31:32 UTC
This should be fixed in PHP rather than masking latest versions of libxml2.
Comment 8 valli 2008-12-23 13:04:46 UTC
With dev-libs/libxml2-2.6.32-r1 the bug doesn't occur.
Please stabilize it.

According to the latest posts from scottmac and rrichards in the bug is in libxml2 (not in php).

Although I can find neither a libxml2 patch
nor an entry in the libxml2 bug reporting tool.
Comment 9 Gilles Dartiguelongue (RETIRED) gentoo-dev 2008-12-23 13:28:48 UTC
(In reply to comment #8)
> With dev-libs/libxml2-2.6.32-r1 the bug doesn't occur.
> Please stabilize it.
2.6.32-r1 is dead and for good reason, it caused more breakage than expected and was punted as soon as 2.7 entered the tree to fix security issues. It means 2.6.32 and lower have security issues and there is no way we mask later releases. We will wait until the libxml patch is available to provide a fixed libxml in gentoo. In the meantime, workarounds have been described on the php bug already.
Comment 10 Mart Raudsepp gentoo-dev 2008-12-24 03:27:37 UTC
(In reply to comment #8)
> With dev-libs/libxml2-2.6.32-r1 the bug doesn't occur.
> Please stabilize it.

It has two known security bugs, not a responsible thing to do...

> According to the latest posts from scottmac and rrichards in
> the bug is in libxml2 (not in php).

No, it is not really a bug in libxml2 in its true sense. It is PHP using it in a way that was not officially supported by libxml2. SAX/expat like parsing or something like that? Anyway, yes, the solution can happen in libxml2 as a new public feature, and rrichards is working on that in cooperation with the libxml2 author.

> Although I can find neither a libxml2 patch
> nor an entry in the libxml2 bug reporting tool.

Neither could I, but stuff is moving now between PHP and libxml2 respective authors/maintainers.

I will not OK a stabilization of 2.6.32-r1 when it has known security bugs.
Also, it shouldn't be called -r1, because -r1 was an old revision that broke ABI and was in ~arch for a day before p.masked and then removed, so it should be -r2, but it shouldn't be at all if there are the known security bugs there.
Fix for one of the security bugs to my knowledge was what made it incompatible with the way PHP was using it in the first place I think (but not sure).
Comment 11 Christian Hoffmann (RETIRED) gentoo-dev 2009-01-11 12:43:36 UTC
gnome team, can you please provide a 2.7.x ebuild with this changeset applied?

According to Richard, there will be a new release of libxml2 with this change around 20th of January, but I think we could fix this earlier.

I'll provide a new revision of php to make the necessary changes there in a minute.
Comment 12 Mart Raudsepp gentoo-dev 2009-01-11 19:47:04 UTC
(In reply to comment #11)
> gnome team, can you please provide a 2.7.x ebuild with this changeset applied?

Included in dev-libs/libxml2-2.7.2-r2
So done from our side.

> According to Richard, there will be a new release of libxml2 with this change
> around 20th of January, but I think we could fix this earlier.

By latest 20th January, hopefully much earlier. But now we aren't in a rush anymore with that.

> I'll provide a new revision of php to make the necessary changes there in a
> minute.

Go right ahead :)
Comment 13 Christian Hoffmann (RETIRED) gentoo-dev 2009-01-11 21:21:53 UTC
I'm slacking, I know. :)
php-5.2.8-r2 is in the tree now, which has the fix, along with some others.

Arches, please make sure that no ext/xml/tests* fails, when testing this version.

To fix this bug, we need the following packages stable:

Target keywords: alpha amd64 arm hppa ia64 (m68k) ppc ppc64 s390 sh sparc x86

(Technically m68k is not needed, because php isn't keyworded for it, but I guess we want libxml2 KEYWORDS to be the same on all arches).

I will request stabilization in the next 1-2 days, leio already gave his OK for libxml2-2.7.2-r2. In the meantime, some positive (real world) test reports would be great. :)
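
A regression check for the behaviour reported in this bug, as an added example that is not part of the bug report or of PHP's own ext/xml tests. It goes beyond the single `&amp;` case in the description and also covers the other predefined entities, a numeric character reference, and an attribute value; the helper name `parse_first_element` and all sample documents are constructed for illustration.

```php
<?php
// Added example (not from the bug report): checks that xml_parse_into_struct()
// keeps predefined entities. All sample documents are constructed.

function parse_first_element(string $xml): array
{
    $parser = xml_parser_create();
    // Keep names and whitespace as written so the comparisons are exact.
    xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, 0);
    xml_parser_set_option($parser, XML_OPTION_SKIP_WHITE, 0);
    if (!xml_parse_into_struct($parser, $xml, $vals, $index)) {
        throw new RuntimeException(
            'parse error: ' . xml_error_string(xml_get_error_code($parser))
        );
    }
    // An element with only text content is reported as one "complete" entry.
    return $vals[0];
}

// [document, expected text value, expected "title" attribute or null]
$cases = [
    ['<note>simple &amp; note</note>', 'simple & note', null],
    ['<note>a &lt; b &gt; c</note>', 'a < b > c', null],
    ['<note>one &#38; two</note>', 'one & two', null],
    ['<note title="&quot;x&quot; &amp; &apos;y&apos;">t</note>', 't', '"x" & \'y\''],
];

$failures = 0;
foreach ($cases as [$xml, $wantText, $wantAttr]) {
    $node = parse_first_element($xml);
    $gotText = $node['value'] ?? '';
    $gotAttr = $node['attributes']['title'] ?? null;
    $ok = ($gotText === $wantText) && ($gotAttr === $wantAttr);
    $failures += $ok ? 0 : 1;
    printf("%-4s %s => text=%s attr=%s\n", $ok ? 'ok' : 'FAIL', $xml,
        var_export($gotText, true), var_export($gotAttr, true));
}

// LIBXML_DOTTED_VERSION is only defined when PHP is built against libxml2.
$lib = defined('LIBXML_DOTTED_VERSION') ? LIBXML_DOTTED_VERSION : 'not libxml2';
printf("libxml2: %s, PHP: %s, failures: %d\n", $lib, PHP_VERSION, $failures);
exit($failures === 0 ? 0 : 1);
```

The script exits non-zero when any value comes back with an entity missing, so it can be run with the PHP CLI after a libxml2 or PHP upgrade. The syntax requires PHP 7.1 or later.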
Comment 14 valli 2009-01-14 11:31:47 UTC
Thanks for fixing this!
I tested on amd64 with some typo3 installations. No problems so far.
Comment 15 Christian Hoffmann (RETIRED) gentoo-dev 2009-01-19 15:02:43 UTC
Arches, please mark the versions of libxml and php as noted in comment 13 stable.

(Why have I waited for so long? Mainly for time reasons, but hanno also reported a regression because of another bugfix (Apache/mod_php)).
Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev 2009-01-19 15:32:01 UTC
Adding arches ;)
Comment 17 Jeroen Roovers (RETIRED) gentoo-dev 2009-01-20 17:17:58 UTC
Stable for HPPA.
Comment 18 Tobias Heinlein (RETIRED) gentoo-dev 2009-01-20 17:26:15 UTC
(In reply to comment #16)
> Adding arches ;)

You forgot alpha and amd64. Added.
Comment 19 Tobias Heinlein (RETIRED) gentoo-dev 2009-01-20 17:26:38 UTC
amd64 stable.

dev-libs/libxml2-2.7.2-r2: all tests passed.

TEST RESULT SUMMARY                                                  
Exts skipped    :   42                                               
Exts tested     :   37                                               

Number of tests : 6610              4884
Tests borked    :    1 (  0.0%) --------
Tests skipped   : 1725 ( 26.1%) --------
Tests warned    :    1 (  0.0%) (  0.0%)
Tests failed    :    4 (  0.1%) (  0.1%)
Expected fail   :    0 (  0.0%) (  0.0%)
Tests passed    : 4879 ( 73.8%) ( 99.9%)
Time taken      :  345 seconds                                       

BORKED TEST SUMMARY                                                  
duplicated INI section [/var/tmp/portage/dev-lang/php-5.2.8-r2/work/php-5.2.8/ext/json/tests/bug41567.phpt]                                                                                                     

FAILED TEST SUMMARY                                                  
Bug #41125 (PDO mysql + quote() + prepare() can result in seg fault) [ext/pdo_mysql/tests/bug41125.phpt]
Bug #44327 (PDORow::queryString property & numeric offsets / Crash) [ext/pdo_mysql/tests/bug44327.phpt] 
readline_callback_handler_install(): Basic test [ext/readline/tests/readline_callback_handler_install_001.phpt]                                                                                                 
readline_callback_handler_remove(): Basic test [ext/readline/tests/readline_callback_handler_remove_001.phpt]                                                                                                   
htmlentities() test 4 (setlocale / ja_JP.EUC-JP) [ext/standard/tests/strings/htmlentities04.phpt] (warn: possibly braindead libc)                                          
Comment 20 Brent Baude (RETIRED) gentoo-dev 2009-01-23 16:47:05 UTC
ppc64 done
Comment 21 Tobias Scherbaum (RETIRED) gentoo-dev 2009-01-24 18:34:57 UTC
ppc stable
Comment 22 Jim 2009-01-25 14:17:36 UTC

I have been trying to update php to a more recent version due to the GLSA 200811-05.  However, this dependency is masked in gentoo-hardened.  Are these fixes stable for i686 and gentoo-hardened profile yet?

$ emerge --ask --oneshot --verbose ">=dev-lang/php-5.2.6-r6"
Calculating dependencies /
!!! All ebuilds that could satisfy ">=dev-libs/libxml2-2.7.2-r2" have been masked.
!!! One of the following masked packages is required to complete your request:
- dev-libs/libxml2-2.7.2-r2 (masked by: ~x86 keyword)

For more information, see MASKED PACKAGES section in the emerge man page or
refer to the Gentoo Handbook.
(dependency required by "dev-lang/php-5.2.8-r2" [ebuild])
Comment 23 Markus Meier gentoo-dev 2009-01-25 15:20:11 UTC
x86 stable
Comment 24 Robert Buchholz (RETIRED) gentoo-dev 2009-01-28 14:10:45 UTC
Jim, please retry now after syncing.
Comment 25 Tobias Klausmann (RETIRED) gentoo-dev 2009-01-31 15:41:38 UTC
Stable on alpha.
Comment 26 Tiago Cunha (RETIRED) gentoo-dev 2009-02-01 00:06:14 UTC
IUSE.invalid                  3
   dev-lang/php/php-5.2.6-r7.ebuild: pic
   dev-lang/php/php-5.2.8-r1.ebuild: pic
   dev-lang/php/php-5.2.8-r2.ebuild: pic

sparc stable
Comment 27 Raúl Porcel (RETIRED) gentoo-dev 2009-02-02 19:32:41 UTC
arm/ia64 stable
Comment 28 Raúl Porcel (RETIRED) gentoo-dev 2009-03-18 10:40:26 UTC
m68k/s390/sh stable
Comment 29 Christian Hoffmann (RETIRED) gentoo-dev 2009-04-09 09:32:10 UTC
I wonder why this bug is still open, both php and libxml2 have been fixed and stable on all required arches... so, closing.
Thanks to all involved parties. :)