There's a major problem with libxml2-2.7.x and the PHP function xml_parse_into_struct: all entities are lost in the output.
This problem does not occur with libxml2-2.6.32.
Please mask >libxml2-2.7
The problem appears with all libxml2-2.7.x versions.
This is a major problem. If you use e.g. Typo3, all locallang.xml files with entities won't be displayed correctly.
Steps to Reproduce:
Run the following simple PHP script:
<?php
$simple = "<note>simple &amp; note</note>"; // the &amp; entity is what gets lost
$p = xml_parser_create();
xml_parse_into_struct($p, $simple, $vals, $index);
echo $vals[0]['value'], "\n";
Expected Results:
simple & note
dev-lang/php-5.2.6-r7 USE="apache2 bcmath berkdb bzip2 cli crypt ctype curl exif ftp gd-external gdbm gmp hash iconv imap json mysql mysqli ncurses nls pcntl pcre pdo posix readline reflection session sharedmem simplexml soap sockets spell spl ssl sysvipc tokenizer truetype unicode wddx xml xmlreader xmlrpc xmlwriter xsl zip zlib"
dev-libs/libxml2-2.7.2-r1 USE="python readline"
Portage 22.214.171.124 (default/linux/amd64/2008.0, gcc-4.1.2, glibc-2.6.1-r0, 126.96.36.199-web04-0.1 x86_64)
System uname: 188.8.131.52-web04-0.1 x86_64 Intel(R) Xeon(R) CPU E5310 @ 1.60GHz
Timestamp of tree: Wed, 03 Dec 2008 06:45:02 +0000
sys-devel/automake: 1.5, 1.9.6-r2, 1.10.1-r1
CFLAGS="-march=nocona -O2 -pipe"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=nocona -O2 -pipe"
FEATURES="distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
USE="amd64 apache2 berkdb bzip2 cracklib crypt fam fortran gdbm gpm iconv jpeg jpeg2k libwww mmx mudflap multilib mysql ncurses nls nptl nptlonly pam pcre perl php png python readline sse sse2 ssl ssse3 svg tcpd threads tiff truetype unicode xml xsl zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias asis auth_basic auth_digest authn_file authn_dbm authz_dbm authz_host authz_user autoindex cache cern_meta charset_lite dav dav_fs deflate dir disk_cache env expires ext_filter filter file_cache headers include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_connect proxy_ftp proxy_http rewrite setenvif speling status unique_id usertrack vhost_alias" APACHE2_MPMS="itk" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev glint i810 intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
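The following regression check is an added example, not the reporter's script and not a test from PHP or Gentoo. It pushes a constructed document containing predefined entities and numeric character references through both ext/xml interfaces (xml_parse_into_struct and SAX-style handlers) and exits non-zero if any entity text is missing, which is the kind of positive test report asked for later in this bug. It assumes only a CLI php with the xml extension loaded; the tag names, expected strings and helper function names are all its own.

```php
<?php
// Added regression check for PHP's expat-compatibility layer (ext/xml) on
// top of libxml2. Not the bug report's script or any project's own code.
// Constructed sample document: predefined entities and character references.
$doc = '<?xml version="1.0"?>'
     . '<note>'
     . '<a>simple &amp; note</a>'   // predefined entity from the bug report
     . '<b>a &lt; b &gt; c</b>'     // other predefined entities
     . '<c>char &#65;&#x42;</c>'    // decimal and hex character references
     . '</note>';

// Tag names are upper-cased because XML_OPTION_CASE_FOLDING is on by default.
$expected = array(
    'A' => 'simple & note',
    'B' => 'a < b > c',
    'C' => 'char AB',
);

// 1) xml_parse_into_struct(), the call the bug report is about.
function parse_into_struct_values($doc)
{
    $p = xml_parser_create();
    $ok = xml_parse_into_struct($p, $doc, $vals, $index);
    $err = $ok ? null : xml_error_string(xml_get_error_code($p));
    xml_parser_free($p);
    if (!$ok) {
        return array('error' => $err);
    }
    $out = array();
    foreach ($vals as $v) {
        if ($v['type'] == 'complete') {          // leaf elements carry the text
            $out[$v['tag']] = isset($v['value']) ? $v['value'] : '';
        }
    }
    return $out;
}

// 2) The same document through SAX-style handlers. Character data for one
//    element may arrive in several callbacks around an entity reference, so
//    chunks are concatenated per element before comparing.
//    Named functions with globals keep this runnable on php-5.2 (no closures).
$sax_values = array();
$sax_current = null;

function sax_start($parser, $name, $attrs)
{
    global $sax_values, $sax_current;
    $sax_current = $name;
    $sax_values[$name] = '';
}
function sax_end($parser, $name)
{
    global $sax_current;
    $sax_current = null;
}
function sax_cdata($parser, $data)
{
    global $sax_values, $sax_current;
    if ($sax_current !== null) {
        $sax_values[$sax_current] .= $data;
    }
}

function parse_sax_values($doc)
{
    global $sax_values;
    $sax_values = array();
    $p = xml_parser_create();
    xml_set_element_handler($p, 'sax_start', 'sax_end');
    xml_set_character_data_handler($p, 'sax_cdata');
    $ok = xml_parse($p, $doc, true);
    $err = $ok ? null : xml_error_string(xml_get_error_code($p));
    xml_parser_free($p);
    return $ok ? $sax_values : array('error' => $err);
}

$results = array(
    'xml_parse_into_struct' => parse_into_struct_values($doc),
    'SAX handlers'          => parse_sax_values($doc),
);

$failed = 0;
foreach ($results as $how => $got) {
    if (isset($got['error'])) {
        printf("FAIL %-22s parse error: %s\n", $how, $got['error']);
        $failed++;
        continue;
    }
    foreach ($expected as $tag => $want) {
        $have = isset($got[$tag]) ? $got[$tag] : '(missing)';
        if ($have !== $want) {
            printf("FAIL %-22s <%s>: expected %s, got %s\n",
                   $how, $tag, var_export($want, true), var_export($have, true));
            $failed++;
        }
    }
}
echo $failed ? "entities lost: $failed mismatch(es)\n" : "OK: all entities preserved\n";
exit($failed ? 1 : 0);
```

Run it as `php entity-check.php` against each libxml2/php combination under test; a clean run prints "OK: all entities preserved" and exits 0, while a build showing this bug reports which element lost its entity text and exits 1, so the script can sit in a pre-stabilization test loop.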
Is there an UPSTREAM bug report?
MT`AwAy reported this on #gentoo-php yesterday already and did some investigation (thanks!).
Here is the outcome:
PHP messes with libxml2-internal data structures, which changed in the new 2.7 version.
There are multiple ways to mitigate the problem:
a) Mask libxml2-2.7.x
b) Have PHP block >=libxml2-2.7
c) Patch libxml2 to revert these changes
d) Patch PHP to work with the changes
e) Have PHP link to expat explicitly, which disables the compat layer, which is the only part in PHP which exhibits this problem
a) and b) are not possible for security reasons and because the problem is limited to PHP and its great property of playing with non-API parts of a library (these statements are based on the findings by the mentioned user). c) is not a nice solution for similar reasons.
d) would be the best solution, but someone would have to fully research the issue first and prepare a patch... (might be impossible to do, after all, who knows).
e) would be the next solution, which I could think of; should not have any side effects, but it introduces a new dependency on expat...
Moving the bug to php team as this is more likely a problem in PHP than in libxml2, at least this is my current understanding.
This bug seems to be known already, see $URL. No really new information though...
During the latest libxml2 security bugs embargo lift date I asked upstream if they were releasing a new version for the security bug. The answer was basically to patch it, so that a 2.7.2 release can contain a fix or workaround for some then unspecified (to me) PHP expat problem. I assume there's a libxml2 upstream bug report too then.
gnome: I just backported the security fix (CVE-2008-4225, CVE-2008-4226) from bug #245960 to libxml2-2.6.32-r1, please stabilize 2.6.32-r1 ASAP, and package.mask 2.7.x.
security: you're going to need to update the GLSA because of the breakage that 2.7.x is causing.
severity raised to critical because it managed to temporarily break at least one infra box before I caught it and downgraded again.
Can't PHP stop using private struct members or what's the real issue here? They are talking about some mysterious patch I want to see, validate and include..
I can't see an ABI compatible fix for CVE-2008-3281 and a fix for CVE-2008-3529 in libxml2-2.6.32-r1. I believe one of them deals with entities and that security fix might break PHP...
This should be fixed in PHP rather than masking latest versions of libxml2.
With dev-libs/libxml2-2.6.32-r1 the bug doesn't occur.
Please stabilize it.
According to the latest posts from scottmac and rrichards in http://bugs.php.net/45996 the bug is in libxml2 (not in php).
Although I can find neither a libxml2 patch nor an entry in the libxml2 bug reporting tool.
(In reply to comment #8)
> With dev-libs/libxml2-2.6.32-r1 the bug doesn't occur.
> Please stabilize it.
2.6.32-r1 is dead and for good reason, it caused more breakage than expected and was punted as soon as 2.7 entered the tree to fix security issues. It means 2.6.32 and lower have security issues and there is no way we mask later releases. We will wait until the libxml patch is available to provide a fixed libxml in gentoo. In the meantime, workarounds have been described on the php bug already.
(In reply to comment #8)
> With dev-libs/libxml2-2.6.32-r1 the bug doesn't occur.
> Please stabilize it.
It has two known security bugs, not a responsible thing to do...
> According the latest posts from scottmac and rrichards in
> http://bugs.php.net/45996 the bug is in libxml2 (not in php).
No, it is not really a bug in libxml2 in its true sense. It is PHP using it in a way that was not officially supported by libxml2. SAX/expat like parsing or something like that? Anyway, yes, the solution can happen in libxml2 as a new public feature, and rrichards is working on that in cooperation with the libxml2 author.
> Although I can't find neither a libxml2 patch
> nor a entry in the libxml2 bug reporting tool.
Neither could I, but stuff is moving now between PHP and libxml2 respective authors/maintainers.
I will not OK a stabilization of 2.6.32-r1 when it has known security bugs.
Also, it shouldn't be called -r1, because -r1 was an old revision that broke ABI and was in ~arch for a day before p.masked and then removed, so it should be -r2, but it shouldn't be at all if there are the known security bugs there.
Fix for one of the security bugs to my knowledge was what made it incompatible with the way PHP was using it in the first place I think (but not sure).
gnome team, can you please provide a 2.7.x ebuild with this changeset applied?
According to Richard, there will be a new release of libxml2 with this change around 20th of January, but I think we could fix this earlier.
I'll provide a new revision of php to make the necessary changes there in a minute.
(In reply to comment #11)
> gnome team, can you please provide a 2.7.x ebuild with this changeset applied?
Included in dev-libs/libxml2-2.7.2-r2
So done from our side.
> According to Richard, there will be a new release of libxml2 with this change
> around 20th of January, but I think we could fix this earlier.
By latest 20th January, hopefully much earlier. But now we aren't in a rush anymore with that.
> I'll provide a new revision of php to make the necessary changes there in a
Go right ahead :)
I'm slacking, I know. :)
php-5.2.8-r2 is in the tree now, which has the fix, along with some others.
Arches, please make sure that no ext/xml/tests* fails, when testing this version.
To fix this bug, we need the following packages stable:
Target keywords: alpha amd64 arm hppa ia64 (m68k) ppc ppc64 s390 sh sparc x86
(Technically m68k is not needed, because php isn't keyworded for it, but I guess we want libxml2 KEYWORDS to be the same on all arches).
I will request stabilization in the next 1-2 days, leio already gave his OK for libxml2-2.7.2-r2. In the meantime, some positive (real world) test reports would be great. :)
Thanks for fixing this!
on amd64 with some typo3 installations. No problems so far.
Arches, please mark the versions of libxml and php as noted in comment 13 stable.
(Why have I waited for so long? Mainly for time reasons, but hanno also reported a regression because of another bugfix (Apache/mod_php)).
Adding arches ;)
Stable for HPPA.
(In reply to comment #16)
> Adding arches ;)
You forgot alpha and amd64. Added.
dev-libs/libxml2-2.7.2-r2: all tests passed.
TEST RESULT SUMMARY
Exts skipped    :   42
Exts tested     :   37
Number of tests : 6610              4884
Tests borked    :    1 (  0.0%) --------
Tests skipped   : 1725 ( 26.1%) --------
Tests warned    :    1 (  0.0%) (  0.0%)
Tests failed    :    4 (  0.1%) (  0.1%)
Expected fail   :    0 (  0.0%) (  0.0%)
Tests passed    : 4879 ( 73.8%) ( 99.9%)
Time taken      :  345 seconds
BORKED TEST SUMMARY
duplicated INI section [/var/tmp/portage/dev-lang/php-5.2.8-r2/work/php-5.2.8/ext/json/tests/bug41567.phpt]
FAILED TEST SUMMARY
Bug #41125 (PDO mysql + quote() + prepare() can result in seg fault) [ext/pdo_mysql/tests/bug41125.phpt]
Bug #44327 (PDORow::queryString property & numeric offsets / Crash) [ext/pdo_mysql/tests/bug44327.phpt]
readline_callback_handler_install(): Basic test [ext/readline/tests/readline_callback_handler_install_001.phpt]
readline_callback_handler_remove(): Basic test [ext/readline/tests/readline_callback_handler_remove_001.phpt]
htmlentities() test 4 (setlocale / ja_JP.EUC-JP) [ext/standard/tests/strings/htmlentities04.phpt] (warn: possibly braindead libc)
I have been trying to update php to a more recent version due to the GLSA 200811-05. However, this dependency is masked in gentoo-hardened. Are these fixes stable for i686 and gentoo-hardened profile yet?
$ emerge --ask --oneshot --verbose ">=dev-lang/php-5.2.6-r6"
Calculating dependencies /
!!! All ebuilds that could satisfy ">=dev-libs/libxml2-2.7.2-r2" have been masked.
!!! One of the following masked packages is required to complete your request:
- dev-libs/libxml2-2.7.2-r2 (masked by: ~x86 keyword)
For more information, see MASKED PACKAGES section in the emerge man page or
refer to the Gentoo Handbook.
(dependency required by "dev-lang/php-5.2.8-r2" [ebuild])
Jim, please retry now after syncing.
Stable on alpha.
I wonder why this bug is still open, both php and libxml2 have been fixed and stable on all required arches... so, closing.
Thanks to all involved parties. :)