Merge pull request #2457 from sparklemotion/flavorjones-libxml-2.9.13…

…-v1.13.x

upgrade to libxml 2.9.13 and libxslt 1.1.35 (branch v1.13.x)

.github/workflows/ci.yml

@@ -244,12 +244,11 @@ jobs:
       - uses: actions/checkout@v2
         with:
           submodules: true
-      - uses: MSP-Greg/setup-ruby-pkgs@win-ucrt-2
+      - uses: MSP-Greg/setup-ruby-pkgs@v1
         with:
           ruby-version: "${{matrix.ruby}}"
           mingw: "libxml2 libxslt"
           bundler-cache: true
-          setup-ruby-ref: MSP-Greg/ruby-setup-ruby/win-ucrt-1
       - uses: actions/cache@v2
         if: matrix.sys == 'disable'
         with:

.github/workflows/gem-install.yml

@@ -113,11 +113,10 @@ jobs:
       - uses: actions/checkout@v2
         with:
           submodules: true
-      - uses: MSP-Greg/setup-ruby-pkgs@win-ucrt-2
+      - uses: MSP-Greg/setup-ruby-pkgs@v1
         with:
           ruby-version: "3.1"
           mingw: "libxml2 libxslt"
-          setup-ruby-ref: MSP-Greg/ruby-setup-ruby/win-ucrt-1
       - uses: actions/download-artifact@v2
         with:
           name: cruby-gem
@@ -289,10 +288,9 @@ jobs:
         ruby: ["3.1"]
     runs-on: windows-2022
     steps:
-      - uses: MSP-Greg/setup-ruby-pkgs@win-ucrt-2
+      - uses: MSP-Greg/setup-ruby-pkgs@v1
         with:
           ruby-version: "${{matrix.ruby}}"
-          setup-ruby-ref: MSP-Greg/ruby-setup-ruby/win-ucrt-1
       - uses: actions/download-artifact@v2
         with:
           name: cruby-x64-mingw-ucrt-gem

.github/workflows/upstream.yml

@@ -83,13 +83,12 @@ jobs:
       - uses: actions/checkout@v2
         with:
           submodules: true
-      - uses: MSP-Greg/setup-ruby-pkgs@ucrt
+      - uses: MSP-Greg/setup-ruby-pkgs@v1
         with:
           ruby-version: "head"
           apt-get: "libxml2-dev libxslt1-dev pkg-config"
           mingw: "_upgrade_ libxml2 libxslt pkgconf"
           bundler-cache: true
-          setup-ruby-ref: MSP-Greg/ruby-setup-ruby/00-win-ucrt
       - uses: actions/cache@v2
         if: matrix.sys == 'disable'
         with:
@@ -135,24 +134,24 @@ jobs:
       - run: bundle exec rake compile
       - run: bundle exec rake test
 
-  html5lib-tests:
-    runs-on: ubuntu-latest
-    container:
-      image: ghcr.io/sparklemotion/nokogiri-test:mri-3.1
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          submodules: true
-      - uses: actions/cache@v2
-        with:
-          path: ports
-          key: ports-ubuntu-${{hashFiles('dependencies.yml', 'patches/**/*.patch')}}
-      - name: Update html5lib-tests
-        run: |
-          cd test/html5lib-tests
-          git remote update origin
-          git checkout origin/master
-          git log --pretty=oneline -n1
-      - run: bundle install --local || bundle install
-      - run: bundle exec rake compile -- --disable-system-libraries
-      - run: bundle exec rake test
+  # html5lib-tests:
+  #   runs-on: ubuntu-latest
+  #   container:
+  #     image: ghcr.io/sparklemotion/nokogiri-test:mri-3.1
+  #   steps:
+  #     - uses: actions/checkout@v2
+  #       with:
+  #         submodules: true
+  #     - uses: actions/cache@v2
+  #       with:
+  #         path: ports
+  #         key: ports-ubuntu-${{hashFiles('dependencies.yml', 'patches/**/*.patch')}}
+  #     - name: Update html5lib-tests
+  #       run: |
+  #         cd test/html5lib-tests
+  #         git remote update origin
+  #         git checkout origin/master
+  #         git log --pretty=oneline -n1
+  #     - run: bundle install --local || bundle install
+  #     - run: bundle exec rake compile -- --disable-system-libraries
+  #     - run: bundle exec rake test

CHANGELOG.md

@@ -4,6 +4,14 @@ Nokogiri follows [Semantic Versioning](https://semver.org/), please see the [REA
 
 ---
 
+## 1.13.2 / unreleased
+
+### Dependencies
+
+* [CRuby] Vendored libxml2 is updated from 2.9.12 to 2.9.13. This update addresses [CVE-2022-23308](https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12). Full changelog is available at https://download.gnome.org/sources/libxml2/2.9/libxml2-2.9.13.news
+* [CRuby] Vendored libxslt is updated from 1.1.34 to 1.1.35. This update addresses [CVE-2021-30560](https://nvd.nist.gov/vuln/detail/CVE-2021-30560). Full changelog is available at https://download.gnome.org/sources/libxslt/1.1/libxslt-1.1.35.news
+
+
 ## 1.13.1 / 2022-01-13
 
 ### Fixed

dependencies.yml

@@ -1,62 +1,12 @@
 libxml2:
-  version: "2.9.12"
-  sha256: "c8d6681e38c56f172892c85ddc0852e1fd4b53b4209e7f4ebf17f7e2eae71d92"
-  #  manually verified checksum:
-  #
-  #    $ gpg --verify libxml2-2.9.12.tar.gz.asc ports/archives/libxml2-2.9.12.tar.gz
-  #    gpg: Signature made Thu 13 May 2021 02:59:16 PM EDT
-  #    gpg:                using RSA key DB46681BB91ADCEA170FA2D415588B26596BEA5D
-  #    gpg: Good signature from "Daniel Veillard (Red Hat work email) <veillard@redhat.com>" [unknown]
-  #    gpg:                 aka "Daniel Veillard <Daniel.Veillard@w3.org>" [unknown]
-  #    gpg: WARNING: This key is not certified with a trusted signature!
-  #    gpg:          There is no indication that the signature belongs to the owner.
-  #    Primary key fingerprint: C744 15BA 7C9C 7F78 F02E  1DC3 4606 B8A5 DE95 BC1F
-  #         Subkey fingerprint: DB46 681B B91A DCEA 170F  A2D4 1558 8B26 596B EA5D
-  #
-  #  using this pgp signature:
-  #
-  #    -----BEGIN PGP SIGNATURE-----
-  #    
-  #    iQEzBAABCAAdFiEE20ZoG7ka3OoXD6LUFViLJllr6l0FAmCddwQACgkQFViLJllr
-  #    6l11LQgAioRTdfmcC+uK/7+6HPtF/3c5zkX6j8VGYuvFBwZ0jayqMRBAl++fcpjE
-  #    JUU/JKebSZ/KCYjzyeOWK/i3Gq77iqm3UbZFB85rqu4a5P3gmj/4STWVyAx0KU3z
-  #    G3jKqDhJOt7c0acXb5lh2DngfDa1dn/VGcQcIXsqplNxNr4ET7MnSJjZ3nlxYfW2
-  #    E5vWBdPCMUeXDBl6MjYvw9XnGGBLUAaEJWoFToG6jKmVf4GAd9nza20jj5dtbcJq
-  #    QEOaSDKDr+f9h2NS8haOhJ9vOpy52PdeGzaFlbRkXarGXuAr8kITgATVs8FAqcgv
-  #    MoVhmrO5r2hJf0dCM9fZoYqzpMfmNA==
-  #    =KfJ9
-  #    -----END PGP SIGNATURE-----
-  #
+  version: "2.9.13"
+  sha256: "276130602d12fe484ecc03447ee5e759d0465558fbc9d6bd144e3745306ebf0e"
+  # sha-256 hash provided in https://download.gnome.org/sources/libxml2/2.9/libxml2-2.9.13.sha256sum
 
 libxslt:
-  version: "1.1.34"
-  sha256: "98b1bd46d6792925ad2dfe9a87452ea2adebf69dcb9919ffd55bf926a7f93f7f"
-  #  manually verified checksum:
-  #
-  #    $ gpg --verify ~/Downloads/libxslt-1.1.34.tar.gz.asc ports/archives/libxslt-1.1.34.tar.gz
-  #    gpg: Signature made Wed 30 Oct 2019 04:02:48 PM EDT
-  #    gpg:                using RSA key DB46681BB91ADCEA170FA2D415588B26596BEA5D
-  #    gpg: Good signature from "Daniel Veillard (Red Hat work email) <veillard@redhat.com>" [unknown]
-  #    gpg:                 aka "Daniel Veillard <Daniel.Veillard@w3.org>" [unknown]
-  #    gpg: WARNING: This key is not certified with a trusted signature!
-  #    gpg:          There is no indication that the signature belongs to the owner.
-  #    Primary key fingerprint: C744 15BA 7C9C 7F78 F02E  1DC3 4606 B8A5 DE95 BC1F
-  #         Subkey fingerprint: DB46 681B B91A DCEA 170F  A2D4 1558 8B26 596B EA5D
-  #
-  #  using this pgp signature:
-  #
-  #    -----BEGIN PGP SIGNATURE-----
-  #    
-  #    iQEzBAABCAAdFiEE20ZoG7ka3OoXD6LUFViLJllr6l0FAl257GgACgkQFViLJllr
-  #    6l2vVggAjJEHmASiS56SxhPOsGqbfBihM66gQFoIymQfMu2430N1GSTkLsfbkJO8
-  #    8yBX11NjzK/m9uxwshMW3rVCU7EpL3PUimN3reXdPiQj9hAOAWF1V3BZNevbQC2E
-  #    FCIraioukaidf8sjUG4/sGpK/gOcP/3hYoN0HUoBigCNJjDqhijxM3M3GJJtCASp
-  #    jL4CQbs2OmxW8ixOZbuWEESvFFHUgYRsdZjRVN+GRfSOvJjxypurmYwQ3RjO7JxL
-  #    2FY8qKQ+xpeID8NV8F5OUEvWBjk1QS133VTqBZNlONdnEtV/og6jNu5k0O/Kvhup
-  #    caR+8TMErOcLr9OgDklO6DoYyAsf9Q==
-  #    =g4i4
-  #    -----END PGP SIGNATURE-----
-  #
+  version: "1.1.35"
+  sha256: "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79"
+  # sha-256 hash provided in https://download.gnome.org/sources/libxslt/1.1/libxslt-1.1.35.sha256sum
 
 zlib:
   version: "1.2.11"

ext/nokogiri/extconf.rb

@@ -15,7 +15,7 @@
 REQUIRED_LIBXML_VERSION = "2.6.21"
 RECOMMENDED_LIBXML_VERSION = "2.9.3"
 
-REQUIRED_MINI_PORTILE_VERSION = "~> 2.7.0" # keep this version in sync with the one in the gemspec
+REQUIRED_MINI_PORTILE_VERSION = "~> 2.8.0" # keep this version in sync with the one in the gemspec
 REQUIRED_PKG_CONFIG_VERSION = "~> 1.1"
 
 # Keep track of what versions of what libraries we build against
@@ -211,6 +211,18 @@ def local_have_library(lib, func = nil, headers = nil)
   have_library(lib, func, headers) || have_library("lib#{lib}", func, headers)
 end
 
+def gnome_source
+  # As of 2022-02-20, some mirrors have expired SSL certificates. I'm able to retrieve from my home,
+  # but whatever host is resolved on the github actions workers see an expired cert.
+  #
+  # See https://github.com/sparklemotion/nokogiri/runs/5266206403?check_suite_focus=true
+  if ENV["NOKOGIRI_USE_CANONICAL_GNOME_SOURCE"]
+    "https://download.gnome.org"
+  else
+    "https://mirror.csclub.uwaterloo.ca/gnome" # old reliable
+  end
+end
+
 LOCAL_PACKAGE_RESPONSE = Object.new
 def LOCAL_PACKAGE_RESPONSE.%(package)
   package ? "yes: #{package}" : "no"
@@ -512,6 +524,7 @@ def recipe.port_path
 
       EOM
 
+      pp(recipe.files)
       chdir_for_build { recipe.cook }
       FileUtils.touch(checkpoint)
     end
@@ -770,8 +783,9 @@ def compile
     if source_dir
       recipe.source_directory = source_dir
     else
+      minor_version = Gem::Version.new(recipe.version).segments.take(2).join(".")
       recipe.files = [{
-        url: "http://xmlsoft.org/sources/#{recipe.name}-#{recipe.version}.tar.gz",
+        url: "#{gnome_source}/sources/libxml2/#{minor_version}/#{recipe.name}-#{recipe.version}.tar.xz",
         sha256: dependencies["libxml2"]["sha256"],
       }]
       recipe.patch_files = Dir[File.join(PACKAGE_ROOT_DIR, "patches", "libxml2", "*.patch")].sort
@@ -818,8 +832,9 @@ def compile
     if source_dir
       recipe.source_directory = source_dir
     else
+      minor_version = Gem::Version.new(recipe.version).segments.take(2).join(".")
       recipe.files = [{
-        url: "http://xmlsoft.org/sources/#{recipe.name}-#{recipe.version}.tar.gz",
+        url: "#{gnome_source}/sources/libxslt/#{minor_version}/#{recipe.name}-#{recipe.version}.tar.xz",
         sha256: dependencies["libxslt"]["sha256"],
       }]
       recipe.patch_files = Dir[File.join(PACKAGE_ROOT_DIR, "patches", "libxslt", "*.patch")].sort

nokogiri.gemspec

@@ -318,7 +318,7 @@ Gem::Specification.new do |spec|
   spec.extra_rdoc_files += Dir.glob("README.md")
   spec.rdoc_options = ["--main", "README.md"]
 
-  spec.add_runtime_dependency("mini_portile2", "~> 2.7.0") unless java_p # keep version in sync with extconf.rb
+  spec.add_runtime_dependency("mini_portile2", "~> 2.8.0") unless java_p # keep version in sync with extconf.rb
   spec.add_runtime_dependency("racc", "~> 1.4")
 
   spec.add_development_dependency("bundler", "~> 2.2")

patches/libxml2/0004-use-glibc-strlen.patch

@@ -31,18 +31,18 @@ diff --git a/xmlstring.c b/xmlstring.c
 index e8a1e45d..df247dff 100644
 --- a/xmlstring.c
 +++ b/xmlstring.c
-@@ -423,14 +423,9 @@ xmlStrsub(const xmlChar *str, int start, int len) {
+@@ -423,12 +423,7 @@ xmlStrsub(const xmlChar *str, int start, int len) {
 
  int
  xmlStrlen(const xmlChar *str) {
--    int len = 0;
+-    size_t len = 0;
 -
      if (str == NULL) return(0);
 -    while (*str != 0) { /* non input consuming */
 -        str++;
 -        len++;
 -    }
--    return(len);
+-    return(len > INT_MAX ? 0 : len);
 +
 +    return strlen((const char*)str);
  }