libxml2: 2.9.9 -> 2.9.10, libxslt: 1.1.33 -> 1.1.34, addressing CVE-2019-18197 #73178
Conversation
| # disable test that's problematic with newer pythons: see | ||
| # https://mail.gnome.org/archives/xml/2017-August/msg00014.html | ||
| preCheck = if pythonSupport && !(python?pythonOlder && python.pythonOlder "3.5") then '' | ||
| echo "" > python/tests/tstLastError.py |
There was a problem hiding this comment.
can't we just
| echo "" > python/tests/tstLastError.py | |
| rm python/tests/tstLastError.py |
There was a problem hiding this comment.
The makefile isn't clever enough to cope with a missing file and still tries to call it in this case.
There was a problem hiding this comment.
Why would this failure suddenly occur for older Python versions while it did not in our case before?
There was a problem hiding this comment.
Because, as I said, the failure did indeed happen (look at hydra's logs), the makefile just never paid attention to its exit code. This changed in GNOME/libxml2@d188eb9 so it suddenly became a problem for us. I did look into it for a while, but to no avail - looks like it's deep in c module code.
disable python test which was previously failing anyway, but in previous versions it was being ignored
risicle
force-pushed
the
ris-libxml2-2.9.10
branch
from
e4f85e5
to
4fec9d5
Compare
| @@ -53,6 +53,12 @@ stdenv.mkDerivation rec { | |||
|
|
|||
| enableParallelBuilding = true; | |||
|
|
|||
| # disable test that's problematic with newer pythons: see | |||
| # https://mail.gnome.org/archives/xml/2017-August/msg00014.html | |||
| preCheck = lib.optionalString (pythonSupport && !(python?pythonOlder && python.pythonOlder "3.5")) '' | |||
There was a problem hiding this comment.
python?pythonOlder did you notice an interpreter that did not have this? A common passthru is used for all Python interpreters.
There was a problem hiding this comment.
Meh I was just fitting in with lower down where python?isPy3 is used.
|
@GrahamcOfBorg build libxml2 libxslt xmlstarlet python37Packages.lxml |
Motivation for this change
https://nvd.nist.gov/vuln/detail/CVE-2019-18197
libxslt1.1.34 requireslibxml22.9.10. To getlibxml22.9.10 building successfully I had to disable a couple of the python tests. These tests had actually always been failing on previous versions with python >= 3.5 - the results had just been previously ignored by the makefiles. We're also not the only ones to have had this problem: https://mail.gnome.org/archives/xml/2017-August/msg00014.htmlI also checked the new
libxsltdoes indeed include the fixes for the patches I removed in the bump.Anyway, I clearly have not done a full rebuild - I OOM'd my laptop just trying to compute the rebuilds.
Supersedes #72549
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nix-review --run "nix-review wip"./result/bin/)nix path-info -Sbefore and after)Notify maintainers
cc @