diff -Nru ruby-nokogiri-1.10.7+dfsg1/CHANGELOG.md ruby-nokogiri-1.10.9+dfsg/CHANGELOG.md --- ruby-nokogiri-1.10.7+dfsg1/CHANGELOG.md 2019-12-04 14:06:07.000000000 +0000 +++ ruby-nokogiri-1.10.9+dfsg/CHANGELOG.md 2020-03-01 18:37:44.000000000 +0000 @@ -1,5 +1,20 @@ # Nokogiri Changelog +## 1.10.9 / 2020-03-01 + +### Fixed + +* [MRI] Raise an exception when Nokogiri detects a specific libxml2 edge case involving blank Schema nodes wrapped by Ruby objects that would cause a segfault. Currently no fix is available upstream, so we're preventing a dangerous operation and informing users to code around it if possible. [[#1985](https://github.com/sparklemotion/nokogiri/issues/1985), [#2001](https://github.com/sparklemotion/nokogiri/issues/2001)] +* [JRuby] Change `NodeSet#to_a` to return a RubyArray instead of Object, for compilation under JRuby 9.2.9 and later. [[#1968](https://github.com/sparklemotion/nokogiri/issues/1968), [#1969](https://github.com/sparklemotion/nokogiri/issues/1969)] (Thanks, [@headius](https://github.com/headius)!) + + +## 1.10.8 / 2020-02-10 + +### Security + +[MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in [#1992](https://github.com/sparklemotion/nokogiri/issues/1992). Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml. + + ## 1.10.7 / 2019-12-03 ### Bug @@ -23,6 +38,7 @@ * CVE-2019-13117 * CVE-2019-13118 * CVE-2019-18197 +* CVE-2019-19956 More details are available at #1943. diff -Nru ruby-nokogiri-1.10.7+dfsg1/debian/changelog ruby-nokogiri-1.10.9+dfsg/debian/changelog --- ruby-nokogiri-1.10.7+dfsg1/debian/changelog 2020-02-26 17:10:59.000000000 +0000 +++ ruby-nokogiri-1.10.9+dfsg/debian/changelog 2020-03-28 06:23:38.000000000 +0000 
@@ -1,12 +1,10 @@ -ruby-nokogiri (1.10.7+dfsg1-2build1) focal; urgency=medium +ruby-nokogiri (1.10.9+dfsg-1) unstable; urgency=medium - [ Rafael David Tinoco ] - * Sponsoring ruby2.7 transitions + * Change repacksuffix to just +dfsg (it was +dfsg1) + * New upstream version 1.10.9+dfsg + * Update gemspec file to match new version - [ Lucas Kanashiro ] - * No-change rebuild for ruby2.7 - - -- Rafael David Tinoco Wed, 26 Feb 2020 17:10:59 +0000 + -- Pirate Praveen Sat, 28 Mar 2020 11:53:38 +0530 ruby-nokogiri (1.10.7+dfsg1-2) unstable; urgency=medium diff -Nru ruby-nokogiri-1.10.7+dfsg1/debian/gemspec ruby-nokogiri-1.10.9+dfsg/debian/gemspec --- ruby-nokogiri-1.10.7+dfsg1/debian/gemspec 2020-02-06 12:53:54.000000000 +0000 +++ ruby-nokogiri-1.10.9+dfsg/debian/gemspec 2020-03-28 06:23:38.000000000 +0000 
@@ -1,65 +1,49 @@ # -*- encoding: utf-8 -*- -# stub: nokogiri 1.10.7 ruby lib +# stub: nokogiri 1.10.9 ruby lib # stub: ext/nokogiri/extconf.rb Gem::Specification.new do |s| s.name = "nokogiri".freeze - s.version = "1.10.7" + s.version = "1.10.9" s.required_rubygems_version = Gem::Requirement.new(">= 0".freeze) if s.respond_to? :required_rubygems_version= s.metadata = { "bug_tracker_uri" => "https://github.com/sparklemotion/nokogiri/issues", "changelog_uri" => "https://nokogiri.org/CHANGELOG.html", "documentation_uri" => "https://nokogiri.org/rdoc/index.html", "homepage_uri" => "https://nokogiri.org", "source_code_uri" => "https://github.com/sparklemotion/nokogiri" } if s.respond_to? :metadata= s.require_paths = ["lib".freeze] s.authors = ["Aaron Patterson".freeze, "Mike Dalessio".freeze, "Yoko Harada".freeze, "Tim Elliott".freeze, "Akinori MUSHA".freeze, "John Shahid".freeze, "Lars Kanis".freeze] - s.date = "2019-12-04" + s.date = "2020-03-01" s.description = "Nokogiri (\u92F8) is an HTML, XML, SAX, and Reader parser. 
Among\nNokogiri's many features is the ability to search documents via XPath\nor CSS3 selectors.".freeze s.email = ["aaronp@rubyforge.org".freeze, "mike.dalessio@gmail.com".freeze, "yokolet@gmail.com".freeze, "tle@holymonkey.com".freeze, "knu@idaemons.org".freeze, "jvshahid@gmail.com".freeze, "lars@greiz-reinsdorf.de".freeze] s.executables = ["nokogiri".freeze] s.extensions = ["ext/nokogiri/extconf.rb".freeze] s.extra_rdoc_files = ["LICENSE-DEPENDENCIES.md".freeze, "LICENSE.md".freeze, "README.md".freeze, "ext/nokogiri/html_document.c".freeze, "ext/nokogiri/html_element_description.c".freeze, "ext/nokogiri/html_entity_lookup.c".freeze, "ext/nokogiri/html_sax_parser_context.c".freeze, "ext/nokogiri/html_sax_push_parser.c".freeze, "ext/nokogiri/nokogiri.c".freeze, "ext/nokogiri/xml_attr.c".freeze, "ext/nokogiri/xml_attribute_decl.c".freeze, "ext/nokogiri/xml_cdata.c".freeze, "ext/nokogiri/xml_comment.c".freeze, "ext/nokogiri/xml_document.c".freeze, "ext/nokogiri/xml_document_fragment.c".freeze, "ext/nokogiri/xml_dtd.c".freeze, "ext/nokogiri/xml_element_content.c".freeze, "ext/nokogiri/xml_element_decl.c".freeze, "ext/nokogiri/xml_encoding_handler.c".freeze, "ext/nokogiri/xml_entity_decl.c".freeze, "ext/nokogiri/xml_entity_reference.c".freeze, "ext/nokogiri/xml_io.c".freeze, "ext/nokogiri/xml_libxml2_hacks.c".freeze, "ext/nokogiri/xml_namespace.c".freeze, "ext/nokogiri/xml_node.c".freeze, "ext/nokogiri/xml_node_set.c".freeze, "ext/nokogiri/xml_processing_instruction.c".freeze, "ext/nokogiri/xml_reader.c".freeze, "ext/nokogiri/xml_relax_ng.c".freeze, "ext/nokogiri/xml_sax_parser.c".freeze, "ext/nokogiri/xml_sax_parser_context.c".freeze, "ext/nokogiri/xml_sax_push_parser.c".freeze, "ext/nokogiri/xml_schema.c".freeze, "ext/nokogiri/xml_syntax_error.c".freeze, "ext/nokogiri/xml_text.c".freeze, "ext/nokogiri/xml_xpath_context.c".freeze, "ext/nokogiri/xslt_stylesheet.c".freeze] - s.files = ["LICENSE-DEPENDENCIES.md".freeze, "LICENSE.md".freeze, "README.md".freeze, 
"bin/nokogiri".freeze, "dependencies.yml".freeze, "ext/nokogiri/depend".freeze, "ext/nokogiri/extconf.rb".freeze, "ext/nokogiri/html_document.c".freeze, "ext/nokogiri/html_document.h".freeze, "ext/nokogiri/html_element_description.c".freeze, "ext/nokogiri/html_element_description.h".freeze, "ext/nokogiri/html_entity_lookup.c".freeze, "ext/nokogiri/html_entity_lookup.h".freeze, "ext/nokogiri/html_sax_parser_context.c".freeze, "ext/nokogiri/html_sax_parser_context.h".freeze, "ext/nokogiri/html_sax_push_parser.c".freeze, "ext/nokogiri/html_sax_push_parser.h".freeze, "ext/nokogiri/nokogiri.c".freeze, "ext/nokogiri/nokogiri.h".freeze, "ext/nokogiri/xml_attr.c".freeze, "ext/nokogiri/xml_attr.h".freeze, "ext/nokogiri/xml_attribute_decl.c".freeze, "ext/nokogiri/xml_attribute_decl.h".freeze, "ext/nokogiri/xml_cdata.c".freeze, "ext/nokogiri/xml_cdata.h".freeze, "ext/nokogiri/xml_comment.c".freeze, "ext/nokogiri/xml_comment.h".freeze, "ext/nokogiri/xml_document.c".freeze, "ext/nokogiri/xml_document.h".freeze, "ext/nokogiri/xml_document_fragment.c".freeze, "ext/nokogiri/xml_document_fragment.h".freeze, "ext/nokogiri/xml_dtd.c".freeze, "ext/nokogiri/xml_dtd.h".freeze, "ext/nokogiri/xml_element_content.c".freeze, "ext/nokogiri/xml_element_content.h".freeze, "ext/nokogiri/xml_element_decl.c".freeze, "ext/nokogiri/xml_element_decl.h".freeze, "ext/nokogiri/xml_encoding_handler.c".freeze, "ext/nokogiri/xml_encoding_handler.h".freeze, "ext/nokogiri/xml_entity_decl.c".freeze, "ext/nokogiri/xml_entity_decl.h".freeze, "ext/nokogiri/xml_entity_reference.c".freeze, "ext/nokogiri/xml_entity_reference.h".freeze, "ext/nokogiri/xml_io.c".freeze, "ext/nokogiri/xml_io.h".freeze, "ext/nokogiri/xml_libxml2_hacks.c".freeze, "ext/nokogiri/xml_libxml2_hacks.h".freeze, "ext/nokogiri/xml_namespace.c".freeze, "ext/nokogiri/xml_namespace.h".freeze, "ext/nokogiri/xml_node.c".freeze, "ext/nokogiri/xml_node.h".freeze, "ext/nokogiri/xml_node_set.c".freeze, "ext/nokogiri/xml_node_set.h".freeze, 
"ext/nokogiri/xml_processing_instruction.c".freeze, "ext/nokogiri/xml_processing_instruction.h".freeze, "ext/nokogiri/xml_reader.c".freeze, "ext/nokogiri/xml_reader.h".freeze, "ext/nokogiri/xml_relax_ng.c".freeze, "ext/nokogiri/xml_relax_ng.h".freeze, "ext/nokogiri/xml_sax_parser.c".freeze, "ext/nokogiri/xml_sax_parser.h".freeze, "ext/nokogiri/xml_sax_parser_context.c".freeze, "ext/nokogiri/xml_sax_parser_context.h".freeze, "ext/nokogiri/xml_sax_push_parser.c".freeze, "ext/nokogiri/xml_sax_push_parser.h".freeze, "ext/nokogiri/xml_schema.c".freeze, "ext/nokogiri/xml_schema.h".freeze, "ext/nokogiri/xml_syntax_error.c".freeze, "ext/nokogiri/xml_syntax_error.h".freeze, "ext/nokogiri/xml_text.c".freeze, "ext/nokogiri/xml_text.h".freeze, "ext/nokogiri/xml_xpath_context.c".freeze, "ext/nokogiri/xml_xpath_context.h".freeze, "ext/nokogiri/xslt_stylesheet.c".freeze, "ext/nokogiri/xslt_stylesheet.h".freeze, "lib/nokogiri.rb".freeze, "lib/nokogiri/css.rb".freeze, "lib/nokogiri/css/node.rb".freeze, "lib/nokogiri/css/parser.rb".freeze, "lib/nokogiri/css/parser.y".freeze, "lib/nokogiri/css/parser_extras.rb".freeze, "lib/nokogiri/css/syntax_error.rb".freeze, "lib/nokogiri/css/tokenizer.rb".freeze, "lib/nokogiri/css/tokenizer.rex".freeze, "lib/nokogiri/css/xpath_visitor.rb".freeze, "lib/nokogiri/decorators/slop.rb".freeze, "lib/nokogiri/html.rb".freeze, "lib/nokogiri/html/builder.rb".freeze, "lib/nokogiri/html/document.rb".freeze, "lib/nokogiri/html/document_fragment.rb".freeze, "lib/nokogiri/html/element_description.rb".freeze, "lib/nokogiri/html/element_description_defaults.rb".freeze, "lib/nokogiri/html/entity_lookup.rb".freeze, "lib/nokogiri/html/sax/parser.rb".freeze, "lib/nokogiri/html/sax/parser_context.rb".freeze, "lib/nokogiri/html/sax/push_parser.rb".freeze, "lib/nokogiri/syntax_error.rb".freeze, "lib/nokogiri/version.rb".freeze, "lib/nokogiri/xml.rb".freeze, "lib/nokogiri/xml/attr.rb".freeze, "lib/nokogiri/xml/attribute_decl.rb".freeze, 
"lib/nokogiri/xml/builder.rb".freeze, "lib/nokogiri/xml/cdata.rb".freeze, "lib/nokogiri/xml/character_data.rb".freeze, "lib/nokogiri/xml/document.rb".freeze, "lib/nokogiri/xml/document_fragment.rb".freeze, "lib/nokogiri/xml/dtd.rb".freeze, "lib/nokogiri/xml/element_content.rb".freeze, "lib/nokogiri/xml/element_decl.rb".freeze, "lib/nokogiri/xml/entity_decl.rb".freeze, "lib/nokogiri/xml/entity_reference.rb".freeze, "lib/nokogiri/xml/namespace.rb".freeze, "lib/nokogiri/xml/node.rb".freeze, "lib/nokogiri/xml/node/save_options.rb".freeze, "lib/nokogiri/xml/node_set.rb".freeze, "lib/nokogiri/xml/notation.rb".freeze, "lib/nokogiri/xml/parse_options.rb".freeze, "lib/nokogiri/xml/pp.rb".freeze, "lib/nokogiri/xml/pp/character_data.rb".freeze, "lib/nokogiri/xml/pp/node.rb".freeze, "lib/nokogiri/xml/processing_instruction.rb".freeze, "lib/nokogiri/xml/reader.rb".freeze, "lib/nokogiri/xml/relax_ng.rb".freeze, "lib/nokogiri/xml/sax.rb".freeze, "lib/nokogiri/xml/sax/document.rb".freeze, "lib/nokogiri/xml/sax/parser.rb".freeze, "lib/nokogiri/xml/sax/parser_context.rb".freeze, "lib/nokogiri/xml/sax/push_parser.rb".freeze, "lib/nokogiri/xml/schema.rb".freeze, "lib/nokogiri/xml/searchable.rb".freeze, "lib/nokogiri/xml/syntax_error.rb".freeze, "lib/nokogiri/xml/text.rb".freeze, "lib/nokogiri/xml/xpath.rb".freeze, "lib/nokogiri/xml/xpath/syntax_error.rb".freeze, "lib/nokogiri/xml/xpath_context.rb".freeze, "lib/nokogiri/xslt.rb".freeze, "lib/nokogiri/xslt/stylesheet.rb".freeze, "lib/xsd/xmlparser/nokogiri.rb".freeze, "patches/libxml2/0001-Revert-Do-not-URI-escape-in-server-side-includes.patch".freeze, "patches/libxml2/0002-Remove-script-macro-support.patch".freeze, "patches/libxml2/0003-Update-entities-to-remove-handling-of-ssi.patch".freeze, "patches/libxml2/0004-libxml2.la-is-in-top_builddir.patch".freeze, "ports/archives/libxml2-2.9.10.tar.gz".freeze, "ports/archives/libxslt-1.1.34.tar.gz".freeze] + s.files = ["LICENSE-DEPENDENCIES.md".freeze, "LICENSE.md".freeze, 
"README.md".freeze, "bin/nokogiri".freeze, "dependencies.yml".freeze, "ext/nokogiri/depend".freeze, "ext/nokogiri/extconf.rb".freeze, "ext/nokogiri/html_document.c".freeze, "ext/nokogiri/html_document.h".freeze, "ext/nokogiri/html_element_description.c".freeze, "ext/nokogiri/html_element_description.h".freeze, "ext/nokogiri/html_entity_lookup.c".freeze, "ext/nokogiri/html_entity_lookup.h".freeze, "ext/nokogiri/html_sax_parser_context.c".freeze, "ext/nokogiri/html_sax_parser_context.h".freeze, "ext/nokogiri/html_sax_push_parser.c".freeze, "ext/nokogiri/html_sax_push_parser.h".freeze, "ext/nokogiri/nokogiri.c".freeze, "ext/nokogiri/nokogiri.h".freeze, "ext/nokogiri/xml_attr.c".freeze, "ext/nokogiri/xml_attr.h".freeze, "ext/nokogiri/xml_attribute_decl.c".freeze, "ext/nokogiri/xml_attribute_decl.h".freeze, "ext/nokogiri/xml_cdata.c".freeze, "ext/nokogiri/xml_cdata.h".freeze, "ext/nokogiri/xml_comment.c".freeze, "ext/nokogiri/xml_comment.h".freeze, "ext/nokogiri/xml_document.c".freeze, "ext/nokogiri/xml_document.h".freeze, "ext/nokogiri/xml_document_fragment.c".freeze, "ext/nokogiri/xml_document_fragment.h".freeze, "ext/nokogiri/xml_dtd.c".freeze, "ext/nokogiri/xml_dtd.h".freeze, "ext/nokogiri/xml_element_content.c".freeze, "ext/nokogiri/xml_element_content.h".freeze, "ext/nokogiri/xml_element_decl.c".freeze, "ext/nokogiri/xml_element_decl.h".freeze, "ext/nokogiri/xml_encoding_handler.c".freeze, "ext/nokogiri/xml_encoding_handler.h".freeze, "ext/nokogiri/xml_entity_decl.c".freeze, "ext/nokogiri/xml_entity_decl.h".freeze, "ext/nokogiri/xml_entity_reference.c".freeze, "ext/nokogiri/xml_entity_reference.h".freeze, "ext/nokogiri/xml_io.c".freeze, "ext/nokogiri/xml_io.h".freeze, "ext/nokogiri/xml_libxml2_hacks.c".freeze, "ext/nokogiri/xml_libxml2_hacks.h".freeze, "ext/nokogiri/xml_namespace.c".freeze, "ext/nokogiri/xml_namespace.h".freeze, "ext/nokogiri/xml_node.c".freeze, "ext/nokogiri/xml_node.h".freeze, "ext/nokogiri/xml_node_set.c".freeze, 
"ext/nokogiri/xml_node_set.h".freeze, "ext/nokogiri/xml_processing_instruction.c".freeze, "ext/nokogiri/xml_processing_instruction.h".freeze, "ext/nokogiri/xml_reader.c".freeze, "ext/nokogiri/xml_reader.h".freeze, "ext/nokogiri/xml_relax_ng.c".freeze, "ext/nokogiri/xml_relax_ng.h".freeze, "ext/nokogiri/xml_sax_parser.c".freeze, "ext/nokogiri/xml_sax_parser.h".freeze, "ext/nokogiri/xml_sax_parser_context.c".freeze, "ext/nokogiri/xml_sax_parser_context.h".freeze, "ext/nokogiri/xml_sax_push_parser.c".freeze, "ext/nokogiri/xml_sax_push_parser.h".freeze, "ext/nokogiri/xml_schema.c".freeze, "ext/nokogiri/xml_schema.h".freeze, "ext/nokogiri/xml_syntax_error.c".freeze, "ext/nokogiri/xml_syntax_error.h".freeze, "ext/nokogiri/xml_text.c".freeze, "ext/nokogiri/xml_text.h".freeze, "ext/nokogiri/xml_xpath_context.c".freeze, "ext/nokogiri/xml_xpath_context.h".freeze, "ext/nokogiri/xslt_stylesheet.c".freeze, "ext/nokogiri/xslt_stylesheet.h".freeze, "lib/nokogiri.rb".freeze, "lib/nokogiri/css.rb".freeze, "lib/nokogiri/css/node.rb".freeze, "lib/nokogiri/css/parser.rb".freeze, "lib/nokogiri/css/parser.y".freeze, "lib/nokogiri/css/parser_extras.rb".freeze, "lib/nokogiri/css/syntax_error.rb".freeze, "lib/nokogiri/css/tokenizer.rb".freeze, "lib/nokogiri/css/tokenizer.rex".freeze, "lib/nokogiri/css/xpath_visitor.rb".freeze, "lib/nokogiri/decorators/slop.rb".freeze, "lib/nokogiri/html.rb".freeze, "lib/nokogiri/html/builder.rb".freeze, "lib/nokogiri/html/document.rb".freeze, "lib/nokogiri/html/document_fragment.rb".freeze, "lib/nokogiri/html/element_description.rb".freeze, "lib/nokogiri/html/element_description_defaults.rb".freeze, "lib/nokogiri/html/entity_lookup.rb".freeze, "lib/nokogiri/html/sax/parser.rb".freeze, "lib/nokogiri/html/sax/parser_context.rb".freeze, "lib/nokogiri/html/sax/push_parser.rb".freeze, "lib/nokogiri/syntax_error.rb".freeze, "lib/nokogiri/version.rb".freeze, "lib/nokogiri/xml.rb".freeze, "lib/nokogiri/xml/attr.rb".freeze, 
"lib/nokogiri/xml/attribute_decl.rb".freeze, "lib/nokogiri/xml/builder.rb".freeze, "lib/nokogiri/xml/cdata.rb".freeze, "lib/nokogiri/xml/character_data.rb".freeze, "lib/nokogiri/xml/document.rb".freeze, "lib/nokogiri/xml/document_fragment.rb".freeze, "lib/nokogiri/xml/dtd.rb".freeze, "lib/nokogiri/xml/element_content.rb".freeze, "lib/nokogiri/xml/element_decl.rb".freeze, "lib/nokogiri/xml/entity_decl.rb".freeze, "lib/nokogiri/xml/entity_reference.rb".freeze, "lib/nokogiri/xml/namespace.rb".freeze, "lib/nokogiri/xml/node.rb".freeze, "lib/nokogiri/xml/node/save_options.rb".freeze, "lib/nokogiri/xml/node_set.rb".freeze, "lib/nokogiri/xml/notation.rb".freeze, "lib/nokogiri/xml/parse_options.rb".freeze, "lib/nokogiri/xml/pp.rb".freeze, "lib/nokogiri/xml/pp/character_data.rb".freeze, "lib/nokogiri/xml/pp/node.rb".freeze, "lib/nokogiri/xml/processing_instruction.rb".freeze, "lib/nokogiri/xml/reader.rb".freeze, "lib/nokogiri/xml/relax_ng.rb".freeze, "lib/nokogiri/xml/sax.rb".freeze, "lib/nokogiri/xml/sax/document.rb".freeze, "lib/nokogiri/xml/sax/parser.rb".freeze, "lib/nokogiri/xml/sax/parser_context.rb".freeze, "lib/nokogiri/xml/sax/push_parser.rb".freeze, "lib/nokogiri/xml/schema.rb".freeze, "lib/nokogiri/xml/searchable.rb".freeze, "lib/nokogiri/xml/syntax_error.rb".freeze, "lib/nokogiri/xml/text.rb".freeze, "lib/nokogiri/xml/xpath.rb".freeze, "lib/nokogiri/xml/xpath/syntax_error.rb".freeze, "lib/nokogiri/xml/xpath_context.rb".freeze, "lib/nokogiri/xslt.rb".freeze, "lib/nokogiri/xslt/stylesheet.rb".freeze, "lib/xsd/xmlparser/nokogiri.rb".freeze, "patches/libxml2/0001-Revert-Do-not-URI-escape-in-server-side-includes.patch".freeze, "patches/libxml2/0002-Remove-script-macro-support.patch".freeze, "patches/libxml2/0003-Update-entities-to-remove-handling-of-ssi.patch".freeze, "patches/libxml2/0004-libxml2.la-is-in-top_builddir.patch".freeze, "patches/libxml2/0005-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch".freeze, "ports/archives/libxml2-2.9.10.tar.gz".freeze, 
"ports/archives/libxslt-1.1.34.tar.gz".freeze] s.homepage = "https://nokogiri.org".freeze s.licenses = ["MIT".freeze] s.rdoc_options = ["--main".freeze, "README.md".freeze] s.required_ruby_version = Gem::Requirement.new(">= 2.3.0".freeze) - s.rubygems_version = "2.7.6.2".freeze + s.rubygems_version = "3.1.2".freeze s.summary = "Nokogiri (\u92F8) is an HTML, XML, SAX, and Reader parser".freeze if s.respond_to? :specification_version then s.specification_version = 4 + end - if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then - s.add_development_dependency(%q.freeze, ["~> 0.24"]) - s.add_development_dependency(%q.freeze, ["~> 1.2"]) - s.add_development_dependency(%q.freeze, ["~> 2.0"]) - s.add_development_dependency(%q.freeze, ["~> 1.0"]) - s.add_development_dependency(%q.freeze, ["~> 1.6"]) - s.add_development_dependency(%q.freeze, ["~> 5.8"]) - s.add_development_dependency(%q.freeze, ["~> 1.4.14"]) - s.add_development_dependency(%q.freeze, ["~> 12.0"]) - s.add_development_dependency(%q.freeze, ["~> 1.0.3"]) - s.add_development_dependency(%q.freeze, ["~> 0.7.0"]) - s.add_development_dependency(%q.freeze, ["~> 1.0.5"]) - s.add_development_dependency(%q.freeze, ["~> 0.73"]) - s.add_development_dependency(%q.freeze, ["~> 0.16"]) - s.add_development_dependency(%q.freeze, ["< 7", ">= 4.0"]) - s.add_development_dependency(%q.freeze, ["~> 3.20"]) - else - s.add_dependency(%q.freeze, ["~> 0.24"]) - s.add_dependency(%q.freeze, ["~> 1.2"]) - s.add_dependency(%q.freeze, ["~> 2.0"]) - s.add_dependency(%q.freeze, ["~> 1.0"]) - s.add_dependency(%q.freeze, ["~> 1.6"]) - s.add_dependency(%q.freeze, ["~> 5.8"]) - s.add_dependency(%q.freeze, ["~> 1.4.14"]) - s.add_dependency(%q.freeze, ["~> 12.0"]) - s.add_dependency(%q.freeze, ["~> 1.0.3"]) - s.add_dependency(%q.freeze, ["~> 0.7.0"]) - s.add_dependency(%q.freeze, ["~> 1.0.5"]) - s.add_dependency(%q.freeze, ["~> 0.73"]) - s.add_dependency(%q.freeze, ["~> 0.16"]) - s.add_dependency(%q.freeze, ["< 7", ">= 4.0"]) - 
s.add_dependency(%q.freeze, ["~> 3.20"]) - end + if s.respond_to? :add_runtime_dependency then + s.add_development_dependency(%q.freeze, ["~> 0.24"]) + s.add_development_dependency(%q.freeze, ["~> 1.2"]) + s.add_development_dependency(%q.freeze, ["~> 2.0"]) + s.add_development_dependency(%q.freeze, ["~> 1.0"]) + s.add_development_dependency(%q.freeze, ["~> 1.6"]) + s.add_development_dependency(%q.freeze, ["~> 5.8"]) + s.add_development_dependency(%q.freeze, ["~> 1.4.14"]) + s.add_development_dependency(%q.freeze, ["~> 12.0"]) + s.add_development_dependency(%q.freeze, ["~> 1.1.0"]) + s.add_development_dependency(%q.freeze, ["~> 0.7.0"]) + s.add_development_dependency(%q.freeze, ["~> 1.0.5"]) + s.add_development_dependency(%q.freeze, ["~> 0.73"]) + s.add_development_dependency(%q.freeze, ["~> 0.16"]) + s.add_development_dependency(%q.freeze, [">= 4.0", "< 7"]) + s.add_development_dependency(%q.freeze, ["~> 3.22"]) else s.add_dependency(%q.freeze, ["~> 0.24"]) s.add_dependency(%q.freeze, ["~> 1.2"]) @@ -69,13 +53,13 @@ s.add_dependency(%q.freeze, ["~> 5.8"]) s.add_dependency(%q.freeze, ["~> 1.4.14"]) s.add_dependency(%q.freeze, ["~> 12.0"]) - s.add_dependency(%q.freeze, ["~> 1.0.3"]) + s.add_dependency(%q.freeze, ["~> 1.1.0"]) s.add_dependency(%q.freeze, ["~> 0.7.0"]) s.add_dependency(%q.freeze, ["~> 1.0.5"]) s.add_dependency(%q.freeze, ["~> 0.73"]) s.add_dependency(%q.freeze, ["~> 0.16"]) - s.add_dependency(%q.freeze, ["< 7", ">= 4.0"]) - s.add_dependency(%q.freeze, ["~> 3.20"]) + s.add_dependency(%q.freeze, [">= 4.0", "< 7"]) + s.add_dependency(%q.freeze, ["~> 3.22"]) end end diff -Nru ruby-nokogiri-1.10.7+dfsg1/debian/watch ruby-nokogiri-1.10.9+dfsg/debian/watch --- ruby-nokogiri-1.10.7+dfsg1/debian/watch 2020-02-06 12:53:54.000000000 +0000 +++ ruby-nokogiri-1.10.9+dfsg/debian/watch 2020-03-28 06:23:38.000000000 +0000 
@@ -1,4 +1,4 @@ version=4 -opts="filenamemangle=s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%nokogiri-$1.tar.gz%,dversionmangle=s/\+dfsg\d*$//,repacksuffix=+dfsg1" \ +opts="filenamemangle=s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%nokogiri-$1.tar.gz%,dversionmangle=s/\+dfsg\d*$//,repacksuffix=+dfsg" \ https://github.com/sparklemotion/nokogiri/tags \ (?:.*?/)?v?(\d[\d.]*)\.tar\.gz debian uupdate diff -Nru ruby-nokogiri-1.10.7+dfsg1/ext/java/nokogiri/XmlNodeSet.java ruby-nokogiri-1.10.9+dfsg/ext/java/nokogiri/XmlNodeSet.java --- ruby-nokogiri-1.10.7+dfsg1/ext/java/nokogiri/XmlNodeSet.java 2019-12-04 14:06:07.000000000 +0000 +++ ruby-nokogiri-1.10.9+dfsg/ext/java/nokogiri/XmlNodeSet.java 2020-03-01 18:37:44.000000000 +0000 @@ -39,6 +39,7 @@ import java.util.Arrays; import org.jruby.Ruby; +import org.jruby.RubyArray; import org.jruby.RubyClass; import org.jruby.RubyFixnum; import org.jruby.RubyObject; @@ -391,7 +392,7 @@ } @JRubyMethod(name = {"to_a", "to_ary"}) - public IRubyObject to_a(ThreadContext context) { + public RubyArray to_a(ThreadContext context) { return context.runtime.newArrayNoCopy(nodes); } diff -Nru ruby-nokogiri-1.10.7+dfsg1/ext/nokogiri/xml_schema.c ruby-nokogiri-1.10.9+dfsg/ext/nokogiri/xml_schema.c --- ruby-nokogiri-1.10.7+dfsg1/ext/nokogiri/xml_schema.c 2019-12-04 14:06:07.000000000 +0000 +++ ruby-nokogiri-1.10.9+dfsg/ext/nokogiri/xml_schema.c 2020-03-01 18:37:44.000000000 +0000 
@@ -133,6 +133,31 @@ return rb_schema; } +/* Schema creation will remove and deallocate "blank" nodes. + * If those blank nodes have been exposed to Ruby, they could get freed + * out from under the VALUE pointer. This function checks to see if any of + * those nodes have been exposed to Ruby, and if so we should raise an exception. + */ +static int has_blank_nodes_p(VALUE cache) +{ + long i; + + if (NIL_P(cache)) { + return 0; + } + + for (i = 0; i < RARRAY_LEN(cache); i++) { + xmlNodePtr node; + VALUE element = rb_ary_entry(cache, i); + Data_Get_Struct(element, xmlNode, node); + if (xmlIsBlankNode(node)) { + return 1; + } + } + + return 0; +} + /* * call-seq: * from_document(doc) @@ -152,6 +177,10 @@ /* In case someone passes us a node. ugh. */ doc = doc->doc; + if (has_blank_nodes_p(DOC_NODE_CACHE(doc))) { + rb_raise(rb_eArgError, "Creating a schema from a document that has blank nodes exposed to Ruby is dangerous"); + } + ctx = xmlSchemaNewDocParserCtxt(doc); errors = rb_ary_new(); diff -Nru ruby-nokogiri-1.10.7+dfsg1/Gemfile ruby-nokogiri-1.10.9+dfsg/Gemfile --- ruby-nokogiri-1.10.7+dfsg1/Gemfile 2019-12-04 14:06:07.000000000 +0000 +++ ruby-nokogiri-1.10.9+dfsg/Gemfile 2020-03-01 18:37:44.000000000 +0000 @@ -14,7 +14,7 @@ gem "minitest", "~>5.8", :group => [:development, :test] gem "racc", "~>1.4.14", :group => [:development, :test] gem "rake", "~>12.0", :group => [:development, :test] -gem "rake-compiler", "~>1.0.3", :group => [:development, :test] +gem "rake-compiler", "~>1.1.0", :group => [:development, :test] gem "rake-compiler-dock", "~>0.7.0", :group => [:development, :test] gem "rexical", "~>1.0.5", :group => [:development, :test] gem "rubocop", "~>0.73", :group => [:development, :test] diff -Nru ruby-nokogiri-1.10.7+dfsg1/.hoerc ruby-nokogiri-1.10.9+dfsg/.hoerc --- ruby-nokogiri-1.10.7+dfsg1/.hoerc 2019-12-04 14:06:07.000000000 +0000 +++ ruby-nokogiri-1.10.9+dfsg/.hoerc 2020-03-01 18:37:44.000000000 +0000 
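Review bot: `has_blank_nodes_p` reads every cache entry through `Data_Get_Struct(element, xmlNode, node)` without saying why that is safe, and the guard is only as complete as the cache it scans. If the node cache can hold a wrapper that is not an xmlNode, or a blank node can be wrapped without being recorded there (neither is visible in this hunk), the dangling-pointer case the function is meant to catch would still be reachable. I would state the invariant above the loop, for example `/* every Ruby-wrapped node of this document is recorded in the node cache as an xmlNode wrapper */`. The header comment's last clause should also say that the function only reports the condition, since the raise happens in the caller.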
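Review bot: The `rb_raise` message added to `from_document` says the operation is dangerous but not how to avoid it, and the call-seq comment above the function does not mention the new ArgumentError. The test added in this change shows the working pattern, which is to parse the document again and build the schema before touching its nodes, so the message could say so: `"Creating a schema from a document that has blank nodes exposed to Ruby is dangerous; re-parse the document and create the schema before accessing its nodes"`. That wording still matches the test's `/blank nodes/` assertion. A doc-comment line such as `Raises ArgumentError if blank nodes of doc are already wrapped by Ruby objects.` would cover the documentation side. The body of `from_document` starts and ends outside this hunk.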
@@ -35,7 +35,7 @@ |STANDARD_RESPONSES.md |Y_U_NO_GEMSPEC.md |C_CODING_STYLE.* - |patches/sort-patches-by-date + |patches ) |\.gitkeep /x' diff -Nru ruby-nokogiri-1.10.7+dfsg1/lib/nokogiri/version.rb ruby-nokogiri-1.10.9+dfsg/lib/nokogiri/version.rb --- ruby-nokogiri-1.10.7+dfsg1/lib/nokogiri/version.rb 2019-12-04 14:06:07.000000000 +0000 +++ ruby-nokogiri-1.10.9+dfsg/lib/nokogiri/version.rb 2020-03-01 18:37:44.000000000 +0000 @@ -1,6 +1,6 @@ module Nokogiri # The version of Nokogiri you are using - VERSION = "1.10.7" + VERSION = "1.10.9" class VersionInfo # :nodoc: def jruby? diff -Nru ruby-nokogiri-1.10.7+dfsg1/Manifest.txt ruby-nokogiri-1.10.9+dfsg/Manifest.txt --- ruby-nokogiri-1.10.7+dfsg1/Manifest.txt 2019-12-04 14:06:07.000000000 +0000 +++ ruby-nokogiri-1.10.9+dfsg/Manifest.txt 2020-03-01 18:37:44.000000000 +0000 @@ -233,6 +233,3 @@ lib/xercesImpl.jar lib/xml-apis.jar lib/xsd/xmlparser/nokogiri.rb -patches/libxml2/0001-Revert-Do-not-URI-escape-in-server-side-includes.patch -patches/libxml2/0002-Remove-script-macro-support.patch -patches/libxml2/0003-Update-entities-to-remove-handling-of-ssi.patch diff -Nru ruby-nokogiri-1.10.7+dfsg1/patches/libxml2/0005-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch ruby-nokogiri-1.10.9+dfsg/patches/libxml2/0005-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch --- ruby-nokogiri-1.10.7+dfsg1/patches/libxml2/0005-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch 1970-01-01 00:00:00.000000000 +0000 +++ ruby-nokogiri-1.10.9+dfsg/patches/libxml2/0005-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch 2020-03-01 18:37:44.000000000 +0000 
@@ -0,0 +1,32 @@ +From 0e1a49c8907645d2e155f0d89d4d9895ac5112b5 Mon Sep 17 00:00:00 2001 +From: Zhipeng Xie +Date: Thu, 12 Dec 2019 17:30:55 +0800 +Subject: [PATCH] Fix infinite loop in xmlStringLenDecodeEntities + +When ctxt->instate == XML_PARSER_EOF,xmlParseStringEntityRef +return NULL which cause a infinite loop in xmlStringLenDecodeEntities + +Found with libFuzzer. + +Signed-off-by: Zhipeng Xie +--- + parser.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/parser.c b/parser.c +index d1c3196..a34bb6c 100644 +--- a/parser.c ++++ b/parser.c +@@ -2646,7 +2646,8 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, + else + c = 0; + while ((c != 0) && (c != end) && /* non input consuming loop */ +- (c != end2) && (c != end3)) { ++ (c != end2) && (c != end3) && ++ (ctxt->instate != XML_PARSER_EOF)) { + + if (c == 0) break; + if ((c == '&') && (str[1] == '#')) { +-- +2.17.1 + diff -Nru ruby-nokogiri-1.10.7+dfsg1/Rakefile ruby-nokogiri-1.10.9+dfsg/Rakefile --- ruby-nokogiri-1.10.7+dfsg1/Rakefile 2019-12-04 14:06:07.000000000 +0000 +++ ruby-nokogiri-1.10.9+dfsg/Rakefile 2020-03-01 18:37:44.000000000 +0000 @@ -148,7 +148,7 @@ ["minitest", "~> 5.8"], ["racc", "~> 1.4.14"], ["rake", "~> 12.0"], - ["rake-compiler", "~> 1.0.3"], + ["rake-compiler", "~> 1.1.0"], ["rake-compiler-dock", "~> 0.7.0"], ["rexical", "~> 1.0.5"], ["rubocop", "~> 0.73"], diff -Nru ruby-nokogiri-1.10.7+dfsg1/test/xml/test_schema.rb ruby-nokogiri-1.10.9+dfsg/test/xml/test_schema.rb --- ruby-nokogiri-1.10.7+dfsg1/test/xml/test_schema.rb 2019-12-04 14:06:07.000000000 +0000 +++ ruby-nokogiri-1.10.9+dfsg/test/xml/test_schema.rb 2020-03-01 18:37:44.000000000 +0000 
@@ -7,6 +7,34 @@ assert @xsd = Nokogiri::XML::Schema(File.read(PO_SCHEMA_FILE)) end + def test_segv + skip("Pure Java version shouldn't have this bug") unless Nokogiri.uses_libxml? + + # This is a test for a workaround for a bug in LibXML2. The upstream + # bug is here: https://gitlab.gnome.org/GNOME/libxml2/issues/148 + # Schema creation can result in dangling pointers. If no nodes have + # been exposed, then it should be fine to create a schema. If nodes + # have been exposed to Ruby, then we need to make sure they won't be + # freed out from under us. + doc = <<~doc + + + doc + + # This is OK, no nodes have been exposed + xsd_doc = Nokogiri::XML(doc) + assert Nokogiri::XML::Schema.from_document(xsd_doc) + + # This is not OK, nodes have been exposed to Ruby + xsd_doc = Nokogiri::XML(doc) + node = xsd_doc.root.children.find(&:blank?) # Finds a node + + ex = assert_raise(ArgumentError) do + Nokogiri::XML::Schema.from_document(xsd_doc) + end + assert_match(/blank nodes/, ex.message) + end + def test_schema_from_document doc = Nokogiri::XML(File.open(PO_SCHEMA_FILE)) assert doc
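Review bot: In `test_segv` the local `node` is assigned and never used, so the test never checks that a blank node was actually found before it expects the ArgumentError. If the fixture ever loses its whitespace-only text node, `find(&:blank?)` returns nil and the failure would point at `from_document` rather than at the fixture. Adding `assert node, "fixture must contain a blank text node"` after the `find` line makes the precondition explicit and removes the unused-variable warning. A name such as `test_from_document_rejects_exposed_blank_nodes` would also describe the guarded behaviour better than `test_segv`.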