Skip to content

libxml2: split to multiple versions, init libxml2_13, add patch for 5 CVEs #421740

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
leona-ya merged 11 commits into from
Jul 19, 2025
Merged

libxml2: split to multiple versions, init libxml2_13, add patch for 5 CVEs #421740

leona-ya merged 11 commits into from
Jul 19, 2025

Conversation

@gepbird
Copy link
Contributor

@gepbird gepbird commented Jul 2, 2025
edited
Loading

This is a follow-up for #421204 and #421201, cc @alyssais

This solves the problem of not having a unified way to use the old libxml2 package. For some proprietary packages, it's not feasible to get a newer version of libxml2 working. One package used overrideAttrs, while another package vendored the old libxml2. I'll address these in separate PRs after this PR is accepted

This adds libxml2_13 package with a patch applied to fix the CVE

Unrelated to the aforementioned PRs, but I think it's safe to remove python2 support. I couldn't find any usages of it (I grepped for libxml2\. and libraries/libxml2)

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • Nixpkgs 25.11 Release Notes (or backporting 25.05 Nixpkgs Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
  • NixOS 25.11 Release Notes (or backporting 25.05 NixOS Release notes)
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other contributing documentation in corresponding paths.

Add a 👍 reaction to pull requests you find important.

@gepbird gepbird marked this pull request as draft July 2, 2025 10:04
@gepbird gepbird force-pushed the libxml2-versions branch from e5cc3e8 to b9de833 Compare July 2, 2025 10:06
@gepbird gepbird marked this pull request as ready for review July 2, 2025 10:07
@gepbird gepbird changed the title libxml2: split to version, init libxml2_2_13, remove python2 support libxml2: split to multiple versions, init libxml2_2_13, remove python2 support Jul 2, 2025
@gepbird gepbird force-pushed the libxml2-versions branch from b9de833 to 1ed6d7a Compare July 2, 2025 10:10
@nix-owners nix-owners bot requested a review from natsukium July 2, 2025 10:12
@gepbird gepbird marked this pull request as draft July 2, 2025 10:14
@gepbird gepbird force-pushed the libxml2-versions branch from 1ed6d7a to da442c9 Compare July 2, 2025 10:17
@gepbird gepbird marked this pull request as ready for review July 2, 2025 10:17
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 501-1000 This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 6.topic: python Python is a high-level, general-purpose programming language. labels Jul 2, 2025
alyssais
alyssais approved these changes Jul 2, 2025
View reviewed changes
Copy link
Member

@alyssais alyssais left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you so much for picking this up! Looks good to me at a glance, but I'll give the package maintainer a chance to comment. Want to also change all the packages currently overriding libxml2 to use this?

@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Jul 2, 2025
@emilazy
Copy link
Member

emilazy commented Jul 2, 2025

Have any of the packages using the old version been tested with the new one, or is it just build errors from the changed soname? I know the ABI changed along with security fixes, but it seems it would be better to avoid the security issues and version proliferation if it ends up working in practice.

@gepbird
Copy link
Contributor Author

gepbird commented Jul 2, 2025

Thank you so much for picking this up! Looks good to me at a glance, but I'll give the package maintainer a chance to comment. Want to also change all the packages currently overriding libxml2 to use this?

Thanks, but I want to address those packages in separate PRs. My reason is I'm planning to do other refactoring changes for those packages, and including those changes here would be too much for reviewers and probably delay getting this core change merged

@gepbird
Copy link
Contributor Author

gepbird commented Jul 2, 2025
edited
Loading

Have any of the packages using the old version been tested with the new one, or is it just build errors from the changed soname? I know the ABI changed along with security fixes, but it seems it would be better to avoid the security issues and version proliferation if it ends up working in practice.

@emilazy The example for the vendored (plex-desktop) was tested with the new libxml2, it didn't work: #418546 (comment)

I just tested the example for the overrideAttrs packages (ciscoPacketTracer8 and ciscoPacketTracer7) with the new libxml2, it suffers from the ABI breakage too:

nixpkgs ❯ ./result/bin/packettracer8        
/nix/store/qf1jkmmnwxc9y8wafxk41vr06gkplpsd-ciscoPacketTracer8-unwrapped/opt/pt/bin/PacketTracer: /nix/store/qf1jkmmnwxc9y8wafxk41vr06gkplpsd-ciscoPacketTracer8-unwrapped/lib/libxml2.so.2: no version information available (required by /nix/store/qf1jkmmnwxc9y8wafxk41vr06gkplpsd-ciscoPacketTracer8-unwrapped/opt/pt/bin/libQt5WebEngineCore.so.5)
/nix/store/qf1jkmmnwxc9y8wafxk41vr06gkplpsd-ciscoPacketTracer8-unwrapped/opt/pt/bin/PacketTracer: /nix/store/qf1jkmmnwxc9y8wafxk41vr06gkplpsd-ciscoPacketTracer8-unwrapped/lib/libxml2.so.2: no version information available (required by /nix/store/qf1jkmmnwxc9y8wafxk41vr06gkplpsd-ciscoPacketTracer8-unwrapped/opt/pt/bin/libQt5WebEngineCore.so.5)
/nix/store/qf1jkmmnwxc9y8wafxk41vr06gkplpsd-ciscoPacketTracer8-unwrapped/opt/pt/bin/PacketTracer: /nix/store/qf1jkmmnwxc9y8wafxk41vr06gkplpsd-ciscoPacketTracer8-unwrapped/lib/libxml2.so.2: no version information available (required by /nix/store/qf1jkmmnwxc9y8wafxk41vr06gkplpsd-ciscoPacketTracer8-unwrapped/opt/pt/bin/libQt5WebEngineCore.so.5)
/nix/store/qf1jkmmnwxc9y8wafxk41vr06gkplpsd-ciscoPacketTracer8-unwrapped/opt/pt/bin/PacketTracer: /nix/store/qf1jkmmnwxc9y8wafxk41vr06gkplpsd-ciscoPacketTracer8-unwrapped/lib/libxml2.so.2: no version information available (required by /nix/store/qf1jkmmnwxc9y8wafxk41vr06gkplpsd-ciscoPacketTracer8-unwrapped/opt/pt/bin/libQt5WebEngineCore.so.5)
/nix/store/qf1jkmmnwxc9y8wafxk41vr06gkplpsd-ciscoPacketTracer8-unwrapped/opt/pt/bin/PacketTracer: /nix/store/qf1jkmmnwxc9y8wafxk41vr06gkplpsd-ciscoPacketTracer8-unwrapped/lib/libxml2.so.2: no version information available (required by /nix/store/qf1jkmmnwxc9y8wafxk41vr06gkplpsd-ciscoPacketTracer8-unwrapped/opt/pt/bin/libQt5WebEngineCore.so.5)
/nix/store/qf1jkmmnwxc9y8wafxk41vr06gkplpsd-ciscoPacketTracer8-unwrapped/opt/pt/bin/PacketTracer: symbol lookup error: /nix/store/qf1jkmmnwxc9y8wafxk41vr06gkplpsd-ciscoPacketTracer8-unwrapped/opt/pt/bin/libQt5WebEngineCore.so.5: undefined symbol: valuePush, version LIBXML2_2.4.30

@emilazy
Copy link
Member

emilazy commented Jul 2, 2025

Gotcha. Then this seems fine. I hope we can do undo it and don’t end up with five libxml2 versions, but that doesn’t seem practical right now.

@gepbird gepbird force-pushed the libxml2-versions branch from c38ba8c to 2da008e Compare July 18, 2025 22:34
@nixpkgs-ci nixpkgs-ci bot removed the 2.status: merge conflict This PR has merge conflicts with the target branch label Jul 18, 2025
@gepbird
Copy link
Contributor Author

gepbird commented Jul 18, 2025

Are there any blockers? I feel like this has got enough reviews from enough people, including the package maintainer

Overall it is a refactor with python support removed and a new package, I feel like there's not much risk going forward with this as is

Note that there are packages on master with vulnerable, vendored libxml2 (2.13) libraries, which I'd love to start working on. However since the base of those future PRs could change at any time, I don't want to create extra work for myself

@LordGrimmauld
Copy link
Contributor

LordGrimmauld commented Jul 19, 2025

I don't think there is any blockers, and i would merge if i could. Though this does need to go through staging, and staging people are aware of this PR. It'll likely be picked up for next cycle, though that cycle will have to wait ~2 weeks going by current schedule (current staging-next is running, 25.05 will be after that). Doesn't mean this can't be merged earlier though. In fact, i believe it should be merged soon, so the backport of the CVE fixes can be picked into the 25.05 cycle.

@leona-ya leona-ya merged commit 50a6e54 into NixOS:staging Jul 19, 2025
24 of 27 checks passed
@gepbird gepbird deleted the libxml2-versions branch July 19, 2025 08:34
@gepbird gepbird mentioned this pull request Jul 20, 2025
Merged
14 tasks
huantianad added a commit to huantianad/nixpkgs that referenced this pull request Aug 3, 2025
@huantianad
unityhub: use overrideAttrs for old libxml2
b18b32e 
fixes NixOS#419634 before NixOS#421740 is merged to master
fm7-1 pushed a commit to stackbuilders/nixpkgs that referenced this pull request Aug 4, 2025
@huantianad @fm7-1
unityhub: use overrideAttrs for old libxml2
25ce3df 
fixes NixOS#419634 before NixOS#421740 is merged to master
This was referenced Aug 17, 2025
Closed
Merged
@yvt yvt mentioned this pull request Aug 24, 2025
Merged
13 tasks
bitbloxhub added a commit to bitbloxhub/nixpkgs-esp-dev that referenced this pull request Jan 8, 2026
@bitbloxhub
flake: bump nixpkgs to 25.11
ff5a378 
ecdsa is insecure, see
tlsfuzzer/python-ecdsa#352

For the libxml2 change, see
NixOS/nixpkgs#421740
@bitbloxhub bitbloxhub mentioned this pull request Jan 8, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jtojnar jtojnar jtojnar left review comments

@alyssais alyssais alyssais approved these changes

@SuperSandro2000 SuperSandro2000 SuperSandro2000 approved these changes

@leona-ya leona-ya leona-ya approved these changes

@LordGrimmauld LordGrimmauld LordGrimmauld approved these changes

@natsukium natsukium Awaiting requested review from natsukium

@fpletz fpletz Awaiting requested review from fpletz

@robsliwi robsliwi Awaiting requested review from robsliwi

@prusnak prusnak Awaiting requested review from prusnak

@adevress adevress Awaiting requested review from adevress

@bjornfor bjornfor Awaiting requested review from bjornfor

@HarisDotParis HarisDotParis Awaiting requested review from HarisDotParis

@thoughtpolice thoughtpolice Awaiting requested review from thoughtpolice

@amiloradovsky amiloradovsky Awaiting requested review from amiloradovsky

@qknight qknight Awaiting requested review from qknight

Assignees

No one assigned

Labels

1.severity: security Issues which raise a security issue, or PRs that fix one 6.topic: python Python is a high-level, general-purpose programming language. 10.rebuild-darwin: 501-1000 This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-darwin: 501+ This PR causes many rebuilds on Darwin and should normally target the staging branches. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 12.approvals: 3+ This PR was reviewed and approved by three or more persons.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@gepbird @emilazy @alyssais @LordGrimmauld @nixos-discourse @jtojnar @SuperSandro2000 @leona-ya