FreshPorts -- textproc/libxml2: XML parser library for GNOME

textproc/libxml2: Update to 2.11.9

Fixes CVE-2024-40896

Changelog: https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.9

PR:		281350
Approved by:	desktop (fluffy)
Exp-run by:	antoine
textproc/libxml2: Update to 2.11.8

Fixes CVE-2024-34459

Reference:
https://www.cve.org/CVERecord?id=CVE-2024-34459

Changelog:
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.8

PR:		279043
Approved by:	desktop (tcberner)
Sponsored by:	Blinkinblox
Exp-run by:	antoine
py-libxml2: Byte compile

This eliminates annoying fs-violation errors, notably from
textproc/itstool and textproc/gtk-doc where the byte code is generated
at build time instead of already having been generated by py-libxml2.

It is still peculiar to me that these files are dumped directly into
PYTHON_SITELIBDIR and don't have a subdirectory of their own.
Worth investigating, but hierachical changes are obviously more
intrusive and beyond this scope.
textproc/libxml2: Update to 2.11.7

Fixes CVE-2024-25062

Reference:
https://www.cve.org/CVERecord?id=CVE-2024-25062

Changelog: https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.7

PR:		276900
Approved by:	desktop (fluffy)
Sponsored by:	Blinkinblox
Exp-run by:	antoine
textproc/libxml2: Update to 2.11.6

Changelog: https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.11.6/NEWS

PR:		273210
Reviewed by:	fluffy
Approved by:	desktop (arrowd)
Exp-run by:	antoine
devel/icu: update to 74.1

Changes:	https://github.com/unicode-org/icu/releases/tag/release-74-1
Reported by:	GitHub (watch releases)
PR:		274317
Exp-run by:	antoine (incomplete)
Approved by:	fluffy
textproc/libxml2: fix build with lld 17

Many symbols in the linker version script libxml2.syms are only defined
when --with-xptr-locs is enabled at configure time. Since version
scripts do not support conditionals, suppress errors with lld >= 17 due
to these undefined symbols.

PR:		273789
MFH:		2023Q3
Approved by:	blanket (for desktop and kde)
textproc/libxml2: restore accidentally deleted PORTREVISION?= line
textproc/libxml2: update to 2.10.14 security release (+)

- [CVE-2023-29469] Hashing of empty dict strings isn't deterministic
- [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
- schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK

- SAX2: Ignore namespaces in HTML documents
- io: Fix "buffer full" error with certain buffer sizes

PR:		270906
Security:	0bd7f07b-dc22-11ed-bf28-589cfc0f81b0

Sponsored by:	Serenity Cybersecurity, LLC
devel/icu: update to 73.1

- Temporarily switch to GitHub auto archive (release artifacts are N/A atm)

Changes:	https://github.com/unicode-org/icu/releases/tag/release-73-1
Reported by:	GitHub (watch releases)
PR:		270422
Exp-run by:	antoine
devel/icu: update to 72.1

Changes:	https://github.com/unicode-org/icu/releases/tag/release-72-1
Reported by:	GitHub (watch releases)
PR:		266582
Exp-run by:	antoine
textproc/libxml2: update to 2.10.3 security release (+)

* [CVE-2022-40304] Fix dict corruption caused by entity reference cycles
* [CVE-2022-40303] Fix integer overflows with XML_PARSE_HUGE
* Fix overflow check in SAX2.c

Changelog:	https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.3
MFH:		2022Q4
Remove WWW entries moved into port Makefiles

Commit b7f05445c00f has added WWW entries to port Makefiles based on
WWW: lines in pkg-descr files.

This commit removes the WWW: lines of moved-over URLs from these
pkg-descr files.

Approved by:		portmgr (tcberner)
Add WWW entries to port Makefiles

It has been common practice to have one or more URLs at the end of the
ports' pkg-descr files, one per line and prefixed with "WWW:". These
URLs should point at a project website or other relevant resources.

Access to these URLs required processing of the pkg-descr files, and
they have often become stale over time. If more than one such URL was
present in a pkg-descr file, only the first one was tarnsfered into
the port INDEX, but for many ports only the last line did contain the
port specific URL to further information.

There have been several proposals to make a project URL available as
a macro in the ports' Makefiles, over time.

textproc/libxml2: update to 2.10.2 maintenance release (+)

Changelog:	https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.2
textproc/libxml2: update to 2.10.1 release (+)

Changelog:	https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.10.0 \
		https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.10.1
textproc/libxml2: update to 2.9.14 maintenance release (+)

Changelog:	https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14
textproc: remove 'Created by' lines

A big Thank You to the original contributors of these ports:

  *  "Choe, Cheng-Dae" whitekid
  *  -
  *  <glewis@FreeBSD.org>
  *  <koshy@india.hp.com>
  *  Aaron Dalton <aaron@FreeBSD.org>
  *  Aaron Dalton <aaron@daltons.ca>
  *  Aaron Straup Cope
  *  Aaron Straup Cope <ascope@cpan.org>
  *  Ache
  *  Adam Herzog <adam@herzogdesigns.com>
  *  Adam Weinberger <adamw@FreeBSD.org>
textproc/{,py-}libxml2: switch back to autotools

See notes in Makefile and linked PRs.

While here, disable the ICU option by default. CFLAGS for libicu
are passed to libxml2's consumers when the option is enabled. As
icu's API is not stable between versions, PORTREVISION bumps can
get missed.

Additionally, properly exclude all OPTIONS from py-libxml2 and
prevent do-configure from unnecessarily running.

Co-authored-by: diizzy
PR: 262853, 262940, 262877
Approved by: fluffy (mentor)
devel/icu: update to 71.1

Changes:	https://github.com/unicode-org/icu/releases/tag/release-71-1
Reported by:	GitHub (watch releases)
PR:		262654
Exp-run by:	antoine
Approved by:	fluffy
textproc/libxml2: Update to 2.9.13 and migrate to CMake

Depend on ICU and (lib)readline to follow other distros

Changelog: https://gitlab.gnome.org/GNOME/libxml2/-/tags/v2.9.13

I'd like to thank both tcberner and mandree for reviewing,
suggesting improvements and helping out in general. I'd also like
thank antoine for doing exp-runs.

PR:		262288
Reviewed by:	tcberner, mandree
Approved by:	desktop (tcberner)
Differential Revision:	https://reviews.freebsd.org/D34338
Exp-run by:	antoine
*: Clean up some things

- Fix typos
- Remove nop or unreferenced variables
- Clean up commented PORTREVISION
- Add missing USES

Reported by:	portscan
textproc/libxml2: Update to 2.9.12

PR:		256436
Reviewed by:	arrowd
Tested by:	arrowd
textproc/libxml2: add upstream fix for CVE-2021-3541

This is relapted to parameter entities expansion and following
the line of the billion laugh attack. Somehow in that path the
counting of parameters was missed and the normal algorithm based
on entities "density" was useless.

PR:		256094
Obtained
from:	https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e
Security:	CVE-2021-3541
textproc/libxml2: fix build with VALIDATION option off

Grab two commits from upstream that fix the build when
--no-valid is passed to configure; in the ports build
that translates to the VALIDATION option turned off.
These come straight from GNOME GitLab, although I've
bunged them into one patch-* file.

Not bumping PORTREVISION, since with this option off
it would never have built, and with the option on
the resulting package is unchanged.

PR:		253596
Remove # $FreeBSD$ from Makefiles.
textproc/libxml2: rename VALID option to VALIDATION

- The option name could under some circumctances lead to issues
  with the VALID_CATEGOIRES variable of the ports framework.
- Simply rename the option, to something similar.

PR:		252933
Submitted by:	andrew@tao11.riddles.org.uk
textproc/libxml2: ship patches via files/ due to gitlab

- gitlab has a tendency to change checksum of patches due to metadata changes
- switch to including the patches in the tree directly instead of using
PATCH_FILES

PR:             251040
Submitted by:   daniel.engberg.lists@pyret.net
Reported by:    David Armstrong <bink19th@pm.me>
textproc/libxml2: backport python 3.9.x support

No PORTREVISION bump, py-libxml2 was always unbuildable with py39

With hat:	desktop
Obtained from:	libxml2 repo
textproc/libxml2: Multiple vulnerabilities

Includes upstreams fixes for

	* CVE-2019-20388
	* CVE-2020-7595
	* CVE-2020-24977

PR:		249386
Submitted by:	daniel.engberg.lists@pyret.net
MFH:		2020Q3
In preparation of the update of glib remove the -reference ports

Those ports mainly concern old Gnome2 libraries, the behaviour of this infra
is not compatible with the meson build system (being used in newer version)
the documentation is provided otherwise in the other version
Unbreak py-libxml2
textproc/libxml2: Remove gmake dependency

- remove dependency on gmake in textproc/libxml2 and textproc/libxml2-reference

PR:		243346
Submitted by:	daniel.engberg.lists@pyret.net
textproc/libxml2: update to 2.9.10

PR:		24004
Exp-run by:	antoine
Reviewed by:	madpilot
Differential Revision:	https://reviews.freebsd.org/D22410
Create desktop@ as maintainer of some shared desktop ports

This idea has been around for quite some time. Time to make it happen.

In order to share the load on the ports required by multiple desktop
environments start to share the responsibility of maintainership.

This is the initial list that came to mind, but we can probably extend it, to
include another handful of ports.

WWW: https://wiki.freebsd.org/DesktopTeam
Mailing List: https://lists.freebsd.org/mailman/listinfo/freebsd-desktop

Approved by:	swills, kwm (gnome), madpilot (xfce)
Differential Revision:	https://reviews.freebsd.org/D22389
MASTERDIR is always defined after bsd.port.pre.mk
Prepare for powerpc-on-clang by deleting hard-coded tests for libstdc++.so
as a stand-in for "are we running on gcc".

For people already testing powerpc on clang, it is possible that they
already have both compilers in base.  Thus, the assumption that "gcc is
in base" (e.g.  libstdc++.so exists) always means "force use of GCC" is
already broken.  It will be for everyone on -CURRENT once the switch is
made.

Tested on both amd64 and powerpc64.

PR:		239153
Approved by:	gnome (maintainer-timeout, > 1 month)
textproc/libxml2: Update to 2.9.9 [1]

While here, fix a bug in libxslt triggered by the libxml2 update

PR:		235713 [1]
PR:		238522
Exp-run by:	antoine
Reported by:	kunda <chitty_cloud@me.com> [1]
Reviewed by:	kwm [1] [2]
Obtained
from:	https://gitlab.gnome.org/GNOME/libxslt/commit/5b0965010abf274f7a3a1291d16dde34c167e8a7
Workaround https://bugzilla.gnome.org/show_bug.cgi?id=789714

PR:		234633
Obtained from:	Fedora / openSuse
textproc/libxml2: fix build with GCC-based architectures

PR:		234563
Submitted by:	Piotr Kubaj <pkubaj@anongoth.pl>
Pointyhat to:	swills
Fix LICENSE_PERMS
textproc/libxml2: update to 2.9.8

PR:		233804
Exp-run by:	antoine
Remove usage of _PyVerify_fd().

This function appears to be removed in python 3.5.0. Instead of adding a
version check like the submitter proposed. Grab the upstream patch instead
that just removes the function usage.

PR:		224902
Submitted by:	Michael Zhilin <mizhka@gmail.com>
Obtained from:	libxml2 upstream
- Add LICENSE

Approved by:	portmgr blanket
Switch some MASTER_SITES from http/ftp to https.

Also some cleanup of dead entries.

PR:		226203
Submitted by:	Sam H
Sponsored by:	Absolight
textproc/libxml2: update to 2.9.7

PR:		222893
PR:		224189
Reported by:	Walter Hop <walter@lifeforms.nl>
Approved by:	gnome@ (kwm)
Exp-run by:	antoine
MFH:		2017Q4
Security:	76e59f55-4f7a-4887-bcb0-11604004163a
${RM} already has -f.

PR:		213570
Submitted by:	mat
Exp-run by:	antoine
Sponsored by:	Absolight
textproc/libxml2: remove LICENSE block to unbreak libxml2-reference

The addition of the MIT licence block broke at least the
textproc/libxml2-reference port due to how the helper script
bsd.gnome-reference.mk works.  Removed at the request of person that
suggested the license be added [2].

PR:		209806

PR:		212265 [2]
Reported by:	cpm
Update libxml2 to 2.9.4.

Add license block.
Pull extra patch to fix NULL pointer deref. [1]

Changelog:	https://mail.gnome.org/archives/xml/2016-May/msg00023.html

PR:		209806
Submitted by:	pi@
Obtained from:	upstream [1]
MFH:		2016Q3
Security:	e195679d-045b-4953-bb33-be0073ba2ac6
New release to fix a number of CVE's.

CVE-2015-1819 is also listed in the release notes of 2.9.3 but that issue
was fixed in a previous commit and documented in another vuxml entry.

MFH:		2015Q4
Security:	e5423caf-8fb8-11e5-918c-bcaec565249c
- Add option to disable validator

Approved by:	kwm
Fix libxml2 CVE-2015-1819

doc/ tree tested by:	wblock@

Obtained from:	libxml2 upstream
MFH:		2015Q3
Security: 9c7177ff-1fe1-11e5-9a01-bcaec565249c
Remove $FreeBSD$ from patches files everywhere.

With hat:	portmgr
Sponsored by:	Absolight
- Add CPE info

Approved by:	portmgr blanket
Fix regression introduced in CVE-201403660 fix.

Submitted by:	gjb@
Obtained from:	libxml2 upstream
patch-parser.c:
 Replace allready applied patch with new patch from upstream to unbreak the
 xmlcatalog command.
patch-uri.c:
Revert uri.c commit that causes the document chain to fail.

Reported by:	antoine@
Tested by:	bapt@
MFH:		2014Q4
Update to 2.9.2.

This release fixes CVE-2014-3660 (DoS).

MFH:		2014Q4
Security:	0642b064-56c4-11e4-8b87-bcaec565249c
Fix miss merge relating to iconv support.

Reported & tested by:	Cyril Kalinchikov <cyr.k@me.com>
Make sure to remove all orphaned doc dirs.

Submitted by:	port jenkins via swills@
Make check-plist not trow it cookies.
Update to libxml2 2.9.1 [1]

This version fixes CVE-2013-2877.
Add upstream patch for CVE-2014-0191.

CVE's Reported by:	Akinori MUSHA <knu@iDaemons.org>
Obtained from:	GNOME dev repo [1], libxml2 upstream [2]
MFH:		2014Q2
When linking a library libA with a library libB using libtool, if libB.la
exists, libtool will add all libraries libB.la refers to (dependency_libs
field) to the linker command line and store them in the dependency_libs
field of libA.la.  So everything that subsequently links with libA will also
link to these extra libraries.  This causes too much overlinking.

This commit modifies Mk/Uses/libtool.mk so it empties the dependency_libs
field in .la libraries during staging.  However, because .la libraries have
very limited use when dependency_libs is empty it makes sense to completely
remove them during staging.

So with this commit USES=libtool is modified to remove .la libraries and a
new form (USES=libtool:keepla) is introduced in case they need to be kept
(dependency_libs is still emptied).

The FreeBSD x11@ and graphics team proudly presents
a zeising, kwm production, with help from dumbbell, bdrewery:

NEW XORG ON FREEBSD 9-STABLE AND 10-STABLE

This update switches over to use the new xorg stack by default on FreeBSD 9
and 10 stable, on osversions where vt(9) is available.
It is still possible to use the old stack by specifying WITHOUT_NEW_XORG in
/etc/make.conf .
FreeBSD 8-STABLE and released versions of FreeBSD still use
the old version.
A package repository with binary packages for new xorg will
be available soon.

This patch also contains updates of libxcb and related ports, pixman, as well
- Add STAGEDIR support.
- Use *_CONFIGURE_WITH.
- Add workaround for an iconv incompatibility on 10.X and later.
Add NO_STAGE all over the place in preparation for the staging support (cat:
textproc)
Introduce variable ICONV_PREFIX at Mk/Uses/iconv.mk. The default for
pre 100043 is ${LOCALBASE} and /usr otherwise. Convert all ports to
new variable usage.

Approved by:	portmgr (bapt, implicit)
Track down the latest USE_GNOME=pkgconfig
- Remove MAKE_JOBS_SAFE variable

Approved by:	portmgr (bdrewery)
- Convert USE_ICONV=yes to USES=iconv
- Change USE_GNOME=pkgconfig|gnomehack to USES=pathfix|pkgconfig and
  USE_GETTEXT=yes to USES=gettext while here
Fix build with LZMA.  All supported versions have liblzma in the base.

Approved by:	gnome (mezz)
Feature safe:	yes
- Add http mirror in case FTP is not available

Approved by:	gnome (kwm)
Approved by:	portmgr (implicit)
Fix options evaluation that got mixed up in the OptionsNG converstion.

PR:		ports/177480
Submitted by:	scf@
Pointyhat for:	kwm
Fix typo

PR:		ports/177480
Submitted by:	Sayetsky Anton <vsjcfm@gmail.com>
Update to 2.8.0. [1]
Add patch to fix CVE-2013-0338 and CVE-2013-0339. [2]
Convert to OptionsNG, rename patches to standard form. [1]

Notified by:	swills@ [2]
Obtained from:	gnome team repo [1]
Security:	843a4641-9816-11e2-9c51-080027019be0
Switch main site and mirror around. The mirror is still valid but it is really
slow.

Reported by:	many
Feature safe:	yes
- Revert previous change to add -pthread since libxml2 is not threaded, but is
  thread-safe, so -pthread is not needed here, but in threaded programs that
  use libxml2

Pointed out by:	ale@
Discussed with:	marcus, kwm
Pointyhat to:	swills
- Build with -pthread and include -pthread in xml2-config --libs output when
threads are enabled

PR:		ports/171353
Discussed with:	marcus, kwm
Approved by:	marcus
Merge the patch-Makefile.in into patch-aa which already patched Makefile.in.
Compile static libxml2.a with -fPIC so 3rd party shared libs can
link statically with libxml2.a.

OK from:	mezz
Fix the disable iconv option.

PR:             ports/167211
Submitted by:   sunpoet
Document and fix a off-by-one vulnability in libxml2.

Obtained from:  libxml upstream
Security:       b8ae4659-a0da-11e1-a294-bcaec565249c
Fix last commit which broke the build.

Feature safe:   yes
-Make the iconv optional.

PR:             ports/162571
Submitted by:   Pedro Giffuni <giffunip@tutopia.com>
Feature safe:   yes
Fix libxml2 heap buffer overflow vulnability.

PR:             ports/164270
Submitted by:   kj <b4039413@nwldx.com>
Security:       57f1a624-6197-11e1-b98c-bcaec565249c
- Remove WITH_FBSD10_FIX, is no longer needed
Do the WITH_FBSD10_FIX manualy, because it doesn't do the right thing (yet).
This should unbreak the python bindings.

Reported by:    miwi and pointyhat (via pav)
Make sure the FreeBSD 10 fix, doesn't blow away local changes.

Reported by:    Marco Steinbach <coco@executive-computing.de>
                Ruslan Mahmatkhanov <cvs-src@yandex.ru>
Add WITH_FBSD10_FIX=yes, to fix build on FreeBSD 10.0.

Submitted by:   beat@
Remove obsolete patch, for freebsd6.

PR:             ports/162011
Submitted by:   Ruslan Mahmatkhanov <cvs-src@yandex.ru>
- Add LDFLAGS to CONFIGURE_ENV and MAKE_ENV (as it was done with LDFLAGS)
- Fix all ports that add {CPP,LD}FLAGS to *_ENV to modify flags instead

PR:             157936
Submitted by:   myself
Exp-runs by:    pav
Approved by:    pav
Remove USE_GNOME=gnometarget from ports. It has been a empty keyword since
mid 2008.

PR:             ports/159624
Submitted by:   Ruslan Mahmatkhanov <cvs-src@yandex.ru>
Re-enable symbol versioning. This fixes the undefined symbols.

PR:             ports/152616 ports/152612
Submitted by:   Christoph Moench-Tegeder <cmt@burggraben.net>
                Pascal Stumpf <Pascal.Stumpf@cubes.de>
Update to 2.7.8.
Use USE_CSTD=gnu89 to build libxml2.
When build with Clang it tries to use C99 math functions we don't have.
Also fix a symbol collision with the python bindings that got exposed by a
Clang bug.

With hat:       gnome
Add an option to build libxml w/out threads support.

PR:             ports/146582
Submitted by:   Alexander Kriventsov <avk@vl.ru>
Feature safe:   yes
Presenting GNOME 2.30.1 for FreeBSD. The offical release notes for this
release can be found at http://library.gnome.org/misc/release-notes/2.30/ .

This release brings initial PackageKit support, Upower (replaces power
management part of hal), cuse4bsd integration with HAL and cheese, and a
faster Evolution.

Sadly GNOME 2.30.x will be the last release with FreeBSD 6.X support. This
will also be the last of the 2.x releases. The next release will be the
highly-anticipated GNOME 3.0 which will bring with it a new UI experience.

Currently, there are a few bugs with GNOME 2.30 that may be of note for our
users. Be sure to consult the UPGRADING note or the 2.30 upgrade FAQ at
http://www.freebsd.org/gnome/docs/faq230.html for specific upgrading
instructions, and the up-to-date list of known issues.
libxml2 knows too much about zlib internals.  Beginning from zlib 1.2.2.3
the zlib authors has provided a 'gzdirect' function to detect whether the
current gzFile descriptor is still providing a stream from uncompression,
so use it instead of rolling own.

The upcoming zlib 1.2.4 update will break the current libxml2 usage.

Patch was the same as Mark Adler provided to libxml2 maintainers at:

        http://osdir.com/ml/svn-commits-list/2010-01/msg05723.html

PR:             ports/144828
Approved by:    mezz (freebsd-gnome@)
Build thread-safe library and do it in the right way to not break other ports.

Reviewed by:    marcus
Approved by:    marcus
Update to 2.7.6.
Update to 2.7.5.

Feature safe:   yes

Newsfeed changes