libxml2: 2.9.3 -> 2.9.4 for three CVEs

[grahamc]

Motivation for this change

Things done

• Tested using sandboxing
  (nix.useSandbox on NixOS,
  or option build-use-sandbox in nix.conf
  on non-NixOS)
• Built on platform(s)
  • NixOS
  • OS X
  • Linux
• Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Fits CONTRIBUTING.md.

---

• CVE-2016-4447: libxml2: Heap-based buffer underreads due to xmlParseName
  https://bugzilla.redhat.com/show_bug.cgi?id=1338686
• CVE-2016-4448 libxml2: Format string vulnerability
  https://bugzilla.redhat.com/show_bug.cgi?id=1338700
• CVE-2016-4449 libxml2: Inappropriate fetch of entities content
  https://bugzilla.redhat.com/show_bug.cgi?id=1338701

and many other fixed issues, available at http://www.xmlsoft.org/news.html

---

Please backport to 16.03 and 15.09.

[mention-bot]

By analyzing the blame information on this pull request, we identified @jgillich, @vcunat and @edolstra to be potential reviewers

[grahamc]

No chance I'll be able to build and test all the depending packages :)

[grahamc]

Thank you, @vcunat!

[vcunat]

Unfortunately, there's a significant "regression" http://hydra.nixos.org/build/36154318/nixlog/1/raw. It might be that just some invalid code was previously accepted; I don't know ATM.

[vcunat]

Hmm, the test error persists even in latest XMLLibXML (2.0124). We might disable the tests, but I'd prefer to first make sure it's not some new bug in libxml.

[vcunat]

It does seem like a regression in libxml2: https://bugzilla.gnome.org/show_bug.cgi?id=766834. That's a bit unfortunate.

[vcunat]

Hmm, I see some of the CVEs were fixed by @peti :-)

[peti]

@vcunat, occupational hazard. :-)

[edolstra]

Should 809aa9c be reverted in the meantime? It broke the 16.03 channels.

[vcunat]

Reverting it would bring back security vulnerabilities, so I don't much like that. I was trying to find some public distro backporting (all) the patches, but I could find none yet, and doing it all myself would take quite some time.

[vcunat]

There's also the possibility that the breakage is caused by one of the security commits.

[vcunat]

Tracked down, and rebuilding 16.03-small again is scheduled.

[domenkozar]

@vcunat thanks, you (with a proper fix) were 5min faster than me :)

[vcunat]

Perhaps I should've written I was bisecting it; I didn't expect anyone reacting that fast.

[grahamc]

So is this resolved?

[vcunat]

It should be fine in staging and 16.03. I expect to merge staging to master today, after Hydra progresses a bit with the rebuild. (Github should mark this PR as merged at that point.)