build: Disable support for compression libraries by default

libxml2 has limited support for reading and writing compressed data with the help of zlib and liblzma which used to be enabled by default. This only works for files read from the file system and never worked with memory buffers. My guess is that this feature is virtually unused. In light of the recently discovered xz backdoor, it's a good time to disable these features by default to reduce attack surface and prepare for eventual removal. If --with-legacy is passed to the Autotools build, compression will be enabled by default as before.
2025-01-27 14:03:36 +03:00 · 2024-04-02 12:56:11 +02:00 · 2024-04-02 12:56:11 +02:00 · f7f1453772
commit f7f1453772
parent 365976dbe0
4 changed files with 29 additions and 23 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -36,7 +36,7 @@ option(LIBXML2_WITH_ICONV "Add ICONV support" ON)
 option(LIBXML2_WITH_ICU "Add ICU support" OFF)
 option(LIBXML2_WITH_ISO8859X "Add ISO8859X support if no iconv" ON)
 option(LIBXML2_WITH_LEGACY "Add deprecated APIs for compatibility" OFF)
-option(LIBXML2_WITH_LZMA "Use liblzma" ON)
+option(LIBXML2_WITH_LZMA "Use liblzma" OFF)
 option(LIBXML2_WITH_MEM_DEBUG "Add the memory debugging module" OFF)
 option(LIBXML2_WITH_MODULES "Add the dynamic modules support" ON)
 option(LIBXML2_WITH_OUTPUT "Add the serialization support" ON)
@ -61,7 +61,7 @@ option(LIBXML2_WITH_XINCLUDE "Add the XInclude support" ON)
 option(LIBXML2_WITH_XPATH "Add the XPATH support" ON)
 option(LIBXML2_WITH_XPTR "Add the XPointer support" ON)
 option(LIBXML2_WITH_XPTR_LOCS "Add support for XPointer locations" OFF)
-option(LIBXML2_WITH_ZLIB "Use libz" ON)
+option(LIBXML2_WITH_ZLIB "Use libz" OFF)
 set(LIBXML2_XMLCONF_WORKING_DIR ${CMAKE_CURRENT_BINARY_DIR} CACHE PATH "Working directory for XML Conformance Test Suite")

 if(LIBXML2_WITH_PYTHON)
--- a/5
+++ b/5
@ -20,6 +20,11 @@ downstream test suites accordingly.

 Support for HTTP POST was removed.

+Support for zlib and liblzma is now disabled by default and has to be
+enabled by passing --with-zlib or --with-lzma to configure. In legacy
+mode (--with-legacy) compression support is enabled by default as
+before.
+

 v2.12.0: Nov 16 2023

--- a/README.md
+++ b/README.md
@ -53,7 +53,7 @@ The following options disable or enable code modules and relevant symbols:
    --with-iconv[=DIR]      iconv support (on)
    --with-icu              ICU support (off)
    --with-iso8859x         ISO-8859-X support if no iconv (on)
-    --with-lzma[=DIR]       use liblzma in DIR (on)
+    --with-lzma[=DIR]       use liblzma in DIR (off)
    --with-mem-debug        memory debugging module (off)
    --with-modules          dynamic modules support (on)
    --with-output           serialization support (on)
@ -74,7 +74,7 @@ The following options disable or enable code modules and relevant symbols:
    --with-xinclude         XInclude 1.0 support (on)
    --with-xpath            XPath 1.0 support (on)
    --with-xptr             XPointer support (on)
-    --with-zlib[=DIR]       use libz in DIR (on)
+    --with-zlib[=DIR]       use libz in DIR (off)

 Other options:

@ -127,18 +127,15 @@ Libxml does not require any other libraries. A platform with somewhat
 recent POSIX support should be sufficient (please report any violation
 to this rule you may find).

-However, if found at configuration time, libxml will detect and use
-the following libraries:
+The iconv function is required for conversion of character encodings.
+This function is part of POSIX.1-2001. If your platform doesn't provide
+iconv, you need an external libiconv library, for example
+[GNU libiconv](https://www.gnu.org/software/libiconv/). Alternatively,
+you can use [ICU](https://icu.unicode.org/).

- [libz](https://zlib.net/), a highly portable and widely available
-  compression library.
- [liblzma](https://tukaani.org/xz/), another compression library.
- [libiconv](https://www.gnu.org/software/libiconv/), a character encoding
-  conversion library. The iconv function is part of POSIX.1-2001, so
-  libiconv isn't required on modern UNIX-like systems like Linux, BSD or
-  macOS.
- [ICU](https://icu.unicode.org/), a Unicode library. Mainly useful as an
-  alternative to iconv on Windows. Unnecessary on most other systems.
+If enabled, libxml uses [libz](https://zlib.net/) or
+[liblzma](https://tukaani.org/xz/) to support reading compressed files.
+Use of this feature is discouraged.

 ## Contributing

--- a/configure.ac
+++ b/configure.ac
@ -86,7 +86,7 @@ AC_ARG_WITH(icu,
 AC_ARG_WITH(iso8859x,
 [  --with-iso8859x         ISO-8859-X support if no iconv (on)])
 AC_ARG_WITH(lzma,
-[  --with-lzma[[=DIR]]       use liblzma in DIR (on)])
+[  --with-lzma[[=DIR]]       use liblzma in DIR (off)])
 AC_ARG_WITH(mem_debug,
 [  --with-mem-debug        memory debugging module (off)])
 AC_ARG_WITH(modules,
@ -128,7 +128,7 @@ AC_ARG_WITH(xptr,
 AC_ARG_WITH(xptr-locs,
 [  --with-xptr-locs        XPointer ranges and points (off)])
 AC_ARG_WITH(zlib,
-[  --with-zlib[[=DIR]]       use libz in DIR (on)])
+[  --with-zlib[[=DIR]]       use libz in DIR (off)])

 AC_ARG_WITH(minimum,
 [  --with-minimum          build a minimally sized library (off)])
@ -907,9 +907,11 @@ dnl Checks for zlib library.
 dnl
 WITH_ZLIB=0

-if test "$with_zlib" = "no"; then
-    echo "Disabling zlib compression support"
-else
+if test "$with_zlib" != "no" && \
+   (test "$with_zlib" != "" || test "$with_legacy" = "yes")
+then
+    echo "Enabling zlib compression support"
+
    if test "$with_zlib" != "yes"; then
        Z_DIR=$with_zlib
    fi
@ -959,9 +961,11 @@ dnl Checks for lzma library.
 dnl
 WITH_LZMA=0

-if test "$with_lzma" = "no"; then
-    echo "Disabling lzma compression support"
-else
+if test "$with_lzma" != "no" && \
+   (test "$with_lzma" != "" || test "$with_legacy" = "yes")
+then
+    echo "Enabling lzma compression support"
+
    if test "$with_lzma" != "yes"; then
        LZMA_DIR=$with_lzma
    fi