From f154b81ff960f3ee003ef4efd3bc87b1c89e2a6a Mon Sep 17 00:00:00 2001
From: divya agarwal
Date: Thu, 28 Aug 2025 10:44:38 -0400
Subject: [PATCH 1/7] patch libxml2
---
 docker/1.7-1/base/Dockerfile.cpu | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/docker/1.7-1/base/Dockerfile.cpu b/docker/1.7-1/base/Dockerfile.cpu
index e1f72ffd..3e086e5d 100644
--- a/docker/1.7-1/base/Dockerfile.cpu
+++ b/docker/1.7-1/base/Dockerfile.cpu
@@ -193,5 +193,11 @@ RUN sqlite3 --version
 RUN apt list --installed
+# Ensure libxml2 is updated to patch CVE-2025-49796
+RUN apt-get update && \
+ apt-get -y install --only-upgrade libxml2 && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/*
+
 # Install latest version of XGBoost
 RUN python3 -m pip install --no-cache -I xgboost==${XGBOOST_VERSION}
From fe759a5231331a73a6fb7207aae8501c2d91377a Mon Sep 17 00:00:00 2001
From: divya agarwal
Date: Tue, 2 Sep 2025 09:32:01 -0400
Subject: [PATCH 2/7] patch libxml and linux
---
 docker/1.7-1/base/Dockerfile.cpu | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker/1.7-1/base/Dockerfile.cpu b/docker/1.7-1/base/Dockerfile.cpu
index 3e086e5d..98ef58e6 100644
--- a/docker/1.7-1/base/Dockerfile.cpu
+++ b/docker/1.7-1/base/Dockerfile.cpu
@@ -193,9 +193,9 @@ RUN sqlite3 --version
 RUN apt list --installed
-# Ensure libxml2 is updated to patch CVE-2025-49796
+# Ensure libxml2 and linux-libc-dev is updated to patch CVE-2025-49796
 RUN apt-get update && \
- apt-get -y install --only-upgrade libxml2 && \
+ apt-get -y install --only-upgrade libxml2 linux-libc-dev && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/*
From 06a72e9447ff0742020b51e48f553864eefa849f Mon Sep 17 00:00:00 2001
From: divya agarwal
Date: Tue, 2 Sep 2025 10:47:41 -0400
Subject: [PATCH 3/7] libxml2 cve patch
---
 docker/1.7-1/base/Dockerfile.cpu | 46 ++++++++++++++++++++++++--------
 1 file changed, 35 insertions(+), 11 deletions(-)
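Review bot: `apt-get -y install --only-upgrade libxml2` exits 0 whether or not a patched candidate exists, so this layer does not establish that CVE-2025-49796 is actually addressed; on the ubuntu:20.04 base this file declares (visible in patch 3 hunk 1) a fix for a 2025 CVE may only be published through extended-support repositories, in which case the upgrade is silently a no-op. Pin the package to the fixed release so the build fails loudly when it is unavailable, e.g. `apt-get -y install --only-upgrade libxml2=<fixed-version-from-advisory>`, and leave evidence in the build log with `dpkg-query -W libxml2`. The `RUN apt list --installed` on the context line above runs before this upgrade, so the inventory it logs still shows the pre-patch version; move it after this RUN.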
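Review bot: The rewritten comment attributes the linux-libc-dev upgrade to CVE-2025-49796, but that package holds the kernel userspace headers and has nothing to do with libxml2, so the comment misstates why it is being upgraded; the subject line "patch libxml and linux" suggests a separate kernel advisory is the real reason. Name each package's advisory so the next reviewer can verify both, e.g. `# Upgrade libxml2 (CVE-2025-49796) and linux-libc-dev (<kernel advisory id>) to patched builds`. While there, "is updated" should read "are updated".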
diff --git a/docker/1.7-1/base/Dockerfile.cpu b/docker/1.7-1/base/Dockerfile.cpu
index 98ef58e6..2fc325c0 100644
--- a/docker/1.7-1/base/Dockerfile.cpu
+++ b/docker/1.7-1/base/Dockerfile.cpu
@@ -1,9 +1,10 @@
 ARG UBUNTU_VERSION=20.04
 ARG CUDA_VERSION=11.6.1
 ARG IMAGE_DIGEST=c2d95c9c6ff77da41cf0f2f9e8c5088f5b4db20c16a7566b808762f05b9032ef
+ARG LIBXML2_VERSION=2.12.7
-# Build stage for SQLite compilation
-FROM ubuntu:${UBUNTU_VERSION} as sqlite-builder
+# Build stage for SQLite and libxml2 compilation
+FROM ubuntu:${UBUNTU_VERSION} as builder
 RUN apt-get update && apt-get install -y --no-install-recommends \
 build-essential \
 wget \
@@ -19,6 +20,24 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 ldconfig && \
 cd / && \
 rm -rf /tmp/sqlite-autoconf-3500200 /tmp/sqlite-autoconf-3500200.tar.gz && \
+ # Build libxml2 from source to fix CVE-2025-49796
+ apt-get update && apt-get install -y --no-install-recommends \
+ git \
+ automake \
+ libtool \
+ autoconf \
+ pkg-config \
+ python3 \
+ zlib1g-dev && \
+ cd /tmp && \
+ git clone --depth 1 --branch v${LIBXML2_VERSION} https://github.com/GNOME/libxml2.git && \
+ cd libxml2 && \
+ ./autogen.sh --prefix=/usr/local && \
+ make -j$(nproc) && \
+ make install && \
+ ldconfig && \
+ cd / && \
+ rm -rf /tmp/libxml2 && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/*
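Review bot: The libxml2 build is spliced into the middle of the existing SQLite `RUN` chain, with a second `apt-get update` partway through, so one layer now installs build tools, builds two projects and cleans up; any change to the libxml2 version rebuilds SQLite as well, and a failure leaves no cached step to resume from. Give libxml2 its own `RUN` in the builder stage (the enclosing RUN starts above this hunk). Separately, the source is fetched by a floating tag with nothing pinning it to an immutable object, and the same gap remains when patch 5 hunk 3 and patch 7 hunk 2 switch to a `wget` of the release tarball: declare `ARG LIBXML2_SHA256=<sha256-of-release-tarball>` next to `LIBXML2_VERSION` and verify with `echo "${LIBXML2_SHA256}  libxml2-${LIBXML2_VERSION}.tar.xz" | sha256sum -c - && \` before `tar -xf`, so the build fails on a tampered or swapped download rather than compiling it in.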
@@ -175,10 +194,15 @@ RUN echo "conda ${CONDA_PKG_VERSION}" >> /miniconda3/conda-meta/pinned && \
 ldconfig && \
 rm -rf /tmp/mlio
-# Copy compiled SQLite from builder stage
-COPY --from=sqlite-builder /usr/local/bin/sqlite3 /usr/local/bin/sqlite3
-COPY --from=sqlite-builder /usr/local/lib/libsqlite3.* /usr/local/lib/
-COPY --from=sqlite-builder /usr/local/include/sqlite3*.h /usr/local/include/
+# Copy compiled SQLite and libxml2 from builder stage
+COPY --from=builder /usr/local/bin/sqlite3 /usr/local/bin/sqlite3
+COPY --from=builder /usr/local/lib/libsqlite3.* /usr/local/lib/
+COPY --from=builder /usr/local/include/sqlite3*.h /usr/local/include/
+
+# Copy compiled libxml2 from builder stage to fix CVE-2025-49796
+COPY --from=builder /usr/local/lib/libxml2* /usr/local/lib/
+COPY --from=builder /usr/local/include/libxml2 /usr/local/include/
+COPY --from=builder /usr/local/bin/xml* /usr/local/bin/
 # Update library cache and ensure /usr/local/bin is in PATH
 RUN ldconfig && \
@@ -193,11 +217,11 @@ RUN sqlite3 --version
 RUN apt list --installed
-# Ensure libxml2 and linux-libc-dev is updated to patch CVE-2025-49796
-RUN apt-get update && \
- apt-get -y install --only-upgrade libxml2 linux-libc-dev && \
- apt-get clean && \
- rm -rf /var/lib/apt/lists/*
+# Set up library config to ensure our custom-built libxml2 is used instead of system version
+RUN echo "/usr/local/lib" > /etc/ld.so.conf.d/libxml2.conf && \
+ # Verify the libxml2 version that will be used
+ ldconfig && \
+ xml2-config --version
 # Install latest version of XGBoost
 RUN python3 -m pip install --no-cache -I xgboost==${XGBOOST_VERSION}
From 1152277409a47e8309eeaed0e1eeb8a40944cab3 Mon Sep 17 00:00:00 2001
From: divya agarwal
Date: Tue, 2 Sep 2025 10:57:47 -0400
Subject: [PATCH 4/7] build error fix for libxml2
---
 docker/1.7-1/base/Dockerfile.cpu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/1.7-1/base/Dockerfile.cpu b/docker/1.7-1/base/Dockerfile.cpu
index 2fc325c0..a7fc0551 100644
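Review bot: Copying a self-built libxml2 into /usr/local leaves the distro libxml2 package, and its shared object under /usr/lib, installed and recorded in the dpkg database, so dpkg-based image scanners will keep reporting the base package's version for CVE-2025-49796 and the finding will not clear even if the loader now picks the new library. The `/etc/ld.so.conf.d` override in the next hunk only affects binaries that resolve `libxml2.so.2` dynamically; any copy statically bundled in a Python wheel (lxml wheels presumably ship their own) is untouched — confirm with the scanner output and `ldd` on the relevant extension modules. The glob `/usr/local/lib/libxml2*` also pulls in whatever static and libtool archives `make install` produced; copy only `libxml2.so*` and `xml2-config` by name (instead of `xml*`) so the runtime image carries just what it loads.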
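Review bot: `xml2-config --version` only prints; it does not fail the build when the loaded library is not the intended one, and nothing checks that the loader actually resolves `libxml2.so.2` to /usr/local/lib. Turn the smoke test into an assertion: redeclare `ARG LIBXML2_VERSION` in this stage (the top-of-file ARG is not visible here), then run `test "$(xml2-config --version)" = "${LIBXML2_VERSION}"` followed by `ldconfig -p | grep -q '/usr/local/lib/libxml2.so.2'`. On Ubuntu /usr/local/lib is presumably already listed via /etc/ld.so.conf.d/libc.conf, making the `echo` redundant; harmless, but worth saying in the comment if it is kept.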
--- a/docker/1.7-1/base/Dockerfile.cpu
+++ b/docker/1.7-1/base/Dockerfile.cpu
@@ -30,7 +30,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 python3 \
 zlib1g-dev && \
 cd /tmp && \
- git clone --depth 1 --branch v${LIBXML2_VERSION} https://github.com/GNOME/libxml2.git && \
+ git clone --depth 1 --branch ${LIBXML2_VERSION} https://gitlab.gnome.org/GNOME/libxml2.git && \
 cd libxml2 && \
 ./autogen.sh --prefix=/usr/local && \
 make -j$(nproc) && \
From 5d7ee4968b9cee47a06cdbde9477785198f19049 Mon Sep 17 00:00:00 2001
From: divya agarwal
Date: Tue, 2 Sep 2025 11:11:48 -0400
Subject: [PATCH 5/7] fix build error for libxml patch
---
 docker/1.7-1/base/Dockerfile.cpu | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/docker/1.7-1/base/Dockerfile.cpu b/docker/1.7-1/base/Dockerfile.cpu
index a7fc0551..1288d4bd 100644
--- a/docker/1.7-1/base/Dockerfile.cpu
+++ b/docker/1.7-1/base/Dockerfile.cpu
@@ -5,6 +5,7 @@ ARG LIBXML2_VERSION=2.12.7
 # Build stage for SQLite and libxml2 compilation
 FROM ubuntu:${UBUNTU_VERSION} as builder
+ARG LIBXML2_VERSION
 RUN apt-get update && apt-get install -y --no-install-recommends \
 build-essential \
 wget \
@@ -22,7 +23,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 rm -rf /tmp/sqlite-autoconf-3500200 /tmp/sqlite-autoconf-3500200.tar.gz && \
 # Build libxml2 from source to fix CVE-2025-49796
 apt-get update && apt-get install -y --no-install-recommends \
- git \
 automake \
 libtool \
 autoconf \
@@ -30,14 +30,16 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 python3 \
 zlib1g-dev && \
 cd /tmp && \
- git clone --depth 1 --branch ${LIBXML2_VERSION} https://gitlab.gnome.org/GNOME/libxml2.git && \
- cd libxml2 && \
+ # Use direct tarball download instead of git to avoid branch/tag issues
+ wget https://download.gnome.org/sources/libxml2/2.12/libxml2-${LIBXML2_VERSION}.tar.xz && \
+ tar -xf libxml2-${LIBXML2_VERSION}.tar.xz && \
+ cd libxml2-${LIBXML2_VERSION} && \
 ./autogen.sh --prefix=/usr/local && \
 make -j$(nproc) && \
 make install && \
 ldconfig && \
 cd / && \
- rm -rf /tmp/libxml2 && \
+ rm -rf /tmp/libxml2-${LIBXML2_VERSION} /tmp/libxml2-${LIBXML2_VERSION}.tar.xz && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/*
From 42c4653662f322f289aa5cf6ff7dfa455696c403 Mon Sep 17 00:00:00 2001
From: divya agarwal
Date: Tue, 2 Sep 2025 11:22:54 -0400
Subject: [PATCH 6/7] build error fix libxml2
---
 docker/1.7-1/base/Dockerfile.cpu | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker/1.7-1/base/Dockerfile.cpu b/docker/1.7-1/base/Dockerfile.cpu
index 1288d4bd..8ee354c1 100644
--- a/docker/1.7-1/base/Dockerfile.cpu
+++ b/docker/1.7-1/base/Dockerfile.cpu
@@ -27,14 +27,14 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 libtool \
 autoconf \
 pkg-config \
- python3 \
+ python3-dev \
 zlib1g-dev && \
 cd /tmp && \
 # Use direct tarball download instead of git to avoid branch/tag issues
 wget https://download.gnome.org/sources/libxml2/2.12/libxml2-${LIBXML2_VERSION}.tar.xz && \
 tar -xf libxml2-${LIBXML2_VERSION}.tar.xz && \
 cd libxml2-${LIBXML2_VERSION} && \
- ./autogen.sh --prefix=/usr/local && \
+ ./autogen.sh --prefix=/usr/local --without-python && \
 make -j$(nproc) && \
 make install && \
 ldconfig && \
From 948a5c571ddd440adae7e0c1ff62fa83fef93e36 Mon Sep 17 00:00:00 2001
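Review bot: `python3-dev` is added to the builder's package list in the same hunk that passes `--without-python` to the build, so the header package is installed only to have the binding it supports disabled; drop `python3-dev` (and presumably `python3`, which the `./configure` form adopted in patch 7 hunk 2 should not need) from the apt list. Nothing from the builder reaches the runtime image, so this is build hygiene rather than exposure, but it shortens the build and the builder's own dependency surface. The enclosing RUN starts and ends outside this hunk.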
From: divya agarwal
Date: Tue, 2 Sep 2025 11:36:43 -0400
Subject: [PATCH 7/7] build fix
---
 docker/1.7-1/base/Dockerfile.cpu | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/docker/1.7-1/base/Dockerfile.cpu b/docker/1.7-1/base/Dockerfile.cpu
index 8ee354c1..694b32e2 100644
--- a/docker/1.7-1/base/Dockerfile.cpu
+++ b/docker/1.7-1/base/Dockerfile.cpu
@@ -1,7 +1,7 @@
 ARG UBUNTU_VERSION=20.04
 ARG CUDA_VERSION=11.6.1
 ARG IMAGE_DIGEST=c2d95c9c6ff77da41cf0f2f9e8c5088f5b4db20c16a7566b808762f05b9032ef
-ARG LIBXML2_VERSION=2.12.7
+ARG LIBXML2_VERSION=2.9.14
 # Build stage for SQLite and libxml2 compilation
 FROM ubuntu:${UBUNTU_VERSION} as builder
@@ -31,10 +31,10 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 zlib1g-dev && \
 cd /tmp && \
 # Use direct tarball download instead of git to avoid branch/tag issues
- wget https://download.gnome.org/sources/libxml2/2.12/libxml2-${LIBXML2_VERSION}.tar.xz && \
+ wget https://download.gnome.org/sources/libxml2/2.9/libxml2-${LIBXML2_VERSION}.tar.xz && \
 tar -xf libxml2-${LIBXML2_VERSION}.tar.xz && \
 cd libxml2-${LIBXML2_VERSION} && \
- ./autogen.sh --prefix=/usr/local --without-python && \
+ ./configure --prefix=/usr/local --without-python && \
 make -j$(nproc) && \
 make install && \
 ldconfig && \
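Review bot: Downgrading `LIBXML2_VERSION` from 2.12.7 to 2.9.14 contradicts the stated purpose of the build (`# Build libxml2 from source to fix CVE-2025-49796`): if I recall the release history correctly both 2.12.7 (2024) and 2.9.14 (2022) predate a CVE published in 2025, so neither tarball can contain the upstream fix unless the project backported it to that branch, which I cannot confirm from here. Check the advisory for the first fixed release on each branch, pin that version, and say so in the comment, e.g. `# <version> is the first upstream release that fixes CVE-2025-49796 (see advisory)`. Otherwise the image ends up loading a hand-built libxml2 that dpkg-based scanners cannot see and that may still be vulnerable — a worse position than the packaged library, because the dpkg record no longer describes what is actually loaded.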
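Review bot: The download directory (`/sources/libxml2/2.9/`) is hardcoded separately from `LIBXML2_VERSION`, and this series already had to change both in lockstep (patch 5 hunk 3 used `2.12`); derive the branch from the version so a future bump cannot fetch a mismatched path: `wget https://download.gnome.org/sources/libxml2/${LIBXML2_VERSION%.*}/libxml2-${LIBXML2_VERSION}.tar.xz && \`. The `%.*` expansion is done by the RUN shell, which receives the stage's ARG as an environment variable, so no Dockerfile-level feature is needed. The enclosing RUN starts and ends outside this hunk.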