GNOME Bugzilla – Bug 704904
Incorrect and unsafe use of weak references to pthread functions
Last modified: 2021-07-05 13:20:42 UTC
libxml2's threads.c redeclares the pthread functions with __attribute((weak)), on compilers that support it, presumably in order to avoid pulling in a dependency on libpthread.so if the application using libxml2 does not use threads. This usage of weak references is valid for shared libraries, assuming all of the pthread functions lie in a single shared library file, but it is incorrect and dangerous for use with static linking. Suppose a program (to be static linked) uses threads but never calls pthread_equal. There will be no non-weak reference to pthread_equal, so it won't be linked in, and thus xmlInitThreads will wrongly consider the program non-threaded based on the condition (pthread_equal != NULL) failing. Unfortunately I don't believe there's any correct way to "weak reference" pthreads like this when static linking. The best suggestion I can make is to disable the weak reference trick when building object files for the static library and only use it for the shared library. However at that point it might be preferable just to disable it entirely.
static linking of libxml2 ought to die, we can't push security updates for those. Daniel
You cant push updates to embedded firmware anyway. All the world is not a gnome.
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org. As part of that, we are mass-closing older open tickets in bugzilla.gnome.org which have not seen updates for a longer time (resources are unfortunately quite limited so not every ticket can get handled). If you can still reproduce the situation described in this ticket in a recent and supported software version, then please follow https://wiki.gnome.org/GettingInTouch/BugReportingGuidelines and create a new ticket at https://gitlab.gnome.org/GNOME/libxml2/-/issues/ Thank you for your understanding and your help.