From baf6de60c2c8ae0dacfa25b96c86fa971edccba020fffc1fed729583b2b373b9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Mon, 28 Jan 2019 07:51:27 +0000 Subject: [PATCH] Accepting request 668947 from home:mgorse:branches:devel:libraries:c_c++ - Version update to 2.9.9: * Security: + CVE-2018-9251 CVE-2018-14567 Fix infinite loop in LZMA decompression (boo#1088279 boo#1105166). + CVE-2018-14404 Fix nullptr deref with XPath logic ops (boo#1102046). * Bug fixes: + Fix building relative URIs + Problem with data in interleave in RelaxNG validation + Fix memory leak in xmlSwitchInputEncodingInt error path + Set doc on element obtained from freeElems + Fix HTML serialization with UTF-8 encoding + Use actual doc in xmlTextReaderRead*Xml + Unlink node before freeing it in xmlSAX2StartElement + Check return value of nodePush in xmlSAX2StartElement + Free input buffer in xmlHaltParser + Reset HTML parser input pointers on encoding failure + Fix xmlSchemaValidCtxtPtr reuse memory leak + Fix xmlTextReaderNext with preparsed document + HTML noscript should not close p + Don't change context node in xmlXPathRoot * Improvements: + Remove redefined starts and defines inside include elements + Allow choice within choice in nameClass in RELAX NG + Look inside divs for starts and defines inside include + Add newlines to 'xmllint --xpath' output + Don't include SAX.h from globals.h + Support xmlTextReaderNextSibling w/o preparsed doc + Improve restoring of context size and position + Simplify and harden nodeset filtering OBS-URL: https://build.opensuse.org/request/show/668947 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/libxml2?expand=0&rev=132 --- libxml2-2.9.8.tar.gz | 3 -- libxml2-2.9.8.tar.gz.asc | 10 ------- libxml2-2.9.9.tar.gz | 3 ++ libxml2-2.9.9.tar.gz.asc | 10 +++++++ libxml2-python3-string-null-check.patch | 15 ++++++---- libxml2.changes | 36 +++++++++++++++++++++++ libxml2.spec | 6 ++-- python-libxml2-python.changes | 38 +++++++++++++++++++++++++ python-libxml2-python.spec | 9 ++++-- 9 files changed, 105 
insertions(+), 25 deletions(-) delete mode 100644 libxml2-2.9.8.tar.gz delete mode 100644 libxml2-2.9.8.tar.gz.asc create mode 100644 libxml2-2.9.9.tar.gz create mode 100644 libxml2-2.9.9.tar.gz.asc diff --git a/libxml2-2.9.8.tar.gz b/libxml2-2.9.8.tar.gz deleted file mode 100644 index b6bc8d0..0000000 --- a/libxml2-2.9.8.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0b74e51595654f958148759cfef0993114ddccccbb6f31aee018f3558e8e2732 -size 5469097 diff --git a/libxml2-2.9.8.tar.gz.asc b/libxml2-2.9.8.tar.gz.asc deleted file mode 100644 index f0eb4b8..0000000 --- a/libxml2-2.9.8.tar.gz.asc +++ /dev/null @@ -1,10 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEcBAABAgAGBQJanWtRAAoJEBVYiyZZa+pdV7oIAJWdFahwt+reN/Zt2RPmjjcr -eSsY7UV1RXjScnNjTzJT1h2hJ7SnUjCkqjR6VdtKDUIzpuX+S2U83joafJH6mxUb -yw2nO4RfjYTPxpz5JkvqT7jmgEIaD81BuwcMehqpMpIfiKa2NgO1DSfZxgs8a9E2 -+ehc/kZWuI5gmNGrd84EEWUqpYW/Xx7jy02osioJuU5IMPjzZKNR3maXp9oAKeBc -S2QNa1ID/pUk3K3M/5nlwNgAtQ7lxQrqhrSma2dsKt/IpL6VXomxuD4Bh1r2MZhX -uZ456X/xJN8UmPewLZWGBU1MK9wqu3Zx5Qwz64H6UdlYIzXZ2jXj2YWZa6xkxPA= -=69xn ------END PGP SIGNATURE----- diff --git a/libxml2-2.9.9.tar.gz b/libxml2-2.9.9.tar.gz new file mode 100644 index 0000000..1dc91fe --- /dev/null +++ b/libxml2-2.9.9.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:94fb70890143e3c6549f265cee93ec064c80a84c42ad0f23e85ee1fd6540a871 +size 5476717 diff --git a/libxml2-2.9.9.tar.gz.asc b/libxml2-2.9.9.tar.gz.asc new file mode 100644 index 0000000..bc12d0f --- /dev/null +++ b/libxml2-2.9.9.tar.gz.asc 
@@ -0,0 +1,10 @@ +-----BEGIN PGP SIGNATURE----- + +iQEbBAABAgAGBQJcLlEXAAoJEBVYiyZZa+pd1B8H93xeCYNBLx+eX0xe3qS3ReS/ +YstjkXKUkmDQYwqQ/9Knmv1P6NX64hQL5E1pZX5sXp36giwXXJ5tCK72VRzektzU +Kpo+M1/QA9feZQs1GmyKaXYzNwTSJnsdKA9nWqTHZ3bzfdhFSZ0czo94vgY/cz5z +9P3FIgeldj1vi8p2rjXbArMFQyaxHnve9LdxI8hbudNSeUw/FEV6mjtXrlZ7MXqn +hmAkah2JwktOStF5tIlddCRqZeUPUX5flBxT95gfskXXlGEhaoGMXcC3izqqJyV2 +sx5nY7fnXdkwfYsgRUXYWmDmbs8DnFjXH9lux9O4OWglLonaRoAqFPcOzE3aCw== +=4qWg +-----END PGP SIGNATURE----- diff --git a/libxml2-python3-string-null-check.patch b/libxml2-python3-string-null-check.patch index 621e92b..81eac4b 100644 --- a/libxml2-python3-string-null-check.patch +++ b/libxml2-python3-string-null-check.patch @@ -8,14 +8,14 @@ encoded. We should check for this and return None, rather than returning NULL. Fixes a NULL pointer dereference when reporting an error with an invalid string. --- - python/types.c | 4 ++++ + python/types.c | 4 ++++ 1 file changed, 4 insertions(+) -Index: libxml2-2.10.3/python/types.c -=================================================================== ---- libxml2-2.10.3.orig/python/types.c -+++ libxml2-2.10.3/python/types.c -@@ -274,6 +274,10 @@ libxml_charPtrConstWrap(const char *str) +diff --git a/python/types.c b/python/types.c +index 124af565..50951ba3 100644 +--- a/python/types.c ++++ b/python/types.c +@@ -150,6 +150,10 @@ libxml_charPtrConstWrap(const char *str) return (Py_None); } ret = PY_IMPORT_STRING(str); @@ -26,3 +26,6 @@ Index: libxml2-2.10.3/python/types.c return (ret); } +-- +2.18.0 + diff --git a/libxml2.changes b/libxml2.changes index 8f51274..54c04b5 100644 --- a/libxml2.changes +++ b/libxml2.changes 
@@ -1,3 +1,39 @@ +------------------------------------------------------------------- +Sat Jan 26 00:24:23 UTC 2019 - mgorse@suse.com + +- Version update to 2.9.9: + * Security: + + CVE-2018-9251 CVE-2018-14567 Fix infinite loop in LZMA + decompression (boo#1088279 boo#1105166). + + CVE-2018-14404 Fix nullptr deref with XPath logic ops + (boo#1102046). + * Bug fixes: + + Fix building relative URIs + + Problem with data in interleave in RelaxNG validation + + Fix memory leak in xmlSwitchInputEncodingInt error path + + Set doc on element obtained from freeElems + + Fix HTML serialization with UTF-8 encoding + + Use actual doc in xmlTextReaderRead*Xml + + Unlink node before freeing it in xmlSAX2StartElement + + Check return value of nodePush in xmlSAX2StartElement + + Free input buffer in xmlHaltParser + + Reset HTML parser input pointers on encoding failure + + Fix xmlSchemaValidCtxtPtr reuse memory leak + + Fix xmlTextReaderNext with preparsed document + + HTML noscript should not close p + + Don't change context node in xmlXPathRoot + * Improvements: + + Remove redefined starts and defines inside include elements + + Allow choice within choice in nameClass in RELAX NG + + Look inside divs for starts and defines inside include + + Add newlines to 'xmllint --xpath' output + + Don't include SAX.h from globals.h + + Support xmlTextReaderNextSibling w/o preparsed doc + + Improve restoring of context size and position + + Simplify and harden nodeset filtering + + Avoid unnecessary backups of the context node + + Fix inconsistency in xmlXPathIsInf + ------------------------------------------------------------------- Tue Mar 20 13:15:36 CET 2018 - kukuk@suse.de diff --git a/libxml2.spec b/libxml2.spec index 2491355..798ccd3 100644 --- a/libxml2.spec +++ b/libxml2.spec 
@@ -1,7 +1,7 @@ # # spec file for package libxml2 # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,13 +12,13 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # %define lname libxml2-2 Name: libxml2 -Version: 2.9.8 +Version: 2.9.9 Release: 0 Summary: A Library to Manipulate XML Files License: MIT diff --git a/python-libxml2-python.changes b/python-libxml2-python.changes index 7f826d7..0c494c4 100644 --- a/python-libxml2-python.changes +++ b/python-libxml2-python.changes 
@@ -1,3 +1,41 @@ +------------------------------------------------------------------- +Sat Jan 26 00:25:51 UTC 2019 - mgorse@suse.com + +- Version update to 2.9.9: + * Security: + + CVE-2018-9251 CVE-2018-14567 Fix infinite loop in LZMA + decompression. + + CVE-2018-14404 Fix nullptr deref with XPath logic ops. + * Bug fixes: + + Fix building relative URIs + + Problem with data in interleave in RelaxNG validation + + Fix memory leak in xmlSwitchInputEncodingInt error path + + Set doc on element obtained from freeElems + + Fix HTML serialization with UTF-8 encoding + + Use actual doc in xmlTextReaderRead*Xml + + Unlink node before freeing it in xmlSAX2StartElement + + Check return value of nodePush in xmlSAX2StartElement + + Free input buffer in xmlHaltParser + + Reset HTML parser input pointers on encoding failure + + Fix xmlSchemaValidCtxtPtr reuse memory leak + + Fix xmlTextReaderNext with preparsed document + + HTML noscript should not close p + + Don't change context node in xmlXPathRoot + * Improvements: + + Remove redefined starts and defines inside include elements + + Allow choice within choice in nameClass in RELAX NG + + Look inside divs for starts and defines inside include + + Add newlines to 'xmllint --xpath' output + + Don't include SAX.h from globals.h + + Support xmlTextReaderNextSibling w/o preparsed doc + + Improve restoring of context size and position + + Simplify and harden nodeset filtering + + Avoid unnecessary backups of the context node + + Fix inconsistency in xmlXPathIsInf +- Add libxml2-python3-string-null-check.patch: fix NULL pointer + dereference when parsing invalid data (bsc#1065270 + glgo#libxml2!15).). + ------------------------------------------------------------------- Wed Mar 14 13:12:34 UTC 2018 - tchvatal@suse.com diff --git a/python-libxml2-python.spec b/python-libxml2-python.spec index 2aa67e1..24a5ab9 100644 --- a/python-libxml2-python.spec +++ b/python-libxml2-python.spec 
@@ -1,7 +1,7 @@ # # spec file for package python-libxml2-python # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,14 +12,14 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # %{?!python_module:%define python_module() python-%{**} python3-%{**}} %define oldpython python Name: python-libxml2-python -Version: 2.9.8 +Version: 2.9.9 Release: 0 Summary: Python Bindings for libxml2 License: MIT @@ -27,6 +27,8 @@ Group: Development/Libraries/Python Url: http://xmlsoft.org Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz Patch1: libxml2-python3-unicode-errors.patch +# PATCH-FIX-UPSTREAM libxml2-python3-string-null-check.patch bsc#1065270 mgorse@suse.com -- don't return a NULL string for an invalid UTF-8 conversion. +Patch2: libxml2-python3-string-null-check.patch BuildRequires: %{python_module devel} BuildRequires: %{python_module xml} BuildRequires: pkgconfig @@ -54,6 +56,7 @@ either at parse time or later once the document has been modified. %prep %setup -q -n libxml2-%{version} %patch1 -p1 +%patch2 -p1 %build export CFLAGS="%{optflags} -fno-strict-aliasing"
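Review bot: In the `@@ -27,6 +27,8 @@` hunk the context shows `Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz` followed directly by `Patch1:`, so this spec pulls the tarball over plain FTP and lists no detached signature next to it. The same commit adds `libxml2-2.9.9.tar.gz.asc`, yet nothing visible here ties this package's build to that signature. Since the hunk already touches the source list, it could add `Source1: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz.asc` and `Source2: <KEYRING-FILE-PLACEHOLDER>` so the signature is checked when the sources are validated. The rest of the preamble lies outside the hunk, so confirm no such lines already exist further down. `Url: http://xmlsoft.org` could also move to https where upstream serves it, in line with the bug-tracker link changed in the second hunk.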