diff --git a/expat-CVE-2009-2625.patch b/expat-CVE-2009-2625.patch new file mode 100644 index 0000000..f1de4ee --- /dev/null +++ b/expat-CVE-2009-2625.patch @@ -0,0 +1,13 @@ +http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15 + +--- lib/xmltok_impl.c ++++ lib/xmltok_impl.c +@@ -1744,7 +1744,7 @@ + const char *end, + POSITION *pos) + { +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + #define LEAD_CASE(n) \ + case BT_LEAD ## n: \ diff --git a/expat.changes b/expat.changes index 1591913..115a824 100644 --- a/expat.changes +++ b/expat.changes @@ -1,13 +1,18 @@ +------------------------------------------------------------------- +Thu Oct 29 14:22:47 CET 2009 - prusnak@suse.cz + +- fix DoS (CVE-2009-2625.patch) [bnc#550664] + ------------------------------------------------------------------- Sun Apr 5 15:45:49 CEST 2009 - crrodriguez@suse.de -- test suite requires gcc-c++ to compile +- test suite requires gcc-c++ to compile ------------------------------------------------------------------- Thu Feb 19 04:55:08 CET 2009 - crrodriguez@suse.de - remove static libraries, shouldnt be needed anymore. -- run make check +- run make check ------------------------------------------------------------------- Wed Dec 10 12:34:56 CET 2008 - olh@suse.de @@ -158,7 +163,7 @@ Wed Aug 15 19:54:16 CEST 2001 - rvasice@suse.cz ------------------------------------------------------------------- Mon May 14 12:08:01 CEST 2001 - pblaha@suse.cz -- fixed links for soname of libexpat.so* +- fixed links for soname of libexpat.so* ------------------------------------------------------------------- Fri May 11 09:03:03 CEST 2001 - cihlar@suse.cz @@ -174,7 +179,7 @@ Fri Jan 5 10:13:20 CET 2001 - pblaha@suse.cz Thu Jan 4 15:46:21 CET 2001 - pblaha@suse.cz - update on 1.95.1 on sourgeforge needed for midgard -- new description +- new description ------------------------------------------------------------------- Thu Mar 9 11:01:23 CET 2000 - ke@suse.de diff --git a/expat.spec b/expat.spec index 26ff2ef..edb9891 100644 --- a/expat.spec +++ b/expat.spec @@ -20,9 +20,9 @@ Name: expat Version: 2.0.1 -Release: 90 +Release: 91 Group: Development/Libraries/C and C++ -License: X11/MIT +License: MIT License (or similar) Url: http://expat.sourceforge.net/ # bug437293 %ifarch ppc64 @@ -32,6 +32,7 @@ Obsoletes: expat-64bit Summary: XML Parser Toolkit Source0: %{name}-%{version}.tar.bz2 Source1: %{name}faq.html +Patch0: %{name}-CVE-2009-2625.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: gcc-c++ @@ -65,7 +66,7 @@ Authors: James Clark %package -n libexpat1 -License: MOZILLA PUBLIC LICENSE (MPL/NPL) +License: MPL .. Summary: XML Parser Toolkit Group: Development/Libraries/C and C++ # bug437293 @@ -104,7 +105,7 @@ Authors: James Clark %package -n libexpat-devel -License: MOZILLA PUBLIC LICENSE (MPL/NPL) +License: MPL .. Summary: XML Parser Toolkit Group: Development/Libraries/C and C++ Requires: libexpat1 = %{version} glibc-devel @@ -140,6 +141,7 @@ Authors: %prep %setup -q +%patch0 cp %{S:1} . rm -f examples/*.dsp @@ -184,99 +186,3 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/libexpat.so %changelog -* Sun Apr 05 2009 crrodriguez@suse.de -- test suite requires gcc-c++ to compile -* Thu Feb 19 2009 crrodriguez@suse.de -- remove static libraries, shouldnt be needed anymore. -- run make check -* Wed Dec 10 2008 olh@suse.de -- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade - (bnc#437293) -* Thu Oct 30 2008 olh@suse.de -- obsolete old -XXbit packages (bnc#437293) -* Thu Apr 10 2008 ro@suse.de -- added baselibs.conf file to build xxbit packages - for multilib support -* Sat Jul 28 2007 coolo@suse.de -- fix devel symlink -* Wed Jul 25 2007 prusnak@suse.cz -- move libraries from /usr/lib to /lib [#285472] -- replace deprecated %%run_ldconfig with /sbin/ldconfig -* Thu Jun 07 2007 prusnak@suse.cz -- update to 2.0.1: - ( from Changes ) - * Fixed bugs #1515266, 1515600: The character data handler's calling - of XML_StopParser() was not handled properly; if the parser was - stopped and the handler set to NULL, the parser would segfault. - * Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed - some character constants to be ASCII encoded. - * Minor cleanups of the test harness. - * Fixed xmlwf bug #1513566: "out of memory" error on file size zero. - * Fixed outline.c bug #1543233: missing a final XML_ParserFree() call. - * Fixes and improvements for Windows platform: - bugs #1409451, #1476160, 1548182, 1602769, 1717322. - * Build fixes for various platforms: - HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180. - All Unix: #1554618 (refreshed config.sub/config.guess). - [#1490371], #1613457: support both, DESTDIR and INSTALL_ROOT, - without relying on GNU-Make specific features. - [#1647805]: Patched configure.in to work better with Intel compiler. - * Fixes to Makefile.in to have make check work correctly: - bugs #1408143, #1535603, #1536684. - * Added Open Watcom support: patch #1523242. -* Tue Apr 17 2007 prusnak@suse.cz -- split libexpat1 and libexpat-devel subpackages [#260214] -* Thu Oct 19 2006 dmueller@suse.de -- strip .la file -* Wed Jan 25 2006 mls@suse.de -- converted neededforbuild to BuildRequires -* Fri Jan 13 2006 ro@suse.de -- fixed file list for debuginfo package (do not pack all of libdir) -* Wed Jan 11 2006 mjancar@suse.cz -- update to 2.0.0 -* Mon Jan 09 2006 mjancar@suse.cz -- update to 2.0 pre release -* Wed Nov 10 2004 ro@suse.de -- fixed filelist -* Mon Aug 09 2004 tcrhak@suse.cz -- update to 1.95.8 -* Thu Feb 05 2004 kukuk@suse.de -- Build as user -* Thu Feb 05 2004 tcrhak@suse.cz -- update to version 1.95.7 -* Tue Feb 18 2003 tcrhak@suse.cz -- in expat.h, declare enum XML_Status before using it; - put into patch "...-header.diff" [bug #23742] -* Mon Feb 17 2003 tcrhak@suse.cz -- updated to version 1.95.6 -* Sun Dec 22 2002 tcrhak@suse.cz -- update to version 1.95.5 -* Sat Jul 13 2002 tcrhak@suse.cz -- update to version 1.95.4 -* Thu Mar 28 2002 tcrhak@suse.cz -- added parameter --target to configure -* Mon Jan 14 2002 rvasice@suse.cz -- use %%{_libdir} and %%{_lib} -* Tue Nov 20 2001 rvasice@suse.cz -- fix URL in spec file -* Wed Aug 15 2001 rvasice@suse.cz -- update to version 1.95.2 -- spec file cleanup -- added DESTDIR -* Mon May 14 2001 pblaha@suse.cz -- fixed links for soname of libexpat.so* -* Fri May 11 2001 cihlar@suse.cz -- fixed soname of libexpat.so.1.2 -* Fri Jan 05 2001 pblaha@suse.cz -- back on stable version 1.2 added build shared libexpat.so -* Thu Jan 04 2001 pblaha@suse.cz -- update on 1.95.1 on sourgeforge needed for midgard -- new description -* Thu Mar 09 2000 ke@suse.de -- Don't "install" symlinks; use "cp"; reported by bs; proposed fix - by ro. -- Cleanup the spec file: better Group tag; more accurate files list. -* Tue Nov 23 1999 ke@suse.de -- first SuSE package: version 1.1. -- apply Debian patch to build shared libs. -- build libexpat.a.