diff --git a/libplist-1.12+git20170119.6a44dfb.tar.xz b/libplist-1.12+git20170119.6a44dfb.tar.xz
new file mode 100644
index 0000000..30e32dd
--- /dev/null
+++ b/libplist-1.12+git20170119.6a44dfb.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ed5b36f601c724cd4a355f4f4ff20cdab1ab68428e7ca1a6fcee2665750a9322
+size 87740
diff --git a/libplist-1.12.tar.bz2 b/libplist-1.12.tar.bz2
deleted file mode 100644
index e9e5ced..0000000
--- a/libplist-1.12.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0effdedcb3de128c4930d8c03a3854c74c426c16728b8ab5f0a5b6bdc0b644be
-size 384321
diff --git a/libplist.changes b/libplist.changes
index 4d01b98..d2dfff7 100644
--- a/libplist.changes
+++ b/libplist.changes
@@ -1,3 +1,42 @@
+-------------------------------------------------------------------
+Wed Jan 25 15:39:22 UTC 2017 - i@marguerite.su
+
+- update version 1.12+git20170119.6a44dfb
+ * xplist: Fix limiited but possible XXE security vulnerability
+ with XML
+ * plistutil: use static buffer for stat()
+ * plistutil: Plug some memory leaks
+ * bplist: Fix possible crash in plist_from_bin() caused by access
+ to already freed memory
+ * bplist: Plug memory leaks caused by unused and unfreed buffer
+ * bplist: Refactor binary plist parsing in a recursive way
+ * xplist: Get rid of setlocale() and use custom function to print
+ floating point values
+ * Node.cpp: let plist_t operations free _node when in a container
+ * cython: Fix module build with libplist already installed
+ * bplist: Speed up plist_to_bin conversion for large plists
+ * Implemented plist_is_binary() and plist_from_memory()
+ * plist_data_compare: Make sure to compare the node sizes for integer
+ nodes
+ * xplist: Plug memory leak when converting PLIST_UID nodes to XML
+ * Change internal storage of PLIST_DATE values from struct timeval
+ to double
+ * Use time64 implementation by Michael G Schwern to extend allowed
+ date/time range
+ * remove libxml2 in favor of custom XML parsing
+ * base64: Rework base64decode to handle split encoded data correctly
+ * plistutil: Prevent OOB heap buffer read by checking input size
+ * plistutil: Use plist_is_binary() to check for binary plist data
+ * bplist: Improve UINT_TO_HOST macro, remove uint24_from_be function
+ * bplist: Check for invalid offset_size in bplist trailer
+ * bplist: Use proper struct for binary plist trailer
+ * bplist: Check for invalid ref_size in bplist trailer
+- fixed CVE-2017-5209, boo#1019531
+ * The base64decode function in base64.c allows attackers to
+ obtaiin sensitive info from process memory or cause a denial
+ of service (buffer over-read) via split encoded Apple Property
+ List data.
+ ------------------------------------------------------------------- Tue Oct 21 22:40:00 UTC 2014 - m.szulecki@libimobiledevice.org diff --git a/libplist.spec b/libplist.spec index d806baa..8821bb6 100644 --- a/libplist.spec +++ b/libplist.spec @@ -1,7 +1,7 @@ # # spec file for package libplist # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,17 +17,18 @@ Name: libplist -Version: 1.12 +Version: 1.12+git20170119.6a44dfb Release: 0 Summary: Library for handling Apple Binary and XML Property Lists License: GPL-2.0 and LGPL-2.1+ Group: System/Libraries -Url: http://cgit.sukimashita.com/libplist.git -Source: http://www.libimobiledevice.org/downloads/%{name}-%{version}.tar.bz2 -Source99: baselibs.conf +Url: https://cgit.libimobiledevice.org/libplist.git +#Source: http://www.libimobiledevice.org/downloads/%{name}-%{version}.tar.bz2 +Source: %{name}-%{version}.tar.xz +Source99: baselibs.conf BuildRequires: gcc-c++ -BuildRequires: libxml2-devel >= 2.7.8 -BuildRequires: pkg-config +BuildRequires: libtool +BuildRequires: pkgconfig BuildRequires: python-cython BuildRequires: python-devel BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -100,6 +101,7 @@ This package contains the python bindings. %prep %setup -q +NO_CONFIGURE=1 ./autogen.sh %build %configure --disable-static @@ -109,7 +111,7 @@ make %{?_smp_mflags} TZ=Europe/Vienna make check VERBOSE=1 %install -make DESTDIR=%{buildroot} install %{?_smp_mflags} +make %{?_smp_mflags} DESTDIR=%{buildroot} install find %{buildroot} -type f -name "*.la" -delete -print rm -rf %{buildroot}%{python_sitearch}/*.la 
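Review bot: The new `Source: %{name}-%{version}.tar.xz` line in the `@@ -17,17 +17,18 @@` hunk has no download location, and the only upstream reference left is the commented-out link to the old 1.12 release tarball. Nothing in the spec therefore lets a reviewer reproduce the git snapshot or check it against upstream. Because this snapshot is what delivers the CVE-2017-5209 fix, record its provenance next to the Source line, for example `# git snapshot of commit 6a44dfb from https://cgit.libimobiledevice.org/libplist.git`. Alternatively, produce the tarball through a source service so the commit is pinned by tooling rather than by the file name alone. Dropping the stale `#Source:` line would also avoid implying that the archive matches the upstream 1.12 release.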
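Review bot: `NO_CONFIGURE=1 ./autogen.sh` in `%prep` regenerates the build system at build time, but the only build dependency this commit adds for it is `BuildRequires: libtool`. autogen.sh is not shown here; if it invokes autoconf and automake, list them explicitly with `BuildRequires: autoconf` and `BuildRequires: automake` instead of relying on libtool to pull them in. A short comment above the call, such as `# git snapshot: generate configure before %configure`, would explain why the step exists, assuming the snapshot ships no generated configure script.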
@@ -123,11 +125,8 @@ rm -fr %{buildroot}%{?_sysroot} %endif %post -n libplist3 -p /sbin/ldconfig - %postun -n libplist3 -p /sbin/ldconfig - %post -n libplist++3 -p /sbin/ldconfig - %postun -n libplist++3 -p /sbin/ldconfig %files -n libplist3