diff --git a/fix-CVE-2024-50602.patch b/fix-CVE-2024-50602.patch
new file mode 100644
index 0000000..f8067a7
--- /dev/null
+++ b/fix-CVE-2024-50602.patch
@@ -0,0 +1,145 @@
+diff --git a/VTK/ThirdParty/expat/CMakeLists.txt b/VTK/ThirdParty/expat/CMakeLists.txt
+index eac9269138..7cb69efe25 100644
+--- a/VTK/ThirdParty/expat/CMakeLists.txt
++++ b/VTK/ThirdParty/expat/CMakeLists.txt
+@@ -8,9 +8,9 @@ vtk_module_third_party(
+ "Copyright (c) 1998-2000 Thai Open Source Software Center Ltd and Clark Cooper"
+ "Copyright (c) 2001-2019 Expat maintainers"
+ SPDX_DOWNLOAD_LOCATION
+- "git+https://gitlab.kitware.com/third-party/expat.git@for/vtk-20220921-2.4.8"
++ "git+https://gitlab.kitware.com/third-party/expat.git@for/vtk-20241030-2.4.8"
+ VERSION
+- "2.4.1"
++ "2.4.8" # CVE-2024-50602 fix manually added.
+ STANDARD_INCLUDE_DIRS
+ EXTERNAL
+ PACKAGE EXPAT
+diff --git a/VTK/ThirdParty/expat/Testing/CMakeLists.txt b/VTK/ThirdParty/expat/Testing/CMakeLists.txt
+new file mode 100644
+index 0000000000..35f9732a93
+--- /dev/null
++++ b/VTK/ThirdParty/expat/Testing/CMakeLists.txt
+@@ -0,0 +1 @@
++add_subdirectory(Cxx)
+diff --git a/VTK/ThirdParty/expat/Testing/Cxx/CMakeLists.txt b/VTK/ThirdParty/expat/Testing/Cxx/CMakeLists.txt
+new file mode 100644
+index 0000000000..7f0b6aba12
+--- /dev/null
++++ b/VTK/ThirdParty/expat/Testing/Cxx/CMakeLists.txt
+@@ -0,0 +1,4 @@
++vtk_add_test_cxx(vtkexpatCxxTests tests
++ NO_DATA NO_VALID NO_OUTPUT
++ TestIncludeExpat.cxx)
++vtk_test_cxx_executable(vtkexpatCxxTests tests)
+diff --git a/VTK/ThirdParty/expat/Testing/Cxx/TestIncludeExpat.cxx b/VTK/ThirdParty/expat/Testing/Cxx/TestIncludeExpat.cxx
+new file mode 100644
+index 0000000000..33ac2b65d2
+--- /dev/null
++++ b/VTK/ThirdParty/expat/Testing/Cxx/TestIncludeExpat.cxx
+@@ -0,0 +1,8 @@
++#include "vtk_expat.h"
++
++#include
++
++int TestIncludeExpat(int /*argc*/, char* /*argv*/[])
++{
++ return EXIT_SUCCESS;
++}
+diff --git a/VTK/ThirdParty/expat/update.sh b/VTK/ThirdParty/expat/update.sh
+index 1b4740f2cc..3781700497 100755
+--- a/VTK/ThirdParty/expat/update.sh
++++ b/VTK/ThirdParty/expat/update.sh
+@@ -8,7 +8,7 @@ readonly name="expat"
readonly ownership="Expat Upstream "
+ readonly subtree="ThirdParty/$name/vtk$name"
+ readonly repo="https://gitlab.kitware.com/third-party/expat.git"
+-readonly tag="for/vtk-20231023-2.4.8"
++readonly tag="for/vtk-20241030-2.4.8"
+ readonly paths="
+ expat/.gitattributes
+ expat/CMakeLists.txt
+diff --git a/VTK/ThirdParty/expat/vtk.module b/VTK/ThirdParty/expat/vtk.module
+index bbc9a339b8..95ec414d25 100644
+--- a/VTK/ThirdParty/expat/vtk.module
++++ b/VTK/ThirdParty/expat/vtk.module
+@@ -2,4 +2,6 @@ NAME
+ VTK::expat
+ LIBRARY_NAME
+ vtkexpat
++TEST_DEPENDS
++ VTK::TestingCore
+ THIRD_PARTY
+diff --git a/VTK/ThirdParty/expat/vtkexpat/CMakeLists.txt b/VTK/ThirdParty/expat/vtkexpat/CMakeLists.txt
+index 1910141339..a213b32ec7 100644
+--- a/VTK/ThirdParty/expat/vtkexpat/CMakeLists.txt
++++ b/VTK/ThirdParty/expat/vtkexpat/CMakeLists.txt
+@@ -459,9 +459,10 @@ set(expat_headers
+ lib/vtk_expat_mangle.h)
+
+ vtk_module_add_module(VTK::expat
++ HEADER_DIRECTORIES
+ SOURCES ${_EXPAT_C_SOURCES}
+ HEADERS ${expat_headers}
+- HEADERS_SUBDIR "vtkexpat/lib")
++ HEADERS_SUBDIR "vtkexpat")
+ endif ()
+
+ if (FALSE) # XXX(kitware): VTK handles installation
+diff --git a/VTK/ThirdParty/expat/vtkexpat/lib/expat.h b/VTK/ThirdParty/expat/vtkexpat/lib/expat.h
+index c076f3d535..1475d1e783 100644
+--- a/VTK/ThirdParty/expat/vtkexpat/lib/expat.h
++++ b/VTK/ThirdParty/expat/vtkexpat/lib/expat.h
+@@ -129,7 +129,9 @@ enum XML_Error {
+ /* Added in 2.3.0. */
+ XML_ERROR_NO_BUFFER,
+ /* Added in 2.4.0. */
+- XML_ERROR_AMPLIFICATION_LIMIT_BREACH
++ XML_ERROR_AMPLIFICATION_LIMIT_BREACH,
++ /* Added in 2.6.4.
*/
++ XML_ERROR_NOT_STARTED,
+ };
+
+ enum XML_Content_Type {
+diff --git a/VTK/ThirdParty/expat/vtkexpat/lib/xmlparse.c b/VTK/ThirdParty/expat/vtkexpat/lib/xmlparse.c
+index e986156ecb..a770978e13 100644
+--- a/VTK/ThirdParty/expat/vtkexpat/lib/xmlparse.c
++++ b/VTK/ThirdParty/expat/vtkexpat/lib/xmlparse.c
+@@ -2162,6 +2162,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+ if (parser == NULL)
+ return XML_STATUS_ERROR;
+ switch (parser->m_parsingStatus.parsing) {
++ case XML_INITIALIZED:
++ parser->m_errorCode = XML_ERROR_NOT_STARTED;
++ return XML_STATUS_ERROR;
+ case XML_SUSPENDED:
+ if (resumable) {
+ parser->m_errorCode = XML_ERROR_SUSPENDED;
+@@ -2172,7 +2175,7 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+ case XML_FINISHED:
+ parser->m_errorCode = XML_ERROR_FINISHED;
+ return XML_STATUS_ERROR;
+- default:
++ case XML_PARSING:
+ if (resumable) {
+ #ifdef XML_DTD
+ if (parser->m_isParamEntity) {
+@@ -2183,6 +2186,9 @@ XML_StopParser(XML_Parser parser, XML_Bool resumable) {
+ parser->m_parsingStatus.parsing = XML_SUSPENDED;
+ } else
+ parser->m_parsingStatus.parsing = XML_FINISHED;
++ break;
++ default:
++ assert(0);
+ }
+ return XML_STATUS_OK;
+ }
+@@ -2447,6 +2453,9 @@ XML_ErrorString(enum XML_Error code) {
+ case XML_ERROR_AMPLIFICATION_LIMIT_BREACH:
+ return XML_L(
+ "limit on input amplification factor (from DTD and entities) breached");
++ /* Added in 2.6.4. */
++ case XML_ERROR_NOT_STARTED:
++ return XML_L("parser not started");
+ }
+ return NULL;
+ }
diff --git a/paraview.changes b/paraview.changes
index 1d94e82..01f6aeb 100644
--- a/paraview.changes
+++ b/paraview.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Dec 20 00:00:00 UTC 2024 - Vicente Adolfo Bolea Sanchez
+
+- Added patch fix-CVE-2024-50602.patch which fixes CVE-2024-50602.
+
 -------------------------------------------------------------------
 Tue May 28 00:00:00 UTC 2024 - Vicente Adolfo Bolea Sanchez
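Review bot: The `VERSION "2.4.8" # CVE-2024-50602 fix manually added.` line in VTK/ThirdParty/expat/CMakeLists.txt advertises the vendored expat as a plain 2.4.8 while the actual change is a single cherry-pick of the 2.6.4 XML_StopParser/XML_ERROR_NOT_STARTED fix, so anything that keys on that version string (SBOM, vulnerability scanners) cannot tell this tree from an unpatched 2.4.8; the comment should name what was backported, e.g. `"2.4.8" # 2.4.8 plus the upstream expat 2.6.4 XML_StopParser fix for CVE-2024-50602`. The module is declared `EXTERNAL PACKAGE EXPAT`, so if the package build resolves expat to the system library this patch changes nothing in the shipped binary and the fix has to come from the system expat instead — worth confirming which path the build takes. As rendered here the `#include` in TestIncludeExpat.cxx has no header name and `ownership=` in update.sh has no address, both presumably angle-bracket text lost in extraction; check that the real patch file still carries `<cstdlib>` (needed for `EXIT_SUCCESS`) and the e-mail. In the xmlparse.c hunks the new `default: assert(0);` compiles to nothing under NDEBUG and falls through to `return XML_STATUS_OK;`, which matches upstream, so no change is needed there.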
diff --git a/paraview.spec b/paraview.spec
index d1d5029..e3a4023 100644
--- a/paraview.spec
+++ b/paraview.spec
@@ -56,6 +56,8 @@ Source1: %{name}-rpmlintrc
 Source2: https://www.paraview.org/files/v%{short_ver}/ParaViewGettingStarted-%{major_ver}.%{minor_ver}.0.pdf
 # PATCH-FIX-UPSTREAM paraview-desktop-entry-fix.patch badshah400@gmail.com -- Fix desktop menu entry by inserting proper required categories
 Patch0: paraview-desktop-entry-fix.patch
+# PATCH-FIX-UPSTREAM https://gitlab.kitware.com/vtk/vtk/-/merge_requests/11609 --- Fixes CVE-2024-50602
+Patch1: fix-CVE-2024-50602.patch
 # PATCH-FIX-OPENSUSE fix-libharu-missing-m.patch -- missing libraries for linking (gh#libharu/libharu#213)
 Patch2: fix-libharu-missing-m.patch
 # We need to change the default soname for vtk modules.
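Review bot: The new annotation `# PATCH-FIX-UPSTREAM https://gitlab.kitware.com/vtk/vtk/-/merge_requests/11609 --- Fixes CVE-2024-50602` does not follow the form the neighbouring Patch0 and Patch2 lines use (`<patch file> <contact> -- <description>`), which is the convention the distribution's patch-tagging tools expect; write it as `# PATCH-FIX-UPSTREAM fix-CVE-2024-50602.patch -- Fixes CVE-2024-50602 (backport of gitlab.kitware.com/vtk/vtk MR 11609)`. Only the `Patch1:` declaration is in this hunk; the `%prep` section that applies it is outside view, so confirm it is actually applied (`%autosetup -p1` or an explicit `%patch1 -p1`) — the patch's paths are `a/VTK/ThirdParty/...`, so it needs `-p1` relative to the ParaView source root. Since the patch only touches the bundled expat, also confirm the build does not use the external/system expat module, in which case this patch would not affect the packaged binary at all.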