forked from pool/expat

Accepting request 947286 from home:dirkmueller:Factory

- update to 2.4.3 (bsc#1194251, bsc#1194362, bsc#1194474, 
     bsc#1194476, bsc#1194477, bsc#1194478, bsc#1194479, bsc#1194480):
  * CVE-2021-45960 -- Fix issues with left shifts by >=29 places
    resulting in
       a) realloc acting as free
       b) realloc allocating too few bytes
       c) undefined behavior
    depending on architecture and precise value
    for XML documents with >=2^27+1 prefixed attributes
    on a single XML tag a la
    "<r xmlns:a='[..]' a:a123='[..]' [..] />"
    where XML_ParserCreateNS is used to create the parser
    (which needs argument "-n" when running xmlwf).
    Impact is denial of service, or more.
  * CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
    on variable m_groupSize in function doProlog leading
    to realloc acting as free.
    Impact is denial of service or more.
  * CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
    near memory allocation at multiple places.  Mitre assigned
    a dedicated CVE for each involved internal C function:
    - CVE-2022-22822 for function addBinding
    - CVE-2022-22823 for function build_model
    - CVE-2022-22824 for function defineAttribute
    - CVE-2022-22825 for function lookup
    - CVE-2022-22826 for function nextScaffoldPart
    - CVE-2022-22827 for function storeAtts
    Impact is denial of service or more.

OBS-URL: https://build.opensuse.org/request/show/947286
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/expat?expand=0&rev=91
This commit is contained in:
David Anes 2022-01-18 22:15:40 +00:00 committed by Git OBS Bridge
parent 9cc5eeea21
commit 643bc0949b
6 changed files with 54 additions and 22 deletions
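
The changelog above describes size computations that shift and multiply before calling realloc. The C below is an added illustration of that bug class and of a guarded computation; it is not Expat's code and not part of this commit, and the function names and the 8-, 12- and 16-byte entry sizes are assumptions made for the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Models the unguarded "(1 << power) * entry_size" as a 32-bit size_t would
 * see it. Computed in 64 bits and truncated so the model itself has no UB. */
uint32_t unchecked_bytes32(unsigned power, uint32_t entry_size) {
    if (power >= 32)
        return 0; /* a real 32-bit shift by this much is undefined */
    return (uint32_t)(((uint64_t)1 << power) * entry_size);
}

/* Guarded version: returns 0 and stores the byte count, or -1 when the shift
 * or the multiplication cannot be represented in size_t. */
int checked_table_bytes(unsigned power, size_t entry_size, size_t *out) {
    if (entry_size == 0 || power >= sizeof(size_t) * CHAR_BIT)
        return -1;
    size_t count = (size_t)1 << power;
    if (count > SIZE_MAX / entry_size)
        return -1;
    *out = count * entry_size;
    return 0;
}

/* Grows a table to 2^power entries. On NULL the old block is untouched,
 * so the caller never ends up holding a pointer that realloc released. */
void *grow_table(void *old, unsigned power, size_t entry_size) {
    size_t bytes;
    if (checked_table_bytes(power, entry_size, &bytes) != 0)
        return NULL;
    return realloc(old, bytes);
}

int main(void) {
    /* Constructed entry sizes (8 and 12 bytes), chosen for illustration. */
    printf("2^29 * 8  on 32-bit: %u bytes (realloc(p, 0))\n",
           (unsigned)unchecked_bytes32(29, 8));
    printf("2^29 * 12 on 32-bit: %u bytes (too few)\n",
           (unsigned)unchecked_bytes32(29, 12));
    void *t = grow_table(NULL, 4, 16);
    void *bad = grow_table(t, (unsigned)(sizeof(size_t) * CHAR_BIT - 1), 16);
    printf("oversized request %s\n", bad == NULL ? "rejected" : "accepted");
    free(t);
    return 0;
}
```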


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:bc2ff58f49c29aac7bff705a6c167a821f26c512079ff08ac432fd0fdc9bb199
size 449664


@ -1,16 +0,0 @@

expat-2.4.3.tar.xz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b1f9f1b1a5ebb0acaa88c9ff79bfa4e145823b78aa5185e5c5d85f060824778a
size 451012
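
Review bot: the `oid sha256:` line of the new expat-2.4.3.tar.xz pointer is the only integrity record for the source in this diff, and nothing here shows that it was compared with upstream's published checksum. Please confirm the hash and the 451012-byte size against the upstream 2.4.3 release, and that expat-2.4.3.tar.xz.asc verifies for this exact file.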

expat-2.4.3.tar.xz.asc Normal file

@ -0,0 +1,16 @@


@ -1,3 +1,35 @@
-------------------------------------------------------------------
Mon Jan 17 09:14:10 UTC 2022 - Dirk Müller <dmueller@suse.com>
- update to 2.4.3 (bsc#1194251, bsc#1194362, bsc#1194474,
bsc#1194476, bsc#1194477, bsc#1194478, bsc#1194479, bsc#1194480):
* CVE-2021-45960 -- Fix issues with left shifts by >=29 places
resulting in
a) realloc acting as free
b) realloc allocating too few bytes
c) undefined behavior
depending on architecture and precise value
for XML documents with >=2^27+1 prefixed attributes
on a single XML tag a la
"<r xmlns:a='[..]' a:a123='[..]' [..] />"
where XML_ParserCreateNS is used to create the parser
(which needs argument "-n" when running xmlwf).
Impact is denial of service, or more.
* CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
on variable m_groupSize in function doProlog leading
to realloc acting as free.
Impact is denial of service or more.
* CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
near memory allocation at multiple places. Mitre assigned
a dedicated CVE for each involved internal C function:
- CVE-2022-22822 for function addBinding
- CVE-2022-22823 for function build_model
- CVE-2022-22824 for function defineAttribute
- CVE-2022-22825 for function lookup
- CVE-2022-22826 for function nextScaffoldPart
- CVE-2022-22827 for function storeAtts
Impact is denial of service or more.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Dec 27 16:02:14 UTC 2021 - Dirk Müller <dmueller@suse.com> Mon Dec 27 16:02:14 UTC 2021 - Dirk Müller <dmueller@suse.com>
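
Review bot: the header line of the new entry lists eight bsc# references as one group while the eight CVEs are spread over the bullets below, so a reader cannot tell which bug tracks which CVE. Suggest placing each bsc# next to the CVE it belongs to, for example at the end of the corresponding bullet or sub-item, so the changelog can be matched against the tracker item by item.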


@ -1,7 +1,7 @@
# #
# spec file for package expat # spec file for package expat
# #
# Copyright (c) 2021 SUSE LLC # Copyright (c) 2022 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -16,9 +16,9 @@
# #
%global unversion 2_4_2 %global unversion 2_4_3
Name: expat Name: expat
Version: 2.4.2 Version: 2.4.3
Release: 0 Release: 0
Summary: XML Parser Toolkit Summary: XML Parser Toolkit
License: MIT License: MIT
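
Review bot: `%global unversion 2_4_3` and `Version: 2.4.3` carry the same release number in two hand-edited lines, so a later bump that touches only one of them leaves the spec inconsistent. Consider deriving `unversion` from the version, or at least add a comment beside it stating that both must change together.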