Accepting request 1157769 from home:AndreasStieger:branches:devel:libraries:c_c++

expat 2.6.2 CVE-2024-28757 boo#1221289 OBS-URL: https://build.opensuse.org/request/show/1157769 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/expat?expand=0&rev=112
2024-03-15 16:04:51 +00:00 · 2024-03-15 16:04:51 +00:00 · 9ceaa6e2e3
commit 9ceaa6e2e3
parent b939258924
6 changed files with 40 additions and 27 deletions
--- a/expat-2.6.1.tar.xz
+++ b/expat-2.6.1.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0c00d2760ad12efef6e26efc8b363c8eb28eb8c8de719e46d5bb67b40ba904a3
-size 484000
--- a/expat-2.6.1.tar.xz.asc
+++ b/expat-2.6.1.tar.xz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEy43nCpDPv2w79cxWliYqz/vTrsYFAmXg6xUACgkQliYqz/vT
-rsZWrw/9H+aLw9+Wk5KXrLSf0JxXoo11hQdHeMYbP1/1u/ne5phVehjRY1ebuZmh
-425/adJQvcvGBoSpFcHQOJolgv1FRf3kZ30mXuibUVxuFTcqrebV4YXt/fL+FQ4W
-he1aWO9V4MSoLudkt3bNAOYvPTQutLV1HqLmc3/YqzMDmF+Qd8lrk7qVP5tQX50C
-yJC7E5gxlyZxlcXDRAeK96tzfG7eJMpmu11gyzSOdIlhUtmHpgBZ/nm8j5RNB+ih
-nGSw//JVsOIgvijZNIjmNMe/BIid5Kw1g2ocQPYPyK0r+jqQ3Xqb4DhZaFJ4AIl0
-UGDTQr7DMhbpL5XOXUvlpBRx9S9/KMpYK0Pabo0x7BLc1WGqw73U5kZ9kTd504Uu
-72nWhd0DVJ3EnTvcReyrPDmhMy+4EF3BxyBU/zvBy72ajhgjf0DpXrmGVK46i8I5
-C2VW+K54/fhbuLmcLqJ472Q0vEZ0hoAfI8ZCGe8bnDs4NlbyHUAcr3rwPxVpPcTs
-ncHv7zrd0qEMtsJd6iUF9sGe/Sb6ZXq/0Ymvm19epr+RAGECtlA6lR0vv3Lm3nGo
-P8Id7vF38uvVvD7QSk64qUlhMwtk8wApvl2KphqavQK8mEt9TkrTBsJ1MlS11W+9
-4zXpgr4bGGVbKGVw/1x+n7iIMDtk8qVfMbCZVmgt4+Fj6KyuSac=
-=EhJd
-----END PGP SIGNATURE-----
--- a/expat-2.6.2.tar.xz
+++ b/expat-2.6.2.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ee14b4c5d8908b1bec37ad937607eab183d4d9806a08adee472c3c3121d27364
+size 485236
--- a/expat-2.6.2.tar.xz.asc
+++ b/expat-2.6.2.tar.xz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEy43nCpDPv2w79cxWliYqz/vTrsYFAmXx2UUACgkQliYqz/vT
+rsYCKw//X838HdkfERw6b0UaauHg3k5h5yzV/4gPzmVWlLhPaSFH6Ns69p7vvHz0
+xtSH0GQ4rp+l7GAjFoH5dzJxZ4g/EstYK+QJwOK7A9+gf86tbFt6pNj43u7bHqW2
+0p55xEoCcki+sZv1WX3VPe7NcCq7cs7UeOyOcqADZkmzcLkpHATh9kiA/LHe5WKp
+jbAZthOCBG3S40xGib9KLZMR/fJ3RKaWsm+Jl+SABEQk5VmpOuoocboE+ZlTfEC/
+9F7czV28xHfdhfhP4nA328VgVPPP1atyVw0sO79fpnxmAFMZO31j/cGIyv4sQX1/
+2MLDbXWeEX6C2+ZCaTtNZbtxq7n+ydI9BAHWawN6BE2DNpt4w0x7m+QzrG207Y9r
+jP+vFLC4winwaXoraJeZ18A7I5lOklNJ/iwzwVQHp+kLM1uGOuc5z/NWmBff1out
+ErgjbAbINNIXEpjZ7AETUai0q2PJRucFsYxjYs19RKObbM8BLo7zbzL93QHm947R
+46+iyemznYXQP2vsBjjQDzPhtyTk3evbRTWy5Mq0XXt8NSBrgGHGU4h35sQL3z2a
+Qw6RhRRMIfrnntvDmLO2kbdBLmz4GQGfmmlUyvDtB6SivD3BWvX91lArfozad5Ve
+pL8oFOu2ObHqCK6foTvwhYl05a7yaElwGX9vTBDsYT9Vqol0sKk=
+=M9y2
+-----END PGP SIGNATURE-----
--- a/expat.changes
+++ b/expat.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Mar 13 22:23:20 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- update to 2.6.2:
+  * CVE-2024-28757 -- Prevent billion laughs attacks with isolated
+    use of external parsers (boo#1221289)
+  * Reject direct parameter entity recursion and avoid the related
+    undefined behavior
+
 -------------------------------------------------------------------
 Fri Mar  1 16:45:35 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>

--- a/expat.spec
+++ b/expat.spec
@ -2,6 +2,7 @@
 # spec file for package expat
 #
 # Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2024 Andreas Stieger <Andreas.Stieger@gmx.de>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -16,9 +17,10 @@
 #


-%global unversion 2_6_1
+%global unversion 2_6_2
+%define sover 1
 Name:           expat
-Version:        2.6.1
+Version:        2.6.2
 Release:        0
 Summary:        XML Parser Toolkit
 License:        MIT
@ -39,11 +41,11 @@ Expat is an XML parser library written in C. It is a stream-oriented
 parser in which an application registers handlers for things the
 parser might find in the XML document (like start tags).

-%package -n libexpat1
+%package -n libexpat%{sover}
 Summary:        XML Parser Toolkit
 Group:          System/Libraries

-%description -n libexpat1
+%description -n libexpat%{sover}
 Expat is an XML parser library written in C. It is a stream-oriented
 parser in which an application registers handlers for things the
 parser might find in the XML document (like start tags).
@ -52,7 +54,7 @@ parser might find in the XML document (like start tags).
 Summary:        Development files for expat, an XML parser toolkit
 Group:          Development/Libraries/C and C++
 Requires:       glibc-devel
-Requires:       libexpat1 = %{version}
+Requires:       libexpat%{sover} = %{version}

 %description -n libexpat-devel
 Expat is an XML parser library written in C. It is a stream-oriented
@ -89,8 +91,7 @@ cp %{SOURCE3} .
 %make_install
 find %{buildroot} -type f -name "*.la" -delete -print

-%post -n libexpat1 -p /sbin/ldconfig
-%postun -n libexpat1 -p /sbin/ldconfig
+%ldconfig_scriptlets -n libexpat%{sover}

 %files
 %license COPYING
@ -102,9 +103,12 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_mandir}/man1/xmlwf.1%{?ext_man}

 %files -n libexpat1
-%{_libdir}/libexpat.so.*
+%license COPYING
+%{_libdir}/libexpat.so.%{sover}
+%{_libdir}/libexpat.so.%{sover}.*

 %files -n libexpat-devel
+%license COPYING
 %{_includedir}/*
 %{_libdir}/libexpat.so
 %{_libdir}/pkgconfig/expat.pc