Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package prosody for openSUSE:Factory checked in at 2022-01-13 23:21:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/prosody (Old) and /work/SRC/openSUSE:Factory/.prosody.new.1892 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "prosody"

Thu Jan 13 23:21:44 2022 rev:27 rq:946206 version:0.11.12

Changes:
--------
--- /work/SRC/openSUSE:Factory/prosody/prosody.changes 2022-01-04 19:38:59.054047380 +0100
+++ /work/SRC/openSUSE:Factory/.prosody.new.1892/prosody.changes 2022-01-13 23:22:22.848084358 +0100
@@ -1,0 +2,7 @@
+Thu Jan 13 18:25:26 UTC 2022 - Michael Vetter <mvet...@suse.com>
+
+- Update to 0.11.12:
+ * util.xml: Do not allow doctypes, comments or processing
+ instructions (CVE-2022-0217)
+
+-------------------------------------------------------------------

Old:
----
 prosody-0.11.11.tar.gz
 prosody-0.11.11.tar.gz.asc

New:
----
 prosody-0.11.12.tar.gz
 prosody-0.11.12.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ prosody.spec ++++++
--- /var/tmp/diff_new_pack.uyEWq4/_old 2022-01-13 23:22:23.340084680 +0100
+++ /var/tmp/diff_new_pack.uyEWq4/_new 2022-01-13 23:22:23.344084682 +0100
@@ -18,7 +18,7 @@
 %define _piddir /run
 
 Name: prosody
-Version: 0.11.11
+Version: 0.11.12
 Release: 0
 Summary: Communications server for Jabber/XMPP
 License: MIT
++++++ prosody-0.11.11.tar.gz -> prosody-0.11.12.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/prosody-0.11.11/.hg_archival.txt new/prosody-0.11.12/.hg_archival.txt
--- old/prosody-0.11.11/.hg_archival.txt 2021-12-20 20:02:14.576898558 +0100
+++ new/prosody-0.11.12/.hg_archival.txt 2022-01-13 13:19:13.904158902 +0100
@@ -1,4 +1,4 @@
 repo: 3e3171b59028ee70122cfec6ecf98f518f946b59
-node: 76b4e3f12b53fedae96402d87fa9ee79e704ce5e
+node: 783056b4e4480389d0e27883289b1bfef57e4729
 branch: 0.11
-tag: 0.11.11
+tag: 0.11.12
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/prosody-0.11.11/prosody.release new/prosody-0.11.12/prosody.release
--- old/prosody-0.11.11/prosody.release 2021-12-20 20:02:14.576898558 +0100
+++ new/prosody-0.11.12/prosody.release 2022-01-13 13:19:13.904158902 +0100
@@ -1 +1 @@
-0.11.11
+0.11.12
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/prosody-0.11.11/spec/util_xml_spec.lua new/prosody-0.11.12/spec/util_xml_spec.lua
--- old/prosody-0.11.11/spec/util_xml_spec.lua 2021-12-20 20:02:14.576898558 +0100
+++ new/prosody-0.11.12/spec/util_xml_spec.lua 2022-01-13 13:19:13.904158902 +0100
@@ -12,9 +12,41 @@
 <a:z/> <!-- prefix 'a' is nil here, but should be 'b' -->
 </x>
 ]]
- local stanza = xml.parse(x);
+ local stanza = xml.parse(x, {allow_comments = true});
 assert.are.equal(stanza.tags[2].attr.xmlns, "b");
 assert.are.equal(stanza.tags[2].namespaces["a"], "b");
 end);
+
+ it("should reject doctypes", function()
+ local x = "<!DOCTYPE foo []><foo/>";
+ local ok = xml.parse(x);
+ assert.falsy(ok);
+ end);
+
+ it("should reject comments by default", function()
+ local x = "<foo><!-- foo --></foo>";
+ local ok = xml.parse(x);
+ assert.falsy(ok);
+ end);
+
+ it("should allow comments if asked nicely", function()
+ local x = "<foo><!-- foo --></foo>";
+ local stanza = xml.parse(x, {allow_comments = true});
+ assert.are.equal(stanza.name, "foo");
+ assert.are.equal(#stanza, 0);
+ end);
+
+ it("should reject processing instructions", function()
+ local x = "<foo><?php die(); ?></foo>";
+ local ok = xml.parse(x);
+ assert.falsy(ok);
+ end);
+
+ it("should allow an xml declaration", function()
+ local x = "<?xml version='1.0'?><foo/>";
+ local stanza = xml.parse(x);
+ assert.truthy(stanza);
+ assert.are.equal(stanza.name, "foo");
+ end);
 end);
 end);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/prosody-0.11.11/util/xml.lua new/prosody-0.11.12/util/xml.lua
--- old/prosody-0.11.11/util/xml.lua 2021-12-20 20:02:14.576898558 +0100
+++ new/prosody-0.11.12/util/xml.lua 2022-01-13 13:19:13.904158902 +0100
@@ -3,6 +3,7 @@
 local lxp = require "lxp";
 local t_insert = table.insert;
 local t_remove = table.remove;
+local error = error;
 
 local _ENV = nil;
 -- luacheck: std none
@@ -13,7 +14,7 @@
 };
 local ns_separator = "\1";
 local ns_pattern = "^([^"..ns_separator.."]*)"..ns_separator.."?(.*)$";
- return function(xml)
+ return function(xml, options)
 --luacheck: ignore 212/self
 local handler = {};
 local stanza = st.stanza("root");
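Review bot: None of the new cases checks that `allow_comments` relaxes only the comment rule, so a regression that made the option also skip the doctype or processing-instruction handlers would still pass this suite; `it("should allow comments if asked nicely", ...)` is the only case passing the option and it feeds a comment-only document. Add a sibling of the doctype case that passes the option, e.g. `local ok = xml.parse("<!DOCTYPE foo []><foo/>", {allow_comments = true});` followed by `assert.falsy(ok);`, and the same for the processing-instruction input. The rejection cases also discard the second return value of `xml.parse`; if it carries the parser's error text, asserting on it would pin the reported reason rather than just a falsy result. The enclosing describe blocks start before the hunk.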
@@ -64,7 +65,27 @@
 function handler:EndElement()
 stanza:up();
 end
- local parser = lxp.new(handler, "\1");
+ local parser;
+ -- SECURITY: These two handlers, especially the Doctype one, are required to prevent exploits such as Billion Laughs.
+ function handler:StartDoctypeDecl()
+ if not parser.stop or not parser:stop() then
+ error("Failed to abort parsing");
+ end
+ end
+ function handler:ProcessingInstruction()
+ if not parser.stop or not parser:stop() then
+ error("Failed to abort parsing");
+ end
+ end
+ if not options or not options.allow_comments then
+ -- NOTE: comments are generally harmless and can be useful when parsing configuration files or other data, even user-provided data
+ function handler:Comment()
+ if not parser.stop or not parser:stop() then
+ error("Failed to abort parsing");
+ end
+ end
+ end
+ parser = lxp.new(handler, ns_separator);
 local ok, err, line, col = parser:parse(xml);
 if ok then ok, err, line, col = parser:parse(); end
 --parser:close();
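Review bot: The three new handlers repeat the same five-line abort body, and a caller that trips one of them gets back only whatever `parser:parse(xml)` returns after `parser:stop()` (presumably expat's generic abort message), so a log line cannot distinguish a rejected doctype from a rejected comment or processing instruction. Folding the body into one local `abort(reason)` that records why the parser was stopped removes the duplication and lets the error handed back name the construct, which is what an operator triaging rejected stanzas or config files needs. A comment on `function handler:ProcessingInstruction()` noting that the `<?xml ...?>` declaration is delivered through the separate `XmlDecl` callback rather than this handler would explain why the declaration test still passes. The `options` parameter added in the signature hunk above is undocumented; `-- options (optional table): allow_comments = true keeps XML comments; doctypes and processing instructions are always rejected` on the returned function would cover it. The returned function continues past the end of the hunk.
```lua
		local parser;
		local abort_reason;
		-- … unchanged: SECURITY comment …
		-- Stop the parser and remember which disallowed construct triggered it.
		local function abort(reason)
			abort_reason = reason;
			if not parser.stop or not parser:stop() then
				error("Failed to abort parsing");
			end
		end
		function handler:StartDoctypeDecl() abort("doctype"); end
		-- The <?xml ...?> declaration is reported via XmlDecl, not here.
		function handler:ProcessingInstruction() abort("processing instruction"); end
		if not options or not options.allow_comments then
			-- … unchanged: NOTE comment …
			function handler:Comment() abort("comment"); end
		end
		parser = lxp.new(handler, ns_separator);
		local ok, err, line, col = parser:parse(xml);
		if ok then ok, err, line, col = parser:parse(); end
		if not ok and abort_reason then
			err = "disallowed XML "..abort_reason;
		end
		-- … unchanged: --parser:close() and the rest of the function …
```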