Hello community,
here is the log from the commit of package rubygem-nokogiri for
openSUSE:Factory checked in at 2022-05-17 17:23:39
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rubygem-nokogiri (Old)
and /work/SRC/openSUSE:Factory/.rubygem-nokogiri.new.1538 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rubygem-nokogiri"
Tue May 17 17:23:39 2022 rev:62 rq:977450 version:1.13.6
Changes:
--------
--- /work/SRC/openSUSE:Factory/rubygem-nokogiri/rubygem-nokogiri.changes
2022-04-14 17:23:49.251148056 +0200
+++
/work/SRC/openSUSE:Factory/.rubygem-nokogiri.new.1538/rubygem-nokogiri.changes
2022-05-17 17:23:43.735132565 +0200
@@ -1,0 +2,38 @@
+Sun May 15 15:49:25 UTC 2022 - Manuel Schnitzer <[email protected]>
+
+- updated to version 1.13.6
+
+ ## 1.13.6 / 2022-05-08
+
+ ### Security
+
+ * [CRuby] Address
[CVE-2022-29181](https://nvd.nist.gov/vuln/detail/CVE-2022-29181), improper
handling of unexpected data types, related to untrusted inputs to the SAX
parsers. See
[GHSA-xh29-r2w5-wx8m](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m)
for more information.
+
+
+ ### Improvements
+
+ * `{HTML4,XML}::SAX::{Parser,ParserContext}` constructor methods now raise
`TypeError` instead of segfaulting when an incorrect type is passed.
+
+
+ ## 1.13.5 / 2022-05-04
+
+ ### Security
+
+ * [CRuby] Vendored libxml2 is updated to address
[CVE-2022-29824](https://nvd.nist.gov/vuln/detail/CVE-2022-29824). See
[GHSA-cgx6-hpwq-fhv5](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-cgx6-hpwq-fhv5)
for more information.
+
+
+ ### Dependencies
+
+ * [CRuby] Vendored libxml2 is updated from v2.9.13 to
[v2.9.14](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.9.14).
+
+
+ ### Improvements
+
+ * [CRuby] The libxml2 HTML parser no longer exhibits quadratic behavior when
recovering some broken markup related to start-of-tag and bare `<` characters.
+
+
+ ### Changed
+
+ * [CRuby] The libxml2 HTML parser in v2.9.14 recovers from some broken
markup differently. Notably, the XML CDATA escape sequence `< noted above. The
behavior of downstream sanitizers relying on this behavior will also change.
Some tests describing the changed behavior are in
[`test/html4/test_comments.rb`](https://github.com/sparklemotion/nokogiri/blob/3ed5bf2b5a367cb9dc6e329c5a1c512e1dd4565d/test/html4/test_comments.rb#L187-L204).
+
+-------------------------------------------------------------------
Old:
----
nokogiri-1.13.4.gem
New:
----
nokogiri-1.13.6.gem
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ rubygem-nokogiri.spec ++++++
--- /var/tmp/diff_new_pack.7Y3UZs/_old 2022-05-17 17:23:44.271133053 +0200
+++ /var/tmp/diff_new_pack.7Y3UZs/_new 2022-05-17 17:23:44.275133057 +0200
@@ -24,7 +24,7 @@
#
Name: rubygem-nokogiri
-Version: 1.13.4
+Version: 1.13.6
Release: 0
%define mod_name nokogiri
%define mod_full_name %{mod_name}-%{version}
++++++ nokogiri-1.13.4.gem -> nokogiri-1.13.6.gem ++++++
Binary files old/checksums.yaml.gz and new/checksums.yaml.gz differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/dependencies.yml new/dependencies.yml
--- old/dependencies.yml 2022-04-11 22:18:49.000000000 +0200
+++ new/dependencies.yml 2022-05-08 16:15:46.000000000 +0200
@@ -1,7 +1,7 @@
libxml2:
- version: "2.9.13"
- sha256: "276130602d12fe484ecc03447ee5e759d0465558fbc9d6bd144e3745306ebf0e"
- # sha-256 hash provided in
https://download.gnome.org/sources/libxml2/2.9/libxml2-2.9.13.sha256sum
+ version: "2.9.14"
+ sha256: "60d74a257d1ccec0475e749cba2f21559e48139efba6ff28224357c7c798dfee"
+ # sha-256 hash provided in
https://download.gnome.org/sources/libxml2/2.9/libxml2-2.9.14.sha256sum
libxslt:
version: "1.1.35"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/ext/nokogiri/html4_sax_parser_context.c
new/ext/nokogiri/html4_sax_parser_context.c
--- old/ext/nokogiri/html4_sax_parser_context.c 2022-04-11 22:18:49.000000000
+0200
+++ new/ext/nokogiri/html4_sax_parser_context.c 2022-05-08 16:15:46.000000000
+0200
@@ -19,9 +19,8 @@
{
htmlParserCtxtPtr ctxt;
- if (NIL_P(data)) {
- rb_raise(rb_eArgError, "data cannot be nil");
- }
+ Check_Type(data, T_STRING);
+
if (!(int)RSTRING_LEN(data)) {
rb_raise(rb_eRuntimeError, "data cannot be empty");
}
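Review bot: The emptiness test that follows the new `Check_Type(data, T_STRING)` still narrows `RSTRING_LEN(data)` to `int`, so a string longer than `INT_MAX` bytes is not rejected, and one whose length truncates to zero is reported as empty. The rest of this function is outside the hunk, but if it passes the same narrowed length to libxml2 (presumably it does; confirm), the parser would see a length that disagrees with the Ruby string. An explicit bound before the cast closes that gap: `if (RSTRING_LEN(data) > INT_MAX) { rb_raise(rb_eArgError, "data is too large"); }`. The same pattern appears in the `@@ -62,9 +68,8 @@` hunk of `ext/nokogiri/xml_sax_parser_context.c`.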
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/ext/nokogiri/xml_sax_parser_context.c
new/ext/nokogiri/xml_sax_parser_context.c
--- old/ext/nokogiri/xml_sax_parser_context.c 2022-04-11 22:18:49.000000000
+0200
+++ new/ext/nokogiri/xml_sax_parser_context.c 2022-05-08 16:15:46.000000000
+0200
@@ -2,6 +2,8 @@
VALUE cNokogiriXmlSaxParserContext ;
+static ID id_read;
+
static void
deallocate(xmlParserCtxtPtr ctxt)
{
@@ -26,6 +28,10 @@
xmlParserCtxtPtr ctxt;
xmlCharEncoding enc = (xmlCharEncoding)NUM2INT(encoding);
+ if (!rb_respond_to(io, id_read)) {
+ rb_raise(rb_eTypeError, "argument expected to respond to :read");
+ }
+
ctxt = xmlCreateIOParserCtxt(NULL, NULL,
(xmlInputReadCallback)noko_io_read,
(xmlInputCloseCallback)noko_io_close,
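Review bot: The added `rb_respond_to(io, id_read)` guard proves only that `io` has a `read` method, not what that method returns. The type safety this change is after therefore still depends on `noko_io_read`, which is not part of this diff, checking that each `read` result is a String or nil before it touches the bytes; that is worth confirming. I would record the contract next to the guard with a comment such as `/* io is duck-typed: only :read is checked here; noko_io_read must validate what read returns */`. The enclosing function starts before and continues past this hunk.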
@@ -62,9 +68,8 @@
{
xmlParserCtxtPtr ctxt;
- if (NIL_P(data)) {
- rb_raise(rb_eArgError, "data cannot be nil");
- }
+ Check_Type(data, T_STRING);
+
if (!(int)RSTRING_LEN(data)) {
rb_raise(rb_eRuntimeError, "data cannot be empty");
}
@@ -278,4 +283,6 @@
rb_define_method(cNokogiriXmlSaxParserContext, "recovery", get_recovery, 0);
rb_define_method(cNokogiriXmlSaxParserContext, "line", line, 0);
rb_define_method(cNokogiriXmlSaxParserContext, "column", column, 0);
+
+ id_read = rb_intern("read");
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/nokogiri/html4/sax/parser.rb
new/lib/nokogiri/html4/sax/parser.rb
--- old/lib/nokogiri/html4/sax/parser.rb 2022-04-11 22:18:49.000000000
+0200
+++ new/lib/nokogiri/html4/sax/parser.rb 2022-05-08 16:15:46.000000000
+0200
@@ -28,7 +28,7 @@
###
# Parse html stored in +data+ using +encoding+
def parse_memory(data, encoding = "UTF-8")
- raise ArgumentError unless data
+ raise TypeError unless String === data
return if data.empty?
ctx = ParserContext.memory(data, encoding)
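Review bot: `raise TypeError unless String === data` raises with no message, and for `nil` it changes the exception class from `ArgumentError` to `TypeError`, which the method comment above does not mention. Callers that rescue `ArgumentError` around `parse_memory`, or that pass an object implementing only `to_str`, will now see a bare `TypeError`. I would give the error some context with `raise TypeError, "data must be a String, got #{data.class}" unless String === data`, and add `# Raises TypeError if +data+ is not a String` to the doc comment. The method body continues past the end of this hunk.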
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/nokogiri/version/constant.rb
new/lib/nokogiri/version/constant.rb
--- old/lib/nokogiri/version/constant.rb 2022-04-11 22:18:49.000000000
+0200
+++ new/lib/nokogiri/version/constant.rb 2022-05-08 16:15:46.000000000
+0200
@@ -2,5 +2,5 @@
module Nokogiri
# The version of Nokogiri you are using
- VERSION = "1.13.4"
+ VERSION = "1.13.6"
end
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/lib/nokogiri/xml/node.rb new/lib/nokogiri/xml/node.rb
--- old/lib/nokogiri/xml/node.rb 2022-04-11 22:18:49.000000000 +0200
+++ new/lib/nokogiri/xml/node.rb 2022-05-08 16:15:46.000000000 +0200
@@ -123,8 +123,8 @@
# [Yields] Nokogiri::XML::Node
# [Returns] Nokogiri::XML::Node
#
- def initialize(name, document) # rubocop:disable
Style/RedundantInitialize
- # This is intentionally empty.
+ def initialize(name, document)
+ # This is intentionally empty, and sets the method signature for
subclasses.
end
###
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/metadata new/metadata
--- old/metadata 2022-04-11 22:18:49.000000000 +0200
+++ new/metadata 2022-05-08 16:15:46.000000000 +0200
@@ -1,7 +1,7 @@
--- !ruby/object:Gem::Specification
name: nokogiri
version: !ruby/object:Gem::Version
- version: 1.13.4
+ version: 1.13.6
platform: ruby
authors:
- Mike Dalessio
@@ -20,7 +20,7 @@
autorequire:
bindir: bin
cert_chain: []
-date: 2022-04-11 00:00:00.000000000 Z
+date: 2022-05-08 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: mini_portile2
@@ -182,14 +182,20 @@
requirements:
- - "~>"
- !ruby/object:Gem::Version
- version: '1.23'
+ version: '1.28'
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: 1.28.2
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - "~>"
- !ruby/object:Gem::Version
- version: '1.23'
+ version: '1.28'
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: 1.28.2
- !ruby/object:Gem::Dependency
name: rubocop-minitest
requirement: !ruby/object:Gem::Requirement
@@ -492,9 +498,8 @@
- patches/libxml2/0006-update-automake-files-for-arm64.patch
- patches/libxml2/0008-htmlParseComment-handle-abruptly-closed-comments.patch
- patches/libxml2/0009-allow-wildcard-namespaces.patch
--
patches/libxml2/0010-Revert-Different-approach-to-fix-quadratic-behavior.patch
- patches/libxslt/0001-update-automake-files-for-arm64.patch
-- ports/archives/libxml2-2.9.13.tar.xz
+- ports/archives/libxml2-2.9.14.tar.xz
- ports/archives/libxslt-1.1.35.tar.xz
homepage: https://nokogiri.org
licenses:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/patches/libxml2/0010-Revert-Different-approach-to-fix-quadratic-behavior.patch
new/patches/libxml2/0010-Revert-Different-approach-to-fix-quadratic-behavior.patch
---
old/patches/libxml2/0010-Revert-Different-approach-to-fix-quadratic-behavior.patch
2022-04-11 22:18:49.000000000 +0200
+++
new/patches/libxml2/0010-Revert-Different-approach-to-fix-quadratic-behavior.patch
1970-01-01 01:00:00.000000000 +0100
@@ -1,45 +0,0 @@
-From ddc5f3d22644e0f6fbcc20541c86825757ffee62 Mon Sep 17 00:00:00 2001
-From: Mike Dalessio <[email protected]>
-Date: Mon, 21 Feb 2022 18:27:45 -0500
-Subject: [PATCH] Revert "Different approach to fix quadratic behavior in HTML
- push parser"
-
-This reverts commit 798bdf13f6964a650b9a0b7b4b3a769f6f1d509a.
----
- HTMLparser.c | 14 +-------------
- 1 file changed, 1 insertion(+), 13 deletions(-)
-
-diff --git a/HTMLparser.c b/HTMLparser.c
-index eba2d7c..c0b8119 100644
---- a/HTMLparser.c
-+++ b/HTMLparser.c
-@@ -3960,25 +3960,13 @@ htmlParseStartTag(htmlParserCtxtPtr ctxt) {
- htmlParseErr(ctxt, XML_ERR_NAME_REQUIRED,
- "htmlParseStartTag: invalid element name\n",
- NULL, NULL);
-- /*
-- * The recovery code is disabled for now as it can result in
-- * quadratic behavior with the push parser. htmlParseStartTag
-- * must consume all content up to the final '>' in order to avoid
-- * rescanning for this terminator.
-- *
-- * For a proper fix in line with HTML5, htmlParseStartTag and
-- * htmlParseElement should only be called when there's an ASCII
-- * alpha character following the initial '<'. Otherwise, the '<'
-- * should be emitted as text (unless followed by '!', '/' or '?').
-- */
--#if 0
- /* if recover preserve text on classic misconstructs */
- if ((ctxt->recovery) && ((IS_BLANK_CH(CUR)) || (CUR == '<') ||
- (CUR == '=') || (CUR == '>') || (((CUR >= '0') && (CUR <= '9'))))) {
- htmlParseCharDataInternal(ctxt, '<');
- return(-1);
- }
--#endif
-+
-
- /* Dump the bogus tag like browsers do */
- while ((CUR != 0) && (CUR != '>') &&
---
-2.31.0
-
Binary files old/ports/archives/libxml2-2.9.13.tar.xz and
new/ports/archives/libxml2-2.9.13.tar.xz differ
Binary files old/ports/archives/libxml2-2.9.14.tar.xz and
new/ports/archives/libxml2-2.9.14.tar.xz differ