Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2023-09-04 13:19:30 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.1766 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxml2" Mon Sep 4 13:19:30 2023 rev:119 rq:1108847 version:2.10.4 Changes: -------- --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2023-04-26 17:24:54.265463275 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new.1766/libxml2.changes 2023-09-04 13:19:31.315503380 +0200 @@ -1,0 +2,7 @@ +Mon Sep 4 10:36:54 UTC 2023 - David Anes <david.a...@suse.com> + +- Security fix: CVE-2023-39615 (bsc#1214768) + * crafted xml can cause global buffer overflow + * Added file libxml2-CVE-2023-39615.patch + +------------------------------------------------------------------- New: ---- libxml2-CVE-2023-39615.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxml2.spec ++++++ --- /var/tmp/diff_new_pack.2jibAv/_old 2023-09-04 13:19:33.611585222 +0200 +++ /var/tmp/diff_new_pack.2jibAv/_new 2023-09-04 13:19:33.619585507 +0200 @@ -42,6 +42,9 @@ # PATCH-FIX-UPSTREAM libxml2-python3-string-null-check.patch bsc#1065270 mgo...@suse.com # https://gitlab.gnome.org/GNOME/libxml2/-/merge_requests/15 Patch1: libxml2-python3-string-null-check.patch +# PATCH-FIX-UPSTREAM CVE-2023-39615 bsc#1214768 +# https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9 +Patch2: libxml2-CVE-2023-39615.patch # ### -- openSUSE patches range from 1000 to 1999 -- ### # PATCH-FIX-OPENSUSE ++++++ libxml2-CVE-2023-39615.patch ++++++ >From d0c3f01e110d54415611c5fa0040cdf4a56053f9 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer <wellnho...@aevum.de> Date: Sat, 6 May 2023 17:47:37 +0200 Subject: [PATCH] parser: Fix old SAX1 parser with custom callbacks For some reason, xmlCtxtUseOptionsInternal set the start and end element SAX handlers to the internal DOM builder functions when XML_PARSE_SAX1 was specified. This means that custom SAX handlers could never work with that flag because these functions would receive the wrong user data argument and crash immediately. Fixes #535. --- parser.c | 2 -- 1 file changed, 2 deletions(-) Index: libxml2-2.10.4/parser.c =================================================================== --- libxml2-2.10.4.orig/parser.c +++ libxml2-2.10.4/parser.c @@ -15064,8 +15064,6 @@ xmlCtxtUseOptionsInternal(xmlParserCtxtP } #ifdef LIBXML_SAX1_ENABLED if (options & XML_PARSE_SAX1) { - ctxt->sax->startElement = xmlSAX2StartElement; - ctxt->sax->endElement = xmlSAX2EndElement; ctxt->sax->startElementNs = NULL; ctxt->sax->endElementNs = NULL; ctxt->sax->initialized = 1;