Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2014-11-06 16:49:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxml2" Changes: -------- --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2014-10-19 19:27:55.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new/libxml2.changes 2014-11-06 16:49:40.000000000 +0100 @@ -1,0 +2,47 @@ +Mon Nov 3 17:13:24 UTC 2014 - vci...@suse.com + +- fix a missing entities after CVE-2014-3660 fix + (https://bugzilla.gnome.org/show_bug.cgi?id=738805) + * added patches: + 0001-Fix-missing-entities-after-CVE-2014-3660-fix.patch + 0002-Adding-example-from-bugs-738805-to-regression-tests.patch + +------------------------------------------------------------------- +Mon Nov 3 10:01:23 UTC 2014 - vci...@suse.com + +- fix a regression in libxml2 2.9.2 + * https://bugzilla.redhat.com/show_bug.cgi?id=1153753 +- add libxml2-dont_initialize_catalog.patch + +------------------------------------------------------------------- +Fri Oct 31 10:55:27 UTC 2014 - vci...@suse.com + +- update to 2.9.2 + * drop libxml2-CVE-2014-3660.patch (upstream) + * add keyring to verify tarball + Security: + Fix for CVE-2014-3660 billion laugh variant + CVE-2014-0191 Do not fetch external parameter entities + Improvements: + win32/libxml2.def.src after rebuild in doc + elfgcchack.h: more legacy needs xmlSAX2StartElement() and xmlSAX2EndElement() + elfgcchack.h: add xmlXPathNodeEval and xmlXPathSetContextNode + Provide cmake module + Fix a couple of issues raised by make dist + Fix and add const qualifiers + Preparing for upcoming release of 2.9.2 + Fix zlib and lzma libraries check via command line + wrong error column in structured error when parsing end tag + doc/news.html: small update to avoid line join while generating NEWS. + Add methods for python3 iterator + Support element node traversal in document fragments + xmlNodeSetName: Allow setting the name to a substring of the currently set name + Added macros for argument casts + adding init calls to xml and html Read parsing entry points + Get rid of 'REPLACEMENT CHARACTER' Unicode chars in xmlschemas.c + Implement choice for name classes on attributes + Two small namespace tweaks + xmllint --memory should fail on empty files + Cast encoding name to char pointer to match arg type + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/libxml2/python-libxml2.changes 2013-07-08 07:14:41.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new/python-libxml2.changes 2014-11-06 16:49:40.000000000 +0100 @@ -1,0 +2,5 @@ +Fri Oct 31 10:55:27 UTC 2014 - vci...@suse.com + +- Update to 2.9.2 version + +------------------------------------------------------------------- Old: ---- libxml2-2.9.1.tar.gz libxml2-CVE-2014-3660.patch New: ---- 0001-Fix-missing-entities-after-CVE-2014-3660-fix.patch 0002-Adding-example-from-bugs-738805-to-regression-tests.patch libxml2-2.9.2.tar.gz libxml2-2.9.2.tar.gz.asc libxml2-dont_initialize_catalog.patch libxml2.keyring ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxml2.spec ++++++ --- /var/tmp/diff_new_pack.fHeuZt/_old 2014-11-06 16:49:41.000000000 +0100 +++ /var/tmp/diff_new_pack.fHeuZt/_new 2014-11-06 16:49:41.000000000 +0100 @@ -19,7 +19,7 @@ %define lname libxml2-2 Name: libxml2 -Version: 2.9.1 +Version: 2.9.2 Release: 0 Summary: A Library to Manipulate XML Files License: MIT @@ -27,9 +27,13 @@ Url: http://xmlsoft.org # Source ftp://xmlsoft.org/libxml2/libxml2-git-snapshot.tar.gz changes every day Source: ftp://xmlsoft.org/libxml2/%{name}-%{version}.tar.gz +Source1: ftp://xmlsoft.org/libxml2/%{name}-%{version}.tar.gz.asc Source2: baselibs.conf +Source3: %{name}.keyring Patch0: fix-perl.diff -Patch1: libxml2-CVE-2014-3660.patch +Patch1: libxml2-dont_initialize_catalog.patch +Patch2: 0001-Fix-missing-entities-after-CVE-2014-3660-fix.patch +Patch3: 0002-Adding-example-from-bugs-738805-to-regression-tests.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: pkg-config BuildRequires: readline-devel @@ -125,6 +129,8 @@ %setup -q %patch0 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build %configure --disable-static \ @@ -183,6 +189,7 @@ %{_libdir}/libxml2.la %{_libdir}/*.sh %{_libdir}/pkgconfig/*.pc +%{_libdir}/cmake %doc %{_mandir}/man1/xml2-config.1* %doc %{_mandir}/man3/libxml.3* ++++++ python-libxml2.spec ++++++ --- /var/tmp/diff_new_pack.fHeuZt/_old 2014-11-06 16:49:41.000000000 +0100 +++ /var/tmp/diff_new_pack.fHeuZt/_new 2014-11-06 16:49:41.000000000 +0100 @@ -17,7 +17,7 @@ Name: python-libxml2 -Version: 2.9.1 +Version: 2.9.2 Release: 0 Summary: Python Bindings for libxml2 License: MIT ++++++ 0001-Fix-missing-entities-after-CVE-2014-3660-fix.patch ++++++ >From 72a46a519ce7326d9a00f0b6a7f2a8e958cd1675 Mon Sep 17 00:00:00 2001 From: Daniel Veillard <veill...@redhat.com> Date: Thu, 23 Oct 2014 11:35:36 +0800 Subject: [PATCH 1/2] Fix missing entities after CVE-2014-3660 fix For https://bugzilla.gnome.org/show_bug.cgi?id=738805 The fix for CVE-2014-3660 introduced a regression in some case where entity substitution is required and the entity is used first in anotther entity referenced from an attribute value --- parser.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/parser.c b/parser.c index 67c9dfd..a8d1b67 100644 --- a/parser.c +++ b/parser.c @@ -7235,7 +7235,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { * far more secure as the parser will only process data coming from * the document entity by default. */ - if ((ent->checked == 0) && + if (((ent->checked == 0) || + ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) && ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) || (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) { unsigned long oldnbent = ctxt->nbentities; -- 2.1.2 ++++++ 0002-Adding-example-from-bugs-738805-to-regression-tests.patch ++++++ >From df23f584fda15955a0811bd768a8925eb98741c9 Mon Sep 17 00:00:00 2001 From: Daniel Veillard <veill...@redhat.com> Date: Thu, 23 Oct 2014 13:52:47 +0800 Subject: [PATCH 2/2] Adding example from bugs 738805 to regression tests For https://bugzilla.gnome.org/show_bug.cgi?id=738805 Tortuous test case provided by pierre.labas...@neuf.fr --- result/ent_738805.xml | 15 +++++++++++ result/ent_738805.xml.rde | 15 +++++++++++ result/ent_738805.xml.rdr | 31 +++++++++++++++++++++ result/ent_738805.xml.sax | 66 +++++++++++++++++++++++++++++++++++++++++++++ result/ent_738805.xml.sax2 | 66 +++++++++++++++++++++++++++++++++++++++++++++ result/noent/ent_738805.xml | 15 +++++++++++ test/ent_738805.xml | 16 +++++++++++ 7 files changed, 224 insertions(+) create mode 100644 result/ent_738805.xml create mode 100644 result/ent_738805.xml.rde create mode 100644 result/ent_738805.xml.rdr create mode 100644 result/ent_738805.xml.sax create mode 100644 result/ent_738805.xml.sax2 create mode 100644 result/noent/ent_738805.xml create mode 100644 test/ent_738805.xml diff --git a/result/ent_738805.xml b/result/ent_738805.xml new file mode 100644 index 0000000..d285eee --- /dev/null +++ b/result/ent_738805.xml @@ -0,0 +1,15 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE somedoc [ +<!ENTITY a "something"> +<!ENTITY b "&a;"> +]> +<somedoc> + +<somebeacon someattribute="&b;"/> + +&a; should appear after colon: &a; +&b; should appear after colon: &a; +&a; should appear after colon: &b; +&b; should appear after colon: &b; + +</somedoc> diff --git a/result/ent_738805.xml.rde b/result/ent_738805.xml.rde new file mode 100644 index 0000000..fa086fe --- /dev/null +++ b/result/ent_738805.xml.rde @@ -0,0 +1,15 @@ +0 10 somedoc 0 0 +0 1 somedoc 0 0 +1 14 #text 0 1 + + +1 1 somebeacon 1 0 +1 3 #text 0 1 + +something should appear after colon: something +something should appear after colon: something +something should appear after colon: something +something should appear after colon: something + + +0 15 somedoc 0 0 diff --git a/result/ent_738805.xml.rdr b/result/ent_738805.xml.rdr new file mode 100644 index 0000000..c52dbf1 --- /dev/null +++ b/result/ent_738805.xml.rdr @@ -0,0 +1,31 @@ +0 10 somedoc 0 0 +0 1 somedoc 0 0 +1 14 #text 0 1 + + +1 1 somebeacon 1 0 +1 14 #text 0 1 + + +1 5 a 0 0 +1 3 #text 0 1 should appear after colon: +1 5 a 0 0 +1 14 #text 0 1 + +1 5 b 0 0 +1 3 #text 0 1 should appear after colon: +1 5 a 0 0 +1 14 #text 0 1 + +1 5 a 0 0 +1 3 #text 0 1 should appear after colon: +1 5 b 0 0 +1 14 #text 0 1 + +1 5 b 0 0 +1 3 #text 0 1 should appear after colon: +1 5 b 0 0 +1 14 #text 0 1 + + +0 15 somedoc 0 0 diff --git a/result/ent_738805.xml.sax b/result/ent_738805.xml.sax new file mode 100644 index 0000000..2649117 --- /dev/null +++ b/result/ent_738805.xml.sax @@ -0,0 +1,66 @@ +SAX.setDocumentLocator() +SAX.startDocument() +SAX.internalSubset(somedoc, , ) +SAX.entityDecl(a, 1, (null), (null), something) +SAX.getEntity(a) +SAX.entityDecl(b, 1, (null), (null), &a;) +SAX.getEntity(b) +SAX.externalSubset(somedoc, , ) +SAX.startElement(somedoc) +SAX.characters( + +, 2) +SAX.getEntity(b) +SAX.getEntity(a) +SAX.startElement(somebeacon, someattribute='&b;') +SAX.endElement(somebeacon) +SAX.characters( + +, 2) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.characters( should appear after colon: , 28) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.characters( +, 1) +SAX.getEntity(b) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.reference(b) +SAX.characters( should appear after colon: , 28) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.characters( +, 1) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.characters( should appear after colon: , 28) +SAX.getEntity(b) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.reference(b) +SAX.characters( +, 1) +SAX.getEntity(b) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.reference(b) +SAX.characters( should appear after colon: , 28) +SAX.getEntity(b) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.reference(b) +SAX.characters( + +, 2) +SAX.endElement(somedoc) +SAX.endDocument() diff --git a/result/ent_738805.xml.sax2 b/result/ent_738805.xml.sax2 new file mode 100644 index 0000000..1eae781 --- /dev/null +++ b/result/ent_738805.xml.sax2 @@ -0,0 +1,66 @@ +SAX.setDocumentLocator() +SAX.startDocument() +SAX.internalSubset(somedoc, , ) +SAX.entityDecl(a, 1, (null), (null), something) +SAX.getEntity(a) +SAX.entityDecl(b, 1, (null), (null), &a;) +SAX.getEntity(b) +SAX.externalSubset(somedoc, , ) +SAX.startElementNs(somedoc, NULL, NULL, 0, 0, 0) +SAX.characters( + +, 2) +SAX.getEntity(b) +SAX.getEntity(a) +SAX.startElementNs(somebeacon, NULL, NULL, 0, 1, 0, someattribute='&b;...', 3) +SAX.endElementNs(somebeacon, NULL, NULL) +SAX.characters( + +, 2) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.characters( should appear after colon: , 28) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.characters( +, 1) +SAX.getEntity(b) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.reference(b) +SAX.characters( should appear after colon: , 28) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.characters( +, 1) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.characters( should appear after colon: , 28) +SAX.getEntity(b) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.reference(b) +SAX.characters( +, 1) +SAX.getEntity(b) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.reference(b) +SAX.characters( should appear after colon: , 28) +SAX.getEntity(b) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.reference(b) +SAX.characters( + +, 2) +SAX.endElementNs(somedoc, NULL, NULL) +SAX.endDocument() diff --git a/result/noent/ent_738805.xml b/result/noent/ent_738805.xml new file mode 100644 index 0000000..5e44a55 --- /dev/null +++ b/result/noent/ent_738805.xml @@ -0,0 +1,15 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE somedoc [ +<!ENTITY a "something"> +<!ENTITY b "&a;"> +]> +<somedoc> + +<somebeacon someattribute="something"/> + +something should appear after colon: something +something should appear after colon: something +something should appear after colon: something +something should appear after colon: something + +</somedoc> diff --git a/test/ent_738805.xml b/test/ent_738805.xml new file mode 100644 index 0000000..9ec70b1 --- /dev/null +++ b/test/ent_738805.xml @@ -0,0 +1,16 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE somedoc [ + <!ENTITY a "something"> + <!ENTITY b "&a;"> +]> + +<somedoc> + +<somebeacon someattribute="&b;"/> + +&a; should appear after colon: &a; +&b; should appear after colon: &a; +&a; should appear after colon: &b; +&b; should appear after colon: &b; + +</somedoc> -- 2.1.2 ++++++ libxml2-2.9.1.tar.gz -> libxml2-2.9.2.tar.gz ++++++ ++++ 57592 lines of diff (skipped) ++++++ libxml2-dont_initialize_catalog.patch ++++++ >From f65128f38289d77ff322d63aef2858cc0a819c34 Mon Sep 17 00:00:00 2001 From: Daniel Veillard <veill...@redhat.com> Date: Fri, 17 Oct 2014 17:13:41 +0800 Subject: Revert "Missing initialization for the catalog module" This reverts commit 054c716ea1bf001544127a4ab4f4346d1b9947e7. As this break xmlcatalog command https://bugzilla.redhat.com/show_bug.cgi?id=1153753 diff --git a/parser.c b/parser.c index 1d93967..67c9dfd 100644 --- a/parser.c +++ b/parser.c @@ -14830,9 +14830,6 @@ xmlInitParser(void) { #ifdef LIBXML_XPATH_ENABLED xmlXPathInit(); #endif -#ifdef LIBXML_CATALOG_ENABLED - xmlInitializeCatalog(); -#endif xmlParserInitialized = 1; #ifdef LIBXML_THREAD_ENABLED } -- cgit v0.10.1 ++++++ libxml2.keyring ++++++ pub 1024D/DE95BC1F 2000-05-31 uid [ unknown] Daniel Veillard (Red Hat work email) <veill...@redhat.com> uid [ unknown] Daniel Veillard <daniel.veill...@w3.org> sub 1024g/8B494005 2000-05-31 -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v2 mQGiBDk1EfQRBACMYQsU1LMs37qOMMJhTkfyb5aruPapu8ICNR4kNk36jT/ld7oN /0xtqM/e2S9VOzAd165POeEobxTXN234MOhj6PM9uJNOgAq1N1k1eWhGpVw2HIYs b40BHgKVf9mdrv7375L18Sb8qv3CcBhJfK8oW0Zv2oeruWFDpsMr9ULxxwCgmjap uDrJDZN7HEtOCcPF8CoNTG8D+wedGbKLvXg6NE5UyrkV3qfYwrPai84EsPY1VaWe mF+hPch+14r0CUIOVADX87HaIBsTmGZ/u6Ks9ZYALVZbwjQcyNp7MP4ZmvIpfHXd xgLJ+9DbKs6yTlgA1moUSERyfGq/kMC9nq3dVYgmYmxxRuO8/eVKufvStnxhIr/a v3o3A/0T4/hPXT2N4WCpvpCxKDIPy9/pqXcYjSEVbS1lfYP6zfxNDKwuF2j4gRWm unJnPowIGx0+Zhl1dc68B6QOgxqenJNkNbSKUUm23MlzSeT6zyyAJcXW///zxZ7t 7Yq4L9+X6FQtJ8D7kbcB/NQv93UqZKnUplD+35b/xM6zP6UqerQoRGFuaWVsIFZl aWxsYXJkIDxEYW5pZWwuVmVpbGxhcmRAdzMub3JnPoheBBMRAgAWBQI5NRH0BAsK BAMDFQMCAxYCAQIXgAASCRBGBril3pW8HwdlR1BHAAEBKNgAnRuDe5kcD79/3vhC 0jRUT7S4pGkMAJ9ORN7LL3LJHM45LM9yjIu68UOu7rQ6RGFuaWVsIFZlaWxsYXJk IChSZWQgSGF0IHdvcmsgZW1haWwpIDx2ZWlsbGFyZEByZWRoYXQuY29tPoheBBMR AgAeBQJDUpSLAhsDBgsJCAcDAgMVAgMDFgIBAh4BAheAAAoJEEYGuKXelbwfJcAA ni8XquAlSF6z8WnJwQ6I7yrVTA6IAJ9NnwyV+dwE1wkDg1eyogC6lcU8v7kBDQQ5 NRH8EAQA6raUOSvHFNG42i2tV40BREp+exkXNnTXKS6miTUtTNjvu5i0VDDHrkPy vaM8ILRng3jvRdDhhv/tVclHJZ7JylE//45a/1Xa5fl3Jk8vNDW5gy1PEwjAFBQU g375MbgeIpwwER+9c6UtsAMxYv2o03OIDyq7cLpJQo3p2G0OIUcAAwUEAMGyb7gN E1ryao3pM9KgK+/iwsAglaAQm8Wd/AdsAROH6Wy1dwQ2QcecJ4m9ffE1MhCRQo// 8VFGHFHS2C24MDsnOVIgEVnWbEIVMzp5vFfC+kIF7Rr9nq3Bgr4wHo6y+204GF1U c3r3Cb2Fn7YWmk1NnVJ6teellDsxT+7MvfM/iE4EGBECAAYFAjk1EfwAEgkQRga4 pd6VvB8HZUdQRwABATrDAJ48v66qkzGGLR2mH2C7SFw0y4OYSACghuQ7BYTNAlVF M7fTlvOUhgA69SI= =ao2X -----END PGP PUBLIC KEY BLOCK----- -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org