Hello community,

here is the log from the commit of package libxml2 for openSUSE:Factory checked 
in at 2016-06-12 18:51:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libxml2 (Old)
 and      /work/SRC/openSUSE:Factory/.libxml2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libxml2"

Changes:
--------
--- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes  2016-05-25 
21:21:24.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.libxml2.new/libxml2.changes     2016-06-12 
18:51:33.000000000 +0200
@@ -1,0 +2,19 @@
+Wed Jun  8 12:20:43 UTC 2016 - kstreit...@suse.com
+
+- add libxml2-2.9.4-fix_attribute_decoding.patch to fix attribute
+  decoding during XML schema validation [bnc#983288]
+
+-------------------------------------------------------------------
+Fri May 27 14:22:55 UTC 2016 - psim...@suse.com
+
+- Update libxml2 to version libxml2-2.9.4. The new version is
+  resistant against CVE-2016-3627, CVE-2016-1833, CVE-2016-1835,
+  CVE-2016-1837, CVE-2016-1836, CVE-2016-1839, CVE-2016-1838,
+  CVE-2016-1840, CVE-2016-4483, CVE-2016-1834, CVE-2016-3705, and
+  CVE-2016-1762.
+
+- Remove obsolete patches libxml2-2.9.1-CVE-2016-3627.patch,
+  0001-Add-missing-increments-of-recursion-depth-counter-to.patch,
+  and libxml2-2.9.3-bogus_UTF-8_encoding_error.patch.
+
+-------------------------------------------------------------------
--- /work/SRC/openSUSE:Factory/libxml2/python-libxml2.changes   2014-11-06 
16:49:40.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.libxml2.new/python-libxml2.changes      
2016-06-12 18:51:33.000000000 +0200
@@ -1,0 +2,9 @@
+Fri May 27 14:22:55 UTC 2016 - psim...@suse.com
+
+- Update python-libxml2 to version libxml2-2.9.4. The new version
+  is resistant against CVE-2016-3627, CVE-2016-1833, CVE-2016-1835,
+  CVE-2016-1837, CVE-2016-1836, CVE-2016-1839, CVE-2016-1838,
+  CVE-2016-1840, CVE-2016-4483, CVE-2016-1834, CVE-2016-3705, and
+  CVE-2016-1762.
+
+-------------------------------------------------------------------

Old:
----
  0001-Add-missing-increments-of-recursion-depth-counter-to.patch
  libxml2-2.9.1-CVE-2016-3627.patch
  libxml2-2.9.3-bogus_UTF-8_encoding_error.patch
  libxml2-2.9.3.tar.gz
  libxml2-2.9.3.tar.gz.asc

New:
----
  libxml2-2.9.4-fix_attribute_decoding.patch
  libxml2-2.9.4.tar.gz
  libxml2-2.9.4.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libxml2.spec ++++++
--- /var/tmp/diff_new_pack.cVKM0d/_old  2016-06-12 18:51:34.000000000 +0200
+++ /var/tmp/diff_new_pack.cVKM0d/_new  2016-06-12 18:51:34.000000000 +0200
@@ -18,7 +18,7 @@
 
 %define lname libxml2-2
 Name:           libxml2
-Version:        2.9.3
+Version:        2.9.4
 Release:        0
 Summary:        A Library to Manipulate XML Files
 License:        MIT
@@ -29,12 +29,8 @@
 Source2:        baselibs.conf
 Source3:        %{name}.keyring
 Patch0:         fix-perl.diff
-# PATCH-FIX-SUSE bnc#972335 psim...@suse.com -- CVE-2016-3627 - stack 
exhaustion while parsing xml files in recovery mode
-Patch1:         libxml2-2.9.1-CVE-2016-3627.patch
-# PATCH-FIX-SUSE bnc#975947 psim...@suse.com -- crash in xml validator
-Patch2:         0001-Add-missing-increments-of-recursion-depth-counter-to.patch
-# PATCH-FIX-UPSTREAM bnc#962796 kstreit...@suse.com -- parser fails with bogus 
UTF-8 encoding error
-Patch3:         libxml2-2.9.3-bogus_UTF-8_encoding_error.patch
+# PATCH-FIX-UPSTREAM bnc#983288 kstreit...@suse.com -- fix attribute decoding 
during XML schema validation
+Patch1:         libxml2-2.9.4-fix_attribute_decoding.patch
 BuildRequires:  fdupes
 BuildRequires:  pkg-config
 BuildRequires:  readline-devel
@@ -131,8 +127,6 @@
 %setup -q
 %patch0
 %patch1 -p1
-%patch2 -p1
-%patch3 -p1
 
 %build
 %configure --disable-static \

++++++ python-libxml2.spec ++++++
--- /var/tmp/diff_new_pack.cVKM0d/_old  2016-06-12 18:51:34.000000000 +0200
+++ /var/tmp/diff_new_pack.cVKM0d/_new  2016-06-12 18:51:34.000000000 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           python-libxml2
-Version:        2.9.3
+Version:        2.9.4
 Release:        0
 Summary:        Python Bindings for libxml2
 License:        MIT

++++++ libxml2-2.9.4-fix_attribute_decoding.patch ++++++
>From 256366ed60f8795279b25f7b7b55e8089b4c6ff4 Mon Sep 17 00:00:00 2001
From: Alex Henrie <alexhenri...@gmail.com>
Date: Thu, 26 May 2016 17:38:35 -0600
Subject: [PATCH] Fix attribute decoding during XML schema validation

For https://bugzilla.gnome.org/show_bug.cgi?id=766834

vctxt->parserCtxt is always NULL in xmlSchemaSAXHandleStartElementNs,
so this function can't call xmlStringLenDecodeEntities to decode the
entities.
---
 xmlschemas.c | 30 +++++++++++++++++++++++++-----
 1 file changed, 25 insertions(+), 5 deletions(-)

diff --git a/xmlschemas.c b/xmlschemas.c
index e1b3a4f..59535e5 100644
--- a/xmlschemas.c
+++ b/xmlschemas.c
@@ -27391,6 +27391,7 @@ xmlSchemaSAXHandleStartElementNs(void *ctx,
     * attributes yet.
     */
     if (nb_attributes != 0) {
+       int valueLen, k, l;
        xmlChar *value;
 
         for (j = 0, i = 0; i < nb_attributes; i++, j += 5) {
@@ -27400,12 +27401,31 @@ xmlSchemaSAXHandleStartElementNs(void *ctx,
            * libxml2 differs from normal SAX here in that it escapes all 
ampersands
            * as &#38; instead of delivering the raw converted string. Changing 
the
            * behavior at this point would break applications that use this 
API, so
-           * we are forced to work around it. There is no danger of 
accidentally
-           * decoding some entity other than &#38; in this step because without
-           * unescaped ampersands there can be no other entities in the string.
+           * we are forced to work around it.
            */
-           value = xmlStringLenDecodeEntities(vctxt->parserCtxt, 
attributes[j+3],
-               attributes[j+4] - attributes[j+3], XML_SUBSTITUTE_REF, 0, 0, 0);
+           valueLen = attributes[j+4] - attributes[j+3];
+           value = xmlMallocAtomic(valueLen + 1);
+           if (value == NULL) {
+               xmlSchemaVErrMemory(vctxt,
+                   "allocating string for decoded attribute",
+                   NULL);
+               goto internal_error;
+           }
+           for (k = 0, l = 0; k < valueLen; l++) {
+               if (k < valueLen - 4 &&
+                   attributes[j+3][k+0] == '&' &&
+                   attributes[j+3][k+1] == '#' &&
+                   attributes[j+3][k+2] == '3' &&
+                   attributes[j+3][k+3] == '8' &&
+                   attributes[j+3][k+4] == ';') {
+                   value[l] = '&';
+                   k += 5;
+               } else {
+                   value[l] = attributes[j+3][k];
+                   k++;
+               }
+           }
+           value[l] = '\0';
            /*
            * TODO: Set the node line.
            */
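Review bot: `valueLen` (declared `int` in the previous hunk) receives a pointer difference, so if a SAX caller ever handed over `attributes[j+4]` before `attributes[j+3]` the length would be negative, `xmlMallocAtomic(valueLen + 1)` would become a zero- or huge-size request, and `value[l] = '\0'` would write past a zero-length block; unless the SAX contract already guarantees ordered pointers, a guard such as `if (valueLen < 0) goto internal_error;` before the allocation makes the assumption explicit. The copy loop itself is bounds-safe: `k < valueLen - 4` leaves room for all five bytes of `&#38;`, and `l` can never exceed `valueLen`, so the terminator fits in the `valueLen + 1` allocation. The sentence dropped from the comment, explaining why only `&#38;` needs decoding, is worth keeping next to the loop, e.g. `/* Only the parser's "&#38;" escape is reversed here; every other byte is copied verbatim, so no other entity can be expanded. */`. xmlSchemaSAXHandleStartElementNs starts before the first hunk and continues past this one.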
-- 
2.8.3

++++++ libxml2-2.9.3.tar.gz -> libxml2-2.9.4.tar.gz ++++++
++++ 18058 lines of diff (skipped)

