Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2014-11-06 16:49:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libxml2" Changes: -------- --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2014-10-19 19:27:55.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new/libxml2.changes 2014-11-06 16:49:40.000000000 +0100 @@ -1,0 +2,47 @@ +Mon Nov 3 17:13:24 UTC 2014 - vcizek@suse.com + +- fix a missing entities after CVE-2014-3660 fix + (https://bugzilla.gnome.org/show_bug.cgi?id=738805) + * added patches: + 0001-Fix-missing-entities-after-CVE-2014-3660-fix.patch + 0002-Adding-example-from-bugs-738805-to-regression-tests.patch + +------------------------------------------------------------------- +Mon Nov 3 10:01:23 UTC 2014 - vcizek@suse.com + +- fix a regression in libxml2 2.9.2 + * https://bugzilla.redhat.com/show_bug.cgi?id=1153753 +- add libxml2-dont_initialize_catalog.patch + +------------------------------------------------------------------- +Fri Oct 31 10:55:27 UTC 2014 - vcizek@suse.com + +- update to 2.9.2 + * drop libxml2-CVE-2014-3660.patch (upstream) + * add keyring to verify tarball + Security: + Fix for CVE-2014-3660 billion laugh variant + CVE-2014-0191 Do not fetch external parameter entities + Improvements: + win32/libxml2.def.src after rebuild in doc + elfgcchack.h: more legacy needs xmlSAX2StartElement() and xmlSAX2EndElement() + elfgcchack.h: add xmlXPathNodeEval and xmlXPathSetContextNode + Provide cmake module + Fix a couple of issues raised by make dist + Fix and add const qualifiers + Preparing for upcoming release of 2.9.2 + Fix zlib and lzma libraries check via command line + wrong error column in structured error when parsing end tag + doc/news.html: small update to avoid line join while generating NEWS. + Add methods for python3 iterator + Support element node traversal in document fragments + xmlNodeSetName: Allow setting the name to a substring of the currently set name + Added macros for argument casts + adding init calls to xml and html Read parsing entry points + Get rid of 'REPLACEMENT CHARACTER' Unicode chars in xmlschemas.c + Implement choice for name classes on attributes + Two small namespace tweaks + xmllint --memory should fail on empty files + Cast encoding name to char pointer to match arg type + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/libxml2/python-libxml2.changes 2013-07-08 07:14:41.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new/python-libxml2.changes 2014-11-06 16:49:40.000000000 +0100 @@ -1,0 +2,5 @@ +Fri Oct 31 10:55:27 UTC 2014 - vcizek@suse.com + +- Update to 2.9.2 version + +------------------------------------------------------------------- Old: ---- libxml2-2.9.1.tar.gz libxml2-CVE-2014-3660.patch New: ---- 0001-Fix-missing-entities-after-CVE-2014-3660-fix.patch 0002-Adding-example-from-bugs-738805-to-regression-tests.patch libxml2-2.9.2.tar.gz libxml2-2.9.2.tar.gz.asc libxml2-dont_initialize_catalog.patch libxml2.keyring ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxml2.spec ++++++ --- /var/tmp/diff_new_pack.fHeuZt/_old 2014-11-06 16:49:41.000000000 +0100 +++ /var/tmp/diff_new_pack.fHeuZt/_new 2014-11-06 16:49:41.000000000 +0100 @@ -19,7 +19,7 @@ %define lname libxml2-2 Name: libxml2 -Version: 2.9.1 +Version: 2.9.2 Release: 0 Summary: A Library to Manipulate XML Files License: MIT @@ -27,9 +27,13 @@ Url: http://xmlsoft.org # Source ftp://xmlsoft.org/libxml2/libxml2-git-snapshot.tar.gz changes every day Source: ftp://xmlsoft.org/libxml2/%{name}-%{version}.tar.gz +Source1: ftp://xmlsoft.org/libxml2/%{name}-%{version}.tar.gz.asc Source2: baselibs.conf +Source3: %{name}.keyring Patch0: fix-perl.diff -Patch1: libxml2-CVE-2014-3660.patch +Patch1: libxml2-dont_initialize_catalog.patch +Patch2: 0001-Fix-missing-entities-after-CVE-2014-3660-fix.patch +Patch3: 0002-Adding-example-from-bugs-738805-to-regression-tests.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: pkg-config BuildRequires: readline-devel @@ -125,6 +129,8 @@ %setup -q %patch0 %patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build %configure --disable-static \ @@ -183,6 +189,7 @@ %{_libdir}/libxml2.la %{_libdir}/*.sh %{_libdir}/pkgconfig/*.pc +%{_libdir}/cmake %doc %{_mandir}/man1/xml2-config.1* %doc %{_mandir}/man3/libxml.3* ++++++ python-libxml2.spec ++++++ --- /var/tmp/diff_new_pack.fHeuZt/_old 2014-11-06 16:49:41.000000000 +0100 +++ /var/tmp/diff_new_pack.fHeuZt/_new 2014-11-06 16:49:41.000000000 +0100 @@ -17,7 +17,7 @@ Name: python-libxml2 -Version: 2.9.1 +Version: 2.9.2 Release: 0 Summary: Python Bindings for libxml2 License: MIT ++++++ 0001-Fix-missing-entities-after-CVE-2014-3660-fix.patch ++++++
From 72a46a519ce7326d9a00f0b6a7f2a8e958cd1675 Mon Sep 17 00:00:00 2001 From: Daniel Veillard
Date: Thu, 23 Oct 2014 11:35:36 +0800 Subject: [PATCH 1/2] Fix missing entities after CVE-2014-3660 fix
For https://bugzilla.gnome.org/show_bug.cgi?id=738805 The fix for CVE-2014-3660 introduced a regression in some case where entity substitution is required and the entity is used first in anotther entity referenced from an attribute value --- parser.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/parser.c b/parser.c index 67c9dfd..a8d1b67 100644 --- a/parser.c +++ b/parser.c @@ -7235,7 +7235,8 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { * far more secure as the parser will only process data coming from * the document entity by default. */ - if ((ent->checked == 0) && + if (((ent->checked == 0) || + ((ent->children == NULL) && (ctxt->options & XML_PARSE_NOENT))) && ((ent->etype != XML_EXTERNAL_GENERAL_PARSED_ENTITY) || (ctxt->options & (XML_PARSE_NOENT | XML_PARSE_DTDVALID)))) { unsigned long oldnbent = ctxt->nbentities; -- 2.1.2 ++++++ 0002-Adding-example-from-bugs-738805-to-regression-tests.patch ++++++
From df23f584fda15955a0811bd768a8925eb98741c9 Mon Sep 17 00:00:00 2001 From: Daniel Veillard
Date: Thu, 23 Oct 2014 13:52:47 +0800 Subject: [PATCH 2/2] Adding example from bugs 738805 to regression tests
For https://bugzilla.gnome.org/show_bug.cgi?id=738805 Tortuous test case provided by pierre.labastie@neuf.fr --- result/ent_738805.xml | 15 +++++++++++ result/ent_738805.xml.rde | 15 +++++++++++ result/ent_738805.xml.rdr | 31 +++++++++++++++++++++ result/ent_738805.xml.sax | 66 +++++++++++++++++++++++++++++++++++++++++++++ result/ent_738805.xml.sax2 | 66 +++++++++++++++++++++++++++++++++++++++++++++ result/noent/ent_738805.xml | 15 +++++++++++ test/ent_738805.xml | 16 +++++++++++ 7 files changed, 224 insertions(+) create mode 100644 result/ent_738805.xml create mode 100644 result/ent_738805.xml.rde create mode 100644 result/ent_738805.xml.rdr create mode 100644 result/ent_738805.xml.sax create mode 100644 result/ent_738805.xml.sax2 create mode 100644 result/noent/ent_738805.xml create mode 100644 test/ent_738805.xml diff --git a/result/ent_738805.xml b/result/ent_738805.xml new file mode 100644 index 0000000..d285eee --- /dev/null +++ b/result/ent_738805.xml @@ -0,0 +1,15 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE somedoc [ +<!ENTITY a "something"> +<!ENTITY b "&a;"> +]> +<somedoc> + +<somebeacon someattribute="&b;"/> + +&a; should appear after colon: &a; +&b; should appear after colon: &a; +&a; should appear after colon: &b; +&b; should appear after colon: &b; + +</somedoc> diff --git a/result/ent_738805.xml.rde b/result/ent_738805.xml.rde new file mode 100644 index 0000000..fa086fe --- /dev/null +++ b/result/ent_738805.xml.rde @@ -0,0 +1,15 @@ +0 10 somedoc 0 0 +0 1 somedoc 0 0 +1 14 #text 0 1 + + +1 1 somebeacon 1 0 +1 3 #text 0 1 + +something should appear after colon: something +something should appear after colon: something +something should appear after colon: something +something should appear after colon: something + + +0 15 somedoc 0 0 diff --git a/result/ent_738805.xml.rdr b/result/ent_738805.xml.rdr new file mode 100644 index 0000000..c52dbf1 --- /dev/null +++ b/result/ent_738805.xml.rdr @@ -0,0 +1,31 @@ +0 10 somedoc 0 0 +0 1 somedoc 0 0 +1 14 #text 0 1 + + +1 1 somebeacon 1 0 +1 14 #text 0 1 + + +1 5 a 0 0 +1 3 #text 0 1 should appear after colon: +1 5 a 0 0 +1 14 #text 0 1 + +1 5 b 0 0 +1 3 #text 0 1 should appear after colon: +1 5 a 0 0 +1 14 #text 0 1 + +1 5 a 0 0 +1 3 #text 0 1 should appear after colon: +1 5 b 0 0 +1 14 #text 0 1 + +1 5 b 0 0 +1 3 #text 0 1 should appear after colon: +1 5 b 0 0 +1 14 #text 0 1 + + +0 15 somedoc 0 0 diff --git a/result/ent_738805.xml.sax b/result/ent_738805.xml.sax new file mode 100644 index 0000000..2649117 --- /dev/null +++ b/result/ent_738805.xml.sax @@ -0,0 +1,66 @@ +SAX.setDocumentLocator() +SAX.startDocument() +SAX.internalSubset(somedoc, , ) +SAX.entityDecl(a, 1, (null), (null), something) +SAX.getEntity(a) +SAX.entityDecl(b, 1, (null), (null), &a;) +SAX.getEntity(b) +SAX.externalSubset(somedoc, , ) +SAX.startElement(somedoc) +SAX.characters( + +, 2) +SAX.getEntity(b) +SAX.getEntity(a) +SAX.startElement(somebeacon, someattribute='&b;') +SAX.endElement(somebeacon) +SAX.characters( + +, 2) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.characters( should appear after colon: , 28) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.characters( +, 1) +SAX.getEntity(b) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.reference(b) +SAX.characters( should appear after colon: , 28) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.characters( +, 1) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.characters( should appear after colon: , 28) +SAX.getEntity(b) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.reference(b) +SAX.characters( +, 1) +SAX.getEntity(b) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.reference(b) +SAX.characters( should appear after colon: , 28) +SAX.getEntity(b) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.reference(b) +SAX.characters( + +, 2) +SAX.endElement(somedoc) +SAX.endDocument() diff --git a/result/ent_738805.xml.sax2 b/result/ent_738805.xml.sax2 new file mode 100644 index 0000000..1eae781 --- /dev/null +++ b/result/ent_738805.xml.sax2 @@ -0,0 +1,66 @@ +SAX.setDocumentLocator() +SAX.startDocument() +SAX.internalSubset(somedoc, , ) +SAX.entityDecl(a, 1, (null), (null), something) +SAX.getEntity(a) +SAX.entityDecl(b, 1, (null), (null), &a;) +SAX.getEntity(b) +SAX.externalSubset(somedoc, , ) +SAX.startElementNs(somedoc, NULL, NULL, 0, 0, 0) +SAX.characters( + +, 2) +SAX.getEntity(b) +SAX.getEntity(a) +SAX.startElementNs(somebeacon, NULL, NULL, 0, 1, 0, someattribute='&b;...', 3) +SAX.endElementNs(somebeacon, NULL, NULL) +SAX.characters( + +, 2) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.characters( should appear after colon: , 28) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.characters( +, 1) +SAX.getEntity(b) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.reference(b) +SAX.characters( should appear after colon: , 28) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.characters( +, 1) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.characters( should appear after colon: , 28) +SAX.getEntity(b) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.reference(b) +SAX.characters( +, 1) +SAX.getEntity(b) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.reference(b) +SAX.characters( should appear after colon: , 28) +SAX.getEntity(b) +SAX.getEntity(a) +SAX.characters(something, 9) +SAX.reference(a) +SAX.reference(b) +SAX.characters( + +, 2) +SAX.endElementNs(somedoc, NULL, NULL) +SAX.endDocument() diff --git a/result/noent/ent_738805.xml b/result/noent/ent_738805.xml new file mode 100644 index 0000000..5e44a55 --- /dev/null +++ b/result/noent/ent_738805.xml @@ -0,0 +1,15 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE somedoc [ +<!ENTITY a "something"> +<!ENTITY b "&a;"> +]> +<somedoc> + +<somebeacon someattribute="something"/> + +something should appear after colon: something +something should appear after colon: something +something should appear after colon: something +something should appear after colon: something + +</somedoc> diff --git a/test/ent_738805.xml b/test/ent_738805.xml new file mode 100644 index 0000000..9ec70b1 --- /dev/null +++ b/test/ent_738805.xml @@ -0,0 +1,16 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE somedoc [ + <!ENTITY a "something"> + <!ENTITY b "&a;"> +]> + +<somedoc> + +<somebeacon someattribute="&b;"/> + +&a; should appear after colon: &a; +&b; should appear after colon: &a; +&a; should appear after colon: &b; +&b; should appear after colon: &b; + +</somedoc> -- 2.1.2 ++++++ libxml2-2.9.1.tar.gz -> libxml2-2.9.2.tar.gz ++++++ ++++ 57592 lines of diff (skipped) ++++++ libxml2-dont_initialize_catalog.patch ++++++
From f65128f38289d77ff322d63aef2858cc0a819c34 Mon Sep 17 00:00:00 2001 From: Daniel Veillard
Date: Fri, 17 Oct 2014 17:13:41 +0800 Subject: Revert "Missing initialization for the catalog module"
This reverts commit 054c716ea1bf001544127a4ab4f4346d1b9947e7.
As this break xmlcatalog command
https://bugzilla.redhat.com/show_bug.cgi?id=1153753
diff --git a/parser.c b/parser.c
index 1d93967..67c9dfd 100644
--- a/parser.c
+++ b/parser.c
@@ -14830,9 +14830,6 @@ xmlInitParser(void) {
#ifdef LIBXML_XPATH_ENABLED
xmlXPathInit();
#endif
-#ifdef LIBXML_CATALOG_ENABLED
- xmlInitializeCatalog();
-#endif
xmlParserInitialized = 1;
#ifdef LIBXML_THREAD_ENABLED
}
--
cgit v0.10.1
++++++ libxml2.keyring ++++++
pub 1024D/DE95BC1F 2000-05-31
uid [ unknown] Daniel Veillard (Red Hat work email)