commit libxml2.2842 for openSUSE:12.3:Update
Hello community,
here is the log from the commit of package libxml2.2842 for openSUSE:12.3:Update checked in at 2014-05-27 13:48:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/libxml2.2842 (Old)
and /work/SRC/openSUSE:12.3:Update/.libxml2.2842.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxml2.2842"
Changes:
--------
New Changes file:
--- /dev/null 2014-05-19 01:51:27.372033255 +0200
+++ /work/SRC/openSUSE:12.3:Update/.libxml2.2842.new/libxml2.changes 2014-05-27 13:48:51.000000000 +0200
@@ -0,0 +1,1647 @@
+-------------------------------------------------------------------
+Fri May 23 09:27:47 UTC 2014 - vcizek@suse.com
+
+- update the libxml2-CVE-2014-0191.patch, because it caused xmllint
+ breakage
+
+-------------------------------------------------------------------
+Wed May 7 10:48:11 UTC 2014 - vcizek@suse.com
+
+- fix for CVE-2014-0191 (bnc#876652)
+ * libxml2: external parameter entity loaded when entity
+ substitution is disabled
+ * added libxml2-CVE-2014-0191.patch
+
+-------------------------------------------------------------------
+Thu Jul 11 15:31:49 UTC 2013 - vcizek@suse.com
+
+- fix for CVE-2013-2877 (bnc#829077)
+ * added libxml2-CVE-2013-2877.patch
+
+-------------------------------------------------------------------
+Thu Apr 18 14:07:49 UTC 2013 - vcizek@suse.com
+
+- fix for CVE-2013-1969 (bnc#815665)
+ * libxml2-CVE-2013-1969.patch
+
+-------------------------------------------------------------------
+Thu Mar 7 13:28:59 UTC 2013 - vcizek@suse.com
+
+- fix for CVE-2013-0338 (bnc#805233)
+ libxml2-CVE-2013-0338-Detect-excessive-entities-expansion-upon-replacement.patch
+
+-------------------------------------------------------------------
+Sat Dec 15 15:55:26 UTC 2012 - p.drouand@gmail.com
+
+- update to 2.9.0 version:
+ * please see the Changelog
+- Updated patchs to get working with new version:
+ * libxml2-2.9.0-CVE-2012-5134.patch ( libxml2-CVE-2012-5134.patch )
+ * fix-perl.diff
+
+-------------------------------------------------------------------
+Fri Dec 7 10:49:11 UTC 2012 - vcizek@suse.com
+
+- Add libxml2-CVE-2012-5134.patch to fix CVE-2012-5134 (bnc#793334)
+
+-------------------------------------------------------------------
+Sun Sep 23 19:40:30 UTC 2012 - dimstar@opensuse.org
+
+- Add a comment next to libxml2.la to make sure that anybody
+ removing it knows why it's there and reconsiders.
+
+-------------------------------------------------------------------
+Sun Sep 23 19:28:04 UTC 2012 - coolo@suse.com
+
+- readd .la file, python-libxml2 needs it
+
+-------------------------------------------------------------------
+Fri Sep 21 18:04:16 UTC 2012 - jengelh@inai.de
+
+- Remove .la files; make sure installation succeeds for
+ Fedora_17 target
+
+-------------------------------------------------------------------
+Tue Jun 12 18:10:07 UTC 2012 - chris@computersalat.de
+
+- update to 2.8.0
+ * please se ChangeLog for more info
+- remove obsolete bigendian64 patch
+- rebase fix-perl patch
+
+-------------------------------------------------------------------
+Sun Mar 11 21:00:19 UTC 2012 - jengelh@medozas.de
+
+- libxml2-2 should not require libxml2-tools. There is no trouble
+ expected, since attempting to install libxml2 will already pull
+ in libxml2-tools due to Provides tags.
+
+-------------------------------------------------------------------
+Mon Mar 5 10:18:12 UTC 2012 - coolo@suse.com
+
+- revert the two commits that broke perl-XML-LibXML's test case,
+ I hope the two upstreams will figure it out
+
+-------------------------------------------------------------------
+Fri Mar 2 16:47:56 UTC 2012 - coolo@suse.com
+
+- update to git to fix some issues
+ * Fix a logic error in Schemas Component ConstraintsHEADmaster
+ * Fix a wrong enum type use in Schemas Types
+
+-------------------------------------------------------------------
+Thu Mar 1 18:36:33 CET 2012 - meissner@suse.de
+
+- fixed a 64bit big endian bug in the file reader.
+
+-------------------------------------------------------------------
+Sat Feb 25 13:50:54 UTC 2012 - coolo@suse.com
+
+- the fallout of requiring libxml2-tools as explicit buildrequire
+ is just too large, so avoid it for now and create a cycle between
+ libxml2-2 and libxml2-tools
+
+-------------------------------------------------------------------
+Sat Feb 25 08:09:00 UTC 2012 - coolo@suse.com
+
+- add provide for the old name to fix packages with explicit
+ library dependency
+
+-------------------------------------------------------------------
+Thu Feb 23 10:42:16 UTC 2012 - coolo@suse.com
+
+- update to today's GIT snapshot:
+ include XZ support
+- split libxml2-2 according to shared library policy
+
+-------------------------------------------------------------------
+Mon Dec 26 17:08:52 UTC 2011 - jengelh@medozas.de
+
+- Remove redundant tags/sections
+
+-------------------------------------------------------------------
+Wed Dec 21 10:24:19 UTC 2011 - coolo@suse.com
+
+- add autoconf as buildrequire to avoid implicit dependency
+
+-------------------------------------------------------------------
+Tue Dec 20 11:05:01 UTC 2011 - coolo@suse.com
+
+- own aclocal directory, there is no other reason to buildrequire
+ automake
+
+-------------------------------------------------------------------
+Fri Jul 8 08:52:06 UTC 2011 - saschpe@suse.de
+
+- update to libxml-2.7.8+git20110708
+ - several important bugfixes
+- drop upstreamed patches:
+ * libxml2-CVE-2010-4494.patch
+ * libxml2-CVE-2011-1944.patch
+ * noxref.patch
+ * symbol-versioning.patch
+
+-------------------------------------------------------------------
+Wed Jun 29 09:05:59 UTC 2011 - puzel@novell.com
+
+- add libxml2-CVE-2011-1944.patch (bnc#697372)
+
+-------------------------------------------------------------------
+Sun Jun 5 21:36:07 UTC 2011 - cshorler@googlemail.com
+
+- add symbol-versioning.patch to restore 11.3 versioned symbols
+
+-------------------------------------------------------------------
+Mon Jan 3 09:21:20 UTC 2011 - puzel@novell.com
+
+- add libxml2-CVE-2010-4494.patch (bnc#661471)
+
+-------------------------------------------------------------------
+Fri Dec 3 12:09:40 UTC 2010 - puzel@novell.com
+
+- update to libxml-2.7.8
+ - number of bufixes, documentation and portability fixes
+ - update language ID parser to RFC 5646
+ - sort python generated stubs
+ - add an HTML parser option to avoid a default doctype
+ - see http://xmlsoft.org/news.html for exact details
+- drop libxml2-xpath-ns-attr-axis.patch (in upstream)
+- clean up specfile
+
+-------------------------------------------------------------------
+Mon Nov 1 10:00:04 UTC 2010 - puzel@novell.com
+
+- add libxml2-xpath-ns-attr-axis.patch (bnc#648277)
+
+-------------------------------------------------------------------
+Sat Oct 30 22:45:22 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- Use --disable-static
+
+-------------------------------------------------------------------
+Mon Sep 20 11:36:31 UTC 2010 - puzel@novell.com
+
+- drop libxml2-largefile64.patch (revert last change)
+ - the issue is fixed in zlib
+
+-------------------------------------------------------------------
+Fri Sep 17 16:28:46 UTC 2010 - puzel@novell.com
+
+- add libxml2-largefile64.patch (fixes build)
+ - debian bug#439843
+
+-------------------------------------------------------------------
+Wed Jul 14 20:05:00 UTC 2010 - jw@novell.com
+
+- added noxref.patch,
+ this implements a new --noxref option, which turns
++++ 1450 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.3:Update/.libxml2.2842.new/libxml2.changes
New Changes file:
--- /dev/null 2014-05-19 01:51:27.372033255 +0200
+++ /work/SRC/openSUSE:12.3:Update/.libxml2.2842.new/python-libxml2.changes 2014-05-27 13:48:51.000000000 +0200
@@ -0,0 +1,1489 @@
+-------------------------------------------------------------------
+Sat Dec 15 15:55:26 UTC 2012 - p.drouand@gmail.com
+
+- update to 2.9.0 version:
+ * please see the Changelog
+- Updated patchs to get working with new version:
+ * libxml2-2.9.0-CVE-2012-5134.patch ( libxml2-CVE-2012-5134.patch )
+ * fix-perl.diff
+
+-------------------------------------------------------------------
+Tue Jun 12 18:10:07 UTC 2012 - chris@computersalat.de
+
+- update to 2.8.0
+ * please see ChangeLog for more info
+
+-------------------------------------------------------------------
+Sat Feb 25 08:47:58 UTC 2012 - coolo@suse.com
+
+- fix version
+
+-------------------------------------------------------------------
+Thu Feb 23 11:00:21 UTC 2012 - coolo@suse.com
+
+- renamed to python-libxml2 to follow python naming expectations
+- do not require python but let rpm figure it out
+
+-------------------------------------------------------------------
+Mon Dec 26 17:08:59 UTC 2011 - jengelh@medozas.de
+
+- Remove redundant tags/sections
+
+-------------------------------------------------------------------
+Fri Jul 8 08:52:06 UTC 2011 - saschpe@suse.de
+
+- update to libxml-2.7.8+git20110708
+ - several important bugfixes
+
+-------------------------------------------------------------------
+Mon Dec 6 09:05:53 UTC 2010 - coolo@novell.com
+
+- buildrequire python-xml to fix build
+
+-------------------------------------------------------------------
+Fri Dec 3 12:24:42 UTC 2010 - puzel@novell.com
+
+- update to libxml-2.7.8
+ - number of bufixes, documentation and portability fixes
+ - update language ID parser to RFC 5646
+ - sort python generated stubs
+ - add an HTML parser option to avoid a default doctype
+ - see http://xmlsoft.org/news.html for exact details
+- clean up specfile
+
+-------------------------------------------------------------------
+Wed Apr 7 16:34:29 UTC 2010 - coolo@novell.com
+
+- fix build
+
+-------------------------------------------------------------------
+Tue Mar 23 23:46:00 CET 2010 - mrdocs@opensuse.org
+
+- update to 2.7.7
+- add extra options to ./configure for scribus features and avoid a crash
+- updates from 2.7.3 > 2.7.7 include a number of portability, correctness
+ memory leaks and build fixes including some CVE
+- see http://xmlsoft.org/news.html for exact details
+
+-------------------------------------------------------------------
+Tue Dec 15 12:19:16 CET 2009 - jengelh@medozas.de
+
+- enable parallel building
+
+-------------------------------------------------------------------
+Thu Mar 19 10:16:50 CET 2009 - prusnak@suse.cz
+
+- updated to 2.7.2
+ * Portability fix: fix solaris compilation problem,
+ fix compilation if XPath is not configured in
+ * Bug fixes: nasty entity bug introduced in 2.7.0, restore old
+ behaviour when saving an HTML doc with an xml dump function,
+ HTML UTF-8 parsing bug, fix reader custom error handlers
+ (Riccardo Scussat)
+ * Improvement: xmlSave options for more flexibility to save
+ as XML/HTML/XHTML, handle leading BOM in HTML documents
+- updated to 2.7.3
+ * Build fix: fix build when HTML support is not included.
+ * Bug fixes: avoid memory overflow in gigantic text nodes,
+ indentation problem on the writed (Rob Richards),
+ xmlAddChildList pointer problem (Rob Richards and Kevin Milburn),
+ xmlAddChild problem with attribute (Rob Richards and Kris Breuker),
+ avoid a memory leak in an edge case (Daniel Zimmermann),
+ deallocate some pthread data (Alex Ott).
+ * Improvements: configure option to avoid rebuilding docs
+ (Adrian Bunk), limit text nodes to 10MB max by default,
+ add element traversal APIs, add a parser option to enable
+ pre 2.7 SAX behavior (Rob Richards),
+ add gcc malloc checking (Marcus Meissner),
+ add gcc printf like functions parameters checking (Marcus Meissner).
+- dropped obsoleted patches:
+ * alloc_size.patch (mainline)
+ * CVE-2008-4225.patch (mainline)
+ * CVE-2008-4226.patch (mainline)
+ * CVE-2008-4409.patch (mainline)
+ * oldsax.patch (mainline)
+ * pritnf.patch (mainline)
+ * xmlsave.patch (mainline)
+
+-------------------------------------------------------------------
+Mon Jan 12 17:21:59 CET 2009 - prusnak@suse.cz
+
+- added oldsax.patch to enable pre 2.7.0 sax behaviour [bnc#457056]
+
+-------------------------------------------------------------------
+Wed Dec 10 12:34:56 CET 2008 - olh@suse.de
+
+- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade
+ (bnc#437293)
+
+-------------------------------------------------------------------
+Tue Nov 25 16:00:27 CET 2008 - prusnak@suse.cz
+
+- fix broken xmlsave (xmlsave.patch) [bnc#437203]
+
+-------------------------------------------------------------------
+Tue Nov 18 16:24:39 CET 2008 - prusnak@suse.cz
+
+- fixed CVE-2008-4225 [bnc#445677]
+
+-------------------------------------------------------------------
+Thu Nov 6 12:02:25 CET 2008 - prusnak@suse.cz
+
+- fixed CVE-2008-4226 [bnc#441368]
+
+-------------------------------------------------------------------
+Thu Oct 30 12:34:56 CET 2008 - olh@suse.de
+
+- obsolete old -XXbit packages (bnc#437293)
+
+-------------------------------------------------------------------
+Mon Oct 6 14:50:38 CEST 2008 - prusnak@suse.cz
+
+- fixed CVE-2008-4409 [bnc#432486]
+
+-------------------------------------------------------------------
+Tue Sep 9 17:01:12 CEST 2008 - meissner@suse.de
+
+- added GCC attribute alloc_size markup (alloc_size.patch)
+
+-------------------------------------------------------------------
+Wed Sep 3 16:58:23 CEST 2008 - prusnak@suse.cz
+
+- updated to 2.7.1
+ * Portability fix: Borland C fix (Moritz Both)
+ * Bug fixes: python serialization wrappers, XPath QName corner
+ case handking and leaks (Martin)
+ * Improvement: extend the xmlSave to handle HTML documents and trees
+ * Cleanup: python serialization wrappers
+
+-------------------------------------------------------------------
+Wed Sep 3 16:57:46 CEST 2008 - prusnak@suse.cz
+
+- updated to 2.7.0
+ * Documentation: switch ChangeLog to UTF-8, improve mutithreads and
+ xmlParserCleanup docs
+ * Portability fixes: Older Win32 platforms (Rob Richards), MSVC
+ porting fix (Rob Richards), Mac OS X regression tests (Sven Herzberg),
+ non GNUCC builds (Rob Richards), compilation on Haiku (Andreas Färber)
+ * Bug fixes: various realloc problems (Ashwin), potential double-free
+ (Ashwin), regexp crash, icrash with invalid whitespace facets (Rob
+ Richards), pattern fix when streaming (William Brack), various XML
+ parsing and validation fixes based on the W3C regression tests, reader
+ tree skipping function fix (Ashwin), Schemas regexps escaping fix
+ (Volker Grabsch), handling of entity push errors (Ashwin), fix a slowdown
+ when encoder cant serialize characters on output
+ * Code cleanup: compilation fix without the reader, without the output
+ (Robert Schwebel), python whitespace (Martin), many space/tabs cleanups,
+ serious cleanup of the entity handling code
+ * Improvement: switch parser to XML-1.0 5th edition, add parsing flags
+ for old versions, switch URI parsing to RFC 3986,
+ add xmlSchemaValidCtxtGetParserCtxt (Holger Kaelberer),
+ new hashing functions for dictionnaries (based on Stefan Behnel work),
+ improve handling of misplaced html/head/body in HTML parser, better
+ regression test tools and code coverage display, better algorithms
+ to detect various versions of the billion laughts attacks, make
+ arbitrary parser limits avoidable as a parser option
+- dropped obsoleted patches:
+ * billion-laughs.patch (included in update)
+
+-------------------------------------------------------------------
+Wed Aug 13 12:05:08 CEST 2008 - prusnak@suse.cz
+
+- fixed billion laughs vulnerability (billion-laughs.patch) [bnc#415371]
+
+-------------------------------------------------------------------
+Fri Apr 11 14:34:30 CEST 2008 - prusnak@suse.cz
+
+- updated to 2.6.32
++++ 1292 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.3:Update/.libxml2.2842.new/python-libxml2.changes
New:
----
baselibs.conf
fix-perl.diff
libxml2-2.9.0-CVE-2012-5134.patch
libxml2-2.9.0.tar.gz
libxml2-CVE-2013-0338-Detect-excessive-entities-expansion-upon-replacement.patch
libxml2-CVE-2013-1969.patch
libxml2-CVE-2013-2877.patch
libxml2-CVE-2014-0191.patch
libxml2.changes
libxml2.spec
python-libxml2.changes
python-libxml2.spec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libxml2.spec ++++++
#
# spec file for package libxml2
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
%define lname libxml2-2
Name: libxml2
Version: 2.9.0
Release: 0
Summary: A Library to Manipulate XML Files
License: MIT
Group: System/Libraries
Url: http://xmlsoft.org
# Source ftp://xmlsoft.org/libxml2/libxml2-git-snapshot.tar.gz changes every day
Source: ftp://xmlsoft.org/libxml2/%{name}-%{version}.tar.gz
Source2: baselibs.conf
Patch0: fix-perl.diff
# PATCH-FIX-UPSTREAM CVE-2012-5134 (bnc#793334)
Patch1: libxml2-2.9.0-CVE-2012-5134.patch
Patch4: libxml2-CVE-2013-0338-Detect-excessive-entities-expansion-upon-replacement.patch
Patch5: libxml2-CVE-2013-1969.patch
Patch6: libxml2-CVE-2013-2877.patch
Patch7: libxml2-CVE-2014-0191.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: pkg-config
BuildRequires: readline-devel
BuildRequires: xz-devel
BuildRequires: zlib-devel
%description
The XML C library was initially developed for the GNOME project. It is
now used by many programs to load and save extensible data structures
or manipulate any kind of XML files.
This library implements a number of existing standards related to
markup languages, including the XML standard, name spaces in XML, XML
Base, RFC 2396, XPath, XPointer, HTML4, XInclude, SGML catalogs, and
XML catalogs. In most cases, libxml tries to implement the
specification in a rather strict way. To some extent, it provides
support for the following specifications, but does not claim to
implement them: DOM, FTP client, HTTP client, and SAX.
The library also supports RelaxNG. Support for W3C XML Schemas is in
progress.
%package -n %lname
Summary: A Library to Manipulate XML Files
Group: System/Libraries
%description -n %lname
The XML C library was initially developed for the GNOME project. It is
now used by many programs to load and save extensible data structures
or manipulate any kind of XML files.
This library implements a number of existing standards related to
markup languages, including the XML standard, name spaces in XML, XML
Base, RFC 2396, XPath, XPointer, HTML4, XInclude, SGML catalogs, and
XML catalogs. In most cases, libxml tries to implement the
specification in a rather strict way. To some extent, it provides
support for the following specifications, but does not claim to
implement them: DOM, FTP client, HTTP client, and SAX.
The library also supports RelaxNG. Support for W3C XML Schemas is in
progress.
%package tools
Summary: Tools using libxml
Group: System/Libraries
Provides: %{name} = %{version}-%{release}
Obsoletes: %{name} < %{version}-%{release}
%description tools
This package contains xmllint, a very useful tool proving libxml's power.
%package devel
Summary: Include Files and Libraries mandatory for Development
Group: Development/Libraries/C and C++
Requires: %{lname} = %{version}
Requires: %{name}-tools = %{version}
Requires: glibc-devel
Requires: readline-devel
Requires: xz-devel
Requires: zlib-devel
# bug437293
%ifarch ppc64
Obsoletes: libxml2-devel-64bit
%endif
%description devel
This package contains all necessary include files and libraries needed
to develop applications that require these.
%package doc
Summary: A Library to Manipulate XML Files
Group: System/Libraries
Requires: %{lname} = %{version}
BuildArch: noarch
%description doc
The XML C library was initially developed for the GNOME project. It is
now used by many programs to load and save extensible data structures
or manipulate any kind of XML files.
This library implements a number of existing standards related to
markup languages, including the XML standard, name spaces in XML, XML
Base, RFC 2396, XPath, XPointer, HTML4, XInclude, SGML catalogs, and
XML catalogs. In most cases, libxml tries to implement the
specification in a rather strict way. To some extent, it provides
support for the following specifications, but does not claim to
implement them: DOM, FTP client, HTTP client, and SAX.
The library also supports RelaxNG. Support for W3C XML Schemas is in
progress.
%prep
%setup -q
%patch0
%patch1 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%build
%configure --disable-static \
--docdir=%_docdir/%name \
--with-html-dir=%_docdir/%name/html \
--with-fexceptions \
--with-history \
--without-python \
--enable-ipv6 \
--with-sax1 \
--with-regexps \
--with-threads \
--with-reader \
--with-http
make %{?_smp_mflags} BASE_DIR="%_docdir" DOC_MODULE="%name"
%install
make install DESTDIR="%buildroot" BASE_DIR="%_docdir" DOC_MODULE="%name"
mkdir -p "%buildroot/%_docdir/%name"
cp -a AUTHORS NEWS README COPYING* Copyright TODO* %{buildroot}%{_docdir}/%{name}/
ln -s libxml2/libxml %{buildroot}%{_includedir}/libxml
%check
# qemu-arm can't keep up atm, disabling check for arm
%ifnarch %arm
make check
%endif
%post -n %lname -p /sbin/ldconfig
%postun -n %lname -p /sbin/ldconfig
%files -n %lname
%defattr(-, root, root)
%{_libdir}/lib*.so.*
%doc %dir %{_docdir}/%{name}
%doc %{_docdir}/%{name}/[ANRCT]*
%files tools
%defattr(-, root, root)
%{_bindir}/xmllint
%{_bindir}/xmlcatalog
%doc %{_mandir}/man1/xmllint.1*
%doc %{_mandir}/man1/xmlcatalog.1*
%files devel
%defattr(-, root, root)
%{_bindir}/xml2-config
%dir %{_datadir}/aclocal
%{_datadir}/aclocal/libxml.m4
%{_includedir}/libxml
%{_includedir}/libxml2
%{_libdir}/lib*.so
# libxml2.la is needed for the python-libxml2 build. Deleting it breaks build of python-libxml2.
%{_libdir}/libxml2.la
%{_libdir}/*.sh
%{_libdir}/pkgconfig/*.pc
%doc %{_mandir}/man1/xml2-config.1*
%doc %{_mandir}/man3/libxml.3*
%files doc
%defattr(-, root, root)
%{_datadir}/gtk-doc/html/*
%doc %{_docdir}/%{name}/examples
%doc %{_docdir}/%{name}/html
# owning these directories prevents gtk-doc <-> libxml2 build loop:
%dir %{_datadir}/gtk-doc
%dir %{_datadir}/gtk-doc/html
%changelog
++++++ python-libxml2.spec ++++++
#
# spec file for package python-libxml2
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: python-libxml2
Version: 2.9.0
Release: 0
Summary: Python Bindings for libxml2
License: MIT
Group: Development/Libraries/Python
Url: http://xmlsoft.org
Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: libxml2-devel
BuildRequires: python-devel
BuildRequires: python-xml
Requires: libxml2-2 = %{version}
# Uncomment to save space:
#NoSource: 0
Obsoletes: libxml2-python < %{version}
Provides: libxml2-python = %{version}
%description
The libxml2-python package contains a module that permits applications
written in the Python programming language to use the interface
supplied by the libxml2 library to manipulate XML files.
This library allows manipulation of XML files. It includes support for
reading, modifying, and writing XML and HTML files. There is DTD
support that includes parsing and validation even with complex DTDs,
either at parse time or later once the document has been modified.
%prep
%setup -q -n libxml2-%{version}
%build
# workaround for bnc#310196
%ifarch s390 s390x
export RPM_OPT_FLAGS=${RPM_OPT_FLAGS/-O2/-O1}
%endif
export CFLAGS="%{optflags} -fno-strict-aliasing"
%configure \
--with-fexceptions \
--with-history \
--enable-ipv6 \
--with-sax1 \
--with-regexps \
--with-threads \
--with-reader \
--with-http
# use libxml2 as built by libxml2 source package
mkdir .libs
cp -v %{_libdir}/libxml2.la .
make -C python %{?_smp_mflags}
%install
make -C python install \
DESTDIR=%{buildroot} \
pythondir=%{py_sitedir} \
PYTHON_SITE_PACKAGES=%{py_sitedir}
chmod a-x python/tests/*.py
# Unwanted doc stuff
rm -fr %{buildroot}%{_datadir}/doc
rm -f python/tests/Makefile*
# #223696
rm -f %{buildroot}%{py_sitedir}/*.{la,a}
%files
%defattr(-, root, root)
%doc python/TODO
%doc python/libxml2class.txt
%doc python/tests
%{py_sitedir}/*
%changelog
++++++ baselibs.conf ++++++
libxml2-2
libxml2-devel
requires -libxml2-<targettype>
requires "libxml2-2-<targettype> = <version>"
++++++ fix-perl.diff ++++++
commit 77b77b1301e052d90e6a0967534a698506afcd86
Author: Daniel Veillard
From 23f05e0c33987d6605387b300c4be5da2120a7ab Mon Sep 17 00:00:00 2001 From: Daniel Veillard
Date: Tue, 19 Feb 2013 10:21:49 +0800 Subject: [PATCH] Detect excessive entities expansion upon replacement
If entities expansion in the XML parser is asked for, it is possble to craft relatively small input document leading to excessive on-the-fly content generation. This patch accounts for those replacement and stop parsing after a given threshold. it can be bypassed as usual with the HUGE parser option. --- include/libxml/parser.h | 1 + parser.c | 44 ++++++++++++++++++++++++++++++++++++++------ parserInternals.c | 2 ++ 3 files changed, 41 insertions(+), 6 deletions(-) diff --git a/include/libxml/parser.h b/include/libxml/parser.h index e1346e4..3f5730d 100644 --- a/include/libxml/parser.h +++ b/include/libxml/parser.h @@ -310,6 +310,7 @@ struct _xmlParserCtxt { xmlParserNodeInfo *nodeInfoTab; /* array of nodeInfos */ int input_id; /* we need to label inputs */ + unsigned long sizeentcopy; /* volume of entity copy */ }; /** diff --git a/parser.c b/parser.c index 91f8c90..ddf3b5b 100644 --- a/parser.c +++ b/parser.c @@ -122,7 +122,7 @@ xmlCreateEntityParserCtxtInternal(const xmlChar *URL, const xmlChar *ID, */ static int xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, - xmlEntityPtr ent) + xmlEntityPtr ent, size_t replacement) { size_t consumed = 0; @@ -130,7 +130,24 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, return (0); if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP) return (1); - if (size != 0) { + if (replacement != 0) { + if (replacement < XML_MAX_TEXT_LENGTH) + return(0); + + /* + * If the volume of entity copy reaches 10 times the + * amount of parsed data and over the large text threshold + * then that's very likely to be an abuse. + */ + if (ctxt->input != NULL) { + consumed = ctxt->input->consumed + + (ctxt->input->cur - ctxt->input->base); + } + consumed += ctxt->sizeentities; + + if (replacement < XML_PARSER_NON_LINEAR * consumed) + return(0); + } else if (size != 0) { /* * Do the check based on the replacement size of the entity */ @@ -176,7 +193,6 @@ xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size, */ return (0); } - xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL); return (1); } @@ -2743,7 +2759,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, while (*current != 0) { /* non input consuming loop */ buffer[nbchars++] = *current++; if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { - if (xmlParserEntityCheck(ctxt, nbchars, ent)) + if (xmlParserEntityCheck(ctxt, nbchars, ent, 0)) goto int_error; growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } @@ -2785,7 +2801,7 @@ xmlStringLenDecodeEntities(xmlParserCtxtPtr ctxt, const xmlChar *str, int len, while (*current != 0) { /* non input consuming loop */ buffer[nbchars++] = *current++; if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) { - if (xmlParserEntityCheck(ctxt, nbchars, ent)) + if (xmlParserEntityCheck(ctxt, nbchars, ent, 0)) goto int_error; growBuffer(buffer, XML_PARSER_BUFFER_SIZE); } @@ -7203,7 +7219,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { xmlFreeNodeList(list); return; } - if (xmlParserEntityCheck(ctxt, 0, ent)) { + if (xmlParserEntityCheck(ctxt, 0, ent, 0)) { xmlFreeNodeList(list); return; } @@ -7361,6 +7377,13 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { xmlNodePtr nw = NULL, cur, firstChild = NULL; /* + * We are copying here, make sure there is no abuse + */ + ctxt->sizeentcopy += ent->length; + if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) + return; + + /* * when operating on a reader, the entities definitions * are always owning the entities subtree. if (ctxt->parseMode == XML_PARSE_READER) @@ -7400,6 +7423,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) { } else if ((list == NULL) || (ctxt->inputNr > 0)) { xmlNodePtr nw = NULL, cur, next, last, firstChild = NULL; + + /* + * We are copying here, make sure there is no abuse + */ + ctxt->sizeentcopy += ent->length; + if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy)) + return; + /* * Copy the entity child list and make it the new * entity child list. The goal is to make sure any @@ -14767,6 +14798,7 @@ xmlCtxtReset(xmlParserCtxtPtr ctxt) ctxt->catalogs = NULL; ctxt->nbentities = 0; ctxt->sizeentities = 0; + ctxt->sizeentcopy = 0; xmlInitNodeInfoSeq(&ctxt->node_seq); if (ctxt->attsDefault != NULL) { diff --git a/parserInternals.c b/parserInternals.c index 02032d5..f8a7041 100644 --- a/parserInternals.c +++ b/parserInternals.c @@ -1719,6 +1719,8 @@ xmlInitParserCtxt(xmlParserCtxtPtr ctxt) ctxt->charset = XML_CHAR_ENCODING_UTF8; ctxt->catalogs = NULL; ctxt->nbentities = 0; + ctxt->sizeentities = 0; + ctxt->sizeentcopy = 0; ctxt->input_id = 1; xmlInitNodeInfoSeq(&ctxt->node_seq); return(0); -- 1.7.10.4 ++++++ libxml2-CVE-2013-1969.patch ++++++
From de0cc20c29cb3f056062925395e0f68d2250a46f Mon Sep 17 00:00:00 2001 From: Daniel Veillard
Date: Tue, 12 Feb 2013 08:55:34 +0000 Subject: Fix some buffer conversion issues
https://bugzilla.gnome.org/show_bug.cgi?id=690202
Buffer overflow errors originating from xmlBufGetInputBase in 2.9.0
The pointers from the context input were not properly reset after
that call which can do reallocations.
---
diff --git a/HTMLparser.c b/HTMLparser.c
index a533f37..6b83654 100644
--- a/HTMLparser.c
+++ b/HTMLparser.c
@@ -6054,6 +6054,8 @@ htmlParseChunk(htmlParserCtxtPtr ctxt, const char *chunk, int size,
if ((in->encoder != NULL) && (in->buffer != NULL) &&
(in->raw != NULL)) {
int nbchars;
+ size_t base = xmlBufGetInputBase(in->buffer, ctxt->input);
+ size_t current = ctxt->input->cur - ctxt->input->base;
nbchars = xmlCharEncInput(in);
if (nbchars < 0) {
@@ -6061,6 +6063,7 @@ htmlParseChunk(htmlParserCtxtPtr ctxt, const char *chunk, int size,
"encoder error\n", NULL, NULL);
return(XML_ERR_INVALID_ENCODING);
}
+ xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);
}
}
}
diff --git a/parser.c b/parser.c
index 31f90d6..1c99051 100644
--- a/parser.c
+++ b/parser.c
@@ -12126,7 +12126,7 @@ xmldecl_done:
remain = 0;
}
}
- res =xmlParserInputBufferPush(ctxt->input->buf, size, chunk);
+ res = xmlParserInputBufferPush(ctxt->input->buf, size, chunk);
if (res < 0) {
ctxt->errNo = XML_PARSER_EOF;
ctxt->disableSAX = 1;
@@ -12143,6 +12143,8 @@ xmldecl_done:
if ((in->encoder != NULL) && (in->buffer != NULL) &&
(in->raw != NULL)) {
int nbchars;
+ size_t base = xmlBufGetInputBase(in->buffer, ctxt->input);
+ size_t current = ctxt->input->cur - ctxt->input->base;
nbchars = xmlCharEncInput(in);
if (nbchars < 0) {
@@ -12151,6 +12153,7 @@ xmldecl_done:
"xmlParseChunk: encoder error\n");
return(XML_ERR_INVALID_ENCODING);
}
+ xmlBufSetInputBaseCur(in->buffer, ctxt->input, base, current);
}
}
}
@@ -12190,7 +12193,14 @@ xmldecl_done:
}
if ((end_in_lf == 1) && (ctxt->input != NULL) &&
(ctxt->input->buf != NULL)) {
+ size_t base = xmlBufGetInputBase(ctxt->input->buf->buffer,
+ ctxt->input);
+ size_t current = ctxt->input->cur - ctxt->input->base;
+
xmlParserInputBufferPush(ctxt->input->buf, 1, "\r");
+
+ xmlBufSetInputBaseCur(ctxt->input->buf->buffer, ctxt->input,
+ base, current);
}
if (terminate) {
/*
--
cgit v0.9.1
++++++ libxml2-CVE-2013-2877.patch ++++++
commit e50ba8164eee06461c73cd8abb9b46aa0be81869
Author: Daniel Veillard
From 9cd1c3cfbd32655d60572c0a413e017260c854df Mon Sep 17 00:00:00 2001 From: Daniel Veillard
Date: Tue, 22 Apr 2014 15:30:56 +0800 Subject: Do not fetch external parameter entities
Unless explicitely asked for when validating or replacing entities
with their value. Problem pointed out by Daniel Berrange
From 7c3c663e4f844aaecbb0cfc29567fe2ee9506fc4 Mon Sep 17 00:00:00 2001 From: Alexandre Rostovtsev
Date: Fri, 16 May 2014 22:46:00 -0400 Subject: [PATCH] xmllint: a posteriori validation needs to load exernal entities
For https://bugzilla.gnome.org/show_bug.cgi?id=730290 Index: libxml2-2.9.1/parser.c =================================================================== --- libxml2-2.9.1.orig/parser.c 2013-04-16 15:39:18.000000000 +0200 +++ libxml2-2.9.1/parser.c 2014-05-23 11:26:43.344897186 +0200 @@ -2595,6 +2595,20 @@ xmlParserHandlePEReference(xmlParserCtxt xmlCharEncoding enc; /* + * Note: external parsed entities will not be loaded, it is + * not required for a non-validating parser, unless the + * option of validating, or substituting entities were + * given. Doing so is far more secure as the parser will + * only process data coming from the document entity by + * default. + */ + if ((entity->etype == XML_EXTERNAL_PARAMETER_ENTITY) && + ((ctxt->options & XML_PARSE_NOENT) == 0) && + ((ctxt->options & XML_PARSE_DTDVALID) == 0) && + (ctxt->validate == 0)) + return; + + /* * handle the extra spaces added before and after * c.f. http://www.w3.org/TR/REC-xml#as-PE * this is done independently. Index: libxml2-2.9.1/xmllint.c =================================================================== --- libxml2-2.9.1.orig/xmllint.c 2013-03-27 04:31:47.000000000 +0100 +++ libxml2-2.9.1/xmllint.c 2014-05-23 11:26:43.344897186 +0200 @@ -3505,7 +3505,12 @@ main(int argc, char **argv) { xmlLoadExtDtdDefaultValue |= XML_COMPLETE_ATTRS; if (noent != 0) xmlSubstituteEntitiesDefault(1); #ifdef LIBXML_VALID_ENABLED - if (valid != 0) xmlDoValidityCheckingDefaultValue = 1; + /* If we will validate only a posteriori, ensure that entities get loaded, + * but suppress validation messages during initial parsing */ + if (postvalid != 0 && valid == 0) + options |= XML_PARSE_DTDVALID | XML_PARSE_NOERROR | XML_PARSE_NOWARNING; + else if (valid != 0) + xmlDoValidityCheckingDefaultValue = 1; #endif /* LIBXML_VALID_ENABLED */ if ((htmlout) && (!nowrap)) { xmlGenericError(xmlGenericErrorContext, -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
participants (1)
-
root@hilbert.suse.de