commit xmltooling for openSUSE:Factory
Hello community, here is the log from the commit of package xmltooling for openSUSE:Factory checked in at 2018-02-28 20:03:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/xmltooling (Old) and /work/SRC/openSUSE:Factory/.xmltooling.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "xmltooling" Wed Feb 28 20:03:13 2018 rev:9 rq:580972 version:1.6.4 Changes: -------- --- /work/SRC/openSUSE:Factory/xmltooling/xmltooling.changes 2018-01-22 16:21:34.325364393 +0100 +++ /work/SRC/openSUSE:Factory/.xmltooling.new/xmltooling.changes 2018-02-28 20:03:16.338790530 +0100 @@ -1,0 +2,7 @@ +Wed Feb 28 11:13:56 UTC 2018 - kstreitova@suse.com + +- update to 1.6.4 + * [CPPXT-128] - Additional nodes can be added to XML without + breaking signature [bsc#1083247] [CVE-2018-0489] + +------------------------------------------------------------------- Old: ---- xmltooling-1.6.3.tar.bz2 xmltooling-1.6.3.tar.bz2.asc New: ---- xmltooling-1.6.4.tar.bz2 xmltooling-1.6.4.tar.bz2.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ xmltooling.spec ++++++ --- /var/tmp/diff_new_pack.iXUG3C/_old 2018-02-28 20:03:18.186723668 +0100 +++ /var/tmp/diff_new_pack.iXUG3C/_new 2018-02-28 20:03:18.210722800 +0100 @@ -19,7 +19,7 @@ %define opensaml_version 2.6.1 %define pkgdocdir %{_docdir}/%{name} Name: xmltooling -Version: 1.6.3 +Version: 1.6.4 Release: 0 Summary: OpenSAML XML library License: Apache-2.0 ++++++ xmltooling-1.6.3.tar.bz2 -> xmltooling-1.6.4.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.6.3/config_win32.h new/xmltooling-1.6.4/config_win32.h --- old/xmltooling-1.6.3/config_win32.h 2018-01-11 21:46:39.000000000 +0100 +++ new/xmltooling-1.6.4/config_win32.h 2018-02-20 02:11:58.000000000 +0100 
@@ -117,13 +117,13 @@ #define PACKAGE_NAME "xmltooling" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "xmltooling 1.6.3" +#define PACKAGE_STRING "xmltooling 1.6.4" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "xmltooling" /* Define to the version of this package. */ -#define PACKAGE_VERSION "1.6.3" +#define PACKAGE_VERSION "1.6.4" /* Define to the necessary symbol if this constant uses a non-standard name on your system. */ @@ -136,7 +136,7 @@ /* #undef TM_IN_SYS_TIME */ /* Version number of package */ -#define VERSION "1.6.3" +#define VERSION "1.6.4" /* Define if you wish to disable XML-Security-dependent features. */ /* #undef XMLTOOLING_NO_XMLSEC */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.6.3/configure new/xmltooling-1.6.4/configure --- old/xmltooling-1.6.3/configure 2018-01-11 21:47:04.000000000 +0100 +++ new/xmltooling-1.6.4/configure 2018-02-20 02:13:17.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for xmltooling 1.6.3. +# Generated by GNU Autoconf 2.69 for xmltooling 1.6.4. # # Report bugs to <https://issues.shibboleth.net/>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='xmltooling' PACKAGE_TARNAME='xmltooling' -PACKAGE_VERSION='1.6.3' -PACKAGE_STRING='xmltooling 1.6.3' +PACKAGE_VERSION='1.6.4' +PACKAGE_STRING='xmltooling 1.6.4' PACKAGE_BUGREPORT='https://issues.shibboleth.net/' PACKAGE_URL='' @@ -1413,7 +1413,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures xmltooling 1.6.3 to adapt to many kinds of systems. +\`configure' configures xmltooling 1.6.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
@@ -1483,7 +1483,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of xmltooling 1.6.3:";; + short | recursive ) echo "Configuration of xmltooling 1.6.4:";; esac cat <<\_ACEOF @@ -1619,7 +1619,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -xmltooling configure 1.6.3 +xmltooling configure 1.6.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2354,7 +2354,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by xmltooling $as_me 1.6.3, which was +It was created by xmltooling $as_me 1.6.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3219,7 +3219,7 @@ # Define the identity of the package. PACKAGE='xmltooling' - VERSION='1.6.3' + VERSION='1.6.4' cat >>confdefs.h <<_ACEOF @@ -21695,7 +21695,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by xmltooling $as_me 1.6.3, which was +This file was extended by xmltooling $as_me 1.6.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -21761,7 +21761,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -xmltooling config.status 1.6.3 +xmltooling config.status 1.6.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.6.3/configure.ac new/xmltooling-1.6.4/configure.ac --- old/xmltooling-1.6.3/configure.ac 2018-01-11 21:46:39.000000000 +0100 +++ new/xmltooling-1.6.4/configure.ac 2018-02-20 02:11:58.000000000 +0100 
@@ -1,6 +1,6 @@
 # Process this file with autoreconf
 AC_PREREQ([2.50])
-AC_INIT([xmltooling],[1.6.3],[https://issues.shibboleth.net/],[xmltooling])
+AC_INIT([xmltooling],[1.6.4],[https://issues.shibboleth.net/],[xmltooling])
 AC_CONFIG_SRCDIR(xmltooling)
 AC_CONFIG_AUX_DIR(build-aux)
 AC_CONFIG_MACRO_DIR(m4)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.6.3/xmltooling/AbstractComplexElement.cpp new/xmltooling-1.6.4/xmltooling/AbstractComplexElement.cpp
--- old/xmltooling-1.6.3/xmltooling/AbstractComplexElement.cpp 2018-01-11 21:46:39.000000000 +0100
+++ new/xmltooling-1.6.4/xmltooling/AbstractComplexElement.cpp 2018-02-20 02:14:23.000000000 +0100
@@ -102,5 +102,19 @@
 m_text.push_back(nullptr);
 ++size;
 }
- m_text[position] = prepareForAssignment(m_text[position], value);
+
+ // Merge if necessary.
+ if (value && *value) {
+ if (!m_text[position] || !*m_text[position]) {
+ m_text[position] = prepareForAssignment(m_text[position], value);
+ }
+ else {
+ XMLSize_t initialLen = XMLString::stringLen(m_text[position]);
+ XMLCh* merged = new XMLCh[initialLen + XMLString::stringLen(value) + 1];
+ auto_arrayptr<XMLCh> janitor(merged);
+ XMLString::copyString(merged, m_text[position]);
+ XMLString::catString(merged + initialLen, value);
+ m_text[position] = prepareForAssignment(m_text[position], merged);
+ }
+ }
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.6.3/xmltooling/AbstractSimpleElement.cpp new/xmltooling-1.6.4/xmltooling/AbstractSimpleElement.cpp
--- old/xmltooling-1.6.3/xmltooling/AbstractSimpleElement.cpp 2018-01-11 21:46:33.000000000 +0100
+++ new/xmltooling-1.6.4/xmltooling/AbstractSimpleElement.cpp 2018-02-20 02:14:23.000000000 +0100
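Review bot: With the new `if (value && *value)` guard in AbstractComplexElement.cpp, a null or empty `value` no longer reaches `prepareForAssignment`, so this setter can no longer clear or replace the text at `position`; every call with content now appends to what is already there. The AbstractSimpleElement.cpp hunk has the same change, and its removed comment stated explicitly that a null value clears the content. The terse "Merge if necessary." does not record that contract change; it could read `// Append rather than overwrite: one logical text value may arrive as several adjacent Text/CDATA nodes, and keeping only one of them changes what the application reads (CPPXT-128).` Whether any caller outside the unmarshaller relies on replace-or-clear semantics cannot be confirmed here, because the function signature and its callers lie outside the hunk.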
@@ -77,12 +77,18 @@ if (position > 0) throw XMLObjectException("Cannot set text content in simple element at position > 0."); - // We overwrite the "one" piece of Text content if: - // - the new value is null - // - there is no existing value - // - the old value is all whitespace - // If there's a non-whitespace value set, we leave it alone unless we're clearing it with a null. - - if (!value || !m_value || XMLChar1_0::isAllSpaces(m_value, XMLString::stringLen(m_value))) - m_value=prepareForAssignment(m_value, value); + // Merge if necessary. + if (value && *value) { + if (!m_value || !*m_value) { + m_value = prepareForAssignment(m_value, value); + } + else { + XMLSize_t initialLen = XMLString::stringLen(m_value); + XMLCh* merged = new XMLCh[initialLen + XMLString::stringLen(value) + 1]; + auto_arrayptr<XMLCh> janitor(merged); + XMLString::copyString(merged, m_value); + XMLString::catString(merged + initialLen, value); + m_value = prepareForAssignment(m_value, merged); + } + } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.6.3/xmltooling/Makefile.am new/xmltooling-1.6.4/xmltooling/Makefile.am --- old/xmltooling-1.6.3/xmltooling/Makefile.am 2018-01-11 21:46:39.000000000 +0100 +++ new/xmltooling-1.6.4/xmltooling/Makefile.am 2018-02-20 02:11:58.000000000 +0100 
@@ -206,13 +206,13 @@ libxmltooling_lite_la_SOURCES = \ ${common_sources} libxmltooling_lite_la_CPPFLAGS = -DXMLTOOLING_LITE -libxmltooling_lite_la_LDFLAGS = -version-info 7:2:0 +libxmltooling_lite_la_LDFLAGS = -version-info 7:4:0 if BUILD_XMLSEC libxmltooling_la_SOURCES = \ ${common_sources} \ ${xmlsec_sources} -libxmltooling_la_LDFLAGS = $(XMLSEC_LIBS) -version-info 7:2:0 +libxmltooling_la_LDFLAGS = $(XMLSEC_LIBS) -version-info 7:4:0 endif install-exec-hook: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.6.3/xmltooling/Makefile.in new/xmltooling-1.6.4/xmltooling/Makefile.in --- old/xmltooling-1.6.3/xmltooling/Makefile.in 2018-01-11 21:47:06.000000000 +0100 +++ new/xmltooling-1.6.4/xmltooling/Makefile.in 2018-02-20 02:13:18.000000000 +0100 @@ -727,12 +727,12 @@ ${common_sources} libxmltooling_lite_la_CPPFLAGS = -DXMLTOOLING_LITE -libxmltooling_lite_la_LDFLAGS = -version-info 7:2:0 +libxmltooling_lite_la_LDFLAGS = -version-info 7:4:0 @BUILD_XMLSEC_TRUE@libxmltooling_la_SOURCES = \ @BUILD_XMLSEC_TRUE@ ${common_sources} \ @BUILD_XMLSEC_TRUE@ ${xmlsec_sources} -@BUILD_XMLSEC_TRUE@libxmltooling_la_LDFLAGS = $(XMLSEC_LIBS) -version-info 7:2:0 +@BUILD_XMLSEC_TRUE@libxmltooling_la_LDFLAGS = $(XMLSEC_LIBS) -version-info 7:4:0 EXTRA_DIST = \ config_pub.h.in \ config_pub_win32.h\ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.6.3/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp new/xmltooling-1.6.4/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp --- old/xmltooling-1.6.3/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp 2018-01-11 21:46:33.000000000 +0100 +++ new/xmltooling-1.6.4/xmltooling/io/AbstractXMLObjectUnmarshaller.cpp 2018-02-20 02:14:23.000000000 +0100 
@@ -206,8 +206,9 @@ else if (childNode->getNodeType() == DOMNode::TEXT_NODE || childNode->getNodeType() == DOMNode::CDATA_SECTION_NODE) { m_log.debug("processing text content at position (%d)", position); setTextContent(childNode->getNodeValue(), position); - } else if (childNode->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE || childNode->getNodeType() == DOMNode::ENTITY_NODE) { - throw UnmarshallingException("Unmarshaller found Entity/Reference node."); + } + else if (childNode->getNodeType() != DOMNode::ATTRIBUTE_NODE) { + throw UnmarshallingException("Unmarshaller found unsupported node type."); } childNode = childNode->getNextSibling(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.6.3/xmltooling/util/ParserPool.cpp new/xmltooling-1.6.4/xmltooling/util/ParserPool.cpp --- old/xmltooling-1.6.3/xmltooling/util/ParserPool.cpp 2018-01-11 21:46:39.000000000 +0100 +++ new/xmltooling-1.6.4/xmltooling/util/ParserPool.cpp 2018-02-20 02:15:15.000000000 +0100 @@ -419,6 +419,7 @@ parser->getDomConfig()->setParameter(XMLUni::fgDOMResourceResolver, dynamic_cast<DOMLSResourceResolver*>(this)); parser->getDomConfig()->setParameter(XMLUni::fgXercesSecurityManager, m_security.get()); parser->getDomConfig()->setParameter(XMLUni::fgDOMDisallowDoctype, true); + parser->getDomConfig()->setParameter(XMLUni::fgDOMComments, false); return parser; } 
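Review bot: The new catch-all branch in AbstractXMLObjectUnmarshaller.cpp throws one fixed message for every rejected node, so an operator looking at a refused document cannot tell which node type triggered it. Failing closed is the right default here; logging the type just before the throw, e.g. `m_log.error("unsupported DOM node type (%d) at position (%d)", childNode->getNodeType(), position);`, would make rejections diagnosable. The `!= DOMNode::ATTRIBUTE_NODE` exemption also deserves a one-line comment, since it is not obvious from the hunk why an attribute node would show up in a child-node walk. The enclosing loop starts and ends outside the hunk.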
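Review bot: Both ParserPool.cpp hunks (the `setParameter(XMLUni::fgDOMComments, false)` call here and the `setFeature(XMLUni::fgDOMComments, false)` call in the next hunk) add a security-relevant parser setting with no comment, so a later cleanup could remove it as cosmetic. A line such as `// Drop comments at parse time so a comment cannot split an element's text into several nodes (CPPXT-128 / CVE-2018-0489).` above each call would record the intent. The setting only protects DOMs built by this pool; a document parsed elsewhere and handed to the unmarshaller keeps its comment nodes and is presumably rejected by the new catch-all throw instead, which is worth stating in the API documentation. No test that places a comment inside text content is visible in this diff, and both builder functions start outside their hunks.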
@@ -465,6 +466,7 @@ parser->setProperty(XMLUni::fgXercesSecurityManager, m_security.get()); parser->setFeature(XMLUni::fgXercesUserAdoptsDOMDocument, true); parser->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution, true); + parser->setFeature(XMLUni::fgDOMComments, false); parser->setEntityResolver(this); return parser; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.6.3/xmltooling/version.h new/xmltooling-1.6.4/xmltooling/version.h --- old/xmltooling-1.6.3/xmltooling/version.h 2018-01-11 21:46:39.000000000 +0100 +++ new/xmltooling-1.6.4/xmltooling/version.h 2018-02-20 02:11:58.000000000 +0100 @@ -44,7 +44,7 @@ #define XMLTOOLING_VERSION_MAJOR 1 #define XMLTOOLING_VERSION_MINOR 6 -#define XMLTOOLING_VERSION_REVISION 3 +#define XMLTOOLING_VERSION_REVISION 4 /** DO NOT MODIFY BELOW THIS LINE */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.6.3/xmltooling/xmltooling.rc new/xmltooling-1.6.4/xmltooling/xmltooling.rc --- old/xmltooling-1.6.3/xmltooling/xmltooling.rc 2018-01-11 21:46:39.000000000 +0100 +++ new/xmltooling-1.6.4/xmltooling/xmltooling.rc 2018-02-20 02:11:58.000000000 +0100 @@ -28,7 +28,7 @@ // VS_VERSION_INFO VERSIONINFO - FILEVERSION 1,6,3,0 + FILEVERSION 1,6,4,0 PRODUCTVERSION 2,6,1,0 FILEFLAGSMASK 0x3fL #ifdef _DEBUG @@ -51,7 +51,7 @@ #else VALUE "FileDescription", "OpenSAML XMLTooling Library\0" #endif - VALUE "FileVersion", "1, 6, 3, 0\0" + VALUE "FileVersion", "1, 6, 4, 0\0" #ifdef XMLTOOLING_LITE #ifdef _DEBUG VALUE "InternalName", "xmltooling-lite1_6D\0" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.6.3/xmltooling.spec new/xmltooling-1.6.4/xmltooling.spec --- old/xmltooling-1.6.3/xmltooling.spec 2018-01-11 21:47:31.000000000 +0100 +++ new/xmltooling-1.6.4/xmltooling.spec 2018-02-20 02:13:47.000000000 +0100 
@@ -1,5 +1,5 @@
 Name: xmltooling
-Version: 1.6.3
+Version: 1.6.4
 Release: 1
 Summary: OpenSAML XML Processing library
 Group: Development/Libraries/C and C++
Binary files old/xmltooling-1.6.3/xmltoolingtest/data/cert.der.bak and new/xmltooling-1.6.4/xmltoolingtest/data/cert.der.bak differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.6.3/xmltoolingtest/data/cert.pem.bak new/xmltooling-1.6.4/xmltoolingtest/data/cert.pem.bak
--- old/xmltooling-1.6.3/xmltoolingtest/data/cert.pem.bak 1970-01-01 01:00:00.000000000 +0100
+++ new/xmltooling-1.6.4/xmltoolingtest/data/cert.pem.bak 2018-01-26 01:10:07.000000000 +0100
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICjzCCAfigAwIBAgIJAKk8t1hYcMkhMA0GCSqGSIb3DQEBBAUAMDoxCzAJBgNV
+BAYTAlVTMRIwEAYDVQQKEwlJbnRlcm5ldDIxFzAVBgNVBAMTDnNwLmV4YW1wbGUu
+b3JnMB4XDTA1MDYyMDE1NDgzNFoXDTMyMTEwNTE1NDgzNFowOjELMAkGA1UEBhMC
+VVMxEjAQBgNVBAoTCUludGVybmV0MjEXMBUGA1UEAxMOc3AuZXhhbXBsZS5vcmcw
+gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANlZ1L1mKzYbUVKiMQLhZlfGDyYa
+/jjCiaXP0WhLNgvJpOTeajvsrApYNnFX5MLNzuC3NeQIjXUNLN2Yo2MCSthBIOL5
+qE5dka4z9W9zytoflW1LmJ8vXpx8Ay/meG4z//J5iCpYVEquA0xl28HUIlownZUF
+7w7bx0cF/02qrR23AgMBAAGjgZwwgZkwHQYDVR0OBBYEFJZiO1qsyAyc3HwMlL9p
+JpN6fbGwMGoGA1UdIwRjMGGAFJZiO1qsyAyc3HwMlL9pJpN6fbGwoT6kPDA6MQsw
+CQYDVQQGEwJVUzESMBAGA1UEChMJSW50ZXJuZXQyMRcwFQYDVQQDEw5zcC5leGFt
+cGxlLm9yZ4IJAKk8t1hYcMkhMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEEBQAD
+gYEAMFq/UeSQyngE0GpZueyD2UW0M358uhseYOgGEIfm+qXIFQF6MYwNoX7WFzhC
+LJZ2E6mEvZZFHCHUtl7mGDvsRwgZ85YCtRbvleEpqfgNQToto9pLYe+X6vvH9Z6p
+gmYsTmak+kxO93JprrOd9xp8aZPMEprL7VCdrhbZEfyYER0=
+-----END CERTIFICATE-----
Binary files old/xmltooling-1.6.3/xmltoolingtest/data/key.der.bak and new/xmltooling-1.6.4/xmltoolingtest/data/key.der.bak differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/xmltooling-1.6.3/xmltoolingtest/data/key.pem.bak new/xmltooling-1.6.4/xmltoolingtest/data/key.pem.bak
--- old/xmltooling-1.6.3/xmltoolingtest/data/key.pem.bak 1970-01-01 01:00:00.000000000 +0100
+++ new/xmltooling-1.6.4/xmltoolingtest/data/key.pem.bak 2018-01-26 01:10:06.000000000 +0100
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDZWdS9Zis2G1FSojEC4WZXxg8mGv44womlz9FoSzYLyaTk3mo7
+7KwKWDZxV+TCzc7gtzXkCI11DSzdmKNjAkrYQSDi+ahOXZGuM/Vvc8raH5VtS5if
+L16cfAMv5nhuM//yeYgqWFRKrgNMZdvB1CJaMJ2VBe8O28dHBf9Nqq0dtwIDAQAB
+AoGAKsaVKdlLs9BYhuzIvIpju+6M2LEDS2Rt9qYZzm7O6i77NtfXDIgdq8OEo3Xq
+3bPnfS5Retl8DYdURyBdN4Uh+WR/BUWQjBvOaJLEEdxvuAaLyAjniVREwkc2rXTZ
+xoYYFL/XMyAEt/ye2ZbTw2u5R2i7HCYdddZWMkP1+Vabg8ECQQD7VJXWy8KFiyeC
+thJiVqG/h5IO0y25dId/n81sW2B55eK0c4+IVsqc0a45/U/y2y1wtNBmIEQQn9yY
+pDtWwzVRAkEA3WOgmvxFGTI5V1K5CLCCZzQIUYpzQDQvBu2sKYuy8dK2BMEGe9Zw
+cKVyZJuDKHBvrVI5G6CqkHuFD2PwDvwAhwJBAPdfbM/q4/4/VddAz918uV1j2a2/
+y3yDJq7GIhHp6o5wZ3AHYhnmmyw48YxgOGWntxT80zYBwhy+zAhtdX5TStECQEKL
+drP/TfnD2e6Ag/Ozso642iNAXWIYDWakvBIE1rXPYzzMlFlW3JdPc7H/+I2INlk/
+lMDUK1CggB9fJ8IpRzMCQQDQmqpWZtH6eaMAN6b/9WBdVzqzpCeTWFlL/SwhVbzI
+s+k2zvC4HEAK9Y199g6SHVTQMEAE49wfhhCpY0JdCsQ/
+-----END RSA PRIVATE KEY-----
Binary files old/xmltooling-1.6.3/xmltoolingtest/data/test.pfx.bak and new/xmltooling-1.6.4/xmltoolingtest/data/test.pfx.bak differ
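Review bot: The `.bak` suffix on key.pem.bak (and on cert.pem.bak, cert.der.bak, key.der.bak and test.pfx.bak) suggests backup leftovers swept into the 1.6.4 tarball rather than deliberate test fixtures, and this one is an unencrypted RSA private key. If the test suite does not reference them, they are better dropped from the distributed file list. If they are fixtures, a README line in xmltoolingtest/data stating that the key is test-only would spare secret scanners and downstream packagers from guessing. Whether anything references these files cannot be told from this diff.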