Hello community,
here is the log from the commit of package libxml2.1799 for openSUSE:12.2:Update checked in at 2013-06-26 12:37:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/libxml2.1799 (Old)
and /work/SRC/openSUSE:12.2:Update/.libxml2.1799.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libxml2.1799"
Changes:
--------
New Changes file:
--- /dev/null 2013-06-25 18:53:24.372030255 +0200
+++ /work/SRC/openSUSE:12.2:Update/.libxml2.1799.new/libxml2.changes 2013-06-26 12:37:58.000000000 +0200
@@ -0,0 +1,1598 @@
+-------------------------------------------------------------------
+Wed Jun 19 12:15:30 UTC 2013 - vcizek@suse.com
+
+- fix a leak in lzma code (bnc#823792)
+ * added libxml2-lzma_memory_leak.patch
+
+-------------------------------------------------------------------
+Thu Mar 7 13:28:59 UTC 2013 - vcizek@suse.com
+
+- fix for CVE-2013-0338 (bnc#805233)
+ libxml2-CVE-2013-0338-Detect-excessive-entities-expansion-upon-replacement.patch
+
+-------------------------------------------------------------------
+Fri Dec 7 10:49:11 UTC 2012 - vcizek@suse.com
+
+- fixed CVE-2012-5134 (bnc#793334) / libxml2-CVE-2012-5134.patch
+
+-------------------------------------------------------------------
+Thu Jun 28 09:48:22 UTC 2012 - vcizek@suse.com
+
+- fixed CVE-2012-2807 (bnc#769184)
+
+-------------------------------------------------------------------
+Sun Mar 11 21:00:19 UTC 2012 - jengelh@medozas.de
+
+- libxml2-2 should not require libxml2-tools. There is no trouble
+ expected, since attempting to install libxml2 will already pull
+ in libxml2-tools due to Provides tags.
+
+-------------------------------------------------------------------
+Mon Mar 5 10:18:12 UTC 2012 - coolo@suse.com
+
+- revert the two commits that broke perl-XML-LibXML's test case,
+ I hope the two upstreams will figure it out
+
+-------------------------------------------------------------------
+Fri Mar 2 16:47:56 UTC 2012 - coolo@suse.com
+
+- update to git to fix some issues
+ * Fix a logic error in Schemas Component ConstraintsHEADmaster
+ * Fix a wrong enum type use in Schemas Types
+
+-------------------------------------------------------------------
+Thu Mar 1 18:36:33 CET 2012 - meissner@suse.de
+
+- fixed a 64bit big endian bug in the file reader.
+
+-------------------------------------------------------------------
+Sat Feb 25 13:50:54 UTC 2012 - coolo@suse.com
+
+- the fallout of requiring libxml2-tools as explicit buildrequire
+ is just too large, so avoid it for now and create a cycle between
+ libxml2-2 and libxml2-tools
+
+-------------------------------------------------------------------
+Sat Feb 25 08:09:00 UTC 2012 - coolo@suse.com
+
+- add provide for the old name to fix packages with explicit
+ library dependency
+
+-------------------------------------------------------------------
+Thu Feb 23 10:42:16 UTC 2012 - coolo@suse.com
+
+- update to today's GIT snapshot:
+ include XZ support
+- split libxml2-2 according to shared library policy
+
+-------------------------------------------------------------------
+Mon Dec 26 17:08:52 UTC 2011 - jengelh@medozas.de
+
+- Remove redundant tags/sections
+
+-------------------------------------------------------------------
+Wed Dec 21 10:24:19 UTC 2011 - coolo@suse.com
+
+- add autoconf as buildrequire to avoid implicit dependency
+
+-------------------------------------------------------------------
+Tue Dec 20 11:05:01 UTC 2011 - coolo@suse.com
+
+- own aclocal directory, there is no other reason to buildrequire
+ automake
+
+-------------------------------------------------------------------
+Fri Jul 8 08:52:06 UTC 2011 - saschpe@suse.de
+
+- update to libxml-2.7.8+git20110708
+ - several important bugfixes
+- drop upstreamed patches:
+ * libxml2-CVE-2010-4494.patch
+ * libxml2-CVE-2011-1944.patch
+ * noxref.patch
+ * symbol-versioning.patch
+
+-------------------------------------------------------------------
+Wed Jun 29 09:05:59 UTC 2011 - puzel@novell.com
+
+- add libxml2-CVE-2011-1944.patch (bnc#697372)
+
+-------------------------------------------------------------------
+Sun Jun 5 21:36:07 UTC 2011 - cshorler@googlemail.com
+
+- add symbol-versioning.patch to restore 11.3 versioned symbols
+
+-------------------------------------------------------------------
+Mon Jan 3 09:21:20 UTC 2011 - puzel@novell.com
+
+- add libxml2-CVE-2010-4494.patch (bnc#661471)
+
+-------------------------------------------------------------------
+Fri Dec 3 12:09:40 UTC 2010 - puzel@novell.com
+
+- update to libxml-2.7.8
+ - number of bufixes, documentation and portability fixes
+ - update language ID parser to RFC 5646
+ - sort python generated stubs
+ - add an HTML parser option to avoid a default doctype
+ - see http://xmlsoft.org/news.html for exact details
+- drop libxml2-xpath-ns-attr-axis.patch (in upstream)
+- clean up specfile
+
+-------------------------------------------------------------------
+Mon Nov 1 10:00:04 UTC 2010 - puzel@novell.com
+
+- add libxml2-xpath-ns-attr-axis.patch (bnc#648277)
+
+-------------------------------------------------------------------
+Sat Oct 30 22:45:22 UTC 2010 - cristian.rodriguez@opensuse.org
+
+- Use --disable-static
+
+-------------------------------------------------------------------
+Mon Sep 20 11:36:31 UTC 2010 - puzel@novell.com
+
+- drop libxml2-largefile64.patch (revert last change)
+ - the issue is fixed in zlib
+
+-------------------------------------------------------------------
+Fri Sep 17 16:28:46 UTC 2010 - puzel@novell.com
+
+- add libxml2-largefile64.patch (fixes build)
+ - debian bug#439843
+
+-------------------------------------------------------------------
+Wed Jul 14 20:05:00 UTC 2010 - jw@novell.com
+
+- added noxref.patch,
+ this implements a new --noxref option, which turns
+ validation errors about missing xrefs into warnings.
+ Upstreamed as https://bugzilla.gnome.org/show_bug.cgi?id=624386
+
+-------------------------------------------------------------------
+Sat Apr 24 09:50:01 UTC 2010 - coolo@novell.com
+
+- buildrequire pkg-config to fix provides
+
+-------------------------------------------------------------------
+Tue Mar 23 23:46:00 CET 2010 - mrdocs@opensuse.org
+
+- update to 2.7.7
+- add extra options to ./configure for scribus features and avoid a crash
+- updates from 2.7.3 > 2.7.7 include a number of portability, correctness
+ memory leaks and build fixes including some CVE
+- see http://xmlsoft.org/news.html for exact details
+
+-------------------------------------------------------------------
+Mon Feb 22 22:11:00 CET 2010 - mrdocs@opensuse.org
+
+- add sax parser option compiled in
+
+-------------------------------------------------------------------
+Mon Dec 14 16:14:49 CET 2009 - jengelh@medozas.de
+
+- add baselibs.conf as a source
+- package documentation as noarch
+
+-------------------------------------------------------------------
+Sun Aug 2 16:58:15 UTC 2009 - jansimon.moeller@opensuse.org
+
+- Disable the check for ARM as qemu-arm can't keep up atm.
+
+-------------------------------------------------------------------
+Thu Mar 19 10:16:50 CET 2009 - prusnak@suse.cz
+
+- updated to 2.7.2
+ * Portability fix: fix solaris compilation problem,
+ fix compilation if XPath is not configured in
+ * Bug fixes: nasty entity bug introduced in 2.7.0, restore old
+ behaviour when saving an HTML doc with an xml dump function,
+ HTML UTF-8 parsing bug, fix reader custom error handlers
+ (Riccardo Scussat)
+ * Improvement: xmlSave options for more flexibility to save
+ as XML/HTML/XHTML, handle leading BOM in HTML documents
+- updated to 2.7.3
+ * Build fix: fix build when HTML support is not included.
+ * Bug fixes: avoid memory overflow in gigantic text nodes,
+ indentation problem on the writed (Rob Richards),
++++ 1401 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.2:Update/.libxml2.1799.new/libxml2.changes
New Changes file:
--- /dev/null 2013-06-25 18:53:24.372030255 +0200
+++ /work/SRC/openSUSE:12.2:Update/.libxml2.1799.new/python-libxml2.changes 2013-06-26 12:37:58.000000000 +0200
@@ -0,0 +1,1474 @@
+-------------------------------------------------------------------
+Sat Feb 25 08:47:58 UTC 2012 - coolo@suse.com
+
+- fix version
+
+-------------------------------------------------------------------
+Thu Feb 23 11:00:21 UTC 2012 - coolo@suse.com
+
+- renamed to python-libxml2 to follow python naming expectations
+- do not require python but let rpm figure it out
+
+-------------------------------------------------------------------
+Mon Dec 26 17:08:59 UTC 2011 - jengelh@medozas.de
+
+- Remove redundant tags/sections
+
+-------------------------------------------------------------------
+Fri Jul 8 08:52:06 UTC 2011 - saschpe@suse.de
+
+- update to libxml-2.7.8+git20110708
+ - several important bugfixes
+
+-------------------------------------------------------------------
+Mon Dec 6 09:05:53 UTC 2010 - coolo@novell.com
+
+- buildrequire python-xml to fix build
+
+-------------------------------------------------------------------
+Fri Dec 3 12:24:42 UTC 2010 - puzel@novell.com
+
+- update to libxml-2.7.8
+ - number of bufixes, documentation and portability fixes
+ - update language ID parser to RFC 5646
+ - sort python generated stubs
+ - add an HTML parser option to avoid a default doctype
+ - see http://xmlsoft.org/news.html for exact details
+- clean up specfile
+
+-------------------------------------------------------------------
+Wed Apr 7 16:34:29 UTC 2010 - coolo@novell.com
+
+- fix build
+
+-------------------------------------------------------------------
+Tue Mar 23 23:46:00 CET 2010 - mrdocs@opensuse.org
+
+- update to 2.7.7
+- add extra options to ./configure for scribus features and avoid a crash
+- updates from 2.7.3 > 2.7.7 include a number of portability, correctness
+ memory leaks and build fixes including some CVE
+- see http://xmlsoft.org/news.html for exact details
+
+-------------------------------------------------------------------
+Tue Dec 15 12:19:16 CET 2009 - jengelh@medozas.de
+
+- enable parallel building
+
+-------------------------------------------------------------------
+Thu Mar 19 10:16:50 CET 2009 - prusnak@suse.cz
+
+- updated to 2.7.2
+ * Portability fix: fix solaris compilation problem,
+ fix compilation if XPath is not configured in
+ * Bug fixes: nasty entity bug introduced in 2.7.0, restore old
+ behaviour when saving an HTML doc with an xml dump function,
+ HTML UTF-8 parsing bug, fix reader custom error handlers
+ (Riccardo Scussat)
+ * Improvement: xmlSave options for more flexibility to save
+ as XML/HTML/XHTML, handle leading BOM in HTML documents
+- updated to 2.7.3
+ * Build fix: fix build when HTML support is not included.
+ * Bug fixes: avoid memory overflow in gigantic text nodes,
+ indentation problem on the writed (Rob Richards),
+ xmlAddChildList pointer problem (Rob Richards and Kevin Milburn),
+ xmlAddChild problem with attribute (Rob Richards and Kris Breuker),
+ avoid a memory leak in an edge case (Daniel Zimmermann),
+ deallocate some pthread data (Alex Ott).
+ * Improvements: configure option to avoid rebuilding docs
+ (Adrian Bunk), limit text nodes to 10MB max by default,
+ add element traversal APIs, add a parser option to enable
+ pre 2.7 SAX behavior (Rob Richards),
+ add gcc malloc checking (Marcus Meissner),
+ add gcc printf like functions parameters checking (Marcus Meissner).
+- dropped obsoleted patches:
+ * alloc_size.patch (mainline)
+ * CVE-2008-4225.patch (mainline)
+ * CVE-2008-4226.patch (mainline)
+ * CVE-2008-4409.patch (mainline)
+ * oldsax.patch (mainline)
+ * pritnf.patch (mainline)
+ * xmlsave.patch (mainline)
+
+-------------------------------------------------------------------
+Mon Jan 12 17:21:59 CET 2009 - prusnak@suse.cz
+
+- added oldsax.patch to enable pre 2.7.0 sax behaviour [bnc#457056]
+
+-------------------------------------------------------------------
+Wed Dec 10 12:34:56 CET 2008 - olh@suse.de
+
+- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade
+ (bnc#437293)
+
+-------------------------------------------------------------------
+Tue Nov 25 16:00:27 CET 2008 - prusnak@suse.cz
+
+- fix broken xmlsave (xmlsave.patch) [bnc#437203]
+
+-------------------------------------------------------------------
+Tue Nov 18 16:24:39 CET 2008 - prusnak@suse.cz
+
+- fixed CVE-2008-4225 [bnc#445677]
+
+-------------------------------------------------------------------
+Thu Nov 6 12:02:25 CET 2008 - prusnak@suse.cz
+
+- fixed CVE-2008-4226 [bnc#441368]
+
+-------------------------------------------------------------------
+Thu Oct 30 12:34:56 CET 2008 - olh@suse.de
+
+- obsolete old -XXbit packages (bnc#437293)
+
+-------------------------------------------------------------------
+Mon Oct 6 14:50:38 CEST 2008 - prusnak@suse.cz
+
+- fixed CVE-2008-4409 [bnc#432486]
+
+-------------------------------------------------------------------
+Tue Sep 9 17:01:12 CEST 2008 - meissner@suse.de
+
+- added GCC attribute alloc_size markup (alloc_size.patch)
+
+-------------------------------------------------------------------
+Wed Sep 3 16:58:23 CEST 2008 - prusnak@suse.cz
+
+- updated to 2.7.1
+ * Portability fix: Borland C fix (Moritz Both)
+ * Bug fixes: python serialization wrappers, XPath QName corner
+ case handking and leaks (Martin)
+ * Improvement: extend the xmlSave to handle HTML documents and trees
+ * Cleanup: python serialization wrappers
+
+-------------------------------------------------------------------
+Wed Sep 3 16:57:46 CEST 2008 - prusnak@suse.cz
+
+- updated to 2.7.0
+ * Documentation: switch ChangeLog to UTF-8, improve mutithreads and
+ xmlParserCleanup docs
+ * Portability fixes: Older Win32 platforms (Rob Richards), MSVC
+ porting fix (Rob Richards), Mac OS X regression tests (Sven Herzberg),
+ non GNUCC builds (Rob Richards), compilation on Haiku (Andreas Färber)
+ * Bug fixes: various realloc problems (Ashwin), potential double-free
+ (Ashwin), regexp crash, icrash with invalid whitespace facets (Rob
+ Richards), pattern fix when streaming (William Brack), various XML
+ parsing and validation fixes based on the W3C regression tests, reader
+ tree skipping function fix (Ashwin), Schemas regexps escaping fix
+ (Volker Grabsch), handling of entity push errors (Ashwin), fix a slowdown
+ when encoder cant serialize characters on output
+ * Code cleanup: compilation fix without the reader, without the output
+ (Robert Schwebel), python whitespace (Martin), many space/tabs cleanups,
+ serious cleanup of the entity handling code
+ * Improvement: switch parser to XML-1.0 5th edition, add parsing flags
+ for old versions, switch URI parsing to RFC 3986,
+ add xmlSchemaValidCtxtGetParserCtxt (Holger Kaelberer),
+ new hashing functions for dictionnaries (based on Stefan Behnel work),
+ improve handling of misplaced html/head/body in HTML parser, better
+ regression test tools and code coverage display, better algorithms
+ to detect various versions of the billion laughts attacks, make
+ arbitrary parser limits avoidable as a parser option
+- dropped obsoleted patches:
+ * billion-laughs.patch (included in update)
+
+-------------------------------------------------------------------
+Wed Aug 13 12:05:08 CEST 2008 - prusnak@suse.cz
+
+- fixed billion laughs vulnerability (billion-laughs.patch) [bnc#415371]
+
+-------------------------------------------------------------------
+Fri Apr 11 14:34:30 CEST 2008 - prusnak@suse.cz
+
+- updated to 2.6.32
+ * Documentation:
+ - returning heap memory to kernel (Wolfram Sang)
+ - trying to clarify xmlCleanupParser() use
+ - xmlXPathContext improvement (Jack Jansen)
+ - improve the *Recover* functions documentation
+ - XmlNodeType doc link fix (Martijn Arts)
+ * Bug fixes:
+ - internal subset memory leak (Ashwin)
+ - avoid problem with paths starting with // (Petr Sumbera)
+ - streaming XSD validation callback patches (Ashwin)
+ - fix redirection on port other than 80 (William Brack)
+ - SAX2 leak (Ashwin)
+ - XInclude fragment of own document (Chris Ryan)
+ - regexp bug with '.' (Andrew Tosh)
+ - flush the writer at the end of the document (Alfred Mickautsch)
++++ 1277 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.2:Update/.libxml2.1799.new/python-libxml2.changes
New:
----
baselibs.conf
bigendian64.patch
fix-perl.diff
libxml2-CVE-2012-2807.patch
libxml2-CVE-2012-5134.patch
libxml2-CVE-2013-0338-Detect-excessive-entities-expansion-upon-replacement.patch
libxml2-git-snapshot.tar.gz
libxml2-lzma_memory_leak.patch
libxml2.changes
libxml2.spec
python-libxml2.changes
python-libxml2.spec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libxml2.spec ++++++
#
# spec file for package libxml2
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
%define lname libxml2-2
Name: libxml2
Version: 2.7.8+git20120223
Release: 0
Summary: A Library to Manipulate XML Files
License: MIT
Group: System/Libraries
Url: http://xmlsoft.org
# Source ftp://xmlsoft.org/libxml2/libxml2-git-snapshot.tar.gz changes every day
Source: libxml2-git-snapshot.tar.gz
Source2: baselibs.conf
Patch0: bigendian64.patch
Patch1: fix-perl.diff
Patch2: libxml2-CVE-2012-2807.patch
# PATCH-FIX-UPSTREAM CVE-2012-5134 (bnc#793334)
Patch3: libxml2-CVE-2012-5134.patch
Patch4: libxml2-CVE-2013-0338-Detect-excessive-entities-expansion-upon-replacement.patch
Patch5: libxml2-lzma_memory_leak.patch
BuildRequires: pkg-config
BuildRequires: readline-devel
BuildRequires: xz-devel
BuildRequires: zlib-devel
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
The XML C library was initially developed for the GNOME project. It is
now used by many programs to load and save extensible data structures
or manipulate any kind of XML files.
This library implements a number of existing standards related to
markup languages, including the XML standard, name spaces in XML, XML
Base, RFC 2396, XPath, XPointer, HTML4, XInclude, SGML catalogs, and
XML catalogs. In most cases, libxml tries to implement the
specification in a rather strict way. To some extent, it provides
support for the following specifications, but does not claim to
implement them: DOM, FTP client, HTTP client, and SAX.
The library also supports RelaxNG. Support for W3C XML Schemas is in
progress.
%package -n %lname
Summary: A Library to Manipulate XML Files
Group: System/Libraries
%description -n %lname
The XML C library was initially developed for the GNOME project. It is
now used by many programs to load and save extensible data structures
or manipulate any kind of XML files.
This library implements a number of existing standards related to
markup languages, including the XML standard, name spaces in XML, XML
Base, RFC 2396, XPath, XPointer, HTML4, XInclude, SGML catalogs, and
XML catalogs. In most cases, libxml tries to implement the
specification in a rather strict way. To some extent, it provides
support for the following specifications, but does not claim to
implement them: DOM, FTP client, HTTP client, and SAX.
The library also supports RelaxNG. Support for W3C XML Schemas is in
progress.
%package tools
Summary: Tools using libxml
Group: System/Libraries
Provides: %name = %version-%release
Obsoletes: %name < 2.7.8+git20120223
%description tools
This package contains xmllint, a very useful tool proving libxml's power.
%package devel
Summary: Include Files and Libraries mandatory for Development
Group: Development/Libraries/C and C++
Requires: %name-tools = %{version}
Requires: %{lname} = %{version}
Requires: glibc-devel
Requires: readline-devel
Requires: xz-devel
Requires: zlib-devel
# bug437293
%ifarch ppc64
Obsoletes: libxml2-devel-64bit
%endif
%description devel
This package contains all necessary include files and libraries needed
to develop applications that require these.
%package doc
Summary: A Library to Manipulate XML Files
Group: System/Libraries
Requires: %{lname} = %{version}
%if 0%{?suse_version} >= 1120
BuildArch: noarch
%endif
%description doc
The XML C library was initially developed for the GNOME project. It is
now used by many programs to load and save extensible data structures
or manipulate any kind of XML files.
This library implements a number of existing standards related to
markup languages, including the XML standard, name spaces in XML, XML
Base, RFC 2396, XPath, XPointer, HTML4, XInclude, SGML catalogs, and
XML catalogs. In most cases, libxml tries to implement the
specification in a rather strict way. To some extent, it provides
support for the following specifications, but does not claim to
implement them: DOM, FTP client, HTTP client, and SAX.
The library also supports RelaxNG. Support for W3C XML Schemas is in
progress.
%prep
%setup -q -n %{name}-2.7.8
%patch0 -p0
%patch1 -p1 -R
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build
%configure --disable-static \
--with-html-subdir=packages/%{name}/html \
--with-fexceptions \
--with-history \
--without-python \
--enable-ipv6 \
--with-sax1 \
--with-regexps \
--with-threads \
--with-reader \
--with-http
make %{?_smp_mflags} DOC_MODULE=packages/%{name}
%install
%makeinstall DOC_MODULE=packages/%{name}
cp -a AUTHORS NEWS README COPYING* Copyright TODO* %{buildroot}%{_docdir}/%{name}/
ln -s libxml2/libxml %{buildroot}%{_includedir}/libxml
%check
# qemu-arm can't keep up atm, disabling check for arm
%ifnarch %arm
make check
%endif
%post -n %lname -p /sbin/ldconfig
%postun -n %lname -p /sbin/ldconfig
%files -n %lname
%defattr(-, root, root)
%{_libdir}/lib*.so.*
%doc %dir %{_docdir}/%{name}
%doc %{_docdir}/%{name}/[ANRCT]*
%files tools
%defattr(-, root, root)
%{_bindir}/xmllint
%{_bindir}/xmlcatalog
%doc %{_mandir}/man1/xmllint.1*
%doc %{_mandir}/man1/xmlcatalog.1*
%files devel
%defattr(-, root, root)
%{_bindir}/xml2-config
%dir %{_datadir}/aclocal
%{_datadir}/aclocal/libxml.m4
%{_includedir}/libxml
%{_includedir}/libxml2
%{_libdir}/lib*.so
%{_libdir}/libxml2.la
%{_libdir}/*.sh
%{_libdir}/pkgconfig/*.pc
%doc %{_mandir}/man1/xml2-config.1*
%doc %{_mandir}/man3/libxml.3*
%files doc
%defattr(-, root, root)
%{_datadir}/gtk-doc/html/*
%doc %{_docdir}/%{name}/examples
%doc %{_docdir}/%{name}/html
# owning these directories prevents gtk-doc <-> libxml2 build loop:
%dir %{_datadir}/gtk-doc
%dir %{_datadir}/gtk-doc/html
%changelog
++++++ python-libxml2.spec ++++++
#
# spec file for package python-libxml2
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: python-libxml2
Version: 2.7.8+git20120223
Release: 0
Summary: Python Bindings for libxml2
License: MIT
Group: Development/Libraries/Python
Url: http://xmlsoft.org
Source: libxml2-git-snapshot.tar.gz
BuildRequires: libxml2-devel
BuildRequires: python-devel
BuildRequires: python-xml
Requires: libxml2-2 = %{version}
# Uncomment to save space:
#NoSource: 0
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Provides: libxml2-python = %{version}
Obsoletes: libxml2-python < 2.7.8+git20110223
%description
The libxml2-python package contains a module that permits applications
written in the Python programming language to use the interface
supplied by the libxml2 library to manipulate XML files.
This library allows manipulation of XML files. It includes support for
reading, modifying, and writing XML and HTML files. There is DTD
support that includes parsing and validation even with complex DTDs,
either at parse time or later once the document has been modified.
%prep
%setup -q -n libxml2-2.7.8
%build
# workaround for bnc#310196
%ifarch s390 s390x
export RPM_OPT_FLAGS=${RPM_OPT_FLAGS/-O2/-O1}
%endif
export CFLAGS="%{optflags} -fno-strict-aliasing"
%configure \
--with-fexceptions \
--with-history \
--enable-ipv6 \
--with-sax1 \
--with-regexps \
--with-threads \
--with-reader \
--with-http
# use libxml2 as built by libxml2 source package
mkdir .libs
cp -v %{_libdir}/libxml2.la .
make -C python %{?_smp_mflags}
%install
make -C python install \
DESTDIR=%{buildroot} \
pythondir=%{py_sitedir} \
PYTHON_SITE_PACKAGES=%{py_sitedir}
chmod a-x python/tests/*.py
# Unwanted doc stuff
rm -fr %{buildroot}%{_datadir}/doc
rm -f python/tests/Makefile*
# #223696
rm -f %{buildroot}%{py_sitedir}/*.{la,a}
%files
%defattr(-, root, root)
%doc python/TODO
%doc python/libxml2class.txt
%doc python/tests
%{py_sitedir}/*
%changelog
++++++ baselibs.conf ++++++
libxml2-2
libxml2-devel
requires -libxml2-<targettype>
requires "libxml2-2-<targettype> = <version>"
++++++ bigendian64.patch ++++++
--- xzlib.c.xx 2012-03-01 17:23:54.000000000 +0000
+++ xzlib.c 2012-03-01 17:24:48.000000000 +0000
@@ -228,9 +228,14 @@
if (state->err != LZMA_OK)
return -1;
if (state->eof == 0) {
+ /* avail_in is size_t, which is not necessary sizeof(unsigned) */
+ unsigned tmp = strm->avail_in;
if (xz_load(state, state->in, state->size,
- (unsigned *) &(strm->avail_in)) == -1)
+ &tmp) == -1) {
+ strm->avail_in = tmp;
return -1;
+ }
+ strm->avail_in = tmp;
strm->next_in = state->in;
}
return 0;
++++++ fix-perl.diff ++++++
commit 77b77b1301e052d90e6a0967534a698506afcd86
Author: Daniel Veillard
From 459eeb9dc752d5185f57ff6b135027f11981a626 Mon Sep 17 00:00:00 2001 From: Daniel Veillard
Date: Tue, 17 Jul 2012 08:19:17 +0000 Subject: Fix parser local buffers size problems
---
Index: libxml2-2.7.8/parser.c
===================================================================
--- libxml2-2.7.8.orig/parser.c 2012-03-01 06:25:02.000000000 +0100
+++ libxml2-2.7.8/parser.c 2012-08-01 13:36:55.890102432 +0200
@@ -40,6 +40,7 @@
#endif
#include
From 6a36fbe3b3e001a8a840b5c1fdd81cefc9947f0d Mon Sep 17 00:00:00 2001 From: Daniel Veillard
Date: Mon, 29 Oct 2012 02:39:55 +0000 Subject: Fix potential out of bound access
--- Index: libxml2-2.8.0/parser.c =================================================================== --- libxml2-2.8.0.orig/parser.c 2012-05-18 09:30:30.000000000 +0200 +++ libxml2-2.8.0/parser.c 2012-12-07 12:00:57.111732279 +0100 @@ -3931,7 +3931,7 @@ xmlParseAttValueComplex(xmlParserCtxtPtr c = CUR_CHAR(l); } if ((in_space) && (normalize)) { - while (buf[len - 1] == 0x20) len--; + while ((len > 0) && (buf[len - 1] == 0x20)) len--; } buf[len] = 0; if (RAW == '<') { ++++++ libxml2-CVE-2013-0338-Detect-excessive-entities-expansion-upon-replacement.patch ++++++
From 23f05e0c33987d6605387b300c4be5da2120a7ab Mon Sep 17 00:00:00 2001 From: Daniel Veillard
Date: Tue, 19 Feb 2013 10:21:49 +0800 Subject: [PATCH] Detect excessive entities expansion upon replacement
If entities expansion in the XML parser is asked for,
it is possble to craft relatively small input document leading
to excessive on-the-fly content generation.
This patch accounts for those replacement and stop parsing
after a given threshold. it can be bypassed as usual with the
HUGE parser option.
---
include/libxml/parser.h | 1 +
parser.c | 44 ++++++++++++++++++++++++++++++++++++++------
parserInternals.c | 2 ++
3 files changed, 41 insertions(+), 6 deletions(-)
Index: libxml2-2.7.8/include/libxml/parser.h
===================================================================
--- libxml2-2.7.8.orig/include/libxml/parser.h 2012-03-01 06:25:02.000000000 +0100
+++ libxml2-2.7.8/include/libxml/parser.h 2013-03-07 14:33:36.522115244 +0100
@@ -308,6 +308,7 @@ struct _xmlParserCtxt {
int nodeInfoNr; /* Depth of the parsing stack */
int nodeInfoMax; /* Max depth of the parsing stack */
xmlParserNodeInfo *nodeInfoTab; /* array of nodeInfos */
+ unsigned long sizeentcopy; /* volume of entity copy */
};
/**
Index: libxml2-2.7.8/parser.c
===================================================================
--- libxml2-2.7.8.orig/parser.c 2013-03-07 14:32:24.067961711 +0100
+++ libxml2-2.7.8/parser.c 2013-03-07 14:32:39.704426464 +0100
@@ -119,7 +119,7 @@ xmlCreateEntityParserCtxtInternal(const
*/
static int
xmlParserEntityCheck(xmlParserCtxtPtr ctxt, size_t size,
- xmlEntityPtr ent)
+ xmlEntityPtr ent, size_t replacement)
{
size_t consumed = 0;
@@ -127,7 +127,24 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct
return (0);
if (ctxt->lastError.code == XML_ERR_ENTITY_LOOP)
return (1);
- if (size != 0) {
+ if (replacement != 0) {
+ if (replacement < XML_MAX_TEXT_LENGTH)
+ return(0);
+
+ /*
+ * If the volume of entity copy reaches 10 times the
+ * amount of parsed data and over the large text threshold
+ * then that's very likely to be an abuse.
+ */
+ if (ctxt->input != NULL) {
+ consumed = ctxt->input->consumed +
+ (ctxt->input->cur - ctxt->input->base);
+ }
+ consumed += ctxt->sizeentities;
+
+ if (replacement < XML_PARSER_NON_LINEAR * consumed)
+ return(0);
+ } else if (size != 0) {
/*
* Do the check based on the replacement size of the entity
*/
@@ -173,7 +190,6 @@ xmlParserEntityCheck(xmlParserCtxtPtr ct
*/
return (0);
}
-
xmlFatalErr(ctxt, XML_ERR_ENTITY_LOOP, NULL);
return (1);
}
@@ -2706,7 +2722,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
while (*current != 0) { /* non input consuming loop */
buffer[nbchars++] = *current++;
if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
- if (xmlParserEntityCheck(ctxt, nbchars, ent))
+ if (xmlParserEntityCheck(ctxt, nbchars, ent, 0))
goto int_error;
growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
}
@@ -2748,7 +2764,7 @@ xmlStringLenDecodeEntities(xmlParserCtxt
while (*current != 0) { /* non input consuming loop */
buffer[nbchars++] = *current++;
if (nbchars + XML_PARSER_BUFFER_SIZE > buffer_size) {
- if (xmlParserEntityCheck(ctxt, nbchars, ent))
+ if (xmlParserEntityCheck(ctxt, nbchars, ent, 0))
goto int_error;
growBuffer(buffer, XML_PARSER_BUFFER_SIZE);
}
@@ -6975,7 +6991,7 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
xmlFreeNodeList(list);
return;
}
- if (xmlParserEntityCheck(ctxt, 0, ent)) {
+ if (xmlParserEntityCheck(ctxt, 0, ent, 0)) {
xmlFreeNodeList(list);
return;
}
@@ -7135,6 +7151,13 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
xmlNodePtr nw = NULL, cur, firstChild = NULL;
/*
+ * We are copying here, make sure there is no abuse
+ */
+ ctxt->sizeentcopy += ent->length;
+ if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
+ return;
+
+ /*
* when operating on a reader, the entities definitions
* are always owning the entities subtree.
if (ctxt->parseMode == XML_PARSE_READER)
@@ -7174,6 +7197,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt)
} else if (list == NULL) {
xmlNodePtr nw = NULL, cur, next, last,
firstChild = NULL;
+
+ /*
+ * We are copying here, make sure there is no abuse
+ */
+ ctxt->sizeentcopy += ent->length;
+ if (xmlParserEntityCheck(ctxt, 0, ent, ctxt->sizeentcopy))
+ return;
+
/*
* Copy the entity child list and make it the new
* entity child list. The goal is to make sure any
@@ -14339,6 +14370,7 @@ xmlCtxtReset(xmlParserCtxtPtr ctxt)
ctxt->catalogs = NULL;
ctxt->nbentities = 0;
ctxt->sizeentities = 0;
+ ctxt->sizeentcopy = 0;
xmlInitNodeInfoSeq(&ctxt->node_seq);
if (ctxt->attsDefault != NULL) {
Index: libxml2-2.7.8/parserInternals.c
===================================================================
--- libxml2-2.7.8.orig/parserInternals.c 2012-03-01 06:25:02.000000000 +0100
+++ libxml2-2.7.8/parserInternals.c 2013-03-07 14:34:38.744964733 +0100
@@ -1757,6 +1757,8 @@ xmlInitParserCtxt(xmlParserCtxtPtr ctxt)
ctxt->charset = XML_CHAR_ENCODING_UTF8;
ctxt->catalogs = NULL;
ctxt->nbentities = 0;
+ ctxt->sizeentities = 0;
+ ctxt->sizeentcopy = 0;
xmlInitNodeInfoSeq(&ctxt->node_seq);
return(0);
}
++++++ libxml2-lzma_memory_leak.patch ++++++
commit 9f3cdef08a5d45c82c71bf740a54e2bc5d07f3ec
Author: Daniel Veillard