Hello community, here is the log from the commit of package libxml2 for openSUSE:Factory checked in at 2019-02-04 21:10:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libxml2 (Old) and /work/SRC/openSUSE:Factory/.libxml2.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libxml2" Mon Feb 4 21:10:12 2019 rev:93 rq:668978 version:2.9.9 Changes: -------- --- /work/SRC/openSUSE:Factory/libxml2/libxml2.changes 2018-03-26 12:05:24.153792873 +0200 +++ /work/SRC/openSUSE:Factory/.libxml2.new.28833/libxml2.changes 2019-02-04 21:10:14.511894228 +0100 @@ -1,0 +2,36 @@ +Sat Jan 26 00:24:23 UTC 2019 - mgorse@suse.com + +- Version update to 2.9.9: + * Security: + + CVE-2018-9251 CVE-2018-14567 Fix infinite loop in LZMA + decompression (boo#1088279 boo#1105166). + + CVE-2018-14404 Fix nullptr deref with XPath logic ops + (boo#1102046). + * Bug fixes: + + Fix building relative URIs + + Problem with data in interleave in RelaxNG validation + + Fix memory leak in xmlSwitchInputEncodingInt error path + + Set doc on element obtained from freeElems + + Fix HTML serialization with UTF-8 encoding + + Use actual doc in xmlTextReaderRead*Xml + + Unlink node before freeing it in xmlSAX2StartElement + + Check return value of nodePush in xmlSAX2StartElement + + Free input buffer in xmlHaltParser + + Reset HTML parser input pointers on encoding failure + + Fix xmlSchemaValidCtxtPtr reuse memory leak + + Fix xmlTextReaderNext with preparsed document + + HTML noscript should not close p + + Don't change context node in xmlXPathRoot + * Improvements: + + Remove redefined starts and defines inside include elements + + Allow choice within choice in nameClass in RELAX NG + + Look inside divs for starts and defines inside include + + Add newlines to 'xmllint --xpath' output + + Don't include SAX.h from globals.h + + Support xmlTextReaderNextSibling w/o preparsed doc + + Improve restoring of context size and position + + Simplify and harden nodeset filtering + + Avoid unnecessary backups of the context node + + Fix inconsistency in xmlXPathIsInf + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/libxml2/python-libxml2-python.changes 2018-03-19 23:31:26.916352270 +0100 +++ /work/SRC/openSUSE:Factory/.libxml2.new.28833/python-libxml2-python.changes 2019-02-04 21:10:14.631894185 +0100 @@ -1,0 +2,38 @@ +Sat Jan 26 00:25:51 UTC 2019 - mgorse@suse.com + +- Version update to 2.9.9: + * Security: + + CVE-2018-9251 CVE-2018-14567 Fix infinite loop in LZMA + decompression. + + CVE-2018-14404 Fix nullptr deref with XPath logic ops. + * Bug fixes: + + Fix building relative URIs + + Problem with data in interleave in RelaxNG validation + + Fix memory leak in xmlSwitchInputEncodingInt error path + + Set doc on element obtained from freeElems + + Fix HTML serialization with UTF-8 encoding + + Use actual doc in xmlTextReaderRead*Xml + + Unlink node before freeing it in xmlSAX2StartElement + + Check return value of nodePush in xmlSAX2StartElement + + Free input buffer in xmlHaltParser + + Reset HTML parser input pointers on encoding failure + + Fix xmlSchemaValidCtxtPtr reuse memory leak + + Fix xmlTextReaderNext with preparsed document + + HTML noscript should not close p + + Don't change context node in xmlXPathRoot + * Improvements: + + Remove redefined starts and defines inside include elements + + Allow choice within choice in nameClass in RELAX NG + + Look inside divs for starts and defines inside include + + Add newlines to 'xmllint --xpath' output + + Don't include SAX.h from globals.h + + Support xmlTextReaderNextSibling w/o preparsed doc + + Improve restoring of context size and position + + Simplify and harden nodeset filtering + + Avoid unnecessary backups of the context node + + Fix inconsistency in xmlXPathIsInf +- Add libxml2-python3-string-null-check.patch: fix NULL pointer + dereference when parsing invalid data (bsc#1065270 + glgo#libxml2!15).). + +------------------------------------------------------------------- Old: ---- libxml2-2.9.8.tar.gz libxml2-2.9.8.tar.gz.asc New: ---- libxml2-2.9.9.tar.gz libxml2-2.9.9.tar.gz.asc libxml2-python3-string-null-check.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libxml2.spec ++++++ --- /var/tmp/diff_new_pack.DKgD09/_old 2019-02-04 21:10:15.419893904 +0100 +++ /var/tmp/diff_new_pack.DKgD09/_new 2019-02-04 21:10:15.423893902 +0100 @@ -1,7 +1,7 @@ # # spec file for package libxml2 # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,13 +12,13 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # %define lname libxml2-2 Name: libxml2 -Version: 2.9.8 +Version: 2.9.9 Release: 0 Summary: A Library to Manipulate XML Files License: MIT ++++++ python-libxml2-python.spec ++++++ --- /var/tmp/diff_new_pack.DKgD09/_old 2019-02-04 21:10:15.439893896 +0100 +++ /var/tmp/diff_new_pack.DKgD09/_new 2019-02-04 21:10:15.447893893 +0100 @@ -1,7 +1,7 @@ # # spec file for package python-libxml2-python # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,14 +12,14 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # %{?!python_module:%define python_module() python-%{**} python3-%{**}} %define oldpython python Name: python-libxml2-python -Version: 2.9.8 +Version: 2.9.9 Release: 0 Summary: Python Bindings for libxml2 License: MIT @@ -27,6 +27,8 @@ Url: http://xmlsoft.org Source: ftp://xmlsoft.org/libxml2/libxml2-%{version}.tar.gz Patch1: libxml2-python3-unicode-errors.patch +# PATCH-FIX-UPSTREAM libxml2-python3-string-null-check.patch bsc#1065270 mgorse@suse.com -- don't return a NULL string for an invalid UTF-8 conversion. +Patch2: libxml2-python3-string-null-check.patch BuildRequires: %{python_module devel} BuildRequires: %{python_module xml} BuildRequires: pkgconfig @@ -54,6 +56,7 @@ %prep %setup -q -n libxml2-%{version} %patch1 -p1 +%patch2 -p1 %build export CFLAGS="%{optflags} -fno-strict-aliasing" ++++++ libxml2-2.9.8.tar.gz -> libxml2-2.9.9.tar.gz ++++++ ++++ 3523 lines of diff (skipped) ++++++ libxml2-python3-string-null-check.patch ++++++
From 07b1c4c8a736a31ac4b8ae13ea25d50793dfea83 Mon Sep 17 00:00:00 2001 From: Mike Gorse
Date: Fri, 25 Jan 2019 12:55:52 -0600 Subject: [PATCH] python: return None if PY_IMPORT_STRING returns NULL
PY_IMPORT_STRING might return NULL on python 3 if, ie, a string can't be encoded. We should check for this and return None, rather than returning NULL. Fixes a NULL pointer dereference when reporting an error with an invalid string. --- python/types.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/python/types.c b/python/types.c index 124af565..50951ba3 100644 --- a/python/types.c +++ b/python/types.c @@ -150,6 +150,10 @@ libxml_charPtrConstWrap(const char *str) return (Py_None); } ret = PY_IMPORT_STRING(str); + if (ret == NULL) { + Py_INCREF(Py_None); + return (Py_None); + } return (ret); } -- 2.18.0