diff --git a/backport-CVE-2024-34459.patch b/backport-CVE-2024-34459.patch
deleted file mode 100644
index b7b80cec95b38869be718c96dda9d145b1ec879d..0000000000000000000000000000000000000000
--- a/backport-CVE-2024-34459.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 2876ac5392a4e891b81e40e592c3ac6cb46016ce Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Tue, 14 May 2024 08:50:50 +0800
-Subject: [PATCH] [CVE-2024-34459] Fix buffer overread with `xmllint --htmlout`
-Add a missing bounds check.
--- xmllint.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
- diff --git a/xmllint.c b/xmllint.c
-index 5c26c3f..fcbf465 100644
---- a/xmllint.c
-+++ b/xmllint.c
-@@ -560,7 +560,7 @@ xmlHTMLPrintFileContext(xmlParserInputPtr input) {
- len = strlen(buffer);
- snprintf(&buffer[len], sizeof(buffer) - len, "\n");
- cur = input->cur;
-- while ((*cur == '\n') || (*cur == '\r'))
-+ while ((cur > base) && ((*cur == '\n') || (*cur == '\r')))
- cur--;
- n = 0;
- while ((cur != base) && (n++ < 80)) {
---
-2.33.0
-
diff --git a/backport-CVE-2024-40896.patch b/backport-CVE-2024-40896.patch
deleted file mode 100644
index 9fddd1ec7cd2aa0b6bddafecd4836a46cf45dc78..0000000000000000000000000000000000000000
--- a/backport-CVE-2024-40896.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From ae8f0ac0a2900219c3d762ae0b513e199dcf19a5 Mon Sep 17 00:00:00 2001
-From: Nick Wellnhofer
-Date: Sat, 6 Jul 2024 01:03:46 +0200
-Subject: [PATCH] [CVE-2024-40896] Fix XXE protection in downstream code
-
-Some users set an entity's children manually in the getEntity SAX
-callback to restrict entity expansion. This stopped working after
-renaming the "checked" member of xmlEntity, making at least one
-downstream project and its dependants susceptible to XXE attacks.
-
-See #761.
---
- parser.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/parser.c b/parser.c
-index 4feb21a28..8fe0a064d 100644
---- a/parser.c
-+++ b/parser.c
-@@ -7148,6 +7148,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
- return;
- }
-
-+ /*
-+ * Some users try to parse entities on their own and used to set
-+ * the renamed "checked" member. Fix the flags to cover this
-+ * case.
-+ */
-+ if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL))
-+ ent->flags |= XML_ENT_PARSED;
-+
- /*
- * The first reference to the entity trigger a parsing phase
- * where the ent->children is filled with the result from
---
-GitLab
-
diff --git a/libxml2-2.12.6.tar.xz b/libxml2-2.12.6.tar.xz
deleted file mode 100644
index 201b4c84ac88da634ca923cab379f08492ffab83..0000000000000000000000000000000000000000
Binary files a/libxml2-2.12.6.tar.xz and /dev/null differ
diff --git a/libxml2-2.12.9.tar.xz b/libxml2-2.12.9.tar.xz
new file mode 100644
index 0000000000000000000000000000000000000000..95960d84c110b2f6c36fac406e77214d1b90d5af
Binary files /dev/null and b/libxml2-2.12.9.tar.xz differ
diff --git a/libxml2.spec b/libxml2.spec
index 0c62d9848738427205c7814d72c363fedddbb386..ff41b3c10885619a32aad5c71f341e949c96bf80 100644
--- a/libxml2.spec
+++ b/libxml2.spec
@@ -1,21 +1,16 @@
 Summary: Library providing XML and HTML support
 Name: libxml2
-Version: 2.12.6
-Release: 3
+Version: 2.12.9
+Release: 1
 License: MIT
 Group: Development/Libraries
 Source: https://download.gnome.org/sources/%{name}/2.11/%{name}-%{version}.tar.xz
 Patch0: libxml2-multilib.patch
-Patch1: backport-CVE-2024-34459.patch
-Patch2: backport-CVE-2024-40896.patch
-
-BuildRoot: %{_tmppath}/%{name}-%{version}-root
-BuildRequires: python3-devel
-BuildRequires: zlib-devel
-BuildRequires: pkgconfig
-BuildRequires: xz-devel
-BuildRequires: libtool
+
+BuildRequires: pkgconfig(liblzma)
+BuildRequires: pkgconfig(python3)
+BuildRequires: pkgconfig(zlib)
 URL: http://xmlsoft.org/
 %description
@@ -33,11 +28,8 @@ URI library.
 Summary: Libraries, includes, etc. to develop XML and HTML applications
 Group: Development/Libraries
 Requires: libxml2 = %{version}-%{release}
-Requires: zlib-devel
-Requires: xz-devel
-Requires: pkgconfig
 Obsoletes: %{name}-static < %{version}-%{release}
-Provides: %{name}-static
+Provides: %{name}-static = %{version}-%{release}
 %description devel
 Libraries, include files, etc you can use to develop XML applications.
@@ -68,13 +60,7 @@ to read, modify and write XML and HTML files. There is DTDs support
 this includes parsing and validation even with complex DTDs, either
 at parse time or later once the document has been modified.
-%package help
-Summary: Man page for libxml2
-BuildArch: noarch
-
-%description help
-%{summary}.
-
+%package_help
 %prep
 %autosetup -n %{name}-%{version} -p1
@@ -84,49 +70,33 @@ cp doc/*.py py3doc
 sed -i 's|#!/usr/bin/python |#!%{__python3} |' py3doc/*.py
 %build
-./autogen.sh
 %configure --enable-static --with-ftp
 %make_build
 find doc -type f -exec chmod 0644 \{\} \;
 %install
-%configure --with-python=%{__python3}
 %make_install
 rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
 rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.a
 rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.la
-rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/libxml2-%{version}/*
-rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/libxml2-python-%{version}/*
+rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/*
 gzip -9 -c doc/libxml2-api.xml > doc/libxml2-api.xml.gz
 %check
-make runtests
+%make_build check
 (cd doc/examples ; make clean ; rm -rf .deps Makefile)
-%clean
-rm -fr %{buildroot}
-
-
-%post -p /sbin/ldconfig
-
-%postun -p /sbin/ldconfig
-
 %files
-%defattr(-, root, root)
-
-%doc %{_datadir}/doc/libxml2
-
+%license Copyright
 %{_libdir}/lib*.so.*
 %{_bindir}/xmllint
 %{_bindir}/xmlcatalog
 %files devel
-%defattr(-, root, root)
-
-%doc NEWS README.md Copyright
+%doc NEWS README.md
 %doc doc/tutorial doc/libxml2-api.xml.gz
 %doc doc/examples
 %doc %dir %{_datadir}/gtk-doc/html/libxml2
@@ -145,8 +115,6 @@ rm -fr %{buildroot}
 %{_libdir}/*.a
 %files -n python3-%{name}
-%defattr(-, root, root)
-
 %{python3_sitearch}/libxml2mod.so
 %{python3_sitelib}/*.py
 %{python3_sitelib}/__pycache__/*.pyc
@@ -154,12 +122,13 @@ rm -fr %{buildroot}
 %doc py3doc/*.py
 %files help
-%doc %{_mandir}/man1/xml2-config.1*
-%doc %{_mandir}/man1/xmllint.1*
-%doc %{_mandir}/man1/xmlcatalog.1*
+%{_mandir}/man?/*
 %changelog
+* Tue Jul 30 2024 Funda Wang - 2.12.9-1
+- update to 2.12.9
+
 * Tue Jul 30 2024 zhuofeng - 2.12.6-3
 - Type:CVE
 - CVE:CVE-2024-40896
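Review bot: The changelog entry added at the end of this hunk only says `- update to 2.12.9`, while the first hunk of the spec drops `Patch1: backport-CVE-2024-34459.patch` and `Patch2: backport-CVE-2024-40896.patch` and the two patch files are deleted, so nothing in the package history records that both CVE fixes are now expected to come from the upstream tarball. Anyone auditing this package for those CVEs would have to unpack the tarball to confirm it, so the entry should say so explicitly, e.g. `- drop backport-CVE-2024-34459.patch and backport-CVE-2024-40896.patch, fixed upstream in 2.12.9`, after checking that the 2.12.9 NEWS carries both upstream commits (2876ac53 and ae8f0ac0). Separately, the unchanged `Source:` line still points at the `2.11/` directory while Version is bumped to 2.12.9, which is worth verifying against where the 2.12.9 tarball is actually published.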