Hello community,

here is the log from the commit of package tidy for openSUSE:Factory checked in 
at 2015-06-05 08:45:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tidy (Old)
 and      /work/SRC/openSUSE:Factory/.tidy.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "tidy"

Changes:
--------
--- /work/SRC/openSUSE:Factory/tidy/tidy.changes        2012-06-25 
14:57:09.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.tidy.new/tidy.changes   2015-06-05 
08:45:40.000000000 +0200
@@ -1,0 +2,7 @@
+Thu Jun  4 08:33:48 UTC 2015 - [email protected]
+
+- add tidy-fix-buffer-overflow.patch in order to fix a heap-based
+  buffer overflow in tidy/libtidy (gh#htacg/tidy-html5#217
+  boo#933588)
+
+-------------------------------------------------------------------

New:
----
  tidy-fix-buffer-overflow.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ tidy.spec ++++++
--- /var/tmp/diff_new_pack.ZdWd68/_old  2015-06-05 08:45:41.000000000 +0200
+++ /var/tmp/diff_new_pack.ZdWd68/_new  2015-06-05 08:45:41.000000000 +0200
@@ -1,7 +1,7 @@
 #
-# spec file for package tidy (Version 1.0.20100204cvs)
+# spec file for package tidy
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -15,23 +15,22 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
-# norootforbuild
 
 %define snapshot 20100204cvs
-
 Name:           tidy
 Version:        1.0.%{snapshot}
-Release:        2
+Release:        0
 Summary:        Utility to Clean Up and Pretty-print HTML, XHTML or XML Markup
-Group:          Productivity/Publishing/HTML/Tools
 License:        W3C
+Group:          Productivity/Publishing/HTML/Tools
 Url:            http://tidy.sourceforge.net/
 Source0:        tidy-%{snapshot}.tar.bz2
 Source10:       tidy_generate_tarball.sh
-AutoReqProv:    on
+# PATCH-FIX-UPSTREAM tidy-fix-buffer-overflow.patch gh#htacg/tidy-html5#217 
boo#933588 gber -- Fix heap-based buffer overflow
+Patch0:         tidy-fix-buffer-overflow.patch
+BuildRequires:  doxygen
 BuildRequires:  libtool
 BuildRequires:  libxslt
-BuildRequires:  doxygen
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -43,21 +42,7 @@
 Furthermore, it can convert plain HTML to XHTML. For generic XML files, Tidy is
 limited to correcting basic well-formedness errors and pretty printing.
 
-
-Authors:
---------
-    Dave Raggett <[email protected]>
-    Jelks Cabaniss
-    Arnaud Desitter
-    Bjoern Hoehrmann <[email protected]>
-    Pradeep Padala <[email protected]>
-    Dave Raggett <[email protected]>
-    Charles Reitzel
-    Terry Teague <[email protected]>
-
-
 %package doc
-License:        W3C
 Summary:        Documentation for tidy and libtidy-0_99-0
 Group:          Productivity/Publishing/HTML/Tools
 %if 0%{?suse_version} >= 1120
@@ -67,14 +52,11 @@
 %description doc
 This package contains the documentation for both tidy and libtidy.
 
-
 %package -n libtidy-0_99-0
-License:        W3C
 Summary:        Library to Clean Up and Pretty-print HTML, XHTML or XML Markup
 Group:          Productivity/Publishing/HTML/Tools
 Provides:       libtidy = %{version}
 Obsoletes:      libtidy <= 1.0
-AutoReqProv:    on
 
 %description -n libtidy-0_99-0
 TidyLib is a library for cleaning up and pretty printing HTML, XHTML and XML
@@ -88,54 +70,37 @@
 There is a commandline frontend for this library, contained in the package
 "tidy".
 
-
-Authors:
---------
-    Dave Raggett <[email protected]>
-    Jelks Cabaniss
-    Arnaud Desitter
-    Bjoern Hoehrmann <[email protected]>
-    Pradeep Padala <[email protected]>
-    Dave Raggett <[email protected]>
-    Charles Reitzel
-    Terry Teague <[email protected]>
-
-
 %package -n libtidy-0_99-0-devel
-License:        W3C
 Summary:        Include Files and Libraries for Development
 Group:          Development/Libraries/C and C++
-Requires:       libtidy-0_99-0 = %{version} glibc-devel
+Requires:       glibc-devel
+Requires:       libtidy-0_99-0 = %{version}
 Provides:       libtidy-devel = %{version}
 Obsoletes:      libtidy-devel <= 1.0
-AutoReqProv:    on
 
 %description -n libtidy-0_99-0-devel
 This package contains all necessary include files and libraries needed
 to develop applications using functions provided by the TidyLib library.
 
-
 %prep
 %setup -q -n %{name}-%{snapshot}
+%patch0 -p1
 
 %build
-export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
+export CFLAGS="%{optflags} -fno-strict-aliasing"
 /bin/sh build/gnuauto/setup.sh
 %configure --disable-static --with-pic --disable-dependency-tracking \
            --includedir=%{_includedir}/%{name}
-make %{?_smp_mflags} all
+make all
 # generate quickref.html and tidy(1) manpage
 make -C build/gmake/ doc
 # generate API documentation
 doxygen htmldoc/doxygen.cfg
 
 %install
-make install DESTDIR=$RPM_BUILD_ROOT
-install -D -p -m 644 htmldoc/tidy.1 $RPM_BUILD_ROOT%{_mandir}/man1/tidy.1
-rm -f $RPM_BUILD_ROOT%{_libdir}/libtidy.la
-
-%clean
-rm -rf $RPM_BUILD_ROOT
+make DESTDIR=%{buildroot} install %{?_smp_mflags}
+install -D -p -m 644 htmldoc/tidy.1 %{buildroot}%{_mandir}/man1/tidy.1
+rm -f %{buildroot}%{_libdir}/libtidy.la
 
 %post -n libtidy-0_99-0 -p /sbin/ldconfig
 
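Review bot: In the %build hunk the replacement `make all` drops `%{?_smp_mflags}` from the compile step, while the same macro is added to the `make DESTDIR=%{buildroot} install` line in %install, where parallelism buys nothing; this looks like the macro was moved rather than deliberately removed. If the 20100204cvs snapshot's build is not parallel-safe, a one-line comment above the build step such as `# parallel build is not reliable for this snapshot, keep make serial` would record that; otherwise `make %{?_smp_mflags} all` should be restored and the macro dropped from the install line. The remaining changes in this hunk (removing the Authors blocks, `License:` lines and the `%clean` section) follow current openSUSE spec conventions and need no change.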

++++++ tidy-fix-buffer-overflow.patch ++++++
Index: tidy-20100204cvs/src/lexer.c
===================================================================
--- tidy-20100204cvs.orig/src/lexer.c
+++ tidy-20100204cvs/src/lexer.c
@@ -3467,16 +3467,18 @@ static tmbstr ParseValue( TidyDocImpl* d
         /* and prompts attributes unless --literal-attributes is set to yes    
  */
         /* #994841 - Whitespace is removed from value attributes               
  */
 
-        if (munge &&
+        /* see https://github.com/htacg/tidy-html5/issues/217 --
+         * Also only if/while (len > 0) - MUST NEVER GO NEGATIVE! */
+        if ((len > 0) && munge &&
             TY_(tmbstrcasecmp)(name, "alt") &&
             TY_(tmbstrcasecmp)(name, "title") &&
             TY_(tmbstrcasecmp)(name, "value") &&
             TY_(tmbstrcasecmp)(name, "prompt"))
         {
-            while (TY_(IsWhite)(lexer->lexbuf[start+len-1]))
+            while (TY_(IsWhite)(lexer->lexbuf[start+len-1]) && (len > 0))
                 --len;
 
-            while (TY_(IsWhite)(lexer->lexbuf[start]) && start < len)
+            while (TY_(IsWhite)(lexer->lexbuf[start]) && (start < len) && (len 
> 0))
             {
                 ++start;
                 --len;
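Review bot: The `(len > 0)` guard added to the trailing-whitespace loop is evaluated after `lexer->lexbuf[start+len-1]` has already been read, so on an all-whitespace value the loop still indexes `lexbuf[start-1]` once len reaches 0 and only then stops; the bound has to be the left operand, `while ((len > 0) && TY_(IsWhite)(lexer->lexbuf[start+len-1]))`. The same ordering applies to the leading-whitespace loop, `while ((start < len) && TY_(IsWhite)(lexer->lexbuf[start]))`, where the extra `(len > 0)` is implied by `start < len` as long as `start` is non-negative, which the hunk does not show. The new `(len > 0)` in the outer `if` is evaluated once before either loop and is fine as written. ParseValue's body, including the declarations of `start` and `len`, begins and ends outside the hunk.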
