Hello community, here is the log from the commit of package tidy for openSUSE:Factory checked in at 2015-06-05 08:45:38 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tidy (Old) and /work/SRC/openSUSE:Factory/.tidy.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tidy" Changes: -------- --- /work/SRC/openSUSE:Factory/tidy/tidy.changes 2012-06-25 14:57:09.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.tidy.new/tidy.changes 2015-06-05 08:45:40.000000000 +0200 @@ -1,0 +2,7 @@ +Thu Jun 4 08:33:48 UTC 2015 - [email protected] + +- add tidy-fix-buffer-overflow.patch in order to fix a heap-based + buffer overflow in tidy/libtidy (gh#htacg/tidy-html5#217 + boo#933588) + +------------------------------------------------------------------- New: ---- tidy-fix-buffer-overflow.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tidy.spec ++++++ --- /var/tmp/diff_new_pack.ZdWd68/_old 2015-06-05 08:45:41.000000000 +0200 +++ /var/tmp/diff_new_pack.ZdWd68/_new 2015-06-05 08:45:41.000000000 +0200 @@ -1,7 +1,7 @@ # -# spec file for package tidy (Version 1.0.20100204cvs) +# spec file for package tidy # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -15,23 +15,22 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# norootforbuild %define snapshot 20100204cvs - Name: tidy Version: 1.0.%{snapshot} -Release: 2 +Release: 0 Summary: Utility to Clean Up and Pretty-print HTML, XHTML or XML Markup -Group: Productivity/Publishing/HTML/Tools License: W3C +Group: Productivity/Publishing/HTML/Tools Url: http://tidy.sourceforge.net/ Source0: tidy-%{snapshot}.tar.bz2 Source10: tidy_generate_tarball.sh -AutoReqProv: on +# PATCH-FIX-UPSTREAM tidy-fix-buffer-overflow.patch gh#htacg/tidy-html5#217 boo#933588 gber -- Fix heap-based buffer overflow +Patch0: tidy-fix-buffer-overflow.patch +BuildRequires: doxygen BuildRequires: libtool BuildRequires: libxslt -BuildRequires: doxygen BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -43,21 +42,7 @@ Furthermore, it can convert plain HTML to XHTML. For generic XML files, Tidy is limited to correcting basic well-formedness errors and pretty printing. - -Authors: --------- - Dave Raggett <[email protected]> - Jelks Cabaniss - Arnaud Desitter - Bjoern Hoehrmann <[email protected]> - Pradeep Padala <[email protected]> - Dave Raggett <[email protected]> - Charles Reitzel - Terry Teague <[email protected]> - - %package doc -License: W3C Summary: Documentation for tidy and libtidy-0_99-0 Group: Productivity/Publishing/HTML/Tools %if 0%{?suse_version} >= 1120 @@ -67,14 +52,11 @@ %description doc This package contains the documentation for both tidy and libtidy. - %package -n libtidy-0_99-0 -License: W3C Summary: Library to Clean Up and Pretty-print HTML, XHTML or XML Markup Group: Productivity/Publishing/HTML/Tools Provides: libtidy = %{version} Obsoletes: libtidy <= 1.0 -AutoReqProv: on %description -n libtidy-0_99-0 TidyLib is a library for cleaning up and pretty printing HTML, XHTML and XML 
@@ -88,54 +70,37 @@ There is a commandline frontend for this library, contained in the package "tidy". - -Authors: --------- - Dave Raggett <[email protected]> - Jelks Cabaniss - Arnaud Desitter - Bjoern Hoehrmann <[email protected]> - Pradeep Padala <[email protected]> - Dave Raggett <[email protected]> - Charles Reitzel - Terry Teague <[email protected]> - - %package -n libtidy-0_99-0-devel -License: W3C Summary: Include Files and Libraries for Development Group: Development/Libraries/C and C++ -Requires: libtidy-0_99-0 = %{version} glibc-devel +Requires: glibc-devel +Requires: libtidy-0_99-0 = %{version} Provides: libtidy-devel = %{version} Obsoletes: libtidy-devel <= 1.0 -AutoReqProv: on %description -n libtidy-0_99-0-devel This package contains all necessary include files and libraries needed to develop applications using functions provided by the TidyLib library. - %prep %setup -q -n %{name}-%{snapshot} +%patch0 -p1 %build -export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing" +export CFLAGS="%{optflags} -fno-strict-aliasing" /bin/sh build/gnuauto/setup.sh %configure --disable-static --with-pic --disable-dependency-tracking \ --includedir=%{_includedir}/%{name} -make %{?_smp_mflags} all +make all # generate quickref.html and tidy(1) manpage make -C build/gmake/ doc # generate API documentation doxygen htmldoc/doxygen.cfg %install -make install DESTDIR=$RPM_BUILD_ROOT -install -D -p -m 644 htmldoc/tidy.1 $RPM_BUILD_ROOT%{_mandir}/man1/tidy.1 -rm -f $RPM_BUILD_ROOT%{_libdir}/libtidy.la - -%clean -rm -rf $RPM_BUILD_ROOT +make DESTDIR=%{buildroot} install %{?_smp_mflags} +install -D -p -m 644 htmldoc/tidy.1 %{buildroot}%{_mandir}/man1/tidy.1 +rm -f %{buildroot}%{_libdir}/libtidy.la %post -n libtidy-0_99-0 -p /sbin/ldconfig ++++++ tidy-fix-buffer-overflow.patch ++++++ Index: tidy-20100204cvs/src/lexer.c =================================================================== --- tidy-20100204cvs.orig/src/lexer.c +++ tidy-20100204cvs/src/lexer.c 
@@ -3467,16 +3467,18 @@ static tmbstr ParseValue( TidyDocImpl* d /* and prompts attributes unless --literal-attributes is set to yes */ /* #994841 - Whitespace is removed from value attributes */ - if (munge && + /* see https://github.com/htacg/tidy-html5/issues/217 -- + * Also only if/while (len > 0) - MUST NEVER GO NEGATIVE! */ + if ((len > 0) && munge && TY_(tmbstrcasecmp)(name, "alt") && TY_(tmbstrcasecmp)(name, "title") && TY_(tmbstrcasecmp)(name, "value") && TY_(tmbstrcasecmp)(name, "prompt")) { - while (TY_(IsWhite)(lexer->lexbuf[start+len-1])) + while (TY_(IsWhite)(lexer->lexbuf[start+len-1]) && (len > 0)) --len; - while (TY_(IsWhite)(lexer->lexbuf[start]) && start < len) + while (TY_(IsWhite)(lexer->lexbuf[start]) && (start < len) && (len > 0)) { ++start; --len;
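Review bot: in the first `while` of the lexer.c hunk the new `(len > 0)` guard is evaluated after the array read, so `TY_(IsWhite)(lexer->lexbuf[start+len-1])` still runs once `--len` has brought `len` to 0 and touches `lexbuf[start-1]` before the loop terminates; the guard only prevents `len` from going negative, not the out-of-bounds read the issue is about. Put the length check first so short-circuit evaluation protects the read: `while ((len > 0) && TY_(IsWhite)(lexer->lexbuf[start+len-1]))`. The same ordering applies to the second loop, where `(start < len) && (len > 0)` should precede the `IsWhite` call; with `start` non-negative the extra `(len > 0)` there is implied by `(start < len)` and can be dropped. The guard added to the enclosing `if` is correct as written, since it runs before any access.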
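Review bot: in the tidy.spec `%build`/`%install` hunks, `%{?_smp_mflags}` is removed from `make all`, where parallel compilation actually saves time, and attached to `make DESTDIR=%{buildroot} install`, where it rarely helps and where install targets that were not written to run in parallel may race. Suggest keeping `make %{?_smp_mflags} all` in `%build` and using a plain `make DESTDIR=%{buildroot} install` in `%install`. The rest of the spec changes (dropping `%clean`, `AutoReqProv`, `norootforbuild` and the per-subpackage `License:` lines, the `PATCH-FIX-UPSTREAM` tag referencing gh#htacg/tidy-html5#217 and boo#933588, and `%patch0 -p1` in `%prep`) are consistent with current openSUSE packaging conventions.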
