Hello community, here is the log from the commit of package liblouis for openSUSE:Factory checked in at 2018-06-22 13:14:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/liblouis (Old) and /work/SRC/openSUSE:Factory/.liblouis.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "liblouis" Fri Jun 22 13:14:34 2018 rev:36 rq:616350 version:3.6.0 Changes: -------- --- /work/SRC/openSUSE:Factory/liblouis/liblouis.changes 2018-06-02 11:55:21.464936881 +0200 +++ /work/SRC/openSUSE:Factory/.liblouis.new/liblouis.changes 2018-06-22 13:14:54.556092269 +0200 @@ -1,0 +2,30 @@ +Tue Jun 12 12:25:05 UTC 2018 - [email protected] + +- Word wrapped changes file + +------------------------------------------------------------------- +Tue Jun 12 07:05:35 UTC 2018 - [email protected] + +- Update to 3.6.0: + + New features: + - Add metadata fields name and display-name to tables + + Bug fixes: + - Fix a bunch of buffer overflow errors in table parsing + (CVE-2018-11410 bsc#1094685, CVE-2018-11440 bsc#1095189) + - Fix input-output mapping of context rules + - Fix back tracking with all caps words + - Fix context rules with lookback + - Fix a memory leak in default table resolver + - Fix an array out of bounds error which caused a crash on + i386 + - Fix numerous stack-based buffer overflow in table parsing + (CVE-2018-11683 bsc#1095827, CVE-2018-11684 bsc#1095826, + CVE-2018-11685 bsc#1095825). + + Braille table improvements. +- Applied spec-cleaner. +- Removed CVE-2018-11410.patch: Included upstream. +- Added CVE-2018-12085.patch: Fixed a stack-based buffer overflow + in the function parseChars() in compileTranslationTable.c + (CVE-2018-12085 bsc#1097103). + +------------------------------------------------------------------- @@ -4,2 +34,2 @@ -- Added CVE-2018-11410.patch: Fix a buffer overflow in table parsing - (bsc#1094685 CVE-2018-11410). +- Added CVE-2018-11410.patch: Fix a buffer overflow in table + parsing (bsc#1094685 CVE-2018-11410). @@ -11,4 +41,5 @@ - - New features - - The same name can now be used in more than one ~class~ rule. The effect - is that both set of characters become part of that one class. - - Bug fixes + + New features + - The same name can now be used in more than one ~class~ rule. + The effect is that both set of characters become part of that + one class. + + Bug fixes @@ -16,3 +47,4 @@ - - Treat characters within the range ~compbrlStart~ and ~compbrlEnd~ as a - special case. This fixes many if not most of the problems with cursor - position and the ~compbrlAtCursor~ mode. Thanks to Dave Mielke. + - Treat characters within the range ~compbrlStart~ and + ~compbrlEnd~ as a special case. This fixes many if not most + of the problems with cursor position and the + ~compbrlAtCursor~ mode. Thanks to Dave Mielke. @@ -20,14 +52,16 @@ - - Fix negation of attribute matcher in multipass expressions thanks to Bert Frees - - Braille table improvements - - Backwards incompatible changes - - The translation mode ~comp8Dots~ has been removed as it was never really - implemented anyway - - Support for the ~pass1Only~ flag has now been removed. Thanks to Bue - Vester-Andersen. - - The old UEB tables ~UEBC-g1.ctb~ and ~UEBC-g2.ctb~ have been removed as - the have been superseded by ~en-ueb-g1.ctb~ and ~en-ueb-g2.ctb~. - - The french tables ~fr-2007.ctb~, ~fr-fr-g1.utb~, ~fr-fr-g2.ctb~, - ~fr-ca-g1.utb~ and ~fr-ca-g2.ctb~ have been removed. Use - ~fr-bfu-comp6.utb~ for 6 dots literary, ~fr-bfu-comp8.utb~ for 8 dots computer - and ~fr-bfu-g2.ctb~ for contracted braille instead. - + - Fix negation of attribute matcher in multipass expressions + thanks to Bert Frees + + Braille table improvements + + Backwards incompatible changes + - The translation mode ~comp8Dots~ has been removed as it was + never really implemented anyway + - Support for the ~pass1Only~ flag has now been removed. Thanks + to Bue Vester-Andersen. + - The old UEB tables ~UEBC-g1.ctb~ and ~UEBC-g2.ctb~ have been + removed as the have been superseded by ~en-ueb-g1.ctb~ and + ~en-ueb-g2.ctb~. + - The french tables ~fr-2007.ctb~, ~fr-fr-g1.utb~, + ~fr-fr-g2.ctb~, ~fr-ca-g1.utb~ and ~fr-ca-g2.ctb~ have been + removed. Use ~fr-bfu-comp6.utb~ for 6 dots literary, + ~fr-bfu-comp8.utb~ for 8 dots computer and ~fr-bfu-g2.ctb~ + for contracted braille instead. @@ -35 +69 @@ - - New features + + New features @@ -37,9 +71,9 @@ - ~lou_checkyaml~ thanks to Bue Vester-Andersen. See the manual for - details and examples. - - Bug fixes - - output positions (~outputPos~) are now calculated based on input - positions (~inputPos~) thanks to Bert Frees. This avoids a whole - class of bugs that previously plagued the output positions. This fix - also obviates the need for the ~pass1Only~ flag. See below for the - deprecation notice. - - Braille table improvements + ~lou_checkyaml~ thanks to Bue Vester-Andersen. See the manual + for details and examples. + + Bug fixes + - output positions (~outputPos~) are now calculated based on + input positions (~inputPos~) thanks to Bert Frees. This + avoids a whole class of bugs that previously plagued the + output positions. This fix also obviates the need for the + ~pass1Only~ flag. See below for the deprecation notice. + + Braille table improvements Old: ---- CVE-2018-11410.patch liblouis-3.5.0.tar.gz New: ---- CVE-2018-12085.patch liblouis-3.6.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ liblouis.spec ++++++ --- /var/tmp/diff_new_pack.TvsWPQ/_old 2018-06-22 13:14:55.960040209 +0200 +++ /var/tmp/diff_new_pack.TvsWPQ/_new 2018-06-22 13:14:55.964040061 +0200 @@ -16,20 +16,21 @@ # +%define soname 16 Name: liblouis -Version: 3.5.0 +Version: 3.6.0 Release: 0 Summary: Two-way braille translator License: LGPL-3.0-or-later Group: Productivity/Other URL: http://liblouis.org/ Source0: https://github.com/liblouis/liblouis/releases/download/v%{version}/liblouis-%{version}.tar.gz -Patch0: CVE-2018-11410.patch +Patch0: CVE-2018-12085.patch BuildRequires: fdupes BuildRequires: pkgconfig BuildRequires: python-rpm-macros BuildRequires: python3 -Requires: liblouis14 = %{version} +Requires: liblouis%{soname} = %{version} # FIXME: use proper Requires(pre/post/preun/...) PreReq: %{install_info_prereq} @@ -43,7 +44,7 @@ Included are also tools for testing and debugging tables. -%package -n liblouis14 +%package -n liblouis%{soname} Summary: Two-way braille translator # We used to have a package named liblouis, until 2.4.1. License: LGPL-3.0-or-later @@ -52,7 +53,7 @@ Provides: %{name} = %{version} Obsoletes: %{name} < %{version} -%description -n liblouis14 +%description -n liblouis%{soname} liblouis is a translator from and to braille. It features support for computer and literary braille, supports contracted and uncontracted translation for many languages and has support for hyphenation. New @@ -97,7 +98,7 @@ Summary: Development files for the liblouis braille translator License: LGPL-3.0-or-later Group: Development/Libraries/C and C++ -Requires: liblouis14 = %{version} +Requires: liblouis%{soname} = %{version} %description devel liblouis is a translator from and to braille. It features support for @@ -111,7 +112,7 @@ Summary: Python3 bindings for the liblouis braille translator License: LGPL-3.0-or-later Group: Development/Languages/Python -Requires: liblouis14 = %{version} +Requires: liblouis%{soname} = %{version} %description -n python3-louis liblouis is a translator from and to braille. It features support for @@ -155,10 +156,10 @@ %preun doc %install_info_delete --info-dir=%{_infodir} %{_infodir}/%{name}.info.gz -%post -n liblouis14 -p /sbin/ldconfig -%postun -n liblouis14 -p /sbin/ldconfig +%post -n liblouis%{soname} -p /sbin/ldconfig +%postun -n liblouis%{soname} -p /sbin/ldconfig -%files -n liblouis14 +%files -n liblouis%{soname} %license COPYING.LESSER %doc AUTHORS ChangeLog NEWS README %{_libdir}/*.so.* @@ -173,7 +174,7 @@ %files doc %doc doc/liblouis.html doc/liblouis.txt -%{_infodir}/%{name}.info%{ext_info} +%{_infodir}/%{name}.info%{?ext_info} %files devel %{_libdir}/*.so ++++++ CVE-2018-11410.patch -> CVE-2018-12085.patch ++++++ --- /work/SRC/openSUSE:Factory/liblouis/CVE-2018-11410.patch 2018-06-02 11:55:19.733000408 +0200 +++ /work/SRC/openSUSE:Factory/.liblouis.new/CVE-2018-12085.patch 2018-06-22 13:14:52.896153822 +0200 @@ -1,43 +1,27 @@ -From ed6b00aea08005945c9ae8a4a4503acc43f3a844 Mon Sep 17 00:00:00 2001 -From: Samuel Thibault <[email protected]> -From: Karol Babioch <[email protected]> -Upstream: merged -Date: Fri, 25 May 2018 10:25:33 +0200 -Subject: [PATCH] Fix a buffer overflow in table parsing +From dbfa58bb128cae86729578ac596056b3385817ef Mon Sep 17 00:00:00 2001 +From: Christian Egli <[email protected]> +Date: Wed, 6 Jun 2018 16:41:53 +0200 +Subject: [PATCH] Check index before writing to result->chars -Fixes #573 +Fixes #595 --- - liblouis/pattern.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) + liblouis/compileTranslationTable.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) -Index: liblouis-3.5.0/liblouis/pattern.c +Index: liblouis-3.6.0/liblouis/compileTranslationTable.c =================================================================== ---- liblouis-3.5.0.orig/liblouis/pattern.c -+++ liblouis-3.5.0/liblouis/pattern.c -@@ -708,6 +708,8 @@ pattern_compile_expression(const widecha - expr_crs, loop_cnts)) - return 0; - -+ if (*expr_crs + 3 >= expr_max) return 0; -+ - EXPR_NXT(expr_sub) = *expr_crs; - - /* create end expression */ -@@ -720,7 +722,7 @@ pattern_compile_expression(const widecha - - case '+': - -- if (*expr_crs + 4 >= expr_max) return 0; -+ if (*expr_crs + 5 >= expr_max) return 0; - EXPR_TYPE(*expr_crs) = PTN_ONE_MORE; - EXPR_DATA_1(*expr_crs) = (*loop_cnts)++; - (*input_crs)++; -@@ -728,7 +730,7 @@ pattern_compile_expression(const widecha - - case '*': - -- if (*expr_crs + 4 >= expr_max) return 0; -+ if (*expr_crs + 5 >= expr_max) return 0; - EXPR_TYPE(*expr_crs) = PTN_ZERO_MORE; - EXPR_DATA_1(*expr_crs) = (*loop_cnts)++; - (*input_crs)++; +--- liblouis-3.6.0.orig/liblouis/compileTranslationTable.c ++++ liblouis-3.6.0/liblouis/compileTranslationTable.c +@@ -1127,11 +1127,11 @@ parseChars(FileInfo *nested, CharsString + } + in++; + } +- result->chars[out++] = (widechar)ch; + if (out >= MAXSTRING) { + result->length = out; + return 1; + } ++ result->chars[out++] = (widechar)ch; + continue; + } + lastOutSize = out; ++++++ liblouis-3.5.0.tar.gz -> liblouis-3.6.0.tar.gz ++++++ /work/SRC/openSUSE:Factory/liblouis/liblouis-3.5.0.tar.gz /work/SRC/openSUSE:Factory/.liblouis.new/liblouis-3.6.0.tar.gz differ: char 5, line 1
