Hello community,

here is the log from the commit of package pspp for openSUSE:Factory checked in 
at 2019-01-24 14:03:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pspp (Old)
 and      /work/SRC/openSUSE:Factory/.pspp.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pspp"

Thu Jan 24 14:03:58 2019 rev:9 rq:663107 version:1.2.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/pspp/pspp.changes        2017-09-12 
19:56:32.297431043 +0200
+++ /work/SRC/openSUSE:Factory/.pspp.new.28833/pspp.changes     2019-01-24 
14:04:00.308011052 +0100
@@ -1,0 +2,26 @@
+Fri Jan  4 13:54:30 UTC 2019 - Jan Engelhardt <[email protected]>
+
+- Drop useless AutoReqProv: on.
+
+-------------------------------------------------------------------
+Thu Jan  3 15:07:54 UTC 2019 - [email protected]
+
+- Add upstream patch CVE-2018-20230.patch to fix CVE-2018-20230 
+  (bnc#1120061).
+- Add upstream patch avoid_old_Texinfo_4.13.patch to avoid 
+  compiling with old Texinfo 4.13.
+
+-------------------------------------------------------------------
+Sat Nov 10 20:12:10 UTC 2018 - [email protected]
+
+- pspp 1.2.0:
+  * New experimental command SAVE DATA COLLECTION to save MDD files
+  * MTIME and YMDHMS variable formats now supported.
+  * Spread sheet rendering now done via spread-sheet-widget
+
+-------------------------------------------------------------------
+Sat Nov 10 19:59:09 UTC 2018 - [email protected]
+
+- add upstream signing key and verify source signature
+
+-------------------------------------------------------------------

Old:
----
  pspp-1.0.1.tar.gz

New:
----
  CVE-2018-20230.patch
  avoid_old_Texinfo_4.13.patch
  pspp-1.2.0.tar.gz
  pspp-1.2.0.tar.gz.sig
  pspp.keyring

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pspp.spec ++++++
--- /var/tmp/diff_new_pack.lm2I7O/_old  2019-01-24 14:04:00.928010344 +0100
+++ /var/tmp/diff_new_pack.lm2I7O/_new  2019-01-24 14:04:00.928010344 +0100
@@ -1,8 +1,9 @@
-# spec file for PSPP 1.0.1
+# spec file for PSPP 1.2.0
 
 # Copyright (c) 2008 Matj Cepl <[email protected]>
 # Copyright (c) 2008 D. Steuer <[email protected]>
-# Copyright (c) 2010-2017 <[email protected]>
+# Copyright (c) 2018 <[email protected]>
+# Copyright (c) 2010-2019 <[email protected]>
 
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -14,7 +15,7 @@
 # published by the Open Source Initiative.
 
 # Usable with currently supported openSUSE releases
-# 42.1, 42.2, 42.3, TW
+# 42.3, 15.0, TW
 
 %if 0%{?mandriva_version} 
 %define _disable_ld_no_undefined 1
@@ -23,7 +24,7 @@
 %endif
 
 Name:           pspp
-Version:        1.0.1
+Version:        1.2.0
 Release:        0
 Summary:        A program for statistical analysis of sampled data
  
@@ -31,6 +32,12 @@
 License:        GPL-3.0+
 URL:            http://www.gnu.org/software/pspp/
 Source0:        ftp://ftp.gnu.org/pub/gnu/pspp/pspp-%{version}.tar.gz
+Source1:        ftp://ftp.gnu.org/pub/gnu/pspp/pspp-%{version}.tar.gz.sig
+Source2:        
https://savannah.gnu.org/people/viewgpg.php?user_id=245#/%{name}.keyring
+# PATCH-FIX-UPSTREAM CVE-2018-20230.patch bnc#1120061 CVE-2018-20230
+Patch0:         CVE-2018-20230.patch
+# Fix build with Texinfo 4.13 for openSUSE Leap 42.*
+Patch1:         avoid_old_Texinfo_4.13.patch
 
 BuildRoot:      %{_tmppath}/pspp-root
 %if 0%{?centos_version} 
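Review bot: Nothing in the visible hunks checks `Source1` against `Source2`, and `Source0` and `Source1` are both fetched over plain `ftp://`, so the tarball's integrity rests entirely on a signature check that this spec does not show. If that check is done by the build service's source validation rather than in `%prep`, which is presumably the case here, a comment above `Source1:` should say so, e.g. `# Signature is verified against pspp.keyring by the build service, not in %prep`. The keyring itself is downloaded from a live Savannah page, so recording the expected key fingerprint in a comment next to `Source2:` would make a changed key visible in review.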
@@ -59,7 +66,7 @@
 PreReq:         %install_info_prereq
 %endif
 %if  0%{?suse_version} 
-BuildRequires:  gtksourceview-devel >= 3.14.5
+BuildRequires:  gtksourceview-devel >= 3.18.0
 %endif
 %if 0%{?suse_version}
 #Next package only for "make check"
@@ -83,10 +90,13 @@
 # BuildRequires:  postgresql93-libs
 %endif
 BuildRequires:  readline-devel
+BuildRequires:  spread-sheet-widget-devel >= 0.3
 BuildRequires:  texinfo
 BuildRequires:  zlib-devel
+%if 0%{?suse_version} <= 1320
+BuildRequires:  libtool
+%endif
 Requires:       yelp
-AutoReqProv:    Yes
 
 %description
 PSPP is a program for statistical analysis of sampled data. It
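Review bot: The new guard `%if 0%{?suse_version} <= 1320` is also true where `suse_version` is undefined, because `0%{?suse_version}` then expands to `0`. The spec carries Fedora, RHEL, CentOS and Mandriva branches, so on those targets `libtool` becomes a build requirement as well. The same guard wraps `%patch1 -p1` and `autoreconf -f -i` in the two later hunks, so the Texinfo patch and the regeneration would run there too. If only old SUSE releases are meant, `%if 0%{?suse_version} && 0%{?suse_version} <= 1320` states that.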
@@ -122,6 +132,11 @@
 %setup -n pspp-%{version}
 %endif
 
+%patch0 -p1
+%if 0%{?suse_version} <= 1320
+%patch1 -p1
+%endif
+
 %if 0%{?fedora} || 0%{?rhel_version} || 0%{?centos_version} || 
0%{?mandriva_version}
 %build 
 %else
@@ -129,10 +144,12 @@
 %endif
 export SUSE_ASNEEDED=0
 export CFLAGS="%{optflags} -fgnu89-inline"
+%if 0%{?suse_version} <= 1320
+autoreconf -f -i
+%endif
 %configure \
              --disable-relocatable --disable-static --disable-rpath \
-             --disable-anachronistic-dependencies --enable-debug \
-             --without-libreadline-prefix
+             --enable-debug --without-libreadline-prefix
 
 #Fix "File is compiled without RPM_OPT_FLAGS"
 make

++++++ CVE-2018-20230.patch ++++++
pspp-dump-sav: Issue error message for too-large extension records.

CVE-2018-20230.

--- a/utilities/pspp-dump-sav.c
+++ b/utilities/pspp-dump-sav.c
@@ -37,6 +37,7 @@
 #include "gl/progname.h"
 #include "gl/version-etc.h"
 #include "gl/xalloc.h"
+#include "gl/xsize.h"
 
 #define ID_MAX_LEN 64
 
@@ -99,7 +100,7 @@ static void read_simple_compressed_data (struct sfm_reader 
*, int max_cases);
 static void read_zlib_compressed_data (struct sfm_reader *);
 
 static struct text_record *open_text_record (
-  struct sfm_reader *, size_t size);
+  struct sfm_reader *, size_t size, size_t count);
 static void close_text_record (struct text_record *);
 static bool read_variable_to_value_pair (struct text_record *,
                                          char **key, char **value);
@@ -735,7 +736,7 @@ read_extra_product_info (struct sfm_reader *r,
   const char *s;
 
   printf ("%08llx: extra product info\n", (long long int) ftello (r->file));
-  text = open_text_record (r, size * count);
+  text = open_text_record (r, size, count);
   s = text_get_all (text);
   print_string (s, strlen (s));
   close_text_record (text);
@@ -749,7 +750,7 @@ read_mrsets (struct sfm_reader *r, size_t size, size_t 
count)
 
   printf ("%08llx: multiple response sets\n",
           (long long int) ftello (r->file));
-  text = open_text_record (r, size * count);
+  text = open_text_record (r, size, count);
   for (;;)
     {
       const char *name;
@@ -909,7 +910,7 @@ read_long_var_name_map (struct sfm_reader *r, size_t size, 
size_t count)
 
   printf ("%08llx: long variable names (short => long)\n",
           (long long int) ftello (r->file));
-  text = open_text_record (r, size * count);
+  text = open_text_record (r, size, count);
   while (read_variable_to_value_pair (text, &var, &long_name))
     printf ("\t%s => %s\n", var, long_name);
   close_text_record (text);
@@ -926,7 +927,7 @@ read_long_string_map (struct sfm_reader *r, size_t size, 
size_t count)
 
   printf ("%08llx: very long strings (variable => length)\n",
           (long long int) ftello (r->file));
-  text = open_text_record (r, size * count);
+  text = open_text_record (r, size, count);
   while (read_variable_to_value_pair (text, &var, &length_s))
     printf ("\t%s => %d\n", var, atoi (length_s));
   close_text_record (text);
@@ -1004,7 +1005,7 @@ read_datafile_attributes (struct sfm_reader *r, size_t 
size, size_t count)
   struct text_record *text;
 
   printf ("%08llx: datafile attributes\n", (long long int) ftello (r->file));
-  text = open_text_record (r, size * count);
+  text = open_text_record (r, size, count);
   read_attributes (r, text, "datafile");
   close_text_record (text);
 }
@@ -1196,7 +1197,7 @@ read_variable_attributes (struct sfm_reader *r, size_t 
size, size_t count)
   struct text_record *text;
 
   printf ("%08llx: variable attributes\n", (long long int) ftello (r->file));
-  text = open_text_record (r, size * count);
+  text = open_text_record (r, size, count);
   for (;;)
     {
       const char *variable = text_tokenize (text, ':');
@@ -1389,18 +1390,23 @@ struct text_record
     size_t pos;                 /* Current position in buffer. */
   };
 
-/* Reads SIZE bytes into a text record for R,
+/* Reads SIZE * COUNT bytes into a text record for R,
    and returns the new text record. */
 static struct text_record *
-open_text_record (struct sfm_reader *r, size_t size)
+open_text_record (struct sfm_reader *r, size_t size, size_t count)
 {
   struct text_record *text = xmalloc (sizeof *text);
-  char *buffer = xmalloc (size + 1);
-  read_bytes (r, buffer, size);
+
+  if (size_overflow_p (xsum (1, xtimes (size, count))))
+    sys_error (r, "Extension record too large.");
+
+  size_t n_bytes = size * count;
+  char *buffer = xmalloc (n_bytes + 1);
+  read_bytes (r, buffer, n_bytes);
   buffer[size] = '\0';
   text->reader = r;
   text->buffer = buffer;
-  text->size = size;
+  text->size = n_bytes;
   text->pos = 0;
   return text;
 }
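Review bot: The unchanged line `buffer[size] = '\0';` still indexes with `size`, which after this change is the per-element size rather than the total length, so the terminator no longer lands at the end of the data that was read. With `count` greater than 1 the text is cut off after the first `size` bytes while `text->size` reports `n_bytes`. With `count` equal to 0 the buffer is one byte long and the store at `buffer[size]` falls outside it for any non-zero `size`; whether a file can reach this path with a zero count depends on the callers, which are outside this hunk. The line should read `buffer[n_bytes] = '\0';`.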
++++++ avoid_old_Texinfo_4.13.patch ++++++
Texinfo 4.13 was causing problems (e.g. on openSUSE Leap 42) 
despite the implemented workarounds, so this commit removes the workaround 
in favor of just using the distributed pspp.xml if makeinfo is broken.

--- a/acinclude.m4
+++ b/acinclude.m4
@@ -281,6 +281,21 @@ EOF
        AC_SUBST([AM_MAKEINFOFLAGS])
    fi])
 
+dnl Texinfo 4.13 generates broken DocBook XML.  Probably other old
+dnl versions do too, but that's the one that causes problems.
+AC_DEFUN([PSPP_CHECK_MAKEINFO_DOCBOOK_XML],
+  [AC_REQUIRE([AM_INIT_AUTOMAKE])  # Defines MAKEINFO
+   AC_CACHE_CHECK(
+     [whether makeinfo generates broken DocBook XML],
+     [pspp_cv_broken_docbook_xml],
+     [AS_CASE(
+        [$(eval "$MAKEINFO --version | head -1")],
+        [*texinfo*4.13*], [pspp_cv_broken_docbook_xml=yes],
+        [*texinfo*], [pspp_cv_broken_docbook_xml=no],
+        [*], [pspp_cv_broken_docbook_xml=yes])])
+   AM_CONDITIONAL(
+     [BROKEN_DOCBOOK_XML], [test "$pspp_cv_broken_docbook_xml" = yes])])
+
 # The following comes from Open vSwitch:
 # ----------------------------------------------------------------------
 # Copyright (c) 2008, 2009, 2010, 2011 Nicira Networks.

--- a/configure.ac
+++ b/configure.ac
@@ -36,6 +36,7 @@ AC_HEADER_TIOCGWINSZ
 PKG_PROG_PKG_CONFIG
 m4_pattern_forbid([PKG_CHECK_MODULES])
 PSPP_CHECK_CLICKSEQUENCE
+PSPP_CHECK_MAKEINFO_DOCBOOK_XML
 PSPP_CHECK_DOT
 
 PSPP_ENABLE_WERROR
@@ -81,12 +82,7 @@ if test "$with_cairo" != no; then
     [PSPP_REQUIRED_PREREQ([cairo 1.5 or later and pango 1.22 or later (or use 
--without-cairo)])])
 fi
 
-dnl Xmllint is used in the rules to build the documentation.  It is not 
actually necessary,
-dnl but is used for post-build consistency checks.  Thus, non-developers can 
live without it.
-dnl However for it to be useful, it needs to be a certain version and have 
certain features.
-dnl The macros below check that it the xmllint available is up to scratch.  If 
it isn't
-dnl then a dummy /bin/echo is subsituted instead.
-
+dnl One of the tests uses xmllint.
 AC_CACHE_CHECK([for an xmllint program which fits our 
needs],[ac_cv_path_XMLLINT],
 [AC_PATH_PROGS_FEATURE_CHECK([XMLLINT], [xmllint], 
   [[$ac_path_XMLLINT --version 2>&1 | $GREP XPath > /dev/null && 

--- a/doc/automake.mk
+++ b/doc/automake.mk
@@ -59,35 +59,14 @@
        $(AM_V_GEN)echo "@set example-dir $(examplesdir)" > $@
 
 
-# The SED and AWK filters in this rule, are to work-around some nasty bugs in 
-# makeinfo version 4.13, which produces broken docbook xml.  These workarounds 
-# are rather horrible and must be removed asap.
 $(srcdir)/doc/pspp.xml: doc/pspp.texi $(doc_pspp_TEXINFOS) 
$(top_srcdir)/doc/help-pages-list
+if BROKEN_DOCBOOK_XML
+       touch $@
+else
        @$(MKDIR_P)  doc
        $(AM_V_GEN)$(MAKEINFO) $(AM_MAKEINFOFLAGS) --docbook -I $(top_srcdir) \
-               $(top_srcdir)/doc/pspp.texi -o - \
-               | $(SED) -e 's/Time-&-Date/Time-\&amp;-Date/g' \
-               -e 's/&ldquo;/\&#8220;/g' \
-               -e 's/&rdquo;/\&#8221;/g' \
-               -e 's/&lsquo;/\&#8216;/g' \
-               -e 's/&rsquo;/\&#8217;/g' \
-               -e 's/&mdash;/\&#8212;/g' \
-               -e 's/&ndash;/\&#8242;/g' \
-                -e 's/&eacute;/\&#0233;/g' \
-               -e 's/&copy;/\&#0169;/g' \
-               -e 's/&minus;/\&#8722;/g' \
-               -e 's/&hellip;/\&#8230;/g' \
-               -e 's/&bull;/\&#2022;/g' \
-               -e 's/&period;/./g' \
-               -e 's%\(<figure [^>]*\)>%\1/>%g' \
-        | $(AWK) '/<para>.*<table.*>.*<\/para>/{x=sub("</para>",""); print; 
s=1;next}/<\/table>/{print; if (s==1) print "</para>"; s=0; next}1' \
-       > $@,tmp
-       $(AM_V_at)$(XMLLINT) --output /dev/null $@,tmp
-       $(AM_V_at)cat $(top_srcdir)/doc/help-pages-list | while read node ; do \
-        $(XMLLINT) --xpath "$$node" $@,tmp > /dev/null; \
-        if test $$? -ne 0 ; then  echo "$$node does not appear in $@" ; exit 
1; fi ; \
-        done 
-       mv $@,tmp $@
+               $< -o $@
+endif
 
 docbookdir = $(docdir)
 dist_docbook_DATA = doc/pspp.xml
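Review bot: The rewritten recipe writes directly to the target with `$< -o $@`, whereas the removed one built `$@,tmp`, validated it with `$(XMLLINT)` and only then ran `mv $@,tmp $@`. A makeinfo run that fails part-way can now leave a truncated `$(srcdir)/doc/pspp.xml` that looks up to date. Keeping the temporary file, `$< -o $@,tmp` followed by `mv $@,tmp $@`, restores that property without bringing back the sed/awk filters. In the `BROKEN_DOCBOOK_XML` branch, `touch $@` creates an empty file when the distributed pspp.xml is missing, and that file is then shipped through `dist_docbook_DATA`; `test -s $@ && touch $@` would fail the build instead.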
++++++ pspp-1.0.1.tar.gz -> pspp-1.2.0.tar.gz ++++++
/work/SRC/openSUSE:Factory/pspp/pspp-1.0.1.tar.gz 
/work/SRC/openSUSE:Factory/.pspp.new.28833/pspp-1.2.0.tar.gz differ: char 5, 
line 1

