Hello community,

here is the log from the commit of package libcroco for openSUSE:Leap:15.2 checked in at 2020-03-06 12:37:11

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/libcroco (Old)
 and      /work/SRC/openSUSE:Leap:15.2/.libcroco.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libcroco" Fri Mar 6 12:37:11 2020 rev:17 rq:779601 version:0.6.13 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/libcroco/libcroco.changes 2020-01-15 15:19:30.266378505 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.libcroco.new.26092/libcroco.changes 2020-03-06 12:37:12.122608567 +0100 @@ -1,0 +2,28 @@ +Thu May 2 17:45:07 UTC 2019 - [email protected] + +- Add libcroco-CVE-2017-8834.patch: fix infinite loop on invalid + UTF-8 (boo#1043898 boo#1043899 bgo#782647 CVE-2017-8834 + CVE-2017-8871). + +------------------------------------------------------------------- +Sat Apr 6 20:01:33 UTC 2019 - Bjørn Lie <[email protected]> + +- Update to version 0.6.13: + + Visual Studio builds: Enhance security of x64 binaries. + + win32/replace.py: Fix replacing items in files with UTF-8 + content. + + tknzr: support only max long rgb values. + + input: check end of input before reading a byte. +- Drop upstream fixed patches: + + libcroco-fix-CVE-2017-7960.patch. + + libcroco-fix-CVE-2017-7961.patch. +- Stop exporting -fno-strict-aliasing" to configure, no longer + needed. +- Update URL to new gitlab home. + +------------------------------------------------------------------- +Wed Feb 28 16:34:08 UTC 2018 - [email protected] + +- Modernize spec-file by calling spec-cleaner + +------------------------------------------------------------------- Old: ---- libcroco-0.6.12.tar.xz libcroco-fix-CVE-2017-7960.patch libcroco-fix-CVE-2017-7961.patch New: ---- libcroco-0.6.13.tar.xz libcroco-CVE-2017-8834.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libcroco.spec ++++++ --- /var/tmp/diff_new_pack.foWaSb/_old 2020-03-06 12:37:12.870609022 +0100 +++ /var/tmp/diff_new_pack.foWaSb/_new 2020-03-06 12:37:12.870609022 +0100 
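Review bot: the 0.6.13 changes entry has a stray closing quote in `-fno-strict-aliasing"` (no opening quote); drop it so the entry reads `-fno-strict-aliasing`. The top entry also attributes libcroco-CVE-2017-8834.patch to both CVE-2017-8834 and CVE-2017-8871 while the spec's PATCH-FIX-UPSTREAM tag lists only the two boo# numbers; keeping both ids in both places makes the security audit trail consistent.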
@@ -1,7 +1,7 @@ # # spec file for package libcroco # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,31 +12,25 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Name: libcroco -Version: 0.6.12 +Version: 0.6.13 Release: 0 Summary: CSS2 Parser Library -License: LGPL-2.1 +License: LGPL-2.1-only Group: Development/Libraries/C and C++ -Url: http://www.freespiders.org/projects/libcroco/ -Source: http://download.gnome.org/sources/libcroco/0.6/%{name}-%{version}.tar.xz +URL: https://gitlab.gnome.org/GNOME/libcroco +Source: https://download.gnome.org/sources/libcroco/0.6/%{name}-%{version}.tar.xz Source99: baselibs.conf -# PATCH-FIX-UPSTREAM libcroco-fix-CVE-2017-7960.patch boo#1034481 [email protected] -- Fix CVE-2017-7960 -Patch0: libcroco-fix-CVE-2017-7960.patch -# PATCH-FIX-UPSTREAM libcroco-fix-CVE-2017-7961.patch boo#1034482 [email protected] -- Fix CVE-2017-7961 -Patch1: libcroco-fix-CVE-2017-7961.patch + +# PATCH-FIX-UPSTREAM libcroco-CVE-2017-8834.patch boo#1043898 boo#1043899 [email protected] -- fix infinite loop on invalid UTF-8. +Patch0: libcroco-CVE-2017-8834.patch +BuildRequires: pkgconfig BuildRequires: pkgconfig(glib-2.0) >= 2.0 BuildRequires: pkgconfig(libxml-2.0) >= 2.4.23 -# bug437293 -%ifarch ppc64 -Obsoletes: libcroco-64bit -%endif -# -BuildRoot: %{_tmppath}/%{name}-%{version}-build %description Libcroco is a stand-alone CSS2 parsing library. It provides a low-level @@ -49,7 +43,6 @@ %ifarch ppc64 Obsoletes: libcroco-64bit %endif -# %description 0_6-3 Libcroco is a stand-alone CSS2 parsing library. It provides a low-level 
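Review bot: the `# PATCH-FIX-UPSTREAM libcroco-CVE-2017-8834.patch boo#1043898 boo#1043899 ...` tag should also name CVE-2017-8834 and CVE-2017-8871, which the changes entry assigns to this patch, so that a CVE search of the spec finds it. Dropping the top-level `%ifarch ppc64 / Obsoletes: libcroco-64bit` block is fine because the same Obsoletes is kept on the 0_6-3 subpackage in the following hunk; the BuildRoot and `bug437293` comment removals are consistent with the spec-cleaner run noted in the changes.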
@@ -59,46 +52,36 @@ Summary: CSS2 Parser Library Development Files Group: Development/Libraries/C and C++ Requires: %{name} = %{version} -# bug437293 -%ifarch ppc64 -Obsoletes: libcroco-devel-64bit -%endif -# %description devel Libcroco is a stand-alone CSS2 parsing library. It provides a low-level event-driven SAC-like API and a CSS object model like API. %prep -%setup -q -%patch0 -p1 -%patch1 -p1 +%autosetup -p1 %build -# needed for libcroco-0.6.1: -export CFLAGS="%{optflags} -fno-strict-aliasing" -%configure --disable-static -make %{?_smp_mflags} +%configure \ + --disable-static \ + %{nil} +%make_build %install %make_install -rm -f %{buildroot}%{_libdir}/*.la +find %{buildroot} -type f -name "*.la" -delete -print %post 0_6-3 -p /sbin/ldconfig - %postun 0_6-3 -p /sbin/ldconfig %files -%defattr (-, root, root) -%doc AUTHORS COPYING COPYING.LIB ChangeLog HACKING NEWS README TODO +%license COPYING +%doc AUTHORS ChangeLog HACKING NEWS README TODO %{_bindir}/csslint-0.6 %files 0_6-3 -%defattr (-, root, root) %{_libdir}/*.so.* %files devel -%defattr (-, root, root) %doc %{_datadir}/gtk-doc/html/libcroco/ %{_bindir}/*-config %{_includedir}/* ++++++ libcroco-0.6.12.tar.xz -> libcroco-0.6.13.tar.xz ++++++ ++++ 10602 lines of diff (skipped) ++++++ libcroco-CVE-2017-8834.patch ++++++ >From deda38539f5b25616aa294d8b19d33ebf8e175ff Mon Sep 17 00:00:00 2001 From: Mike Gorse <[email protected]> Date: Thu, 2 May 2019 10:54:43 -0500 Subject: [PATCH] cr_utils_read_char_from_utf8_buf: move past invalid UTF-8 Otherwise, the offending character is never consumed, possibly leading to an infinite loop. https://bugzilla.gnome.org/show_bug.cgi?id=782647 --- src/cr-utils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/cr-utils.c b/src/cr-utils.c index 2420cec..6cf4849 100644 --- a/src/cr-utils.c +++ b/src/cr-utils.c @@ -505,6 +505,7 @@ cr_utils_read_char_from_utf8_buf (const guchar * a_in, } else { /*BAD ENCODING */ + nb_bytes_2_decode = 1; goto end; } -- 2.20.1
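Review bot: the %files change moves COPYING to %license but drops COPYING.LIB from the package entirely, in the same submission that tightens License to LGPL-2.1-only; if COPYING.LIB is the LGPL text that upstream ships, it belongs under %license (e.g. `%license COPYING COPYING.LIB`), so confirm which file carries the LGPL text before removing it. `%autosetup -p1` correctly replaces `%setup -q` plus the two `%patch` lines now that Patch1 is gone, and `find %{buildroot} -type f -name "*.la" -delete -print` is a sound replacement for the `rm -f` of libtool archives.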
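Review bot: the fix sets `nb_bytes_2_decode = 1` only in the `/*BAD ENCODING */` branch shown, so the other early-exit paths of cr_utils_read_char_from_utf8_buf (not in this hunk) should be checked for the same zero-progress outcome, and it should be confirmed that the `end:` label hands the count back to the caller and that the return status still signals an error so the skipped byte is not passed on as a decoded character. A regression test feeding a stray continuation byte (0x80) and a truncated lead byte at end of input would pin the behaviour down; the patch header references bgo#782647 only, so cross-check that both CVE ids named in the changes entry are covered by this one change.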
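Constructed C illustration of the progress bug the commit message describes (added here, not libcroco's code): a reader that reports zero consumed bytes on a bad sequence pins the caller at the same offset, and the one-byte advance in the patch is what breaks the loop. The function names, the consume_bad switch and the bounded-step scan are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration of the bug class fixed by the patch above, not
 * libcroco's code. Decodes one code point; returns 1 on success, 0 on bad
 * encoding; *nb_bytes (nb_bytes_2_decode in the patch) is how far to advance. */
static int read_utf8_char(const uint8_t *in, size_t len, int consume_bad,
                          uint32_t *cp, size_t *nb_bytes)
{
    size_t need, i;
    *nb_bytes = 0;
    if (len == 0) return 0;
    if (in[0] < 0x80)                { need = 1; *cp = in[0]; }
    else if ((in[0] & 0xE0) == 0xC0) { need = 2; *cp = in[0] & 0x1F; }
    else if ((in[0] & 0xF0) == 0xE0) { need = 3; *cp = in[0] & 0x0F; }
    else if ((in[0] & 0xF8) == 0xF0) { need = 4; *cp = in[0] & 0x07; }
    else {
        /* BAD ENCODING (stray continuation or 0xF8..0xFF lead byte): before
         * the fix nothing is consumed; the fix sets the count to 1 here. */
        if (consume_bad) *nb_bytes = 1;
        return 0;
    }
    for (i = 1; i < need; i++) {
        if (i >= len || (in[i] & 0xC0) != 0x80) {   /* truncated or bad tail */
            if (consume_bad) *nb_bytes = 1;
            return 0;
        }
        *cp = (*cp << 6) | (in[i] & 0x3F);
    }
    *nb_bytes = need;
    return 1;
}

/* Walks a buffer the way a tokenizer would. Returns the number of bad sequences
 * skipped, or -1 if no progress was made within max_steps (the infinite loop). */
static long scan_buffer(const uint8_t *buf, size_t len, int consume_bad,
                        unsigned max_steps)
{
    size_t pos = 0, nb; uint32_t cp = 0;
    long bad = 0; unsigned steps = 0;
    while (pos < len) {
        if (++steps > max_steps)
            return -1;          /* stuck: pos never moved past the bad byte */
        if (!read_utf8_char(buf + pos, len - pos, consume_bad, &cp, &nb))
            bad++;
        pos += nb;
    }
    return bad;
}
```

With consume_bad set to 0 the scan of `"a\x80b"` never advances past the 0x80 byte; with it set to 1 the byte is counted as one bad sequence and parsing continues.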
