From 0947457fd1d8f1f808bdea048fddc7c000999680 Mon Sep 17 00:00:00 2001
From: Tomas Korbar
Date: Tue, 26 Apr 2022 10:34:22 +0200
Subject: [PATCH] Rebase to version 2.4.7
Resolves: rhbz#2067201
Resolves: CVE-2022-25313
Resolves: CVE-2022-25314
Resolves: CVE-2022-25236
---
 .gitignore | 1 +
 expat.spec | 30 +++++++++++------------------
 sources | 2 +-
 3 files changed, 13 insertions(+), 20 deletions(-)
diff --git a/.gitignore b/.gitignore
index 85b23c3..df84f0e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,4 @@ expat-2.0.1.tar.gz
 /expat-2.2.7.tar.gz
 /expat-2.2.8.tar.gz
 /expat-2.2.10.tar.gz
+/expat-2.4.7.tar.gz
diff --git a/expat.spec b/expat.spec
index a516d10..634e9b0 100644
--- a/expat.spec
+++ b/expat.spec
@@ -1,22 +1,14 @@
-%global unversion 2_2_10
+%global unversion 2_4_7
 Summary: An XML parser library
 Name: expat
 Version: %(echo %{unversion} | sed 's/_/./g')
-Release: 11%{?dist}
+Release: 1%{?dist}
 Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
 URL: https://libexpat.github.io/
 License: MIT
 BuildRequires: autoconf, libtool, xmlto, gcc-c++
 BuildRequires: make
-Patch0: expat-2.2.10-prevent-integer-overflow-in-doProlog.patch
-Patch1: expat-2.2.10-Prevent-more-integer-overflows.patch
-Patch2: expat-2.2.10-Prevent-integer-overflow-on-m_groupSize-in-function.patch
-Patch3: expat-2.2.10-Detect-and-prevent-troublesome-left-shifts.patch
-Patch4: expat-2.2.10-Detect-and-prevent-integer-overflow-in-XML_GetBuffer.patch
-Patch5: expat-2.2.10-Protect-against-malicious-namespace-declarations.patch
-Patch6: expat-2.2.10-Add-missing-validation-of-encoding.patch
-Patch7: expat-2.2.10-Prevent-integer-overflow-in-storeRawNames.patch
 %description
 This is expat, the C library for parsing XML, written by James Clark. Expat
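Review bot: Patch0 to Patch7 are removed in this hunk (and their `%patchN` applications in the `%prep` hunk that follows) without the spec or the new changelog entry recording that those fixes are contained in the rebased source. The added changelog entry names only CVE-2022-25313, CVE-2022-25314 and CVE-2022-25236, while the dropped backports were tagged for CVE-2022-23990, CVE-2022-22822 to CVE-2022-22827, CVE-2021-46143, CVE-2021-45960, CVE-2022-23852, CVE-2022-25235 and CVE-2022-25315; presumably all of these are part of upstream 2.4.7, but that should be confirmed against the upstream change log rather than assumed. I would add a changelog line such as `- Drop downstream CVE backports (Patch0-Patch7), included in upstream 2.4.7` so that a later audit does not read the removal as a regression.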
@@ -44,14 +36,6 @@ Install it if you need to link statically with expat.
 %prep
 %setup -q -n libexpat-R_%{unversion}/expat
-%patch0 -p1 -b .CVE-2022-23990
-%patch1 -p1 -b .CVE-2022-22822-CVE-2022-22827
-%patch2 -p1 -b .CVE-2021-46143
-%patch3 -p1 -b .CVE-2021-45960
-%patch4 -p1 -b .CVE-2022-23852
-%patch5 -p1 -b .CVE-2022-25236
-%patch6 -p1 -b .CVE-2022-25235
-%patch7 -p1 -b .CVE-2022-25315
 sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
 ./buildconf.sh
@@ -80,15 +64,23 @@ make check
 %{_mandir}/*/*
 %files devel
-%doc doc/reference.html doc/*.png doc/*.css examples/*.c
+%doc doc/reference.html doc/*.css examples/*.c
 %{_libdir}/lib*.so
 %{_libdir}/pkgconfig/*.pc
 %{_includedir}/*.h
+%{_libdir}/cmake/expat-%{version}
 %files static
 %{_libdir}/lib*.a
 %changelog
+* Tue Apr 26 2022 Tomas Korbar - 2.4.7-1
+- Rebase to version 2.4.7
+- Resolves: rhbz#2067201
+- Resolves: CVE-2022-25313
+- Resolves: CVE-2022-25314
+- Resolves: CVE-2022-25236
+
 * Mon Mar 14 2022 Tomas Korbar - 2.2.10-11
 - Improve fix for CVE-2022-25236
 - Related: CVE-2022-25236
diff --git a/sources b/sources
index 62223a7..b6f13dc 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (expat-2.2.10.tar.gz) = 5f2d00ead20139aae89910cc08246cf15f7562af2a4fe1b37ebe4c1500a71d9f0a655ebc43f10164ac846be3186ff43f2b94287b18d2a3af882cbd0a1de41a36
+SHA512 (expat-2.4.7.tar.gz) = 91bc9792c4ba1d0ad835f633d8cfa62130692f48308eea8932ec5e13a01542120561b0f255b4adc58b1adae6f83632cbabf428b5b5c0d2ac6de542478a951232