diff --git a/expat-1.95.8-CVE-2009-3560.patch b/expat-1.95.8-CVE-2009-3560.patch new file mode 100644 index 0000000..406c9c5 --- /dev/null +++ b/expat-1.95.8-CVE-2009-3560.patch @@ -0,0 +1,13 @@ + +http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmlparse.c?r1=1.164&r2=1.165 + +--- expat-1.95.8/lib/xmlparse.c.cve3560 ++++ expat-1.95.8/lib/xmlparse.c +@@ -3637,7 +3637,6 @@ doProlog(XML_Parser parser, + return XML_ERROR_NO_ELEMENTS; + default: + tok = -tok; +- next = end; + break; + } + } diff --git a/expat-1.95.8-CVE-2009-3720.patch b/expat-1.95.8-CVE-2009-3720.patch new file mode 100644 index 0000000..4893e7f --- /dev/null +++ b/expat-1.95.8-CVE-2009-3720.patch @@ -0,0 +1,11 @@ +--- expat-1.95.8/lib/xmltok_impl.c.cve3720 ++++ expat-1.95.8/lib/xmltok_impl.c +@@ -1741,7 +1741,7 @@ PREFIX(updatePosition)(const ENCODING *e + const char *end, + POSITION *pos) + { +- while (ptr != end) { ++ while (ptr < end) { + switch (BYTE_TYPE(enc, ptr)) { + #define LEAD_CASE(n) \ + case BT_LEAD ## n: \ diff --git a/expat-2.0.1-confcxx.patch b/expat-2.0.1-confcxx.patch new file mode 100644 index 0000000..8b924e0 --- /dev/null +++ b/expat-2.0.1-confcxx.patch @@ -0,0 +1,13 @@ + +Configure for C++ too so the testsuite works. + +--- expat-2.0.1/configure.in.confcxx ++++ expat-2.0.1/configure.in +@@ -62,6 +62,7 @@ AC_SUBST(LIBAGE) + + dnl Checks for programs. + AC_PROG_CC ++AC_PROG_CXX + AC_PROG_INSTALL + + if test "$GCC" = yes ; then diff --git a/expat.spec b/expat.spec index d68e6fb..1f11b6f 100644 --- a/expat.spec +++ b/expat.spec @@ -1,13 +1,16 @@ Summary: An XML parser library Name: expat Version: 2.0.1 -Release: 7 +Release: 8%{?dist} Group: System Environment/Libraries Source: http://download.sourceforge.net/expat/expat-%{version}.tar.gz +Patch1: expat-2.0.1-confcxx.patch +Patch2: expat-1.95.8-CVE-2009-3560.patch +Patch3: expat-1.95.8-CVE-2009-3720.patch URL: http://www.libexpat.org/ License: MIT BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -BuildRequires: autoconf, automake, libtool +BuildRequires: autoconf, automake, libtool, check-devel %description This is expat, the C library for parsing XML, written by James Clark. Expat @@ -28,10 +31,13 @@ to develop XML applications with expat. %prep %setup -q +%patch1 -p1 -b .confcxx +%patch2 -p1 -b .cve3560 +%patch3 -p1 -b .cve3720 %build rm -rf autom4te*.cache -cp `aclocal --print-ac-dir`/libtool.m4 conftools || exit 1 +rm conftools/libtool.m4 libtoolize --copy --force --automake && aclocal && autoheader && autoconf export CFLAGS="$RPM_OPT_FLAGS -fPIC" %configure --libdir=/%{_lib} @@ -53,6 +59,9 @@ rm -f $RPM_BUILD_ROOT/%{_lib}/libexpat.la lib=`echo $RPM_BUILD_ROOT/%{_lib}/libexpat.so.*.*` ln -sf ../../%{_lib}/`basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/libexpat.so +%check +make check + %clean rm -rf ${RPM_BUILD_ROOT} @@ -74,6 +83,11 @@ rm -rf ${RPM_BUILD_ROOT} %{_includedir}/*.h %changelog +* Tue Dec 1 2009 Joe Orton - 2.0.1-8 +- add security fix for CVE-2009-3560 (#533174) +- add security fix for CVE-2009-3720 (#531697) +- run the test suite + * Fri Jul 24 2009 Fedora Release Engineering - 2.0.1-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild