From 8c7a30700c6ef78544e9f07604fd0b46def5c614 Mon Sep 17 00:00:00 2001
From: tigro
Date: Wed, 25 Dec 2024 21:23:37 +0300
Subject: [PATCH] import tinyxml-2.6.2-30.el10
---
 .gitignore | 1 +
 .tinyxml.metadata | 1 +
 SOURCES/CVE-2021-42260.patch | 23 ++++
 SOURCES/CVE-2023-34194.patch | 28 +++++
 SOURCES/tinyxml-2.5.3-stl.patch | 12 ++
 SOURCES/tinyxml-issue51.patch | 55 ++++++++
 SOURCES/tinyxml.pc.in | 10 ++
 SPECS/tinyxml.spec | 216 ++++++++++++++++++++++++++++++++
 8 files changed, 346 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 .tinyxml.metadata
 create mode 100644 SOURCES/CVE-2021-42260.patch
 create mode 100644 SOURCES/CVE-2023-34194.patch
 create mode 100644 SOURCES/tinyxml-2.5.3-stl.patch
 create mode 100644 SOURCES/tinyxml-issue51.patch
 create mode 100644 SOURCES/tinyxml.pc.in
 create mode 100644 SPECS/tinyxml.spec
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5b31211
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/tinyxml_2_6_2.tar.gz
diff --git a/.tinyxml.metadata b/.tinyxml.metadata
new file mode 100644
index 0000000..50c5ee5
--- /dev/null
+++ b/.tinyxml.metadata
@@ -0,0 +1 @@
+cba3f50dd657cb1434674a03b21394df9913d764 SOURCES/tinyxml_2_6_2.tar.gz
diff --git a/SOURCES/CVE-2021-42260.patch b/SOURCES/CVE-2021-42260.patch
new file mode 100644
index 0000000..d9eeb45
--- /dev/null
+++ b/SOURCES/CVE-2021-42260.patch
@@ -0,0 +1,23 @@
+Description: In stamp always advance the pointer if *p= 0xef
+ .
+ The current implementation only advanced if 0xef is followed
+ by two non-zero bytes. In case of malformed input (0xef should be
+ the start byte of a three byte character) this leads to an infinite
+ loop. (CVE-2021-42260)
+Origin: https://sourceforge.net/p/tinyxml/git/merge-requests/1/
+
+--- a/tinyxmlparser.cpp
++++ b/tinyxmlparser.cpp
+@@ -274,6 +274,12 @@ void TiXmlParsingData::Stamp( const char* now, TiXmlEncoding encoding )
+ else
+ { p +=3; ++col; } // A normal character.
+ }
++ else
++ {
++ // TIXML_UTF_LEAD_0 (239) is the start character of a 3 byte sequence, so
++ // there is something wrong here. Just advance the pointer to evade infinite loops
++ ++p;
++ }
+ }
+ else
+ {
diff --git a/SOURCES/CVE-2023-34194.patch b/SOURCES/CVE-2023-34194.patch
new file mode 100644
index 0000000..dee0aa1
--- /dev/null
+++ b/SOURCES/CVE-2023-34194.patch
@@ -0,0 +1,28 @@
+From: Guilhem Moulin
+Date: Sat, 30 Dec 2023 14:15:54 +0100
+Subject: Avoid reachable assertion via crafted XML document with a '\0'
+ located after whitespace
+
+Bug: https://www.forescout.com/resources/sierra21-vulnerabilities
+Bug-Debian: https://bugs.debian.org/1059315
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-34194
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2023-40462
+---
+ tinyxmlparser.cpp | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tinyxmlparser.cpp b/tinyxmlparser.cpp
+index 8aa0dfa..1601962 100644
+--- a/tinyxmlparser.cpp
++++ b/tinyxmlparser.cpp
+@@ -1606,6 +1606,10 @@ const char* TiXmlDeclaration::Parse( const char* p, TiXmlParsingData* data, TiXm
+ }
+
+ p = SkipWhiteSpace( p, _encoding );
++ if ( !p || !*p )
++ {
++ break;
++ }
+ if ( StringEqual( p, "version", true, _encoding ) )
+ {
+ TiXmlAttribute attrib;
diff --git a/SOURCES/tinyxml-2.5.3-stl.patch b/SOURCES/tinyxml-2.5.3-stl.patch
new file mode 100644
index 0000000..7bcde59
--- /dev/null
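Review bot: Neither `CVE-2021-42260.patch` nor `CVE-2023-34194.patch` adds a regression case to `xmltest.cpp`, even though this import runs `xmltest` in `%check` and `tinyxml-issue51.patch` already extends that file for its own fix. One case per CVE, each feeding the malformed input class named in the patch description (a `0xef` lead byte without its two continuation bytes, and a declaration that ends right after whitespace) and checking that parsing terminates, would make `%check` fail if either patch is dropped or mis-rebased. The added branch in `TiXmlParsingData::Stamp` also advances `p` without touching `col`, unlike the `{ p +=3; ++col; }` line just above it; if that is intentional, a comment such as `// malformed lead byte: skip it, column left unchanged` would record it. Both patched functions start and end outside their hunks.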
+++ b/SOURCES/tinyxml-2.5.3-stl.patch
@@ -0,0 +1,12 @@
+diff -up tinyxml/tinyxml.h~ tinyxml/tinyxml.h
+--- tinyxml/tinyxml.h~ 2007-11-30 22:39:36.000000000 +0100
++++ tinyxml/tinyxml.h 2007-11-30 22:39:36.000000000 +0100
+@@ -26,6 +26,8 @@ distribution.
+ #ifndef TINYXML_INCLUDED
+ #define TINYXML_INCLUDED
+
++#define TIXML_USE_STL 1
++
+ #ifdef _MSC_VER
+ #pragma warning( push )
+ #pragma warning( disable : 4530 )
diff --git a/SOURCES/tinyxml-issue51.patch b/SOURCES/tinyxml-issue51.patch
new file mode 100644
index 0000000..f6eed91
--- /dev/null
+++ b/SOURCES/tinyxml-issue51.patch
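Review bot: The unconditional `#define TIXML_USE_STL 1` added to `tinyxml.h` disagrees with the `-DTIXML_USE_STL=YES` that `tinyxml.pc.in` passes to consumers, so the same macro gets two different replacement texts. Where the header is not picked up as a system header this is reported as a macro redefinition, which breaks consumers that build with warnings as errors. Since the header define already puts every consumer on the STL variant the library itself is compiled with, either guard it (`#ifndef TIXML_USE_STL` / `#define TIXML_USE_STL 1` / `#endif`) or drop `-DTIXML_USE_STL=YES` from `Cflags`.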
@@ -0,0 +1,55 @@
+diff -up tinyxml/tinyxml.cpp.orig tinyxml/tinyxml.cpp
+--- tinyxml/tinyxml.cpp.orig 2011-05-15 04:24:57.000000000 +0200
++++ tinyxml/tinyxml.cpp 2024-01-03 14:55:14.246379618 +0100
+@@ -57,30 +57,7 @@ void TiXmlBase::EncodeString( const TIXM
+ {
+ unsigned char c = (unsigned char) str[i];
+
+- if ( c == '&'
+- && i < ( (int)str.length() - 2 )
+- && str[i+1] == '#'
+- && str[i+2] == 'x' )
+- {
+- // Hexadecimal character reference.
+- // Pass through unchanged.
+- // © -- copyright symbol, for example.
+- //
+- // The -1 is a bug fix from Rob Laveaux. It keeps
+- // an overflow from happening if there is no ';'.
+- // There are actually 2 ways to exit this loop -
+- // while fails (error case) and break (semicolon found).
+- // However, there is no mechanism (currently) for
+- // this function to return an error.
+- while ( i<(int)str.length()-1 )
+- {
+- outString->append( str.c_str() + i, 1 );
+- ++i;
+- if ( str[i] == ';' )
+- break;
+- }
+- }
+- else if ( c == '&' )
++ if ( c == '&' )
+ {
+ outString->append( entity[0].str, entity[0].strLength );
+ ++i;
+diff -up tinyxml/xmltest.cpp.orig tinyxml/xmltest.cpp
+--- tinyxml/xmltest.cpp.orig 2011-05-15 04:24:57.000000000 +0200
++++ tinyxml/xmltest.cpp 2024-01-03 14:55:14.247379623 +0100
+@@ -1366,6 +1366,16 @@ int main()
+ }*/
+ }
+
++ #ifdef TIXML_USE_STL
++ {
++ TiXmlDocument xml;
++ xml.Parse("foo&#xa+bar");
++ std::string str;
++ str << xml;
++ XmlTest( "Entity escaping", "foo&#xa+bar", str.c_str() );
++ }
++ #endif
++
+ /* 1417717 experiment
+ {
+ TiXmlDocument xml;
diff --git a/SOURCES/tinyxml.pc.in b/SOURCES/tinyxml.pc.in
new file mode 100644
index 0000000..9af2098
--- /dev/null
+++ b/SOURCES/tinyxml.pc.in
@@ -0,0 +1,10 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: TinyXML
+Description: A simple, small, C++ XML parser
+Version: @version@
+Libs: -L${libdir} -ltinyxml
+Cflags: -I${includedir} -DTIXML_USE_STL=YES
diff --git a/SPECS/tinyxml.spec b/SPECS/tinyxml.spec
new file mode 100644
index 0000000..52159f7
--- /dev/null
+++ b/SPECS/tinyxml.spec
@@ -0,0 +1,216 @@
+%global _hardened_build 1
+
+%define underscore_version 2_6_2
+
+Name: tinyxml
+Version: 2.6.2
+Release: 30%{?dist}
+Summary: A simple, small, C++ XML parser
+License: zlib
+URL: http://www.grinninglizard.com/tinyxml/
+Source0: http://downloads.sourceforge.net/%{name}/%{name}_%{underscore_version}.tar.gz
+Source1: tinyxml.pc.in
+Patch0: tinyxml-2.5.3-stl.patch
+# https://sourceforge.net/p/tinyxml/patches/_discuss/thread/fa2235db/f16d/attachment/entity.patch
+Patch1: tinyxml-issue51.patch
+Patch2: https://sources.debian.org/data/main/t/tinyxml/2.6.2-6.1/debian/patches/CVE-2021-42260.patch
+Patch3: https://sources.debian.org/data/main/t/tinyxml/2.6.2-6.1/debian/patches/CVE-2023-34194.patch
+
+BuildRequires: gcc-c++
+
+%description
+TinyXML is a simple, small, C++ XML parser that can be easily integrating
+into other programs. Have you ever found yourself writing a text file parser
+every time you needed to save human readable data or serialize objects?
+TinyXML solves the text I/O file once and for all.
+(Or, as a friend said, ends the Just Another Text File Parser problem.)
+
+
+%package devel
+Summary: Development files for %{name}
+Requires: %{name} = %{version}-%{release}
+
+%description devel
+The %{name}-devel package contains libraries and header files for
+developing applications that use %{name}.
+
+
+%prep
+%autosetup -p1 -n %{name}
+
+
+%build
+%{set_build_flags}
+mv changes.txt changes.txt-orig
+iconv -f ISO-8859-1 -t UTF-8 changes.txt-orig > changes.txt
+rm -f changes.txt-orig
+# Not really designed to be build as lib, DYI
+for i in tinyxml.cpp tinystr.cpp tinyxmlerror.cpp tinyxmlparser.cpp; do
+ ${CXX} $RPM_OPT_FLAGS -fPIC -o $i.o -c $i
+done
+${CXX} $RPM_LD_FLAGS -shared -o lib%{name}.so.0.%{version} \
+ -Wl,-soname,lib%{name}.so.0 *.cpp.o
+
+
+%install
+rm -rf $RPM_BUILD_ROOT
+# Not really designed to be build as lib, DYI
+mkdir -p $RPM_BUILD_ROOT%{_libdir}
+mkdir -p $RPM_BUILD_ROOT%{_includedir}
+install -m 755 lib%{name}.so.0.%{version} $RPM_BUILD_ROOT%{_libdir}
+ln -s lib%{name}.so.0.%{version} $RPM_BUILD_ROOT%{_libdir}/lib%{name}.so.0
+ln -s lib%{name}.so.0.%{version} $RPM_BUILD_ROOT%{_libdir}/lib%{name}.so
+install -p -m 644 %{name}.h $RPM_BUILD_ROOT%{_includedir}
+
+mkdir -p %{buildroot}%{_libdir}/pkgconfig
+sed -e 's![@]prefix[@]!%{_prefix}!g' \
+ -e 's![@]exec_prefix[@]!%{_exec_prefix}!g' \
+ -e 's![@]libdir[@]!%{_libdir}!g' \
+ -e 's![@]includedir[@]!%{_includedir}!g' \
+ -e 's![@]version[@]!%{version}!g' \
+ %{SOURCE1} > %{buildroot}%{_libdir}/pkgconfig/%{name}.pc
+
+
+%check
+%{set_build_flags}
+${CXX} $RPM_OPT_FLAGS -DTIXML_USE_STL -fPIE -ltinyxml -L%{buildroot}%{_libdir} -o xmltest xmltest.cpp
+chmod +x xmltest
+LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./xmltest
+
+
+%files
+%doc changes.txt readme.txt
+%{_libdir}/*.so.*
+
+%files devel
+%doc docs/*
+%{_includedir}/*
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/%{name}.pc
+
+
+%changelog
+* Wed Dec 25 2024 Arkady L.
Shane - 2.6.2-30
+- Rebuilt for MSVSphere 10
+
+* Sat Jul 20 2024 Fedora Release Engineering - 2.6.2-30
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Sat Jan 27 2024 Fedora Release Engineering - 2.6.2-29
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Wed Jan 03 2024 Dominik Mierzejewski - 2.6.2-28
+- apply Debian patch to fix CVE-2021-42260 (rhbz#2253716, rhbz#2253718)
+- apply Debian patch to fix CVE-2023-34194 and its duplicate, CVE-2023-40462
+ (rhbz#2254376, rhbz#2254381)
+- fix incorrect text element encoding (upstream isssue #51)
+- compile and run tests
+
+* Sat Jul 22 2023 Fedora Release Engineering - 2.6.2-27
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Sat Jan 21 2023 Fedora Release Engineering - 2.6.2-26
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Sat Jul 23 2022 Fedora Release Engineering - 2.6.2-25
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Sat Jan 22 2022 Fedora Release Engineering - 2.6.2-24
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Fri Jul 23 2021 Fedora Release Engineering - 2.6.2-23
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Wed Jan 27 2021 Fedora Release Engineering - 2.6.2-22
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jul 29 2020 Fedora Release Engineering - 2.6.2-21
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Fri Jan 31 2020 Fedora Release Engineering - 2.6.2-20
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Jul 27 2019 Fedora Release Engineering - 2.6.2-19
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering - 2.6.2-18
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sat Jul 14 2018 Fedora Release Engineering - 2.6.2-17
+- Rebuilt for
https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Feb 23 2018 Florian Weimer - 2.6.2-16
+- Use LDFLAGS from redhat-rpm-config
+
+* Fri Feb 09 2018 Fedora Release Engineering - 2.6.2-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Aug 03 2017 Fedora Release Engineering - 2.6.2-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering - 2.6.2-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sat Feb 11 2017 Fedora Release Engineering - 2.6.2-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Feb 05 2016 Fedora Release Engineering - 2.6.2-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Fri Jun 19 2015 Fedora Release Engineering - 2.6.2-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Sat May 02 2015 Kalev Lember - 2.6.2-9
+- Rebuilt for GCC 5 C++11 ABI change
+
+* Thu Mar 26 2015 Kalev Lember - 2.6.2-8
+- Rebuilt for GCC 5 ABI change
+
+* Fri Jan 09 2015 François Cami - 2.6.2-7
+- Use PIC.
+
+* Mon Aug 18 2014 Fedora Release Engineering - 2.6.2-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sun Jun 08 2014 Fedora Release Engineering - 2.6.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Fri Apr 04 2014 Scott K Logan - 2.6.2-4
+- Fix wrong pkgconfig path
+
+* Sat Mar 01 2014 Scott K Logan - 2.6.2-3
+- Add basic pkgconfig
+
+* Sun Aug 04 2013 Fedora Release Engineering - 2.6.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Thu Jan 17 2013 François Cami - 2.6.2-1
+- Update to 2.6.2
+- Fix changes.txt encoding
+
+* Sat Jul 21 2012 Fedora Release Engineering - 2.6.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sat Jan 14 2012 Fedora Release Engineering - 2.6.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Wed Feb 09 2011 Fedora Release Engineering - 2.6.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Mon May 03 2010 Rakesh Pandit - 2.6.1-1
+- Updated to 2.6.1
+
+* Sun Jul 26 2009 Fedora Release Engineering - 2.5.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Feb 25 2009 Fedora Release Engineering - 2.5.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Tue Feb 19 2008 Fedora Release Engineering - 2.5.3-3
+- Autorebuild for GCC 4.3
+
+* Fri Dec 14 2007 Hans de Goede 2.5.3-2
+- Various improvements from review (bz 407571)
+
+* Fri Nov 30 2007 Hans de Goede 2.5.3-1
+- Initial Fedora Package
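Review bot: `Source0` (and `URL`) near the top of the spec use plain `http://`, so anyone re-fetching the tarball from the spec, for example with a source-download helper, gets no transport integrity, and the only pin visible in this commit is the 40-hex-digit digest in `.tinyxml.metadata`, which is the length of a SHA-1. If the host serves the same path over TLS, `Source0: https://downloads.sourceforge.net/%{name}/%{name}_%{underscore_version}.tar.gz` is a one-line change. Recording a stronger digest for the tarball, where the build tooling accepts one, would remove the reliance on SHA-1 for a package whose whole purpose in this import is to carry security fixes.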