File libplist.changes of Package libplist.27937
-------------------------------------------------------------------
Thu Feb 23 08:23:13 UTC 2023 - Xiaoguang Wang <xiaoguang.wang@suse.com>
- Add libplist-CVE-2015-10082.patch: Fix limited but possible XXE
security vulnerability with XML plists
(bsc#1208546 CVE-2015-10082).
-------------------------------------------------------------------
Tue Jul 25 17:12:11 UTC 2017 - mgorse@suse.com
- Add libplist-boo1029707-base64-invalid-read.patch: prevent
undefined shift when parsing invalid base64 encoded data
(boo#1029707 CVE-2017-6437).
-------------------------------------------------------------------
Wed May 3 17:39:06 UTC 2017 - mgorse@suse.com
- Add libplist-boo1035312-overflow-fixes.patch: add some safety
checks, backported from upstream (boo#1035312 CVE-2017-7982).
- Add libplist-boo1029631-32bit.patch: ensure that sanity checks
work on 32-bit platforms, and fix data range checks (boo#1029631
boo#1029638 boo#1029706 boo#1029751 CVE-2017-6440 CVE-2017-6439
CVE-2017-6438 CVE-2017-6436).
-------------------------------------------------------------------
Tue Feb 7 12:13:33 UTC 2017 - alarrosa@suse.com
- Add patches from upstream to fix a multitude of memory leaks,
out of bound reads and writes and check index ranges:
0001-Fix-possible-crash-in-plist_from_bin-caused-by-access-to-already-freed-memory.patch
0002-Plug-memory-leaks-caused-by-unused-and-unfreed-buffer.patch
0003-Refactor-binary-plist-parsing-in-a-recursive-way.patch
0004-Make-sure-to-compare-the-node-sizes-for-integer-nodes.patch
0005-Change-internal-storage-of-PLIST_DATE-values-from-struct-timeval-to-double.patch
0006-Fix-possible-out-of-bounds-read-in-parse_dict_node-with-proper-bounds-checking.patch
0007-Fix-possible-out-of-bounds-reads-in-parse_bin_node.patch
0008-Make-sure-the-index-in-parse_bin_node_at_index-is-actually-within-the-offset-table.patch
0009-Prevent-out-of-bounds-read-in-plist_from_bin-when-parsing-offset_table.patch
0010-Make-sure-to-error-out-if-allocation-of-used_indexes-buffer-in-plist_from_bin-fails.patch
0011-Disallow-key-nodes-with-non-string-node-types.patch
0012-Prevent-OOB-heap-buffer-read-by-checking-input-size.patch
0013-Improve-UINT_TO_HOST-macro-remove-uint24_from_be-function.patch
0014-Check-for-invalid-offset_size-in-bplist-trailer.patch
0015-Use-proper-struct-for-binary-plist-trailer.patch
0016-Mass-rename-dict_size-and-param_dict_size-to-more-appropiate-ref_size.patch
0017-Fix-possible-out-of-bounds-read-in-parse_array_node-with-proper-bounds-checking.patch
0018-Avoid-heap-buffer-allocation-when-parsing-array-dict-string-data-node-sizes-14.patch
0019-Unify-size-node-parsing-for-data-string-array-dict-nodes.patch
0020-Prevent-OOB-read-when-parsing-data-string-array-dict-size-nodes.patch
0021-Fix-OOB-write-on-heap-buffer-and-improve-recursion-check.patch
0022-Make-sure-node-index-is-smaller-than-number-of-objects.patch
0023-Make-sure-the-offset-table-is-in-the-correct-range.patch
0024-Plug-memory-leak-in-case-parsing-a-dictionary-key-fails.patch
0026-bplist-Improve-real-date-node-de-serialization.patch
0027-bplist-Improve-parsing-unicode-nodes.patch
0029-bplist-Make-sure-to-bail-out-if-malloc-fails-in-pars.patch
(boo#1029639 CVE-2017-6435)
0030-bplist-Make-sure-to-bail-out-if-malloc-fails-in-pars.patch
0031-bplist-Make-sure-to-bail-out-if-malloc-fails-in-pars.patch
0032-bplist-Properly-handle-some-more-malloc-failure-situ.patch
0033-plist-Fix-assert-to-allow-16-or-8-byte-integer-sizes.patch
C0001-Plug-memory-leak-when-converting-PLIST_UID-nodes-to-XML.patch
C0002-Improve-writing-of-array-and-dictionary-nodes.patch
C0003-Improve-writing-of-integer-nodes.patch
C0004-Fix-UID-node-parsing-to-match-Apples-parser.patch
C0005-Improve-writing-of-UID-nodes.patch
C0006-Improve-writing-of-data-string-and-unicode-nodes.patch
C0007-Improve-writing-of-offset-table.patch
- Renamed 0001-Prevent-OOB-heap-buffer-read-by-checking-input-size.patch to
0012-Prevent-OOB-heap-buffer-read-by-checking-input-size.patch to integrate
the patch in the list of patches sorted by date.
- In particular, 0011-Disallow-key-nodes-with-non-string-node-types.patch
fixes a type inconsistency by which a maliciously crafted file could
cause the application to crash (bsc#1023807, CVE-2017-5836).
- 0014-Check-for-invalid-offset_size-in-bplist-trailer.patch fixes a
vulnerability by which a maliciously crafted file could cause libplist
to allocate large amounts of memory and consume lots of CPU
(bsc#1023822, CVE-2017-5835).
- 0017-Fix-possible-out-of-bounds-read-in-parse_array_node-with-proper-bounds-checking.patch
fixes a vulnerability by which a maliciously crafted file could cause
a heap buffer overflow and a segmentation fault (bsc#1023848,
CVE-2017-5834)
- Dropped CVE-2017-5209 and added
B0005-base64-Prevent-buffer-overflow-by-not-decoding-blocks-with-less-than-4-chrs.patch
B0006-Prevent-use-strlen-in-base64decode-when-input-buffer-size-is-known.patch
B0007-base64-Rework-base64decode-to-handle-split-encoded-data.patch
to replace the former. These patches fix the same CVE issue in the
same way but they retain the information of the commits from upstream
that fix it and add another check for a pointer to be inside bounds
(boo#1019531, CVE-2017-5209)
-------------------------------------------------------------------
Tue Jan 31 17:24:19 UTC 2017 - alarrosa@suse.com
- Add 0001-Prevent-OOB-heap-buffer-read-by-checking-input-size.patch
This patch (from upstream, rebased) prevents an OOB heap buffer
read which could allow attackers to obtain sensitive information
from process memory or cause a DoS (bsc#1021610, CVE-2017-5545).
-------------------------------------------------------------------
Wed Jan 25 15:15:51 UTC 2017 - i@marguerite.su
- Fixed CVE-2017-5209 and boo#1019531: The base64decode function
in base64.c allows attackers to obtaiin sensitive info from
process memory or cause a denial of service (buffer over-read)
via split encoded Apple Property List data.
- Added patch CVE-2017-5209.patch
* Rework base64decode to handle spliti encoded data correctly
* The credit goes to Nikias Bassen <nikias@gmx.li>, here's just
a backport of the upstream commit
-------------------------------------------------------------------
Tue Oct 21 22:40:00 UTC 2014 - m.szulecki@libimobiledevice.org
- Enable %check as it is provided by libplist and improves quality
-------------------------------------------------------------------
Fri Oct 17 03:30:00 CEST 2014 - m.szulecki@libimobiledevice.org
- Update to version 1.12
* Fix plist_from_bin() changing value nodes to key nodes in dictionaries
* Avoid exporting non-public symbols
* Prevent crash in plist_from_bin() when parsing unusual binary plists
* Fix crash in String|Key::GetValue() and actually make C++ interface work
* Fix memory leaks in new_xml_plist() and parse_real_node()
* Fix header guards to conform to C++ standard
* Update Cython based Python bindings and remove plist_new_key()
* Fix key nodes not being output correctly if they contained XML entities
* Fix handling and storage of signed vs. unsigned integer values
* Fix date handling to respect the "Mac Epoch" instead of "Unix Epoch"
* Remove plist_set_type() as it should not be used
* Fix deprecated macros to work with older LLVM/Clang
* Fix various shadowed declarations
* Add documentation to explicitly describe memory buffer ownership
* Fix memory leak in plist_from_bin()
* Add various test cases based on fixes
* Fix wrong timezone related date/time conversion of date nodes
* Fix endian detection on MIPS architecture
* Fix parallel build for autotools
-------------------------------------------------------------------
Mon Jun 16 15:29:11 UTC 2014 - i@marguerite.su
- update version 1.11
* Deprecated plist_dict_insert_item() in favor of plist_dict_set_item()
* Updated cython bindings for Python 3.x
* Removed swig python bindings
* Changed build system to autotools
* Added new plist_dict_merge() function
* WIN32 (MinGW) + OSX compilation fixes
* Made base64 decoding thread safe
- remove patch: libplist-1.8-pkgconfig.patch
* upstream fixed
- added plist.pxd, needed by python-imobiledevice build
-------------------------------------------------------------------
Mon Apr 15 12:54:38 UTC 2013 - mmeister@suse.com
- Added url as source.
Please see http://en.opensuse.org/SourceUrls
-------------------------------------------------------------------
Tue Aug 28 15:52:14 UTC 2012 - cfarrell@suse.com
- license update: LGPL-2.1+
LGPL-2.1 can be relicensed to GPL without further permission. No need to
explicitly call out the GPL as a license option. Fedora has been using
LGPL-2.1+ for awhile so gain compatibility there too
-------------------------------------------------------------------
Mon Apr 09 15:45:03 CEST 2012 - opensuse@sukimashita.com
- Allow compilation on 11.4 by disabling cython bindings
-------------------------------------------------------------------
Mon Apr 02 15:54:57 CEST 2012 - opensuse@sukimashita.com
- Update to version 1.8
* Add Cython based Python bindings
* Fix memory corruption in libcnary
* Fix building on Big Endian systems
* Removed glib dependency, libplist now uses bundled libcnary
* Fix building of Python bindings with GCC 4.6
- Do not build SWIG bindings for Python
- Remove gcc46_build_fix.patch due to upstream fixes
- Update pkgconfig patch
-------------------------------------------------------------------
Tue Jan 31 10:50:25 UTC 2012 - jengelh@medozas.de
- Remove redundant tags/sections per specfile guideline suggestions
- Parallel building using %_smp_mflags
-------------------------------------------------------------------
Wed Oct 5 12:24:02 UTC 2011 - uli@suse.com
- cross-build fix: set cmake root, python paths
- cross-build workaround: move installed files from sysroot to
real root
-------------------------------------------------------------------
Tue Jun 28 13:59:00 UTC 2011 - aj@suse.de
- Add baselibs.conf - needed by usbmuxd's baselibs.conf.
-------------------------------------------------------------------
Mon May 16 22:18:07 UTC 2011 - cgiboudeaux@gmx.com
- Add gcc46_build_fix.patch. Fixes build with GCC4.6
-------------------------------------------------------------------
Sun Mar 20 18:17:36 CEST 2011 - opensuse@sukimashita.com
- Update to version 1.4
* New maintainer and source location
* Update AUTHORS from git history
* Fix Unicode writing in binary plists
* Update plist doctype
* Fix Dictionary copy constructor
* Fix Mac OS X library install path detection
* Plug memory leak when writing Unicode data
- Remove pkgconfig patch due to upstream fixes
-------------------------------------------------------------------
Wed Dec 8 21:18:28 UTC 2010 - cristian.rodriguez@opensuse.org
- Fix both -devel package dependencies and broken pkgconfig file
-------------------------------------------------------------------
Tue Apr 27 11:20:20 CEST 2010 - opensuse@sukimashita.com
- Update to version 1.3
* Endianness, alignment and type-punning fixes
* Fix armel floating point endianess
* Allow compiling with mingw on Windows
* Minor bugfixes
-------------------------------------------------------------------
Thu Apr 1 00:17:48 CEST 2010 - vuntz@opensuse.org
- Clean up packaging, based on what I did in multimedia:libs.
-------------------------------------------------------------------
Thu Mar 25 11:14:40 CET 2010 - meissner@suse.de
- run prepare_spec
-------------------------------------------------------------------
Fri Jan 22 01:40:54 CEST 2010 - opensuse@sukimashita.com
- Update to version 1.2
* Fix xml entity conversion
* Silence build warnings
- Remove upstreamed patches
-------------------------------------------------------------------
Sat Jan 09 11:07:34 CEST 2010 - opensuse@sukimashita.com
- Add patches to fix xml entity conversion and tests
-------------------------------------------------------------------
Wed Dec 30 18:33:27 CEST 2009 - opensuse@sukimashita.com
- Update to version 1.1
* Fix use of integer nodes within Python Bindings
-------------------------------------------------------------------
Tue Dec 08 00:20:17 CEST 2009 - opensuse@sukimashita.com
- Update to version 1.0
* Bugfixes
* Remove deprecated API
-------------------------------------------------------------------
Wed Oct 28 21:01:57 CEST 2009 - opensuse@sukimashita.com
- Update to version 0.16
* Build fixes
* Fix issues with SWIG
-------------------------------------------------------------------
Sat Oct 24 23:53:01 CEST 2009 - opensuse@sukimashita.com
- Update to version 0.15
* Build fixes
- Update to version 0.14
* Add C++ binding
* Refactor API
* Bugfixes
-------------------------------------------------------------------
Sun Jul 19 00:06:10 CEST 2009 - opensuse@sukimashita.com
- Update to version 0.13
* Add plist_copy for deep node copies
* Add node setter functions
* Unlink nodes from parent if free'd
* Update Python bindings
-------------------------------------------------------------------
Wed May 06 01:06:10 CEST 2009 - opensuse@sukimashita.com
- Update to version 0.12
* Merge ascii and unicode handling in PLIST_STRING using UTF-8
* Remove unicode related declaration in API (breaks API&ABI)
* Fix bad variable type for date elements
* Silence compiler warnings
* Plugged few memory leaks
-------------------------------------------------------------------
Wed Apr 22 00:02:19 CET 2009 - opensuse@sukimashita.com
- Update to version 0.11
* Fix Python binding segfaults
* Python API additions
* Better binary buffer handling in Python bindings
-------------------------------------------------------------------
Sun Apr 12 19:17:41 CET 2009 - opensuse@sukimashita.com
- Update to version 0.10
-------------------------------------------------------------------
Tue Apr 07 10:20:57 CET 2009 - opensuse@sukimashita.com
- Add patch to fix uninitialized buffer
-------------------------------------------------------------------
Sat Apr 04 11:08:16 CET 2009 - opensuse@sukimashita.com
- Initial package created
