File libplist.changes of Package libplist.4095

-------------------------------------------------------------------
Tue May  2 20:35:33 UTC 2017 - mgorse@suse.com

- Add libplist-boo1029631-32bit.patch: ensure that sanity checks
  work on 32-bit platforms (boo#1029631 CVE-2017-6440).

-------------------------------------------------------------------
Mon May  1 20:05:46 UTC 2017 - mgorse@suse.com

- Add libplist-boo1035312-overflow-fixes.patch: add some safety
  checks, backported from upstream (boo#1035312 CVE-2017-7982). 

-------------------------------------------------------------------
Tue Feb  7 12:13:33 UTC 2017 - alarrosa@suse.com

- Add patches from upstream to fix a multitude of memory leaks,
  out of bound reads and writes and check index ranges:
  0001-Fix-possible-crash-in-plist_from_bin-caused-by-access-to-already-freed-memory.patch
  0002-Plug-memory-leaks-caused-by-unused-and-unfreed-buffer.patch
  0003-Refactor-binary-plist-parsing-in-a-recursive-way.patch
  0004-Make-sure-to-compare-the-node-sizes-for-integer-nodes.patch
  0005-Change-internal-storage-of-PLIST_DATE-values-from-struct-timeval-to-double.patch
  0006-Fix-possible-out-of-bounds-read-in-parse_dict_node-with-proper-bounds-checking.patch
  0007-Fix-possible-out-of-bounds-reads-in-parse_bin_node.patch
  0008-Make-sure-the-index-in-parse_bin_node_at_index-is-actually-within-the-offset-table.patch
  0009-Prevent-out-of-bounds-read-in-plist_from_bin-when-parsing-offset_table.patch
  0010-Make-sure-to-error-out-if-allocation-of-used_indexes-buffer-in-plist_from_bin-fails.patch
  0011-Disallow-key-nodes-with-non-string-node-types.patch
  0012-Prevent-OOB-heap-buffer-read-by-checking-input-size.patch
  0013-Improve-UINT_TO_HOST-macro-remove-uint24_from_be-function.patch
  0014-Check-for-invalid-offset_size-in-bplist-trailer.patch
  0015-Use-proper-struct-for-binary-plist-trailer.patch
  0016-Mass-rename-dict_size-and-param_dict_size-to-more-appropiate-ref_size.patch
  0017-Fix-possible-out-of-bounds-read-in-parse_array_node-with-proper-bounds-checking.patch
  0018-Avoid-heap-buffer-allocation-when-parsing-array-dict-string-data-node-sizes-14.patch
  0019-Unify-size-node-parsing-for-data-string-array-dict-nodes.patch
  0020-Prevent-OOB-read-when-parsing-data-string-array-dict-size-nodes.patch
  0021-Fix-OOB-write-on-heap-buffer-and-improve-recursion-check.patch
  0022-Make-sure-node-index-is-smaller-than-number-of-objects.patch
  0023-Make-sure-the-offset-table-is-in-the-correct-range.patch
  0024-Plug-memory-leak-in-case-parsing-a-dictionary-key-fails.patch
  0026-bplist-Improve-real-date-node-de-serialization.patch
  0027-bplist-Improve-parsing-unicode-nodes.patch
  0029-bplist-Make-sure-to-bail-out-if-malloc-fails-in-pars.patch
  0030-bplist-Make-sure-to-bail-out-if-malloc-fails-in-pars.patch
  0031-bplist-Make-sure-to-bail-out-if-malloc-fails-in-pars.patch
  0032-bplist-Properly-handle-some-more-malloc-failure-situ.patch
  0033-plist-Fix-assert-to-allow-16-or-8-byte-integer-sizes.patch
  C0001-Plug-memory-leak-when-converting-PLIST_UID-nodes-to-XML.patch
  C0002-Improve-writing-of-array-and-dictionary-nodes.patch
  C0003-Improve-writing-of-integer-nodes.patch
  C0004-Fix-UID-node-parsing-to-match-Apples-parser.patch
  C0005-Improve-writing-of-UID-nodes.patch
  C0006-Improve-writing-of-data-string-and-unicode-nodes.patch
  C0007-Improve-writing-of-offset-table.patch
- Added patches from upstream so the previous list of patches (which
  was prepared for libplist 1.12) apply correctly in libplist :
  A0001-fix-compiler-warnings.patch
  A0002-fix-invalid-memory-access-in-copy_plist_data.patch
  A0003-implemented-handling-of-UID-keyed-encoding-type.patch
  A0004-use-__FLOAT_WORD_ORDER__-instead-of-__VFP_FP__-for-floating-point-endianness-detection.patch
  A0005-prevent-segmentation-fault-in-plist_from_bin.patch
  A0006-Fix-timezone-bound-date-time-conversion.patch
  A0007-Fix-memory-leaking-caused-by-unused-nodes-in-plist_from_bin.patch
  A0008-Silence-compiler-warnings-about-shadowing-global-declarations.patch
  A0009-Fix-PLIST_DATE-parsing-in-xml_to_node.patch
  A0010-Fix-PLIST_DATE-handling-to-respect-the-Mac-epoch.patch
  A0011-Handle-signed-vs-unsigned-integer-values-correctly.patch
  A0012-Silence-compiler-warning-about-always-true-comparison-due-to-type-mismatch.patch
  A0013-Prevent-crash-in-plist_from_bin-when-parsing-unusually-structured-binary-plist.patch
  A0014-Drop-src-common.h-and-use-byte-order-macros-from-config.h-directly.patch
  A0015-Fix-plist_from_bin-changing-value-nodes-to-key-nodes-in-dictionaries.patch
- Renamed 0001-Prevent-OOB-heap-buffer-read-by-checking-input-size.patch to
  0012-Prevent-OOB-heap-buffer-read-by-checking-input-size.patch to integrate
  the patch in the list of patches sorted by date.
- In particular, 0011-Disallow-key-nodes-with-non-string-node-types.patch
  fixes a type inconsistency by which a maliciously crafted file could
  cause the application to crash (bsc#1023807, CVE-2017-5836).
- 0014-Check-for-invalid-offset_size-in-bplist-trailer.patch fixes a
  vulnerability by which a maliciously crafted file could cause libplist
  to allocate large amounts of memory and consume lots of CPU
  (bsc#1023822, CVE-2017-5835).
- 0017-Fix-possible-out-of-bounds-read-in-parse_array_node-with-proper-bounds-checking.patch
  fixes a vulnerability by which a maliciously crafted file could cause
  a heap buffer overflow and a segmentation fault (bsc#1023848,
  CVE-2017-5834)
- Also added these patches from upstream:
  B0002-base64-use-strtok_r-instead-of-strtok-to-make-sure-were-thread-safe.patch
  B0003-base64-get-rid-of-strtok_r-and-use-strspn-strcspn-instead.patch
  B0004-silence-compiler-warning-by-using-correct-type.patch
  B0005-base64-Prevent-buffer-overflow-by-not-decoding-blocks-with-less-than-4-chrs.patch
  B0006-Prevent-use-strlen-in-base64decode-when-input-buffer-size-is-known.patch
  B0007-base64-Rework-base64decode-to-handle-split-encoded-data.patch
- These patches fix CVE-2017-5209 and boo#1019531: The base64decode function
  in base64.c allows attackers to obtain sensitive info from
  process memory or cause a denial of service (buffer over-read)
  via split encoded Apple Property List data.
- Added drop-common.h.patch. This is a cut-down version of an
  upstream patch needed as a dependency for the rest of the patches.

-------------------------------------------------------------------
Tue Jan 31 17:24:19 UTC 2017 - alarrosa@suse.com

- Add 0001-Prevent-OOB-heap-buffer-read-by-checking-input-size.patch
  This patch (from upstream, rebased) prevents an OOB heap buffer
  read which could allow attackers to obtain sensitive information
  from process memory or cause a DoS (bsc#1021610, CVE-2017-5545).

-------------------------------------------------------------------
Mon Apr 15 12:54:38 UTC 2013 - mmeister@suse.com

- Added url as source.
  Please see http://en.opensuse.org/SourceUrls

-------------------------------------------------------------------
Tue Aug 28 15:52:14 UTC 2012 - cfarrell@suse.com

- license update: LGPL-2.1+
  LGPL-2.1 can be relicensed to GPL without further permission. No need to
  explicitly call out the GPL as a license option. Fedora has been using
  LGPL-2.1+ for a while so gain compatibility there too

-------------------------------------------------------------------
Mon Apr 09 15:45:03 CEST 2012 - opensuse@sukimashita.com

- Allow compilation on 11.4 by disabling cython bindings

-------------------------------------------------------------------
Mon Apr 02 15:54:57 CEST 2012 - opensuse@sukimashita.com

- Update to version 1.8
  * Add Cython based Python bindings
  * Fix memory corruption in libcnary
  * Fix building on Big Endian systems
  * Removed glib dependency, libplist now uses bundled libcnary
  * Fix building of Python bindings with GCC 4.6
- Do not build SWIG bindings for Python
- Remove gcc46_build_fix.patch due to upstream fixes
- Update pkgconfig patch

-------------------------------------------------------------------
Tue Jan 31 10:50:25 UTC 2012 - jengelh@medozas.de

- Remove redundant tags/sections per specfile guideline suggestions
- Parallel building using %_smp_mflags

-------------------------------------------------------------------
Wed Oct  5 12:24:02 UTC 2011 - uli@suse.com

- cross-build fix: set cmake root, python paths
- cross-build workaround: move installed files from sysroot to
  real root

-------------------------------------------------------------------
Tue Jun 28 13:59:00 UTC 2011 - aj@suse.de

- Add baselibs.conf - needed by usbmuxd's baselibs.conf.

-------------------------------------------------------------------
Mon May 16 22:18:07 UTC 2011 - cgiboudeaux@gmx.com

- Add gcc46_build_fix.patch. Fixes build with GCC4.6

-------------------------------------------------------------------
Sun Mar 20 18:17:36 CEST 2011 - opensuse@sukimashita.com

- Update to version 1.4
  * New maintainer and source location
  * Update AUTHORS from git history
  * Fix Unicode writing in binary plists
  * Update plist doctype
  * Fix Dictionary copy constructor
  * Fix Mac OS X library install path detection
  * Plug memory leak when writing Unicode data
- Remove pkgconfig patch due to upstream fixes

-------------------------------------------------------------------
Wed Dec  8 21:18:28 UTC 2010 - cristian.rodriguez@opensuse.org

- Fix both -devel package dependencies and broken pkgconfig file 

-------------------------------------------------------------------
Tue Apr 27 11:20:20 CEST 2010 - opensuse@sukimashita.com

- Update to version 1.3
  * Endianness, alignment and type-punning fixes
  * Fix armel floating point endianness
  * Allow compiling with mingw on Windows
  * Minor bugfixes

-------------------------------------------------------------------
Thu Apr  1 00:17:48 CEST 2010 - vuntz@opensuse.org

- Clean up packaging, based on what I did in multimedia:libs.

-------------------------------------------------------------------
Thu Mar 25 11:14:40 CET 2010 - meissner@suse.de

- run prepare_spec

-------------------------------------------------------------------
Fri Jan 22 01:40:54 CEST 2010 - opensuse@sukimashita.com

- Update to version 1.2
  * Fix xml entity conversion
  * Silence build warnings
- Remove upstreamed patches

-------------------------------------------------------------------
Sat Jan 09 11:07:34 CEST 2010 - opensuse@sukimashita.com

- Add patches to fix xml entity conversion and tests

-------------------------------------------------------------------
Wed Dec 30 18:33:27 CEST 2009 - opensuse@sukimashita.com

- Update to version 1.1
  * Fix use of integer nodes within Python Bindings

-------------------------------------------------------------------
Tue Dec 08 00:20:17 CEST 2009 - opensuse@sukimashita.com

- Update to version 1.0
  * Bugfixes
  * Remove deprecated API

-------------------------------------------------------------------
Wed Oct 28 21:01:57 CEST 2009 - opensuse@sukimashita.com

- Update to version 0.16
  * Build fixes
  * Fix issues with SWIG

-------------------------------------------------------------------
Sat Oct 24 23:53:01 CEST 2009 - opensuse@sukimashita.com

- Update to version 0.15
  * Build fixes
- Update to version 0.14
  * Add C++ binding
  * Refactor API
  * Bugfixes

-------------------------------------------------------------------
Sun Jul 19 00:06:10 CEST 2009 - opensuse@sukimashita.com

- Update to version 0.13
  * Add plist_copy for deep node copies
  * Add node setter functions
  * Unlink nodes from parent if free'd
  * Update Python bindings

-------------------------------------------------------------------
Wed May 06 01:06:10 CEST 2009 - opensuse@sukimashita.com

- Update to version 0.12
  * Merge ascii and unicode handling in PLIST_STRING using UTF-8
  * Remove unicode related declaration in API (breaks API&ABI)
  * Fix bad variable type for date elements
  * Silence compiler warnings
  * Plugged few memory leaks

-------------------------------------------------------------------
Wed Apr 22 00:02:19 CET 2009 - opensuse@sukimashita.com

- Update to version 0.11
  * Fix Python binding segfaults
  * Python API additions
  * Better binary buffer handling in Python bindings

-------------------------------------------------------------------
Sun Apr 12 19:17:41 CET 2009 - opensuse@sukimashita.com

- Update to version 0.10

-------------------------------------------------------------------
Tue Apr 07 10:20:57 CET 2009 - opensuse@sukimashita.com

- Add patch to fix uninitialized buffer

-------------------------------------------------------------------
Sat Apr 04 11:08:16 CET 2009 - opensuse@sukimashita.com

- Initial package created