[Gpg4win-commits] [git] Gpg4win - branch, master, updated. gpg4win-2.1.0-113-g07c9a74

by Werner Koch cvs at cvs.gnupg.org
Fri Dec 7 10:33:23 CET 2012


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GnuPG for Windows".

The branch, master has been updated
       via  07c9a7460c7144bc4f9e87ab8038bed4adede52e (commit)
       via  add2cecf74d0e7f24518f4267f8f53d231bd2f62 (commit)
      from  e74e4284f06f9823897abe7c5fb49ae72b00d86f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 07c9a7460c7144bc4f9e87ab8038bed4adede52e
Author: Werner Koch <wk at gnupg.org>
Date:   Fri Dec 7 10:31:53 2012 +0100

    Update GPA.
    
    * packages/packages.current (gpa): Update to 0.9.3.

diff --git a/NEWS b/NEWS
index 8e34789..b86bbb7 100644
--- a/NEWS
+++ b/NEWS
@@ -18,7 +18,7 @@ Noteworthy changes in version 2.1.1 (unreleased)
 ~~~~~~~~~~~~~~~
 GnuPG:          2.0.19
 Kleopatra:      2.1.0 (2011-02-04)
-GPA:            0.9.2
+GPA:            0.9.3
 GpgOL:          1.1.3
 GpgEX:          0.9.7
 Claws-Mail:     3.8.0cvs30
diff --git a/packages/packages.current b/packages/packages.current
index f4d3f107..32e0a56 100644
--- a/packages/packages.current
+++ b/packages/packages.current
@@ -76,6 +76,7 @@ chk   fffb34be2e3c66e58a5d3daaf8aa38cae33b284f
 # libxml2 for Claws plugins
 
 # checked: 2012-03-28 wk - updated
+#          2012-12-07 wk - add patch for CVE-2012-5135
 server ftp://xmlsoft.org/libxml2
 file   libxml2-2.7.8.tar.gz
 chk    859dd535edbb851cc15b64740ee06551a7a17d40
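Review bot: The added comment `#          2012-12-07 wk - add patch for CVE-2012-5135` names a different CVE than the patch this push introduces, which is `patches/libxml2-2.7.8/01-cve-2012-5134` and is described as CVE-2012-5134 in the commit that adds it; one of the two is presumably a typo. This file is where a packager would check which fixes the bundled libxml2 2.7.8 carries, so the comment should match the patch: `#          2012-12-07 wk - add patch for CVE-2012-5134`. Separately, the context lines show the tarball is fetched from `ftp://xmlsoft.org/libxml2`, so the `chk` line is the only integrity control on the download. Its 40-hex-digit value appears to be a SHA-1 digest; a stronger digest would be worth considering if the build scripts can verify one.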
@@ -375,7 +376,8 @@ chk  190c09e6688f688fb0a5cf884d01e240d957ac1f
 file dirmngr/dirmngr-1.1.0.tar.bz2
 chk  a7a7d1432db9edad2783ea1bce761a8106464165
 
-# checked: 2012-03-28 wk
+# checked: 2012-03-28 wk - updated
+#          2012-12-07 wk - can't update to 0.8.2 due to MOC problems.
 file pinentry/pinentry-0.8.1.tar.gz
 chk  84a6940175b552a8562b4014f4661dec3ff10165
 
@@ -383,13 +385,13 @@ chk  84a6940175b552a8562b4014f4661dec3ff10165
 file scute/scute-1.4.0.tar.bz2
 chk  e28141d2b03612c09512651795976c58ed3f8035
 
-# checked: 2012-05-02 wk
+# checked: 2012-12-07 wk
 file gpgme/gpgme-1.3.2.tar.bz2
 chk  5b5ebcc4dad46ced0e436a30f5542577536619c7
 
-# checked: 2012-05-02 wk
-file gpa/gpa-0.9.2.tar.bz2
-chk  17caec5db3c77b99291b5ae91bc1dd94566f612c
+# checked: 2012-12-07 wk
+file gpa/gpa-0.9.3.tar.bz2
+chk  8dc810e465ec49cd8353d93b3ede8e69ad3cf48b
 
 
 # (Snapshots)

commit add2cecf74d0e7f24518f4267f8f53d231bd2f62
Author: Werner Koch <wk at gnupg.org>
Date:   Fri Dec 7 10:31:13 2012 +0100

    Patch libxml2 due to CVE-2012-5134.
    
    * patches/libxml2-2.7.8/01-cve-2012-5134: New.
    * Makefile.am: Add patch.

diff --git a/Makefile.am b/Makefile.am
index e7f1cb0..b638f42 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -30,6 +30,7 @@ EXTRA_DIST = autogen.sh README.GIT ONEWS \
         patches/glib-2.12.12/03-gspawn-w32-fixup.patch \
         patches/glib-2.20.0/01-socket.patch \
         patches/glib-2.24.0/01-socket.patch \
+        patches/libxml2-2.7.8/01-cve-2012-5134 \
 	patches/gpgme/01-gpg2.patch \
 	patches/gpgme-1.1.7/01-registry.patch \
 	patches/gpgme-1.1.7/02-extern-umlaute.patch \
diff --git a/patches/libxml2-2.7.8/01-cve-2012-5134 b/patches/libxml2-2.7.8/01-cve-2012-5134
new file mode 100755
index 0000000..3c7f86c
--- /dev/null
+++ b/patches/libxml2-2.7.8/01-cve-2012-5134
@@ -0,0 +1,18 @@
+#! /bin/sh
+patch -p1 -f $* < $0
+exit $?
+
+This fixes a buffer underflow.
+
+
+--- libxml2-2.7.8/parser.c~     2010-11-04 16:55:45.000000000 +0100
++++ libxml2-2.7.8/parser.c      2012-12-07 10:04:17.865677886 +0100
+@@ -3922,7 +3922,7 @@
+        c = CUR_CHAR(l);
+     }
+     if ((in_space) && (normalize)) {
+-        while (buf[len - 1] == 0x20) len--;
++        while (len > 0 && buf[len - 1] == 0x20) len--;
+     }
+     buf[len] = 0;
+     if (RAW == '<') {
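Review bot: The wrapper line `patch -p1 -f $* < $0` expands `$*` and `$0` unquoted, so a source or build path containing whitespace would split the arguments or break the redirect; `patch -p1 -f "$@" < "$0"` keeps each argument and the script path intact. The embedded description says only "This fixes a buffer underflow." and gives no provenance, which makes the fix hard to audit against upstream later. I would extend it to something like `Fixes CVE-2012-5134: buf[len - 1] was read with len == 0 in parser.c; taken from upstream libxml2 commit <UPSTREAM_COMMIT_ID>.` The guard itself tests `len > 0` before the array read, which is the right order. The enclosing function in parser.c starts and ends outside the embedded hunk, so other uses of `len` there are not visible from this patch.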

-----------------------------------------------------------------------

Summary of changes:
 Makefile.am                            |    1 +
 NEWS                                   |    2 +-
 packages/packages.current              |   12 +++++++-----
 patches/libxml2-2.7.8/01-cve-2012-5134 |   18 ++++++++++++++++++
 4 files changed, 27 insertions(+), 6 deletions(-)
 create mode 100755 patches/libxml2-2.7.8/01-cve-2012-5134


hooks/post-receive
-- 
GnuPG for Windows
http://git.gnupg.org


