[Libreoffice-commits] core.git: 2 commits - download.lst external/python3

Libreoffice Gerrit user logerrit at kemper.freedesktop.org
Tue Jan 15 09:36:25 UTC 2019


 download.lst                                                                       |    4 
 external/python3/0001-3.6-bpo-17239-Disable-external-entities-in-SAX-parse.patch.1 |   59 ++++++++++
 external/python3/UnpackedTarball_python3.mk                                        |    1 
 3 files changed, 62 insertions(+), 2 deletions(-)

New commits:
commit a57dd8eba9c0799dd42eb547a37622bce8fdb0b3
Author:     Michael Stahl <Michael.Stahl at cib.de>
AuthorDate: Mon Jan 14 17:33:37 2019 +0100
Commit:     Michael Stahl <Michael.Stahl at cib.de>
CommitDate: Tue Jan 15 10:36:11 2019 +0100

    python3: add patch bpo-17239: Disable external entities in SAX parser
    
    Change-Id: I44e969d8d3a8fe6b6426d61a1cbe83154c8518dd
    Reviewed-on: https://gerrit.libreoffice.org/66329
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <Michael.Stahl at cib.de>

diff --git a/external/python3/0001-3.6-bpo-17239-Disable-external-entities-in-SAX-parse.patch.1 b/external/python3/0001-3.6-bpo-17239-Disable-external-entities-in-SAX-parse.patch.1
new file mode 100644
index 000000000000..489e5d0e89ee
--- /dev/null
+++ b/external/python3/0001-3.6-bpo-17239-Disable-external-entities-in-SAX-parse.patch.1
@@ -0,0 +1,59 @@
+From 582d188e6e3487180891f1fc457a80dec8be26a8 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <christian at python.org>
+Date: Mon, 24 Sep 2018 14:38:31 +0200
+Subject: [PATCH] [3.6] bpo-17239: Disable external entities in SAX parser
+ (GH-9217) (GH-9512)
+
+The SAX parser no longer processes general external entities by default
+to increase security. Before, the parser created network connections
+to fetch remote files or loaded local files from the file system for DTD
+and entities.
+
+Signed-off-by: Christian Heimes <christian at python.org>
+
+https://bugs.python.org/issue17239.
+(cherry picked from commit 17b1d5d4e36aa57a9b25a0e694affbd1ee637e45)
+
+Co-authored-by: Christian Heimes <christian at python.org>
+
+
+
+https://bugs.python.org/issue17239
+---
+ Doc/library/xml.dom.pulldom.rst               | 14 +++++
+ Doc/library/xml.rst                           |  6 +-
+ Doc/library/xml.sax.rst                       |  8 +++
+ Doc/whatsnew/3.6.rst                          | 18 +++++-
+ Lib/test/test_pulldom.py                      |  7 +++
+ Lib/test/test_sax.py                          | 60 ++++++++++++++++++-
+ Lib/test/test_xml_etree.py                    | 13 ++++
+ Lib/xml/sax/expatreader.py                    |  2 +-
+ .../2018-09-11-18-30-55.bpo-17239.kOpwK2.rst  |  3 +
+ 9 files changed, 125 insertions(+), 6 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Security/2018-09-11-18-30-55.bpo-17239.kOpwK2.rst
+
+diff --git a/Lib/xml/sax/expatreader.py b/Lib/xml/sax/expatreader.py
+index 421358fa5b..5066ffc2fa 100644
+--- a/Lib/xml/sax/expatreader.py
++++ b/Lib/xml/sax/expatreader.py
+@@ -95,7 +95,7 @@ class ExpatParser(xmlreader.IncrementalParser, xmlreader.Locator):
+         self._lex_handler_prop = None
+         self._parsing = 0
+         self._entity_stack = []
+-        self._external_ges = 1
++        self._external_ges = 0
+         self._interning = None
+ 
+     # XMLReader methods
+diff --git a/Misc/NEWS.d/next/Security/2018-09-11-18-30-55.bpo-17239.kOpwK2.rst b/Misc/NEWS.d/next/Security/2018-09-11-18-30-55.bpo-17239.kOpwK2.rst
+new file mode 100644
+index 0000000000..8dd0fe8c1b
+--- /dev/null
++++ b/Misc/NEWS.d/next/Security/2018-09-11-18-30-55.bpo-17239.kOpwK2.rst
+@@ -0,0 +1,3 @@
++The xml.sax and xml.dom.minidom parsers no longer processes external
++entities by default. External DTD and ENTITY declarations no longer
++load files or create network connections.
+-- 
+2.20.1
+
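Review bot: The diffstat in the embedded upstream patch header still lists nine changed files, including `Lib/test/test_sax.py` and `Lib/test/test_xml_etree.py`, but the body carries only the `Lib/xml/sax/expatreader.py` change and the NEWS entry. The upstream regression tests that pin `_external_ges = 0` as the default are therefore not carried along with the fix. If dropping the docs and tests was deliberate, say so in the patch preamble, for example `Stripped for LibreOffice: only the expatreader.py and NEWS hunks are kept; docs and tests omitted.`, so a later rebase does not mistake the file for a truncated one. The behaviour change also deserves a line for authors of bundled scripts: code that needs external general entities now has to opt in with `parser.setFeature(xml.sax.handler.feature_external_ges, True)`, and should do so only for trusted input.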
diff --git a/external/python3/UnpackedTarball_python3.mk b/external/python3/UnpackedTarball_python3.mk
index ea5e160c3536..09bd9fa2edf6 100644
--- a/external/python3/UnpackedTarball_python3.mk
+++ b/external/python3/UnpackedTarball_python3.mk
@@ -27,6 +27,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,python3,\
 	external/python3/ubsan.patch.0 \
 	external/python3/python-3.5.tweak.strip.soabi.patch \
 	external/python3/darwin.patch.0 \
+	external/python3/0001-3.6-bpo-17239-Disable-external-entities-in-SAX-parse.patch.1 \
 ))
 
 ifneq ($(filter DRAGONFLY FREEBSD LINUX NETBSD OPENBSD SOLARIS,$(OS)),)
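Review bot: The new list entry gives no hint of when the backport can be removed; the file name identifies the upstream issue but not the condition for dropping it. Comments cannot go inside the backslash-continued argument list, so the place for one is above the `gb_UnpackedTarball_add_patches` call, whose opening line is visible only in the hunk header. Something like `# bpo-17239 backport (upstream 582d188e6e34): drop once the bundled Python already contains it` would do.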
commit 5e96a5c664aea950111199e56bda412512a849b0
Author:     Michael Stahl <Michael.Stahl at cib.de>
AuthorDate: Mon Jan 14 16:19:58 2019 +0100
Commit:     Michael Stahl <Michael.Stahl at cib.de>
CommitDate: Tue Jan 15 10:36:00 2019 +0100

    curl: upgrade to release 7.63.0
    
    fixes CVE-2018-16840
    
    Change-Id: Ica995a28a71eb5d5277d045d57fee9ba0f88883f
    Reviewed-on: https://gerrit.libreoffice.org/66328
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <Michael.Stahl at cib.de>

diff --git a/download.lst b/download.lst
index 0ce01b38bf6a..e93847c57e59 100644
--- a/download.lst
+++ b/download.lst
@@ -29,8 +29,8 @@ export CPPUNIT_SHA256SUM := 3d569869d27b48860210c758c4f313082103a5e58219a7669b52
 export CPPUNIT_TARBALL := cppunit-1.14.0.tar.gz
 export CT2N_SHA256SUM := 71b238efd2734be9800af07566daea8d6685aeed28db5eb5fa0e6453f4d85de3
 export CT2N_TARBALL := 1f467e5bb703f12cbbb09d5cf67ecf4a-converttexttonumber-1-5-0.oxt
-export CURL_SHA256SUM := eaa812e9a871ea10dbe8e1d3f8f12a64a8e3e62aeab18cb23742e2f1727458ae
-export CURL_TARBALL := curl-7.61.1.tar.gz
+export CURL_SHA256SUM := d483b89062832e211c887d7cf1b65c902d591b48c11fe7d174af781681580b41
+export CURL_TARBALL := curl-7.63.0.tar.gz
 export EBOOK_SHA256SUM := 7e8d8ff34f27831aca3bc6f9cc532c2f90d2057c778963b884ff3d1e34dfe1f9
 export EBOOK_TARBALL := libe-book-0.1.3.tar.xz
 export EPOXY_SHA256SUM := a9562386519eb3fd7f03209f279f697a8cba520d3c155d6e253c3e138beca7d8

