Removed rpms
============
- alsa-plugins-pulse-32bit
- alsa-oss-32bit
- cyrus-sasl-gssapi-32bit
- fontconfig-32bit
- glibc-locale-32bit
- glibc-locale-base-32bit
- libXau6-32bit
- libattr1-32bit
- libblkid1-32bit
- libbrotlidec1-32bit
- libdw1-32bit
- libexpat1-32bit
- libffi7-32bit
- libgdbm4-32bit
- libgobject-2_0-0-32bit
- libhogweed6-32bit
- liblz4-1-32bit
- libpulse0-32bit
- libtextstyle0-32bit
- libvorbis0-32bit
- nss-mdns-32bit
- pam_pwquality-32bit
- perl-base-32bit
- samba-client-libs-32bit
- qemu-ipxe
- libFLAC8-32bit
- libacl1-32bit
- libaudit1-32bit
- libcrypt1-32bit
- libdbus-1-3-32bit
- libfontconfig1-32bit
- libfreetype6-32bit
- libgmodule-2_0-0-32bit
- libidn2-0-32bit
- libkeyutils1-32bit
- libldb2-32bit
- liblzma5-32bit
- libmagic1-32bit
- libnss_usrfiles2-32bit
- libparted0-32bit
- libpci3-32bit
- libpcre1-32bit
- libpopt0-32bit
- libselinux1-32bit
- libsndfile1-32bit
- libtirpc3-32bit
- libudev1-32bit
- libunistring2-32bit
- libuuid1-32bit
- qemu-vgabios
- samba-client-32bit

Added rpms
==========
- alsa-oss-32bit
- cyrus-sasl-gssapi-32bit
- fontconfig-32bit
- glibc-locale-32bit
- glibc-locale-base-32bit
- alsa-plugins-pulse-32bit
- libFLAC8-32bit
- libacl1-32bit
- libaudit1-32bit
- libcrypt1-32bit
- libdbus-1-3-32bit
- libfontconfig1-32bit
- libfreetype6-32bit
- libgmodule-2_0-0-32bit
- libidn2-0-32bit
- libkeyutils1-32bit
- libldb2-32bit
- liblzma5-32bit
- libmagic1-32bit
- libnss_usrfiles2-32bit
- libparted0-32bit
- libpci3-32bit
- libpcre1-32bit
- libpopt0-32bit
- libselinux1-32bit
- libsndfile1-32bit
- libtirpc3-32bit
- libudev1-32bit
- libunistring2-32bit
- libuuid1-32bit
- samba-client-32bit
- qemu-vgabios
- libXau6-32bit
- libattr1-32bit
- libblkid1-32bit
- libbrotlidec1-32bit
- libdw1-32bit
- libexpat1-32bit
- libffi7-32bit
- libgdbm4-32bit
- libgobject-2_0-0-32bit
- libhogweed6-32bit
- liblz4-1-32bit
- libpulse0-32bit
- libtextstyle0-32bit
- libvorbis0-32bit
- nss-mdns-32bit
- pam_pwquality-32bit
- perl-base-32bit
- qemu-ipxe
- samba-client-libs-32bit

Package Source Changes
======================
acl
-- test: Add helper library to fake passwd/group files -- quote: escape literal backslashes (bsc#953659). -- Added patch: - * 0001-test-Add-helper-library-to-fake-passwd-group-files.patch - * 0002-quote-escape-literal-backslashes.patch - -- refresh acl-2.2.52-tests.patch to work with perl 5.26 - -- BuildRequires gettext-tools-mini instead of gettext-tools: as - acl is part of the bootstrap, we want to try to keep the dep - chain as small as possible. - -- Remove --with-pic that's just for static libraries. -- Replace %__-type macro indirections. - Replace old $RPM_ by their macro equivalents for consistency. - Make the macro style consistent across the file again. - -- reenable full Larg File Support for i586 - -- Make it possible to disable tests (for Ring0) -- Add BuildRequires: system-user-daemon for the testsuite - -- Add BuildRequires for system user bin needed by test suite - -- Update to git snapshot dated 21 Sep 2015.
- - Added: - * 0001-Install-the-libraries-to-the-appropriate-directory.patch - * 0002-setfacl.1-fix-typo-inclu-de-include.patch - * 0003-test-fix-insufficient-quoting-of.patch - * 0004-Makefile-rename-configure.in-to-configure.ac.patch - * 0005-Bad-markup-in-acl.5-page.patch - * 0006-.gitignore-ignore-and-config.h.in.patch - * 0007-Use-autoreconf-rather-than-autoconf-to-regenerate-th.patch - * 0008-libacl-Make-sure-that-acl_from_text-always-sets-errn.patch - * 0009-libacl-fix-SIGSEGV-of-getfacl-e-on-overly-long-group.patch - * 0010-punt-debian-rpm-packaging-logic.patch - * 0011-move-gettext-logic-into-misc.h.patch - * 0012-test-make-running-parallel-out-of-tree-safe.patch - * 0013-modernize-build-system.patch - * 0014-po-regenerate-files-after-move.patch - * 0015-build-drop-aclincludedir-use-pkgincludedir.patch - * 0016-build-make-use-of-an-aux-dir-to-stow-away-helper-scr.patch - * 0017-build-ship-a-pkgconfig-file-for-libacl.patch - * 0018-read_acl_-comments-seq-rename-line-to-lineno.patch - * 0019-read_acl_-comments-seq-switch-to-next_line.patch - * 0020-telldir-return-value-and-seekdir-second-parameters-a.patch - * 0021-mark-libmisc-funcs-as-hidden-so-they-are-not-exporte.patch - * 0022-add-__acl_-prefixes-to-internal-symbols.patch - * 0023-cp.test-Check-permissions-of-the-right-file.patch - * 0024-libacl-acl_set_file-Remove-unnecesary-racy-check.patch - * 0025-fix-compilation-with-latest-xattr-git.patch - * 0026-getfacl-Fix-memory-leak.patch - * 0027-Fix-the-display-block-nesting-in-acl.5.patch - * 0028-setfacl-man-page-Minor-wording-improvements.patch - * 0029-getfacl-Fix-minor-resource-leak.patch - * 0030-Do-not-export-symbols-that-are-not-supposed-to-be-ex.patch - * 0031-walk_tree-mark-internal-variables-as-static.patch - * 0032-ignore-configure.lineno.patch -- Signficant spec file restructuring due to 0013-modernize-build-system.patch -- removed builddefs.in.diff - -- Reduce size of filelist by using wildcards; - remove %doc (some locations are always %doc), 
- remove %attr (files already have proper permissions) - -- add acl-2.2.52-tests.patch and enable tests, check section taken - from Fedora package - -- remove gpg-offline calls from bootstrap package - -- Update to new upstream release 2.2.52 - * This release fixes a few build system issues that were found and - merges in a tree walking bug fix. -- Remove acl-fiximplicit.patch (merged upstream), - config-guess-sub-update.diff (no longer applies) -- Sync baselibs.conf with in-.spec obsoletes/provides. - -- add gpg checking - -- use source url - -- Add config-guess-sub-update.diff: - update config.guess/sub to latest state for AArch64 - -- Use OS byteswapping routines, application already Includes - "endian.h" but then goes ahead defining ad-hoc equivalent - functionality (0001-Use-OS-byteswapping-macros.patch) - -- remove useless automake deps - -- patch license to follow spdx.org standard - -- license update: GPL-2.0+;LGPL-2.1+ - SPDX format - -- add automake as buildrequire to avoid implicit dependency - -- Fix provides/Obsoletes - -- Implement shlib package (libacl1) -- Enable libacl-devel on all baselib arches - -- upgrade to 2.2.51 - - Test fixes - -- upgrade to 2.2.50 - - OPTIONS in man pages should be a section heading, not a subsection heading - - Fix a typo in the setfacl man page - - setfacl: Clarify that removing a non-existent acl entry is not an error - - Prevent setfacl --restore from SIGSEGV on malformed restore file - - setfacl: make sure that -R only calls stat(2) on symlinks when it needs to - - libacl: fix potential null pointer dereference - - setfacl: fix restore crash on malformed input - - setfacl: print useful error from read_acl_comments - - setfacl: changing owner and when S_ISUID should be set --restore fix - -- use %_smp_mflags - -- add baselibs.conf as a source -- adjust baselibs.conf for SPARC - -- readded incorrectly removed libattr-devel requires in -devel - -- fixed implicit strchr() usage. 
- -- do not package static libraries -- fix -devel package dependencies - -- Version bump to 2.2.48 - - Document the new flags comments - - Include the S_ISUID, S_ISGID, S_ISVTX flags in the getfacl output, and restore them with "setfacl --restore=file". - - Make sure that getfacl -R only calls stat(2) on symlinks when it needs to - - Stop quoting nonprintable characters in the getfacl output - - Avoid unnecessary but destructive chown calls - - Clarify license notice - alsa-oss +- use https for urls + +- Drop the superfluous buildreq alsa-topology-devel again; + it's no longer mandatory + +- Fix build breakage by the new alsa update; now it requires + alsa-topology-devel + +- Avoid repetition of name in summary. Update description. + +- Update to alsa-oss 1.1.8 (bsc#1181571): + Fix the build with the recent glibc +- Remove obsoleted patch: + remove-libio.patch: + +- remove-libio.patch: don't use obsolete + +- Remove old kludges +- Run spec-cleaner + +- Update to alsa-oss 1.1.6: + * Change FSF address (Franklin Street) +- Use %license file tag + +- Updated to alsa-oss 1.0.28: + All pervious fix patches are obsoleted: + 0002-Add-AM_MAINTAINER_MODE-enable-to-configure.in.patch + 0003-Fix-the-argument-passed-to-snd_pcm_dump_setup.patch + 0004-Workaround-for-aoss-dmix-with-unaligned-rates.patch + +- Fix for dmix with unaligned sample rate: + 0003-Fix-the-argument-passed-to-snd_pcm_dump_setup.patch + 0004-Workaround-for-aoss-dmix-with-unaligned-rates.patch + branding-openSUSE +- use path->union for fonts in logo boo#1203394 + +- Bump to 15.5 +- Supply new Wallpaper Issue#132 + expat +- Security fixes: + * (CVE-2022-25236, bsc#1196784) [>=2.4.5] Fix to CVE-2022-25236 + breaks biboumi, ClairMeta, jxmlease, libwbxml, + openleadr-python, rnv, xmltodict + - Added expat-CVE-2022-25236-relax-fix.patch + +- Security fixes: + * (CVE-2022-25236, bsc#1196025) Expat before 2.4.5 allows + attackers to insert namespace-separator characters into + namespace URIs + - Added 
expat-CVE-2022-25236.patch + * (CVE-2022-25235, bsc#1196026) xmltok_impl.c in Expat before + 2.4.5 does not check whether a UTF-8 character is valid in a + certain context. + - Added expat-CVE-2022-25235.patch + * (CVE-2022-25313, bsc#1196168) Stack exhaustion in + build_model() via uncontrolled recursion + - Added expat-CVE-2022-25313.patch + - The fix upstream introduced a regression that was later + amended in 2.4.6 version + + Added expat-CVE-2022-25313-fix-regression.patch + * (CVE-2022-25314, bsc#1196169) Integer overflow in copyString + - Added expat-CVE-2022-25314.patch + * (CVE-2022-25315, bsc#1196171) Integer overflow in storeRawNames + - Added expat-CVE-2022-25315.patch + +- Update to latest version 2.4.4 in SLE-15-SP4 [jsc#SLE-21253] + +- update to 2.4.4 (bsc#1195217, bsc#1195054): + * Security fixes: + - CVE-2022-23852 -- Fix signed integer overflow + (undefined behavior) in function XML_GetBuffer + that is also called by function XML_Parse internally) + for when XML_CONTEXT_BYTES is defined to >0 (which is both + common and default). + Impact is denial of service or more. + - CVE-2022-23990 -- Fix unsigned integer overflow in function + doProlog triggered by large content in element type + declarations when there is an element declaration handler + present (from a prior call to XML_SetElementDeclHandler). + Impact is denial of service or more. 
+ * Bug fixes: + - xmlwf: Fix a memory leak on output file opening error + * Other changes: + - Version info bumped from 9:3:8 to 9:4:8; + see https://verbump.de/ for what these numbers do + * Drop unused file valid-xhtml10.png + +- update to 2.4.3 (bsc#1194251, bsc#1194362, bsc#1194474, + bsc#1194476, bsc#1194477, bsc#1194478, bsc#1194479, bsc#1194480): + * CVE-2021-45960 -- Fix issues with left shifts by >=29 places + resulting in + a) realloc acting as free + b) realloc allocating too few bytes + c) undefined behavior + depending on architecture and precise value + for XML documents with >=2^27+1 prefixed attributes + on a single XML tag a la + "" + where XML_ParserCreateNS is used to create the parser + (which needs argument "-n" when running xmlwf). + Impact is denial of service, or more. + * CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow + on variable m_groupSize in function doProlog leading + to realloc acting as free. + Impact is denial of service or more. + * CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows + near memory allocation at multiple places. Mitre assigned + a dedicated CVE for each involved internal C function: + - CVE-2022-22822 for function addBinding + - CVE-2022-22823 for function build_model + - CVE-2022-22824 for function defineAttribute + - CVE-2022-22825 for function lookup + - CVE-2022-22826 for function nextScaffoldPart + - CVE-2022-22827 for function storeAtts + Impact is denial of service or more. 
+ +- update to 2.4.2: + * Link againgst libm for function "isnan" + * Include expat_config.h as early as possible + * Autotools: Include files with release archives: + - buildconf.sh + - fuzz/*.c + * Autotools: Sync CMake templates + * docs: Document that function XML_GetBuffer may return NULL + when asking for a buffer of 0 (zero) bytes size + * docs: Fix return value docs for both + XML_SetBillionLaughsAttackProtection* functions + * Version info bumped from 9:1:8 to 9:2:8 + +- Update to 2.4.1 in SLE-15-SP4 [jsc#SLE-21253] + * Remove expat-CVE-2018-20843.patch upstream + +- Update to 2.4.1: + * Bug fixes: + - Autotools: Fix installed header expat_config.h for multilib + systems; regression introduced in 2.4.0 by pull request #486 + * Other changes: + - Version info bumped from 9:0:8 to 9:1:8; see + https://verbump.de/ for what these numbers do + +- Update to 2.4.0: [CVE-2013-0340 "Billion Laughs"] + * Security fixes: + - CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks + (denial-of-service; flavors targeting CPU time or RAM or both, + leveraging general entities or parameter entities or both) + by tracking and limiting the input amplification factor + ( := ( + ) / ). + By conservative default, amplification up to a factor of 100.0 + is tolerated and rejection only starts after 8 MiB of output bytes + (= + ) have been processed. + The fix adds the following to the API: + - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to + signals this specific condition. + - Two new API functions .. + - XML_SetBillionLaughsAttackProtectionMaximumAmplification and + - XML_SetBillionLaughsAttackProtectionActivationThreshold + .. to further tighten billion laughs protection parameters + when desired. Please see file "doc/reference.html" for details. + If you ever need to increase the defaults for non-attack XML + payload, please file a bug report with libexpat. + - Two new XML_FEATURE_* constants .. 
+ - that can be queried using the XML_GetFeatureList function, and + - that are shown in "xmlwf -v" output. + - Two new environment variable switches .. + - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and + - EXPAT_ENTITY_DEBUG=(0|1) + .. for runtime debugging of accounting and entity processing. + Specific behavior of these values may change in the future. + - Two new command line arguments "-a FACTOR" and "-b BYTES" + for xmlwf to further tighten billion laughs protection + parameters when desired. + If you ever need to increase the defaults for non-attack XML + payload, please file a bug report with libexpat. + * Bug fixes: + - For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake) + or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault + for UTF-16 payloads containing CDATA sections. + - Autotools: Fix generated CMake files for non-64bit and + non-Linux platforms (e.g. macOS and MinGW in particular) + that were introduced with release 2.3.0 + * Other changes: + - xmlwf: Improve help output and the xmlwf man page + - xmlwf: Improve maintainability through some refactoring + - xmlwf: Fix man page DocBook validity + - CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR + and CMAKE_INSTALL_INCLUDEDIR + - CMake: Add support for standard variable BUILD_SHARED_LIBS + - Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters + - Resolve macro HAVE_EXPAT_CONFIG_H + - Delete unused legacy helper file "conftools/PrintPath" + - doc/reference.html: Fix XHTML validity + - doc/reference.html: Replace the 90s look by OK.css + - Version info bumped from 8:0:7 to 9:0:8 due to addition of + new symbols and error codes; see https://verbump.de/ for + what these numbers do + +- Do not BuildRequire cmake: expat is part of the distro bootstrap + cycle and any additional dependency makes the ring larger. In + this case here, cmake was even only used to own a directory. 
+ +- update to 2.3.0: + * When calling XML_ParseBuffer without a prior successful call to + XML_GetBuffer as a user, no longer trigger undefined behavior + (by adding an integer to a NULL pointer) but rather return + XML_STATUS_ERROR and set the error code to (new) code + XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer) + of Clang 11 (but not Clang 9). + * xmlwf: Exit status 2 was used for both: + - malformed input files (documented) and + - invalid command-line arguments (undocumented). + case of invalid command-line arguments now + has its own exit status 4, resolving the ambiguity. + * Other changes + +- Update to 2.2.10: + * Bug fixes: + - Fix undefined behavior during parsing caused by pointer + arithmetic with NULL pointers + - Fix reading uninitialized variable during parsing + - xmlwf: Add missing check for malloc NULL return + * Other changes: + - xmlwf: Document exit codes in xmlwf manpage and exit with code 3 + (rather than code 1) for output errors when used with "-d DIRECTORY" + - Autotools: Use -Werror while configure tests the compiler for + supported compile flags to avoid false positives + - Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS, e.g. + ensure that they have the last word over flags added while + running ./configure + - CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis + on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t) + - CMake: Detect and deny unsupported build combinations + involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t) + - CMake: Install pre-compiled shipped xmlwf.1 manpage in case + of -DEXPAT_BUILD_DOCS=OFF + - CMake: Fix use of Expat by means of add_subdirectory + - CMake: Keep expat target name constant at "expat" (i.e. 
refrain + from using the target name to control build artifact filenames) + - CMake: Expose man page compilation as target "xmlwf-manpage" + - CMake: Introduce option EXPAT_BUILD_PKGCONFIG to control + generation of pkg-config file "expat.pc" + - CMake: Add minimalistic support for building binary packages + with CMake target "package"; based on CPack + - CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with default + OFF to build fuzzer code against OSS-Fuzz and related + environment variable LIB_FUZZING_ENGINE + - Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF + - Address compiler warnings + - Address pngcheck warnings with doc/*.png images: Version info + bumped from 7:11:6 to 7:12:6 + +- Version update to 2.2.9 + * Other changes: + - examples: Drop executable bits from elements.c + [#349] Windows: Change the name of the Windows DLLs from expat*.dll + to libexpat*.dll once more (regression from 2.2.8, first + fixed in 1.95.3, issue #61 on SourceForge today, + was issue #432456 back then); needs a fix due + case-insensitive file systems on Windows and the fact that + Perl's XML::Parser::Expat compiles into Expat.dll. + [#347] Windows: Only define _CRT_RAND_S if not defined + Version info bumped from 7:10:6 to 7:11:6 + +- Version update to 2.2.8 + * Security fixes: (CVE-2019-15903, bsc#1149429) + - CVE-2019-15903 -- Fix heap overflow triggered by XML_GetCurrentLineNumber + (or XML_GetCurrentColumnNumber), and deny internal entities closing the doctype; + * Bug fixes: + - Fix cases where XML_StopParser did not have any effect + when called from inside of an end element handler + - xmlwf: Fix exit code for operation without "-d DIRECTORY"; + previously, only "-d DIRECTORY" would give you a proper exit code: + Now both cases return exit code 2. 
+ * Other changes: + - examples: Improve elements.c + - Autotools: Add argument --enable-xml-attr-info + - Autotools: Add arguments --with-getrandom --without-getrandom --with-sys-getrandom --without-sys-getrandom + - Autotools: Fix linking issues with "./configure LD=clang" + - Autotools: Fix "make run-xmltest" for out-of-source builds + - CMake: Pull all options from Expat <=2.2.7 into namespace + - CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF), default OFF + - CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF), default OFF + - CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF), default OFF + - CMake: Add arguments -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO + - CMake: Add arguments -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO + - CMake: Install expat_config.h to include directory + - CMake: Generate and install configuration files for future find_package(expat [..] CONFIG [..]) + - CMake: Now produces a summary of applied configuration + - CMake: Require C++ compiler only when tests are enabled + - CMake: Fix compilation for 16bit character types, i.e. 
ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON) + - CMake: Port "make run-xmltest" from GNU Autotools to CMake + - CMake: Integrate OSS-Fuzz fuzzers, option -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF +- Removed patches fixed in the update: + * expat-CVE-2019-15903.patch + * expat-CVE-2019-15903-tests.patch + +- Security fix (CVE-2019-15903, bsc#1149429) + * Crafted XML input results in heap-based buffer over-read by fooling + the parser into changing from DTD parsing to document parsing + * Added patches: + - expat-CVE-2019-15903.patch + - expat-CVE-2019-15903-tests.patch + +- Version update to 2.2.7 (CVE-2018-20843, bsc#1139937) + * Security fixes: + - CVE-2018-20843 - Fix extraction of namespace prefixes from + XML names; XML names with multiple colons could end up in + the wrong namespace, and take a high amount of RAM and CPU + resources while processing, opening the door to use for + denial-of-service attacks + * Other changes: + - Autotools/CMake: Utilize -fvisibility=hidden to stop + exporting non-API symbols + - Autotools: Add --without-examples and --without-tests + - Autotools: Modernize configure.ac + - Autotools: Fix check for -fvisibility=hidden for Clang + - Autotools: Fix compilation for lack of docbook2x-man + - CMake: Make libdir of pkgconfig expat.pc support multilib + - CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR + - Remove fallback to bcopy, assume that memmove(3) exists +- Removed expat-2.2.6-fix-make-clean.patch + +- Add expat-2.2.6-fix-make-clean.patch +- Allow profile guided optimization again + +- Drop docbook2x dependency, the manpages are generated in + the upstream archive and this way we break buildcycle + +- Version update to 2.2.6 Sun August 12 2018 + * Bug fixes: + - Avoid doing arithmetic with NULL pointers in XML_GetBuffer + - Fix 2.2.5 regression with suspend-resume while parsing + a document like '' + * Other changes: + - Autotools: Fix docbook-related configure syntax error + - Autotools: Avoid grep option 
`-q` for Solaris + - Autotools: Support + ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation" + - Autotools: Support DOCBOOK_TO_MAN command which produces + xmlwf.1 rather than XMLWF.1; also covers case insensitive + file systems + - Autotools: Drop -rpath option passed to libtool + - Autotools: Detect and deny SGML docbook2man as ours is XML + - Autotools/CMake: Support command db2x_docbook2man as well + - CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF + - CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF + - CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T, + both defaulting to OFF + - CMake: Prefer check_symbol_exists over check_function_exists + - CMake: Create the same pkg-config file as with GNU Autotools + - CMake: Use GNUInstallDirs module to set proper defaults for + install directories + - CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM + - Address compiler warnings + - Fix miscellaneous typos + +- Expand description of expat-devel. + +- Do not generate manpages from docbook +- Temporarily disable profiling due to bug in build system + +- Version update to 2.2.5 Tue October 31 2017 + * Bug fixes: + - If the parser runs out of memory, make sure its internal + state reflects the memory it actually has, not the memory + it wanted to have. + - The default handler wasn't being called when it should for + a SYSTEM or PUBLIC doctype if an entity declaration handler + was registered. 
+ - Fix a case of mistakenly reported parsing success where + XML_StopParser was called from an element handler + - Function XML_ErrorString was returning NULL rather than + a message for code XML_ERROR_INVALID_ARGUMENT + introduced with release 2.2.1 + * Other changes: + - Add argument -N adding notation declarations + - various compiler-specific fixes + - Improve docbook2x-man detection +- drop expat-docbook.patch + * fixed in 0f5186c7b8e503c669e332d944712de010b265f3 +- switch to github for release tarballs and website + +- Version update to 2.2.4 Sat August 19 2017 + * Bug fixes: + [#115] Fix copying of partial characters for UTF-8 input + * Other changes: + [#109] Fix "make check" for non-x86 architectures that default + to unsigned type char (-128..127 rather than 0..255) + [#109] coverage.sh: Cover -funsigned-char + Autotools: Introduce --without-xmlwf argument + [#65] Autotools: Replace handwritten Makefile with GNU Automake + [#43] CMake: Auto-detect high quality entropy extractors, add new + option USE_libbsd=ON to use arc4random_buf of libbsd + [#74] CMake: Add -fno-strict-aliasing only where supported + [#114] CMake: Always honor manually set BUILD_* options + [#114] CMake: Compile man page if docbook2x-man is available, only + [#117] Include file tests/xmltest.log.expected in source tarball + (required for "make run-xmltest") + [#111] Fix some typos in documentation + Version info bumped from 7:5:6 to 7:6:6 +- Release 2.2.3 Wed August 2 2017 + * Bug fixes: + [#85] Fix a dangling pointer issue related to realloc + * Other changes: + [#91] Linux: Allow getrandom to fail if nonblocking pool has not + yet been initialized and read /dev/urandom then, instead. + This is in line with what recent Python does. 
+ [#86] Check that a UTF-16 encoding in an XML declaration has the + right endianness + [#4] #5 #7 Recover correctly when some reallocations fail + Repair "./configure && make" for systems without any + provider of high quality entropy + and try reading /dev/urandom on those + Ensure that user-defined character encodings have converter + functions when they are needed + Fix mis-leading description of argument -c in xmlwf.1 + Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__) + for CloudABI + [#100] Fix use of SIPHASH_MAIN in siphash.h + [#23] Test suite: Fix memory leaks + Version info bumped from 7:4:6 to 7:5:6 +- Release 2.2.2 Wed July 12 2017 + * Security fixes: + [#43] Protect against compilation without any source of high + quality entropy enabled, e.g. with CMake build system; + * [MOX-006] Fix non-NULL parser parameter validation in XML_Parse; + resulted in NULL dereference, previously; + * Bug fixes: + [#69] Fix improper use of unsigned long long integer literals + * Other changes: + [#73] Start requiring a C99 compiler + [#49] Fix "==" Bashism in configure script + [#58] Address compile warnings + [#68] Fix "./buildconf.sh && ./configure" for some versions + of Dash for /bin/sh + [#72] CMake: Ease use of Expat in context of a parent project + with multiple CMakeLists.txt files + [#72] CMake: Resolve mistaken executable permissions + [#76] Address compile warning with -DNDEBUG (not recommended!) 
+ [#77] Address compile warning about macro redefinition + * Added patch expat-docbook.patch to compile the man pages with + docbook-to-man + * Cleaned spec file with spec-cleaner + +- Allow building when do_profiling is undefined + +- Build with profiling when possible + +- Version update to 2.2.1 Sat June 17 2017 + - Security fixes: + CVE-2017-9233 / bsc#1047236 -- External entity infinite loop DoS + Details: https://libexpat.github.io/doc/cve-2017-9233/ + Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f + - [MOX-002] CVE-2016-9063 / bsc#1047240 -- Detect integer overflow; + (Fixed version of existing downstream patches!) + - (SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off + longer tag names; + [#25] More integer overflow detection (function poolGrow); + - [MOX-002] Detect overflow from len=INT_MAX call to XML_Parse; + - [MOX-005] #30 Use high quality entropy for hash initialization: + * arc4random_buf on BSD, systems with libbsd + (when configured with --with-libbsd), CloudABI + * RtlGenRandom on Windows XP / Server 2003 and later + * getrandom on Linux 3.17+ + In a way, that's still part of CVE-2016-5300. + https://github.com/libexpat/libexpat/pull/30/commits + - [MOX-005] For the low quality entropy extraction fallback code, + the parser instance address can no longer leak, + - [MOX-003] Prevent use of uninitialised variable; commit + - [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b + Add missing parameter validation to public API functions + and dedicated error code XML_ERROR_INVALID_ARGUMENT: + - [MOX-006] * NULL checks; commits + * Negative length (XML_Parse); commit + - [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f + - [MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash + to go further with fixing CVE-2012-0876. 
+ https://github.com/libexpat/libexpat/pull/39/commits + - Bug fixes: + [#32] Fix sharing of hash salt across parsers; + relevant where XML_ExternalEntityParserCreate is called + prior to XML_Parse, in particular (e.g. FBReader) + [#28] xmlwf: Auto-disable use of memory-mapping (and parsing + as a single chunk) for files larger than ~1 GB (2^30 bytes) + rather than failing with error "out of memory" + [#3] Fix double free after malloc failure in DTD code; commit + 7ae9c3d3af433cd4defe95234eae7dc8ed15637f + [#17] Fix memory leak on parser error for unbound XML attribute + prefix with new namespaces defined in the same tag; + found by Google's OSS-Fuzz; commits + xmlwf on Windows: Add missing calls to CloseHandle + - New features: + [#30] Introduced environment switch EXPAT_ENTROPY_DEBUG=1 + for runtime debugging of entropy extraction + Bump version info from 7:2:6 to 7:3:6 + +- Remove pointless --with-pic (for static only) + +- Version update to 2.2.0: + * Fixes bnc#983215 CVE-2012-6702 + * Fixes bnc#983216 CVE-2016-5300 + * Various cmake and autotools script updates + * Fix detection of utf8 character boundaries +- Remove all patches merged upstream: + * expat-2.1.1-avoid_relying_on_undef_behaviour.patch + * expat-2.1.1-parser_crashes_on_malformed_input.patch + * expat-alloc-size.patch + * expat-visibility.patch + +- add expat-2.1.1-avoid_relying_on_undef_behaviour.patch to avoid + relying on undefined behavior in the original CVE-2015-1283 fix + [bnc#980391], [bnc#983985], [CVE-2016-4472] +- add expat-2.1.1-parser_crashes_on_malformed_input.patch to fix + Expat XML parser that mishandles certain kinds of malformed input + documents [bnc#979441], [CVE-2016-0718] +- use spec-cleaner to clean specfile + +- After simplification of expat-visibility.patch, it became + uneffective as no symbols are getting hidden. add + - fvisibility=hidden to CFLAGS again. 
+- expat-alloc-size.patch: fix braino, realloc()-like functions + should not take __attribute__(malloc) + +- Update to version 2.1.1 + * Fixes CVE-2015-1283 — Multiple integer overflows in the + XML_GetBuffer function + * Fix potential null pointer dereference + * Symbol XML_SetHashSalt was not exported + * Output of xmlwf -h was incomplete + * Document behavior of calling XML_SetHashSalt with salt 0 + * Minor improvements to man page xmlwf(1) +- Simplify expat-visibility.patch, refresh expat-alloc-size.patch +- Drop config-guess-sub-update.patch, fixed upstream. + +- Cleanup spec file with spec-cleaner +- Remove old ppc obsoletes/provides + flac -- Fix out of bound write in append_to_verify_fifo_interleaved_ - (CVE-2021-0561 bsc#1196660): - libFlac-Exit-at-EOS-in-verify-mode.patch - -- Fix memory leak (CVE-2020-0487 bsc#1180112): - stream_decoder.c-Fix-a-memory-leak.patch - -- Fix out-of-bounds access (CVE-2020-0499 bsc#1180099): - libFLAC-bitreader.c-Fix-out-of-bounds-read.patch - -- Fix memory leak in read_metadata_vorbiscomment_() function - (CVE-2017-6888, bsc#1091045): - flac-CVE-2017-6888.patch - -- Update to version 1.3.2 - * Fix undefined behaviour using GCC/Clang UBSAN (erikd). - * General hardening via fuzz testing with AFL (erikd and - others). - * General code improvements (lvqcl, erikd and others). - * Add FLAC in MP4 specification docs (Ralph Giles). - * Fix some cppcheck warnings (erikd). - * Assume all currently used OSes support SSE2. - flac: - * Fix potential infinite loop on flac-to-flac conversion - (erikd). - * Add WAVEFORMATEXTENSIBLE to WAV (as needed) when - decoding (lvqcl). - * Only write vorbis-comments if they are non-empty. - * Error out if decoding RAW with bits != (8|16|24). - metaflac: - * Add --scan-replay-gain option. - libraries: - * CPU detection cleanup and fixes (Julian Calaby, erikd - and lvqcl). - * Fix two stream decoder bugs (Max Kellermann). - * Fix a NULL dereference bug (on a malformed file). 
- * Changed the LPC order guess for a slight compression - improvement, particularly for classical music - (Martijn van Beurden). - * Improved encoding speed on older Intel CPUs. - * Fixed a seeking bug when decoding certain files - (Miroslav Lichvar). - * Put an upper bound (32768) on the number of seek - points. - * Fix potential memory leaks. - * Support 64bit brword/bwword allowing - FLAC__BYTES_PER_WORD to be set to 8 (disabled by - default). - * Fix an out-of-bounds heap read. -- Refreshed flac-cflags.patch - -- Drop patch that should be upstreamed first, otherwise we will - have to keep it forever: - * flac-ocloexec.patch -- Drop wrong patch: - * flac-fix-pkgconfig.patch - + If using this change you get assert.h include overridden in your - project by the one from FLAC/ which is not what upstream desired - If packages fail to build they should fix their include - -- Build documentation as noarch - -- Cleanup spec file with spec-cleaner -- Update url -- Remove no longer needed patches - * flac-fix-CVE-2014-8962.patch - * flac-fix-CVE-2014-9028.patch - * 0001-getopt_long-not-broken-here.patch -- Remove following as benefit of using openssl is small - * 0001-Allow-use-of-openSSL.patch -- Add flac-cflags.patch -- Use doxygen to build documentation -- Split documentation to separate package -- Update to 1.3.1 - * Improved decoding efficiency of all bit depths but especially - so for 24 bits for IA32 architecture (lvqcl and Miroslav Lichvar). - * Faster encoding using SSE and AVX (lvqcl). - * Fixed bartlett, bartlett_hann and triangle functions. - * New apodization functions partial_tukey and punchout_tukey for - improved compression (Martijn van Beurden). - * Retuned compression presets to incorporate new apodization - functions (Martijn van Beurden). - * Fix -Wcast-align warnings on armhf architecture (Erik de - Castro Lopo). - * Help output documentation improvements. - * I/O buffering improvements on Windows to reduce disk - fragmentation when writing files.
- * Only write vorbis-comments if they are non-empty. - * Fix symbol visibility in XMMS plugin. - * Many fixes and improvements across all the build systems. - * Fix CVE-2014-9028 (heap write overflow) and CVE-2014-8962 - (heap read overflow) - -- A couple of security fixes: - * flac-fix-CVE-2014-8962.patch: - arbitrary code execution by a stack overflow (CVE-2014-8962, - bnc#906831) - * flac-fix-CVE-2014-9028.patch: - Heap overflow via specially crafted .flac files (CVE-2014-9028, - bnc#907016) - -- Update to final upstream release 1.3.0 - * No user-visible changes -- More robust make install call - freetype2 -- Add CVE-2020-15999.patch to fix a heap buffer overflow - found in the handling of embedded PNG bitmaps - CVE-2020-15999 bsc#1177914 - -- Use the compiler default C std, since 2012 gcc defaults - have changed, we now only need to get rid of ANSIFLAGS, override - that variable instead. - -- Update to version 2.10.1 - * The bytecode hinting of OpenType variation fonts was flawed, since - the data in the `CVAR' table wasn't correctly applied. - * Auto-hinter support for Mongolian. - * The handling of the default character in PCF fonts as introduced - in version 2.10.0 was partially broken, causing premature abortion - of charmap iteration for many fonts. - * If `FT_Set_Named_Instance' was called with the same arguments - twice in a row, the function returned an incorrect error code the - second time. - * Direct rendering using FT_RASTER_FLAG_DIRECT crashed (bug - introduced in version 2.10.0). - * Increased precision while computing OpenType font variation - instances. - * The flattening algorithm of cubic Bezier curves was slightly - changed to make it faster. This can cause very subtle rendering - changes, which aren't noticeable by the eye, however.
- * The auto-hinter now disables hinting if there are blue zones - defined for a `style' (i.e., a certain combination of a script and - its related typographic features) but the font doesn't contain any - characters needed to set up at least one blue zone. -- Add tarball signatures and freetype2.keyring - -- Update to version 2.10.0 - * A bunch of new functions has been added to access and process - COLR/CPAL data of OpenType fonts with color-layered glyphs. - * As a GSoC 2018 project, Nikhil Ramakrishnan completely - overhauled and modernized the API reference. - * The logic for computing the global ascender, descender, and - height of OpenType fonts has been slightly adjusted for - consistency. - * `TT_Set_MM_Blend' could fail if called repeatedly with the same - arguments. - * The precision of handling deltas in Variation Fonts has been - increased. The problem did only show up with multidimensional - designspaces. - * New function `FT_Library_SetLcdGeometry' to set up the geometry - of LCD subpixels. - * FreeType now uses the `defaultChar' property of PCF fonts to set - the glyph for the undefined character at glyph index 0 (as - FreeType already does for all other supported font formats). As - a consequence, the order of glyphs of a PCF font if accessed - with FreeType can be different now compared to previous - versions. - This change doesn't affect PCF font access with cmaps. - * `FT_Select_Charmap' has been changed to allow parameter value - `FT_ENCODING_NONE', which is valid for BDF, PCF, and Windows FNT - formats to access built-in cmaps that don't have a predefined - `FT_Encoding' value. - * A previously reserved field in the `FT_GlyphSlotRec' structure - now holds the glyph index. - * The usual round of fuzzer bug fixes to better reject malformed - fonts. - * `FT_Outline_New_Internal' and `FT_Outline_Done_Internal' have - been removed. These two functions were public by oversight only - and were never documented.
- * A new function `FT_Error_String' returns descriptions of error - codes if configuration macro FT_CONFIG_OPTION_ERROR_STRINGS is - defined. - * `FT_Set_MM_WeightVector' and `FT_Get_MM_WeightVector' are new - functions limited to Adobe MultiMaster fonts to directly set and - get the weight vector. - -- Remove old ppc64 parts in spec file -- Refresh patches: - + bugzilla-308961-cmex-workaround.patch - + don-t-mark-libpng-as-required-library.patch - + enable-long-family-names-by-default.patch -- Enable subpixel rendering with infinality config: - + enable-subpixel-rendering.patch - + enable-infinality-subpixel-hinting.patch - -- Re-enable freetype-config, there is just too many fallouts. - -- Update to version 2.9.1 - * Type 1 fonts containing flex features were not rendered - correctly (bug introduced in version 2.9). - * CVE-2018-6942: Older FreeType versions can crash with certain - malformed variation fonts. - * Bug fix: Multiple calls to `FT_Get_MM_Var' returned garbage. - * Emboldening of bitmaps didn't work correctly sometimes, showing - various artifacts (bug introduced in version 2.8.1). - * The auto-hinter script ranges have been updated for Unicode 11. - No support for new scripts have been added, however, with the - exception of Georgian Mtavruli. -- freetype-config is now deprecated by upstream and not enabled - by default. -- Drop upstreamed patches: - * bnc1079600.patch - * psaux-flex.patch - * 0001-src-truetype-ttinterp.c-Ins_GETVARIATION-Avoid-NULL-.patch - * 0001-truetype-Better-protection-against-invalid-VF-data.patch - -- Add bnc1079600.patch: Fix several integer overflow issues in - truetype/ttinterp.c (bsc#1079600) - -- Refresh spec-file via spec-cleaner. -- Add shell script freetype2.sh in separate package - freetype2-profile-tti35 in order to be able to set TrueType - interpreter version 35 (boo#1084085). 
- -- Added patch: - * enable-long-family-names-by-default.patch - + Define PCF_CONFIG_OPTION_LONG_FAMILY_NAMES to obtain 2.7.1 - behaviour - -- Added patches: - * 0001-src-truetype-ttinterp.c-Ins_GETVARIATION-Avoid-NULL-.patch - + Upstream fix for bsc#1079603: Avoid NULL reference in - src/truetype/ttinterp.c - * 0001-truetype-Better-protection-against-invalid-VF-data.patch - + Upstream fix for bsc#1079601: Protection against invalid VF - data - -- Add psaux-flex.patch to fix a regression in Type1 rendering - -- Update to version 2.9 - * Advance width values of variation fonts were often wrong. - * More fixes for variation font support; you should update to - this version if you want to support them. - * As a GSoC project, Ewald Hew extended the new (Adobe) CFF - engine to handle Type 1 fonts also, thus greatly improving - the rendering of this format. This is the new default. - * A new function, `FT_Set_Named_Instance', can be used to set - or change the current named instance. - * Starting with this FreeType version, resetting variation - coordinates will return to the currently selected named - instance. Previously, FreeType returned to the base font - (i.e., no instance set). - * Some fuzzer fixes to better reject malformed fonts. - -- Update to version 2.8.1 - * B/W hinting of TrueType fonts didn't work properly if - interpreter version 38 or 40 was selected. - * Some severe problems within the handling of TrueType Variation - Fonts were found and fixed. - * Function `FT_Set_Var_Design_Coordinates' didn't correctly handle - the case with less input coordinates than axes. - * By default, FreeType now offers high quality LCD-optimized - output without resorting to ClearType techniques of resolution - tripling and filtering. In this method, called Harmony, each - color channel is generated separately after shifting the glyph - outline, capitalizing on the fact that the color grids on LCD - panels are shifted by a third of a pixel. 
This output is - indistinguishable from ClearType with a light 3-tap filter. - * Using the new function `FT_Get_Var_Axis_Flags', an application - can access the `flags' field of a variation axis (introduced in - OpenType version 1.8.2) - * FreeType now synthesizes a missing Unicode cmap for (older) - TrueType fonts also if glyph names are available. - * The warping option has moved from `light' to `normal' hinting - where it replaces the original hinting algorithm. The `light' - mode is now always void of any hinting in x-direction. - -- Update to version 2.8 - * Support for OpenType Variation Fonts is now complete. The last - missing part was handling the `VVAR' and `MVAR' tables, which is - available with this release. - * A new function `FT_Face_Properties' allows the control of some - module and library properties per font. Currently, the - following properties can be handled: stem darkening, LCD filter - weights, and the random seed for the `random' CFF operator. - * The PCF change to show more `colourful' family names (introduced - in version 2.7.1) was too radical; it can now be configured with - PCF_CONFIG_OPTION_LONG_FAMILY_NAMES at compile time. If - activated, it can be switched off at run time with the new pcf - property `no-long-family-names'. If the `FREETYPE_PROPERTIES' - environment variable is available, you can say - FREETYPE_PROPERTIES=pcf:no-long-family-names=1 - * Support for the following scripts has been added to the - auto-hinter. - Adlam, Avestan, Bamum, Buhid, Carian, Chakma, Coptic, Cypriot, - Deseret, Glagolitic, Gothic, Kayah, Lisu, N'Ko, Ol Chiki, Old - Turkic, Osage, Osmanya, Saurashtra, Shavian, Sundanese, Tai - Viet, Tifinagh, Unified Canadian Syllabics, Vai - * `Light' auto-hinting mode no longer uses TrueType metrics for - TrueType fonts. This bug was introduced in version 2.4.6, - causing horizontal scaling also. 
Almost all GNU/Linux - distributions (with Fedora as a notable exception) disabled the - corresponding patch for good reasons; chances are thus high that - you won't notice a difference. - * If a TrueType font gets loaded with FT_LOAD_NO_HINTING, FreeType - now scales the font linearly again (bug introduced in version - 2.4.6). - * Fixed CVE-2017-8105, CVE-2017-8287: Older FreeType versions - have out-of-bounds writes caused by heap-based buffer overflows - related to Type 1 fonts. (boo#1035807, boo#1036457) -- See https://sourceforge.net/projects/freetype/files/freetype2/2.8/ for - the complete changelog. - -- Update to version 2.7.1: - * IMPORTANT CHANGES - + Support for the new CFF2 font format as introduced with - OpenType 1.8 has been contributed by Dave Arnolds from Adobe. - + Preliminary support for variation fonts as specified in - OpenType 1.8 (in addition to the already existing support for - Adobe's MM and Apple's GX formats). Dave Arnolds contributed - handling of advance width change variation; more will come in - the next version. - * IMPORTANT BUG FIXES - + Handling of raw CID fonts was partially broken (bug introduced - in 2.6.4). - * MISCELLANEOUS - + Some limits for TrueType bytecode execution have been tightened - to speed up FreeType's handling of malformed fonts, in - particular to quickly abort endless loops. - + The number of twilight points can no longer be set to an - arbitrarily large value. - + The total number of jump opcode instructions (like JMPR) with - negative arguments is dynamically restricted; the same holds - for the total number of iterations in LOOPCALL opcodes. - + The dynamic limits are based on the number of points in a glyph - and the number of CVT entries. Please report if you encounter a - font where the selected values are not adequate. - + PCF family names are made more `colourful'; they now include the - foundry and information whether they contain wide characters. 
- For example, you no longer get `Fixed' but rather `Sony Fixed' - or `Misc Fixed Wide'. - + A new function `FT_Get_Var_Blend_Coordinates' (with its alias - name `FT_Get_MM_Blend_Coordinates') to retrieve the normalized - blend coordinates of the currently selected variation instance - has been added to the Multiple Masters interface. - + A new function `FT_Get_Var_Design_Coordinates' to retrieve the - design coordinates of the currently selected variation instance - has been added to the Multiple Masters interface. - + A new load flag `FT_LOAD_BITMAP_METRICS_ONLY' to retrieve bitmap - information without loading the (embedded) bitmap itself. - + Retrieving advance widths from bitmap strikes (using - `FT_Get_Advance' and `FT_Get_Advances') have been sped up. - + The usual round of fuzzer fixes to better reject malformed - fonts. -- Drop freetype2-bitmap-foundry.patch, merged upstream. - -- update to version 2.7: - * IMPORTANT CHANGES - + As announced earlier, the 2.7.x series now uses the new subpixel - hinting mode as the default, emulating a modern version of - ClearType. - This change inevitably leads to different rendering results, and - you might change the `TT_CONFIG_OPTION_SUBPIXEL_HINTING' - configuration option to adapt it to your taste (or use the new - `FREETYPE_PROPERTIES' environment variable). See the - corresponding entry below for version 2.6.4, which gives more - information. - + A new option `FT_CONFIG_OPTION_ENVIRONMENT_PROPERTIES' has been - introduced. If set (which is the default), an environment - variable `FREETYPE_PROPERTIES' can be used to control driver - properties. Example: - FREETYPE_PROPERTIES=truetype:interpreter-version=35 \ - cff:no-stem-darkening=1 \ - autofitter:warping=1 - This allows to select, say, the subpixel hinting mode at runtime - for a given application. See file `ftoption.h' for more. 
- * IMPORTANT BUG FIXES - + After loading a named instance of a GX variation font, the - `face_index' value in the returned `FT_Face' structure now - correctly holds the named instance index in the upper 16bits as - documented. - * MISCELLANEOUS - + A new macro `FT_IS_NAMED_INSTANCE' to test whether a given face - is a named instance. - + More fixes to GX font handling. - + Apple's `GETVARIATION' bytecode operator (needed for GX - variation font support) has been implemented. - + Another round of fuzzer fixes, mainly to reject invalid fonts - faster. - + Handling of raw CID fonts was broken (bug introduced in version - 2.6.4). - + The smooth rasterizer has been streamlined to make it faster by - approx. 20%. - + The `ftgrid' demo program now understands command line option - `-d' to give start-up design coordinates. - + The `ftdump' demo program has a new command line option `-p' to - dump TrueType bytecode instructions. -- removed freetype2-subpixel.patch in favor of above - FREETYPE_PROPERTIES environment variable - -- Update to version 2.6.5: - + Compilation works again on Mac OS X (bug introduced in version - 2.6.4). - + The new subpixel hinting mode is now disabled by default; it - will be enabled by default in the forthcoming 2.7.x series. - Main reason for reverting this feature is the principle of least - surprise: a sudden change in appearance of all fonts (even if - the rendering improves for almost all recent fonts) should not - be expected in a new micro version of a series. -- Rebase freetype2-subpixel.patch. - -- Update to version 2.6.4: - * A new subpixel hinting mode, which is now the default rendering - mode for TrueType fonts. It implements (almost everything of) - version 40 of the bytecode engine. The existing code base in - FreeType (the `Infinality code') was stripped to the bare - minimum and all configurability removed in the name of speed - and simplicity.
The configurability was mainly aimed at legacy - fonts like Arial, Times New Roman, or Courier. [Legacy fonts - are fonts that modify vertical stems to achieve clean - black-and-white bitmaps.] The new mode focuses on applying a - minimal set of rules to all fonts indiscriminately so that - modern and web fonts render well while legacy fonts render - okay. Activation of the subpixel hinting support can be - controlled with the `TT_CONFIG_OPTION_SUBPIXEL_HINTING' - configuration option at compile time: If set to value 1, you - get the old Infinality mode (which was never the default due to - its slowness). Value 2 activates the new subpixel hinting mode, - and value 3 activates both. The default is value 2. At run - time, you can select the subpixel hinting mode with the - `interpreter-version' property (provided you have compiled in - the corresponding hinting mode); see `ftttdrv.h' for more. - * Support for the following scripts has been added to the - auto-hinter: Armenian, Cherokee, Ethiopic, Georgian, Gujarati, - Gurmukhi, Malayalam, Sinhala, Tamil. -- Rebase freetype2-subpixel.patch. - -- Update to version 2.6.3 - * IMPORTANT CHANGES - - Khmer, Myanmar, Bengali, and Kannada script support has been - added to the auto-hinter. - * MISCELLANEOUS - - Better support of Indic scripts like Devanagari by using a - top-to-bottom hinting flow. - - All FreeType macros starting with two underscores have been - renamed to avoid a violation of both the C and C++ standards. - Example: Header macros of the form `__FOO_H__' are now called - `FOO_H_'. In most cases, this should be completely transparent - to the user. The exception to this is `__FTERRORS_H__', which - must be sometimes undefined by the user to get FreeType error - strings: Both this form and the new `FTERRORS_H_' macro are - accepted for backwards compatibility. - - Minor improvements mainly to the Type 1 driver. - - The new CFF engine now supports all Type 2 operators except - `random'. 
- - The macro `_STANDALONE_', used for compiling the B/W and smooth - rasterizers as stand-alone modules, has been renamed to - `STANDALONE_', since macro names starting with an underscore and - followed by an uppercase letter are reserved in both C and C++. - - Function `FT_Library_SetLcdFilterWeights' now also activates - custom LCD filter weights (instead of just adjusting them). - - Support for `unpatented hinting' has been completely removed: - Consequently, the two functions `FT_Face_CheckTrueTypePatents' - and `FT_Face_SetUnpatentedHinting' now return always false, - doing nothing. - -- Update to version 2.6.2 - * IMPORTANT CHANGES - - The auto-hinter now supports stem darkening, to be controlled by - the new `no-stem-darkening' and `darkening-parameters' - properties. This is an experimental feature contributed by - Nikolaus Waxweiler, and the interface might change in a future - release. - - By default, stem darkening is now switched off (for both the CFF - engine and the auto-hinter). The main reason is that you need - linear alpha blending and gamma correction to get correct - rendering results, and the latter is not yet available in most - freely available rendering stacks like X11. Applying stem - darkening without proper gamma correction leads to far too dark - rendering results. - - The meaning of `FT_RENDER_MODE_LIGHT' has been slightly - modified. It now essentially means `no hinting along the - horizontal axis'; in particular, no change of glyph advance - widths. Consequently, the auto-hinter is used for all scalable - font formats except for CFF. It is planned that other - font-specific rendering engines (TrueType, Type 1) will follow. - * MISCELLANEOUS - - The default LCD filter has been changed to be normalized and - color-balanced. - - For better compatibility with FontConfig, function - `FT_Library_SetLcdFilter' accepts a new enumeration value - `FT_LCD_FILTER_LEGACY1' (which has the same meaning as - `FT_LCD_FILTER_LEGACY'). 
- - A large number of bugs have been detected by using the libFuzzer - framework, which should further improve handling of invalid - fonts. Thanks again to Kostya Serebryany and Bungeman! - - `TT_CONFIG_OPTION_MAX_RUNNABLE_OPCODES', a new configuration - option, controls the maximum number of executed opcodes within a - bytecode program. You don't want to change this except for very - special situations (e.g., making a library fuzzer spend less - time to handle broken fonts). - - The smooth renderer has been made faster. - -- Update to version 2.6.1 - * IMPORTANT BUG FIXES - - It turned out that for CFFs only the advance widths should be - taken from the `htmx' table, not the side bearings. This bug, - introduced in version 2.6.0, makes it necessary to upgrade if - you are using CFFs; otherwise, you get cropped glyphs with GUI - interfaces like GTK or Qt. - - Accessing Type 42 fonts returned incorrect results if the glyph - order of the embedded TrueType font differs from the glyph order - of the Type 42 charstrings table. - * IMPORTANT CHANGES - - The header file layout has been changed (again), moving all - header files except `ft2build.h' into a subdirectory tree. - Doing so reduces the possibility of header file name clashes - (e.g., FTGL's `FTGlyph.h' with FreeType's `ftglyph.h') on case - insensitive file systems like Mac OS X or Windows. - Applications that use (a) the `freetype-config' script or - FreeType's `freetype2.pc' file for pkg-config to get the include - directory for the compiler, and (b) the documented way for - header inclusion like - [#]include - [#]include FT_FREETYPE_H - ... - don't need any change to the source code. - - Simple access to named instances in GX variation fonts is now - available (in addition to the previous method via FreeType's MM - interface). 
In the `FT_Face' structure, bits 16-30 of the - `face_index' field hold the current named instance index for the - given face index, and bits 16-30 of `style_flags' contain the - number of instances for the given face index. `FT_Open_Face' - and friends also understand the extended bits of the face index - parameter. - You need to enable TT_CONFIG_OPTION_GX_VAR_SUPPORT for this new - feature. Otherwise, bits 16-30 of the two fields are zero (or - are ignored). - - Lao script support has been added to the auto-hinter. - * MISCELLANEOUS - - The auto-hinter's Arabic script support has been enhanced. - - Superscript-like and subscript-like glyphs as used by various - phonetic alphabets like the IPA are now better supported by the - auto-hinter. - - The TrueType bytecode interpreter now runs slightly faster. - - Improved support for builds with cmake. - - The function `FT_CeilFix' now always rounds towards plus - infinity. - - The function `FT_FloorFix' now always rounds towards minus - infinity. - - A new load flag `FT_LOAD_COMPUTE_METRICS' has been added; it - makes FreeType ignore pre-computed metrics, as needed by font - validating or font editing programs. Right now, only the - TrueType module supports it to ignore data from the `hdmx' - table. - - Another round of bug fixes to better handle broken fonts, found - by Kostya Serebryany . -- Dropping upstreamed patch Dont-use-hmtx-table-for-LSB.patch. - -- Add Dont-use-hmtx-table-for-LSB.patch: Fixes gnu#45520, cut off - fonts in gtk and qt. Taken from upstream git. - -- Update to version 2.6 - * Thread safety improvements - * Thai script support has been added to the auto-hinter. - * Arabic script support has been added to the auto-hinter. - * Following OpenType version 1.7, advance widths and side bearing - values in CFFs (wrapped in an SFNT structure) are now always - taken from the `hmtx' table. 
- * Following OpenType version 1.7, the PostScript font name of a - CFF font (wrapped in an SFNT structure) is now always taken from - the `name' table. This is also true for OpenType Collections - (i.e., TTCs using CFFs subfonts instead of TTFs), where it may - have a significant difference. - * Fonts natively hinted for ClearType are now supported, properly - handling selector index 3 of the INSTCTRL bytecode instruction. - * Major improvements to the GX TrueType variation font handling. - -- Merge with the version 2.5.5 from openSUSE:Factory -- Removed patches: - * CVE-2014-9656.patch - * CVE-2014-9657.patch - * CVE-2014-9658.patch - * CVE-2014-9659.patch - * CVE-2014-9660.patch - * CVE-2014-9661.patch - * CVE-2014-9662.patch - * CVE-2014-9663.patch - * CVE-2014-9664.patch - * CVE-2014-9665.patch - * CVE-2014-9666.patch - * CVE-2014-9667.patch - * CVE-2014-9668.patch - * CVE-2014-9669.patch - * CVE-2014-9670.patch - * CVE-2014-9671.patch - * CVE-2014-9672.patch - * CVE-2014-9673.patch - * CVE-2014-9674.patch - * CVE-2014-9675.patch - - Integrated in the 2.5.5 release -- Modified patches: - * don-t-mark-libpng-as-required-library.patch - * bugzilla-308961-cmex-workaround.patch - * freetype2-subpixel.patch - * freetype2-bitmap-foundry.patch - * overflow.patch - - Adapt to the new version of sources - -- Modified patch: - * CVE-2014-9671.patch - - Adapt the code to correspond to the current git master of - freetype2 (fixes bsc#933247) - -- Enable the bz2 compression in freetype2 -- Remove patch overflow.patch from freetype2.spec where it is not - applied. -- Run spec-cleaner on the spec file. 
- -- fixed vulnerabilities (bnc#916847, bnc#916856, bnc#916857, - bnc#916858, bnc#916859, bnc#916860, bnc#916861, bnc#916862, - bnc#916863, bnc#916864, bnc#916865, bnc#916867, bnc#916868, - bnc#916870, bnc#916871, bnc#916872, bnc#916873, bnc#916874, - bnc#916879, bnc#916881) - - CVE-2014-9656.patch - - CVE-2014-9657.patch - - CVE-2014-9658.patch - - CVE-2014-9659.patch - - CVE-2014-9660.patch - - CVE-2014-9661.patch - - CVE-2014-9662.patch - - CVE-2014-9663.patch - - CVE-2014-9664.patch - - CVE-2014-9665.patch - - CVE-2014-9666.patch - - CVE-2014-9667.patch - - CVE-2014-9668.patch - - CVE-2014-9669.patch - - CVE-2014-9670.patch - - CVE-2014-9671.patch - - CVE-2014-9672.patch - - CVE-2014-9673.patch - - CVE-2014-9674.patch - - CVE-2014-9675.patch - -- Update to version 2.5.5 - * IMPORTANT BUG FIXES - - Handling of uncompressed PCF files works again (bug - introduced in version 2.5.4). -- Drop freetype2-2.5.3-fix-pcf.patch, merged upstream - -- Update to version 2.5.4 - * IMPORTANT BUG FIXES - - A variant of vulnerability CVE-2014-2240 was identified - (cf. http://savannah.nongnu.org/bugs/?43661) and fixed - in the new CFF driver. All users should upgrade. - - The new auto-hinter code using HarfBuzz crashed for some - invalid fonts. - - Many fixes to better protect against malformed input. - * IMPORTANT CHANGES - - Full auto-hinter support of the Devanagari script. - - Experimental auto-hinter support of the Telugu script. - - CFF stem darkening behaviour can now be controlled at - build time using the eight macros - CFF_CONFIG_OPTION_DARKENING_PARAMETER_{X,Y}{1,2,3,4} . - - Some fields in the `FT_Bitmap' structure have been changed - from signed to unsigned type, which better reflects - the actual usage. It is also an additional means to - protect against malformed input. This change doesn't break - the ABI; however, it might cause compiler warnings. - * MISCELLANEOUS - - Improvements to the auto-hinter's algorithm to recognize - stems and local extrema. 
- - Function `FT_Get_SubGlyph_Info' always returned an error - even in case of success. - - Version 2.5.1 introduced major bugs in the cjk part of - the auto-hinter, which are now fixed. - - The `FT_Sfnt_Tag' enumeration values have been changed to - uppercase, e.g. `FT_SFNT_HEAD'. The lowercase variants - are deprecated. This is for orthogonality with all other - enumeration (and enumeration-like) values in FreeType. - - `cmake' now supports builds of FreeType as an OS X framework - and for iOS. - - Improved project files for vc2010, - introducing a property file - - The documentation generator for the API reference has been - updated to produce better HTML code (with proper CSS). - At the same time, the documentation got a better structure. - - The FT_LOAD_BITMAP_CROP flag is obsolete; it is not used - by any driver. - - The TrueType DELTAP[123] bytecode instructions now work in - subpixel hinting mode as described in the ClearType - whitepaper (i.e., for touched points in the - non-subpixel direction). - - Many small improvements to the internal arithmetic routines. -- Rebase don-t-mark-libpng-as-required-library.patch, - bugzilla-308961-cmex-workaround.patch, freetype2-subpixel.patch, - freetype2-bitmap-foundry.patch and overflow.patch -- Add freetype2-2.5.3-fix-pcf.patch from upstream to resolve - http://savannah.nongnu.org/bugs/?43774, "Freetype 2.5.4 does not - load ungzipped PCF fonts" - keyutils -- Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654) - -- adjust the library license to be LGPL-2.1+ only (the tools are GPL2+, - the library is just LGPL-2.1+) (bsc#1180603) - -- update to 1.6.3: - * Revert the change notifications that were using /dev/watch_queue. - * Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE). - * Allow "keyctl supports" to retrieve raw capability data. - * Allow "keyctl id" to turn a symbolic key ID into a numeric ID. - * Allow "keyctl new_session" to name the keyring. - * Allow "keyctl add/padd/etc."
to take hex-encoded data. - * Add "keyctl watch*" to expose kernel change notifications on keys. - * Add caps for namespacing and notifications. - * Set a default TTL on keys that upcall for name resolution. - * Explicitly clear memory after it's held sensitive information. - * Various manual page fixes. - * Fix C++-related errors. - * Add support for keyctl_move(). - * Add support for keyctl_capabilities(). - * Make key=val list optional for various public-key ops. - * Fix system call signature for KEYCTL_PKEY_QUERY. - * Fix 'keyctl pkey_query' argument passing. - * Use keyctl_read_alloc() in dump_key_tree_aux(). - * Various manual page fixes. -- spec-cleaner run (fixup failing homepage url) - -- prepare usrmerge (boo#1029961) - -- updated to 1.6 - - Apply various specfile cleanups from Fedora. - - request-key: Provide a command line option to suppress helper execution. - - request-key: Find least-wildcard match rather than first match. - - Remove the dependency on MIT Kerberos. - - Fix some error messages - - keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes. - - Fix doc and comment typos. - - Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20). - - Add pkg-config support for finding libkeyutils. -- upstream isn't offering PGP signatures for the source tarballs anymore - -- Replace krb5-devel BuildRequires with pkgconfig(krb5): Allow OBS - to shortcut the ring0 bootstrap cycle by also using krb5-mini. - -- add upstream signing key and verify source signature - -- updated to 1.5.11 (bsc#1113013) - - Add keyring restriction support. - - Add KDF support to the Diffie-Hellman function. - - DNS: Add support for AFS config files and SRV records - -- Use %license (boo#1082318) - -- add keyutils-devel for baselibs, to allow biarch LTP builds.
- (bsc#1061591) - -- updated to 1.5.10 - - added "dh_compute" callback - - manpage improvements - -- move binaries from /bin to /usr/bin (bsc#1029969) -- keyutils-usr-move.patch: also adjust the request-key.conf file - -- keyutils-nodate.patch: avoid including the timestamp. bsc#916180 - libidn2 -- The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, - match factory licenses (bsc#1180138) - -- Update to version 2.2.0 CVE-2019-12290 bsc#1154884: - * Perform A-Label roundtrip for lookup functions by default - * Stricter check of input to punycode decoder - * Fix punycode decoding with no ASCII chars but given delimiter - * Fix 'idn2 --no-tr64' (was a no-op) - * Allow _ as a basic code point in domain labels - * Fail building documentation if 'ronn' isn't installed - * git tag changed to reflect https://semver.org/ - -- update to 2.1.1 CVE-2019-18224 bsc#1154887: - * Revert SONAME bump from release 2.1.0 - * Fix NULL dereference in idn2_register_u8() and - idn2_register_ul() - * Fix free of random value in idn2_to_ascii_4i() - * Improved fuzzer (which found the above issues) - * Check for valid unicode input in punycode encoder - * Avoid excessive CPU usage in punycode encoding with - large inputs - * Deprecate idn2_to_ascii_4i() in favor of idn2_to_ascii_4i2() - * Restrict output length of idn2_to_ascii_4i() to 63 bytes - -- update to 2.1.0: - * Two internal functions are no longer exposed, soname bump - * Fix label length check for idn2_register_u8() - * Add missing error messages to idn2_strerror_name() - -- update to 2.0.5: - * Switch the default library behavior to IDNA2008 as amended by - TR#46 (non-transitional). That default behavior is enabled when - no flags are specified to function calls. Applications can - utilize the %IDN2_NO_TR46 flag to switch to the unamended - IDNA2008. 
This is done in the interest of interoperability - based on the fact that this is what application writers care - about rather than strict compliance with a particular protocol - * Fixed memory leak in idn2_to_unicode_8zlz() - * Return error (IDN2_ICONV_FAIL) on charset conversion errors - * Fixed issue with STD3 rules applying in non-transitional TR46 - mode - * idn2: added option --usestd3asciirules -- put translations into libidn2-lang -- correct location of install_info_prereq macro to be on tools - -- update to 2.0.4: - * Fix integer overflow in bidi.c/_isBidi() bsc#1056451 - * Fix integer overflow in puny_decode.c/decode_digit() - bsc#1056450 - * Fix idna_free() to idn_free() -- enable documentation again - -- update to 2.0.3: - * %IDN2_USE_STD3_ASCII_RULES disabled by default. - Previously libidn2 was eliminating non-STD3 characters from - domain strings such as _443._tcp.example.com, or IPs such as - 1.2.3.4/24 provided to libidn2 functions. That was an - unexpected regression for applications switching from libidn - and thus it is no longer applied by default. - Use %IDN2_USE_STD3_ASCII_RULES to enable that behavior again. 
-- disable documentation, does not build correctly - -- update to 2.0.2: - * Fix TR46 transitional mode - * Fix several documentation issues - -- Sources updated from http://alpha.gnu.org to https://ftp.gnu.org - -- Update to version 2.0.1 -- Version 2.0.1 (released 2017-04-22) - * idn2 utility now using IDNA2008 + TR46 by default -- Version 2.0.0 (released 2017-03-29) [alpha] - * Version numbering scheme changed - * Added to ASCII conversion functions corresponding to libidn1 - functions: - - idn2_to_ascii_4i - idn2_to_ascii_4z - - idn2_to_ascii_8z - idn2_to_ascii_lz - * Added to unicode conversion functions corresponding to libidn1 - functions: - - idn2_to_unicode_8z4z - idn2_to_unicode_4z4z - - idn2_to_unicode_44i - idn2_to_unicode_8z8z - - idn2_to_unicode_8zlz - idn2_to_unicode_lzlz - * Including idn2.h will provide libidn1 compatibility functions - unless IDN2_SKIP_LIBIDN_COMPAT is defined. That allows converting - applications from libidn1 (which offers IDNA2003) to libidn2 (which - offers IDNA2008) by replacing idna.h to idn2.h in the applications' - source. -- Dropped patch not needed after revision - * libidn2-no-examples-build.patch - -- Update to version 0.16 - * build: Fix idn2_cmd.h build rule. - * API and ABI is backwards compatible with the previous version. -- Update to version 0.15 (released 2017-01-14) - * Fix out-of-bounds read. - * Fix NFC input conversion (regression). - * Shrink TR46 static mapping data. - * API and ABI is backwards compatible with the previous version. -- Update to version 0.14 (released 2016-12-30) - * build: Fix gentr46map build. - * API and ABI is backwards compatible with the previous version. -- Update to version 0.13: - * build: Doesn't download external files during build. - * doc: Clarify license. - * build: Generate ChangeLog file properly. - * doc: API documentation related to TR46 flags. - * API and ABI is backwards compatible with the previous version. -- Update to version 0.12: - * Builds/links with libunistring. 
- * Fix two possible crashes with unchecked NULL pointers. - * Memleak fix. - * Binary search for codepoints in tables. - * Do not taint output variable on error in idn2_register_u8(). - * Do not taint output variable on error in idn2_lookup_u8(). - * Update to Unicode 6.3.0 IDNA tables. - * Add TR46 / UTS#46 support to API and idn2 utility. - * Add NFC quick check. - * Add make target 'check-coverage' for test coverage report. - * Add tests to increase test code coverage. - * API and ABI is backwards compatible with the previous version. - -- update to 0.11: - * Fix stack underflow in 'idn2' command line tool. [boo#1014473] - * Fix gdoc script to fix texinfo syntax error. - * API and ABI is backwards compatible with the previous version. - -- Convert to libidn2 package started to being used, namely by curl -- Alternative implementation based on new specification from 2008 - + completely different codebase with no ties to libidn - -- libidn 1.33: - * bnc#990189 CVE-2015-8948 CVE-2016-6262 - * bnc#990190 CVE-2016-6261 - * bnc#990191 CVE-2016-6263 - * libidn: Fix out-of-bounds stack read in idna_to_ascii_4i. - * idn: Solve out-of-bounds-read when reading one zero byte as input. - * libidn: stringprep_utf8_nfkc_normalize reject invalid UTF-8. - -- Update to 1.32 - * libidn: Fix crash in idna_to_unicode_8z8z and - idna_to_unicode_8zlz. This problem was introduced in 1.31. - * API and ABI is backwards compatible with the previous version. -- Update gpg keyring - -- Add Apache-2.0 license to the license line. Under this is the - java code, but we don't build it -> just the sources license - -- Version bump to 1.31: - * Fixes bnc#923241 CVE-2015-2059 out-of-bounds read with stringprep on - invalid UTF-8 - * Few other triv changes - -- Version bump to 1.30: - * punycode.{c,h} files were reimported -- Cleanup with spec-cleaner - -- update version 1.29: - * libidn: Mark internal variable "g_utf8_skip" as static. 
- * idn: Flush stdout to simplify for tools that buffer too heavily. - * i18n: Added Brazilian Portuguese translation. - * Update gnulib files. - * API and ABI is backwards compatible with the previous version. - libsndfile -- Fix heap buffer overflow in flac_buffer_copy (CVE-2021-4156, - bsc#1194006): - libsndfile-CVE-2021-4156.patch - -- Fix heap buffer overflow vulnerability in msadpcm_decode_block - (CVE-2021-3246, bsc#1188540): - ms_adpcm-Fix-and-extend-size-checks.patch - -- Fix segfault in wav conversion due to the invalid loop count - (CVE-2018-19758, bsc#1117954): - libsndfile-wav-loop-count-fix.patch - -- Fix buffer overflow in sndfile-deinterleave, which isn't really a - security issue (bsc#1100167, CVE-2018-13139, bsc#1116993, - CVE-2018-19432): - sndfile-deinterlace-channels-check.patch - -- Use license file tag - -- Fix potential overflow in d2alaw_array() (CVE-2017-17456, - bsc#1071777): - libsndfile-CVE-2017-17456-alaw-range-check.patch -- Fix potential overflow in d2ulaw_array() (CVE-2017-17457, - bsc#1071767): - libsndfile-CVE-2017-17457-ulaw-range-check.patch - -- Fix VUL-0: divide-by-zero error exists in the function - double64_init() in double64.c (CVE-2017-14634, bsc#1059911): - 0030-double64_init-Check-psf-sf.channels-against-upper-bo.patch -- Tentative fix for VUL-0: out of bounds read in the function - d2alaw_array() in alaw.c (CVE-2017-14245, bsc#1059912) and - VUL-0: out of bounds read in the function d2ulaw_array() in - ulaw.c (CVE-2017-14246, bsc#1059913): - 0031-sfe_copy_data_fp-check-value-of-max-variable.patch - -- Fix Heap-based Buffer Overflow in the psf_binheader_writef - (CVE-2017-12562, bsc#1052476): - 0020-src-common.c-Fix-heap-buffer-overflows-when-writing-.patch - -- Fix out-of-bounds read memory access in the aiff_read_chanmap() - (CVE-2017-6892, bsc#1043978): - 0010-src-aiff.c-Fix-a-buffer-read-overflow.patch - -- Fix FLAC buffer overflows (CVE-2017-8361 CVE-2017-8363 - CVE-2017-8365 CVE-2017-8362 bsc#1036944 bsc#1036945 
bsc#1036946 - bsc#1036943): - 0001-FLAC-Fix-a-buffer-read-overrun.patch - 0002-src-flac.c-Fix-a-buffer-read-overflow.patch - -- Update to version 1.0.27: - * Fix a seek regression in 1.0.26 - * Add metadata read/write for CAF and RF64 - * FIx PAF endian-ness issue -- Update to version 1.0.28 - * Fix buffer overruns in FLAC and ID3 handling code - (CVE-2017-7585, CVE-2017-7586, bsc#1033054, bsc#1033053) - * Reduce default header memory requirements - * Fix detection of Large File Support for 32 bit systems. -- Obsoleted patch: - libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch - -- Fix spec file to enable builds on non opensuse OS - -- Update to version 1.0.26: - * Fix for CVE-2014-9496, CVE-2014-9756 and CVE-2015-7805. - * Add ALAC/CAF support. Minor bug fixes and improvements. -- Refreshed patches: - sndfile-ocloexec.patch - libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch -- Removed obsoleted patches: - libsndfile-example-fix.diff - libsndfile-fix-header-read-CVE-2015-7805.patch - libsndfile-paf-zero-division-fix.diff - libsndfile-src-common.c-Fix-a-header-parsing-bug.patch - libsndfile-src-file_io.c-Prevent-potential-divide-by-zero.patch - sndfile-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch - sndfile-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch - -- VUL-0: libsndfile 1.0.25 heap overflow (CVE-2015-7805, bsc#953516) - libsndfile-src-common.c-Fix-a-header-parsing-bug.patch - libsndfile-fix-header-read-CVE-2015-7805.patch -- VUL-0: libsndfile 1.0.25 heap overflow (CVE-2015-8075, bsc#953519) - libsndfile-psf_strlcpy_crlf-fix-CVE-2015-8075.patch -- Fix the build with SLE11-SP3 due to AM_SILENT_RULE macro - -- VUL-1: libsndfile DoS/divide-by-zero (CVE-2014-9756, bsc#953521): - libsndfile-src-file_io.c-Prevent-potential-divide-by-zero.patch - -- Cleanup spec file with spec-cleaner -- Add gpg signature -- Remove old ppc provides/obsoletes - -- VUL-0: two buffer read overflows in sd2_parse_rsrc_fork() - (CVE-2014-9496, bnc#911796): backported 
upstream fix patches - sndfile-src-sd2.c-Fix-segfault-in-SD2-RSRC-parser.patch - sndfile-src-sd2.c-Fix-two-potential-buffer-read-overflows.patch - libtirpc -- check for nullpointer in check_address (bsc#1198176) - update 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch - -- add option to enforce connection via protocol version 2 first - (bsc#1196647) - add 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch - -- Update to libtirpc 1.2.6 - - Drop patches all patches backported from this release - (0001-Add-authdes_seccreate-stub.patch, - 0001-Avoid-multiple-definiton-with-gcc-fno-common.patch) - -- Backport upstream fix daed7ee ("Avoid multiple-definiton with gcc -fno-common") - to fix build error with gcc flag -fno-common (bsc#1160875). - Tested on gcc-9 and gcc-10. - 0001-Avoid-multiple-definiton-with-gcc-fno-common.patch - -- Skip unneeded autogen.sh run (configure is up-to-date), drop - dependencies: libtool, autoconf -- Replace krb5-mini-devel/krb5-devel with pkgconfig(krb5) - -- Update to libtirpc 1.2.5 - - A number resource leaks and other issues were fix which were identified - by a Coverity Scan. - - The AUTH_DES authentication has been deprecated. If any of those routines - are called, they will fail immediately. 
- - numerous bug fixes -- Package changes: - - Build without AUTH_DES authentication - - Add patch from next release 0001-Add-authdes_seccreate-stub.patch - (a86b4ff Add authdes_seccreate() stub) - - Drop rc patches (libtirpc-1-1-5-rc1.patch, libtirpc-1-1-5-rc2.patch) - - Drop patches all patches backported from this release - (0001-Makefile.am-Use-LIBADD-instead-of-LDFLAGS-to-link-ag.patch, - 0002-man-rpc_secure.3t-Fix-typo-in-manpage.patch, - 0003-xdr-add-a-defensive-mask-in-xdr_int64_t-and-xdr_u_in.patch) - -- Fix previous version: - - actually delete - 0001-xdrstdio_create-buffers-do-not-output-encoded-values.patch - - use 0001-Makefile.am-Use-LIBADD-instead-of-LDFLAGS-to-link-ag.patch - - use 0002-man-rpc_secure.3t-Fix-typo-in-manpage.patch (renamed from - 0003-man-rpc_secure.3t-Fix-typo-in-manpage.patch) - - use 0003-xdr-add-a-defensive-mask-in-xdr_int64_t-and-xdr_u_in.patch - (renamed from - 0004-xdr-add-a-defensive-mask-in-xdr_int64_t-and-xdr_u_in.patch) - -- Updated to libtirpc 1.1.5 rc2 (this includes changes in 1.1.4 release) - - add libtirpc-1-1-5-rc1.patch and libtirpc-1-1-5-rc2.patch to reflect - upstream changes after 1.1.4 release - - remove /etc/bindresvport.blacklist as it's still supported by glibc - although it's not compiled with --enable-obsolete-rpc -- Drop patches accepted in previous releases or not needed - - 000-bindresvport_blacklist.patch (accepted in 5b037cc9, libtirpc 1.1.4) - - 001-new-rpcbindsock-path.patch (not needed, rpcbind now uses /var/run directory) - - 002-revert-binddynport.patch (fixed in 2802259, libtirpc-1-0-4-rc1) - - 0001-Fix-regression-introduced-by-change-rpc-version-orde.patch - (backport of 25d38d7, libtirpc-1-0-4-rc1) - - 0001-xdrstdio_create-buffers-do-not-output-encoded-values.patch - (backport of 145272c, libtirpc-1-0-4-rc2) -- Add fixes from upcomming release - - 0001-Makefile.am-Use-LIBADD-instead-of-LDFLAGS-to-link-ag.patch - - 0003-man-rpc_secure.3t-Fix-typo-in-manpage.patch - - 
0004-xdr-add-a-defensive-mask-in-xdr_int64_t-and-xdr_u_in.patch - -- Fix SLES 15 - yp_bind_client_create_v3: RPC: Unknown host (bsc#1126096). - - Add upstream patch - 0001-xdrstdio_create-buffers-do-not-output-encoded-values.patch - -- fix socket leak introduced by change-rpc-protocol-version-order patch - (bsc#1087925) - - add 0001-Fix-regression-introduced-by-change-rpc-version-orde.patch - -- Revert binddynport changes as they break backward compatibility - [brc#1562169]. - - add 002-revert-binddynport.patch - -- Remove ineffective --with-pic. - -- Update to libtirpc 1.0.3 - - clnt_dg_call: Fix a buffer overflow (CVE-2016-4429) - - Avoid choosing reserved ports in legacy RPC APIs - - rpcinfo: change order of version to be tried to 4, 3, 2 - - includes 003-rpc-types.patch - - includes 004-replace-bzero-with-memset.patch - - includes 005-missing-includes.patch - - includes 011-Fix-typo-in-src-libtirpc.map-which-prevents-that-key.patch - - includes decls.patch -- Drop COPYING.GPLv2, GPLv2 code was removed from library - -- Adjust include directory [bsc#1083902] - -- Use %license (boo#1082318) - -- Move /usr/include/tirpc to /usr/include - -- Add COPYING.GPLv2 and install Licenses for GPLv2 code. - -- 005-missing-includes.patch: add missing includes to make headers - compatible to sunrpc. 
- -- Update to version 1.0.2 - - 002-old-automake.patch: not needed anymore - - 005-libtirpc-1.0.2-rc1.patch: dropped - - 006-Remove-old-meanwhile-wrong-comment-about-FD_SETSIZE-.patch: - removed, merged upstream - - 007-Change-rtime-function-to-use-poll-instead-of-select.patch: - removed, merged upstream - - 008-Add-parameters-to-local-prototypes-to-fix-compiler-w.patch: - removed, merged upstream - - 009-makefd_xprt-checks-that-the-filedesriptor-is-lower-t.patch: - removed, merged upstream - - 010-The-goto-again-statement-was-an-left-over-from-the-p.patch: - removed, merged upstream - - 012-libtirpc-needs-rpcsvc-nis.h-for-compiling-but-does-n.patch: - removed, merged upstream - - 013-If-we-don-t-compile-in-YP-support-don-t-include-YP-h.patch: - removed, merged upstream - - 014-Add-des_crypt.c-and-des_impl.c-to-become-independent.patch: - removed, merged upstream - - 015-Fix-includes-to-compile-without-deprecated-glibc-fun.patch: - removed, merged upstream - - patch6_7.diff: obsolete - - Replace explicit_bzero.patch with - 004-replace-bzero-with-memset.patch from git - - Rename libtirpc-new-path-rpcbindsock.patch to - 001-new-rpcbindsock-path.patch - -- 003-rpc-types.patch: Add some typedefs to rpc/types.h to allow - applications be compiled with -std=iso9899:1990 - -- Rectify RPM groups and summaries, - and update old macro/variable constructs. - -- decls.patch: fix missing declarations -- explicit_bzero.patch: use explicit_bzero if available - -- Add some patches to get libtirpc compiled without needing glibc - deprecated functions: - - 015-Fix-includes-to-compile-without-deprecated-glibc-fun.patch - - 014-Add-des_crypt.c-and-des_impl.c-to-become-independent.patch - - 013-If-we-don-t-compile-in-YP-support-don-t-include-YP-h.patch -- Add 012-libtirpc-needs-rpcsvc-nis.h-for-compiling-but-does-n.patch - to allow bootstrapping of libtirpc without glibc sunrpc code or - libnsl NIS+ code. 
- -- Add 011-Fix-typo-in-src-libtirpc.map-which-prevents-that-key.patch - (fix export of key_secretkey_is_set) - -- Add the following patches to fix some bugs from the poll() - port and an endless loop: - - 006-Remove-old-meanwhile-wrong-comment-about-FD_SETSIZE-.patch - - 007-Change-rtime-function-to-use-poll-instead-of-select.patch - - 008-Add-parameters-to-local-prototypes-to-fix-compiler-w.patch - - 009-makefd_xprt-checks-that-the-filedesriptor-is-lower-t.patch - - 010-The-goto-again-statement-was-an-left-over-from-the-p.patch - -- Remove 004-netconfig-prefer-IPv6.patch for SLES12. -- Remove libtirpc-getnetconfig-races.patch (was backport). - [FATE#320393] - -- Split the netconfig configuration file and manual page off into - an own RPM. Else it is not possible to install the old and new - libtirpc libraries in parallel. - -- Update to libtirpc-1.0.1 - - new major soname - - Adjust auth code to match other RPC implementations - - Implement more gss auth stuff - - use poll() instead of select() in svc_run() - - Add more sunrpc compat functions - - Sync compat headers with real functions -- Drop 005-missing-symvers.patch (upstream) -- Drop 006-memleak1.patch (upstream) -- Drop 007-memleak2.patch (upstream) -- Drop 008-fix-undef-ref.patch (upstream) -- Drop 009-authdes_pk_create.patch (upstream) -- Drop 010-xdr_sizeof.patch (upstream) -- Drop 011-authdes_create.patch (upstream) -- Drop 012-xp_sock.patch (upstream) -- Drop 099-poll.patch (upstream) -- Drop libtirpc-xdr-header.patch (was backport) -- Add 005-libtirpc-1.0.2-rc1.patch (fixes deadlock) - -- Fix public xdr.h header - xdr_rpcvers() were broken (bsc#902439) - Added: libtirpc-xdr-header.patch - -- Update 099-poll.patch with newest version send upstream. - -- Add 099-poll.patch: change svc_run from select() to poll(). 
- -- Add 012-xp_sock.patch: add sunrpc compatibility define - -- Update 009-authdes_pk_create.patch (fix syncaddr handling) -- Add 011-authdes_create.patch (fix syncaddr handling) - -- Add 010-xdr_sizeof.patch (enable xdr_sizeof) - -- Add 009-authdes_pk_create.patch (missing SunRPC compat function) - -- Add 008-fix-undef-ref.patch to fix a undefined reference bug - -- Update to version 0.3.2 (bring authdes back) -- Remove 005-no_IPv6_for_old_code.patch (accepted upstream) -- Remove 001-tirpc-features.patch (obsolete) -- Add 005-missing-symvers.patch (fix missing, new symbols) -- Add 006-memleak1.patch (fix memory leak) -- Add 007-memleak2.patch (fix memory leak) - -- Remove krb5-devel from -devel requires, not needed anymore - -- Update to libtirpc 0.3.1, which incorporates the following - patches: - - 011-gssapi-update1.patch - - 012-gssapi-update2.patch - - 013-gssapi-update3.patch - - 014-gssapi-update4.patch - - 015-gssapi-update5.patch - - 016-gssapi-update6.patch - - 017-gssapi-update7.patch - - 018-gssapi-update8.patch - Not needed anymore: - - 007-fix-tirpc_map.patch - Adjusted: - - 001-tirpc-features.patch, merged with 006-rework-features.diff - - 002-old-automake.patch - -- 007-fix-tirpc_map.patch: fix symbol version for new global names - -- 006-rework-features.diff: Adjust for set of gssapi patches -- 003-fix-gssapi.patch replaced by 011-gssapi-update1.patch -- 012-gssapi-update2.patch: fix krb5-config usage -- 013-gssapi-update3.patch: check for gssapi.h -- 014-gssapi-update4.patch: don't include rpcsec_gss.h -- 015-gssapi-update5.patch: don't install GSSAPI files if disabled -- 016-gssapi-update6.patch: fix rpc_gss_seccreate -- 017-gssapi-update7.patch: officialy export two internal functions -- 018-gssapi-update8.patch: don't use glibc special header files - -- 003-fix-gssapi.patch: Correct fix for GSS ABI breakage -- 005-no_IPv6_for_old_code.patch: Update comment -- 006-rework-features.diff: Rework tirpc-features.h - -- 003-fix-gssapi.patch: Update, 
one chunk did go lost - -- 001-tirpc-features.patch: update with official git version -- 002-old-automake.patch: re-add for SLES11 -- 003-fix-gssapi.patch: try to fix the disable-gssapi option correct - -- Fix HAVE_AUTHDES/HAVE_GSSAPI in public header files - (001-tirpc-features.patch) - -- Update to official release 0.3.0. authdes was disabled by default - upstream. -- Following patches were merged: - - 001-symbol-versions-v5.patch - - 003-add-des_crypt.diff -- Remove 002-old-automake.patch, not needed anymore - -- Update 001-symbol-versions-v4.patch with - 001-symbol-versions-v5.patch: Add --disable-symvers option - -- Update 003-add-des_crypt.diff, fix unresolved des functions - -- Update to git -- Add 003-add-des_crypt.diff to fix unresolved *_crypt() functions - -- Disable gssapi for SLE11, kerberos version is too old - -- rpc/rpc.h requires now indirectly gssapi.h from krb5-devel - -- Update to current git. -- The following patches were accepted upstream: - - 003-xdr_h-fix.patch - - 005-disable-rpcent.patch - - 006-no-libnsl.patch - - patch1_7.diff - - patch2_7.diff - - patch3_7.diff -- patch7_7.diff: removed, rejected upstream -- 001-symbol-versions-v3.patch: replace with 001-symbol-versions-v4.patch - -- Add the following patches from the libtirpc-devel mailing list: - - patch1_7.diff (remove wrong config.h.in) - - patch2_7.diff (fix function name of yp_check) - - patch3_7.diff (make sure config.h is included) - - patch6_7.diff (use getaddrinfo in getrpcport) - - patch7_7.diff (remove prototypes from headers we don't supply) - -- Add following patches: - - 003-xdr_h-fix.patch (fix wrong defines using xdr_u_int32) - - 005-disable-rpcent.patch (use rpcent functions from glibc) - - 006-no-libnsl.patch (don't link against libnsl) - -- Update to 0.2.5.git from 20150423 - - following patches are accepted upstream: - - 003-rpc_broadcast_misformed_replies.patch - - libtirpc-misc-segfaults.patch - - replace 001-symbol-versions-v2.patch with - 
001-symbol-versions-v3.patch - - enable symbol versioning patch - -- Fix race conditions in getnetconfig (bsc#899576, bsc#882973) - Added: libtirpc-getnetconfig-races.patch - -- 004-netconfig-prefer-IPv6.patch: Prever IPv6 over IPv4 (configured - in /etc/netconfig) - -- 002-old-automake.patch: make buildable on old systems - -- Update to 0.2.5.git from 20141217 - - following patches are accepted upstream: - - 002-clnt_broadcast_fix.patch - - 004-getpmaphandle.patch - - libtirpc-clntunix_create.patch - - libtirpc-getbroadifs-crash.patch - - libtirpc-taddr2uaddr-local.patch - -- Update to upstream 0.2.5 release -- Add symbol versioning to fix symbol conflicts - (001-symbol-versions-v2.patch), but disable until commited upstream -- Adjust libtirpc-clnt_broadcast_fix.patch and rename to - 002-clnt_broadcast_fix.patch -- Adjust libtirpc-rpc_broadcast_misformed_replies.patch and rename - to 003-rpc_broadcast_misformed_replies.patch -- Rename libtirpc-getpmaphandle.patch to 004-getpmaphandle.patch -- Adjust libtirpc-bindresvport_blacklist.patch and rename to - 000-bindresvport_blacklist.patch -- Drop libtirpc-pmap-setunset.patch, not needed anymore -- Apply libtirpc-new-path-rpcbindsock.patch only on openSUSE 13.1 - and later - perl-Image-ExifTool +- Update to version 12.42: + * Added support for reading maker notes from Panasonic DC-GH6 videos + * Added conversion for Samsung MCCData + * Added a new Nikon LensID (thanks Chris) + * Added a few new Canon LensType values + * Added a couple of new Olympus StackedImage values (thanks Eberhard) + * Added a few new values for some Nikon Settings tags (thanks Warren Hatch) + * Added a "lang:" element to the -json output for alternate language tags when -D, -H or -t is used + * Update DNG writer to not issue an error when writing DNG 1.6 files + * Decode information from DJI "ae_dbg_info" maker notes + * Decode Olympus AISubjectTrackingMode + * Changed ExifTool FileSize print conversion to use kB/MB/GB units instead of 
KiB/MiB/GiB + * Changed "is not shiftable" warning to appear in -v (instead of just -v3) output + * Patched to allow PDF Encrypt object to be "null" + * Fixed bug reading ICC_Profile 'meta' tags + +- update to version 12.41: + * Added support for "OM SYSTEM" maker notes + * Added 2 new Sony LensType values (thanks Jos Roost) + * Added some new Canon lenses (thanks LibRaw) + * Added a new Nikon LensID (thanks Bert Ligtvoet) + * Added a new Canon ContinuousDrive value (thanks Wolfgang Gulcker) + * Enhanced -v0 option to also print new file name when renaming, moving or + copying a file + * Updated xmp2exif.args and exif2xmp.args helper files to reflect the IPTC + Photometadata Mapping Guidelines version 2202.1 + * Made "Invalid Xxx data" a minor warning for MakerNote data + * Patched to allow writing of MP4 videos which have other tracks with a + missing sample description entry + * Patched MacOS version to specify directory for external utilities (setfile, + xattr, stat, mdls and osascript from /usr/bin, and tag from /usr/local/bin) + * Fixed long-standing problem where Windows version could behave differently + for -if conditions containing undefined tags + * Fixed problem where -W+! 
combined with -j or -X produced invalid JSON or XML + when processing multiple files + * Fixed potential "uninitialized value $time in division" runtime warning when + reading MP4 videos + * Added PageCount tag to return the number of pages in a multi-page TIFF + * Added a new Nikon LensID (thanks Wolfgang Exler) + * Added a few more Sony LensTypes (thanks Jos Roost) + * Decode some new Canon tags (thanks Mark Reid) + * Decode another Nikon Z9 tag (thanks Warren Hatch) + * Decode Nikon NKSC GPSImgDirection (thanks Olaf) + * Improved handling of empty XMP structures in lists + * Tolerate leading UTF-8 BOM in -geotag log files + * Updated photoshop_paths.config to include WorkingPath + * Patched to allow writing of MP4 videos which have url tracks with a missing + sample description entry + * Fixed deep recursion error when reading multi-page TIFF images with more + than 100 pages + * Fixed potential deep recursion runtime error when writing nested XMP + structures + * Fixed warning which could be generated when writing new + Composite:GPSCoordinates tag + * Fixed description of GPR (General Purpose RAW) file type + * Fixed typo in the name of a new Nikon tag (thanks Herb) + +- update to version 12.39 - not CPAN released + For changes in version 12.31 to 12.39 see Changes file +- fixes CVE-2022-23935 security issue +
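Review bot: the added perl-Image-ExifTool 12.39 entry says only "fixes CVE-2022-23935 security issue" and carries no bsc# reference, unlike the other CVE entries in this changelog (libsndfile, for example, pairs CVE-2021-4156 with bsc#1194006). Add the Bugzilla number and one line naming what was fixed, because "For changes in version 12.31 to 12.39 see Changes file" leaves the security-relevant change invisible to anyone auditing the image from this log alone. Separately, in the 12.41 entry the bullet list restarts at "Added PageCount tag to return the number of pages in a multi-page TIFF" with a second run of Added/Decode/Patched/Fixed items. If those belong to a different release, give them their own "update to version" line so each fix can be tied to a version.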