NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/python-lxml: security bump to version 4.9.1

Browse Source 
Fix CVE-2022-2309: NULL Pointer Dereference allows attackers to cause a
denial of service (or application crash). This only applies when lxml is
used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and
earlier are not affected. It allows triggering crashes through forged
input data, given a vulnerable code sequence in the application. The
vulnerability is caused by the iterwalk function (also used by the
canonicalize function). Such code shouldn't be in wide-spread use, given
that parsing + iterwalk would usually be replaced with the more
efficient iterparse function. However, an XML converter that serialises
to C14N would also be vulnerable, for example, and there are legitimate
use cases for this code sequence. If untrusted input is received (also
remotely) and processed via iterwalk function, a crash can be
triggered.

https://github.com/lxml/lxml/blob/lxml-4.9.1/CHANGES.txt

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
(cherry picked from commit ff3b5ca2c1)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Fabrice Fontaine 2022-07-23 23:37:46 +02:00 committed by Peter Korsgaard
parent ebe467582f
commit 7e71021a60
2 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
package/python-lxml/python-lxml.hash
View File

@ -1,5 +1,5 @@
# Locally computed
sha256 f63f62fc60e6228a4ca9abae28228f35e1bd3ce675013d1dfb828688d50c6e23 lxml-4.8.0.tar.gz
sha256 fe749b052bb7233fe5d072fcb549221a8cb1a16725c47c37e42b0b9cb3ff2c3f lxml-4.9.1.tar.gz
sha256 41d49dd406aa0e1548a6d5f21a30d6bf638b3cd96eb7289dd348d83ed2e40392 LICENSES.txt
sha256 69edb445c1335a8312d4c09271847e9956d84f0d9f724d125340cc3fad767b2a doc/licenses/BSD.txt
sha256 0497ae8138811ef4466ede653bab7a59feb3d3c14f9ed50fc33a00aeb5bec32e doc/licenses/elementtree.txt

4
package/python-lxml/python-lxml.mk
View File

@ -4,8 +4,8 @@
#
################################################################################
PYTHON_LXML_VERSION = 4.8.0
PYTHON_LXML_SITE = https://files.pythonhosted.org/packages/3b/94/e2b1b3bad91d15526c7e38918795883cee18b93f6785ea8ecf13f8ffa01e
PYTHON_LXML_VERSION = 4.9.1
PYTHON_LXML_SITE = https://files.pythonhosted.org/packages/70/bb/7a2c7b4f8f434aa1ee801704bf08f1e53d7b5feba3d5313ab17003477808
PYTHON_LXML_SOURCE = lxml-$(PYTHON_LXML_VERSION).tar.gz
# Not including the GPL, because it is used only for the test scripts.