diff --git a/9621.patch b/9621.patch
new file mode 100644
index 0000000..b4c3835
--- /dev/null
+++ b/9621.patch
@@ -0,0 +1,36 @@
+From 72119ea71422d2892f2a0475fc282835310f8d9e Mon Sep 17 00:00:00 2001
+From: Cory Quammen
+Date: Thu, 29 Sep 2022 13:10:00 -0400
+Subject: [PATCH] vtkXMLTreeReader: protect against possible nullptr
+ dereference
+
+Vulnerability reported at
+https://nvd.nist.gov/vuln/detail/CVE-2021-42521.
+
+Fixes #17818
+
+(cherry picked from commit 9a2fe8ef2ecbf04f811b2e02b71eae8b94aae089)
+---
+ IO/Infovis/vtkXMLTreeReader.cxx | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/IO/Infovis/vtkXMLTreeReader.cxx b/IO/Infovis/vtkXMLTreeReader.cxx
+index 64abca37e96..af64572b27f 100644
+--- a/IO/Infovis/vtkXMLTreeReader.cxx
++++ b/IO/Infovis/vtkXMLTreeReader.cxx
+@@ -217,6 +217,12 @@ int vtkXMLTreeReader::RequestData(
+
+ // Get the root element node
+ xmlNode* rootElement = xmlDocGetRootElement(doc);
++ if (!rootElement)
++ {
++ vtkErrorMacro(<< "Could not get root element of document.");
++ return 0;
++ }
++
+ vtkXMLTreeReaderProcessElement(builder, -1, rootElement, this->ReadCharData, this->MaskArrays);
+
+ xmlFreeDoc(doc);
+--
+GitLab
+
diff --git a/vtk.spec b/vtk.spec
index 506e76f..0ed1647 100644
--- a/vtk.spec
+++ b/vtk.spec
@@ -46,7 +46,7 @@ Summary: The Visualization Toolkit - A high level 3D visualization library
 Name: vtk
 Version: 9.0.1
-Release: 9%{?dist}
+Release: 10%{?dist}
 # This is a variant BSD license, a cross between BSD and ZLIB.
 # For all intents, it has the same rights and restrictions as BSD.
 # http://fedoraproject.org/wiki/Licensing/BSD#VTKBSDVariant
@@ -67,6 +67,8 @@ Patch3: vtk-AllValues.patch
 Patch4: vtk_freetype-2.10.4.patch
 # Proj 5 support - backport https://gitlab.kitware.com/vtk/vtk/-/merge_requests/7731
 Patch5: vtk-proj5.patch
+# CVE-2021-42521 - vtkXMLTreeReader: possible nullptr dereference
+Patch6: https://gitlab.kitware.com/vtk/vtk/-/merge_requests/9621.patch
 URL: https://vtk.org/
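Review bot: The new `if (!rootElement)` branch inside the embedded vtkXMLTreeReader.cxx hunk returns 0 without releasing `doc`: the `xmlFreeDoc(doc);` that the hunk shows after `vtkXMLTreeReaderProcessElement(...)` is skipped on that path, so a document with no root element now fails cleanly but leaks the parsed libxml2 tree unless `doc` is freed somewhere outside the hunk. Because this path is reached by malformed input, a leak on every such read is a resource-exhaustion concern rather than just untidiness; the branch should read `vtkErrorMacro(<< "Could not get root element of document."); xmlFreeDoc(doc); return 0;`. Whether `doc` itself is checked for nullptr after parsing is not visible here, and `RequestData` begins and ends outside this hunk.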
@@ -445,6 +447,7 @@ programming languages.
 %patch3 -p1 -b .AllValues
 %patch4 -p1 -b .freetype
 %patch5 -p1 -b .proj5
+%patch6 -p1 -b .CVE-2021-42521
 # Remove included thirdparty sources just to be sure
 # TODO - diy2 - not yet packaged
 # TODO - exodusII - not yet packaged
@@ -792,6 +795,10 @@ cat xorg.log
 %changelog
+* Tue Apr 25 2023 Orion Poplawski - 9.0.1-10
+- Add upstream patch for CVE-2021-42521 - vtkXMLTreeReader: possible nullptr
+ dereference (bz#2189654)
+
 * Fri Jun 04 2021 Python Maint - 9.0.1-9
 - Rebuilt for Python 3.10