Add upstream patch for CVE-2021-42521

- vtkXMLTreeReader: possible nullptr dereference (bz#2189655)
Drop package.cfg
2023-04-25 19:35:19 -06:00 · 2021-06-11 18:47:45 -06:00 · 2021-06-11 18:47:24 -06:00 · 2020-06-18 09:00:55 +02:00
2 changed files with 44 additions and 1 deletions
--- a/9621.patch
+++ b/9621.patch
@ -0,0 +1,36 @@
+From 72119ea71422d2892f2a0475fc282835310f8d9e Mon Sep 17 00:00:00 2001
+From: Cory Quammen <cory.quammen@kitware.com>
+Date: Thu, 29 Sep 2022 13:10:00 -0400
+Subject: [PATCH] vtkXMLTreeReader: protect against possible nullptr
+ dereference
+
+Vulnerability reported at
+https://nvd.nist.gov/vuln/detail/CVE-2021-42521.
+
+Fixes #17818
+
+(cherry picked from commit 9a2fe8ef2ecbf04f811b2e02b71eae8b94aae089)
+---
+ IO/Infovis/vtkXMLTreeReader.cxx | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/IO/Infovis/vtkXMLTreeReader.cxx b/IO/Infovis/vtkXMLTreeReader.cxx
+index 64abca37e96..af64572b27f 100644
+--- a/IO/Infovis/vtkXMLTreeReader.cxx
+++ b/IO/Infovis/vtkXMLTreeReader.cxx
+@@ -217,6 +217,12 @@ int vtkXMLTreeReader::RequestData(
+ 
+   // Get the root element node
+   xmlNode* rootElement = xmlDocGetRootElement(doc);
+  if (!rootElement)
+  {
+    vtkErrorMacro(<< "Could not get root element of document.");
+    return 0;
+  }
+
+   vtkXMLTreeReaderProcessElement(builder, -1, rootElement, this->ReadCharData, this->MaskArrays);
+ 
+   xmlFreeDoc(doc);
+-- 
+GitLab
+
--- a/vtk.spec
+++ b/vtk.spec
@ -46,7 +46,7 @@
 Summary: The Visualization Toolkit - A high level 3D visualization library
 Name: vtk
 Version: 9.0.1
-Release: 9%{?dist}
+Release: 10%{?dist}
 # This is a variant BSD license, a cross between BSD and ZLIB.
 # For all intents, it has the same rights and restrictions as BSD.
 # http://fedoraproject.org/wiki/Licensing/BSD#VTKBSDVariant
@ -67,6 +67,8 @@ Patch3: vtk-AllValues.patch
 Patch4: vtk_freetype-2.10.4.patch
 # Proj 5 support - backport https://gitlab.kitware.com/vtk/vtk/-/merge_requests/7731
 Patch5: vtk-proj5.patch
+# CVE-2021-42521 - vtkXMLTreeReader: possible nullptr dereference
+Patch6: https://gitlab.kitware.com/vtk/vtk/-/merge_requests/9621.patch

 URL: https://vtk.org/

@ -445,6 +447,7 @@ programming languages.
 %patch3 -p1 -b .AllValues
 %patch4 -p1 -b .freetype
 %patch5 -p1 -b .proj5
+%patch6 -p1 -b .CVE-2021-42521
 # Remove included thirdparty sources just to be sure
 # TODO - diy2 - not yet packaged
 # TODO - exodusII - not yet packaged
@ -792,6 +795,10 @@ cat xorg.log


 %changelog
+* Tue Apr 25 2023 Orion Poplawski <orion@nwra.com> - 9.0.1-10
+- Add upstream patch for CVE-2021-42521 - vtkXMLTreeReader: possible nullptr
+  dereference (bz#2189654)
+
 * Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 9.0.1-9
 - Rebuilt for Python 3.10
Author	SHA1	Message	Date
Orion Poplawski	ae69ce8fd1	Add upstream patch for CVE-2021-42521 - vtkXMLTreeReader: possible nullptr dereference (bz#2189655)	2023-04-25 19:35:19 -06:00
Orion Poplawski	00da1a8bbd	Drop package.cfg	2021-06-11 18:47:45 -06:00
Orion Poplawski	a9f847c6ff	Merge branch 'rawhide' into epel8	2021-06-11 18:47:24 -06:00
Igor Raits	a852a09ebb	"Adding package.cfg file"	2020-06-18 09:00:55 +02:00