--- xmlsec1-1.2.14.orig/debian/TODO.Debian
+++ xmlsec1-1.2.14/debian/TODO.Debian
@@ -0,0 +1,7 @@
+xmlsec and libxmlsec for Debian
+-------------------------------
+
+ * set up doc-base
+
+
+ -- John V. Belmonte
--- xmlsec1-1.2.14.orig/debian/README.Debian
+++ xmlsec1-1.2.14/debian/README.Debian
@@ -0,0 +1,37 @@
+xmlsec and libxmlsec for Debian
+-------------------------------
+
+The upstream documentation is included with the libxmlsec1-dev package and
+located at /usr/share/doc/libxmlsec1-dev.
+
+When developing with the xmlsec library, you have a choice of openssl,
+gnutls, or nss crypto engines. By using "pkg-config xmlsec1-" or
+"xmlsec1-config --crypto=", you can get the necessary compiler
+command-line switches for enabling a certain engine.
+
+If you want to license your application that uses the xmlsec library under
+the GNU GPL, or want your library that uses the xmlsec library to be GPL-
+compatible, I suggest using the gnutls engine. Use of the nss crypto engine
+may also be compatible with the GPL, but see bugs #207024 and #207026.
+Regarding openssl, there is a bit of controversy about whether it can be
+considered part of the OS and therefore make use of a loophole in the GPL.
+(See the xmlsec FAQ in the documentation.) More specifically, debian-legal
+takes a hard line and does not allow GPL'd packages that link to openssl to
+exist in main. In the future, support for PGP key types may be added, which
+would become another reason to go with the gnutls engine.
+
+Note that the library has a dynamic crypto engine loading feature, but I
+have not yet enabled it.
+
+Note that a number of the examples included with the -dev package will
+not compile successfuly under the gnutls engine (due to lack of features
+compared to openssl), and will fail under both the gnutls and nss engines
+(due to lack of pem file support, etc.).
+
+Upstream has promised that they will increment the number in the library name
+name (for example, xmlsec1 -> xmlsec2) whenever a binary incompatibility is
+introduced, and that it will always match the soname number. For this
+reason I chose to omit the soname number from package names.
+
+
+ -- John V. Belmonte
--- xmlsec1-1.2.14.orig/debian/watch
+++ xmlsec1-1.2.14/debian/watch
@@ -0,0 +1,3 @@
+version=2
+http://www.aleksey.com/xmlsec/download/xmlsec1-([\d\.]+)\.tar\.gz \
+ debian uupdate
--- xmlsec1-1.2.14.orig/debian/libxmlsec1-dev.manpages
+++ xmlsec1-1.2.14/debian/libxmlsec1-dev.manpages
@@ -0,0 +1 @@
+man/xmlsec1-config.1
--- xmlsec1-1.2.14.orig/debian/libxmlsec1-nss.install
+++ xmlsec1-1.2.14/debian/libxmlsec1-nss.install
@@ -0,0 +1 @@
+usr/lib/libxmlsec1-nss.so.*
--- xmlsec1-1.2.14.orig/debian/libxmlsec1-openssl.install
+++ xmlsec1-1.2.14/debian/libxmlsec1-openssl.install
@@ -0,0 +1 @@
+usr/lib/libxmlsec1-openssl.so.*
--- xmlsec1-1.2.14.orig/debian/compat
+++ xmlsec1-1.2.14/debian/compat
@@ -0,0 +1 @@
+7
--- xmlsec1-1.2.14.orig/debian/rules
+++ xmlsec1-1.2.14/debian/rules
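Review bot: The watch URL added in debian/watch is plain `http://` and the file carries no signature or checksum step, so a tarball that uscan and uupdate pull from it is not authenticated in transit. For a package that ships a cryptography library this makes the upstream fetch the weakest link in the packaging chain. If upstream serves the same directory over TLS, the smaller change is `https://www.aleksey.com/xmlsec/download/xmlsec1-([\d\.]+)\.tar\.gz \`; otherwise a comment in the file should tell the maintainer to verify the download against an upstream-published signature or checksum before running uupdate.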
@@ -0,0 +1,105 @@
+#!/usr/bin/make -f
+# Sample debian/rules that uses debhelper.
+# GNU copyright 1997 to 1999 by Joey Hess.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+# These are used for cross-compiling and for saving the configure script
+# from having to guess our platform (since we know it already)
+DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+
+
+ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))
+ CFLAGS += -g
+endif
+
+# shared library versions, option 1
+#version=2.0.5
+#major=2
+# option 2, assuming the library is created as src/.libs/libfoo.so.2.0.5 or so
+version=`ls src/.libs/lib*.so.* | \
+ awk '{if (match($$0,/[0-9]+\.[0-9]+\.[0-9]+$$/)) print substr($$0,RSTART)}'`
+major=`ls src/.libs/lib*.so.* | \
+ awk '{if (match($$0,/\.so\.[0-9]+$$/)) print substr($$0,RSTART+4)}'`
+
+config.status: configure
+ dh_testdir
+ # Add here commands to configure the package.
+ -test -r /usr/share/misc/config.sub && \
+ cp -f /usr/share/misc/config.sub config.sub
+ -test -r /usr/share/misc/config.guess && \
+ cp -f /usr/share/misc/config.guess config.guess
+ ./configure \
+ --host=$(DEB_HOST_GNU_TYPE) \
+ --build=$(DEB_BUILD_GNU_TYPE) \
+ --prefix=/usr \
+ --mandir=\$${prefix}/share/man \
+ --infodir=\$${prefix}/share/info \
+ --with-html-dir=\$${prefix}/share/doc/xmlsec1/html \
+ --enable-dynamic \
+ --disable-crypto-dl \
+ --disable-apps-crypto-dl
+
+
+build: build-stamp
+build-stamp: config.status
+ dh_testdir
+
+ # Add here commands to compile the package.
+ $(MAKE)
+
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp
+
+ # Add here commands to clean up after the build process.
+ [ ! -f Makefile ] || $(MAKE) distclean
+
+ dh_clean COPYING config.log config.cache config.status config.sub \
+ config.guess
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_prep
+ dh_installdirs
+
+ # Add here commands to install the package into debian/tmp
+ $(MAKE) install prefix=$(CURDIR)/debian/tmp/usr
+ # strip unwanted RPATH caused by bug in old libtool
+ chrpath -d $(CURDIR)/debian/tmp/usr/lib/*.so \
+ $(CURDIR)/debian/tmp/usr/bin/xmlsec1
+ find debian/tmp/usr/lib -name "*.la" -exec \
+ sed -i -e "s,^dependency_libs=.*,dependency_libs=''," {} +
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+
+ dh_install -X.cvsignore --sourcedir=debian/tmp
+ dh_installexamples -X.cvsignore examples/*
+ dh_installdocs -X.sgml --all README debian/README.Debian debian/TODO.Debian
+ dh_installman
+ dh_installchangelogs ChangeLog
+ dh_strip
+ dh_compress -Xexamples/
+ dh_fixperms
+ dh_makeshlibs -V
+ dh_installdeb
+ dh_shlibdeps -l $(CURDIR)/debian/libxmlsec1/usr/lib
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install
--- xmlsec1-1.2.14.orig/debian/control
+++ xmlsec1-1.2.14/debian/control
@@ -0,0 +1,76 @@
+Source: xmlsec1
+Section: text
+Priority: optional
+Maintainer: John V. Belmonte
+Build-Depends: debhelper (>> 7.0.0), autotools-dev, chrpath, pkg-config, libxml2-dev (>= 2.6.12), libxslt1-dev (>= 1.0.20), libssl-dev (>= 0.9.8), libgnutls-dev (>= 1.0.0), libnss3-dev
+Standards-Version: 3.8.3
+Homepage: http://www.aleksey.com/xmlsec/
+
+Package: libxmlsec1-dev
+Section: libdevel
+Architecture: any
+Depends: libxmlsec1 (= ${binary:Version}), libxmlsec1-openssl (= ${binary:Version}), libxmlsec1-gnutls (= ${binary:Version}), libxmlsec1-nss (= ${binary:Version}), libc6-dev, libxml2-dev (>= 2.6.12), libxslt1-dev (>= 1.0.20), libssl-dev (>= 0.9.8), libgnutls-dev (>= 1.0.0), libnss3-dev
+Description: Development files for the XML security library
+ The XML Security Library is a C library that implements these XML standards:
+ .
+ * XML Signature
+ * XML Encryption
+ .
+ This package provides development files including documentation, examples,
+ headers, static libraries, and configuration support.
+
+Package: libxmlsec1
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}
+Description: XML security library
+ The XML Security Library implements standards related to secure handling
+ of XML data.
+ .
+ This package provides dynamic libraries for use by applications.
+ Specifically, it provides all XML security library functionality
+ except for the cryptography engine.
+
+Package: libxmlsec1-openssl
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}
+Description: Openssl engine for the XML security library
+ The XML Security Library implements standards related to secure handling
+ of XML data.
+ .
+ This package provides dynamic libraries for use by applications.
+ Specifically, it provides the openssl implementation of the XML security
+ library cryptography functions.
+
+Package: libxmlsec1-gnutls
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}
+Description: Gnutls engine for the XML security library
+ The XML Security Library implements standards related to secure handling
+ of XML data.
+ .
+ This package provides dynamic libraries for use by applications.
+ Specifically, it provides the gnutls implementation of the XML security
+ library cryptography functions.
+
+Package: libxmlsec1-nss
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}
+Description: Nss engine for the XML security library
+ The XML Security Library implements standards related to secure handling
+ of XML data.
+ .
+ This package provides dynamic libraries for use by applications.
+ Specifically, it provides the nss implementation of the XML security
+ library cryptography functions.
+
+Package: xmlsec1
+Section: text
+Architecture: any
+Depends: ${shlibs:Depends}
+Description: XML security command line processor
+ Xmlsec is a command line tool for signature and encryption transformations
+ of XML data. It is part of the XML Security Library.
--- xmlsec1-1.2.14.orig/debian/changelog
+++ xmlsec1-1.2.14/debian/changelog
@@ -0,0 +1,179 @@
+xmlsec1 (1.2.14-1.2build1) precise; urgency=low
+
+ * No-change rebuild against current pkgbinarymangler to fix broken
+ md5sums. (see LP #875466)
+
+ -- Martin Pitt Wed, 29 Feb 2012 09:16:39 +0100
+
+xmlsec1 (1.2.14-1.2) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Empty dependency_libs in libtool la file. Closes: #610239
+ http://wiki.debian.org/ReleaseGoals/LAFileRemoval
+
+ -- Andreas Metzler Sat, 23 Apr 2011 08:53:37 +0200
+
+xmlsec1 (1.2.14-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Apply patch from upstream addressing arbitrary file overwrite
+ (CVE-2011-1425, closes: #620560).
+
+ -- Thijs Kinkhorst Sat, 09 Apr 2011 17:40:24 +0200
+
+xmlsec1 (1.2.14-1) unstable; urgency=low
+
+ * New upstream release, fixes CVE-2009-3736 (Closes: #559831)
+ * debian/rules: dh_prep instead of dh_clean
+
+ -- John V. Belmonte Tue, 08 Dec 2009 21:47:36 -0500
+
+xmlsec1 (1.2.12-1) unstable; urgency=low
+
+ * New upstream release, fixes CVE-2009-0217 (Closes: #532751, #529918)
+ * Update debian/watch
+ * Upgrade to latest debhelper version
+ * In debian/control:
+ * add Homepage
+ * remove use of ${Source-Version}
+ * In debian/rules:
+ * fix distclean call
+ * $(CURDIR) instead of $(PWD)
+ * remove xulrunner hack since upstream now supports it in configure
+ * strip RPATH's caused by bug in upstream's libtool version
+ * Confirm Debian standards 3.8.3
+
+ -- John V. Belmonte Sat, 05 Sep 2009 18:21:58 -0400
+
+xmlsec1 (1.2.9-5) unstable; urgency=low
+
+ * Remove shlibs.local (Closes: #379445)
+ * Add minimum versions to Build-Depends and -dev Depends
+
+ -- John V. Belmonte Sun, 30 Jul 2006 22:27:01 -0400
+
+xmlsec1 (1.2.9-4) unstable; urgency=low
+
+ * Fix gnutls dependency in shlibs.local (Closes: #379390)
+
+ -- John V. Belmonte Sun, 23 Jul 2006 10:46:53 -0400
+
+xmlsec1 (1.2.9-3) unstable; urgency=low
+
+ * Adjust gnutls dependency (Closes: #335771)
+ * Adjust libxml2 min version
+
+ -- John V. Belmonte Mon, 26 Jun 2006 20:48:41 -0400
+
+xmlsec1 (1.2.9-2) unstable; urgency=low
+
+ * Add engine libraries to depends of dev package
+ * Switch to mozilla libs provided by xulrunner package (Closes: #364382)
+ * Confirm Debian standards 3.7.2
+
+ -- John V. Belmonte Thu, 08 Jun 2006 21:52:55 -0400
+
+xmlsec1 (1.2.9-1) unstable; urgency=low
+
+ * New upstream release (Closes: #319807)
+ * Upgrade to Debian standards 3.6.2
+
+ -- John V. Belmonte Sat, 17 Sep 2005 09:36:11 -0400
+
+xmlsec1 (1.2.6-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- John V. Belmonte Thu, 26 Aug 2004 15:07:52 -0400
+
+xmlsec1 (1.2.4-3) unstable; urgency=low
+
+ * Adjust gnutls dependency (Closes: #263626)
+ * Add debian/watch
+
+ -- John V. Belmonte Thu, 5 Aug 2004 12:09:42 -0400
+
+xmlsec1 (1.2.4-2) unstable; urgency=low
+
+ * Change maintainer address
+ * Adjust libxslt dependency (Closes: #261831)
+
+ -- John V. Belmonte Mon, 2 Aug 2004 10:05:04 -0400
+
+xmlsec1 (1.2.4-1) unstable; urgency=low
+
+ * New upstream release (Closes: #228531)
+ * Add binary for nss crypto engine
+ * Upgrade gnutls dependency to gnutls10
+
+ -- John V. Belmonte Tue, 27 Jan 2004 12:49:49 -0500
+
+xmlsec1 (1.1.1-2) unstable; urgency=low
+
+ * Upgrade to Debian standards 3.6.1
+ * In debian/rules:
+ * remove unused "nostrip" logic
+ * replace use of $CURDIR with `pwd`
+ * remove unused debhelper calls
+ * convert from dh_movefiles to dh_install
+ * omit makefiles and SGML files from HTML docs
+
+ -- John V. Belmonte Mon, 13 Oct 2003 15:43:41 -0400
+
+xmlsec1 (1.1.1-1) unstable; urgency=low
+
+ * New upstream release
+ * Add soname number to build/-dev depends for libgnutls
+ * Add version to build/-dev depends for libssl since no
+ libssl-dev is available
+ * In README.Debian, clarify restriction on use of openssl crypto engine
+ by GPL'd official Debian packages
+ * In README.Debian, more about the yet unpackaged nss crypto engine
+
+ -- John V. Belmonte Sun, 24 Aug 2003 06:39:56 -0400
+
+xmlsec1 (1.1.0-1) unstable; urgency=low
+
+ * New upstream release
+ * Add pkg-config files (Closes: #203376)
+ * Downplay xmlsec1-config in README.Debian, package descriptions
+ * Remove some upstream workarounds from debian/rules
+
+ -- John V. Belmonte Mon, 11 Aug 2003 10:05:06 -0400
+
+xmlsec1 (1.0.4-2) unstable; urgency=low
+
+ * No change, except this time my sponsor won't accidentally mutilate the
+ package before uploading :-)
+
+ -- John V. Belmonte Fri, 18 Jul 2003 01:11:45 -0400
+
+xmlsec1 (1.0.4-1) unstable; urgency=low
+
+ * New upstream release
+ * Update README.Debian regarding nss engine support
+ * Fix typo in libxmlsec1 description
+ * Remove some upstream workarounds from debian/rules
+
+ -- John V. Belmonte Tue, 15 Jul 2003 21:23:11 -0400
+
+xmlsec1 (1.0.3-1) unstable; urgency=low
+
+ * New upstream release (Closes: #194270)
+ * change source name for xmlsec1 series
+ * change dev package section to libdevel
+
+ -- John V. Belmonte Tue, 17 Jun 2003 23:19:17 -0400
+
+xmlsec (0.0.14-1) unstable; urgency=low
+
+ * New upstream release
+ * upgrade to Debian standards 3.5.9
+
+ -- John V. Belmonte Fri, 28 Mar 2003 14:21:10 -0500
+
+xmlsec (0.0.12-1) unstable; urgency=low
+
+ * Initial Release (Closes: #152605)
+
+ -- John V. Belmonte Tue, 11 Feb 2003 14:58:00 -0500
--- xmlsec1-1.2.14.orig/debian/libxmlsec1-dev.docs
+++ xmlsec1-1.2.14/debian/libxmlsec1-dev.docs
@@ -0,0 +1 @@
+debian/tmp/usr/share/doc/xmlsec1/html/
--- xmlsec1-1.2.14.orig/debian/libxmlsec1-dev.install
+++ xmlsec1-1.2.14/debian/libxmlsec1-dev.install
@@ -0,0 +1,6 @@
+usr/include/*
+usr/lib/lib*.a
+usr/lib/lib*.so
+usr/lib/lib*.la
+usr/lib/pkgconfig/*
+usr/bin/xmlsec1-config
--- xmlsec1-1.2.14.orig/debian/libxmlsec1-gnutls.install
+++ xmlsec1-1.2.14/debian/libxmlsec1-gnutls.install
@@ -0,0 +1 @@
+usr/lib/libxmlsec1-gnutls.so.*
--- xmlsec1-1.2.14.orig/debian/xmlsec1.manpages
+++ xmlsec1-1.2.14/debian/xmlsec1.manpages
@@ -0,0 +1 @@
+man/xmlsec1.1
--- xmlsec1-1.2.14.orig/debian/copyright
+++ xmlsec1-1.2.14/debian/copyright
@@ -0,0 +1,29 @@
+This package was debianized by John V. Belmonte on
+Tue, 11 Feb 2003 14:58:00 -0500.
+
+It was downloaded from ftp://ftp.aleksey.com/pub/xmlsec/releases/
+
+Upstream Author: Aleksey Sanin
+
+Copyright (C) 2002 Aleksey Sanin. All Rights Reserved.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is fur-
+nished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FIT-
+NESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+DANIEL VEILLARD BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CON-
+NECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+Except as contained in this notice, the name of Aleksey Sanin shall not
+be used in advertising or otherwise to promote the sale, use or other deal-
+ings in this Software without prior written authorization from him.
--- xmlsec1-1.2.14.orig/debian/libxmlsec1.install
+++ xmlsec1-1.2.14/debian/libxmlsec1.install
@@ -0,0 +1 @@
+usr/lib/libxmlsec1.so.*
--- xmlsec1-1.2.14.orig/debian/xmlsec1.install
+++ xmlsec1-1.2.14/debian/xmlsec1.install
@@ -0,0 +1 @@
+usr/bin/xmlsec1
--- xmlsec1-1.2.14.orig/apps/xmlsec.c
+++ xmlsec1-1.2.14/apps/xmlsec.c
@@ -24,6 +24,7 @@ #include #include #include +#include #include #endif /* XMLSEC_NO_XSLT */ @@ -2400,6 +2401,11 @@ } static int intialized = 0; + +#ifndef XMLSEC_NO_XSLT +static xsltSecurityPrefsPtr xsltSecPrefs = NULL; +#endif /* XMLSEC_NO_XSLT */ + static int xmlSecAppInit(void) { if(intialized != 0) { @@ -2414,7 +2420,20 @@ #ifndef XMLSEC_NO_XSLT xmlIndentTreeOutput = 1; #endif /* XMLSEC_NO_XSLT */ - + + + /* Init libxslt */ +#ifndef XMLSEC_NO_XSLT + /* disable everything */ + xsltSecPrefs = xsltNewSecurityPrefs(); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid); + xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid); + xsltSetDefaultSecurityPrefs(xsltSecPrefs); +#endif /* XMLSEC_NO_XSLT */ + /* Init xmlsec */ if(xmlSecInit() < 0) { fprintf(stderr, "Error: xmlsec intialization failed.\n"); @@ -2461,6 +2480,7 @@ /* Shutdown libxslt/libxml */ #ifndef XMLSEC_NO_XSLT + xsltFreeSecurityPrefs(xsltSecPrefs); xsltCleanupGlobals(); #endif /* XMLSEC_NO_XSLT */ xmlCleanupParser();
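Review bot: In the third hunk of apps/xmlsec.c, the result of `xsltNewSecurityPrefs()` and of the five `xsltSetSecurityPrefs()` calls is never checked, so the hardening fails open: if the allocation fails, `xsltSecPrefs` stays NULL and `xsltSetDefaultSecurityPrefs(xsltSecPrefs)` installs a NULL default, which as far as libxslt's behaviour goes means no file or network restriction is applied to XSLT transforms. Initialization should abort instead, the same way the `xmlSecInit() < 0` check right below it does. In the last hunk, `xsltFreeSecurityPrefs(xsltSecPrefs)` leaves the static pointer dangling; following it with `xsltSecPrefs = NULL;` keeps a later re-init from reusing freed memory. The body of xmlSecAppInit continues outside the hunk, so the failure return value in the sketch is assumed.

```c
/* … unchanged: #ifndef XMLSEC_NO_XSLT guard … */
    /* disable everything; refuse to start if the restrictions cannot be installed */
    xsltSecPrefs = xsltNewSecurityPrefs();
    if(xsltSecPrefs == NULL) {
        fprintf(stderr, "Error: failed to create libxslt security preferences.\n");
        return(-1); /* assumed: same failure value as the xmlSecInit() check */
    }
    if((xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid) < 0) ||
       (xsltSetSecurityPrefs(xsltSecPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid) < 0)) {
        fprintf(stderr, "Error: failed to set libxslt security preferences.\n");
        xsltFreeSecurityPrefs(xsltSecPrefs);
        xsltSecPrefs = NULL;
        return(-1);
    }
    xsltSetDefaultSecurityPrefs(xsltSecPrefs);
/* … unchanged: #endif and the xmlSecInit() call … */
```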