Navigation:
Browse pkgsrc
(this page)
textproc expat
CVSweb ] [ 
Homepage ] [ 
RSS ] [ 
Required by ] [ 
Add to tracker ] 2024-03-14 10:15:57 by Thomas Klausner | Files touched by this commit (2) |  |
Log message:
expat: update to 2.6.2.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! <blink>Expat is UNDERSTAFFED and WITHOUT FUNDING.</blink> \
!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Release 2.6.2 Wed March 13 2024
Security fixes:
#839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with
isolated use of external parsers. Please see the commit
message of commit 1d50b80cf31de87750103656f6eb693746854aa8
for details.
Bug fixes:
#839 #841 Reject direct parameter entity recursion
and avoid the related undefined behavior
Other changes:
#847 Autotools: Fix build for DOCBOOK_TO_MAN containing spaces
#837 Add missing #821 and #824 to 2.6.1 change log
#838 #843 Version info bumped from 10:1:9 (libexpat*.so.1.9.1)
to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/
for what these numbers do
Special thanks to:
Philippe Antoine
Tomas Korbar
and
Clang UndefinedBehaviorSanitizer
OSS-Fuzz / ClusterFuzz
|
| 2024-03-01 07:50:02 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
expat: updated to 2.6.1
Release 2.6.1
Bug fixes:
Make tests independent of CPU speed, and thus more robust
Expose billion laughs API with XML_DTD defined and
XML_GE undefined, regression from 2.6.0
Other changes:
Hide test-only code behind new internal macro
Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P
Address compiler warnings
Version info bumped from 10:0:9 (libexpat*.so.1.9.0)
to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/
for what these numbers do
Infrastructure:
CI: Adapt to breaking changes in clang-format
|
| 2024-02-07 14:19:26 by Adam Ciarcinski | Files touched by this commit (3) | |
Log message:
expat: updated to 2.6.0
Release 2.6.0 Tue February 6 2024
Security fixes:
* * CVE-2023-52425 -- Fix quadratic runtime issues with big tokens
that can cause denial of service, in partial where
dealing with compressed XML input. Applications
that parsed a document in one go -- a single call to
functions XML_Parse or XML_ParseBuffer -- were not affected.
The smaller the chunks/buffers you use for parsing
previously, the bigger the problem prior to the fix.
Backporters should be careful to no omit parts of
pull request * and to include earlier pull request *,
in order to not break the fix.
* CVE-2023-52426 -- Fix billion laughs attacks for users
compiling *without* XML_DTD defined (which is not common).
Users with XML_DTD defined have been protected since
Expat >=2.4.0 (and that was CVE-2013-0340 back then).
Bug fixes:
* Fix parse-size-dependent "invalid token" error for
external entities that start with a byte order mark
* Fix NULL pointer dereference in setContext via
XML_ExternalEntityParserCreate for compilation with
XML_DTD undefined
* * Protect against closing entities out of order
Other changes:
* Improve support for arc4random/arc4random_buf
* * Improve buffer growth in XML_GetBuffer and XML_Parse
* * xmlwf: Support --help and --version
* * xmlwf: Support custom buffer size for XML_GetBuffer and read
* xmlwf: Improve language and URL clickability in help output
* examples: Add new example "element_declarations.c"
* Be stricter about macro XML_CONTEXT_BYTES at build time
* Make inclusion to expat_config.h consistent
* * Autotools: configure.ac: Support --disable-maintainer-mode
* * ..
* * * Autotools: Sync CMake templates with CMake 3.26
* Autotools: Make installation of shipped man page doc/xmlwf.1
independent of docbook2man availability
* Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
section "Cflags.private" in order to fix compilation
against static libexpat using pkg-config on Windows
* * Autotools|CMake: Require a C99 compiler
(a de-facto requirement already since Expat 2.2.2 of 2017)
* Autotools|CMake: Fix PACKAGE_BUGREPORT variable
* * Autotools|CMake: Make test suite require a C++11 compiler
* CMake: Require CMake >=3.5.0
* CMake: Lowercase off_t and size_t to help a bug in Meson
* CMake: Sort xmlwf sources alphabetically
* CMake|Windows: Fix generation of DLL file version info
* CMake: Build tests/benchmark/benchmark.c as well for
a build with -DEXPAT_BUILD_TESTS=ON
* * docs: Document the importance of isFinal + adjust tests
accordingly
* docs: Improve use of "NULL" and "null"
* docs: Be specific about version of XML (XML 1.0r4)
and version of C (C99); (XML 1.0r5 will need a sponsor.)
* docs: reference.html: Promote function XML_ParseBuffer more
* docs: reference.html: Add HTML anchors to XML_* macros
* docs: reference.html: Upgrade to OK.css 1.2.0
* * docs: Fix typos
* docs|CI: Use HTTPS URLs instead of HTTP at various places
* * ..
* * ..
* * Address compiler warnings
* * Address clang-tidy warnings
* * Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
for what these numbers do
Infrastructure:
* * docs: Document security policy in file SECURITY.md
* docs: Improve parse buffer variables in-code documentation
* * ..
* * ..
* * * Refactor coverage and conformance tests
* * Refactor debug level variables to unsigned long
* Improve handling of empty environment variable value
in function getDebugLevel (without visible user effect)
* * ..
* * ..
* * tests: Improve test coverage with regard to parse chunk size
* * * Fuzzing: Improve fuzzing coverage
* * Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests
* * CI: Resolve some Travis CI leftovers
* CI: Be robust towards absence of Git tags
* * CI: Set permissions to "contents: read" for security
* CI: Pin all GitHub Actions to specific commits for security
* CI: Reject spelling errors using codespell
* CI: Enforce clang-tidy clean code
* * ..
* * CI: Upgrade Clang from 15 to 18
* CI: Start using Clang's Control Flow Integrity sanitizer
* * * CI: Adapt to breaking changes in GitHub Actions Ubuntu images
* CI: Adapt to breaking changes in Clang/LLVM Debian packaging
* CI: Adapt to breaking changes in codespell
* CI: Adapt to breaking changes in Cppcheck
|
| 2024-01-13 21:07:34 by Taylor R Campbell | Files touched by this commit (24) |
Log message:
*/builtin.mk: Use ${_CROSS_DESTDIR:U} for build-time file checks.
These are questions about the target system, whose files at
build-time are all relative to ${_CROSS_DESTDIR} if it is defined,
i.e., if USE_CROSS_COMPILE is set to yes.
No change to native builds because ${_CROSS_DESTDIR:U} is empty in
them. (Possible minor change by adding :Q to ${H_FOO} in command
lines, but if this makes a difference it likely fixes problems.)
|
| 2022-10-26 12:38:21 by Thomas Klausner | Files touched by this commit (1) |
Log message: expat: pkglint cleanup |
| 2022-10-26 12:37:47 by Thomas Klausner | Files touched by this commit (2) | |
Log message:
expat: update to 2.5.0.
Release 2.5.0 Tue October 25 2022
Security fixes:
#616 #649 #650 CVE-2022-43680 -- Fix heap use-after-free after overeager
destruction of a shared DTD in function
XML_ExternalEntityParserCreate in out-of-memory situations.
Expected impact is denial of service or potentially
arbitrary code execution.
Bug fixes:
#612 #645 Fix curruption from undefined entities
#613 #654 Fix case when parsing was suspended while processing nested
entities
#616 #652 #653 Stop leaking opening tag bindings after a closing tag
mismatch error where a parser is reset through
XML_ParserReset and then reused to parse
#656 CMake: Fix generation of pkg-config file
#658 MinGW|CMake: Fix static library name
Other changes:
#663 Protect header expat_config.h from multiple inclusion
#666 examples: Make use of XML_GetBuffer and be more
consistent across examples
#648 Address compiler warnings
#667 #668 Version info bumped from 9:9:8 to 9:10:8;
see https://verbump.de/ for what these numbers do
Special thanks to:
Jann Horn
Mark Brand
Osyotr
Rhodri James
and
Google Project Zero
|
| 2022-09-21 12:52:51 by Thomas Klausner | Files touched by this commit (2) | |
Log message:
expat: update to 2.4.9.
Release 2.4.9 Tue September 20 2022
Security fixes:
#629 #640 CVE-2022-40674 -- Heap use-after-free vulnerability in
function doContent. Expected impact is denial of service
or potentially arbitrary code execution.
Bug fixes:
#634 MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0
#614 docs: Fix documentation on effect of switch XML_DTD on
symbol visibility in doc/reference.html
Other changes:
#638 MinGW: Make fix-xmltest-log.sh drop more Wine bug output
#596 #625 Autotools: Sync CMake templates with CMake 3.22
#608 CMake: Migrate from use of CMAKE_*_POSTFIX to
dedicated variables EXPAT_*_POSTFIX to stop affecting
other projects
#597 #599 Windows|CMake: Add missing -DXML_STATIC to test runners
and fuzzers
#512 #621 Windows|CMake: Render .def file from a template to fix
linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
#611 #621 MinGW|CMake: Apply MSVC .def file when linking
#622 #624 MinGW|CMake: Sync library name with GNU Autotools,
i.e. produce libexpat-1.dll rather than libexpat.dll
by default. Filename libexpat.dll.a is unaffected.
#632 MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in
toolchain file "cmake/mingw-toolchain.cmake" to avoid
error "windres: Command not found" on e.g. Ubuntu 20.04
#597 #627 CMake: Unify inconsistent use of set() and option() in
context of public build time options to take need for
set(.. FORCE) in projects using Expat by means of
add_subdirectory(..) off Expat's users' shoulders
#626 #641 Stop exporting API symbols when building a static library
#644 Resolve use of deprecated "fgrep" by "grep -F"
#620 CMake: Make documentation on variables a bit more consistent
#636 CMake: Drop leading whitespace from a #cmakedefine line in
file expat_config.h.cmake
#594 xmlwf: Fix harmless variable mix-up in function nsattcmp
#592 #593 #610 Address Cppcheck warnings
#643 Address Clang 15 compiler warnings
#642 #644 Version info bumped from 9:8:8 to 9:9:8;
see https://verbump.de/ for what these numbers do
Infrastructure:
#597 #598 CI: Windows: Start covering MSVC 2022
#619 CI: macOS: Migrate off deprecated macOS 10.15
#632 CI: Linux: Make migration off deprecated Ubuntu 18.04 work
#643 CI: Upgrade Clang from 14 to 15
#637 apply-clang-format.sh: Add support for BSD find
#633 coverage.sh: Exclude MinGW headers
#635 coverage.sh: Fix name collision for -funsigned-char
Special thanks to:
David Faure
Felix Wilhelm
Frank Bergmann
Rhodri James
Rosen Penev
Thijs Schreijer
Vincent Torri
and
Google Project Zero
Release 2.4.8 Mon March 28 2022
Other changes:
#587 pkg-config: Move "-lm" to section \
"Libs.private"
#587 CMake|MSVC: Fix pkg-config section "Libs"
#55 #582 CMake|macOS: Start using linker arguments
"-compatibility_version <version>" and
"-current_version <version>" in a way \
compatible with
GNU Libtool
#590 #591 Version info bumped from 9:7:8 to 9:8:8;
see https://verbump.de/ for what these numbers do
Infrastructure:
#589 CI: Upgrade Clang from 13 to 14
Special thanks to:
evpobr
Kai Pastor
Sam James
|
| 2022-03-05 09:53:04 by Thomas Klausner | Files touched by this commit (2) | |
Log message:
expat: update to 2.4.7.
Release 2.4.7 Fri March 4 2022
Bug fixes:
#572 #577 Relax fix to CVE-2022-25236 (introduced with release 2.4.5)
with regard to all valid URI characters (RFC 3986),
i.e. the following set (excluding whitespace):
ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz
0123456789 % -._~ :/?#[]@ !$&'()*+,;=
Other changes:
#555 #570 #581 CMake|Windows: Store Expat version in the DLL
#577 Document consequences of namespace separator choices not just
in doc/reference.html but also in header <expat.h>
#577 Document Expat's lack of validation of namespace URIs against
RFC 3986, and that the XML 1.0r4 specification doesn't
require Expat to validate namespace URIs, and that Expat
may do more in that regard in future releases.
If you find need for strict RFC 3986 URI validation on
application level today, https://uriparser.github.io/ may
be of interest.
#579 Fix documentation of XML_EndDoctypeDeclHandler in <expat.h>
#575 Document that a call to XML_FreeContentModel can be done at
a later time from outside the element declaration handler
#574 Make hardcoded namespace URIs easier to find in code
#573 Update documentation on use of XML_POOR_ENTOPY on Solaris
#569 #571 tests: Resolve use of macros NAN and INFINITY for GNU G++
4.8.2 on Solaris.
#578 #580 Version info bumped from 9:6:8 to 9:7:8;
see https://verbump.de/ for what these numbers do
|
New packages: