./textproc/expat, XML parser library written in C


Branch: CURRENT, Version: 2.6.2, Package name: expat-2.6.2, Maintainer: pkgsrc-users

This is James Clark's expat XML parser library in C. It is a stream-oriented
parser that requires setting handlers to deal with the structure that the
parser discovers in the document.


Filesize: 746.103 KB

CVS history:


   2024-03-14 10:15:57 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
expat: update to 2.6.2.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! <blink>Expat is UNDERSTAFFED and WITHOUT FUNDING.</blink>                 !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Release 2.6.2 Wed March 13 2024
        Security fixes:
       #839 #842  CVE-2024-28757 -- Prevent billion laughs attacks with
                    isolated use of external parsers.  Please see the commit
                    message of commit 1d50b80cf31de87750103656f6eb693746854aa8
                    for details.

        Bug fixes:
       #839 #841  Reject direct parameter entity recursion
                    and avoid the related undefined behavior

        Other changes:
            #847  Autotools: Fix build for DOCBOOK_TO_MAN containing spaces
            #837  Add missing #821 and #824 to 2.6.1 change log
       #838 #843  Version info bumped from 10:1:9 (libexpat*.so.1.9.1)
                    to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/
                    for what these numbers do

        Special thanks to:
            Philippe Antoine
            Tomas Korbar
                 and
            Clang UndefinedBehaviorSanitizer
            OSS-Fuzz / ClusterFuzz

   2024-03-01 07:50:02 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
expat: updated to 2.6.1

Release 2.6.1

Bug fixes:
  Make tests independent of CPU speed, and thus more robust
  Expose billion laughs API with XML_DTD defined and
    XML_GE undefined, regression from 2.6.0

Other changes:
  Hide test-only code behind new internal macro
  Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P
  Address compiler warnings
  Version info bumped from 10:0:9 (libexpat*.so.1.9.0)
     to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/
     for what these numbers do

Infrastructure:
  CI: Adapt to breaking changes in clang-format

   2024-02-07 14:19:26 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
expat: updated to 2.6.0

Release 2.6.0 Tue February 6 2024
    Security fixes:
  * *  CVE-2023-52425 -- Fix quadratic runtime issues with big tokens
               that can cause denial of service, in particular when
               dealing with compressed XML input.  Applications
               that parsed a document in one go -- a single call to
               functions XML_Parse or XML_ParseBuffer -- were not affected.
               The smaller the chunks/buffers you use for parsing
               previously, the bigger the problem prior to the fix.
               Backporters should be careful to not omit parts of
               pull request * and to include earlier pull request *,
               in order to not break the fix.
       *  CVE-2023-52426 -- Fix billion laughs attacks for users
               compiling *without* XML_DTD defined (which is not common).
               Users with XML_DTD defined have been protected since
               Expat >=2.4.0 (and that was CVE-2013-0340 back then).

    Bug fixes:
        *  Fix parse-size-dependent "invalid token" error for
                external entities that start with a byte order mark
        *  Fix NULL pointer dereference in setContext via
                XML_ExternalEntityParserCreate for compilation with
                XML_DTD undefined
   * *  Protect against closing entities out of order

    Other changes:
        *  Improve support for arc4random/arc4random_buf
   * *  Improve buffer growth in XML_GetBuffer and XML_Parse
   * *  xmlwf: Support --help and --version
   * *  xmlwf: Support custom buffer size for XML_GetBuffer and read
        *  xmlwf: Improve language and URL clickability in help output
        *  examples: Add new example "element_declarations.c"
        *  Be stricter about macro XML_CONTEXT_BYTES at build time
        *  Make inclusion to expat_config.h consistent
   * *  Autotools: configure.ac: Support --disable-maintainer-mode
* * ..
  * * *  Autotools: Sync CMake templates with CMake 3.26
        *  Autotools: Make installation of shipped man page doc/xmlwf.1
                independent of docbook2man availability
        *  Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
                section "Cflags.private" in order to fix compilation
                against static libexpat using pkg-config on Windows
   * *  Autotools|CMake: Require a C99 compiler
                (a de-facto requirement already since Expat 2.2.2 of 2017)
        *  Autotools|CMake: Fix PACKAGE_BUGREPORT variable
   * *  Autotools|CMake: Make test suite require a C++11 compiler
        *  CMake: Require CMake >=3.5.0
        *  CMake: Lowercase off_t and size_t to help a bug in Meson
        *  CMake: Sort xmlwf sources alphabetically
        *  CMake|Windows: Fix generation of DLL file version info
        *  CMake: Build tests/benchmark/benchmark.c as well for
                a build with -DEXPAT_BUILD_TESTS=ON
   * *  docs: Document the importance of isFinal + adjust tests
                accordingly
        *  docs: Improve use of "NULL" and "null"
        *  docs: Be specific about version of XML (XML 1.0r4)
                and version of C (C99); (XML 1.0r5 will need a sponsor.)
        *  docs: reference.html: Promote function XML_ParseBuffer more
        *  docs: reference.html: Add HTML anchors to XML_* macros
        *  docs: reference.html: Upgrade to OK.css 1.2.0
   * *  docs: Fix typos
        *  docs|CI: Use HTTPS URLs instead of HTTP at various places
* * ..
* * ..
   * *  Address compiler warnings
   * *  Address clang-tidy warnings
   * *  Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
                to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
                for what these numbers do

    Infrastructure:
   * *  docs: Document security policy in file SECURITY.md
        *  docs: Improve parse buffer variables in-code documentation
* * ..
* * ..
  * * *  Refactor coverage and conformance tests
   * *  Refactor debug level variables to unsigned long
        *  Improve handling of empty environment variable value
                in function getDebugLevel (without visible user effect)
* * ..
* * ..
   * *  tests: Improve test coverage with regard to parse chunk size
  * * *  Fuzzing: Improve fuzzing coverage
   * *  Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests
   * *  CI: Resolve some Travis CI leftovers
        *  CI: Be robust towards absence of Git tags
   * *  CI: Set permissions to "contents: read" for security
        *  CI: Pin all GitHub Actions to specific commits for security
        *  CI: Reject spelling errors using codespell
        *  CI: Enforce clang-tidy clean code
* * ..
   * *  CI: Upgrade Clang from 15 to 18
        *  CI: Start using Clang's Control Flow Integrity sanitizer
  * * *  CI: Adapt to breaking changes in GitHub Actions Ubuntu images
        *  CI: Adapt to breaking changes in Clang/LLVM Debian packaging
        *  CI: Adapt to breaking changes in codespell
        *  CI: Adapt to breaking changes in Cppcheck

   2024-01-13 21:07:34 by Taylor R Campbell | Files touched by this commit (24)
Log message:
*/builtin.mk: Use ${_CROSS_DESTDIR:U} for build-time file checks.

These are questions about the target system, whose files at
build-time are all relative to ${_CROSS_DESTDIR} if it is defined,
i.e., if USE_CROSS_COMPILE is set to yes.

No change to native builds because ${_CROSS_DESTDIR:U} is empty in
them.  (Possible minor change by adding :Q to ${H_FOO} in command
lines, but if this makes a difference it likely fixes problems.)

   2022-10-26 12:38:21 by Thomas Klausner | Files touched by this commit (1)
Log message:
expat: pkglint cleanup

   2022-10-26 12:37:47 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
expat: update to 2.5.0.

Release 2.5.0 Tue October 25 2022
        Security fixes:
  #616 #649 #650  CVE-2022-43680 -- Fix heap use-after-free after overeager
                    destruction of a shared DTD in function
                    XML_ExternalEntityParserCreate in out-of-memory situations.
                    Expected impact is denial of service or potentially
                    arbitrary code execution.

        Bug fixes:
       #612 #645  Fix corruption from undefined entities
       #613 #654  Fix case when parsing was suspended while processing nested
                    entities
  #616 #652 #653  Stop leaking opening tag bindings after a closing tag
                    mismatch error where a parser is reset through
                    XML_ParserReset and then reused to parse
            #656  CMake: Fix generation of pkg-config file
            #658  MinGW|CMake: Fix static library name

        Other changes:
            #663  Protect header expat_config.h from multiple inclusion
            #666  examples: Make use of XML_GetBuffer and be more
                    consistent across examples
            #648  Address compiler warnings
       #667 #668  Version info bumped from 9:9:8 to 9:10:8;
                    see https://verbump.de/ for what these numbers do

        Special thanks to:
            Jann Horn
            Mark Brand
            Osyotr
            Rhodri James
                 and
            Google Project Zero

   2022-09-21 12:52:51 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
expat: update to 2.4.9.

Release 2.4.9 Tue September 20 2022
        Security fixes:
       #629 #640  CVE-2022-40674 -- Heap use-after-free vulnerability in
                    function doContent. Expected impact is denial of service
                    or potentially arbitrary code execution.

        Bug fixes:
            #634  MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0
            #614  docs: Fix documentation on effect of switch XML_DTD on
                    symbol visibility in doc/reference.html

        Other changes:
            #638  MinGW: Make fix-xmltest-log.sh drop more Wine bug output
       #596 #625  Autotools: Sync CMake templates with CMake 3.22
            #608  CMake: Migrate from use of CMAKE_*_POSTFIX to
                    dedicated variables EXPAT_*_POSTFIX to stop affecting
                    other projects
       #597 #599  Windows|CMake: Add missing -DXML_STATIC to test runners
                    and fuzzers
       #512 #621  Windows|CMake: Render .def file from a template to fix
                    linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
       #611 #621  MinGW|CMake: Apply MSVC .def file when linking
       #622 #624  MinGW|CMake: Sync library name with GNU Autotools,
                    i.e. produce libexpat-1.dll rather than libexpat.dll
                    by default.  Filename libexpat.dll.a is unaffected.
            #632  MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in
                    toolchain file "cmake/mingw-toolchain.cmake" to avoid
                    error "windres: Command not found" on e.g. Ubuntu 20.04
       #597 #627  CMake: Unify inconsistent use of set() and option() in
                    context of public build time options to take need for
                    set(.. FORCE) in projects using Expat by means of
                    add_subdirectory(..) off Expat's users' shoulders
       #626 #641  Stop exporting API symbols when building a static library
            #644  Resolve use of deprecated "fgrep" by "grep -F"
            #620  CMake: Make documentation on variables a bit more consistent
            #636  CMake: Drop leading whitespace from a #cmakedefine line in
                    file expat_config.h.cmake
            #594  xmlwf: Fix harmless variable mix-up in function nsattcmp
  #592 #593 #610  Address Cppcheck warnings
            #643  Address Clang 15 compiler warnings
       #642 #644  Version info bumped from 9:8:8 to 9:9:8;
                    see https://verbump.de/ for what these numbers do

        Infrastructure:
       #597 #598  CI: Windows: Start covering MSVC 2022
            #619  CI: macOS: Migrate off deprecated macOS 10.15
            #632  CI: Linux: Make migration off deprecated Ubuntu 18.04 work
            #643  CI: Upgrade Clang from 14 to 15
            #637  apply-clang-format.sh: Add support for BSD find
            #633  coverage.sh: Exclude MinGW headers
            #635  coverage.sh: Fix name collision for -funsigned-char

        Special thanks to:
            David Faure
            Felix Wilhelm
            Frank Bergmann
            Rhodri James
            Rosen Penev
            Thijs Schreijer
            Vincent Torri
                 and
            Google Project Zero

Release 2.4.8 Mon March 28 2022
        Other changes:
            #587  pkg-config: Move "-lm" to section "Libs.private"
            #587  CMake|MSVC: Fix pkg-config section "Libs"
        #55 #582  CMake|macOS: Start using linker arguments
                    "-compatibility_version <version>" and
                    "-current_version <version>" in a way compatible with
                    GNU Libtool
       #590 #591  Version info bumped from 9:7:8 to 9:8:8;
                    see https://verbump.de/ for what these numbers do

        Infrastructure:
            #589  CI: Upgrade Clang from 13 to 14

        Special thanks to:
            evpobr
            Kai Pastor
            Sam James

   2022-03-05 09:53:04 by Thomas Klausner | Files touched by this commit (2) | Package updated
Log message:
expat: update to 2.4.7.

Release 2.4.7 Fri March 4 2022
        Bug fixes:
       #572 #577  Relax fix to CVE-2022-25236 (introduced with release 2.4.5)
                    with regard to all valid URI characters (RFC 3986),
                    i.e. the following set (excluding whitespace):
                    ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz
                    0123456789 % -._~ :/?#[]@ !$&'()*+,;=

        Other changes:
  #555 #570 #581  CMake|Windows: Store Expat version in the DLL
            #577  Document consequences of namespace separator choices not just
                    in doc/reference.html but also in header <expat.h>
            #577  Document Expat's lack of validation of namespace URIs against
                    RFC 3986, and that the XML 1.0r4 specification doesn't
                    require Expat to validate namespace URIs, and that Expat
                    may do more in that regard in future releases.
                    If you find need for strict RFC 3986 URI validation on
                    application level today, https://uriparser.github.io/ may
                    be of interest.
            #579  Fix documentation of XML_EndDoctypeDeclHandler in <expat.h>
            #575  Document that a call to XML_FreeContentModel can be done at
                    a later time from outside the element declaration handler
            #574  Make hardcoded namespace URIs easier to find in code
            #573  Update documentation on use of XML_POOR_ENTROPY on Solaris
       #569 #571  tests: Resolve use of macros NAN and INFINITY for GNU G++
                    4.8.2 on Solaris.
       #578 #580  Version info bumped from 9:6:8 to 9:7:8;
                    see https://verbump.de/ for what these numbers do