Subject: CVS commit: pkgsrc/textproc/expat
From: Adam Ciarcinski
Date: 2024-09-04 15:08:26
Message id: 20240904130826.54C2CFC74@cvs.NetBSD.org

Log Message:
expat: updated to 2.6.3

Release 2.6.3 Wed September 4 2024
 Security fixes:
      CVE-2024-45490 -- Calling function XML_ParseBuffer with
             len < 0 without noticing and then calling XML_GetBuffer
             will have XML_ParseBuffer fail to recognize the problem
             and XML_GetBuffer corrupt memory.
             With the fix, XML_ParseBuffer now complains with error
             XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse
             has been doing since Expat 2.2.1, and now documented.
             Impact is denial of service to potentially arbitrary code
             execution.
      CVE-2024-45491 -- Internal function dtdCopy can have an
             integer overflow for nDefaultAtts on 32-bit platforms
             (where UINT_MAX equals SIZE_MAX).
             Impact is denial of service to potentially arbitrary code
             execution.
      CVE-2024-45492 -- Internal function nextScaffoldPart can
             have an integer overflow for m_groupSize on 32-bit
             platforms (where UINT_MAX equals SIZE_MAX).
             Impact is denial of service to potentially arbitrary code
             execution.

 Other changes:
      Autotools: Sync CMake templates with CMake 3.28
      Autotools: Always provide path to find(1) for portability
      Autotools: Ensure that the m4 directory always exists.
      Autotools: Simplify handling of SIZEOF_VOID_P
      Autotools: Support non-GNU sed
      Autotools|CMake: Fix main() to main(void)
      Autotools|CMake: Fix compile tests for HAVE_SYSCALL_GETRANDOM
      Autotools|CMake: Stop requiring dos2unix
      CMake: Fix check for symbols size_t and off_t
      docs|tests: Convert README to Markdown and update
      Windows: Drop support for Visual Studio <=15.0/2017
      Drop needless XML_DTD guards around is_param access
      Fix typo in a code comment
      Version info bumped from 10:2:9 (libexpat*.so.1.9.2)
             to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/
             for what these numbers do

 Infrastructure:
      Readme: Promote the call for help
      CI: Fix various issues
      CI: Allow triggering GitHub Actions workflows manually
    ..
      CI: Adapt to breaking changes in GitHub Actions

Files:
Revision  Action  File
1.58      modify  pkgsrc/textproc/expat/Makefile
1.51      modify  pkgsrc/textproc/expat/distinfo
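
Added example (not from the expat sources or from this commit): the 32-bit wraparound condition named for CVE-2024-45491 and CVE-2024-45492, modeled with uint32_t standing in for a 32-bit size_t, next to an overflow-checked size computation. The 12-byte element size, the type name size32_t and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of a 32-bit target, where size_t is as wide as unsigned int
   (UINT_MAX equals SIZE_MAX). Assumption: not an expat type. */
typedef uint32_t size32_t;

/* Hypothetical record size; the page does not give the real one. */
#define ELEM_SIZE 12u

/* Unchecked: count * ELEM_SIZE wraps modulo 2^32, so a huge count
   yields a tiny byte size and an undersized allocation. */
size32_t unchecked_bytes(uint32_t count) {
    return (size32_t)((size32_t)count * ELEM_SIZE);
}

/* Checked: reject any count whose byte size does not fit in size32_t.
   Returns 1 and stores the size on success, 0 on overflow. */
int checked_bytes(uint32_t count, size32_t *out) {
    if (count > UINT32_MAX / ELEM_SIZE)
        return 0;
    *out = (size32_t)((size32_t)count * ELEM_SIZE);
    return 1;
}

/* With a 64-bit size_t the same 32-bit count cannot wrap, which is
   why the issue is limited to 32-bit platforms. */
uint64_t bytes_64(uint32_t count) {
    return (uint64_t)count * ELEM_SIZE;
}

int main(void) {
    /* Constructed input: smallest count whose size exceeds 2^32 - 1. */
    uint32_t count = 357913942u;
    size32_t n = 0;

    printf("unchecked 32-bit size: %u bytes\n", (unsigned)unchecked_bytes(count));
    printf("checked 32-bit size:   %s\n",
           checked_bytes(count, &n) ? "accepted" : "rejected (overflow)");
    printf("64-bit size:           %llu bytes\n",
           (unsigned long long)bytes_64(count));
    return 0;
}
```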