Navigation:
Browse pkgsrc
(this page)
textproc expat
CVSweb ] [ 
Homepage ] [ 
RSS ] [ 
Required by ] [ 
Add to tracker ]| 2024-12-18 16:03:59 by Brook Milligan | Files touched by this commit (2) |
Log message:
textproc/expat: fix file used by other packages to find installed library
On Darwin, the installed expat shared library includes only the major
version number, not minor version and patch, in the name. The
corresponding configure check, however, looks for the full name with
all three parts and fails.
The same problem occurs on Windows and is discussed in issue 485, even
mentioning that Darwin likely has the same issue:
https://github.com/libexpat/libexpat/issues/485
For some reason, the fix (removing minor and patch versions from the
cmake file used by configure) was applied for Windows but not for
Darwin.
See the upstream issue:
https://github.com/libexpat/libexpat/issues/935
which was closed with
https://github.com/libexpat/libexpat/pull/937
--- cmake/autotools/expat-noconfig__macos.cmake.in.orig 2023-08-26 \
12:27:53.000000000 +0000
+++ cmake/autotools/expat-noconfig__macos.cmake.in
@@ -8,12 +8,12 @@ set(CMAKE_IMPORT_FILE_VERSION 1)
# Import target "expat::expat" for configuration "NoConfig"
set_property(TARGET expat::expat APPEND PROPERTY IMPORTED_CONFIGURATIONS NOCONFIG)
set_target_properties(expat::expat PROPERTIES
- IMPORTED_LOCATION_NOCONFIG \
"${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.@SO_MAJOR@.@SO_MINOR@.@SO_PAT \
CH@.dylib"
+ IMPORTED_LOCATION_NOCONFIG \
"${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.@SO_MAJOR@.dylib"
IMPORTED_SONAME_NOCONFIG "@rpath/libexpat.@SO_MAJOR@.dylib"
)
list(APPEND _cmake_import_check_targets expat::expat )
-list(APPEND _cmake_import_check_files_for_expat::expat \
"${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.@SO_MAJOR@.@SO_MINOR@.@SO_PATCH@.dylib" \
)
+list(APPEND _cmake_import_check_files_for_expat::expat \
"${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.@SO_MAJOR@.dylib" )
# Commands beyond this point should not need to know the version.
set(CMAKE_IMPORT_FILE_VERSION)
|
2024-09-04 15:08:26 by Adam Ciarcinski | Files touched by this commit (2) |  |
Log message:
expat: updated to 2.6.3
Release 2.6.3 Wed September 4 2024
Security fixes:
CVE-2024-45490 -- Calling function XML_ParseBuffer with
len < 0 without noticing and then calling XML_GetBuffer
will have XML_ParseBuffer fail to recognize the problem
and XML_GetBuffer corrupt memory.
With the fix, XML_ParseBuffer now complains with error
XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse
has been doing since Expat 2.2.1, and now documented.
Impact is denial of service to potentially artitrary code
execution.
CVE-2024-45491 -- Internal function dtdCopy can have an
integer overflow for nDefaultAtts on 32-bit platforms
(where UINT_MAX equals SIZE_MAX).
Impact is denial of service to potentially artitrary code
execution.
CVE-2024-45492 -- Internal function nextScaffoldPart can
have an integer overflow for m_groupSize on 32-bit
platforms (where UINT_MAX equals SIZE_MAX).
Impact is denial of service to potentially artitrary code
execution.
Other changes:
Autotools: Sync CMake templates with CMake 3.28
Autotools: Always provide path to find(1) for portability
Autotools: Ensure that the m4 directory always exists.
Autotools: Simplify handling of SIZEOF_VOID_P
Autotools: Support non-GNU sed
Autotools|CMake: Fix main() to main(void)
Autotools|CMake: Fix compile tests for HAVE_SYSCALL_GETRANDOM
Autotools|CMake: Stop requiring dos2unix
CMake: Fix check for symbols size_t and off_t
docs|tests: Convert README to Markdown and update
Windows: Drop support for Visual Studio <=15.0/2017
Drop needless XML_DTD guards around is_param access
Fix typo in a code comment
Version info bumped from 10:2:9 (libexpat*.so.1.9.2)
to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/
for what these numbers do
Infrastructure:
Readme: Promote the call for help
CI: Fix various issues
CI: Allow triggering GitHub Actions workflows manually
..
CI: Adapt to breaking changes in GitHub Actions
|
| 2024-03-14 10:15:57 by Thomas Klausner | Files touched by this commit (2) | |
Log message:
expat: update to 2.6.2.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! <blink>Expat is UNDERSTAFFED and WITHOUT FUNDING.</blink> \
!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Release 2.6.2 Wed March 13 2024
Security fixes:
#839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with
isolated use of external parsers. Please see the commit
message of commit 1d50b80cf31de87750103656f6eb693746854aa8
for details.
Bug fixes:
#839 #841 Reject direct parameter entity recursion
and avoid the related undefined behavior
Other changes:
#847 Autotools: Fix build for DOCBOOK_TO_MAN containing spaces
#837 Add missing #821 and #824 to 2.6.1 change log
#838 #843 Version info bumped from 10:1:9 (libexpat*.so.1.9.1)
to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/
for what these numbers do
Special thanks to:
Philippe Antoine
Tomas Korbar
and
Clang UndefinedBehaviorSanitizer
OSS-Fuzz / ClusterFuzz
|
| 2024-03-01 07:50:02 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
expat: updated to 2.6.1
Release 2.6.1
Bug fixes:
Make tests independent of CPU speed, and thus more robust
Expose billion laughs API with XML_DTD defined and
XML_GE undefined, regression from 2.6.0
Other changes:
Hide test-only code behind new internal macro
Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P
Address compiler warnings
Version info bumped from 10:0:9 (libexpat*.so.1.9.0)
to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/
for what these numbers do
Infrastructure:
CI: Adapt to breaking changes in clang-format
|
| 2024-02-07 14:19:26 by Adam Ciarcinski | Files touched by this commit (3) | |
Log message:
expat: updated to 2.6.0
Release 2.6.0 Tue February 6 2024
Security fixes:
* * CVE-2023-52425 -- Fix quadratic runtime issues with big tokens
that can cause denial of service, in partial where
dealing with compressed XML input. Applications
that parsed a document in one go -- a single call to
functions XML_Parse or XML_ParseBuffer -- were not affected.
The smaller the chunks/buffers you use for parsing
previously, the bigger the problem prior to the fix.
Backporters should be careful to no omit parts of
pull request * and to include earlier pull request *,
in order to not break the fix.
* CVE-2023-52426 -- Fix billion laughs attacks for users
compiling *without* XML_DTD defined (which is not common).
Users with XML_DTD defined have been protected since
Expat >=2.4.0 (and that was CVE-2013-0340 back then).
Bug fixes:
* Fix parse-size-dependent "invalid token" error for
external entities that start with a byte order mark
* Fix NULL pointer dereference in setContext via
XML_ExternalEntityParserCreate for compilation with
XML_DTD undefined
* * Protect against closing entities out of order
Other changes:
* Improve support for arc4random/arc4random_buf
* * Improve buffer growth in XML_GetBuffer and XML_Parse
* * xmlwf: Support --help and --version
* * xmlwf: Support custom buffer size for XML_GetBuffer and read
* xmlwf: Improve language and URL clickability in help output
* examples: Add new example "element_declarations.c"
* Be stricter about macro XML_CONTEXT_BYTES at build time
* Make inclusion to expat_config.h consistent
* * Autotools: configure.ac: Support --disable-maintainer-mode
* * ..
* * * Autotools: Sync CMake templates with CMake 3.26
* Autotools: Make installation of shipped man page doc/xmlwf.1
independent of docbook2man availability
* Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
section "Cflags.private" in order to fix compilation
against static libexpat using pkg-config on Windows
* * Autotools|CMake: Require a C99 compiler
(a de-facto requirement already since Expat 2.2.2 of 2017)
* Autotools|CMake: Fix PACKAGE_BUGREPORT variable
* * Autotools|CMake: Make test suite require a C++11 compiler
* CMake: Require CMake >=3.5.0
* CMake: Lowercase off_t and size_t to help a bug in Meson
* CMake: Sort xmlwf sources alphabetically
* CMake|Windows: Fix generation of DLL file version info
* CMake: Build tests/benchmark/benchmark.c as well for
a build with -DEXPAT_BUILD_TESTS=ON
* * docs: Document the importance of isFinal + adjust tests
accordingly
* docs: Improve use of "NULL" and "null"
* docs: Be specific about version of XML (XML 1.0r4)
and version of C (C99); (XML 1.0r5 will need a sponsor.)
* docs: reference.html: Promote function XML_ParseBuffer more
* docs: reference.html: Add HTML anchors to XML_* macros
* docs: reference.html: Upgrade to OK.css 1.2.0
* * docs: Fix typos
* docs|CI: Use HTTPS URLs instead of HTTP at various places
* * ..
* * ..
* * Address compiler warnings
* * Address clang-tidy warnings
* * Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
for what these numbers do
Infrastructure:
* * docs: Document security policy in file SECURITY.md
* docs: Improve parse buffer variables in-code documentation
* * ..
* * ..
* * * Refactor coverage and conformance tests
* * Refactor debug level variables to unsigned long
* Improve handling of empty environment variable value
in function getDebugLevel (without visible user effect)
* * ..
* * ..
* * tests: Improve test coverage with regard to parse chunk size
* * * Fuzzing: Improve fuzzing coverage
* * Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests
* * CI: Resolve some Travis CI leftovers
* CI: Be robust towards absence of Git tags
* * CI: Set permissions to "contents: read" for security
* CI: Pin all GitHub Actions to specific commits for security
* CI: Reject spelling errors using codespell
* CI: Enforce clang-tidy clean code
* * ..
* * CI: Upgrade Clang from 15 to 18
* CI: Start using Clang's Control Flow Integrity sanitizer
* * * CI: Adapt to breaking changes in GitHub Actions Ubuntu images
* CI: Adapt to breaking changes in Clang/LLVM Debian packaging
* CI: Adapt to breaking changes in codespell
* CI: Adapt to breaking changes in Cppcheck
|
| 2024-01-13 21:07:34 by Taylor R Campbell | Files touched by this commit (24) |
Log message:
*/builtin.mk: Use ${_CROSS_DESTDIR:U} for build-time file checks.
These are questions about the target system, whose files at
build-time are all relative to ${_CROSS_DESTDIR} if it is defined,
i.e., if USE_CROSS_COMPILE is set to yes.
No change to native builds because ${_CROSS_DESTDIR:U} is empty in
them. (Possible minor change by adding :Q to ${H_FOO} in command
lines, but if this makes a difference it likely fixes problems.)
|
| 2022-10-26 12:38:21 by Thomas Klausner | Files touched by this commit (1) |
Log message: expat: pkglint cleanup |
| 2022-10-26 12:37:47 by Thomas Klausner | Files touched by this commit (2) | |
Log message:
expat: update to 2.5.0.
Release 2.5.0 Tue October 25 2022
Security fixes:
#616 #649 #650 CVE-2022-43680 -- Fix heap use-after-free after overeager
destruction of a shared DTD in function
XML_ExternalEntityParserCreate in out-of-memory situations.
Expected impact is denial of service or potentially
arbitrary code execution.
Bug fixes:
#612 #645 Fix curruption from undefined entities
#613 #654 Fix case when parsing was suspended while processing nested
entities
#616 #652 #653 Stop leaking opening tag bindings after a closing tag
mismatch error where a parser is reset through
XML_ParserReset and then reused to parse
#656 CMake: Fix generation of pkg-config file
#658 MinGW|CMake: Fix static library name
Other changes:
#663 Protect header expat_config.h from multiple inclusion
#666 examples: Make use of XML_GetBuffer and be more
consistent across examples
#648 Address compiler warnings
#667 #668 Version info bumped from 9:9:8 to 9:10:8;
see https://verbump.de/ for what these numbers do
Special thanks to:
Jann Horn
Mark Brand
Osyotr
Rhodri James
and
Google Project Zero
|
New packages: