Navigation:
Browse pkgsrc
(this page)
textproc expat
CVSweb ] [ 
Homepage ] [ 
RSS ] [ 
Required by ] [ 
Add to tracker ] 2025-03-30 09:48:15 by Thomas Klausner | Files touched by this commit (3) |  |
Log message:
expat: update to 2.7.1.
Release 2.7.1 Thu March 27 2025
Bug fixes:
#980 #989 Restore event pointer behavior from Expat 2.6.4
(that the fix to CVE-2024-8176 changed in 2.7.0);
affected API functions are:
- XML_GetCurrentByteCount
- XML_GetCurrentByteIndex
- XML_GetCurrentColumnNumber
- XML_GetCurrentLineNumber
- XML_GetInputContext
Other changes:
#976 #977 Autotools: Integrate files \
"fuzz/xml_lpm_fuzzer.{cpp,proto}"
with Automake that were missing from 2.7.0 release tarballs
#983 #984 Fix printf format specifiers for 32bit Emscripten
#992 docs: Promote OpenSSF Best Practices self-certification
#978 tests/benchmark: Resolve mistaken double close
#986 Address compiler warnings
#990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
for what these numbers do
Infrastructure:
#982 CI: Start running Perl XML::Parser integration tests
#987 CI: Enforce Clang Static Analyzer clean code
#991 CI: Re-enable warning clang-analyzer-valist.Uninitialized
for clang-tidy
#981 CI: Cover compilation with musl
#983 #984 CI: Cover compilation with 32bit Emscripten
#976 #977 CI: Protect against fuzzer files missing from future
release archives
Release 2.7.0 Thu March 13 2025
Security fixes:
#893 #973 CVE-2024-8176 -- Fix crash from chaining a large number
of entities caused by stack overflow by resolving use of
recursion, for all three uses of entities:
- general entities in character data \
("<e>&g1;</e>")
- general entities in attribute values ("<e \
k1='&g1;'/>")
- parameter entities ("%p1;")
Known impact is (reliable and easy) denial of service:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
(Base Score: 7.5, Temporal Score: 7.2)
Please note that a layer of compression around XML can
significantly reduce the minimum attack payload size.
Other changes:
#935 #937 Autotools: Make generated CMake files look for
libexpat.@SO_MAJOR@.dylib on macOS
#925 Autotools: Sync CMake templates with CMake 3.29
#945 #962 #966 CMake: Drop support for CMake <3.13
#942 CMake: Small fuzzing related improvements
#921 docs: Add missing documentation of error code
XML_ERROR_NOT_STARTED that was introduced with 2.6.4
#941 docs: Document need for C++11 compiler for use from C++
#959 tests/benchmark: Fix a (harmless) TOCTTOU
#944 Windows: Fix installer target location of file xmlwf.xml
for CMake
#953 Windows: Address warning -Wunknown-warning-option
about -Wno-pedantic-ms-format from LLVM MinGW
#971 Address Cppcheck warnings
#969 #970 Mass-migrate links from http:// to https://
#947 #958 ..
#974 #975 Document changes since the previous release
#974 #975 Version info bumped from 11:0:10 (libexpat*.so.1.10.0)
to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/
for what these numbers do
Infrastructure:
#926 tests: Increase robustness
#927 #932 ..
#930 #933 tests: Increase test coverage
#617 #950 ..
#951 #952 ..
#954 #955 .. Fuzzing: Add new fuzzer "xml_lpm_fuzzer" based on
#961 Google's libprotobuf-mutator ("LPM")
#957 Fuzzing|CI: Start producing fuzzing code coverage reports
#936 CI: Pass -q -q for LCOV >=2.1 in coverage.sh
#942 CI: Small fuzzing related improvements
#139 #203 ..
#791 #946 CI: Make GitHub Actions build using MSVC on Windows and
produce 32bit and 64bit Windows binaries
#956 CI: Get off of about-to-be-removed Ubuntu 20.04
#960 #964 CI: Start uploading to Coverity Scan for static analysis
#972 CI: Stop loading DTD from the internet to address flaky CI
#971 CI: Adapt to breaking changes in Cppcheck
|
| 2024-12-18 16:03:59 by Brook Milligan | Files touched by this commit (2) |
Log message:
textproc/expat: fix file used by other packages to find installed library
On Darwin, the installed expat shared library includes only the major
version number, not minor version and patch, in the name. The
corresponding configure check, however, looks for the full name with
all three parts and fails.
The same problem occurs on Windows and is discussed in issue 485, even
mentioning that Darwin likely has the same issue:
https://github.com/libexpat/libexpat/issues/485
For some reason, the fix (removing minor and patch versions from the
cmake file used by configure) was applied for Windows but not for
Darwin.
See the upstream issue:
https://github.com/libexpat/libexpat/issues/935
which was closed with
https://github.com/libexpat/libexpat/pull/937
--- cmake/autotools/expat-noconfig__macos.cmake.in.orig 2023-08-26 \
12:27:53.000000000 +0000
+++ cmake/autotools/expat-noconfig__macos.cmake.in
@@ -8,12 +8,12 @@ set(CMAKE_IMPORT_FILE_VERSION 1)
# Import target "expat::expat" for configuration "NoConfig"
set_property(TARGET expat::expat APPEND PROPERTY IMPORTED_CONFIGURATIONS NOCONFIG)
set_target_properties(expat::expat PROPERTIES
- IMPORTED_LOCATION_NOCONFIG \
"${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.@SO_MAJOR@.@SO_MINOR@.@SO_PAT \
CH@.dylib"
+ IMPORTED_LOCATION_NOCONFIG \
"${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.@SO_MAJOR@.dylib"
IMPORTED_SONAME_NOCONFIG "@rpath/libexpat.@SO_MAJOR@.dylib"
)
list(APPEND _cmake_import_check_targets expat::expat )
-list(APPEND _cmake_import_check_files_for_expat::expat \
"${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.@SO_MAJOR@.@SO_MINOR@.@SO_PATCH@.dylib" \
)
+list(APPEND _cmake_import_check_files_for_expat::expat \
"${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.@SO_MAJOR@.dylib" )
# Commands beyond this point should not need to know the version.
set(CMAKE_IMPORT_FILE_VERSION)
|
| 2024-09-04 15:08:26 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
expat: updated to 2.6.3
Release 2.6.3 Wed September 4 2024
Security fixes:
CVE-2024-45490 -- Calling function XML_ParseBuffer with
len < 0 without noticing and then calling XML_GetBuffer
will have XML_ParseBuffer fail to recognize the problem
and XML_GetBuffer corrupt memory.
With the fix, XML_ParseBuffer now complains with error
XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse
has been doing since Expat 2.2.1, and now documented.
Impact is denial of service to potentially artitrary code
execution.
CVE-2024-45491 -- Internal function dtdCopy can have an
integer overflow for nDefaultAtts on 32-bit platforms
(where UINT_MAX equals SIZE_MAX).
Impact is denial of service to potentially artitrary code
execution.
CVE-2024-45492 -- Internal function nextScaffoldPart can
have an integer overflow for m_groupSize on 32-bit
platforms (where UINT_MAX equals SIZE_MAX).
Impact is denial of service to potentially artitrary code
execution.
Other changes:
Autotools: Sync CMake templates with CMake 3.28
Autotools: Always provide path to find(1) for portability
Autotools: Ensure that the m4 directory always exists.
Autotools: Simplify handling of SIZEOF_VOID_P
Autotools: Support non-GNU sed
Autotools|CMake: Fix main() to main(void)
Autotools|CMake: Fix compile tests for HAVE_SYSCALL_GETRANDOM
Autotools|CMake: Stop requiring dos2unix
CMake: Fix check for symbols size_t and off_t
docs|tests: Convert README to Markdown and update
Windows: Drop support for Visual Studio <=15.0/2017
Drop needless XML_DTD guards around is_param access
Fix typo in a code comment
Version info bumped from 10:2:9 (libexpat*.so.1.9.2)
to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/
for what these numbers do
Infrastructure:
Readme: Promote the call for help
CI: Fix various issues
CI: Allow triggering GitHub Actions workflows manually
..
CI: Adapt to breaking changes in GitHub Actions
|
| 2024-03-14 10:15:57 by Thomas Klausner | Files touched by this commit (2) | |
Log message:
expat: update to 2.6.2.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! <blink>Expat is UNDERSTAFFED and WITHOUT FUNDING.</blink> \
!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Release 2.6.2 Wed March 13 2024
Security fixes:
#839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with
isolated use of external parsers. Please see the commit
message of commit 1d50b80cf31de87750103656f6eb693746854aa8
for details.
Bug fixes:
#839 #841 Reject direct parameter entity recursion
and avoid the related undefined behavior
Other changes:
#847 Autotools: Fix build for DOCBOOK_TO_MAN containing spaces
#837 Add missing #821 and #824 to 2.6.1 change log
#838 #843 Version info bumped from 10:1:9 (libexpat*.so.1.9.1)
to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/
for what these numbers do
Special thanks to:
Philippe Antoine
Tomas Korbar
and
Clang UndefinedBehaviorSanitizer
OSS-Fuzz / ClusterFuzz
|
| 2024-03-01 07:50:02 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
expat: updated to 2.6.1
Release 2.6.1
Bug fixes:
Make tests independent of CPU speed, and thus more robust
Expose billion laughs API with XML_DTD defined and
XML_GE undefined, regression from 2.6.0
Other changes:
Hide test-only code behind new internal macro
Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P
Address compiler warnings
Version info bumped from 10:0:9 (libexpat*.so.1.9.0)
to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/
for what these numbers do
Infrastructure:
CI: Adapt to breaking changes in clang-format
|
| 2024-02-07 14:19:26 by Adam Ciarcinski | Files touched by this commit (3) | |
Log message:
expat: updated to 2.6.0
Release 2.6.0 Tue February 6 2024
Security fixes:
* * CVE-2023-52425 -- Fix quadratic runtime issues with big tokens
that can cause denial of service, in partial where
dealing with compressed XML input. Applications
that parsed a document in one go -- a single call to
functions XML_Parse or XML_ParseBuffer -- were not affected.
The smaller the chunks/buffers you use for parsing
previously, the bigger the problem prior to the fix.
Backporters should be careful to no omit parts of
pull request * and to include earlier pull request *,
in order to not break the fix.
* CVE-2023-52426 -- Fix billion laughs attacks for users
compiling *without* XML_DTD defined (which is not common).
Users with XML_DTD defined have been protected since
Expat >=2.4.0 (and that was CVE-2013-0340 back then).
Bug fixes:
* Fix parse-size-dependent "invalid token" error for
external entities that start with a byte order mark
* Fix NULL pointer dereference in setContext via
XML_ExternalEntityParserCreate for compilation with
XML_DTD undefined
* * Protect against closing entities out of order
Other changes:
* Improve support for arc4random/arc4random_buf
* * Improve buffer growth in XML_GetBuffer and XML_Parse
* * xmlwf: Support --help and --version
* * xmlwf: Support custom buffer size for XML_GetBuffer and read
* xmlwf: Improve language and URL clickability in help output
* examples: Add new example "element_declarations.c"
* Be stricter about macro XML_CONTEXT_BYTES at build time
* Make inclusion to expat_config.h consistent
* * Autotools: configure.ac: Support --disable-maintainer-mode
* * ..
* * * Autotools: Sync CMake templates with CMake 3.26
* Autotools: Make installation of shipped man page doc/xmlwf.1
independent of docbook2man availability
* Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
section "Cflags.private" in order to fix compilation
against static libexpat using pkg-config on Windows
* * Autotools|CMake: Require a C99 compiler
(a de-facto requirement already since Expat 2.2.2 of 2017)
* Autotools|CMake: Fix PACKAGE_BUGREPORT variable
* * Autotools|CMake: Make test suite require a C++11 compiler
* CMake: Require CMake >=3.5.0
* CMake: Lowercase off_t and size_t to help a bug in Meson
* CMake: Sort xmlwf sources alphabetically
* CMake|Windows: Fix generation of DLL file version info
* CMake: Build tests/benchmark/benchmark.c as well for
a build with -DEXPAT_BUILD_TESTS=ON
* * docs: Document the importance of isFinal + adjust tests
accordingly
* docs: Improve use of "NULL" and "null"
* docs: Be specific about version of XML (XML 1.0r4)
and version of C (C99); (XML 1.0r5 will need a sponsor.)
* docs: reference.html: Promote function XML_ParseBuffer more
* docs: reference.html: Add HTML anchors to XML_* macros
* docs: reference.html: Upgrade to OK.css 1.2.0
* * docs: Fix typos
* docs|CI: Use HTTPS URLs instead of HTTP at various places
* * ..
* * ..
* * Address compiler warnings
* * Address clang-tidy warnings
* * Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
for what these numbers do
Infrastructure:
* * docs: Document security policy in file SECURITY.md
* docs: Improve parse buffer variables in-code documentation
* * ..
* * ..
* * * Refactor coverage and conformance tests
* * Refactor debug level variables to unsigned long
* Improve handling of empty environment variable value
in function getDebugLevel (without visible user effect)
* * ..
* * ..
* * tests: Improve test coverage with regard to parse chunk size
* * * Fuzzing: Improve fuzzing coverage
* * Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests
* * CI: Resolve some Travis CI leftovers
* CI: Be robust towards absence of Git tags
* * CI: Set permissions to "contents: read" for security
* CI: Pin all GitHub Actions to specific commits for security
* CI: Reject spelling errors using codespell
* CI: Enforce clang-tidy clean code
* * ..
* * CI: Upgrade Clang from 15 to 18
* CI: Start using Clang's Control Flow Integrity sanitizer
* * * CI: Adapt to breaking changes in GitHub Actions Ubuntu images
* CI: Adapt to breaking changes in Clang/LLVM Debian packaging
* CI: Adapt to breaking changes in codespell
* CI: Adapt to breaking changes in Cppcheck
|
| 2024-01-13 21:07:34 by Taylor R Campbell | Files touched by this commit (24) |
Log message:
*/builtin.mk: Use ${_CROSS_DESTDIR:U} for build-time file checks.
These are questions about the target system, whose files at
build-time are all relative to ${_CROSS_DESTDIR} if it is defined,
i.e., if USE_CROSS_COMPILE is set to yes.
No change to native builds because ${_CROSS_DESTDIR:U} is empty in
them. (Possible minor change by adding :Q to ${H_FOO} in command
lines, but if this makes a difference it likely fixes problems.)
|
| 2022-10-26 12:38:21 by Thomas Klausner | Files touched by this commit (1) |
Log message: expat: pkglint cleanup |
New packages: