- update to 2.4.5 (bsc#1196171, bsc#1196169, bsc#1196168, 
  bsc#1196026, bsc#1196025):
    * Security fixes:
      - CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
        sequences (e.g. from start tag names) to the XML
        processing application on top of Expat can cause
        arbitrary damage (e.g. code execution) depending
        on how invalid UTF-8 is handled inside the XML
        processor; validation was not their job but Expat's.
        Exploits with code execution are known to exist.
      - CVE-2022-25236 -- Passing (one or more) namespace separator
        characters in "xmlns[:prefix]" attribute values
        made Expat send malformed tag names to the XML
        processor on top of Expat which can cause
        arbitrary damage (e.g. code execution) depending
        on such unexpectable cases are handled inside the XML
        processor; validation was not their job but Expat's.
        Exploits with code execution are known to exist.
      - CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
        that could be triggered by e.g. a 2 megabytes
        file with a large number of opening braces.
        Expected impact is denial of service or potentially
        arbitrary code execution.
      - CVE-2022-25314 -- Fix integer overflow in function copyString;
        only affects the encoding name parameter at parser creation
        time which is often hardcoded (rather than user input),
        takes a value in the gigabytes to trigger, and a 64-bit
        machine.  Expected impact is denial of service.
      - CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
        needs input in the gigabytes and a 64-bit machine.

• Files Changed
• Browse Source

- update to 2.4.4 (bsc#1195217, bsc#1195054):
  * Security fixes:
    - CVE-2022-23852 -- Fix signed integer overflow
      (undefined behavior) in function XML_GetBuffer
      that is also called by function XML_Parse internally)
      for when XML_CONTEXT_BYTES is defined to >0 (which is both
      common and default).
      Impact is denial of service or more.
    - CVE-2022-23990 -- Fix unsigned integer overflow in function
      doProlog triggered by large content in element type
      declarations when there is an element declaration handler
      present (from a prior call to XML_SetElementDeclHandler).
      Impact is denial of service or more.
  * Bug fixes:
    - xmlwf: Fix a memory leak on output file opening error
  * Other changes:
    - Version info bumped from 9:3:8 to 9:4:8;
      see https://verbump.de/ for what these numbers do
  * Drop unused file valid-xhtml10.png

• Files Changed
• Browse Source

- update to 2.4.3 (bsc#1194251, bsc#1194362, bsc#1194474, 
     bsc#1194476, bsc#1194477, bsc#1194478, bsc#1194479, bsc#1194480):
  * CVE-2021-45960 -- Fix issues with left shifts by >=29 places
    resulting in
       a) realloc acting as free
       b) realloc allocating too few bytes
       c) undefined behavior
    depending on architecture and precise value
    for XML documents with >=2^27+1 prefixed attributes
    on a single XML tag a la
    "<r xmlns:a='[..]' a:a123='[..]' [..] />"
    where XML_ParserCreateNS is used to create the parser
    (which needs argument "-n" when running xmlwf).
    Impact is denial of service, or more.
  * CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
    on variable m_groupSize in function doProlog leading
    to realloc acting as free.
    Impact is denial of service or more.
  * CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
    near memory allocation at multiple places.  Mitre assigned
    a dedicated CVE for each involved internal C function:
    - CVE-2022-22822 for function addBinding
    - CVE-2022-22823 for function build_model
    - CVE-2022-22824 for function defineAttribute
    - CVE-2022-22825 for function lookup
    - CVE-2022-22826 for function nextScaffoldPart
    - CVE-2022-22827 for function storeAtts
    Impact is denial of service or more.

• Files Changed
• Browse Source

- update to 2.4.2:
  * Link againgst libm for function "isnan"
  * Include expat_config.h as early as possible
  * Autotools: Include files with release archives:
    - buildconf.sh
    - fuzz/*.c
  * Autotools: Sync CMake templates
  * docs: Document that function XML_GetBuffer may return NULL
    when asking for a buffer of 0 (zero) bytes size
  * docs: Fix return value docs for both
    XML_SetBillionLaughsAttackProtection* functions
  * Version info bumped from 9:1:8 to 9:2:8

• Files Changed
• Browse Source

baserev update by copy to link target

• Files Changed
• Browse Source

- Update to 2.4.1:
  * Bug fixes:
    - Autotools: Fix installed header expat_config.h for multilib
      systems; regression introduced in 2.4.0 by pull request #486
  * Other changes:
    - Version info bumped from 9:0:8 to 9:1:8; see
      https://verbump.de/ for what these numbers do

- Update to 2.4.0: [CVE-2013-0340 "Billion Laughs"]
  * Security fixes:
    - CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
      (denial-of-service; flavors targeting CPU time or RAM or both,
      leveraging general entities or parameter entities or both)
      by tracking and limiting the input amplification factor
      (<amplification> := (<direct> + <indirect>) / <direct>).
      By conservative default, amplification up to a factor of 100.0
      is tolerated and rejection only starts after 8 MiB of output bytes
      (=<direct> + <indirect>) have been processed.
      The fix adds the following to the API:
      - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
        signals this specific condition.
      - Two new API functions ..
        - XML_SetBillionLaughsAttackProtectionMaximumAmplification and
        - XML_SetBillionLaughsAttackProtectionActivationThreshold
        .. to further tighten billion laughs protection parameters
        when desired.  Please see file "doc/reference.html" for details.
        If you ever need to increase the defaults for non-attack XML
        payload, please file a bug report with libexpat.
      - Two new XML_FEATURE_* constants ..
        - that can be queried using the XML_GetFeatureList function, and

• Files Changed
• Browse Source

baserev update by copy to link target

• Files Changed
• Browse Source

- Do not BuildRequire cmake: expat is part of the distro bootstrap
  cycle and any additional dependency makes the ring larger. In
  this case here, cmake was even only used to own a directory.

• Files Changed
• Browse Source

- update to 2.3.0:
  * When calling XML_ParseBuffer without a prior successful call to
    XML_GetBuffer as a user, no longer trigger undefined behavior
    (by adding an integer to a NULL pointer) but rather return
    XML_STATUS_ERROR and set the error code to (new) code
    XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer)
    of Clang 11 (but not Clang 9).
  * xmlwf: Exit status 2 was used for both:
    - malformed input files (documented) and
    - invalid command-line arguments (undocumented).
    case of invalid command-line arguments now
    has its own exit status 4, resolving the ambiguity.
  * Other changes

• Files Changed
• Browse Source

baserev update by copy to link target

• Files Changed
• Browse Source

- Update to 2.2.10:
  * Bug fixes:
    - Fix undefined behavior during parsing caused by pointer
      arithmetic with NULL pointers
    - Fix reading uninitialized variable during parsing
    - xmlwf: Add missing check for malloc NULL return
  * Other changes:
    - xmlwf: Document exit codes in xmlwf manpage and exit with code 3
      (rather than code 1) for output errors when used with "-d DIRECTORY"
    - Autotools: Use -Werror while configure tests the compiler for
      supported compile flags to avoid false positives
    - Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS, e.g.
      ensure that they have the last word over flags added while
      running ./configure
    - CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis
      on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
    - CMake: Detect and deny unsupported build combinations
      involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
    - CMake: Install pre-compiled shipped xmlwf.1 manpage in case
      of -DEXPAT_BUILD_DOCS=OFF
    - CMake: Fix use of Expat by means of add_subdirectory
    - CMake: Keep expat target name constant at "expat" (i.e. refrain
      from using the target name to control build artifact filenames)
    - CMake: Expose man page compilation as target "xmlwf-manpage"
    - CMake: Introduce option EXPAT_BUILD_PKGCONFIG to control
      generation of pkg-config file "expat.pc"
    - CMake: Add minimalistic support for building binary packages
      with CMake target "package"; based on CPack
    - CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with default
      OFF to build fuzzer code against OSS-Fuzz and related

• Files Changed
• Browse Source

baserev update by copy to link target

• Files Changed
• Browse Source

- Version update to 2.2.9
  * Other changes:
    - examples: Drop executable bits from elements.c
      #349  Windows: Change the name of the Windows DLLs from expat*.dll
            to libexpat*.dll once more (regression from 2.2.8, first
            fixed in 1.95.3, issue #61 on SourceForge today,
            was issue #432456 back then); needs a fix due
            case-insensitive file systems on Windows and the fact that
            Perl's XML::Parser::Expat compiles into Expat.dll.
      #347  Windows: Only define _CRT_RAND_S if not defined
            Version info bumped from 7:10:6 to 7:11:6

• Files Changed
• Browse Source

baserev update by copy to link target

• Files Changed
• Browse Source

- Version update to 2.2.8
  * Security fixes: (CVE-2019-15903, bsc#1149429)
    - CVE-2019-15903 -- Fix heap overflow triggered by XML_GetCurrentLineNumber
      (or XML_GetCurrentColumnNumber), and deny internal entities closing the doctype;
  * Bug fixes:
    - Fix cases where XML_StopParser did not have any effect
      when called from inside of an end element handler
    - xmlwf: Fix exit code for operation without "-d DIRECTORY";
      previously, only "-d DIRECTORY" would give you a proper exit code:
      Now both cases return exit code 2.
  * Other changes:
    - examples: Improve elements.c
    - Autotools: Add argument --enable-xml-attr-info
    - Autotools: Add arguments --with-getrandom --without-getrandom --with-sys-getrandom --without-sys-getrandom
    - Autotools: Fix linking issues with "./configure LD=clang"
    - Autotools: Fix "make run-xmltest" for out-of-source builds
    - CMake: Pull all options from Expat <=2.2.7 into namespace
    - CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF), default OFF
    - CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF), default OFF
    - CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF), default OFF
    - CMake: Add arguments -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO
    - CMake: Add arguments -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO
    - CMake: Install expat_config.h to include directory
    - CMake: Generate and install configuration files for future find_package(expat [..] CONFIG [..])
    - CMake: Now produces a summary of applied configuration
    - CMake: Require C++ compiler only when tests are enabled
    - CMake: Fix compilation for 16bit character types, i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
    - CMake: Port "make run-xmltest" from GNU Autotools to CMake
    - CMake: Integrate OSS-Fuzz fuzzers, option -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF
- Removed patches fixed in the update:

• Files Changed
• Browse Source

- Security fix (CVE-2019-15903, bsc#1149429)
  * Crafted XML input results in heap-based buffer over-read by fooling
    the parser into changing from DTD parsing to document parsing
  * Added patches:
    - expat-CVE-2019-15903.patch
    - expat-CVE-2019-15903-tests.patch

• Files Changed
• Browse Source

baserev update by copy to link target

• Files Changed
• Browse Source

• Files Changed
• Browse Source

- Version update to 2.2.7 (CVE-2018-20843, bsc#1139937)
  * Security fixes:
    - CVE-2018-20843 - Fix extraction of namespace prefixes from
      XML names; XML names with multiple colons could end up in
      the wrong namespace, and take a high amount of RAM and CPU
      resources while processing, opening the door to use for
      denial-of-service attacks
  * Other changes:
    - Autotools/CMake: Utilize -fvisibility=hidden to stop
      exporting non-API symbols
    - Autotools: Add --without-examples and --without-tests
    - Autotools: Modernize configure.ac
    - Autotools: Fix check for -fvisibility=hidden for Clang
    - Autotools: Fix compilation for lack of docbook2x-man
    - CMake: Make libdir of pkgconfig expat.pc support multilib
    - CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR
    - Remove fallback to bcopy, assume that memmove(3) exists
- Use docbook2x to build the man pages
- Removed expat-2.2.6-fix-make-clean.patch

• Files Changed
• Browse Source

baserev update by copy to link target

• Files Changed
• Browse Source