Hello community,

here is the log from the commit of package expat for openSUSE:Factory checked 
in at 2022-01-22 08:17:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/expat (Old)
 and      /work/SRC/openSUSE:Factory/.expat.new.1938 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "expat"

Sat Jan 22 08:17:45 2022 rev:64 rq:947307 version:2.4.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/expat/expat.changes      2021-12-29 
21:10:39.318270659 +0100
+++ /work/SRC/openSUSE:Factory/.expat.new.1938/expat.changes    2022-01-22 
08:17:46.755067472 +0100
@@ -1,0 +2,32 @@
+Mon Jan 17 09:14:10 UTC 2022 - Dirk M??ller <dmuel...@suse.com>
+
+- update to 2.4.3 (bsc#1194251, bsc#1194362, bsc#1194474, 
+     bsc#1194476, bsc#1194477, bsc#1194478, bsc#1194479, bsc#1194480):
+  * CVE-2021-45960 -- Fix issues with left shifts by >=29 places
+    resulting in
+       a) realloc acting as free
+       b) realloc allocating too few bytes
+       c) undefined behavior
+    depending on architecture and precise value
+    for XML documents with >=2^27+1 prefixed attributes
+    on a single XML tag a la
+    "<r xmlns:a='[..]' a:a123='[..]' [..] />"
+    where XML_ParserCreateNS is used to create the parser
+    (which needs argument "-n" when running xmlwf).
+    Impact is denial of service, or more.
+  * CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
+    on variable m_groupSize in function doProlog leading
+    to realloc acting as free.
+    Impact is denial of service or more.
+  * CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
+    near memory allocation at multiple places.  Mitre assigned
+    a dedicated CVE for each involved internal C function:
+    - CVE-2022-22822 for function addBinding
+    - CVE-2022-22823 for function build_model
+    - CVE-2022-22824 for function defineAttribute
+    - CVE-2022-22825 for function lookup
+    - CVE-2022-22826 for function nextScaffoldPart
+    - CVE-2022-22827 for function storeAtts
+    Impact is denial of service or more.
+
+-------------------------------------------------------------------

Old:
----
  expat-2.4.2.tar.xz
  expat-2.4.2.tar.xz.asc

New:
----
  expat-2.4.3.tar.xz
  expat-2.4.3.tar.xz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ expat.spec ++++++
--- /var/tmp/diff_new_pack.n7n0en/_old  2022-01-22 08:17:47.623061622 +0100
+++ /var/tmp/diff_new_pack.n7n0en/_new  2022-01-22 08:17:47.631061569 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package expat
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,9 +16,9 @@
 #
 
 
-%global unversion 2_4_2
+%global unversion 2_4_3
 Name:           expat
-Version:        2.4.2
+Version:        2.4.3
 Release:        0
 Summary:        XML Parser Toolkit
 License:        MIT

++++++ expat-2.4.2.tar.xz -> expat-2.4.3.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.2/CMake.README new/expat-2.4.3/CMake.README
--- old/expat-2.4.2/CMake.README        2021-12-19 23:21:42.000000000 +0100
+++ new/expat-2.4.3/CMake.README        2022-01-16 14:13:19.000000000 +0100
@@ -3,25 +3,25 @@
 The cmake based buildsystem for expat works on Windows (cygwin, mingw, Visual
 Studio) and should work on all other platform cmake supports.
 
-Assuming ~/expat-2.4.2 is the source directory of expat, add a subdirectory
+Assuming ~/expat-2.4.3 is the source directory of expat, add a subdirectory
 build and change into that directory:
-~/expat-2.4.2$ mkdir build && cd build
-~/expat-2.4.2/build$
+~/expat-2.4.3$ mkdir build && cd build
+~/expat-2.4.3/build$
 
 From that directory, call cmake first, then call make, make test and
 make install in the usual way:
-~/expat-2.4.2/build$ cmake ..
+~/expat-2.4.3/build$ cmake ..
 -- The C compiler identification is GNU
 -- The CXX compiler identification is GNU
 ....
 -- Configuring done
 -- Generating done
--- Build files have been written to: /home/patrick/expat-2.4.2/build
+-- Build files have been written to: /home/patrick/expat-2.4.3/build
 
 If you want to specify the install location for your files, append
 -DCMAKE_INSTALL_PREFIX=/your/install/path to the cmake call.
 
-~/expat-2.4.2/build$ make && make test && make install
+~/expat-2.4.3/build$ make && make test && make install
 Scanning dependencies of target expat
 [  5%] Building C object CMakeFiles/expat.dir/lib/xmlparse.c.o
 [ 11%] Building C object CMakeFiles/expat.dir/lib/xmlrole.c.o
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.2/CMakeLists.txt 
new/expat-2.4.3/CMakeLists.txt
--- old/expat-2.4.2/CMakeLists.txt      2021-12-19 23:21:42.000000000 +0100
+++ new/expat-2.4.3/CMakeLists.txt      2022-01-16 14:13:19.000000000 +0100
@@ -7,7 +7,7 @@
 #
 # Copyright (c) 2010      Patrick Spendrin <ps...@gmx.de>
 # Copyright (c) 2012      Karl Waclawek <k...@waclawek.net>
-# Copyright (c) 2016-2021 Sebastian Pipping <sebast...@pipping.org>
+# Copyright (c) 2016-2022 Sebastian Pipping <sebast...@pipping.org>
 # Copyright (c) 2016      Sergei Nikulov <sergey.niku...@gmail.com>
 # Copyright (c) 2016      Bj??rn Lindahl <bjorn.lind...@foi.se>
 # Copyright (c) 2016      Tobias Taschner <git...@tc84.de>
@@ -64,7 +64,7 @@
 
 project(expat
     VERSION
-        2.4.2
+        2.4.3
     LANGUAGES
         C
 )
@@ -151,6 +151,9 @@
 if(MSVC OR _EXPAT_HELP)
     set(EXPAT_MSVC_STATIC_CRT OFF CACHE BOOL "Use /MT flag (static CRT) when 
compiling in MSVC")
 endif()
+if(NOT _EXPAT_HELP)
+    set(_EXPAT_M32 OFF CACHE BOOL "(Unofficial!) Produce 32bit code with -m32")
+endif()
 
 if(EXPAT_BUILD_TESTS)
     # We have to call enable_language() before modifying any CMAKE_CXX_* 
variables
@@ -322,6 +325,23 @@
     endif()
 endif()
 
+if(_EXPAT_M32 AND NOT MSVC)
+    foreach(flag_var
+            CMAKE_CXX_FLAGS_${_EXPAT_BUILD_TYPE_UPPER}
+            CMAKE_CXX_FLAGS_DEBUG
+            CMAKE_CXX_FLAGS_RELEASE
+            CMAKE_CXX_FLAGS_MINSIZEREL
+            CMAKE_CXX_FLAGS_RELWITHDEBINFO
+            CMAKE_C_FLAGS_${_EXPAT_BUILD_TYPE_UPPER}
+            CMAKE_C_FLAGS_DEBUG
+            CMAKE_C_FLAGS_RELEASE
+            CMAKE_C_FLAGS_MINSIZEREL
+            CMAKE_C_FLAGS_RELWITHDEBINFO
+            )
+        set(${flag_var} "${${flag_var}} -m32")
+    endforeach()
+endif()
+
 include_directories(${CMAKE_CURRENT_BINARY_DIR} 
${CMAKE_CURRENT_SOURCE_DIR}/lib)
 if(MSVC)
     add_definitions(-D_CRT_SECURE_NO_WARNINGS -wd4996)
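Review bot: The `if(_EXPAT_M32 AND NOT MSVC)` block appends `-m32` only to the per-configuration flag variables and has no comment saying what the option is for. If `_EXPAT_BUILD_TYPE_UPPER` (set outside this hunk) can be empty, the first entry of each group expands to `CMAKE_C_FLAGS_` / `CMAKE_CXX_FLAGS_` and the flag would not reach the compile line; confirm a default build type is always set, or append to `CMAKE_C_FLAGS` and `CMAKE_CXX_FLAGS` as well. A comment such as `# 32-bit build; compiles the UINT_MAX >= SIZE_MAX overflow checks in lib/xmlparse.c` would record the presumed purpose, which the Changes entry "CI: Cover compilation with -m32" only hints at.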
@@ -388,7 +408,7 @@
 endif()
 
 set(LIBCURRENT 9)   # sync
-set(LIBREVISION 2)  # with
+set(LIBREVISION 3)  # with
 set(LIBAGE 8)       # configure.ac!
 math(EXPR LIBCURRENT_MINUS_AGE "${LIBCURRENT} - ${LIBAGE}")
 
@@ -461,8 +481,7 @@
 
     file(GENERATE
         OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/$<CONFIG>/expat.pc
-        INPUT ${PROJECT_SOURCE_DIR}/expat.pc.cmake
-        TARGET expat)
+        INPUT ${PROJECT_SOURCE_DIR}/expat.pc.cmake)
 
     expat_install(FILES ${CMAKE_CURRENT_BINARY_DIR}/$<CONFIG>/expat.pc 
DESTINATION ${CMAKE_INSTALL_LIBDIR}/pkgconfig)
 endif()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.2/Changes new/expat-2.4.3/Changes
--- old/expat-2.4.2/Changes     2021-12-19 23:21:42.000000000 +0100
+++ new/expat-2.4.3/Changes     2022-01-16 14:13:19.000000000 +0100
@@ -2,6 +2,58 @@
       https://github.com/libexpat/libexpat/labels/help%20wanted
       If you can help, please get in touch.  Thanks!
 
+Release 2.4.3 Sun January 16 2022
+        Security fixes:
+       #531 #534  CVE-2021-45960 -- Fix issues with left shifts by >=29 places
+                    resulting in
+                      a) realloc acting as free
+                      b) realloc allocating too few bytes
+                      c) undefined behavior
+                    depending on architecture and precise value
+                    for XML documents with >=2^27+1 prefixed attributes
+                    on a single XML tag a la
+                    "<r xmlns:a='[..]' a:a123='[..]' [..] />"
+                    where XML_ParserCreateNS is used to create the parser
+                    (which needs argument "-n" when running xmlwf).
+                    Impact is denial of service, or more.
+       #532 #538  CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
+                    on variable m_groupSize in function doProlog leading
+                    to realloc acting as free.
+                    Impact is denial of service or more.
+            #539  CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
+                    near memory allocation at multiple places.  Mitre assigned
+                    a dedicated CVE for each involved internal C function:
+                    - CVE-2022-22822 for function addBinding
+                    - CVE-2022-22823 for function build_model
+                    - CVE-2022-22824 for function defineAttribute
+                    - CVE-2022-22825 for function lookup
+                    - CVE-2022-22826 for function nextScaffoldPart
+                    - CVE-2022-22827 for function storeAtts
+                    Impact is denial of service or more.
+
+        Other changes:
+            #535  CMake: Make call to file(GENERATE [..]) work for CMake <3.19
+            #541  Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin
+                    and MSYS2 by not going through Wine on these platforms
+       #527 #528  Address compiler warnings
+       #533 #543  Version info bumped from 9:2:8 to 9:3:8;
+                    see https://verbump.de/ for what these numbers do
+
+        Infrastructure:
+            #536  CI: Check for realistic minimum CMake version
+       #529 #539  CI: Cover compilation with -m32
+            #529  CI: Store coverage reports as artifacts for download
+            #528  CI: Upgrade Clang from 11 to 13
+
+        Special thanks to:
+            An anonymous whitehat
+            Christopher Degawa
+            J. Peter Mugaas
+            Tyson Smith
+                 and
+            GCC Farm Project
+            Trend Micro Zero Day Initiative
+
 Release 2.4.2 Sun December 19 2021
         Other changes:
        #509 #510  Link againgst libm for function "isnan"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.2/README.md new/expat-2.4.3/README.md
--- old/expat-2.4.2/README.md   2021-12-19 23:21:42.000000000 +0100
+++ new/expat-2.4.3/README.md   2022-01-16 14:13:19.000000000 +0100
@@ -5,7 +5,7 @@
 [![Downloads 
GitHub](https://img.shields.io/github/downloads/libexpat/libexpat/total?label=Downloads%20GitHub)](https://github.com/libexpat/libexpat/releases)
 
 
-# Expat, Release 2.4.2
+# Expat, Release 2.4.3
 
 This is Expat, a C library for parsing XML, started by
 [James Clark](https://en.wikipedia.org/wiki/James_Clark_%28programmer%29) in 
1997.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.2/configure new/expat-2.4.3/configure
--- old/expat-2.4.2/configure   2021-12-19 23:30:38.000000000 +0100
+++ new/expat-2.4.3/configure   2022-01-16 14:53:12.000000000 +0100
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for expat 2.4.2.
+# Generated by GNU Autoconf 2.71 for expat 2.4.3.
 #
 # Report bugs to <expat-b...@libexpat.org>.
 #
@@ -621,8 +621,8 @@
 # Identity of this package.
 PACKAGE_NAME='expat'
 PACKAGE_TARNAME='expat'
-PACKAGE_VERSION='2.4.2'
-PACKAGE_STRING='expat 2.4.2'
+PACKAGE_VERSION='2.4.3'
+PACKAGE_STRING='expat 2.4.3'
 PACKAGE_BUGREPORT='expat-b...@libexpat.org'
 PACKAGE_URL=''
 
@@ -1413,7 +1413,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures expat 2.4.2 to adapt to many kinds of systems.
+\`configure' configures expat 2.4.3 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1484,7 +1484,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of expat 2.4.2:";;
+     short | recursive ) echo "Configuration of expat 2.4.3:";;
    esac
   cat <<\_ACEOF
 
@@ -1618,7 +1618,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-expat configure 2.4.2
+expat configure 2.4.3
 generated by GNU Autoconf 2.71
 
 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2249,7 +2249,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by expat $as_me 2.4.2, which was
+It was created by expat $as_me 2.4.3, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -3816,7 +3816,7 @@
 
 # Define the identity of the package.
  PACKAGE='expat'
- VERSION='2.4.2'
+ VERSION='2.4.3'
 
 
 printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -3923,7 +3923,7 @@
 
 
 LIBCURRENT=9   # sync
-LIBREVISION=2  # with
+LIBREVISION=3  # with
 LIBAGE=8       # CMakeLists.txt!
 
 ac_config_headers="$ac_config_headers expat_config.h"
@@ -20214,7 +20214,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by expat $as_me 2.4.2, which was
+This file was extended by expat $as_me 2.4.3, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -20282,7 +20282,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-expat config.status 2.4.2
+expat config.status 2.4.3
 configured by $0, generated by GNU Autoconf 2.71,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.2/configure.ac new/expat-2.4.3/configure.ac
--- old/expat-2.4.2/configure.ac        2021-12-19 23:21:42.000000000 +0100
+++ new/expat-2.4.3/configure.ac        2022-01-16 14:13:19.000000000 +0100
@@ -11,7 +11,7 @@
 dnl   Copyright (c) 2000-2005 Fred L. Drake, Jr. <fdr...@users.sourceforge.net>
 dnl   Copyright (c) 2001-2003 Greg Stein <gst...@users.sourceforge.net>
 dnl   Copyright (c) 2006-2012 Karl Waclawek <k...@waclawek.net>
-dnl   Copyright (c) 2016-2021 Sebastian Pipping <sebast...@pipping.org>
+dnl   Copyright (c) 2016-2022 Sebastian Pipping <sebast...@pipping.org>
 dnl   Copyright (c) 2017      S. P. Zeidler <s...@netbsd.org>
 dnl   Copyright (c) 2017      Stephen Groat <step...@groat.us>
 dnl   Copyright (c) 2017-2020 Joe Orton <jor...@redhat.com>
@@ -82,7 +82,7 @@
 dnl
 
 LIBCURRENT=9   # sync
-LIBREVISION=2  # with
+LIBREVISION=3  # with
 LIBAGE=8       # CMakeLists.txt!
 
 AC_CONFIG_HEADERS([expat_config.h])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.2/doc/reference.html 
new/expat-2.4.3/doc/reference.html
--- old/expat-2.4.2/doc/reference.html  2021-12-19 23:21:42.000000000 +0100
+++ new/expat-2.4.3/doc/reference.html  2022-01-16 14:13:19.000000000 +0100
@@ -14,7 +14,7 @@
    Copyright (c) 2000      Clark Cooper <coope...@users.sourceforge.net>
    Copyright (c) 2000-2004 Fred L. Drake, Jr. <fdr...@users.sourceforge.net>
    Copyright (c) 2002-2012 Karl Waclawek <k...@waclawek.net>
-   Copyright (c) 2017-2021 Sebastian Pipping <sebast...@pipping.org>
+   Copyright (c) 2017-2022 Sebastian Pipping <sebast...@pipping.org>
    Copyright (c) 2017      Jakub Wilk <jw...@jwilk.net>
    Copyright (c) 2021      Tomas Korbar <tkor...@redhat.com>
    Copyright (c) 2021      Nicolas Cavallari 
<nicolas.cavall...@green-communications.fr>
@@ -49,7 +49,7 @@
   <div>
     <h1>
       The Expat XML Parser
-      <small>Release 2.4.2</small>
+      <small>Release 2.4.3</small>
     </h1>
   </div>
 <div class="content">
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.2/doc/xmlwf.1 new/expat-2.4.3/doc/xmlwf.1
--- old/expat-2.4.2/doc/xmlwf.1 2021-12-19 23:30:45.000000000 +0100
+++ new/expat-2.4.3/doc/xmlwf.1 2022-01-16 14:53:19.000000000 +0100
@@ -5,7 +5,7 @@
 \\$2 \(la\\$1\(ra\\$3
 ..
 .if \n(.g .mso www.tmac
-.TH XMLWF 1 "December 19, 2021" "" ""
+.TH XMLWF 1 "January 16, 2022" "" ""
 .SH NAME
 xmlwf \- Determines if an XML document is well-formed
 .SH SYNOPSIS
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.2/doc/xmlwf.xml 
new/expat-2.4.3/doc/xmlwf.xml
--- old/expat-2.4.2/doc/xmlwf.xml       2021-12-19 23:21:42.000000000 +0100
+++ new/expat-2.4.3/doc/xmlwf.xml       2022-01-16 14:13:19.000000000 +0100
@@ -9,7 +9,7 @@
    Copyright (c) 2001      Scott Bronson <bron...@rinspin.com>
    Copyright (c) 2002-2003 Fred L. Drake, Jr. <fdr...@users.sourceforge.net>
    Copyright (c) 2009      Karl Waclawek <k...@waclawek.net>
-   Copyright (c) 2016-2021 Sebastian Pipping <sebast...@pipping.org>
+   Copyright (c) 2016-2022 Sebastian Pipping <sebast...@pipping.org>
    Copyright (c) 2016      Ardo van Rangelrooij <a...@debian.org>
    Copyright (c) 2017      Rhodri James <rho...@wildebeest.org.uk>
    Copyright (c) 2020      Joe Orton <jor...@redhat.com>
@@ -22,7 +22,7 @@
   <!ENTITY dhfirstname "<firstname>Scott</firstname>">
   <!ENTITY dhsurname   "<surname>Bronson</surname>">
   <!-- Please adjust the date whenever revising the manpage. -->
-  <!ENTITY dhdate      "<date>December 19, 2021</date>">
+  <!ENTITY dhdate      "<date>January 16, 2022</date>">
   <!ENTITY dhsection   "<manvolnum>1</manvolnum>">
   <!ENTITY dhemail     "<email>bron...@rinspin.com</email>">
   <!ENTITY dhusername  "Scott Bronson">
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.2/expat.pc.cmake 
new/expat-2.4.3/expat.pc.cmake
--- old/expat-2.4.2/expat.pc.cmake      2021-12-15 15:25:31.000000000 +0100
+++ new/expat-2.4.3/expat.pc.cmake      2022-01-13 23:29:11.000000000 +0100
@@ -1,11 +1,11 @@
-prefix=$<TARGET_PROPERTY:pkgconfig_prefix>
-exec_prefix=$<TARGET_PROPERTY:pkgconfig_exec_prefix>
-libdir=$<TARGET_PROPERTY:pkgconfig_libdir>
-includedir=$<TARGET_PROPERTY:pkgconfig_includedir>
+prefix=$<TARGET_PROPERTY:expat,pkgconfig_prefix>
+exec_prefix=$<TARGET_PROPERTY:expat,pkgconfig_exec_prefix>
+libdir=$<TARGET_PROPERTY:expat,pkgconfig_libdir>
+includedir=$<TARGET_PROPERTY:expat,pkgconfig_includedir>
 
-Name: $<TARGET_PROPERTY:pkgconfig_$<LOWER_CASE:$<CONFIG>>_name>
-Version: $<TARGET_PROPERTY:pkgconfig_version>
+Name: $<TARGET_PROPERTY:expat,pkgconfig_$<LOWER_CASE:$<CONFIG>>_name>
+Version: $<TARGET_PROPERTY:expat,pkgconfig_version>
 Description: expat XML parser
 URL: https://libexpat.github.io/
-Libs: -L${libdir} -l$<TARGET_PROPERTY:pkgconfig_$<LOWER_CASE:$<CONFIG>>_name> 
$<TARGET_PROPERTY:pkgconfig_libm>
+Libs: -L${libdir} 
-l$<TARGET_PROPERTY:expat,pkgconfig_$<LOWER_CASE:$<CONFIG>>_name> 
$<TARGET_PROPERTY:expat,pkgconfig_libm>
 Cflags: -I${includedir}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.2/expat_config.h 
new/expat-2.4.3/expat_config.h
--- old/expat-2.4.2/expat_config.h      2021-12-19 23:30:44.000000000 +0100
+++ new/expat-2.4.3/expat_config.h      2022-01-16 14:53:18.000000000 +0100
@@ -77,7 +77,7 @@
 #define PACKAGE_NAME "expat"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "expat 2.4.2"
+#define PACKAGE_STRING "expat 2.4.3"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "expat"
@@ -86,7 +86,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "2.4.2"
+#define PACKAGE_VERSION "2.4.3"
 
 /* Define to 1 if all of the C90 standard headers exist (not just the ones
    required in a freestanding environment). This macro is provided for
@@ -94,7 +94,7 @@
 #define STDC_HEADERS 1
 
 /* Version number of package */
-#define VERSION "2.4.2"
+#define VERSION "2.4.3"
 
 /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
    significant byte first (like Motorola and SPARC, unlike Intel). */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.2/lib/expat.h new/expat-2.4.3/lib/expat.h
--- old/expat-2.4.2/lib/expat.h 2021-12-19 23:21:42.000000000 +0100
+++ new/expat-2.4.3/lib/expat.h 2022-01-16 14:13:19.000000000 +0100
@@ -11,7 +11,7 @@
    Copyright (c) 2000-2005 Fred L. Drake, Jr. <fdr...@users.sourceforge.net>
    Copyright (c) 2001-2002 Greg Stein <gst...@users.sourceforge.net>
    Copyright (c) 2002-2016 Karl Waclawek <k...@waclawek.net>
-   Copyright (c) 2016-2021 Sebastian Pipping <sebast...@pipping.org>
+   Copyright (c) 2016-2022 Sebastian Pipping <sebast...@pipping.org>
    Copyright (c) 2016      Cristian Rodr??guez <crrodrig...@opensuse.org>
    Copyright (c) 2016      Thomas Beutlich <t...@tbeu.de>
    Copyright (c) 2017      Rhodri James <rho...@wildebeest.org.uk>
@@ -1041,7 +1041,7 @@
 */
 #define XML_MAJOR_VERSION 2
 #define XML_MINOR_VERSION 4
-#define XML_MICRO_VERSION 2
+#define XML_MICRO_VERSION 3
 
 #ifdef __cplusplus
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.2/lib/xmlparse.c 
new/expat-2.4.3/lib/xmlparse.c
--- old/expat-2.4.2/lib/xmlparse.c      2021-12-19 23:21:42.000000000 +0100
+++ new/expat-2.4.3/lib/xmlparse.c      2022-01-16 14:13:19.000000000 +0100
@@ -1,4 +1,4 @@
-/* 0550bc9a27b099d462d8d1007271cfeaa39852f20cd0d5d2caeadaeb39516fbe (2.4.2+)
+/* 9ca2a2fedc35bcb13ba9a134ba5e173020bc2ff5f5a311abf742cec7da1ff26a (2.4.3+)
                             __  __            _
                          ___\ \/ /_ __   __ _| |_
                         / _ \\  /| '_ \ / _` | __|
@@ -13,7 +13,7 @@
    Copyright (c) 2002-2016 Karl Waclawek <k...@waclawek.net>
    Copyright (c) 2005-2009 Steven Solie <sso...@users.sourceforge.net>
    Copyright (c) 2016      Eric Rahm <er...@mozilla.com>
-   Copyright (c) 2016-2021 Sebastian Pipping <sebast...@pipping.org>
+   Copyright (c) 2016-2022 Sebastian Pipping <sebast...@pipping.org>
    Copyright (c) 2016      Gaurav <g.gu...@samsung.com>
    Copyright (c) 2016      Thomas Beutlich <t...@tbeu.de>
    Copyright (c) 2016      Gustavo Grieco <gustavo.gri...@imag.fr>
@@ -3261,13 +3261,38 @@
 
   /* get the attributes from the tokenizer */
   n = XmlGetAttributes(enc, attStr, parser->m_attsSize, parser->m_atts);
+
+  /* Detect and prevent integer overflow */
+  if (n > INT_MAX - nDefaultAtts) {
+    return XML_ERROR_NO_MEMORY;
+  }
+
   if (n + nDefaultAtts > parser->m_attsSize) {
     int oldAttsSize = parser->m_attsSize;
     ATTRIBUTE *temp;
 #ifdef XML_ATTR_INFO
     XML_AttrInfo *temp2;
 #endif
+
+    /* Detect and prevent integer overflow */
+    if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
+        || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
+      return XML_ERROR_NO_MEMORY;
+    }
+
     parser->m_attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
+
+    /* Detect and prevent integer overflow.
+     * The preprocessor guard addresses the "always false" warning
+     * from -Wtype-limits on platforms where
+     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+    if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
+      parser->m_attsSize = oldAttsSize;
+      return XML_ERROR_NO_MEMORY;
+    }
+#endif
+
     temp = (ATTRIBUTE *)REALLOC(parser, (void *)parser->m_atts,
                                 parser->m_attsSize * sizeof(ATTRIBUTE));
     if (temp == NULL) {
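Review bot: The `#if UINT_MAX >= SIZE_MAX` multiplication check before the `REALLOC` of `m_atts` is compiled only on targets where `size_t` is no wider than `unsigned int`, so ordinary 64-bit builds and test runs never execute it. The same comment-plus-guard block recurs in the later xmlparse.c hunks of this commit (the `XML_AttrInfo`, `NS_ATT`, `XML_Char`, `DEFAULT_ATTRIBUTE`, `CONTENT_SCAFFOLD` and `XML_Content` allocations). A single static helper that takes the element count and element size as `size_t` and reports whether `count > (size_t)(-1) / size` would state the rule once, and it should not trip -Wtype-limits because the comparison no longer involves a value the compiler knows to be 32-bit, which would let the `#if` go. Separately, `parser->m_attsSize` is overwritten before this check and restored on failure; computing the new size in a local and storing it only once the allocations have succeeded would remove the rollback. The enclosing function starts and ends outside the hunk.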
@@ -3276,6 +3301,17 @@
     }
     parser->m_atts = temp;
 #ifdef XML_ATTR_INFO
+    /* Detect and prevent integer overflow.
+     * The preprocessor guard addresses the "always false" warning
+     * from -Wtype-limits on platforms where
+     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#  if UINT_MAX >= SIZE_MAX
+    if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(XML_AttrInfo)) {
+      parser->m_attsSize = oldAttsSize;
+      return XML_ERROR_NO_MEMORY;
+    }
+#  endif
+
     temp2 = (XML_AttrInfo *)REALLOC(parser, (void *)parser->m_attInfo,
                                     parser->m_attsSize * sizeof(XML_AttrInfo));
     if (temp2 == NULL) {
@@ -3414,7 +3450,13 @@
   if (nPrefixes) {
     int j; /* hash table index */
     unsigned long version = parser->m_nsAttsVersion;
-    int nsAttsSize = (int)1 << parser->m_nsAttsPower;
+
+    /* Detect and prevent invalid shift */
+    if (parser->m_nsAttsPower >= sizeof(unsigned int) * 8 /* bits per byte */) 
{
+      return XML_ERROR_NO_MEMORY;
+    }
+
+    unsigned int nsAttsSize = 1u << parser->m_nsAttsPower;
     unsigned char oldNsAttsPower = parser->m_nsAttsPower;
     /* size of hash table must be at least 2 * (# of prefixed attributes) */
     if ((nPrefixes << 1)
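Review bot: The new shift guard hard-codes the byte width as `8 /* bits per byte */` and spells the type as `sizeof(unsigned int)`, while the matching guard in the next hunk (-3425) uses `sizeof(nsAttsSize)` and the one in the -6750 hunk uses `sizeof(unsigned long)` with the same literal. `CHAR_BIT` from `<limits.h>` says the same thing without the comment, e.g. `if (parser->m_nsAttsPower >= sizeof(unsigned int) * CHAR_BIT) {`; the file already relies on `INT_MAX` and `UINT_MAX`, so the header is presumably included, though the include list is not part of this diff. The declaration `unsigned int nsAttsSize` now follows a statement, which is fine for C99 but worth confirming against the oldest compiler the project supports.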
@@ -3425,7 +3467,28 @@
         ;
       if (parser->m_nsAttsPower < 3)
         parser->m_nsAttsPower = 3;
-      nsAttsSize = (int)1 << parser->m_nsAttsPower;
+
+      /* Detect and prevent invalid shift */
+      if (parser->m_nsAttsPower >= sizeof(nsAttsSize) * 8 /* bits per byte */) 
{
+        /* Restore actual size of memory in m_nsAtts */
+        parser->m_nsAttsPower = oldNsAttsPower;
+        return XML_ERROR_NO_MEMORY;
+      }
+
+      nsAttsSize = 1u << parser->m_nsAttsPower;
+
+      /* Detect and prevent integer overflow.
+       * The preprocessor guard addresses the "always false" warning
+       * from -Wtype-limits on platforms where
+       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+      if (nsAttsSize > (size_t)(-1) / sizeof(NS_ATT)) {
+        /* Restore actual size of memory in m_nsAtts */
+        parser->m_nsAttsPower = oldNsAttsPower;
+        return XML_ERROR_NO_MEMORY;
+      }
+#endif
+
       temp = (NS_ATT *)REALLOC(parser, parser->m_nsAtts,
                                nsAttsSize * sizeof(NS_ATT));
       if (! temp) {
@@ -3583,9 +3646,31 @@
   tagNamePtr->prefixLen = prefixLen;
   for (i = 0; localPart[i++];)
     ; /* i includes null terminator */
+
+  /* Detect and prevent integer overflow */
+  if (binding->uriLen > INT_MAX - prefixLen
+      || i > INT_MAX - (binding->uriLen + prefixLen)) {
+    return XML_ERROR_NO_MEMORY;
+  }
+
   n = i + binding->uriLen + prefixLen;
   if (n > binding->uriAlloc) {
     TAG *p;
+
+    /* Detect and prevent integer overflow */
+    if (n > INT_MAX - EXPAND_SPARE) {
+      return XML_ERROR_NO_MEMORY;
+    }
+    /* Detect and prevent integer overflow.
+     * The preprocessor guard addresses the "always false" warning
+     * from -Wtype-limits on platforms where
+     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+    if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
+      return XML_ERROR_NO_MEMORY;
+    }
+#endif
+
     uri = (XML_Char *)MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char));
     if (! uri)
       return XML_ERROR_NO_MEMORY;
@@ -3681,6 +3766,21 @@
   if (parser->m_freeBindingList) {
     b = parser->m_freeBindingList;
     if (len > b->uriAlloc) {
+      /* Detect and prevent integer overflow */
+      if (len > INT_MAX - EXPAND_SPARE) {
+        return XML_ERROR_NO_MEMORY;
+      }
+
+      /* Detect and prevent integer overflow.
+       * The preprocessor guard addresses the "always false" warning
+       * from -Wtype-limits on platforms where
+       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+      if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
+        return XML_ERROR_NO_MEMORY;
+      }
+#endif
+
       XML_Char *temp = (XML_Char *)REALLOC(
           parser, b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE));
       if (temp == NULL)
@@ -3693,6 +3793,21 @@
     b = (BINDING *)MALLOC(parser, sizeof(BINDING));
     if (! b)
       return XML_ERROR_NO_MEMORY;
+
+    /* Detect and prevent integer overflow */
+    if (len > INT_MAX - EXPAND_SPARE) {
+      return XML_ERROR_NO_MEMORY;
+    }
+    /* Detect and prevent integer overflow.
+     * The preprocessor guard addresses the "always false" warning
+     * from -Wtype-limits on platforms where
+     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+    if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
+      return XML_ERROR_NO_MEMORY;
+    }
+#endif
+
     b->uri
         = (XML_Char *)MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE));
     if (! b->uri) {
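Review bot: Both new early returns in this hunk run after `b = (BINDING *)MALLOC(parser, sizeof(BINDING));` has succeeded, so `return XML_ERROR_NO_MEMORY;` on the `len > INT_MAX - EXPAND_SPARE` path (and on the `#if UINT_MAX >= SIZE_MAX` path) leaks the freshly allocated `BINDING`. Either move the two checks above the `MALLOC` of `b`, or release it first with `FREE(parser, b);` before each return. The leak is small, but it sits on the error path that oversized input is meant to reach, so it is worth closing in the same change. The enclosing function continues outside the hunk, and the handling inside `if (! b->uri) {` is not visible here.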
@@ -5019,6 +5134,11 @@
       if (parser->m_prologState.level >= parser->m_groupSize) {
         if (parser->m_groupSize) {
           {
+            /* Detect and prevent integer overflow */
+            if (parser->m_groupSize > (unsigned int)(-1) / 2u) {
+              return XML_ERROR_NO_MEMORY;
+            }
+
             char *const new_connector = (char *)REALLOC(
                 parser, parser->m_groupConnector, parser->m_groupSize *= 2);
             if (new_connector == NULL) {
@@ -5029,6 +5149,16 @@
           }
 
           if (dtd->scaffIndex) {
+            /* Detect and prevent integer overflow.
+             * The preprocessor guard addresses the "always false" warning
+             * from -Wtype-limits on platforms where
+             * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+            if (parser->m_groupSize > (size_t)(-1) / sizeof(int)) {
+              return XML_ERROR_NO_MEMORY;
+            }
+#endif
+
             int *const new_scaff_index = (int *)REALLOC(
                 parser, dtd->scaffIndex, parser->m_groupSize * sizeof(int));
             if (new_scaff_index == NULL)
@@ -6099,7 +6229,24 @@
       }
     } else {
       DEFAULT_ATTRIBUTE *temp;
+
+      /* Detect and prevent integer overflow */
+      if (type->allocDefaultAtts > INT_MAX / 2) {
+        return 0;
+      }
+
       int count = type->allocDefaultAtts * 2;
+
+      /* Detect and prevent integer overflow.
+       * The preprocessor guard addresses the "always false" warning
+       * from -Wtype-limits on platforms where
+       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+      if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) {
+        return 0;
+      }
+#endif
+
       temp = (DEFAULT_ATTRIBUTE *)REALLOC(parser, type->defaultAtts,
                                           (count * sizeof(DEFAULT_ATTRIBUTE)));
       if (temp == NULL)
@@ -6750,8 +6897,20 @@
     /* check for overflow (table is half full) */
     if (table->used >> (table->power - 1)) {
       unsigned char newPower = table->power + 1;
+
+      /* Detect and prevent invalid shift */
+      if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) {
+        return NULL;
+      }
+
       size_t newSize = (size_t)1 << newPower;
       unsigned long newMask = (unsigned long)newSize - 1;
+
+      /* Detect and prevent integer overflow */
+      if (newSize > (size_t)(-1) / sizeof(NAMED *)) {
+        return NULL;
+      }
+
       size_t tsize = newSize * sizeof(NAMED *);
       NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize);
       if (! newV)
@@ -7101,6 +7260,20 @@
   if (dtd->scaffCount >= dtd->scaffSize) {
     CONTENT_SCAFFOLD *temp;
     if (dtd->scaffold) {
+      /* Detect and prevent integer overflow */
+      if (dtd->scaffSize > UINT_MAX / 2u) {
+        return -1;
+      }
+      /* Detect and prevent integer overflow.
+       * The preprocessor guard addresses the "always false" warning
+       * from -Wtype-limits on platforms where
+       * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+      if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) {
+        return -1;
+      }
+#endif
+
       temp = (CONTENT_SCAFFOLD *)REALLOC(
           parser, dtd->scaffold, dtd->scaffSize * 2 * 
sizeof(CONTENT_SCAFFOLD));
       if (temp == NULL)
@@ -7170,8 +7343,26 @@
   XML_Content *ret;
   XML_Content *cpos;
   XML_Char *str;
-  int allocsize = (dtd->scaffCount * sizeof(XML_Content)
-                   + (dtd->contentStringLen * sizeof(XML_Char)));
+
+  /* Detect and prevent integer overflow.
+   * The preprocessor guard addresses the "always false" warning
+   * from -Wtype-limits on platforms where
+   * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
+#if UINT_MAX >= SIZE_MAX
+  if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) {
+    return NULL;
+  }
+  if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) {
+    return NULL;
+  }
+#endif
+  if (dtd->scaffCount * sizeof(XML_Content)
+      > (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) {
+    return NULL;
+  }
+
+  const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content)
+                            + (dtd->contentStringLen * sizeof(XML_Char)));
 
   ret = (XML_Content *)MALLOC(parser, allocsize);
   if (! ret)
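Review bot: The two size products are written out three times (the per-term guards, the sum guard, and `allocsize`), so the check and the allocation agree only as long as every copy is edited together. Computing each product once, after the per-term guards, keeps them in step: `const size_t contentBytes = dtd->scaffCount * sizeof(XML_Content);` and `const size_t stringBytes = dtd->contentStringLen * sizeof(XML_Char);`, followed by `if (contentBytes > (size_t)(-1) - stringBytes) return NULL;` and an `allocsize` that is simply their sum. Behaviour is unchanged. The function body continues past the hunk.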
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.2/lib/xmltok_ns.c 
new/expat-2.4.3/lib/xmltok_ns.c
--- old/expat-2.4.2/lib/xmltok_ns.c     2021-10-22 13:24:55.000000000 +0200
+++ new/expat-2.4.3/lib/xmltok_ns.c     2022-01-16 14:13:19.000000000 +0100
@@ -11,7 +11,7 @@
    Copyright (c) 2002      Greg Stein <gst...@users.sourceforge.net>
    Copyright (c) 2002      Fred L. Drake, Jr. <fdr...@users.sourceforge.net>
    Copyright (c) 2002-2006 Karl Waclawek <k...@waclawek.net>
-   Copyright (c) 2017      Sebastian Pipping <sebast...@pipping.org>
+   Copyright (c) 2017-2021 Sebastian Pipping <sebast...@pipping.org>
    Licensed under the MIT license:
 
    Permission is  hereby granted,  free of charge,  to any  person obtaining
@@ -93,7 +93,7 @@
 static const ENCODING *
 NS(findEncoding)(const ENCODING *enc, const char *ptr, const char *end) {
 #  define ENCODING_MAX 128
-  char buf[ENCODING_MAX];
+  char buf[ENCODING_MAX] = "";
   char *p = buf;
   int i;
   XmlUtf8Convert(enc, &ptr, end, &p, p + ENCODING_MAX - 1);
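Review bot: The added `= ""` initializer on `buf` carries no comment, so its purpose is left for the reader to reconstruct. Presumably it guarantees that `buf` holds a valid empty string if `XmlUtf8Convert` writes nothing, or quiets an uninitialized-read diagnostic; the code that consumes `buf` is outside the hunk, so this is inferred. A one-line comment such as `/* zero-filled so buf is always NUL-terminated, even if nothing is converted */` would record the intent and keep the initializer from being removed later as redundant.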
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.2/run.sh.in new/expat-2.4.3/run.sh.in
--- old/expat-2.4.2/run.sh.in   2021-10-22 13:24:55.000000000 +0200
+++ new/expat-2.4.3/run.sh.in   2022-01-16 14:13:19.000000000 +0100
@@ -6,7 +6,7 @@
 #                      \___/_/\_\ .__/ \__,_|\__|
 #                               |_| XML parser
 #
-# Copyright (c) 2017 Sebastian Pipping <sebast...@pipping.org>
+# Copyright (c) 2017-2022 Sebastian Pipping <sebast...@pipping.org>
 # Licensed under the MIT license:
 #
 # Permission is  hereby granted,  free of charge,  to any  person obtaining
@@ -30,7 +30,16 @@
 
 case "@host@" in
 *-mingw*)
-    exec wine "$@"
+    case "$(uname -o)" in
+    Cygwin|Msys)
+        # Windows binary on Windows host
+        exec "$@"
+        ;;
+    *)
+        # Windows binary on non-Windows host
+        exec wine "$@"
+        ;;
+    esac
     ;;
 *)
     exec "$@"
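Review bot: `uname -o` in the new inner `case` is not a POSIX option, so on hosts whose `uname` lacks it the command substitution prints an error to stderr before falling through to the `*)` branch. Falling back to `wine` is still the right outcome there, but the noise is avoidable with `case "$(uname -o 2>/dev/null)" in`. Matching `uname -s` against `CYGWIN*|MSYS*|MINGW*` would be the portable alternative if the same distinction is needed elsewhere.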
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.2/tests/runtests.c 
new/expat-2.4.3/tests/runtests.c
--- old/expat-2.4.2/tests/runtests.c    2021-12-19 23:21:42.000000000 +0100
+++ new/expat-2.4.3/tests/runtests.c    2022-01-16 14:13:19.000000000 +0100
@@ -10,7 +10,7 @@
    Copyright (c) 2003      Greg Stein <gst...@users.sourceforge.net>
    Copyright (c) 2005-2007 Steven Solie <sso...@users.sourceforge.net>
    Copyright (c) 2005-2012 Karl Waclawek <k...@waclawek.net>
-   Copyright (c) 2016-2021 Sebastian Pipping <sebast...@pipping.org>
+   Copyright (c) 2016-2022 Sebastian Pipping <sebast...@pipping.org>
    Copyright (c) 2017-2018 Rhodri James <rho...@wildebeest.org.uk>
    Copyright (c) 2017      Joe Orton <jor...@redhat.com>
    Copyright (c) 2017      Jos?? Guti??rrez de la Concha <j...@zeroc.com>
@@ -7352,7 +7352,7 @@
     fail("Version mismatch");
 
 #if ! defined(XML_UNICODE) || defined(XML_UNICODE_WCHAR_T)
-  if (xcstrcmp(version_text, XCS("expat_2.4.2"))) /* needs bump on releases */
+  if (xcstrcmp(version_text, XCS("expat_2.4.3"))) /* needs bump on releases */
     fail("XML_*_VERSION in expat.h out of sync?\n");
 #else
   /* If we have XML_UNICODE defined but not XML_UNICODE_WCHAR_T
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.2/win32/expat.iss 
new/expat-2.4.3/win32/expat.iss
--- old/expat-2.4.2/win32/expat.iss     2021-12-19 23:21:42.000000000 +0100
+++ new/expat-2.4.3/win32/expat.iss     2022-01-16 14:13:19.000000000 +0100
@@ -14,7 +14,7 @@
 ; Copyright (c) 2001      Tim Peters <tim.pet...@gmail.com>
 ; Copyright (c) 2001-2005 Fred L. Drake, Jr. <fdr...@users.sourceforge.net>
 ; Copyright (c) 2006-2017 Karl Waclawek <k...@waclawek.net>
-; Copyright (c) 2007-2021 Sebastian Pipping <sebast...@pipping.org>
+; Copyright (c) 2007-2022 Sebastian Pipping <sebast...@pipping.org>
 ; Licensed under the MIT license:
 ;
 ; Permission is  hereby granted,  free of charge,  to any  person obtaining
@@ -36,7 +36,7 @@
 ; OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
 ; USE OR OTHER DEALINGS IN THE SOFTWARE.
 
-#define expatVer "2.4.2"
+#define expatVer "2.4.3"
 
 [Setup]
 AppName=Expat
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.2/xmlwf/xmlwf.c 
new/expat-2.4.3/xmlwf/xmlwf.c
--- old/expat-2.4.2/xmlwf/xmlwf.c       2021-10-22 13:24:55.000000000 +0200
+++ new/expat-2.4.3/xmlwf/xmlwf.c       2022-01-13 23:41:22.000000000 +0100
@@ -1128,6 +1128,8 @@
 #ifdef XML_DTD
       XML_SetBillionLaughsAttackProtectionActivationThreshold(
           parser, attackThresholdBytes);
+#else
+      (void)attackThresholdBytes; // silence -Wunused-but-set-variable
 #endif
     }
 
