Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package expat for openSUSE:Factory checked in at 2022-02-02 22:40:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/expat (Old) and /work/SRC/openSUSE:Factory/.expat.new.1898 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "expat" Wed Feb 2 22:40:00 2022 rev:65 rq:950090 version:2.4.4 Changes: -------- --- /work/SRC/openSUSE:Factory/expat/expat.changes 2022-01-22 08:17:46.755067472 +0100 +++ /work/SRC/openSUSE:Factory/.expat.new.1898/expat.changes 2022-02-02 22:40:01.424097128 +0100 @@ -1,0 +2,23 @@ +Mon Jan 31 06:13:13 UTC 2022 - David Anes <david.a...@suse.com> + +- update to 2.4.4 (bsc#1195217, bsc#1195054): + * Security fixes: + - CVE-2022-23852 -- Fix signed integer overflow + (undefined behavior) in function XML_GetBuffer + that is also called by function XML_Parse internally) + for when XML_CONTEXT_BYTES is defined to >0 (which is both + common and default). + Impact is denial of service or more. + - CVE-2022-23990 -- Fix unsigned integer overflow in function + doProlog triggered by large content in element type + declarations when there is an element declaration handler + present (from a prior call to XML_SetElementDeclHandler). + Impact is denial of service or more. + * Bug fixes: + - xmlwf: Fix a memory leak on output file opening error + * Other changes: + - Version info bumped from 9:3:8 to 9:4:8; + see https://verbump.de/ for what these numbers do + * Drop unused file valid-xhtml10.png + +------------------------------------------------------------------- Old: ---- expat-2.4.3.tar.xz expat-2.4.3.tar.xz.asc New: ---- expat-2.4.4.tar.xz expat-2.4.4.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ expat.spec ++++++ --- /var/tmp/diff_new_pack.OsprWS/_old 2022-02-02 22:40:02.184091976 +0100 +++ /var/tmp/diff_new_pack.OsprWS/_new 2022-02-02 22:40:02.192091923 +0100 @@ -16,9 +16,9 @@ # -%global unversion 2_4_3 +%global unversion 2_4_4 Name: expat -Version: 2.4.3 +Version: 2.4.4 Release: 0 Summary: XML Parser Toolkit License: MIT 
@@ -95,7 +95,7 @@ %files %license COPYING %doc AUTHORS README.md expatfaq.html -%doc doc/reference.html doc/style.css doc/valid-xhtml10.png +%doc doc/reference.html doc/style.css %doc examples/elements.c examples/outline.c examples/Makefile.am examples/Makefile.in %doc changelog %{_bindir}/xmlwf ++++++ expat-2.4.3.tar.xz -> expat-2.4.4.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/CMake.README new/expat-2.4.4/CMake.README --- old/expat-2.4.3/CMake.README 2022-01-16 14:13:19.000000000 +0100 +++ new/expat-2.4.4/CMake.README 2022-01-30 01:09:44.000000000 +0100 
@@ -3,25 +3,25 @@ The cmake based buildsystem for expat works on Windows (cygwin, mingw, Visual Studio) and should work on all other platform cmake supports. -Assuming ~/expat-2.4.3 is the source directory of expat, add a subdirectory +Assuming ~/expat-2.4.4 is the source directory of expat, add a subdirectory build and change into that directory: -~/expat-2.4.3$ mkdir build && cd build -~/expat-2.4.3/build$ +~/expat-2.4.4$ mkdir build && cd build +~/expat-2.4.4/build$ From that directory, call cmake first, then call make, make test and make install in the usual way: -~/expat-2.4.3/build$ cmake .. +~/expat-2.4.4/build$ cmake .. -- The C compiler identification is GNU -- The CXX compiler identification is GNU .... -- Configuring done -- Generating done --- Build files have been written to: /home/patrick/expat-2.4.3/build +-- Build files have been written to: /home/patrick/expat-2.4.4/build If you want to specify the install location for your files, append -DCMAKE_INSTALL_PREFIX=/your/install/path to the cmake call. -~/expat-2.4.3/build$ make && make test && make install +~/expat-2.4.4/build$ make && make test && make install Scanning dependencies of target expat [ 5%] Building C object CMakeFiles/expat.dir/lib/xmlparse.c.o [ 11%] Building C object CMakeFiles/expat.dir/lib/xmlrole.c.o diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/CMakeLists.txt new/expat-2.4.4/CMakeLists.txt --- old/expat-2.4.3/CMakeLists.txt 2022-01-16 14:13:19.000000000 +0100 +++ new/expat-2.4.4/CMakeLists.txt 2022-01-30 01:09:44.000000000 +0100 @@ -64,7 +64,7 @@ project(expat VERSION - 2.4.3 + 2.4.4 LANGUAGES C ) @@ -408,7 +408,7 @@ endif() set(LIBCURRENT 9) # sync -set(LIBREVISION 3) # with +set(LIBREVISION 4) # with set(LIBAGE 8) # configure.ac! math(EXPR LIBCURRENT_MINUS_AGE "${LIBCURRENT} - ${LIBAGE}") 
@@ -422,7 +422,7 @@ # on Windows by resorting to filename libexpat.dll since Expat 1.95.3. # Everything but MSVC is already adding prefix "lib", automatically. # NOTE: "set_property(TARGET expat PROPERTY PREFIX lib)" would only affect *.dll - # files but not *.lib files, so we have to rely on propert OUTPUT_NAME, instead. + # files but not *.lib files, so we have to rely on property OUTPUT_NAME, instead. # Property CMAKE_*_POSTFIX still applies. set_property(TARGET expat PROPERTY OUTPUT_NAME libexpat) endif() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/Changes new/expat-2.4.4/Changes --- old/expat-2.4.3/Changes 2022-01-16 14:13:19.000000000 +0100 +++ new/expat-2.4.4/Changes 2022-01-30 01:09:44.000000000 +0100 
@@ -2,6 +2,38 @@ https://github.com/libexpat/libexpat/labels/help%20wanted If you can help, please get in touch. Thanks! +Release 2.4.4 Sun January 30 2022 + Security fixes: + #550 CVE-2022-23852 -- Fix signed integer overflow + (undefined behavior) in function XML_GetBuffer + (that is also called by function XML_Parse internally) + for when XML_CONTEXT_BYTES is defined to >0 (which is both + common and default). + Impact is denial of service or more. + #551 CVE-2022-23990 -- Fix unsigned integer overflow in function + doProlog triggered by large content in element type + declarations when there is an element declaration handler + present (from a prior call to XML_SetElementDeclHandler). + Impact is denial of service or more. + + Bug fixes: + #544 #545 xmlwf: Fix a memory leak on output file opening error + + Other changes: + #546 Autotools: Fix broken CMake support under Cygwin + #554 Windows: Add missing files to the installer to fix + compilation with CMake from installed sources + #552 #554 Version info bumped from 9:3:8 to 9:4:8; + see https://verbump.de/ for what these numbers do + + Special thanks to: + Carlo Bramini + hwt0415 + Roland Illig + Samanta Navarro + and + Clang LeakSan and the Clang team + Release 2.4.3 Sun January 16 2022 Security fixes: #531 #534 CVE-2021-45960 -- Fix issues with left shifts by >=29 places diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/Makefile.in new/expat-2.4.4/Makefile.in --- old/expat-2.4.3/Makefile.in 2022-01-16 14:53:12.000000000 +0100 +++ new/expat-2.4.4/Makefile.in 2022-01-30 01:11:25.000000000 +0100 
@@ -306,6 +306,7 @@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ +CMAKE_SHARED_LIBRARY_PREFIX = @CMAKE_SHARED_LIBRARY_PREFIX@ CPPFLAGS = @CPPFLAGS@ CSCOPE = @CSCOPE@ CTAGS = @CTAGS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/README.md new/expat-2.4.4/README.md --- old/expat-2.4.3/README.md 2022-01-16 14:13:19.000000000 +0100 +++ new/expat-2.4.4/README.md 2022-01-30 01:09:44.000000000 +0100 @@ -5,7 +5,7 @@ [](https://github.com/libexpat/libexpat/releases) -# Expat, Release 2.4.3 +# Expat, Release 2.4.4 This is Expat, a C library for parsing XML, started by [James Clark](https://en.wikipedia.org/wiki/James_Clark_%28programmer%29) in 1997. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/cmake/autotools/expat-noconfig__windows.cmake.in new/expat-2.4.4/cmake/autotools/expat-noconfig__windows.cmake.in --- old/expat-2.4.3/cmake/autotools/expat-noconfig__windows.cmake.in 2021-12-15 15:25:31.000000000 +0100 +++ new/expat-2.4.4/cmake/autotools/expat-noconfig__windows.cmake.in 2022-01-29 23:23:39.000000000 +0100 
@@ -9,11 +9,11 @@ set_property(TARGET expat::expat APPEND PROPERTY IMPORTED_CONFIGURATIONS NOCONFIG) set_target_properties(expat::expat PROPERTIES IMPORTED_IMPLIB_NOCONFIG "${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.dll.a" - IMPORTED_LOCATION_NOCONFIG "${_IMPORT_PREFIX}/bin/libexpat-@SO_MAJOR@.dll" + IMPORTED_LOCATION_NOCONFIG "${_IMPORT_PREFIX}/bin/@CMAKE_SHARED_LIBRARY_PREFIX@expat-@SO_MAJOR@.dll" ) list(APPEND _IMPORT_CHECK_TARGETS expat::expat ) -list(APPEND _IMPORT_CHECK_FILES_FOR_expat::expat "${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.dll.a" "${_IMPORT_PREFIX}/bin/libexpat-@SO_MAJOR@.dll" ) +list(APPEND _IMPORT_CHECK_FILES_FOR_expat::expat "${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.dll.a" "${_IMPORT_PREFIX}/bin/@CMAKE_SHARED_LIBRARY_PREFIX@expat-@SO_MAJOR@.dll" ) # Commands beyond this point should not need to know the version. set(CMAKE_IMPORT_FILE_VERSION) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/configure new/expat-2.4.4/configure --- old/expat-2.4.3/configure 2022-01-16 14:53:12.000000000 +0100 +++ new/expat-2.4.4/configure 2022-01-30 01:11:25.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for expat 2.4.3. +# Generated by GNU Autoconf 2.71 for expat 2.4.4. # # Report bugs to <expat-b...@libexpat.org>. # @@ -621,8 +621,8 @@ # Identity of this package. PACKAGE_NAME='expat' PACKAGE_TARNAME='expat' -PACKAGE_VERSION='2.4.3' -PACKAGE_STRING='expat 2.4.3' +PACKAGE_VERSION='2.4.4' +PACKAGE_STRING='expat 2.4.4' PACKAGE_BUGREPORT='expat-b...@libexpat.org' PACKAGE_URL='' @@ -664,6 +664,7 @@ am__EXEEXT_TRUE LTLIBOBJS LIBOBJS +CMAKE_SHARED_LIBRARY_PREFIX AM_LDFLAGS AM_CXXFLAGS AM_CFLAGS 
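Review bot: In the cmake/autotools/expat-noconfig__windows.cmake.in hunk, `IMPORTED_IMPLIB_NOCONFIG` and the first entry of `_IMPORT_CHECK_FILES_FOR_expat::expat` keep the literal `libexpat.dll.a` while the DLL path now uses `@CMAKE_SHARED_LIBRARY_PREFIX@`, and nothing in the file says the asymmetry is intended. If it is deliberate (the import library keeping the `lib` prefix on Cygwin as well as MinGW), a comment above `set_target_properties` would stop a later cleanup from unifying the two, e.g. `# Only the DLL name prefix varies by host (lib vs. cyg); the import library keeps "lib".` This template decides which DLL path consumers of `expat::expat` resolve, so the substituted value is worth confirming against an actual Cygwin install tree.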
@@ -1413,7 +1414,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures expat 2.4.3 to adapt to many kinds of systems. +\`configure' configures expat 2.4.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1484,7 +1485,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of expat 2.4.3:";; + short | recursive ) echo "Configuration of expat 2.4.4:";; esac cat <<\_ACEOF @@ -1618,7 +1619,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -expat configure 2.4.3 +expat configure 2.4.4 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -2249,7 +2250,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by expat $as_me 2.4.3, which was +It was created by expat $as_me 2.4.4, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -3816,7 +3817,7 @@ # Define the identity of the package. PACKAGE='expat' - VERSION='2.4.3' + VERSION='2.4.4' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -3923,7 +3924,7 @@ LIBCURRENT=9 # sync -LIBREVISION=3 # with +LIBREVISION=4 # with LIBAGE=8 # CMakeLists.txt! ac_config_headers="$ac_config_headers expat_config.h" 
@@ -19638,10 +19639,22 @@ +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for shared library name prefix" >&5 +printf %s "checking for shared library name prefix... " >&6; } +case "${host_os}" in #( + cygwin*) : + CMAKE_SHARED_LIBRARY_PREFIX=cyg ;; #( + *) : + CMAKE_SHARED_LIBRARY_PREFIX=lib ;; +esac +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: ${CMAKE_SHARED_LIBRARY_PREFIX}" >&5 +printf "%s\n" "${CMAKE_SHARED_LIBRARY_PREFIX}" >&6; } + + case "${host_os}" in #( darwin*) : CMAKE_NOCONFIG_SOURCE=cmake/autotools/expat-noconfig__macos.cmake.in ;; #( - mingw*) : + mingw*|cygwin*) : CMAKE_NOCONFIG_SOURCE=cmake/autotools/expat-noconfig__windows.cmake.in ;; #( *) : CMAKE_NOCONFIG_SOURCE=cmake/autotools/expat-noconfig__linux.cmake.in ;; @@ -20214,7 +20227,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by expat $as_me 2.4.3, which was +This file was extended by expat $as_me 2.4.4, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -20282,7 +20295,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -expat config.status 2.4.3 +expat config.status 2.4.4 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/configure.ac new/expat-2.4.4/configure.ac --- old/expat-2.4.3/configure.ac 2022-01-16 14:13:19.000000000 +0100 +++ new/expat-2.4.4/configure.ac 2022-01-30 01:09:44.000000000 +0100 @@ -82,7 +82,7 @@ dnl LIBCURRENT=9 # sync -LIBREVISION=3 # with +LIBREVISION=4 # with LIBAGE=8 # CMakeLists.txt! AC_CONFIG_HEADERS([expat_config.h]) 
@@ -395,9 +395,17 @@ AC_SUBST([AM_CXXFLAGS]) AC_SUBST([AM_LDFLAGS]) +dnl Emulate the use of CMAKE_SHARED_LIBRARY_PREFIX under CMake +AC_MSG_CHECKING([for shared library name prefix]) +AS_CASE("${host_os}", + [cygwin*], [CMAKE_SHARED_LIBRARY_PREFIX=cyg], + [CMAKE_SHARED_LIBRARY_PREFIX=lib]) +AC_MSG_RESULT([${CMAKE_SHARED_LIBRARY_PREFIX}]) +AC_SUBST([CMAKE_SHARED_LIBRARY_PREFIX]) + AS_CASE("${host_os}", [darwin*], [CMAKE_NOCONFIG_SOURCE=cmake/autotools/expat-noconfig__macos.cmake.in], - [mingw*], [CMAKE_NOCONFIG_SOURCE=cmake/autotools/expat-noconfig__windows.cmake.in], + [mingw*|cygwin*], [CMAKE_NOCONFIG_SOURCE=cmake/autotools/expat-noconfig__windows.cmake.in], [CMAKE_NOCONFIG_SOURCE=cmake/autotools/expat-noconfig__linux.cmake.in]) AC_CONFIG_FILES([Makefile] [expat.pc] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/doc/Makefile.am new/expat-2.4.4/doc/Makefile.am --- old/expat-2.4.3/doc/Makefile.am 2022-01-13 23:41:19.000000000 +0100 +++ new/expat-2.4.4/doc/Makefile.am 2022-01-30 01:09:44.000000000 +0100 @@ -57,5 +57,4 @@ ok.min.css \ reference.html \ style.css \ - valid-xhtml10.png \ xmlwf.xml diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/doc/Makefile.in new/expat-2.4.4/doc/Makefile.in --- old/expat-2.4.3/doc/Makefile.in 2022-01-16 14:53:12.000000000 +0100 +++ new/expat-2.4.4/doc/Makefile.in 2022-01-30 01:11:25.000000000 +0100 @@ -209,6 +209,7 @@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ +CMAKE_SHARED_LIBRARY_PREFIX = @CMAKE_SHARED_LIBRARY_PREFIX@ CPPFLAGS = @CPPFLAGS@ CSCOPE = @CSCOPE@ CTAGS = @CTAGS@ 
@@ -344,7 +345,6 @@ ok.min.css \ reference.html \ style.css \ - valid-xhtml10.png \ xmlwf.xml all: all-am diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/doc/reference.html new/expat-2.4.4/doc/reference.html --- old/expat-2.4.3/doc/reference.html 2022-01-16 14:13:19.000000000 +0100 +++ new/expat-2.4.4/doc/reference.html 2022-01-30 01:09:44.000000000 +0100 @@ -49,7 +49,7 @@ <div> <h1> The Expat XML Parser - <small>Release 2.4.3</small> + <small>Release 2.4.4</small> </h1> </div> <div class="content"> Binary files old/expat-2.4.3/doc/valid-xhtml10.png and new/expat-2.4.4/doc/valid-xhtml10.png differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/doc/xmlwf.1 new/expat-2.4.4/doc/xmlwf.1 --- old/expat-2.4.3/doc/xmlwf.1 2022-01-16 14:53:19.000000000 +0100 +++ new/expat-2.4.4/doc/xmlwf.1 2022-01-30 01:11:31.000000000 +0100 @@ -5,7 +5,7 @@ \\$2 \(la\\$1\(ra\\$3 .. .if \n(.g .mso www.tmac -.TH XMLWF 1 "January 16, 2022" "" "" +.TH XMLWF 1 "January 30, 2022" "" "" .SH NAME xmlwf \- Determines if an XML document is well-formed .SH SYNOPSIS diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/doc/xmlwf.xml new/expat-2.4.4/doc/xmlwf.xml --- old/expat-2.4.3/doc/xmlwf.xml 2022-01-16 14:13:19.000000000 +0100 +++ new/expat-2.4.4/doc/xmlwf.xml 2022-01-30 01:09:44.000000000 +0100 
@@ -21,8 +21,8 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ <!ENTITY dhfirstname "<firstname>Scott</firstname>"> <!ENTITY dhsurname "<surname>Bronson</surname>"> - <!-- Please adjust the date whenever revising the manpage. --> - <!ENTITY dhdate "<date>January 16, 2022</date>"> + <!ENTITY dhdate "<date>January 30, 2022</date>"> + <!-- Please adjust this^^ date whenever cutting a new release. --> <!ENTITY dhsection "<manvolnum>1</manvolnum>"> <!ENTITY dhemail "<email>bron...@rinspin.com</email>"> <!ENTITY dhusername "Scott Bronson"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/examples/Makefile.in new/expat-2.4.4/examples/Makefile.in --- old/expat-2.4.3/examples/Makefile.in 2022-01-16 14:53:12.000000000 +0100 +++ new/expat-2.4.4/examples/Makefile.in 2022-01-30 01:11:25.000000000 +0100 @@ -230,6 +230,7 @@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ +CMAKE_SHARED_LIBRARY_PREFIX = @CMAKE_SHARED_LIBRARY_PREFIX@ CPPFLAGS = @CPPFLAGS@ CSCOPE = @CSCOPE@ CTAGS = @CTAGS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/expat_config.h new/expat-2.4.4/expat_config.h --- old/expat-2.4.3/expat_config.h 2022-01-16 14:53:18.000000000 +0100 +++ new/expat-2.4.4/expat_config.h 2022-01-30 01:11:31.000000000 +0100 @@ -77,7 +77,7 @@ #define PACKAGE_NAME "expat" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "expat 2.4.3" +#define PACKAGE_STRING "expat 2.4.4" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "expat" @@ -86,7 +86,7 @@ #define PACKAGE_URL "" /* Define to the version of this package. */ -#define PACKAGE_VERSION "2.4.3" +#define PACKAGE_VERSION "2.4.4" /* Define to 1 if all of the C90 standard headers exist (not just the ones required in a freestanding environment). This macro is provided for 
@@ -94,7 +94,7 @@ #define STDC_HEADERS 1 /* Version number of package */ -#define VERSION "2.4.3" +#define VERSION "2.4.4" /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel). */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/lib/Makefile.in new/expat-2.4.4/lib/Makefile.in --- old/expat-2.4.3/lib/Makefile.in 2022-01-16 14:53:13.000000000 +0100 +++ new/expat-2.4.4/lib/Makefile.in 2022-01-30 01:11:25.000000000 +0100 @@ -268,6 +268,7 @@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ +CMAKE_SHARED_LIBRARY_PREFIX = @CMAKE_SHARED_LIBRARY_PREFIX@ CPPFLAGS = @CPPFLAGS@ CSCOPE = @CSCOPE@ CTAGS = @CTAGS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/lib/expat.h new/expat-2.4.4/lib/expat.h --- old/expat-2.4.3/lib/expat.h 2022-01-16 14:13:19.000000000 +0100 +++ new/expat-2.4.4/lib/expat.h 2022-01-30 01:09:44.000000000 +0100 @@ -1041,7 +1041,7 @@ */ #define XML_MAJOR_VERSION 2 #define XML_MINOR_VERSION 4 -#define XML_MICRO_VERSION 3 +#define XML_MICRO_VERSION 4 #ifdef __cplusplus } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/lib/xmlparse.c new/expat-2.4.4/lib/xmlparse.c --- old/expat-2.4.3/lib/xmlparse.c 2022-01-16 14:13:19.000000000 +0100 +++ new/expat-2.4.4/lib/xmlparse.c 2022-01-30 01:09:44.000000000 +0100 @@ -1,4 +1,4 @@ -/* 9ca2a2fedc35bcb13ba9a134ba5e173020bc2ff5f5a311abf742cec7da1ff26a (2.4.3+) +/* 2e2c8ce5f11a473d65ec313ab20ceee6afefb355f5405afc06e7204e2e41c8c0 (2.4.4+) __ __ _ ___\ \/ /_ __ __ _| |_ / _ \\ /| '_ \ / _` | __| 
@@ -33,6 +33,7 @@ Copyright (c) 2019-2020 Ben Wagner <bunge...@chromium.org> Copyright (c) 2019 Vadim Zeitlin <va...@zeitlins.org> Copyright (c) 2021 Dong-hee Na <donghee...@python.org> + Copyright (c) 2022 Samanta Navarro <feri...@riseup.net> Licensed under the MIT license: Permission is hereby granted, free of charge, to any person obtaining @@ -974,7 +975,7 @@ if (memsuite) { XML_Memory_Handling_Suite *mtemp; - parser = (XML_Parser)memsuite->malloc_fcn(sizeof(struct XML_ParserStruct)); + parser = memsuite->malloc_fcn(sizeof(struct XML_ParserStruct)); if (parser != NULL) { mtemp = (XML_Memory_Handling_Suite *)&(parser->m_mem); mtemp->malloc_fcn = memsuite->malloc_fcn; @@ -2067,6 +2068,11 @@ keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer); if (keep > XML_CONTEXT_BYTES) keep = XML_CONTEXT_BYTES; + /* Detect and prevent integer overflow */ + if (keep > INT_MAX - neededSize) { + parser->m_errorCode = XML_ERROR_NO_MEMORY; + return NULL; + } neededSize += keep; #endif /* defined XML_CONTEXT_BYTES */ if (neededSize @@ -4092,7 +4098,7 @@ const char *s; #ifdef XML_UNICODE char encodingBuf[128]; - /* See comments abount `protoclEncodingName` in parserInit() */ + /* See comments about `protocolEncodingName` in parserInit() */ if (! parser->m_protocolEncodingName) s = NULL; else { @@ -5367,7 +5373,7 @@ if (dtd->in_eldecl) { ELEMENT_TYPE *el; const XML_Char *name; - int nameLen; + size_t nameLen; const char *nxt = (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar); int myindex = nextScaffoldPart(parser); @@ -5383,7 +5389,13 @@ nameLen = 0; for (; name[nameLen++];) ; - dtd->contentStringLen += nameLen; + + /* Detect and prevent integer overflow */ + if (nameLen > UINT_MAX - dtd->contentStringLen) { + return XML_ERROR_NO_MEMORY; + } + + dtd->contentStringLen += (unsigned)nameLen; if (parser->m_elementDeclHandler) handleDefault = XML_FALSE; } 
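Review bot: In the `@@ -2067,6 +2068,11 @@` hunk of lib/xmlparse.c, the new guard `if (keep > INT_MAX - neededSize)` is itself free of overflow only when `neededSize` is non-negative, and that precondition is established outside the hunk, so it should be stated next to the check. I would extend the comment to `/* Detect and prevent integer overflow; relies on neededSize >= 0 from the earlier check */`, after confirming that the code earlier in XML_GetBuffer does reject a negative `neededSize`. `keep` is bounded by the clamp to `XML_CONTEXT_BYTES` on the preceding lines, so the subtraction form is the right shape for this CVE-2022-23852 fix. The function body starts and ends outside the hunk.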
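Review bot: The CVE-2022-23990 guard in the `@@ -5383,7 +5389,13 @@` hunk of lib/xmlparse.c (doProlog) has no accompanying regression test in this diff, whereas the XML_GetBuffer fix gets `test_get_buffer_3_overflow` in tests/runtests.c. Reaching the limit needs element declaration names whose lengths sum to nearly `UINT_MAX`, so a direct test may be impractical. If so, the comment should say it, e.g. `/* Detect and prevent integer overflow (CVE-2022-23990); not exercised by runtests.c because of the input size required */`. The comparison `nameLen > UINT_MAX - dtd->contentStringLen` presumes `contentStringLen` is `unsigned`, which the `(unsigned)nameLen` cast suggests, but the declaration is outside the hunk. doProlog's body starts and ends outside the hunk.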
@@ -6536,7 +6548,7 @@ static DTD * dtdCreate(const XML_Memory_Handling_Suite *ms) { - DTD *p = (DTD *)ms->malloc_fcn(sizeof(DTD)); + DTD *p = ms->malloc_fcn(sizeof(DTD)); if (p == NULL) return p; poolInit(&(p->pool), ms); @@ -6709,8 +6721,8 @@ if (! newE) return 0; if (oldE->nDefaultAtts) { - newE->defaultAtts = (DEFAULT_ATTRIBUTE *)ms->malloc_fcn( - oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE)); + newE->defaultAtts + = ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE)); if (! newE->defaultAtts) { return 0; } @@ -6872,7 +6884,7 @@ /* table->size is a power of 2 */ table->size = (size_t)1 << INIT_POWER; tsize = table->size * sizeof(NAMED *); - table->v = (NAMED **)table->mem->malloc_fcn(tsize); + table->v = table->mem->malloc_fcn(tsize); if (! table->v) { table->size = 0; return NULL; @@ -6912,7 +6924,7 @@ } size_t tsize = newSize * sizeof(NAMED *); - NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize); + NAMED **newV = table->mem->malloc_fcn(tsize); if (! newV) return NULL; memset(newV, 0, tsize); @@ -6941,7 +6953,7 @@ } } } - table->v[i] = (NAMED *)table->mem->malloc_fcn(createSize); + table->v[i] = table->mem->malloc_fcn(createSize); if (! table->v[i]) return NULL; memset(table->v[i], 0, createSize); @@ -7229,7 +7241,7 @@ if (bytesToAllocate == 0) return XML_FALSE; - tem = (BLOCK *)pool->mem->malloc_fcn(bytesToAllocate); + tem = pool->mem->malloc_fcn(bytesToAllocate); if (! tem) return XML_FALSE; tem->size = blockSize; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/tests/Makefile.in new/expat-2.4.4/tests/Makefile.in --- old/expat-2.4.3/tests/Makefile.in 2022-01-16 14:53:13.000000000 +0100 +++ new/expat-2.4.4/tests/Makefile.in 2022-01-30 01:11:26.000000000 +0100 
@@ -516,6 +516,7 @@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ +CMAKE_SHARED_LIBRARY_PREFIX = @CMAKE_SHARED_LIBRARY_PREFIX@ CPPFLAGS = @CPPFLAGS@ CSCOPE = @CSCOPE@ CTAGS = @CTAGS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/tests/benchmark/Makefile.in new/expat-2.4.4/tests/benchmark/Makefile.in --- old/expat-2.4.3/tests/benchmark/Makefile.in 2022-01-16 14:53:13.000000000 +0100 +++ new/expat-2.4.4/tests/benchmark/Makefile.in 2022-01-30 01:11:26.000000000 +0100 @@ -227,6 +227,7 @@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ +CMAKE_SHARED_LIBRARY_PREFIX = @CMAKE_SHARED_LIBRARY_PREFIX@ CPPFLAGS = @CPPFLAGS@ CSCOPE = @CSCOPE@ CTAGS = @CTAGS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/tests/runtests.c new/expat-2.4.4/tests/runtests.c --- old/expat-2.4.3/tests/runtests.c 2022-01-16 14:13:19.000000000 +0100 +++ new/expat-2.4.4/tests/runtests.c 2022-01-30 01:09:44.000000000 +0100 @@ -3847,6 +3847,30 @@ } END_TEST +/* Test for signed integer overflow CVE-2022-23852 */ +#if defined(XML_CONTEXT_BYTES) +START_TEST(test_get_buffer_3_overflow) { + XML_Parser parser = XML_ParserCreate(NULL); + assert(parser != NULL); + + const char *const text = "\n"; + const int expectedKeepValue = (int)strlen(text); + + // After this call, variable "keep" in XML_GetBuffer will + // have value expectedKeepValue + if (XML_Parse(parser, text, (int)strlen(text), XML_FALSE /* isFinal */) + == XML_STATUS_ERROR) + xml_failure(parser); + + assert(expectedKeepValue > 0); + if (XML_GetBuffer(parser, INT_MAX - expectedKeepValue + 1) != NULL) + fail("enlarging buffer not failed"); + + XML_ParserFree(parser); +} +END_TEST +#endif // defined(XML_CONTEXT_BYTES) + /* Test position information macros */ START_TEST(test_byte_info_at_end) { const char *text = "<doc></doc>"; 
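Review bot: `test_get_buffer_3_overflow` in the `@@ -3847,6 +3847,30 @@` hunk of tests/runtests.c only checks that `XML_GetBuffer` returns NULL, so it would also pass if the call were refused for a reason other than the new overflow guard. The fix sets `parser->m_errorCode = XML_ERROR_NO_MEMORY`, so the test can narrow the outcome with `if (XML_GetErrorCode(parser) != XML_ERROR_NO_MEMORY) fail("unexpected error code");` before `XML_ParserFree(parser)`. The two `assert()` calls compile away under `NDEBUG`, so the `parser != NULL` precondition is better expressed through the suite's `fail()`. The comment that `keep` will equal `expectedKeepValue` describes XML_GetBuffer internals and should be marked as an assumption that needs revisiting if the buffer logic changes.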
@@ -7352,7 +7376,7 @@ fail("Version mismatch"); #if ! defined(XML_UNICODE) || defined(XML_UNICODE_WCHAR_T) - if (xcstrcmp(version_text, XCS("expat_2.4.3"))) /* needs bump on releases */ + if (xcstrcmp(version_text, XCS("expat_2.4.4"))) /* needs bump on releases */ fail("XML_*_VERSION in expat.h out of sync?\n"); #else /* If we have XML_UNICODE defined but not XML_UNICODE_WCHAR_T @@ -11286,7 +11310,7 @@ {"<p:e xmlns:p=\"https://domain.invalid/\" />", NULL, NULL, 0, filled_later}, {"<e k=\"&'><"\" />", NULL, NULL, - sizeof(XML_Char) * 5 /* number of predefined entites */, filled_later}, + sizeof(XML_Char) * 5 /* number of predefined entities */, filled_later}, {"<e1 xmlns='https://example.org/'>\n" " <e2 xmlns=''/>\n" "</e1>", @@ -11296,7 +11320,7 @@ {"<e>text</e>", NULL, NULL, 0, filled_later}, {"<e1><e2>text1<e3/>text2</e2></e1>", NULL, NULL, 0, filled_later}, {"<e>&'><"</e>", NULL, NULL, - sizeof(XML_Char) * 5 /* number of predefined entites */, filled_later}, + sizeof(XML_Char) * 5 /* number of predefined entities */, filled_later}, {"<e>A)</e>", NULL, NULL, 0, filled_later}, /* Prolog */ @@ -11731,6 +11755,9 @@ tcase_add_test(tc_basic, test_empty_parse); tcase_add_test(tc_basic, test_get_buffer_1); tcase_add_test(tc_basic, test_get_buffer_2); +#if defined(XML_CONTEXT_BYTES) + tcase_add_test(tc_basic, test_get_buffer_3_overflow); +#endif tcase_add_test(tc_basic, test_byte_info_at_end); tcase_add_test(tc_basic, test_byte_info_at_error); tcase_add_test(tc_basic, test_byte_info_at_cdata); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/win32/expat.iss new/expat-2.4.4/win32/expat.iss --- old/expat-2.4.3/win32/expat.iss 2022-01-16 14:13:19.000000000 +0100 +++ new/expat-2.4.4/win32/expat.iss 2022-01-30 01:09:44.000000000 +0100 
@@ -36,14 +36,14 @@ ; OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE ; USE OR OTHER DEALINGS IN THE SOFTWARE. -#define expatVer "2.4.3" +#define expatVer "2.4.4" [Setup] AppName=Expat AppId=expat AppVersion={#expatVer} AppVerName=Expat {#expatVer} -AppCopyright=Copyright ?? 1997-2021 Thai Open Source Software Center, Clark Cooper, and the Expat maintainers +AppCopyright=Copyright ?? 1997-2022 Thai Open Source Software Center, Clark Cooper, and the Expat maintainers AppPublisher=The Expat Developers AppPublisherURL=https://libexpat.github.io/ AppSupportURL=https://libexpat.github.io/ 
@@ -73,16 +73,20 @@ Flags: ignoreversion; Source: README.md; DestDir: "{app}"; DestName: README.txt Flags: ignoreversion; Source: doc\*.html; DestDir: "{app}\Doc" Flags: ignoreversion; Source: doc\*.css; DestDir: "{app}\Doc" -Flags: ignoreversion; Source: doc\*.png; DestDir: "{app}\Doc" +Flags: ignoreversion; Source: doc\*.xml; DestDir: "{app}\Doc" Flags: ignoreversion; Source: win32\bin\Release\*.dll; DestDir: "{app}\Bin" Flags: ignoreversion; Source: win32\bin\Release\*.lib; DestDir: "{app}\Bin" Flags: ignoreversion; Source: win32\README.txt; DestDir: "{app}\Source" +Flags: ignoreversion; Source: AUTHORS; DestDir: "{app}\Source" Flags: ignoreversion; Source: Changes; DestDir: "{app}\Source" Flags: ignoreversion; Source: CMake.README; DestDir: "{app}\Source" Flags: ignoreversion; Source: CMakeLists.txt; DestDir: "{app}\Source" Flags: ignoreversion; Source: ConfigureChecks.cmake; DestDir: "{app}\Source" +Flags: ignoreversion; Source: expat.pc.cmake; DestDir: "{app}\Source" Flags: ignoreversion; Source: expat_config.h.cmake; DestDir: "{app}\Source" +Flags: ignoreversion; Source: run.sh.in; DestDir: "{app}\Source" Flags: ignoreversion; Source: cmake\expat-config.cmake.in; DestDir: "{app}\Source\cmake" +Flags: ignoreversion; Source: fuzz\*.c; DestDir: "{app}\Source\fuzz" Flags: ignoreversion; Source: lib\*.c; DestDir: "{app}\Source\lib" Flags: ignoreversion; Source: lib\*.h; DestDir: "{app}\Source\lib" Flags: ignoreversion; Source: lib\*.def; DestDir: "{app}\Source\lib" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/xmlwf/Makefile.in new/expat-2.4.4/xmlwf/Makefile.in --- old/expat-2.4.3/xmlwf/Makefile.in 2022-01-16 14:53:13.000000000 +0100 +++ new/expat-2.4.4/xmlwf/Makefile.in 2022-01-30 01:11:26.000000000 +0100 
@@ -235,6 +235,7 @@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ +CMAKE_SHARED_LIBRARY_PREFIX = @CMAKE_SHARED_LIBRARY_PREFIX@ CPPFLAGS = @CPPFLAGS@ CSCOPE = @CSCOPE@ CTAGS = @CTAGS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/expat-2.4.3/xmlwf/xmlwf.c new/expat-2.4.4/xmlwf/xmlwf.c --- old/expat-2.4.3/xmlwf/xmlwf.c 2022-01-13 23:41:22.000000000 +0100 +++ new/expat-2.4.4/xmlwf/xmlwf.c 2022-01-30 01:09:44.000000000 +0100 @@ -11,7 +11,7 @@ Copyright (c) 2001-2003 Fred L. Drake, Jr. <fdr...@users.sourceforge.net> Copyright (c) 2004-2009 Karl Waclawek <k...@waclawek.net> Copyright (c) 2005-2007 Steven Solie <sso...@users.sourceforge.net> - Copyright (c) 2016-2021 Sebastian Pipping <sebast...@pipping.org> + Copyright (c) 2016-2022 Sebastian Pipping <sebast...@pipping.org> Copyright (c) 2017 Rhodri James <rho...@wildebeest.org.uk> Copyright (c) 2019 David Loffredo <loffr...@steptools.com> Copyright (c) 2020 Joe Orton <jor...@redhat.com> @@ -1175,9 +1175,9 @@ if (! userData.fp) { tperror(outName); exitCode = XMLWF_EXIT_OUTPUT_ERROR; + free(outName); + XML_ParserFree(parser); if (continueOnError) { - free(outName); - cleanupUserData(&userData); continue; } else { break;
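Review bot: The `@@ -1175,9 +1175,9 @@` hunk of xmlwf/xmlwf.c drops `cleanupUserData(&userData);` from the `continueOnError` path without a visible replacement, so anything `userData` owns at this point would leak on every failed output open. If `userData` is guaranteed to hold no allocations before `userData.fp` is opened, a comment should say so, e.g. `/* userData owns nothing yet; only outName and parser need releasing */`; otherwise keep the call ahead of `if (continueOnError)`. It is also worth confirming that nothing after the loop touches `parser` or `outName` again on the `break` path, since both are now freed here. The enclosing loop starts and ends outside the hunk.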