Hello community,

here is the log from the commit of package expat for openSUSE:Factory checked 
in at 2022-03-07 17:45:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/expat (Old)
 and      /work/SRC/openSUSE:Factory/.expat.new.1958 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "expat"

Mon Mar  7 17:45:32 2022 rev:67 rq:959581 version:2.4.7

Changes:
--------
--- /work/SRC/openSUSE:Factory/expat/expat.changes      2022-02-23 
16:25:36.843507036 +0100
+++ /work/SRC/openSUSE:Factory/.expat.new.1958/expat.changes    2022-03-07 
17:45:33.435143822 +0100
@@ -1,0 +2,31 @@
+Sat Mar  5 06:34:13 UTC 2022 - David Anes <[email protected]>
+
+- udpate to 2.4.7 (bsc#1196784, CVE-2022-25236):
+  * Bug fixes:
+    - Relax fix to CVE-2022-25236 (introduced with release 2.4.5)
+      with regard to all valid URI characters (RFC 3986),
+      i.e. the following set (excluding whitespace):
+      ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz
+      0123456789 % -._~ :/?#[]@ !$&'()*+,;=
+  * Other changes:
+    - CMake|Windows: Store Expat version in the DLL
+    - Document consequences of namespace separator choices not just
+      in doc/reference.html but also in header <expat.h>
+    - Document Expat's lack of validation of namespace URIs against
+      RFC 3986, and that the XML 1.0r4 specification doesn't
+      require Expat to validate namespace URIs, and that Expat
+      may do more in that regard in future releases.
+      If you find need for strict RFC 3986 URI validation on
+      application level today, https://uriparser.github.io/ may
+      be of interest.
+    - Fix documentation of XML_EndDoctypeDeclHandler in <expat.h>
+    - Document that a call to XML_FreeContentModel can be done at
+      a later time from outside the element declaration handler
+    - Make hardcoded namespace URIs easier to find in code
+    - Update documentation on use of XML_POOR_ENTOPY on Solaris
+    - tests: Resolve use of macros NAN and INFINITY for GNU G++
+      4.8.2 on Solaris.
+    - Version info bumped from 9:6:8 to 9:7:8;
+      see https://verbump.de/ for what these numbers do
+
+-------------------------------------------------------------------

Old:
----
  expat-2.4.6.tar.xz
  expat-2.4.6.tar.xz.asc

New:
----
  expat-2.4.7.tar.xz
  expat-2.4.7.tar.xz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ expat.spec ++++++
--- /var/tmp/diff_new_pack.up2poS/_old  2022-03-07 17:45:34.215143596 +0100
+++ /var/tmp/diff_new_pack.up2poS/_new  2022-03-07 17:45:34.219143595 +0100
@@ -16,9 +16,9 @@
 #
 
 
-%global unversion 2_4_6
+%global unversion 2_4_7
 Name:           expat
-Version:        2.4.6
+Version:        2.4.7
 Release:        0
 Summary:        XML Parser Toolkit
 License:        MIT

++++++ expat-2.4.6.tar.xz -> expat-2.4.7.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.6/CMake.README new/expat-2.4.7/CMake.README
--- old/expat-2.4.6/CMake.README        2022-02-20 18:02:05.000000000 +0100
+++ new/expat-2.4.7/CMake.README        2022-03-04 20:42:23.000000000 +0100
@@ -3,25 +3,25 @@
 The cmake based buildsystem for expat works on Windows (cygwin, mingw, Visual
 Studio) and should work on all other platform cmake supports.
 
-Assuming ~/expat-2.4.6 is the source directory of expat, add a subdirectory
+Assuming ~/expat-2.4.7 is the source directory of expat, add a subdirectory
 build and change into that directory:
-~/expat-2.4.6$ mkdir build && cd build
-~/expat-2.4.6/build$
+~/expat-2.4.7$ mkdir build && cd build
+~/expat-2.4.7/build$
 
 From that directory, call cmake first, then call make, make test and
 make install in the usual way:
-~/expat-2.4.6/build$ cmake ..
+~/expat-2.4.7/build$ cmake ..
 -- The C compiler identification is GNU
 -- The CXX compiler identification is GNU
 ....
 -- Configuring done
 -- Generating done
--- Build files have been written to: /home/patrick/expat-2.4.6/build
+-- Build files have been written to: /home/patrick/expat-2.4.7/build
 
 If you want to specify the install location for your files, append
 -DCMAKE_INSTALL_PREFIX=/your/install/path to the cmake call.
 
-~/expat-2.4.6/build$ make && make test && make install
+~/expat-2.4.7/build$ make && make test && make install
 Scanning dependencies of target expat
 [  5%] Building C object CMakeFiles/expat.dir/lib/xmlparse.c.o
 [ 11%] Building C object CMakeFiles/expat.dir/lib/xmlrole.c.o
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.6/CMakeLists.txt 
new/expat-2.4.7/CMakeLists.txt
--- old/expat-2.4.6/CMakeLists.txt      2022-02-20 18:02:05.000000000 +0100
+++ new/expat-2.4.7/CMakeLists.txt      2022-03-04 20:42:23.000000000 +0100
@@ -29,6 +29,7 @@
 # Copyright (c) 2020      Gulliver <[email protected]>
 # Copyright (c) 2020      Thomas Beutlich <[email protected]>
 # Copyright (c) 2021      Alex Richardson <[email protected]>
+# Copyright (c) 2022      Johnny Jazeix <[email protected]>
 # Unlike most of Expat,
 # this file is copyrighted under the BSD-license for buildsystem files of KDE.
 
@@ -64,7 +65,7 @@
 
 project(expat
     VERSION
-        2.4.6
+        2.4.7
     LANGUAGES
         C
 )
@@ -381,7 +382,7 @@
 #
 # C library
 #
-set(expat_SRCS
+set(_EXPAT_C_SOURCES
     lib/xmlparse.c
     lib/xmlrole.c
     lib/xmltok.c
@@ -393,13 +394,18 @@
 if(EXPAT_SHARED_LIBS)
     set(_SHARED SHARED)
     if(MSVC)
-        set(expat_SRCS ${expat_SRCS} lib/libexpat.def)
+        set(_EXPAT_EXTRA_SOURCES ${_EXPAT_EXTRA_SOURCES} lib/libexpat.def)
+    endif()
+    if(WIN32)
+        # Add DLL version
+        string(REPLACE "." "," _EXPAT_DLL_VERSION ${PROJECT_VERSION}.0)
+        set(_EXPAT_EXTRA_SOURCES ${_EXPAT_EXTRA_SOURCES} win32/version.rc)
     endif()
 else()
     set(_SHARED STATIC)
 endif()
 
-add_library(expat ${_SHARED} ${expat_SRCS})
+add_library(expat ${_SHARED} ${_EXPAT_C_SOURCES} ${_EXPAT_EXTRA_SOURCES})
 if(_EXPAT_LIBM_FOUND)
     target_link_libraries(expat m)
 endif()
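Review bot: The two `set(_EXPAT_EXTRA_SOURCES ${_EXPAT_EXTRA_SOURCES} ...)` lines in the `if(MSVC)` and `if(WIN32)` branches re-assign the list by hand; `list(APPEND _EXPAT_EXTRA_SOURCES lib/libexpat.def)` and `list(APPEND _EXPAT_EXTRA_SOURCES win32/version.rc)` are the idiomatic form and read as the appends they are. The `# Add DLL version` comment could state the transformation so the consumer of `_EXPAT_DLL_VERSION` further down is understandable without running it, e.g. `# 2.4.7 -> 2,4,7,0: the four-number comma form a VERSIONINFO resource expects`. Note that `_EXPAT_DLL_VERSION` is set only on the shared-library WIN32 path, so anything reading it elsewhere sees an empty value; the later `target_compile_definitions` call is under the same condition, which is fine.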
@@ -408,7 +414,7 @@
 endif()
 
 set(LIBCURRENT 9)   # sync
-set(LIBREVISION 6)  # with
+set(LIBREVISION 7)  # with
 set(LIBAGE 8)       # configure.ac!
 math(EXPR LIBCURRENT_MINUS_AGE "${LIBCURRENT} - ${LIBAGE}")
 
@@ -434,8 +440,12 @@
         $<INSTALL_INTERFACE:${CMAKE_INSTALL_INCLUDEDIR}>
 )
 
-if(NOT EXPAT_SHARED_LIBS AND WIN32)
-    target_compile_definitions(expat PUBLIC -DXML_STATIC)
+if(WIN32)
+    if(EXPAT_SHARED_LIBS)
+        target_compile_definitions(expat PRIVATE 
VER_FILEVERSION=${_EXPAT_DLL_VERSION})
+    else()
+        target_compile_definitions(expat PUBLIC -DXML_STATIC)
+    endif()
 endif()
 
 expat_install(TARGETS expat EXPORT expat
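Review bot: The rewritten `target_compile_definitions(expat PUBLIC -DXML_STATIC)` keeps the legacy `-D` prefix, which CMake strips; the target-scoped form is spelled without it, as the new `VER_FILEVERSION=...` line in the same block already does, so `target_compile_definitions(expat PUBLIC XML_STATIC)` keeps the two consistent. A short comment on why one definition is PUBLIC and the other PRIVATE would help the next reader, e.g. `# consumers of a static expat must see XML_STATIC too; the version number is only for win32/version.rc`.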
@@ -550,7 +560,7 @@
         tests/memcheck.c
         tests/minicheck.c
         tests/structdata.c
-        ${expat_SRCS}
+        ${_EXPAT_C_SOURCES}
     )
 
     if(NOT MSVC)
@@ -619,7 +629,7 @@
     set(encoding_types UTF-16 UTF-8 ISO-8859-1 US-ASCII UTF-16BE UTF-16LE)
     set(fuzz_targets xml_parse_fuzzer xml_parsebuffer_fuzzer)
 
-    add_library(fuzzpat STATIC ${expat_SRCS})
+    add_library(fuzzpat STATIC ${_EXPAT_C_SOURCES})
     if(NOT EXPAT_OSSFUZZ_BUILD)
         target_compile_options(fuzzpat PRIVATE -fsanitize=fuzzer-no-link)
     endif()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.6/Changes new/expat-2.4.7/Changes
--- old/expat-2.4.6/Changes     2022-02-20 18:02:05.000000000 +0100
+++ new/expat-2.4.7/Changes     2022-03-04 22:25:25.000000000 +0100
@@ -2,6 +2,40 @@
       https://github.com/libexpat/libexpat/labels/help%20wanted
       If you can help, please get in touch.  Thanks!
 
+Release 2.4.7 Fri March 4 2022
+        Bug fixes:
+       #572 #577  Relax fix to CVE-2022-25236 (introduced with release 2.4.5)
+                    with regard to all valid URI characters (RFC 3986),
+                    i.e. the following set (excluding whitespace):
+                    ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz
+                    0123456789 % -._~ :/?#[]@ !$&'()*+,;=
+
+        Other changes:
+  #555 #570 #581  CMake|Windows: Store Expat version in the DLL
+            #577  Document consequences of namespace separator choices not just
+                    in doc/reference.html but also in header <expat.h>
+            #577  Document Expat's lack of validation of namespace URIs against
+                    RFC 3986, and that the XML 1.0r4 specification doesn't
+                    require Expat to validate namespace URIs, and that Expat
+                    may do more in that regard in future releases.
+                    If you find need for strict RFC 3986 URI validation on
+                    application level today, https://uriparser.github.io/ may
+                    be of interest.
+            #579  Fix documentation of XML_EndDoctypeDeclHandler in <expat.h>
+            #575  Document that a call to XML_FreeContentModel can be done at
+                    a later time from outside the element declaration handler
+            #574  Make hardcoded namespace URIs easier to find in code
+            #573  Update documentation on use of XML_POOR_ENTOPY on Solaris
+       #569 #571  tests: Resolve use of macros NAN and INFINITY for GNU G++
+                    4.8.2 on Solaris.
+       #578 #580  Version info bumped from 9:6:8 to 9:7:8;
+                    see https://verbump.de/ for what these numbers do
+
+        Special thanks to:
+            Jeffrey Walton
+            Johnny Jazeix
+            Thijs Schreijer
+
 Release 2.4.6 Sun February 20 2022
         Bug fixes:
             #566  Fix a regression introduced by the fix for CVE-2022-25313
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.6/Makefile.am new/expat-2.4.7/Makefile.am
--- old/expat-2.4.6/Makefile.am 2022-02-18 19:04:32.000000000 +0100
+++ new/expat-2.4.7/Makefile.am 2022-03-04 20:42:23.000000000 +0100
@@ -8,6 +8,7 @@
 #
 # Copyright (c) 2017-2021 Sebastian Pipping <[email protected]>
 # Copyright (c) 2018      KangLin <[email protected]>
+# Copyright (c) 2022      Johnny Jazeix <[email protected]>
 # Licensed under the MIT license:
 #
 # Permission is  hereby granted,  free of charge,  to any  person obtaining
@@ -82,7 +83,8 @@
     win32/build_expat_iss.bat \
     win32/expat.iss \
     win32/MANIFEST.txt \
-    win32/README.txt
+    win32/README.txt \
+    win32/version.rc
 
 EXTRA_DIST = \
     $(_EXTRA_DIST_CMAKE) \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.6/Makefile.in new/expat-2.4.7/Makefile.in
--- old/expat-2.4.6/Makefile.in 2022-02-20 18:04:17.000000000 +0100
+++ new/expat-2.4.7/Makefile.in 2022-03-04 22:27:56.000000000 +0100
@@ -24,6 +24,7 @@
 #
 # Copyright (c) 2017-2021 Sebastian Pipping <[email protected]>
 # Copyright (c) 2018      KangLin <[email protected]>
+# Copyright (c) 2022      Johnny Jazeix <[email protected]>
 # Licensed under the MIT license:
 #
 # Permission is  hereby granted,  free of charge,  to any  person obtaining
@@ -475,7 +476,8 @@
     win32/build_expat_iss.bat \
     win32/expat.iss \
     win32/MANIFEST.txt \
-    win32/README.txt
+    win32/README.txt \
+    win32/version.rc
 
 EXTRA_DIST = \
     $(_EXTRA_DIST_CMAKE) \
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.6/README.md new/expat-2.4.7/README.md
--- old/expat-2.4.6/README.md   2022-02-20 18:02:05.000000000 +0100
+++ new/expat-2.4.7/README.md   2022-03-04 20:42:23.000000000 +0100
@@ -5,7 +5,7 @@
 [![Downloads 
GitHub](https://img.shields.io/github/downloads/libexpat/libexpat/total?label=Downloads%20GitHub)](https://github.com/libexpat/libexpat/releases)
 
 
-# Expat, Release 2.4.6
+# Expat, Release 2.4.7
 
 This is Expat, a C library for parsing XML, started by
 [James Clark](https://en.wikipedia.org/wiki/James_Clark_%28programmer%29) in 
1997.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.6/configure new/expat-2.4.7/configure
--- old/expat-2.4.6/configure   2022-02-20 18:04:16.000000000 +0100
+++ new/expat-2.4.7/configure   2022-03-04 22:27:55.000000000 +0100
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for expat 2.4.6.
+# Generated by GNU Autoconf 2.71 for expat 2.4.7.
 #
 # Report bugs to <[email protected]>.
 #
@@ -621,8 +621,8 @@
 # Identity of this package.
 PACKAGE_NAME='expat'
 PACKAGE_TARNAME='expat'
-PACKAGE_VERSION='2.4.6'
-PACKAGE_STRING='expat 2.4.6'
+PACKAGE_VERSION='2.4.7'
+PACKAGE_STRING='expat 2.4.7'
 PACKAGE_BUGREPORT='[email protected]'
 PACKAGE_URL=''
 
@@ -1414,7 +1414,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures expat 2.4.6 to adapt to many kinds of systems.
+\`configure' configures expat 2.4.7 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1485,7 +1485,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of expat 2.4.6:";;
+     short | recursive ) echo "Configuration of expat 2.4.7:";;
    esac
   cat <<\_ACEOF
 
@@ -1619,7 +1619,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-expat configure 2.4.6
+expat configure 2.4.7
 generated by GNU Autoconf 2.71
 
 Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2250,7 +2250,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by expat $as_me 2.4.6, which was
+It was created by expat $as_me 2.4.7, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   $ $0$ac_configure_args_raw
@@ -3817,7 +3817,7 @@
 
 # Define the identity of the package.
  PACKAGE='expat'
- VERSION='2.4.6'
+ VERSION='2.4.7'
 
 
 printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -3924,7 +3924,7 @@
 
 
 LIBCURRENT=9   # sync
-LIBREVISION=6  # with
+LIBREVISION=7  # with
 LIBAGE=8       # CMakeLists.txt!
 
 ac_config_headers="$ac_config_headers expat_config.h"
@@ -20227,7 +20227,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by expat $as_me 2.4.6, which was
+This file was extended by expat $as_me 2.4.7, which was
 generated by GNU Autoconf 2.71.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -20295,7 +20295,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config='$ac_cs_config_escaped'
 ac_cs_version="\\
-expat config.status 2.4.6
+expat config.status 2.4.7
 configured by $0, generated by GNU Autoconf 2.71,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.6/configure.ac new/expat-2.4.7/configure.ac
--- old/expat-2.4.6/configure.ac        2022-02-20 18:02:05.000000000 +0100
+++ new/expat-2.4.7/configure.ac        2022-03-04 20:42:23.000000000 +0100
@@ -82,7 +82,7 @@
 dnl
 
 LIBCURRENT=9   # sync
-LIBREVISION=6  # with
+LIBREVISION=7  # with
 LIBAGE=8       # CMakeLists.txt!
 
 AC_CONFIG_HEADERS([expat_config.h])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.6/doc/reference.html 
new/expat-2.4.7/doc/reference.html
--- old/expat-2.4.6/doc/reference.html  2022-02-20 18:02:05.000000000 +0100
+++ new/expat-2.4.7/doc/reference.html  2022-03-04 20:42:23.000000000 +0100
@@ -18,6 +18,7 @@
    Copyright (c) 2017      Jakub Wilk <[email protected]>
    Copyright (c) 2021      Tomas Korbar <[email protected]>
    Copyright (c) 2021      Nicolas Cavallari 
<[email protected]>
+   Copyright (c) 2022      Thijs Schreijer <[email protected]>
    Licensed under the MIT license:
 
    Permission is  hereby granted,  free of charge,  to any  person obtaining
@@ -49,7 +50,7 @@
   <div>
     <h1>
       The Expat XML Parser
-      <small>Release 2.4.6</small>
+      <small>Release 2.4.7</small>
     </h1>
   </div>
 <div class="content">
@@ -974,6 +975,14 @@
 to support RDF processors. It is a programming error to use the null separator
 with <a href= "#XML_SetReturnNSTriplet">namespace triplets</a>.</div>
 
+<p><strong>Note:</strong>
+Expat does not validate namespace URIs (beyond encoding)
+against RFC 3986 today (and is not required to do so with regard to
+the XML 1.0 namespaces specification) but it may start doing that
+in future releases.  Before that, an application using Expat must
+be ready to receive namespace URIs containing non-URI characters.
+</p>
+
 <h4 id="XML_ParserCreate_MM">XML_ParserCreate_MM</h4>
 <pre class="fcndec">
 XML_Parser XMLCALL
@@ -1808,10 +1817,11 @@
 </pre>
 <p>Sets a handler for element declarations in a DTD. The handler gets
 called with the name of the element in the declaration and a pointer
-to a structure that contains the element model. It is the
-application's responsibility to free this data structure using
-<code><a href="#XML_FreeContentModel"
->XML_FreeContentModel</a></code>.</p>
+to a structure that contains the element model. It's the user code's 
+responsibility to free model when finished with it. See <code>
+<a href="#XML_FreeContentModel">XML_FreeContentModel</a></code>.
+There is no need to free the model from the handler, it can be kept
+around and freed at a later stage.</p>
 
 <p>The <code>model</code> argument is the root of a tree of
 <code>XML_Content</code> nodes. If <code>type</code> equals
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.6/doc/xmlwf.1 new/expat-2.4.7/doc/xmlwf.1
--- old/expat-2.4.6/doc/xmlwf.1 2022-02-20 18:04:23.000000000 +0100
+++ new/expat-2.4.7/doc/xmlwf.1 2022-03-04 22:28:02.000000000 +0100
@@ -5,7 +5,7 @@
 \\$2 \(la\\$1\(ra\\$3
 ..
 .if \n(.g .mso www.tmac
-.TH XMLWF 1 "February 20, 2022" "" ""
+.TH XMLWF 1 "March 4, 2022" "" ""
 .SH NAME
 xmlwf \- Determines if an XML document is well-formed
 .SH SYNOPSIS
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.6/doc/xmlwf.xml 
new/expat-2.4.7/doc/xmlwf.xml
--- old/expat-2.4.6/doc/xmlwf.xml       2022-02-20 18:02:05.000000000 +0100
+++ new/expat-2.4.7/doc/xmlwf.xml       2022-03-04 20:42:23.000000000 +0100
@@ -21,7 +21,7 @@
           "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"; [
   <!ENTITY dhfirstname "<firstname>Scott</firstname>">
   <!ENTITY dhsurname   "<surname>Bronson</surname>">
-  <!ENTITY dhdate      "<date>February 20, 2022</date>">
+  <!ENTITY dhdate      "<date>March 4, 2022</date>">
   <!-- Please adjust this^^ date whenever cutting a new release. -->
   <!ENTITY dhsection   "<manvolnum>1</manvolnum>">
   <!ENTITY dhemail     "<email>[email protected]</email>">
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.6/expat_config.h 
new/expat-2.4.7/expat_config.h
--- old/expat-2.4.6/expat_config.h      2022-02-20 18:04:23.000000000 +0100
+++ new/expat-2.4.7/expat_config.h      2022-03-04 22:28:02.000000000 +0100
@@ -77,7 +77,7 @@
 #define PACKAGE_NAME "expat"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "expat 2.4.6"
+#define PACKAGE_STRING "expat 2.4.7"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "expat"
@@ -86,7 +86,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "2.4.6"
+#define PACKAGE_VERSION "2.4.7"
 
 /* Define to 1 if all of the C90 standard headers exist (not just the ones
    required in a freestanding environment). This macro is provided for
@@ -94,7 +94,7 @@
 #define STDC_HEADERS 1
 
 /* Version number of package */
-#define VERSION "2.4.6"
+#define VERSION "2.4.7"
 
 /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
    significant byte first (like Motorola and SPARC, unlike Intel). */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.6/lib/expat.h new/expat-2.4.7/lib/expat.h
--- old/expat-2.4.6/lib/expat.h 2022-02-20 18:02:05.000000000 +0100
+++ new/expat-2.4.7/lib/expat.h 2022-03-04 20:42:23.000000000 +0100
@@ -15,6 +15,7 @@
    Copyright (c) 2016      Cristian Rodr??guez <[email protected]>
    Copyright (c) 2016      Thomas Beutlich <[email protected]>
    Copyright (c) 2017      Rhodri James <[email protected]>
+   Copyright (c) 2022      Thijs Schreijer <[email protected]>
    Licensed under the MIT license:
 
    Permission is  hereby granted,  free of charge,  to any  person obtaining
@@ -174,8 +175,10 @@
 };
 
 /* This is called for an element declaration. See above for
-   description of the model argument. It's the caller's responsibility
-   to free model when finished with it.
+   description of the model argument. It's the user code's responsibility
+   to free model when finished with it. See XML_FreeContentModel.
+   There is no need to free the model from the handler, it can be kept
+   around and freed at a later stage.
 */
 typedef void(XMLCALL *XML_ElementDeclHandler)(void *userData,
                                               const XML_Char *name,
@@ -237,6 +240,17 @@
    and the local part will be concatenated without any separator.
    It is a programming error to use the separator '\0' with namespace
    triplets (see XML_SetReturnNSTriplet).
+   If a namespace separator is chosen that can be part of a URI or
+   part of an XML name, splitting an expanded name back into its
+   1, 2 or 3 original parts on application level in the element handler
+   may end up vulnerable, so these are advised against;  sane choices for
+   a namespace separator are e.g. '\n' (line feed) and '|' (pipe).
+
+   Note that Expat does not validate namespace URIs (beyond encoding)
+   against RFC 3986 today (and is not required to do so with regard to
+   the XML 1.0 namespaces specification) but it may start doing that
+   in future releases.  Before that, an application using Expat must
+   be ready to receive namespace URIs containing non-URI characters.
 */
 XMLPARSEAPI(XML_Parser)
 XML_ParserCreateNS(const XML_Char *encoding, XML_Char namespaceSeparator);
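Review bot: The new paragraph warns that a separator which is also a URI or XML-name character makes re-splitting expanded names `vulnerable`, but it does not say that Expat's own guard — rejecting a namespace URI that contains the separator — is, as of this release, applied only when the separator is not an RFC 3986 URI character, which is precisely the case the warning is about. Suggest one more sentence after the advice, e.g. `Expat rejects namespace URIs containing the chosen separator only when that separator is not an RFC 3986 URI character; with a URI character such as ':' the application must be prepared for such URIs itself.` The phrase `may end up vulnerable` is vague; the risk is that the split becomes ambiguous and a crafted namespace declaration can shift the boundary between URI, local name and prefix, so `may be ambiguous and is then exploitable by a crafted namespace declaration` states it. Naming the layout, `"[uri sep] local [sep prefix]"` as the xmlparse.c comment in this release does, would make `1, 2 or 3 original parts` concrete.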
@@ -317,7 +331,7 @@
                                                    const XML_Char *pubid,
                                                    int has_internal_subset);
 
-/* This is called for the start of the DOCTYPE declaration when the
+/* This is called for the end of the DOCTYPE declaration when the
    closing > is encountered, but after processing any external
    subset.
 */
@@ -1041,7 +1055,7 @@
 */
 #define XML_MAJOR_VERSION 2
 #define XML_MINOR_VERSION 4
-#define XML_MICRO_VERSION 6
+#define XML_MICRO_VERSION 7
 
 #ifdef __cplusplus
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.6/lib/xmlparse.c 
new/expat-2.4.7/lib/xmlparse.c
--- old/expat-2.4.6/lib/xmlparse.c      2022-02-20 18:02:05.000000000 +0100
+++ new/expat-2.4.7/lib/xmlparse.c      2022-03-04 20:42:23.000000000 +0100
@@ -1,4 +1,4 @@
-/* a30d2613dcfdef81475a9d1a349134d2d42722172fdaa7d5bb12ed2aa74b9596 (2.4.6+)
+/* fcb1a62fefa945567301146eb98e3ad3413e823a41c4378e84e8b6b6f308d824 (2.4.7+)
                             __  __            _
                          ___\ \/ /_ __   __ _| |_
                         / _ \\  /| '_ \ / _` | __|
@@ -34,6 +34,7 @@
    Copyright (c) 2019      Vadim Zeitlin <[email protected]>
    Copyright (c) 2021      Dong-hee Na <[email protected]>
    Copyright (c) 2022      Samanta Navarro <[email protected]>
+   Copyright (c) 2022      Jeffrey Walton <[email protected]>
    Licensed under the MIT license:
 
    Permission is  hereby granted,  free of charge,  to any  person obtaining
@@ -133,7 +134,7 @@
       * BSD / macOS (including <10.7) (arc4random): HAVE_ARC4RANDOM, \
       * libbsd (arc4random_buf): HAVE_ARC4RANDOM_BUF + HAVE_LIBBSD, \
       * libbsd (arc4random): HAVE_ARC4RANDOM + HAVE_LIBBSD, \
-      * Linux (including <3.17) / BSD / macOS (including <10.7) 
(/dev/urandom): XML_DEV_URANDOM, \
+      * Linux (including <3.17) / BSD / macOS (including <10.7) / Solaris >=8 
(/dev/urandom): XML_DEV_URANDOM, \
       * Windows >=Vista (rand_s): _WIN32. \
     \
     If insist on not using any of these, bypass this error by defining \
@@ -722,6 +723,7 @@
   return XML_ParserCreate_MM(encodingName, NULL, tmp);
 }
 
+// "xml=http://www.w3.org/XML/1998/namespace";
 static const XML_Char implicitContext[]
     = {ASCII_x,     ASCII_m,     ASCII_l,      ASCII_EQUALS, ASCII_h,
        ASCII_t,     ASCII_t,     ASCII_p,      ASCII_COLON,  ASCII_SLASH,
@@ -3704,12 +3706,124 @@
   return XML_ERROR_NONE;
 }
 
+static XML_Bool
+is_rfc3986_uri_char(XML_Char candidate) {
+  // For the RFC 3986 ANBF grammar see
+  // https://datatracker.ietf.org/doc/html/rfc3986#appendix-A
+
+  switch (candidate) {
+  // From rule "ALPHA" (uppercase half)
+  case 'A':
+  case 'B':
+  case 'C':
+  case 'D':
+  case 'E':
+  case 'F':
+  case 'G':
+  case 'H':
+  case 'I':
+  case 'J':
+  case 'K':
+  case 'L':
+  case 'M':
+  case 'N':
+  case 'O':
+  case 'P':
+  case 'Q':
+  case 'R':
+  case 'S':
+  case 'T':
+  case 'U':
+  case 'V':
+  case 'W':
+  case 'X':
+  case 'Y':
+  case 'Z':
+
+  // From rule "ALPHA" (lowercase half)
+  case 'a':
+  case 'b':
+  case 'c':
+  case 'd':
+  case 'e':
+  case 'f':
+  case 'g':
+  case 'h':
+  case 'i':
+  case 'j':
+  case 'k':
+  case 'l':
+  case 'm':
+  case 'n':
+  case 'o':
+  case 'p':
+  case 'q':
+  case 'r':
+  case 's':
+  case 't':
+  case 'u':
+  case 'v':
+  case 'w':
+  case 'x':
+  case 'y':
+  case 'z':
+
+  // From rule "DIGIT"
+  case '0':
+  case '1':
+  case '2':
+  case '3':
+  case '4':
+  case '5':
+  case '6':
+  case '7':
+  case '8':
+  case '9':
+
+  // From rule "pct-encoded"
+  case '%':
+
+  // From rule "unreserved"
+  case '-':
+  case '.':
+  case '_':
+  case '~':
+
+  // From rule "gen-delims"
+  case ':':
+  case '/':
+  case '?':
+  case '#':
+  case '[':
+  case ']':
+  case '@':
+
+  // From rule "sub-delims"
+  case '!':
+  case '$':
+  case '&':
+  case '\'':
+  case '(':
+  case ')':
+  case '*':
+  case '+':
+  case ',':
+  case ';':
+  case '=':
+    return XML_TRUE;
+
+  default:
+    return XML_FALSE;
+  }
+}
+
 /* addBinding() overwrites the value of prefix->binding without checking.
    Therefore one must keep track of the old value outside of addBinding().
 */
 static enum XML_Error
 addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
            const XML_Char *uri, BINDING **bindingsPtr) {
+  // "http://www.w3.org/XML/1998/namespace";
   static const XML_Char xmlNamespace[]
       = {ASCII_h,      ASCII_t,     ASCII_t,     ASCII_p,      ASCII_COLON,
          ASCII_SLASH,  ASCII_SLASH, ASCII_w,     ASCII_w,      ASCII_w,
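Review bot: `is_rfc3986_uri_char` compares an `XML_Char` against bare character literals (`'A'`, `'%'`, `':'`, ...), whereas this file spells such constants through the `ASCII_*` names — the `xmlNamespace` initializer at the bottom of this very hunk uses `ASCII_COLON` and `ASCII_SLASH` for the same ':' and '/' — so that comparisons do not depend on the host character set; unless that concern is deliberately waived here, the cases should use the same names (any the defining header lacks would have to be added there). The function has no header comment; suggest `/* Returns XML_TRUE iff candidate may appear in an RFC 3986 URI: ALPHA, DIGIT, '%', unreserved, gen-delims or sub-delims. */`. The second comment line misspells the grammar, `ANBF` should be `ABNF`. The hunk opens on the tail of the preceding function and `addBinding` continues past its end.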
@@ -3720,6 +3834,7 @@
          ASCII_e,      ASCII_s,     ASCII_p,     ASCII_a,      ASCII_c,
          ASCII_e,      '\0'};
   static const int xmlLen = (int)sizeof(xmlNamespace) / sizeof(XML_Char) - 1;
+  // "http://www.w3.org/2000/xmlns/";
   static const XML_Char xmlnsNamespace[]
       = {ASCII_h,     ASCII_t,      ASCII_t, ASCII_p, ASCII_COLON,  
ASCII_SLASH,
          ASCII_SLASH, ASCII_w,      ASCII_w, ASCII_w, ASCII_PERIOD, ASCII_w,
@@ -3760,14 +3875,26 @@
         && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
       isXMLNS = XML_FALSE;
 
-    // NOTE: While Expat does not validate namespace URIs against RFC 3986,
-    //       we have to at least make sure that the XML processor on top of
-    //       Expat (that is splitting tag names by namespace separator into
-    //       2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
-    //       by an attacker putting additional namespace separator characters
-    //       into namespace declarations.  That would be ambiguous and not to
-    //       be expected.
-    if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
+    // NOTE: While Expat does not validate namespace URIs against RFC 3986
+    //       today (and is not REQUIRED to do so with regard to the XML 1.0
+    //       namespaces specification) we have to at least make sure, that
+    //       the application on top of Expat (that is likely splitting expanded
+    //       element names ("qualified names") of form
+    //       "[uri sep] local [sep prefix] '\0'" back into 1, 2 or 3 pieces
+    //       in its element handler code) cannot be confused by an attacker
+    //       putting additional namespace separator characters into namespace
+    //       declarations.  That would be ambiguous and not to be expected.
+    //
+    //       While the HTML API docs of function XML_ParserCreateNS have been
+    //       advising against use of a namespace separator character that can
+    //       appear in a URI for >20 years now, some widespread applications
+    //       are using URI characters (':' (colon) in particular) for a
+    //       namespace separator, in practice.  To keep these applications
+    //       functional, we only reject namespaces URIs containing the
+    //       application-chosen namespace separator if the chosen separator
+    //       is a non-URI character with regard to RFC 3986.
+    if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)
+        && ! is_rfc3986_uri_char(uri[len])) {
       return XML_ERROR_SYNTAX;
     }
   }
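Review bot: In the new condition, `! is_rfc3986_uri_char(uri[len])` is reached only after `uri[len] == parser->m_namespaceSeparator` has held, so it really decides a property of the parser's separator; `! is_rfc3986_uri_char(parser->m_namespaceSeparator)` behaves identically, states that directly, and makes it obvious the answer is constant per parser. The rewritten NOTE has a slip, `namespaces URIs` should be `namespace URIs`. The body of `addBinding` extends beyond the hunk on both sides.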
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.6/tests/runtests.c 
new/expat-2.4.7/tests/runtests.c
--- old/expat-2.4.6/tests/runtests.c    2022-02-20 18:02:05.000000000 +0100
+++ new/expat-2.4.7/tests/runtests.c    2022-03-04 20:42:23.000000000 +0100
@@ -54,7 +54,6 @@
 #include <ctype.h>
 #include <limits.h>
 #include <stdint.h> /* intptr_t uint64_t */
-#include <math.h>   /* NAN, INFINITY, isnan */
 
 #if ! defined(__cplusplus)
 #  include <stdbool.h>
@@ -7407,16 +7406,18 @@
   struct test_case {
     enum XML_Status expectedStatus;
     const char *doc;
+    XML_Char namesep;
   };
   struct test_case cases[] = {
-      {XML_STATUS_OK, "<doc xmlns='one_two' />"},
-      {XML_STATUS_ERROR, "<doc xmlns='one&#x0A;two' />"},
+      {XML_STATUS_OK, "<doc xmlns='one_two' />", XCS('\n')},
+      {XML_STATUS_ERROR, "<doc xmlns='one&#x0A;two' />", XCS('\n')},
+      {XML_STATUS_OK, "<doc xmlns='one:two' />", XCS(':')},
   };
 
   size_t i = 0;
   size_t failCount = 0;
   for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
-    XML_Parser parser = XML_ParserCreateNS(NULL, '\n');
+    XML_Parser parser = XML_ParserCreateNS(NULL, cases[i].namesep);
     XML_SetElementHandler(parser, dummy_start_element, dummy_end_element);
     if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc),
                   /*isFinal*/ XML_TRUE)
@@ -7588,7 +7589,7 @@
     fail("Version mismatch");
 
 #if ! defined(XML_UNICODE) || defined(XML_UNICODE_WCHAR_T)
-  if (xcstrcmp(version_text, XCS("expat_2.4.6"))) /* needs bump on releases */
+  if (xcstrcmp(version_text, XCS("expat_2.4.7"))) /* needs bump on releases */
     fail("XML_*_VERSION in expat.h out of sync?\n");
 #else
   /* If we have XML_UNICODE defined but not XML_UNICODE_WCHAR_T
@@ -11762,6 +11763,16 @@
 }
 END_TEST
 
+static float
+portableNAN() {
+  return strtof("nan", NULL);
+}
+
+static float
+portableINFINITY() {
+  return strtof("infinity", NULL);
+}
+
 START_TEST(test_billion_laughs_attack_protection_api) {
   XML_Parser parserWithoutParent = XML_ParserCreate(NULL);
   XML_Parser parserWithParent
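Review bot: `portableNAN()` and `portableINFINITY()` are defined with empty parameter lists, which in C (this file is built as C as well, see its `#if ! defined(__cplusplus)` guard) is an unprototyped declaration and warns under `-Wstrict-prototypes`; write `static float portableNAN(void)` and `static float portableINFINITY(void)`. A one-line comment on why the helpers exist would save the next reader a trip to the changelog, e.g. `/* Stand-ins for the NAN/INFINITY macros of <math.h>, which are not usable with GNU G++ 4.8.2 on Solaris. */`. `strtof` comes from `<stdlib.h>`; the earlier hunk only removes `<math.h>`, so confirm that header is still among the includes at the top of the file.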
@@ -11780,7 +11791,7 @@
       == XML_TRUE)
     fail("Call with non-root parser is NOT supposed to succeed");
   if (XML_SetBillionLaughsAttackProtectionMaximumAmplification(
-          parserWithoutParent, NAN)
+          parserWithoutParent, portableNAN())
       == XML_TRUE)
     fail("Call with NaN limit is NOT supposed to succeed");
   if (XML_SetBillionLaughsAttackProtectionMaximumAmplification(
@@ -11802,7 +11813,7 @@
       == XML_FALSE)
     fail("Call with positive limit >=1.0 is supposed to succeed");
   if (XML_SetBillionLaughsAttackProtectionMaximumAmplification(
-          parserWithoutParent, INFINITY)
+          parserWithoutParent, portableINFINITY())
       == XML_FALSE)
     fail("Call with positive limit >=1.0 is supposed to succeed");
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.6/win32/expat.iss 
new/expat-2.4.7/win32/expat.iss
--- old/expat-2.4.6/win32/expat.iss     2022-02-20 18:02:05.000000000 +0100
+++ new/expat-2.4.7/win32/expat.iss     2022-03-04 22:25:25.000000000 +0100
@@ -15,6 +15,7 @@
 ; Copyright (c) 2001-2005 Fred L. Drake, Jr. <[email protected]>
 ; Copyright (c) 2006-2017 Karl Waclawek <[email protected]>
 ; Copyright (c) 2007-2022 Sebastian Pipping <[email protected]>
+; Copyright (c) 2022      Johnny Jazeix <[email protected]>
 ; Licensed under the MIT license:
 ;
 ; Permission is  hereby granted,  free of charge,  to any  person obtaining
@@ -36,7 +37,7 @@
 ; OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
 ; USE OR OTHER DEALINGS IN THE SOFTWARE.
 
-#define expatVer "2.4.6"
+#define expatVer "2.4.7"
 
 [Setup]
 AppName=Expat
@@ -76,6 +77,7 @@
 Flags: ignoreversion; Source: doc\*.xml;                    DestDir: 
"{app}\Doc"
 Flags: ignoreversion; Source: win32\bin\Release\*.dll;      DestDir: 
"{app}\Bin"
 Flags: ignoreversion; Source: win32\bin\Release\*.lib;      DestDir: 
"{app}\Bin"
+Flags: ignoreversion; Source: win32\version.rc;             DestDir: 
"{app}\Source\win32"
 Flags: ignoreversion; Source: win32\README.txt;             DestDir: 
"{app}\Source"
 Flags: ignoreversion; Source: AUTHORS;                      DestDir: 
"{app}\Source"
 Flags: ignoreversion; Source: Changes;                      DestDir: 
"{app}\Source"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/expat-2.4.6/win32/version.rc 
new/expat-2.4.7/win32/version.rc
--- old/expat-2.4.6/win32/version.rc    1970-01-01 01:00:00.000000000 +0100
+++ new/expat-2.4.7/win32/version.rc    2022-03-04 19:13:03.000000000 +0100
@@ -0,0 +1,17 @@
+1 VERSIONINFO
+FILEVERSION VER_FILEVERSION
+PRODUCTVERSION VER_FILEVERSION
+BEGIN
+  BLOCK "StringFileInfo"
+  BEGIN
+    BLOCK "040904E4"
+    BEGIN
+      VALUE "FileVersion", "VER_FILEVERSION"
+      VALUE "ProductVersion", "VER_FILEVERSION"
+    END
+  END
+  BLOCK "VarFileInfo"
+  BEGIN
+    VALUE "Translation", 0x0409, 1252
+  END
+END
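Review bot: `VALUE "FileVersion", "VER_FILEVERSION"` and the ProductVersion line after it put the macro name inside a quoted string; unless the resource compiler in use substitutes macros inside string literals (a C-style preprocessor does not), the string fields of the built DLL will read literally `VER_FILEVERSION` while only the numeric FILEVERSION/PRODUCTVERSION fields carry 2,4,7,0 — worth checking in the properties of a produced DLL. The usual fix is a stringizing pair at the top of the file, `#define EXPAT_RC_STR_(x) #x` and `#define EXPAT_RC_STR(x) EXPAT_RC_STR_(x)` (names constructed here), then `VALUE "FileVersion", EXPAT_RC_STR(VER_FILEVERSION)` and likewise for ProductVersion. That yields the comma form `2,4,7,0`; if the dotted form is wanted for the string fields, a second definition built from `PROJECT_VERSION` in CMakeLists.txt would be needed.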
