Module Name:    src
Committed By:   christos
Date:           Sat Jun 17 21:59:12 UTC 2017

Update of /cvsroot/src/external/mit/expat/dist
In directory ivanova.netbsd.org:/tmp/cvs-serv19443

Log Message:
Release 2.2.1 Sat June 17 2017
        Security fixes:
                  CVE-2017-9233 -- External entity infinite loop DoS
                    Details: https://libexpat.github.io/doc/cve-2017-9233/
                    Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
    [MOX-002]     CVE-2016-9063 -- Detect integer overflow; commit
                    d4f735b88d9932bd5039df2335eefdd0723dbe20
                    (Fixed version of existing downstream patches!)
    (SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off
                    longer tag names; commits
                    * 896b6c1fd3b842f377d1b62135dccf0a579cf65d
                    * af507cef2c93cb8d40062a0abe43a4f4e9158fb2
    #16             * 0dbbf43fdb20f593ddf4fa1ff67288000dd4a7fd
    #25           More integer overflow detection (function poolGrow); commits
                    * 810b74e4703dcfdd8f404e3cb177d44684775143
                    * 44178553f3539ce69d34abee77a05e879a7982ac
    [MOX-002]     Detect overflow from len=INT_MAX call to XML_Parse; commits
                    * 4be2cb5afcc018d996f34bbbce6374b7befad47f
                    * 7e5b71b748491b6e459e5c9a1d090820f94544d8
    [MOX-005] #30 Use high quality entropy for hash initialization:
                    * arc4random_buf on BSD, systems with libbsd
                      (when configured with --with-libbsd), CloudABI
                    * RtlGenRandom on Windows XP / Server 2003 and later
                    * getrandom on Linux 3.17+
                    In a way, that's still part of CVE-2016-5300.
                    https://github.com/libexpat/libexpat/pull/30/commits
    [MOX-005]     For the low quality entropy extraction fallback code,
                    the parser instance address can no longer leak, commit
                    04ad658bd3079dd15cb60fc67087900f0ff4b083
    [MOX-003]     Prevent use of uninitialised variable; commit
    [MOX-004]       a4dc944f37b664a3ca7199c624a98ee37babdb4b
                  Add missing parameter validation to public API functions
                    and dedicated error code XML_ERROR_INVALID_ARGUMENT:
    [MOX-006]       * NULL checks; commits
                      * d37f74b2b7149a3a95a680c4c4cd2a451a51d60a (merge/many)
                      * 9ed727064b675b7180c98cb3d4f75efba6966681
                      * 6a747c837c50114dfa413994e07c0ba477be4534
                    * Negative length (XML_Parse); commit
    [MOX-002]         70db8d2538a10f4c022655d6895e4c3e78692e7f
    [MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash
                    to go further with fixing CVE-2012-0876.
                    https://github.com/libexpat/libexpat/pull/39/commits

        Bug fixes:
    #32           Fix sharing of hash salt across parsers;
                    relevant where XML_ExternalEntityParserCreate is called
                    prior to XML_Parse, in particular (e.g. FBReader)
    #28           xmlwf: Auto-disable use of memory-mapping (and parsing
                    as a single chunk) for files larger than ~1 GB (2^30 bytes)
                    rather than failing with error "out of memory"
    #3            Fix double free after malloc failure in DTD code; commit
                    7ae9c3d3af433cd4defe95234eae7dc8ed15637f
    #17           Fix memory leak on parser error for unbound XML attribute
                    prefix with new namespaces defined in the same tag;
                    found by Google's OSS-Fuzz; commits
                    * 16f87daae5a16132e479e4f71862128c7a915c73
                    * b47dbc9745932c160893d433220e462bd605f8cd
                  xmlwf on Windows: Add missing calls to CloseHandle

        New features:
    #30           Introduced environment switch EXPAT_ENTROPY_DEBUG=1
                    for runtime debugging of entropy extraction

        Other changes:
                  Increase code coverage
    #33           Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2;
                    XML_UNICODE_WCHAR_T was never meant to be used outside
                    of Windows; 4-byte wchar_t is common on Linux
    (SF.net) #538 Start using -fno-strict-aliasing
    (SF.net) #540 Support compilation against cloudlibc of CloudABI
                  Allow MinGW cross-compilation
    (SF.net) #534 CMake: Introduce option "BUILD_doc" (enabled by default)
                    to bypass compilation of the xmlwf.1 man page
    (SF.net) pr2  CMake: Introduce option "INSTALL" (enabled by default)
                    to bypass installation of expat files
                  CMake: Fix ninja support
                  Autotools: Add parameters --enable-xml-context [COUNT]
                    and --disable-xml-context; default of context of 1024
                    bytes enabled unchanged
    #14           Drop AmigaOS 4.x code and includes
    #14           Drop ancient build systems:
                    * Borland C++ Builder
                    * OpenVMS
                    * Open Watcom
                    * Visual Studio 6.0
                    * Pre-X Mac OS (MPW Makefile)
                    If you happen to rely on some of these, please get in
                    touch for joining with maintenance.
    #10           Move from WIN32 to _WIN32
    #13           Fix "make run-xmltest" order instability
                  Address compile warnings
                  Bump version info from 7:2:6 to 7:3:6
                  Add AUTHORS file

        Infrastructure:
    #1            Migrate from SourceForge to GitHub (except downloads):
                    https://github.com/libexpat/
    #1            Re-create http://libexpat.org/ project website
                  Start utilizing Travis CI

        Special thanks to:
            Andy Wang
            Don Lewis
            Ed Schouten
            Karl Waclawek
            Pascal Cuoq
            Rhodri James
            Sergei Nikulov
            Tobias Taschner
            Viktor Szakats
                 and
            Core Infrastructure Initiative
            Mozilla Foundation (MOSS Track 3: Secure Open Source)
            Radically Open Security

Status:

Vendor Tag:     expat
Release Tags:   expat-2-2-1

N src/external/mit/expat/dist/AUTHORS
U src/external/mit/expat/dist/Makefile.in
U src/external/mit/expat/dist/COPYING
U src/external/mit/expat/dist/configure.ac
U src/external/mit/expat/dist/MANIFEST
U src/external/mit/expat/dist/expat_config.h.in
N src/external/mit/expat/dist/run.sh.in
U src/external/mit/expat/dist/configure
U src/external/mit/expat/dist/README
U src/external/mit/expat/dist/ConfigureChecks.cmake
U src/external/mit/expat/dist/CMakeLists.txt
U src/external/mit/expat/dist/aclocal.m4
U src/external/mit/expat/dist/CMake.README
U src/external/mit/expat/dist/expat_config.h.cmake
U src/external/mit/expat/dist/expat.pc.in
U src/external/mit/expat/dist/Changes
U src/external/mit/expat/dist/xmlwf/win32filemap.c
U src/external/mit/expat/dist/xmlwf/xmltchar.h
U src/external/mit/expat/dist/xmlwf/codepage.h
U src/external/mit/expat/dist/xmlwf/xmlurl.h
U src/external/mit/expat/dist/xmlwf/unixfilemap.c
U src/external/mit/expat/dist/xmlwf/xmlmime.h
U src/external/mit/expat/dist/xmlwf/filemap.h
U src/external/mit/expat/dist/xmlwf/ct.c
U src/external/mit/expat/dist/xmlwf/codepage.c
U src/external/mit/expat/dist/xmlwf/xmlwin32url.cxx
U src/external/mit/expat/dist/xmlwf/xmlfile.c
U src/external/mit/expat/dist/xmlwf/xmlfile.h
U src/external/mit/expat/dist/xmlwf/xmlwf.c
U src/external/mit/expat/dist/xmlwf/readfilemap.c
U src/external/mit/expat/dist/xmlwf/xmlmime.c
U src/external/mit/expat/dist/m4/lt~obsolete.m4
U src/external/mit/expat/dist/m4/ltsugar.m4
U src/external/mit/expat/dist/m4/ltversion.m4
U src/external/mit/expat/dist/m4/libtool.m4
U src/external/mit/expat/dist/m4/ltoptions.m4
U src/external/mit/expat/dist/examples/elements.c
U src/external/mit/expat/dist/examples/outline.c
U src/external/mit/expat/dist/win32/README.txt
U src/external/mit/expat/dist/win32/expat.iss
U src/external/mit/expat/dist/win32/MANIFEST.txt
U src/external/mit/expat/dist/conftools/mkinstalldirs
U src/external/mit/expat/dist/conftools/ltmain.sh
U src/external/mit/expat/dist/conftools/PrintPath
U src/external/mit/expat/dist/conftools/install-sh
U src/external/mit/expat/dist/conftools/expat.m4
C src/external/mit/expat/dist/conftools/config.guess
U src/external/mit/expat/dist/conftools/ac_c_bigendian_cross.m4
U src/external/mit/expat/dist/conftools/get-version.sh
C src/external/mit/expat/dist/conftools/config.sub
U src/external/mit/expat/dist/doc/valid-xhtml10.png
U src/external/mit/expat/dist/doc/reference.html
U src/external/mit/expat/dist/doc/style.css
U src/external/mit/expat/dist/doc/expat.png
U src/external/mit/expat/dist/doc/xmlwf.1
U src/external/mit/expat/dist/doc/xmlwf.xml
U src/external/mit/expat/dist/tests/README.txt
C src/external/mit/expat/dist/tests/xmltest.sh
U src/external/mit/expat/dist/tests/chardata.h
N src/external/mit/expat/dist/tests/memcheck.c
U src/external/mit/expat/dist/tests/minicheck.h
U src/external/mit/expat/dist/tests/minicheck.c
N src/external/mit/expat/dist/tests/memcheck.h
U src/external/mit/expat/dist/tests/runtests.c
U src/external/mit/expat/dist/tests/runtestspp.cpp
U src/external/mit/expat/dist/tests/chardata.c
U src/external/mit/expat/dist/tests/benchmark/README.txt
U src/external/mit/expat/dist/tests/benchmark/benchmark.c
U src/external/mit/expat/dist/lib/libexpatw.def
U src/external/mit/expat/dist/lib/xmltok.h
U src/external/mit/expat/dist/lib/xmlrole.h
U src/external/mit/expat/dist/lib/latin1tab.h
U src/external/mit/expat/dist/lib/xmltok_impl.h
N src/external/mit/expat/dist/lib/siphash.h
U src/external/mit/expat/dist/lib/nametab.h
U src/external/mit/expat/dist/lib/expat_external.h
U src/external/mit/expat/dist/lib/utf8tab.h
U src/external/mit/expat/dist/lib/xmlrole.c
U src/external/mit/expat/dist/lib/expat.h
U src/external/mit/expat/dist/lib/winconfig.h
U src/external/mit/expat/dist/lib/asciitab.h
C src/external/mit/expat/dist/lib/xmltok.c
U src/external/mit/expat/dist/lib/iasciitab.h
U src/external/mit/expat/dist/lib/xmltok_ns.c
U src/external/mit/expat/dist/lib/internal.h
C src/external/mit/expat/dist/lib/xmlparse.c
U src/external/mit/expat/dist/lib/xmltok_impl.c
U src/external/mit/expat/dist/lib/libexpat.def
U src/external/mit/expat/dist/lib/ascii.h

5 conflicts created by this import.
Use the following command to help the merge:

        cvs checkout -jexpat:yesterday -jexpat src/external/mit/expat/dist