subject:"CVS import\: src\/external\/mit\/expat\/dist"

CVS import: src/external/mit/expat/dist

2022-02-23 Thread Christos Zoulas

Module Name:src
Committed By:   christos
Date:   Wed Feb 23 15:21:37 UTC 2022

Update of /cvsroot/src/external/mit/expat/dist
In directory ivanova.netbsd.org:/tmp/cvs-serv27361

Log Message:
Upgrade expat from 2.2.8 -> 2.4.6 to include the security fixes from 2.4.5

Release 2.4.6 Sun February 20 2022
Bug fixes:
#566  Fix a regression introduced by the fix for CVE-2022-25313
in release 2.4.5 that affects applications that (1)
call function XML_SetElementDeclHandler and (2) are
parsing XML that contains nested element declarations
(e.g. "").

Other changes:
   #567 #568  Version info bumped from 9:5:8 to 9:6:8;
see https://verbump.de/ for what these numbers do

Special thanks to:
Matt Sergeant
Samanta Navarro
Sergei Trofimovich
 and
NixOS
Perl XML::Parser

Release 2.4.5 Fri February 18 2022
Security fixes:
#562  CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
sequences (e.g. from start tag names) to the XML
processing application on top of Expat can cause
arbitrary damage (e.g. code execution) depending
on how invalid UTF-8 is handled inside the XML
processor; validation was not their job but Expat's.
Exploits with code execution are known to exist.
#561  CVE-2022-25236 -- Passing (one or more) namespace separator
characters in "xmlns[:prefix]" attribute values
made Expat send malformed tag names to the XML
processor on top of Expat which can cause
arbitrary damage (e.g. code execution) depending
on such unexpectable cases are handled inside the XML
processor; validation was not their job but Expat's.
Exploits with code execution are known to exist.
#558  CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
that could be triggered by e.g. a 2 megabytes
file with a large number of opening braces.
Expected impact is denial of service or potentially
arbitrary code execution.
#560  CVE-2022-25314 -- Fix integer overflow in function copyString;
only affects the encoding name parameter at parser creation
time which is often hardcoded (rather than user input),
takes a value in the gigabytes to trigger, and a 64-bit
machine.  Expected impact is denial of service.
#559  CVE-2022-25315 -- Fix integer overflow in function 
storeRawNames;
needs input in the gigabytes and a 64-bit machine.
Expected impact is denial of service or potentially
arbitrary code execution.

Other changes:
   #557 #564  Version info bumped from 9:4:8 to 9:5:8;
see https://verbump.de/ for what these numbers do

Special thanks to:
Ivan Fratric
Samanta Navarro
 and
Google Project Zero
JetBrains

Release 2.4.4 Sun January 30 2022
Security fixes:
#550  CVE-2022-23852 -- Fix signed integer overflow
(undefined behavior) in function XML_GetBuffer
(that is also called by function XML_Parse internally)
for when XML_CONTEXT_BYTES is defined to >0 (which is both
common and default).
Impact is denial of service or more.
#551  CVE-2022-23990 -- Fix unsigned integer overflow in function
doProlog triggered by large content in element type
declarations when there is an element declaration handler
present (from a prior call to XML_SetElementDeclHandler).
Impact is denial of service or more.

Bug fixes:
   #544 #545  xmlwf: Fix a memory leak on output file opening error

Other changes:
#546  Autotools: Fix broken CMake support under Cygwin
#554  Windows: Add missing files to the installer to fix
compilation with CMake from installed sources
   #552 #554  Version info bumped from 9:3:8 to 9:4:8;
see https://verbump.de/ for what these numbers do

Special thanks to:
Carlo Bramini
hwt0415
Roland Illig
Samanta Navarro
 and
Clang LeakSan and the Clang team

Release 2.4.3 Sun January 16 2022
Security fixes:
   #531 #534  CVE-2021-45960 -- Fix issues with left shifts by >=29 places

CVS import: src/external/mit/expat/dist

2022-02-23 Thread Christos Zoulas

Module Name:src
Committed By:   christos
Date:   Wed Feb 23 15:21:37 UTC 2022

Update of /cvsroot/src/external/mit/expat/dist
In directory ivanova.netbsd.org:/tmp/cvs-serv27361

Log Message:
Upgrade expat from 2.2.8 -> 2.4.6 to include the security fixes from 2.4.5

Release 2.4.6 Sun February 20 2022
Bug fixes:
#566  Fix a regression introduced by the fix for CVE-2022-25313
in release 2.4.5 that affects applications that (1)
call function XML_SetElementDeclHandler and (2) are
parsing XML that contains nested element declarations
(e.g. "").

Other changes:
   #567 #568  Version info bumped from 9:5:8 to 9:6:8;
see https://verbump.de/ for what these numbers do

Special thanks to:
Matt Sergeant
Samanta Navarro
Sergei Trofimovich
 and
NixOS
Perl XML::Parser

Release 2.4.5 Fri February 18 2022
Security fixes:
#562  CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
sequences (e.g. from start tag names) to the XML
processing application on top of Expat can cause
arbitrary damage (e.g. code execution) depending
on how invalid UTF-8 is handled inside the XML
processor; validation was not their job but Expat's.
Exploits with code execution are known to exist.
#561  CVE-2022-25236 -- Passing (one or more) namespace separator
characters in "xmlns[:prefix]" attribute values
made Expat send malformed tag names to the XML
processor on top of Expat which can cause
arbitrary damage (e.g. code execution) depending
on such unexpectable cases are handled inside the XML
processor; validation was not their job but Expat's.
Exploits with code execution are known to exist.
#558  CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
that could be triggered by e.g. a 2 megabytes
file with a large number of opening braces.
Expected impact is denial of service or potentially
arbitrary code execution.
#560  CVE-2022-25314 -- Fix integer overflow in function copyString;
only affects the encoding name parameter at parser creation
time which is often hardcoded (rather than user input),
takes a value in the gigabytes to trigger, and a 64-bit
machine.  Expected impact is denial of service.
#559  CVE-2022-25315 -- Fix integer overflow in function 
storeRawNames;
needs input in the gigabytes and a 64-bit machine.
Expected impact is denial of service or potentially
arbitrary code execution.

Other changes:
   #557 #564  Version info bumped from 9:4:8 to 9:5:8;
see https://verbump.de/ for what these numbers do

Special thanks to:
Ivan Fratric
Samanta Navarro
 and
Google Project Zero
JetBrains

Release 2.4.4 Sun January 30 2022
Security fixes:
#550  CVE-2022-23852 -- Fix signed integer overflow
(undefined behavior) in function XML_GetBuffer
(that is also called by function XML_Parse internally)
for when XML_CONTEXT_BYTES is defined to >0 (which is both
common and default).
Impact is denial of service or more.
#551  CVE-2022-23990 -- Fix unsigned integer overflow in function
doProlog triggered by large content in element type
declarations when there is an element declaration handler
present (from a prior call to XML_SetElementDeclHandler).
Impact is denial of service or more.

Bug fixes:
   #544 #545  xmlwf: Fix a memory leak on output file opening error

Other changes:
#546  Autotools: Fix broken CMake support under Cygwin
#554  Windows: Add missing files to the installer to fix
compilation with CMake from installed sources
   #552 #554  Version info bumped from 9:3:8 to 9:4:8;
see https://verbump.de/ for what these numbers do

Special thanks to:
Carlo Bramini
hwt0415
Roland Illig
Samanta Navarro
 and
Clang LeakSan and the Clang team

Release 2.4.3 Sun January 16 2022
Security fixes:
   #531 #534  CVE-2021-45960 -- Fix issues with left shifts by >=29 places

CVS import: src/external/mit/expat/dist

2019-09-16 Thread Maya Rashish

Module Name:src
Committed By:   maya
Date:   Mon Sep 16 06:22:33 UTC 2019

Update of /cvsroot/src/external/mit/expat/dist
In directory ivanova.netbsd.org:/tmp/cvs-serv9502

Log Message:
Import expat 2.2.8

Release 2.2.8 Fri Septemper 13 2019
Security fixes:
   #317 #318  CVE-2019-15903 -- Fix heap overflow triggered by
XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber),
and deny internal entities closing the doctype;
fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43

Bug fixes:
#240  Fix cases where XML_StopParser did not have any effect
when called from inside of an end element handler
#341  xmlwf: Fix exit code for operation without "-d DIRECTORY";
previously, only "-d DIRECTORY" would give you a proper
exit code:
  # xmlwf -d . <<<'' 2>/dev/null ; echo $?
  2
  # xmlwf <<<'' 2>/dev/null ; echo $?
  0
Now both cases return exit code 2.

Other changes:
   #299 #302  Windows: Replace LoadLibrary hack to access
unofficial API function SystemFunction036 (RtlGenRandom)
by using official API function rand_s (needs WinXP+)
#325  Windows: Drop support for Visual Studio <=7.1/2003
and document supported compilers in README.md
#286  Windows: Remove COM code from xmlwf; in case it turns
out needed later, there will be a dedicated repository
below https://github.com/libexpat/ for that code
#322  Windows: Remove explicit MSVC solution and project files.
You can generate Visual Studio solution files through
CMake, e.g.: cmake -G"Visual Studio 15 2017" .
#338  xmlwf: Make "xmlwf -h" help output more friendly
#339  examples: Improve elements.c
   #244 #264  Autotools: Add argument --enable-xml-attr-info
   #239 #301  Autotools: Add arguments
--with-getrandom
--without-getrandom
--with-sys-getrandom
--without-sys-getrandom
   #312 #343  Autotools: Fix linking issues with "./configure LD=clang"
  Autotools: Fix "make run-xmltest" for out-of-source builds
   #329 #336  CMake: Pull all options from Expat <=2.2.7 into namespace
prefix EXPAT_ with the exception of DOCBOOK_TO_MAN:
- BUILD_doc-> EXPAT_BUILD_DOCS (plural)
- BUILD_examples   -> EXPAT_BUILD_EXAMPLES
- BUILD_shared -> EXPAT_SHARED_LIBS
- BUILD_tests  -> EXPAT_BUILD_TESTS
- BUILD_tools  -> EXPAT_BUILD_TOOLS
- DOCBOOK_TO_MAN   -> DOCBOOK_TO_MAN (unchanged)
- INSTALL  -> EXPAT_ENABLE_INSTALL
- MSVC_USE_STATIC_CRT  -> EXPAT_MSVC_STATIC_CRT
- USE_libbsd   -> EXPAT_WITH_LIBBSD
- WARNINGS_AS_ERRORS   -> EXPAT_WARNINGS_AS_ERRORS
- XML_CONTEXT_BYTES-> EXPAT_CONTEXT_BYTES
- XML_DEV_URANDOM  -> EXPAT_DEV_URANDOM
- XML_DTD  -> EXPAT_DTD
- XML_NS   -> EXPAT_NS
- XML_UNICODE  -> EXPAT_CHAR_TYPE=ushort (!)
- XML_UNICODE_WCHAR_T  -> EXPAT_CHAR_TYPE=wchar_t (!)
   #244 #264  CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF),
default OFF
#326  CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF),
default OFF
#328  CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF),
default OFF
   #239 #277  CMake: Add arguments
-DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO
-DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO
#326  CMake: Install expat_config.h to include directory
#326  CMake: Generate and install configuration files for
future find_package(expat [..] CONFIG [..])
  CMake: Now produces a summary of applied configuration
  CMake: Require C++ compiler only when tests are enabled
#330  CMake: Fix compilation for 16bit character types,
i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
#265  CMake: Fix linking with MinGW
#330  CMake: Add full support for MinGW; to enable, use
-DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake
#330  CMake: Port "make run-xmltest" from GNU Autotools to CMake
#316  CMake: Windows: Make binary postfix match

CVS import: src/external/mit/expat/dist

2019-09-16 Thread Maya Rashish

Module Name:src
Committed By:   maya
Date:   Mon Sep 16 06:22:33 UTC 2019

Update of /cvsroot/src/external/mit/expat/dist
In directory ivanova.netbsd.org:/tmp/cvs-serv9502

Log Message:
Import expat 2.2.8

Release 2.2.8 Fri Septemper 13 2019
Security fixes:
   #317 #318  CVE-2019-15903 -- Fix heap overflow triggered by
XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber),
and deny internal entities closing the doctype;
fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43

Bug fixes:
#240  Fix cases where XML_StopParser did not have any effect
when called from inside of an end element handler
#341  xmlwf: Fix exit code for operation without "-d DIRECTORY";
previously, only "-d DIRECTORY" would give you a proper
exit code:
  # xmlwf -d . <<<'' 2>/dev/null ; echo $?
  2
  # xmlwf <<<'' 2>/dev/null ; echo $?
  0
Now both cases return exit code 2.

Other changes:
   #299 #302  Windows: Replace LoadLibrary hack to access
unofficial API function SystemFunction036 (RtlGenRandom)
by using official API function rand_s (needs WinXP+)
#325  Windows: Drop support for Visual Studio <=7.1/2003
and document supported compilers in README.md
#286  Windows: Remove COM code from xmlwf; in case it turns
out needed later, there will be a dedicated repository
below https://github.com/libexpat/ for that code
#322  Windows: Remove explicit MSVC solution and project files.
You can generate Visual Studio solution files through
CMake, e.g.: cmake -G"Visual Studio 15 2017" .
#338  xmlwf: Make "xmlwf -h" help output more friendly
#339  examples: Improve elements.c
   #244 #264  Autotools: Add argument --enable-xml-attr-info
   #239 #301  Autotools: Add arguments
--with-getrandom
--without-getrandom
--with-sys-getrandom
--without-sys-getrandom
   #312 #343  Autotools: Fix linking issues with "./configure LD=clang"
  Autotools: Fix "make run-xmltest" for out-of-source builds
   #329 #336  CMake: Pull all options from Expat <=2.2.7 into namespace
prefix EXPAT_ with the exception of DOCBOOK_TO_MAN:
- BUILD_doc-> EXPAT_BUILD_DOCS (plural)
- BUILD_examples   -> EXPAT_BUILD_EXAMPLES
- BUILD_shared -> EXPAT_SHARED_LIBS
- BUILD_tests  -> EXPAT_BUILD_TESTS
- BUILD_tools  -> EXPAT_BUILD_TOOLS
- DOCBOOK_TO_MAN   -> DOCBOOK_TO_MAN (unchanged)
- INSTALL  -> EXPAT_ENABLE_INSTALL
- MSVC_USE_STATIC_CRT  -> EXPAT_MSVC_STATIC_CRT
- USE_libbsd   -> EXPAT_WITH_LIBBSD
- WARNINGS_AS_ERRORS   -> EXPAT_WARNINGS_AS_ERRORS
- XML_CONTEXT_BYTES-> EXPAT_CONTEXT_BYTES
- XML_DEV_URANDOM  -> EXPAT_DEV_URANDOM
- XML_DTD  -> EXPAT_DTD
- XML_NS   -> EXPAT_NS
- XML_UNICODE  -> EXPAT_CHAR_TYPE=ushort (!)
- XML_UNICODE_WCHAR_T  -> EXPAT_CHAR_TYPE=wchar_t (!)
   #244 #264  CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF),
default OFF
#326  CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF),
default OFF
#328  CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF),
default OFF
   #239 #277  CMake: Add arguments
-DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO
-DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO
#326  CMake: Install expat_config.h to include directory
#326  CMake: Generate and install configuration files for
future find_package(expat [..] CONFIG [..])
  CMake: Now produces a summary of applied configuration
  CMake: Require C++ compiler only when tests are enabled
#330  CMake: Fix compilation for 16bit character types,
i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
#265  CMake: Fix linking with MinGW
#330  CMake: Add full support for MinGW; to enable, use
-DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake
#330  CMake: Port "make run-xmltest" from GNU Autotools to CMake
#316  CMake: Windows: Make binary postfix match

CVS import: src/external/mit/expat/dist

CVS import: src/external/mit/expat/dist

CVS import: src/external/mit/expat/dist

CVS import: src/external/mit/expat/dist

4 matches

Site Navigation

Mail list logo

Footer information