pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: [pkgsrc-2021Q4] pkgsrc/textproc/expat



Module Name:    pkgsrc
Committed By:   tm
Date:           Mon Feb  7 07:09:18 UTC 2022

Modified Files:
        pkgsrc/textproc/expat [pkgsrc-2021Q4]: Makefile distinfo

Log Message:
Pullup ticket #6578 - requested by bsiegert
textproc/expat: security fix

Revisions pulled up:
- textproc/expat/Makefile                                       1.48-1.49
- textproc/expat/distinfo                                       1.40-1.41

---
   Module Name: pkgsrc
   Committed By:        wiz
   Date:                Mon Jan 17 08:49:34 UTC 2022

   Modified Files:
        pkgsrc/textproc/expat: Makefile distinfo

   Log Message:
   expat: update to 2.4.3.

   Release 2.4.3 Sun January 16 2022
           Security fixes:
          #531 #534  CVE-2021-45960 -- Fix issues with left shifts by >=29 places
                       resulting in
                         a) realloc acting as free
                         b) realloc allocating too few bytes
                         c) undefined behavior
                       depending on architecture and precise value
                       for XML documents with >=2^27+1 prefixed attributes
                       on a single XML tag a la
                       "<r xmlns:a='[..]' a:a123='[..]' [..] />"
                       where XML_ParserCreateNS is used to create the parser
                       (which needs argument "-n" when running xmlwf).
                       Impact is denial of service, or more.
          #532 #538  CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
                       on variable m_groupSize in function doProlog leading
                       to realloc acting as free.
                       Impact is denial of service or more.
               #539  CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
                       near memory allocation at multiple places.  Mitre assigned
                       a dedicated CVE for each involved internal C function:
                       - CVE-2022-22822 for function addBinding
                       - CVE-2022-22823 for function build_model
                       - CVE-2022-22824 for function defineAttribute
                       - CVE-2022-22825 for function lookup
                       - CVE-2022-22826 for function nextScaffoldPart
                       - CVE-2022-22827 for function storeAtts
                       Impact is denial of service or more.

           Other changes:
               #535  CMake: Make call to file(GENERATE [..]) work for CMake <3.19
               #541  Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin
                       and MSYS2 by not going through Wine on these platforms
          #527 #528  Address compiler warnings
          #533 #543  Version info bumped from 9:2:8 to 9:3:8;
                       see https://verbump.de/ for what these numbers do

           Infrastructure:
               #536  CI: Check for realistic minimum CMake version
          #529 #539  CI: Cover compilation with -m32
               #529  CI: Store coverage reports as artifacts for download
               #528  CI: Upgrade Clang from 11 to 13

   Release 2.4.2 Sun December 19 2021
           Other changes:
          #509 #510  Link againgst libm for function "isnan"
          #513 #514  Include expat_config.h as early as possible
               #498  Autotools: Include files with release archives:
                       - buildconf.sh
                       - fuzz/*.c
          #507 #519  Autotools: Sync CMake templates
          #495 #524  CMake: MinGW: Fix pkg-config section "Libs" for
                       - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug)
                       - multi-config CMake generators (e.g. Ninja Multi-Config)
          #502 #503  docs: Document that function XML_GetBuffer may return NULL
                       when asking for a buffer of 0 (zero) bytes size
          #522 #523  docs: Fix return value docs for both
                       XML_SetBillionLaughsAttackProtection* functions
          #525 #526  Version info bumped from 9:1:8 to 9:2:8;
                       see https://verbump.de/ for what these numbers do

---
   Module Name: pkgsrc
   Committed By:        wiz
   Date:                Tue Feb  1 12:10:18 UTC 2022

   Modified Files:
        pkgsrc/textproc/expat: Makefile distinfo

   Log Message:
   expat: update to 2.4.4.

   Release 2.4.4 Sun January 30 2022
           Security fixes:
               #550  CVE-2022-23852 -- Fix signed integer overflow
                       (undefined behavior) in function XML_GetBuffer
                       (that is also called by function XML_Parse internally)
                       for when XML_CONTEXT_BYTES is defined to >0 (which is both
                       common and default).
                       Impact is denial of service or more.
               #551  CVE-2022-23990 -- Fix unsigned integer overflow in function
                       doProlog triggered by large content in element type
                       declarations when there is an element declaration handler
                       present (from a prior call to XML_SetElementDeclHandler).
                       Impact is denial of service or more.

           Bug fixes:
          #544 #545  xmlwf: Fix a memory leak on output file opening error

           Other changes:
               #546  Autotools: Fix broken CMake support under Cygwin
               #554  Windows: Add missing files to the installer to fix
                       compilation with CMake from installed sources
          #552 #554  Version info bumped from 9:3:8 to 9:4:8;
                       see https://verbump.de/ for what these numbers do


To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.47.6.1 pkgsrc/textproc/expat/Makefile
cvs rdiff -u -r1.39 -r1.39.2.1 pkgsrc/textproc/expat/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/textproc/expat/Makefile
diff -u pkgsrc/textproc/expat/Makefile:1.47 pkgsrc/textproc/expat/Makefile:1.47.6.1
--- pkgsrc/textproc/expat/Makefile:1.47 Tue May 25 06:34:08 2021
+++ pkgsrc/textproc/expat/Makefile      Mon Feb  7 07:09:18 2022
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.47 2021/05/25 06:34:08 nia Exp $
+# $NetBSD: Makefile,v 1.47.6.1 2022/02/07 07:09:18 tm Exp $
 
-DISTNAME=      expat-2.4.1
+DISTNAME=      expat-2.4.4
 CATEGORIES=    textproc
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=libexpat/}
 GITHUB_PROJECT=        libexpat

Index: pkgsrc/textproc/expat/distinfo
diff -u pkgsrc/textproc/expat/distinfo:1.39 pkgsrc/textproc/expat/distinfo:1.39.2.1
--- pkgsrc/textproc/expat/distinfo:1.39 Tue Oct 26 11:21:53 2021
+++ pkgsrc/textproc/expat/distinfo      Mon Feb  7 07:09:18 2022
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.39 2021/10/26 11:21:53 nia Exp $
+$NetBSD: distinfo,v 1.39.2.1 2022/02/07 07:09:18 tm Exp $
 
-BLAKE2s (expat-2.4.1.tar.gz) = 200b729d0725a700afe32a43e407f57898199f6d8ef3abc5246711f9c85d7fba
-SHA512 (expat-2.4.1.tar.gz) = 7390bf8d6b3e99f3bccc5c3d92f21d02c0b8ed29f1f9556e18dbae7caa813814b4fd7bd7aa2d711da27c97141d4a627b481b18ac57cef2c2438b78bac1c31203
-Size (expat-2.4.1.tar.gz) = 697439 bytes
+BLAKE2s (expat-2.4.4.tar.gz) = 8e5f1c0f84e7d725c0a885bc798411fa5e13603a6623e737ac66ba7b5e66ed33
+SHA512 (expat-2.4.4.tar.gz) = a3a4f7aec51f10bb57993f2c08ba367efcb4579e5fa11f0a85262e5d6677aba32f4a17b0436dd17d4c53f45aaff88cb5bf9cf96ba8380e7740a2728fe930c5e3
+Size (expat-2.4.4.tar.gz) = 703949 bytes



Home | Main Index | Thread Index | Old Index