pkgsrc-Changes archive

CVS commit: pkgsrc/textproc/uriparser



Module Name:    pkgsrc
Committed By:   wiz
Date:           Mon Dec 15 21:10:13 UTC 2025

Modified Files:
        pkgsrc/textproc/uriparser: Makefile PLIST distinfo options.mk
Removed Files:
        pkgsrc/textproc/uriparser/patches: patch-include_uriparser_UriBase.h

Log Message:
uriparser: update to 1.0.0.

Security fix release.

2025-12-15 -- 1.0.0

>>>>>>>>>>>>> SECURITY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  * Fixed: [CVE-2025-67899]
      Protect from stack overflow during parsing by dissolving all 13 cases
      of recursion, both direct and indirect. The attack vector was long
      (or crafted) URI input. The known impact is denial of service or more.
      Thanks for the report to Sergey Svistunov!
      Thanks for in-depth review to Tim Düsterhus! (sponsored by Tideways GmbH)
      Thanks for C callgraph tool "egypt" (https://www.gson.org/egypt/)
        to Andreas Gustafsson and for "dot_find_cycles.py" to Jason Antman!
      (GitHub #282, GitHub #284)
>>>>>>>>>>>>> SECURITY >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  * Changed: Start requiring a C99 compiler (GitHub #264, GitHub #273)
  * Changed: Require CMake >=3.15.0 (GitHub #270)
  * Changed: Stop building tests by default (GitHub #283)
  * Fixed: Normalization of URIs with leading dot segments
      produced ambiguous results in the sense that a reparse
      after normalization would have misinterpreted path parts
      as a host (GitHub #262, GitHub #263, GitHub #265)
      Examples of affected URIs:
      - "scheme:/.//path1/path2"
      - "/.//path1/path2"
      - ".//path1/path2"
      The fix is to not remove that dot segment.
      Thanks to Ignace Nyamagana Butera and to Tim Düsterhus for the report!
  * Fixed: Insufficient pointer alignment from allocation wrappers
      used in the implementation of function uriCompleteMemoryManager.
      (GitHub #261)
      Thanks to Matthew Fernandez and Rolf Eike Beer for the report and review!
  * Fixed: Do not set `absolutePath` for empty paths when removing host
      Thanks for the report and pull request to Tim Düsterhus!
      (GitHub #275, GitHub #276)
  * Fixed: Documentation of functions uriCompleteMemoryManager,
      uriEmulateCalloc, uriEmulateReallocarray and uriTestMemoryManager
      (GitHub #261)
  * Fixed: CMake: Remake approach to static CRT with MSVC compilers
      Old: -DURIPARSER_MSVC_RUNTIME=/MT
      New: -DURIPARSER_MSVC_STATIC_CRT=ON
      (GitHub #270)
  * Fixed: Documentation: Get CMake variables list back in sync and sorted
      in the readme (GitHub #270)
  * Fixed: Various typos found by Codespell
      (https://github.com/codespell-project/codespell) (GitHub #259)
  * Added: Add a new (and recommended to use) version of uriTestMemoryManager
      that can challenge pointer alignment (GitHub #261)
      New functions:
        uriTestMemoryManagerEx
  * Improved: Increase test coverage by mutation testing
      Thanks for the pull request to Tim Düsterhus! (GitHub #266)
  * Improved: Address compiler warning -Wunused-but-set-variable (GitHub #268)
  * Improved: Deduplicate internal char set macros (GitHub #280)
  * Infrastructure: Enable stack traces from UndefinedBehaviorSanitizer in CI
      via environment variable UBSAN_OPTIONS (GitHub #261)
  * Infrastructure: Bump GoogleTest to 1.12.0 in AppVeyor CI to fix the build
      with CMake >=3.5 (GitHub #261)
  * Infrastructure: Migrate Windows CI from AppVeyor to GitHub Actions
      (GitHub #270)
  * Infrastructure: Make GitHub Actions detect and reject known typos using
      Codespell (https://github.com/codespell-project/codespell) (GitHub #259)
  * Infrastructure: Update Clang from 20 to 21 (GitHub #267)
  * Infrastructure: Start specifying CXX and CXXFLAGS for fuzzing CI
      (GitHub #268)
  * Infrastructure: Make CI report on test coverage using LLVM, and offer
      these reports for download (GitHub #32, GitHub #269)
  * Infrastructure: Make CI enforce clang-format clean code (GitHub #272)
  * Soname: 3:0:2 — see https://verbump.de/ for what these numbers do
      (liburiparser.so.1.2.0)


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 pkgsrc/textproc/uriparser/Makefile
cvs rdiff -u -r1.10 -r1.11 pkgsrc/textproc/uriparser/PLIST
cvs rdiff -u -r1.19 -r1.20 pkgsrc/textproc/uriparser/distinfo
cvs rdiff -u -r1.3 -r1.4 pkgsrc/textproc/uriparser/options.mk
cvs rdiff -u -r1.1 -r0 \
    pkgsrc/textproc/uriparser/patches/patch-include_uriparser_UriBase.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/textproc/uriparser/Makefile
diff -u pkgsrc/textproc/uriparser/Makefile:1.20 pkgsrc/textproc/uriparser/Makefile:1.21
--- pkgsrc/textproc/uriparser/Makefile:1.20     Fri Sep  5 18:53:02 2025
+++ pkgsrc/textproc/uriparser/Makefile  Mon Dec 15 21:10:12 2025
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.20 2025/09/05 18:53:02 wiz Exp $
+# $NetBSD: Makefile,v 1.21 2025/12/15 21:10:12 wiz Exp $
 
-DISTNAME=      uriparser-0.9.9
+DISTNAME=      uriparser-1.0.0
 CATEGORIES=    textproc
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=uriparser/}
 GITHUB_RELEASE=        ${DISTNAME}
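
Review bot: The DISTNAME change to uriparser-1.0.0 is the only functional line in this hunk, yet the log message says upstream now requires a C99 compiler and CMake >=3.15.0, and nothing in the visible lines declares either. If the unchanged part of the Makefile does not already cover them, declare the C99 requirement and the CMake minimum there so that an older toolchain fails at configure time with a clear message rather than partway through the build.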

Index: pkgsrc/textproc/uriparser/PLIST
diff -u pkgsrc/textproc/uriparser/PLIST:1.10 pkgsrc/textproc/uriparser/PLIST:1.11
--- pkgsrc/textproc/uriparser/PLIST:1.10        Fri Sep  5 18:53:02 2025
+++ pkgsrc/textproc/uriparser/PLIST     Mon Dec 15 21:10:12 2025
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.10 2025/09/05 18:53:02 wiz Exp $
+@comment $NetBSD: PLIST,v 1.11 2025/12/15 21:10:12 wiz Exp $
 bin/uriparse
 include/uriparser/Uri.h
 include/uriparser/UriBase.h
@@ -12,5 +12,5 @@ lib/cmake/${PKGNAME}/uriparser-noconfig.
 lib/cmake/${PKGNAME}/uriparser.cmake
 lib/liburiparser.so
 lib/liburiparser.so.1
-lib/liburiparser.so.1.1.0
+lib/liburiparser.so.1.2.0
 lib/pkgconfig/liburiparser.pc

Index: pkgsrc/textproc/uriparser/distinfo
diff -u pkgsrc/textproc/uriparser/distinfo:1.19 pkgsrc/textproc/uriparser/distinfo:1.20
--- pkgsrc/textproc/uriparser/distinfo:1.19     Fri Sep  5 18:53:02 2025
+++ pkgsrc/textproc/uriparser/distinfo  Mon Dec 15 21:10:12 2025
@@ -1,6 +1,5 @@
-$NetBSD: distinfo,v 1.19 2025/09/05 18:53:02 wiz Exp $
+$NetBSD: distinfo,v 1.20 2025/12/15 21:10:12 wiz Exp $
 
-BLAKE2s (uriparser-0.9.9.tar.xz) = 159df4d8d79156aa95ec4d3065e3424a62d389053439f80418d36f184670bdcf
-SHA512 (uriparser-0.9.9.tar.xz) = e032fa5d119fbad000194dc0fa5182c41c1ba8ee237ea5cd197d94f7c75cc1dff89105be68398dfadc6f1a03ec0e6721ad02dc47b3d18a754bf1346380e467ca
-Size (uriparser-0.9.9.tar.xz) = 193436 bytes
-SHA1 (patch-include_uriparser_UriBase.h) = 71f3582a2988c6c35a1a2b1995d50f47f22939bd
+BLAKE2s (uriparser-1.0.0.tar.xz) = 5924e510caa3be515f84970a7921a81be6a50cae2d1f99a77a3f1743110f13cc
+SHA512 (uriparser-1.0.0.tar.xz) = 1b124eb7762af0a0bb39272578a74c745e58d5c23d58fb25b314c34cf7ce3cf679674cd47245d1b6dc9416c97882bdadee6a7a860058275de223974ce35338df
+Size (uriparser-1.0.0.tar.xz) = 200048 bytes
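
Review bot: The removed "SHA1 (patch-include_uriparser_UriBase.h)" line retires the only local patch recorded in this file, and the log message does not say why it is no longer needed. Add a sentence to the commit message stating that 1.0.0 makes the patch unnecessary, so a later reader can tell it was dropped deliberately and not lost in the update. The new BLAKE2s, SHA512 and Size entries cannot be validated from the diff alone; compare them against a tarball fetched independently from the upstream release before relying on them.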

Index: pkgsrc/textproc/uriparser/options.mk
diff -u pkgsrc/textproc/uriparser/options.mk:1.3 pkgsrc/textproc/uriparser/options.mk:1.4
--- pkgsrc/textproc/uriparser/options.mk:1.3    Sun Aug 25 06:19:17 2024
+++ pkgsrc/textproc/uriparser/options.mk        Mon Dec 15 21:10:12 2025
@@ -1,4 +1,4 @@
-# $NetBSD: options.mk,v 1.3 2024/08/25 06:19:17 wiz Exp $
+# $NetBSD: options.mk,v 1.4 2025/12/15 21:10:12 wiz Exp $
 
 PKG_OPTIONS_VAR=       PKG_OPTIONS.uriparser
 
@@ -14,9 +14,10 @@ PKG_SUPPORTED_OPTIONS=       tests
 # Tests are default-off in order to help building this on systems
 # with older C++ compilers.
 #
-TEST_TARGET=   test
+TEST_TARGET=           test
 CMAKE_CONFIGURE_ARGS+= -DURIPARSER_BUILD_TESTS=ON
-USE_LANGUAGES= c c++14
+USE_LANGUAGES=         c c++
+USE_CXX_FEATURES+=     c++14
 .  include "../../devel/googletest/buildlink3.mk"
 .else
 CMAKE_CONFIGURE_ARGS+= -DURIPARSER_BUILD_TESTS=OFF
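
Review bot: "USE_LANGUAGES= c c++" on the changed line is a plain assignment inside the tests option block, so it replaces any earlier value instead of extending it. Since the log message says upstream now requires C99, check that enabling the tests option does not discard a C99 setting made before options.mk is included; "USE_LANGUAGES+= c++" would avoid that. Moving the standard level into "USE_CXX_FEATURES+= c++14" reads fine, and the TEST_TARGET line is a whitespace-only change.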

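The normalization ambiguity from the log message ("/.//path1/path2" losing its dot segment and then reparsing with path1 as the host), shown as an added example that is not uriparser or pkgsrc code. It is a simplified string-based model of RFC 3986 section 5.2.4 for a path without an authority; the names normalize_path and reparsed_host are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* RFC 3986 section 5.2.4 remove_dot_segments for the path of a URI that has
 * no authority. out needs strlen(in) + 3 bytes. With keep_dot set, a result
 * starting with "//" gets its "/." put back, modelling the described fix. */
static void normalize_path(const char *in, char *out, int keep_dot)
{
    size_t n = 0;                               /* bytes written to out */
    while (*in) {
        if (!strncmp(in, "../", 3)) in += 3;
        else if (!strncmp(in, "./", 2)) in += 2;
        else if (!strncmp(in, "/./", 3)) in += 2;
        else if (!strcmp(in, "/.")) in = "/";
        else if (!strncmp(in, "/../", 4) || !strcmp(in, "/..")) {
            in = in[3] ? in + 3 : "/";
            while (n > 0 && out[--n] != '/') {} /* drop last output segment */
        } else if (!strcmp(in, ".") || !strcmp(in, "..")) in += strlen(in);
        else do out[n++] = *in++; while (*in && *in != '/');
    }
    out[n] = '\0';
    if (keep_dot && !strncmp(out, "//", 2)) {   /* would reparse as a host */
        memmove(out + 2, out, n + 1);
        memcpy(out, "/.", 2);
    }
}

/* What a reparse sees: if the path text starts with "//", everything up to
 * the next "/" is read as the host. Returns 1 and fills host in that case. */
static int reparsed_host(const char *path, char *host, size_t size)
{
    if (strncmp(path, "//", 2) != 0) return 0;
    size_t len = strcspn(path + 2, "/");
    if (len >= size) len = size - 1;
    memcpy(host, path + 2, len);
    host[len] = '\0';
    return 1;
}

int main(void)
{
    char out[64], host[64] = "";
    normalize_path("/.//path1/path2", out, 0);  /* URI from the log message */
    reparsed_host(out, host, sizeof host);
    printf("naive:    %s (host on reparse: \"%s\")\n", out, host);
    normalize_path("/.//path1/path2", out, 1);
    printf("hardened: %s (host on reparse: %d)\n", out,
           reparsed_host(out, host, sizeof host));
    return 0;
}
```

The same check applies to "scheme:/.//path1/path2", whose path component is identical; the relative case ".//path1/path2" is not modelled here.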