pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/pkgsrc-2021Q4]: pkgsrc/textproc/expat Pullup ticket #6578 - requested...
details: https://anonhg.NetBSD.org/pkgsrc/rev/65db5f893658
branches: pkgsrc-2021Q4
changeset: 373138:65db5f893658
user: tm <tm%pkgsrc.org@localhost>
date: Mon Feb 07 07:09:18 2022 +0000
description:
Pullup ticket #6578 - requested by bsiegert
textproc/expat: security fix
Revisions pulled up:
- textproc/expat/Makefile 1.48-1.49
- textproc/expat/distinfo 1.40-1.41
---
Module Name: pkgsrc
Committed By: wiz
Date: Mon Jan 17 08:49:34 UTC 2022
Modified Files:
pkgsrc/textproc/expat: Makefile distinfo
Log Message:
expat: update to 2.4.3.
Release 2.4.3 Sun January 16 2022
Security fixes:
#531 #534 CVE-2021-45960 -- Fix issues with left shifts by >=29 places
resulting in
a) realloc acting as free
b) realloc allocating too few bytes
c) undefined behavior
depending on architecture and precise value
for XML documents with >=2^27+1 prefixed attributes
on a single XML tag a la
"<r xmlns:a='[..]' a:a123='[..]' [..] />"
where XML_ParserCreateNS is used to create the parser
(which needs argument "-n" when running xmlwf).
Impact is denial of service, or more.
#532 #538 CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
on variable m_groupSize in function doProlog leading
to realloc acting as free.
Impact is denial of service or more.
#539 CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
near memory allocation at multiple places. Mitre assigned
a dedicated CVE for each involved internal C function:
- CVE-2022-22822 for function addBinding
- CVE-2022-22823 for function build_model
- CVE-2022-22824 for function defineAttribute
- CVE-2022-22825 for function lookup
- CVE-2022-22826 for function nextScaffoldPart
- CVE-2022-22827 for function storeAtts
Impact is denial of service or more.
Other changes:
#535 CMake: Make call to file(GENERATE [..]) work for CMake <3.19
#541 Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin
and MSYS2 by not going through Wine on these platforms
#527 #528 Address compiler warnings
#533 #543 Version info bumped from 9:2:8 to 9:3:8;
see https://verbump.de/ for what these numbers do
Infrastructure:
#536 CI: Check for realistic minimum CMake version
#529 #539 CI: Cover compilation with -m32
#529 CI: Store coverage reports as artifacts for download
#528 CI: Upgrade Clang from 11 to 13
Release 2.4.2 Sun December 19 2021
Other changes:
#509 #510 Link againgst libm for function "isnan"
#513 #514 Include expat_config.h as early as possible
#498 Autotools: Include files with release archives:
- buildconf.sh
- fuzz/*.c
#507 #519 Autotools: Sync CMake templates
#495 #524 CMake: MinGW: Fix pkg-config section "Libs" for
- non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug)
- multi-config CMake generators (e.g. Ninja Multi-Config)
#502 #503 docs: Document that function XML_GetBuffer may return NULL
when asking for a buffer of 0 (zero) bytes size
#522 #523 docs: Fix return value docs for both
XML_SetBillionLaughsAttackProtection* functions
#525 #526 Version info bumped from 9:1:8 to 9:2:8;
see https://verbump.de/ for what these numbers do
---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Feb 1 12:10:18 UTC 2022
Modified Files:
pkgsrc/textproc/expat: Makefile distinfo
Log Message:
expat: update to 2.4.4.
Release 2.4.4 Sun January 30 2022
Security fixes:
#550 CVE-2022-23852 -- Fix signed integer overflow
(undefined behavior) in function XML_GetBuffer
(that is also called by function XML_Parse internally)
for when XML_CONTEXT_BYTES is defined to >0 (which is both
common and default).
Impact is denial of service or more.
#551 CVE-2022-23990 -- Fix unsigned integer overflow in function
doProlog triggered by large content in element type
declarations when there is an element declaration handler
present (from a prior call to XML_SetElementDeclHandler).
Impact is denial of service or more.
Bug fixes:
#544 #545 xmlwf: Fix a memory leak on output file opening error
Other changes:
#546 Autotools: Fix broken CMake support under Cygwin
#554 Windows: Add missing files to the installer to fix
compilation with CMake from installed sources
#552 #554 Version info bumped from 9:3:8 to 9:4:8;
see https://verbump.de/ for what these numbers do
diffstat:
textproc/expat/Makefile | 4 ++--
textproc/expat/distinfo | 8 ++++----
2 files changed, 6 insertions(+), 6 deletions(-)
diffs (25 lines):
diff -r 14a0c90c4c4b -r 65db5f893658 textproc/expat/Makefile
--- a/textproc/expat/Makefile Sun Feb 06 19:28:36 2022 +0000
+++ b/textproc/expat/Makefile Mon Feb 07 07:09:18 2022 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.47 2021/05/25 06:34:08 nia Exp $
+# $NetBSD: Makefile,v 1.47.6.1 2022/02/07 07:09:18 tm Exp $
-DISTNAME= expat-2.4.1
+DISTNAME= expat-2.4.4
CATEGORIES= textproc
MASTER_SITES= ${MASTER_SITE_GITHUB:=libexpat/}
GITHUB_PROJECT= libexpat
diff -r 14a0c90c4c4b -r 65db5f893658 textproc/expat/distinfo
--- a/textproc/expat/distinfo Sun Feb 06 19:28:36 2022 +0000
+++ b/textproc/expat/distinfo Mon Feb 07 07:09:18 2022 +0000
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.39 2021/10/26 11:21:53 nia Exp $
+$NetBSD: distinfo,v 1.39.2.1 2022/02/07 07:09:18 tm Exp $
-BLAKE2s (expat-2.4.1.tar.gz) = 200b729d0725a700afe32a43e407f57898199f6d8ef3abc5246711f9c85d7fba
-SHA512 (expat-2.4.1.tar.gz) = 7390bf8d6b3e99f3bccc5c3d92f21d02c0b8ed29f1f9556e18dbae7caa813814b4fd7bd7aa2d711da27c97141d4a627b481b18ac57cef2c2438b78bac1c31203
-Size (expat-2.4.1.tar.gz) = 697439 bytes
+BLAKE2s (expat-2.4.4.tar.gz) = 8e5f1c0f84e7d725c0a885bc798411fa5e13603a6623e737ac66ba7b5e66ed33
+SHA512 (expat-2.4.4.tar.gz) = a3a4f7aec51f10bb57993f2c08ba367efcb4579e5fa11f0a85262e5d6677aba32f4a17b0436dd17d4c53f45aaff88cb5bf9cf96ba8380e7740a2728fe930c5e3
+Size (expat-2.4.4.tar.gz) = 703949 bytes
Home |
Main Index |
Thread Index |
Old Index