pkgsrc-Changes archive


CVS commit: pkgsrc/textproc/expat



Module Name:    pkgsrc
Committed By:   wiz
Date:           Tue Sep 16 21:33:17 UTC 2025

Modified Files:
        pkgsrc/textproc/expat: Makefile distinfo

Log Message:
expat: update to 2.7.2.

Release 2.7.2 Tue September 16 2025
        Security fixes:
     #1018 #1034  CVE-2025-59375 -- Disallow use of disproportional amounts of
                    dynamic memory from within an Expat parser (e.g. previously
                    a ~250 KiB sized document was able to cause allocation of
                    ~800 MiB from the heap, i.e. an "amplification" of factor
                    ~3,300); once a threshold (that defaults to 64 MiB) is
                    reached, a maximum amplification factor (that defaults to
                    100.0) is enforced, and violating documents are rejected
                    with an out-of-memory error.
                    There are two new API functions to fine-tune this new
                    behavior:
                      - XML_SetAllocTrackerActivationThreshold
                      - XML_SetAllocTrackerMaximumAmplification .
                    If you ever need to increase these defaults for non-attack
                    XML payload, please file a bug report with libexpat.
                      There is also a new environment variable
                    EXPAT_MALLOC_DEBUG=(0|1|2) to control the verbosity
                    of allocations debugging at runtime, disabled by default.
                      Known impact is (reliable and easy) denial of service:
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
                    (Base Score: 7.5, Temporal Score: 7.2)
                    Please note that a layer of compression around XML can
                    significantly reduce the minimum attack payload size.
                      Distributors intending to backport (or cherry-pick) the
                    fix need to copy 99% of the related pull request, not just
                    the "lib: Implement tracking of dynamic memory allocations"
                    commit, to not end up with a state that literally does both
                    too much and too little at the same time. Appending ".diff"
                    to the pull request URL could be of help.

        Other changes:
     #1008 #1017  Autotools: Sync CMake templates with CMake 3.31 for macOS
           #1007  CMake: Drop support for CMake <3.15
           #1004  CMake: Fix off_t detection for -Werror
           #1007  CMake|Windows: Fix -DEXPAT_MSVC_STATIC_CRT=ON
           #1013  Windows: Drop support for Visual Studio <=16.0/2019
           #1026  xmlwf: Mention supported environment variables in
                    --help output
           #1024  xmlwf: Fix (internal) help generator
           #1034  docs: Promote the contract to call function
                    XML_FreeContentModel when registering a custom
                    element declaration handler (via a call to function
                    XML_SetElementDeclHandler)
           #1027  docs: Add missing <p>..</p> wrap
            #994  docs: Drop AppVeyor badge
           #1000  tests: Fix portable_strndup
           #1036  Drop casts around malloc/free/realloc that C99 does not need
           #1010  Replace empty for-loops with while loops
           #1011  Add const with internal XmlInitUnknownEncodingNS
       #14 #1037  Drop an OpenVMS support leftover
      #999 #1001  Address more clang-tidy warnings
     #1030 #1038  Version info bumped from 11:2:10 (libexpat*.so.1.10.2)
                    to 12:0:11 (libexpat*.so.1.11.0); see https://verbump.de/
                    for what these numbers do

        Infrastructure:
           #1003  CI: Cover compilation on FreeBSD
     #1009 #1035  CI: Upgrade Clang from 19 to 21
           #1031  CI: Make calling Cppcheck without --suppress=objectIndex
                    and --suppress=unknownMacro possible
           #1013  CI|Windows: Get off of deprecated image "windows-2019"
  #1008 #1017 ..
     #1023 #1025  CI: Adapt to breaking changes in GitHub Actions
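To make the threshold-plus-ratio rule in the CVE-2025-59375 entry concrete, here is a small C model of such an allocation tracker. It is an added example, not libexpat source: the struct, the function names and the 1 MiB allocation step are assumptions; the 64 MiB threshold, the 100.0 factor and the 250 KiB / 800 MiB figures come from the log message above.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical model of the allocation tracker described for expat 2.7.2
 * (added example, not libexpat source).  Defaults as in the release notes:
 * 64 MiB activation threshold, maximum amplification factor 100.0. */
#define TRACKER_DEFAULT_THRESHOLD   ((uint64_t)64 << 20)
#define TRACKER_DEFAULT_MAX_AMPLIFY 100.0f

typedef struct {
    uint64_t input_bytes;     /* XML bytes fed to the parser so far */
    uint64_t allocated_bytes; /* heap bytes the parser has requested */
    uint64_t threshold;       /* ratio is not enforced below this total */
    float max_amplification;  /* allocated / input must stay <= this */
} alloc_tracker;

/* Decide whether n more heap bytes are acceptable.  The amplification ratio
 * is checked only once the running total reaches the threshold; a violation
 * is refused, which expat surfaces as an out-of-memory error. */
bool tracker_allow_alloc(alloc_tracker *t, uint64_t n) {
    uint64_t after = t->allocated_bytes + n;
    if (after >= t->threshold) {
        /* With no input yet, a total this large is disproportional by itself. */
        double ratio = t->input_bytes ? (double)after / (double)t->input_bytes
                                      : (double)after;
        if (ratio > (double)t->max_amplification)
            return false;
    }
    t->allocated_bytes = after;
    return true;
}

/* Replay a document of input_bytes whose parsing would request total_alloc
 * heap bytes in 1 MiB steps (step size is an assumption).  Returns true if
 * every request is accepted, false once the tracker rejects the document. */
bool document_accepted(uint64_t input_bytes, uint64_t total_alloc,
                       uint64_t threshold, float max_amplify) {
    alloc_tracker t = { input_bytes, 0, threshold, max_amplify };
    const uint64_t step = (uint64_t)1 << 20;
    for (uint64_t done = 0; done < total_alloc; done += step)
        if (!tracker_allow_alloc(&t, step))
            return false;
    return true;
}
```

With the defaults, the ~250 KiB document that drives ~800 MiB of allocations is refused as soon as the running total crosses 64 MiB (ratio about 262 at that point), while a document whose allocations never reach the threshold, or whose ratio stays at or below 100, passes; raising the factor, as XML_SetAllocTrackerMaximumAmplification would, lets the same document through.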


To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.60 pkgsrc/textproc/expat/Makefile
cvs rdiff -u -r1.53 -r1.54 pkgsrc/textproc/expat/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/textproc/expat/Makefile
diff -u pkgsrc/textproc/expat/Makefile:1.59 pkgsrc/textproc/expat/Makefile:1.60
--- pkgsrc/textproc/expat/Makefile:1.59 Sun Mar 30 07:48:15 2025
+++ pkgsrc/textproc/expat/Makefile      Tue Sep 16 21:33:17 2025
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.59 2025/03/30 07:48:15 wiz Exp $
+# $NetBSD: Makefile,v 1.60 2025/09/16 21:33:17 wiz Exp $
 
-DISTNAME=      expat-2.7.1
+DISTNAME=      expat-2.7.2
 CATEGORIES=    textproc
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=libexpat/}
 GITHUB_PROJECT=        libexpat
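Review bot: the DISTNAME bump to expat-2.7.2 is the only functional change in this hunk, but the log message says upstream moved the shared-library version info from libexpat*.so.1.10.2 to 1.11.0; since only Makefile and distinfo are listed as modified, confirm that PLIST and buildlink3.mk do not pin the old .so version or a minimum version that should now be raised for the CVE-2025-59375 fix.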

Index: pkgsrc/textproc/expat/distinfo
diff -u pkgsrc/textproc/expat/distinfo:1.53 pkgsrc/textproc/expat/distinfo:1.54
--- pkgsrc/textproc/expat/distinfo:1.53 Sun Mar 30 07:48:15 2025
+++ pkgsrc/textproc/expat/distinfo      Tue Sep 16 21:33:17 2025
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.53 2025/03/30 07:48:15 wiz Exp $
+$NetBSD: distinfo,v 1.54 2025/09/16 21:33:17 wiz Exp $
 
-BLAKE2s (expat-2.7.1.tar.gz) = fa9600a2ac4552b3e4d6a94b34392e6a3fa4b6d1c0d704cd2e937c17ed9705d8
-SHA512 (expat-2.7.1.tar.gz) = 1b6b94f3253ac3ab3f8c69d1c852db2334c99cb7990b9656f5f2458198d1eb854e79cce0e39151aef0d5e01a740fc965651c6a57fda585f9a24c543f2693f78c
-Size (expat-2.7.1.tar.gz) = 785356 bytes
+BLAKE2s (expat-2.7.2.tar.gz) = da5db4ce4d4ad9fb9b1c1c60a938047c7dd4448d0ffba17221e7aa07aa858d61
+SHA512 (expat-2.7.2.tar.gz) = 34a1601d2164809bf7db186b1608afb450025ebb2e802a3ae202979c5d76074526c731b5bb9a0c87db43da0a68ac986a1a346e27cf2abb0d3e2ee45ac6a24857
+Size (expat-2.7.2.tar.gz) = 798712 bytes
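Review bot: the replaced BLAKE2s, SHA512 and Size lines should be cross-checked against upstream's published checksums or release signature for expat-2.7.2 rather than only regenerated from the fetched tarball, since a distinfo generated from a substituted archive would verify cleanly and this update carries a security fix; the size growth from 785356 to 798712 bytes is consistent with a point release.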


