pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: pkgsrc/textproc/expat
Module Name: pkgsrc
Committed By: wiz
Date: Thu Jun 25 20:59:15 UTC 2026
Modified Files:
pkgsrc/textproc/expat: Makefile distinfo
Log Message:
expat: update to 2.8.2.
Release 2.8.2 Thu June 25 2026
Security fixes:
#1246 CVE-2026-50219 -- Disallow calls to functions
`XML_GetBuffer`, `XML_Parse`, `XML_ParseBuffer`,
`XML_ParserFree`, `XML_ParserReset` to guard e.g.
Expat bindings from memory corruption;
this CPython issue is related:
https://github.com/python/cpython/issues/146169
#1267 CVE-2026-56131 -- Protect XML_ResumeParser from being called
from a handler, plugging a hole in the fix
to CVE-2026-50219
#1272 CVE-2026-56132 -- Fix out-of-bound scaffolding index store
in `doProlog`
#1229 #1232 CVE-2026-56403 -- Integer overflow in `storeAtts`
#1249 CVE-2026-56404 -- Integer overflow in `addBinding`
#1251 CVE-2026-56405 -- Integer overflow in `getAttributeId`
#1255 CVE-2026-56406 -- Integer overflow in `XML_ParseBuffer`
#1262 CVE-2026-56407 -- Integer overflow in `textLen` handling
#565 CVE-2026-56408 -- Integer overflow in `copyString`
(commit 16e2efd867ea8567ffa012210b52ef5918e20817)
#1259 CVE-2026-56409 -- xmlwf: Integer overflow in output path join
#1252 CVE-2026-56410 -- xmlwf: Integer overflow in
`resolveSystemId`
#1263 CVE-2026-56411 -- xmlwf: Integer overflow in notation list
allocation
#1278 CVE-2026-56412 -- Guard XML_TOK_DATA_CHARS handler calls in
`doCdataSection`, plugging a hole in the fix to
CVE-2026-50219
Bug fixes:
#1260 xmlwf: Escape names and base URI in meta output
#1266 xmlwf: Pick a safe quote for notation system and public IDs
Other changes:
#1257 CMake|Autotools: Stop using /dev/urandom by default
#1244 #1254 CMake: Fix guard for Unix sources of entropy
#1183 #1270 CMake|Windows: Add missing export for symbol
`XML_SetHashSalt16Bytes`
#1236 CMake: Mark option EXPAT_OSSFUZZ_BUILD as advanced
#1283 Limit output indentation for EXPAT_ENTITY_DEBUG=1 and
allow unlimited indentation via EXPAT_ENTITY_DEBUG=2
#565 Replace some loops by use of `memcpy`, `strlen`, `wcslen`
#1220 lib: Use a size_t for group sizes
#1221 lib: Fix too-conservative integer overflow check when
appending raw name
#1222 lib: Simplify attribute allocation/management logic
#1224 Update fallthrough annotations to satisfy Clang and GCC
#1226 lib: Remove unnecessary void * casts in random code
#1228 lib: Reduce scope of locals in storeAtts
#1230 lib: Count attributes with size_t variables
#1238 Minor get-buffer improvements
#1239 #1240 lib|tests: Include header expat_config.h first
#1241 lib: Shrink size of XML_GetBuffer
#1242 lib: Remove a legacy comment
#1243 lib: XML_ParserReset: Extract repeated linked-list move logic
#1243 lib: Unify entity free lists
#1247 lib: Fix use of '0' as boolean literal
#1248 lib: Make XML_Index overflow check more intuitive
#1256 lib: Use size_t for counting string/URI lengths
#1258 lib: XML_GetInputContext: Remove use of 0 for NULL
#1261 Comment typo fixes
#1275 Teach Memory Sanitizer semantics of randomization functions
#1276 #1281 Version info bumped from 13:1:12 (libexpat*.so.1.12.1)
to 13:2:12 (libexpat*.so.1.12.2); see https://verbump.de/
for what these numbers do
Infrastructure:
#1231 perl-integration.yml: Bump to XML::Parser 2.59
#1237 emscripten.yml: Bump from Ubuntu 22.04 to 24.04
#1183 #1271 windows-build.yml: Cover completeness of file
libexpat.def.cmake
#1274 linux.yml: Make llvm-symbolizer available in CI
Special thanks to:
Alessandro Gario
Asher Darden
Christoph Reiter
Haris Hussain
Matthew Fernandez
Kartik Kenchi
Nick Begg
Sajin S
Yousef Shanableh
and
Anthropic
Astra Security
Trail of Bits
To generate a diff of this commit:
cvs rdiff -u -r1.65 -r1.66 pkgsrc/textproc/expat/Makefile
cvs rdiff -u -r1.59 -r1.60 pkgsrc/textproc/expat/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/textproc/expat/Makefile
diff -u pkgsrc/textproc/expat/Makefile:1.65 pkgsrc/textproc/expat/Makefile:1.66
--- pkgsrc/textproc/expat/Makefile:1.65 Mon May 11 15:51:26 2026
+++ pkgsrc/textproc/expat/Makefile Thu Jun 25 20:59:15 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.65 2026/05/11 15:51:26 adam Exp $
+# $NetBSD: Makefile,v 1.66 2026/06/25 20:59:15 wiz Exp $
-DISTNAME= expat-2.8.1
+DISTNAME= expat-2.8.2
CATEGORIES= textproc
MASTER_SITES= ${MASTER_SITE_GITHUB:=libexpat/}
GITHUB_PROJECT= libexpat
Index: pkgsrc/textproc/expat/distinfo
diff -u pkgsrc/textproc/expat/distinfo:1.59 pkgsrc/textproc/expat/distinfo:1.60
--- pkgsrc/textproc/expat/distinfo:1.59 Mon May 11 15:51:26 2026
+++ pkgsrc/textproc/expat/distinfo Thu Jun 25 20:59:15 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.59 2026/05/11 15:51:26 adam Exp $
+$NetBSD: distinfo,v 1.60 2026/06/25 20:59:15 wiz Exp $
-BLAKE2s (expat-2.8.1.tar.gz) = f4b7e78afa9094b38f09bc2381ed97c776158b2722f54065f66d6a8a47863956
-SHA512 (expat-2.8.1.tar.gz) = 2b17c1210d7267bdd0bd98d3e093279c56487efec1f2ae725bbc87b834c3f7aa789791ddb89ee324d1a823dc4e65b2f0d1555afb95cc06d64d75821e565dfc8c
-Size (expat-2.8.1.tar.gz) = 812969 bytes
+BLAKE2s (expat-2.8.2.tar.gz) = 7c09ddc0193f920b8f670caf6ca41538b0fa379ea9f154697959d56a21328a3f
+SHA512 (expat-2.8.2.tar.gz) = 378fe8b8319d1654dae09e2ce15e0dcff68e735eb9e28728b7bee7f60c81781025c3fccd6b620589529a6e63d94d0812474dc4c09721e5a3ea64dbc1efb623dd
+Size (expat-2.8.2.tar.gz) = 818391 bytes
Home |
Main Index |
Thread Index |
Old Index