pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: pkgsrc/textproc/expat



Module Name:    pkgsrc
Committed By:   wiz
Date:           Thu Jun 25 20:59:15 UTC 2026

Modified Files:
        pkgsrc/textproc/expat: Makefile distinfo

Log Message:
expat: update to 2.8.2.

Release 2.8.2 Thu June 25 2026
        Security fixes:
           #1246  CVE-2026-50219 -- Disallow calls to functions
                    `XML_GetBuffer`, `XML_Parse`, `XML_ParseBuffer`,
                    `XML_ParserFree`, `XML_ParserReset` to guard e.g.
                    Expat bindings from memory corruption;
                    this CPython issue is related:
                    https://github.com/python/cpython/issues/146169
           #1267  CVE-2026-56131 -- Protect XML_ResumeParser from being called
                                    from a handler, plugging a hole in the fix
                                    to CVE-2026-50219
           #1272  CVE-2026-56132 -- Fix out-of-bound scaffolding index store
                                    in `doProlog`
     #1229 #1232  CVE-2026-56403 -- Integer overflow in `storeAtts`
           #1249  CVE-2026-56404 -- Integer overflow in `addBinding`
           #1251  CVE-2026-56405 -- Integer overflow in `getAttributeId`
           #1255  CVE-2026-56406 -- Integer overflow in `XML_ParseBuffer`
           #1262  CVE-2026-56407 -- Integer overflow in `textLen` handling
            #565  CVE-2026-56408 -- Integer overflow in `copyString`
                    (commit 16e2efd867ea8567ffa012210b52ef5918e20817)
           #1259  CVE-2026-56409 -- xmlwf: Integer overflow in output path join
           #1252  CVE-2026-56410 -- xmlwf: Integer overflow in
                    `resolveSystemId`
           #1263  CVE-2026-56411 -- xmlwf: Integer overflow in notation list
                    allocation
           #1278  CVE-2026-56412 -- Guard XML_TOK_DATA_CHARS handler calls in
                    `doCdataSection`, plugging a hole in the fix to
                    CVE-2026-50219

        Bug fixes:
           #1260  xmlwf: Escape names and base URI in meta output
           #1266  xmlwf: Pick a safe quote for notation system and public IDs

        Other changes:
           #1257  CMake|Autotools: Stop using /dev/urandom by default
     #1244 #1254  CMake: Fix guard for Unix sources of entropy
     #1183 #1270  CMake|Windows: Add missing export for symbol
                                 `XML_SetHashSalt16Bytes`
           #1236  CMake: Mark option EXPAT_OSSFUZZ_BUILD as advanced
           #1283  Limit output indentation for EXPAT_ENTITY_DEBUG=1 and
                    allow unlimited indentation via EXPAT_ENTITY_DEBUG=2
            #565  Replace some loops by use of `memcpy`, `strlen`, `wcslen`
           #1220  lib: Use a size_t for group sizes
           #1221  lib: Fix too-conservative integer overflow check when
                       appending raw name
           #1222  lib: Simplify attribute allocation/management logic
           #1224  Update fallthrough annotations to satisfy Clang and GCC
           #1226  lib: Remove unnecessary void * casts in random code
           #1228  lib: Reduce scope of locals in storeAtts
           #1230  lib: Count attributes with size_t variables
           #1238  Minor get-buffer improvements
     #1239 #1240  lib|tests: Include header expat_config.h first
           #1241  lib: Shrink size of XML_GetBuffer
           #1242  lib: Remove a legacy comment
           #1243  lib: XML_ParserReset: Extract repeated linked-list move logic
           #1243  lib: Unify entity free lists
           #1247  lib: Fix use of '0' as boolean literal
           #1248  lib: Make XML_Index overflow check more intuitive
           #1256  lib: Use size_t for counting string/URI lengths
           #1258  lib: XML_GetInputContext: Remove use of 0 for NULL
           #1261  Comment typo fixes
           #1275  Teach Memory Sanitizer semantics of randomization functions
     #1276 #1281  Version info bumped from 13:1:12 (libexpat*.so.1.12.1)
                    to 13:2:12 (libexpat*.so.1.12.2); see https://verbump.de/
                    for what these numbers do

        Infrastructure:
           #1231  perl-integration.yml: Bump to XML::Parser 2.59
           #1237  emscripten.yml: Bump from Ubuntu 22.04 to 24.04
     #1183 #1271  windows-build.yml: Cover completeness of file
                                     libexpat.def.cmake
           #1274  linux.yml: Make llvm-symbolizer available in CI

        Special thanks to:
            Alessandro Gario
            Asher Darden
            Christoph Reiter
            Haris Hussain
            Matthew Fernandez
            Kartik Kenchi
            Nick Begg
            Sajin S
            Yousef Shanableh
                 and
            Anthropic
            Astra Security
            Trail of Bits


To generate a diff of this commit:
cvs rdiff -u -r1.65 -r1.66 pkgsrc/textproc/expat/Makefile
cvs rdiff -u -r1.59 -r1.60 pkgsrc/textproc/expat/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/textproc/expat/Makefile
diff -u pkgsrc/textproc/expat/Makefile:1.65 pkgsrc/textproc/expat/Makefile:1.66
--- pkgsrc/textproc/expat/Makefile:1.65 Mon May 11 15:51:26 2026
+++ pkgsrc/textproc/expat/Makefile      Thu Jun 25 20:59:15 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.65 2026/05/11 15:51:26 adam Exp $
+# $NetBSD: Makefile,v 1.66 2026/06/25 20:59:15 wiz Exp $
 
-DISTNAME=      expat-2.8.1
+DISTNAME=      expat-2.8.2
 CATEGORIES=    textproc
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=libexpat/}
 GITHUB_PROJECT=        libexpat

Index: pkgsrc/textproc/expat/distinfo
diff -u pkgsrc/textproc/expat/distinfo:1.59 pkgsrc/textproc/expat/distinfo:1.60
--- pkgsrc/textproc/expat/distinfo:1.59 Mon May 11 15:51:26 2026
+++ pkgsrc/textproc/expat/distinfo      Thu Jun 25 20:59:15 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.59 2026/05/11 15:51:26 adam Exp $
+$NetBSD: distinfo,v 1.60 2026/06/25 20:59:15 wiz Exp $
 
-BLAKE2s (expat-2.8.1.tar.gz) = f4b7e78afa9094b38f09bc2381ed97c776158b2722f54065f66d6a8a47863956
-SHA512 (expat-2.8.1.tar.gz) = 2b17c1210d7267bdd0bd98d3e093279c56487efec1f2ae725bbc87b834c3f7aa789791ddb89ee324d1a823dc4e65b2f0d1555afb95cc06d64d75821e565dfc8c
-Size (expat-2.8.1.tar.gz) = 812969 bytes
+BLAKE2s (expat-2.8.2.tar.gz) = 7c09ddc0193f920b8f670caf6ca41538b0fa379ea9f154697959d56a21328a3f
+SHA512 (expat-2.8.2.tar.gz) = 378fe8b8319d1654dae09e2ce15e0dcff68e735eb9e28728b7bee7f60c81781025c3fccd6b620589529a6e63d94d0812474dc4c09721e5a3ea64dbc1efb623dd
+Size (expat-2.8.2.tar.gz) = 818391 bytes



Home | Main Index | Thread Index | Old Index