pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: [pkgsrc-2026Q2] pkgsrc/textproc/expat



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Sun Jun 28 17:54:40 UTC 2026

Modified Files:
        pkgsrc/textproc/expat [pkgsrc-2026Q2]: Makefile distinfo

Log Message:
Pullup ticket #7146 - requested by taca
textproc/expat: security fix

Revisions pulled up:
- textproc/expat/Makefile                                       1.66
- textproc/expat/distinfo                                       1.60

---
   Module Name: pkgsrc
   Committed By:        wiz
   Date:                Thu Jun 25 20:59:15 UTC 2026

   Modified Files:
        pkgsrc/textproc/expat: Makefile distinfo

   Log Message:
   expat: update to 2.8.2.

   Release 2.8.2 Thu June 25 2026
           Security fixes:
              #1246  CVE-2026-50219 -- Disallow calls to functions
                       `XML_GetBuffer`, `XML_Parse`, `XML_ParseBuffer`,
                       `XML_ParserFree`, `XML_ParserReset` to guard e.g.
                       Expat bindings from memory corruption;
                       this CPython issue is related:
                       https://github.com/python/cpython/issues/146169
              #1267  CVE-2026-56131 -- Protect XML_ResumeParser from being called
                                       from a handler, plugging a hole in the fix
                                       to CVE-2026-50219
              #1272  CVE-2026-56132 -- Fix out-of-bound scaffolding index store
                                       in `doProlog`
        #1229 #1232  CVE-2026-56403 -- Integer overflow in `storeAtts`
              #1249  CVE-2026-56404 -- Integer overflow in `addBinding`
              #1251  CVE-2026-56405 -- Integer overflow in `getAttributeId`
              #1255  CVE-2026-56406 -- Integer overflow in `XML_ParseBuffer`
              #1262  CVE-2026-56407 -- Integer overflow in `textLen` handling
               #565  CVE-2026-56408 -- Integer overflow in `copyString`
                       (commit 16e2efd867ea8567ffa012210b52ef5918e20817)
              #1259  CVE-2026-56409 -- xmlwf: Integer overflow in output path join
              #1252  CVE-2026-56410 -- xmlwf: Integer overflow in
                       `resolveSystemId`
              #1263  CVE-2026-56411 -- xmlwf: Integer overflow in notation list
                       allocation
              #1278  CVE-2026-56412 -- Guard XML_TOK_DATA_CHARS handler calls in
                       `doCdataSection`, plugging a hole in the fix to
                       CVE-2026-50219

           Bug fixes:
              #1260  xmlwf: Escape names and base URI in meta output
              #1266  xmlwf: Pick a safe quote for notation system and public IDs

           Other changes:
              #1257  CMake|Autotools: Stop using /dev/urandom by default
        #1244 #1254  CMake: Fix guard for Unix sources of entropy
        #1183 #1270  CMake|Windows: Add missing export for symbol
                                    `XML_SetHashSalt16Bytes`
              #1236  CMake: Mark option EXPAT_OSSFUZZ_BUILD as advanced
              #1283  Limit output indentation for EXPAT_ENTITY_DEBUG=1 and
                       allow unlimited indentation via EXPAT_ENTITY_DEBUG=2
               #565  Replace some loops by use of `memcpy`, `strlen`, `wcslen`
              #1220  lib: Use a size_t for group sizes
              #1221  lib: Fix too-conservative integer overflow check when
                          appending raw name
              #1222  lib: Simplify attribute allocation/management logic
              #1224  Update fallthrough annotations to satisfy Clang and GCC
              #1226  lib: Remove unnecessary void * casts in random code
              #1228  lib: Reduce scope of locals in storeAtts
              #1230  lib: Count attributes with size_t variables
              #1238  Minor get-buffer improvements
        #1239 #1240  lib|tests: Include header expat_config.h first
              #1241  lib: Shrink size of XML_GetBuffer
              #1242  lib: Remove a legacy comment
              #1243  lib: XML_ParserReset: Extract repeated linked-list move logic
              #1243  lib: Unify entity free lists
              #1247  lib: Fix use of '0' as boolean literal
              #1248  lib: Make XML_Index overflow check more intuitive
              #1256  lib: Use size_t for counting string/URI lengths
              #1258  lib: XML_GetInputContext: Remove use of 0 for NULL
              #1261  Comment typo fixes
              #1275  Teach Memory Sanitizer semantics of randomization functions
        #1276 #1281  Version info bumped from 13:1:12 (libexpat*.so.1.12.1)
                       to 13:2:12 (libexpat*.so.1.12.2); see https://verbump.de/
                       for what these numbers do

           Infrastructure:
              #1231  perl-integration.yml: Bump to XML::Parser 2.59
              #1237  emscripten.yml: Bump from Ubuntu 22.04 to 24.04
        #1183 #1271  windows-build.yml: Cover completeness of file
                                        libexpat.def.cmake
              #1274  linux.yml: Make llvm-symbolizer available in CI

           Special thanks to:
               Alessandro Gario
               Asher Darden
               Christoph Reiter
               Haris Hussain
               Matthew Fernandez
               Kartik Kenchi
               Nick Begg
               Sajin S
               Yousef Shanableh
                    and
               Anthropic
               Astra Security
               Trail of Bits


To generate a diff of this commit:
cvs rdiff -u -r1.65 -r1.65.2.1 pkgsrc/textproc/expat/Makefile
cvs rdiff -u -r1.59 -r1.59.2.1 pkgsrc/textproc/expat/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/textproc/expat/Makefile
diff -u pkgsrc/textproc/expat/Makefile:1.65 pkgsrc/textproc/expat/Makefile:1.65.2.1
--- pkgsrc/textproc/expat/Makefile:1.65 Mon May 11 15:51:26 2026
+++ pkgsrc/textproc/expat/Makefile      Sun Jun 28 17:54:40 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.65 2026/05/11 15:51:26 adam Exp $
+# $NetBSD: Makefile,v 1.65.2.1 2026/06/28 17:54:40 bsiegert Exp $
 
-DISTNAME=      expat-2.8.1
+DISTNAME=      expat-2.8.2
 CATEGORIES=    textproc
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=libexpat/}
 GITHUB_PROJECT=        libexpat

Index: pkgsrc/textproc/expat/distinfo
diff -u pkgsrc/textproc/expat/distinfo:1.59 pkgsrc/textproc/expat/distinfo:1.59.2.1
--- pkgsrc/textproc/expat/distinfo:1.59 Mon May 11 15:51:26 2026
+++ pkgsrc/textproc/expat/distinfo      Sun Jun 28 17:54:40 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.59 2026/05/11 15:51:26 adam Exp $
+$NetBSD: distinfo,v 1.59.2.1 2026/06/28 17:54:40 bsiegert Exp $
 
-BLAKE2s (expat-2.8.1.tar.gz) = f4b7e78afa9094b38f09bc2381ed97c776158b2722f54065f66d6a8a47863956
-SHA512 (expat-2.8.1.tar.gz) = 2b17c1210d7267bdd0bd98d3e093279c56487efec1f2ae725bbc87b834c3f7aa789791ddb89ee324d1a823dc4e65b2f0d1555afb95cc06d64d75821e565dfc8c
-Size (expat-2.8.1.tar.gz) = 812969 bytes
+BLAKE2s (expat-2.8.2.tar.gz) = 7c09ddc0193f920b8f670caf6ca41538b0fa379ea9f154697959d56a21328a3f
+SHA512 (expat-2.8.2.tar.gz) = 378fe8b8319d1654dae09e2ce15e0dcff68e735eb9e28728b7bee7f60c81781025c3fccd6b620589529a6e63d94d0812474dc4c09721e5a3ea64dbc1efb623dd
+Size (expat-2.8.2.tar.gz) = 818391 bytes



Home | Main Index | Thread Index | Old Index