tech-pkg archive


expat update [was Re: HEADS UP: pkgsrc in careful mode, freezing soon]



Here's an update to the just-released 2.7.1 instead.
 Thomas
 
On Fri, Mar 14, 2025 at 08:01:41PM +0100, Thomas Klausner wrote:
> Hi!
> 
> On some platforms, expat has many dependencies (on NetBSD, the
> built-in is usually used) and it just got a security release.
> 
> https://blog.hartwork.org/posts/expat-2-7-0-released/
> 
> Should I commit this now or after the freeze?
>  Thomas
? log
Index: Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/textproc/expat/Makefile,v
retrieving revision 1.58
diff -u -r1.58 Makefile
--- Makefile	4 Sep 2024 13:08:26 -0000	1.58
+++ Makefile	28 Mar 2025 07:06:19 -0000
@@ -1,6 +1,6 @@
 # $NetBSD: Makefile,v 1.58 2024/09/04 13:08:26 adam Exp $
 
-DISTNAME=	expat-2.6.3
+DISTNAME=	expat-2.7.1
 CATEGORIES=	textproc
 MASTER_SITES=	${MASTER_SITE_GITHUB:=libexpat/}
 GITHUB_PROJECT=	libexpat
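Review bot: The DISTNAME line jumps from 2.6.3 straight to 2.7.1, skipping 2.6.4 and 2.7.0, so the commit message should state explicitly that this update pulls in the CVE-2024-8176 fix listed under the 2.7.0 entry of the changelog further down; that is what answers the freeze question in the quoted mail. The changelog's "Version info" entries show the shared library going from libexpat*.so.1.10.0 to 1.10.2 with the major number unchanged, so no PKGREVISION bump of dependents is implied by this hunk.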
Index: distinfo
===================================================================
RCS file: /cvsroot/pkgsrc/textproc/expat/distinfo,v
retrieving revision 1.52
diff -u -r1.52 distinfo
--- distinfo	18 Dec 2024 15:03:58 -0000	1.52
+++ distinfo	28 Mar 2025 07:06:19 -0000
@@ -1,6 +1,5 @@
 $NetBSD: distinfo,v 1.52 2024/12/18 15:03:58 brook Exp $
 
-BLAKE2s (expat-2.6.3.tar.gz) = fcc81c1c25ef679e6c93fe93c7c1b0cc5a306f94163d3e53b506917cb6537185
-SHA512 (expat-2.6.3.tar.gz) = 0c0f0df947bbe7084ba2bffce082bc40e061cbf02363f3043e8e6be33b71277dbf13fd54dcc0f641b704293e3faea5b8c1d3c752737db4c908097bf5df8bd02d
-Size (expat-2.6.3.tar.gz) = 764617 bytes
-SHA1 (patch-cmake_autotools_expat-noconfig____macos.cmake.in) = 21411931ba40ca89435a3a41b3c329039540bfa2
+BLAKE2s (expat-2.7.1.tar.gz) = fa9600a2ac4552b3e4d6a94b34392e6a3fa4b6d1c0d704cd2e937c17ed9705d8
+SHA512 (expat-2.7.1.tar.gz) = 1b6b94f3253ac3ab3f8c69d1c852db2334c99cb7990b9656f5f2458198d1eb854e79cce0e39151aef0d5e01a740fc965651c6a57fda585f9a24c543f2693f78c
+Size (expat-2.7.1.tar.gz) = 785356 bytes
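Review bot: The removed SHA1 line for patch-cmake_autotools_expat-noconfig____macos.cmake.in only stays consistent if the patch file itself is deleted in the same commit (it is, in the hunk that follows); splitting the two would leave `make checksum` complaining about a missing or unchecked patch. The new BLAKE2s, SHA512 and Size values for expat-2.7.1.tar.gz should come from `make makesum` on the fetched tarball and be cross-checked against the checksums or signature published with the upstream release, since nothing in this hunk can show where they were taken from.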
Index: patches/patch-cmake_autotools_expat-noconfig____macos.cmake.in
===================================================================
RCS file: patches/patch-cmake_autotools_expat-noconfig____macos.cmake.in
diff -N patches/patch-cmake_autotools_expat-noconfig____macos.cmake.in
--- patches/patch-cmake_autotools_expat-noconfig____macos.cmake.in	18 Dec 2024 15:03:58 -0000	1.1
+++ /dev/null	1 Jan 1970 00:00:00 -0000
@@ -1,41 +0,0 @@
-$NetBSD: patch-cmake_autotools_expat-noconfig____macos.cmake.in,v 1.1 2024/12/18 15:03:58 brook Exp $
-
-On Darwin, the installed expat shared library includes only the major
-version number, not minor version and patch, in the name.  The
-corresponding configure check, however, looks for the full name with
-all three parts and fails.
-
-The same problem occurs on Windows and is discussed in issue 485, even
-mentioning that Darwin likely has the same issue:
-
-    https://github.com/libexpat/libexpat/issues/485
-
-For some reason, the fix (removing minor and patch versions from the
-cmake file used by configure) was applied for Windows but not for
-Darwin.
-
-See the upstream issue:
-
-    https://github.com/libexpat/libexpat/issues/935
-
-which was closed with
-
-    https://github.com/libexpat/libexpat/pull/937
-
---- cmake/autotools/expat-noconfig__macos.cmake.in.orig	2023-08-26 12:27:53.000000000 +0000
-+++ cmake/autotools/expat-noconfig__macos.cmake.in
-@@ -8,12 +8,12 @@ set(CMAKE_IMPORT_FILE_VERSION 1)
- # Import target "expat::expat" for configuration "NoConfig"
- set_property(TARGET expat::expat APPEND PROPERTY IMPORTED_CONFIGURATIONS NOCONFIG)
- set_target_properties(expat::expat PROPERTIES
--  IMPORTED_LOCATION_NOCONFIG "${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.@SO_MAJOR@.@SO_MINOR@.@SO_PATCH@.dylib"
-+  IMPORTED_LOCATION_NOCONFIG "${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.@SO_MAJOR@.dylib"
-   IMPORTED_SONAME_NOCONFIG "@rpath/libexpat.@SO_MAJOR@.dylib"
-   )
- 
- list(APPEND _cmake_import_check_targets expat::expat )
--list(APPEND _cmake_import_check_files_for_expat::expat "${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.@SO_MAJOR@.@SO_MINOR@.@SO_PATCH@.dylib" )
-+list(APPEND _cmake_import_check_files_for_expat::expat "${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.@SO_MAJOR@.dylib" )
- 
- # Commands beyond this point should not need to know the version.
- set(CMAKE_IMPORT_FILE_VERSION)
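Review bot: Dropping this local patch is justified by the 2.7.0 changelog entry "#935 #937 Autotools: Make generated CMake files look for libexpat.@SO_MAJOR@.dylib on macOS", which is exactly the upstream pull request the patch header cites; the commit message should say so rather than leaving the removal unexplained. Before committing, a Darwin build (or at least a look at cmake/autotools/expat-noconfig__macos.cmake.in in the 2.7.1 tarball) should confirm the `@SO_MAJOR@.@SO_MINOR@.@SO_PATCH@` suffix is really gone, since the patch would have failed to apply cleanly rather than silently regressing if upstream had only partially fixed it.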
Release 2.7.1 Thu March 27 2025
        Bug fixes:
       #980 #989  Restore event pointer behavior from Expat 2.6.4
                    (that the fix to CVE-2024-8176 changed in 2.7.0);
                    affected API functions are:
                    - XML_GetCurrentByteCount
                    - XML_GetCurrentByteIndex
                    - XML_GetCurrentColumnNumber
                    - XML_GetCurrentLineNumber
                    - XML_GetInputContext

        Other changes:
       #976 #977  Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}"
                    with Automake that were missing from 2.7.0 release tarballs
       #983 #984  Fix printf format specifiers for 32bit Emscripten
            #992  docs: Promote OpenSSF Best Practices self-certification
            #978  tests/benchmark: Resolve mistaken double close
            #986  Address compiler warnings
       #990 #993  Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
                    to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
                    for what these numbers do

        Infrastructure:
            #982  CI: Start running Perl XML::Parser integration tests
            #987  CI: Enforce Clang Static Analyzer clean code
            #991  CI: Re-enable warning clang-analyzer-valist.Uninitialized
                    for clang-tidy
            #981  CI: Cover compilation with musl
       #983 #984  CI: Cover compilation with 32bit Emscripten
       #976 #977  CI: Protect against fuzzer files missing from future
                    release archives

Release 2.7.0 Thu March 13 2025
        Security fixes:
       #893 #973  CVE-2024-8176 -- Fix crash from chaining a large number
                    of entities caused by stack overflow by resolving use of
                    recursion, for all three uses of entities:
                    - general entities in character data ("<e>&g1;</e>")
                    - general entities in attribute values ("<e k1='&g1;'/>")
                    - parameter entities ("%p1;")
                    Known impact is (reliable and easy) denial of service:
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
                    (Base Score: 7.5, Temporal Score: 7.2)
                    Please note that a layer of compression around XML can
                    significantly reduce the minimum attack payload size.

        Other changes:
       #935 #937  Autotools: Make generated CMake files look for
                    libexpat.@SO_MAJOR@.dylib on macOS
            #925  Autotools: Sync CMake templates with CMake 3.29
  #945 #962 #966  CMake: Drop support for CMake <3.13
            #942  CMake: Small fuzzing related improvements
            #921  docs: Add missing documentation of error code
                    XML_ERROR_NOT_STARTED that was introduced with 2.6.4
            #941  docs: Document need for C++11 compiler for use from C++
            #959  tests/benchmark: Fix a (harmless) TOCTTOU
            #944  Windows: Fix installer target location of file xmlwf.xml
                    for CMake
            #953  Windows: Address warning -Wunknown-warning-option
                    about -Wno-pedantic-ms-format from LLVM MinGW
            #971  Address Cppcheck warnings
       #969 #970  Mass-migrate links from http:// to https://
    #947 #958 ..
       #974 #975  Document changes since the previous release
       #974 #975  Version info bumped from 11:0:10 (libexpat*.so.1.10.0)
                    to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/
                    for what these numbers do

        Infrastructure:
            #926  tests: Increase robustness
    #927 #932 ..
       #930 #933  tests: Increase test coverage
    #617 #950 ..
    #951 #952 ..
    #954 #955 ..  Fuzzing: Add new fuzzer "xml_lpm_fuzzer" based on
            #961    Google's libprotobuf-mutator ("LPM")
            #957  Fuzzing|CI: Start producing fuzzing code coverage reports
            #936  CI: Pass -q -q for LCOV >=2.1 in coverage.sh
            #942  CI: Small fuzzing related improvements
    #139 #203 ..
       #791 #946  CI: Make GitHub Actions build using MSVC on Windows and
                      produce 32bit and 64bit Windows binaries
            #956  CI: Get off of about-to-be-removed Ubuntu 20.04
       #960 #964  CI: Start uploading to Coverity Scan for static analysis
            #972  CI: Stop loading DTD from the internet to address flaky CI
            #971  CI: Adapt to breaking changes in Cppcheck
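The CVE-2024-8176 entry above describes a denial of service from long chains of entities that the old recursive expansion could not handle. Two things a packager or operator can check on a host are whether the expat actually linked into a program is at least 2.7.0, and whether untrusted documents are allowed to declare an unbounded number of entities in the first place. The script below is an added example, not code from pkgsrc or libexpat; it uses Python's stdlib binding `xml.parsers.expat`, which links the system libexpat, so the version it reports is the one the package ships. The entity-declaration budget (`max_entity_decls`) is this example's own defensive cap, not the upstream fix, and the sample documents are constructed for the demonstration.

```python
"""Defensive checks around expat entity handling (added example, not pkgsrc
or libexpat code).  Uses the stdlib binding xml.parsers.expat, which links
the system libexpat, so the version it reports is the one actually in use."""
import xml.parsers.expat as expat

# First release that, per the changelog above, ships the CVE-2024-8176 fix.
FIXED_IN = (2, 7, 0)


def expat_has_cve_2024_8176_fix(version_info=None):
    """True when the linked expat is at least 2.7.0.

    `version_info` defaults to what the stdlib binding reports; a tuple can
    be passed in to evaluate another build's version.
    """
    vi = expat.version_info if version_info is None else version_info
    return tuple(vi) >= FIXED_IN


class EntityBudgetExceeded(Exception):
    """Raised from inside a handler when the declaration budget is hit."""


def parse_with_entity_budget(data, max_entity_decls=50):
    """Parse `data`, aborting once more than `max_entity_decls` entity
    declarations have been seen in the DTD.

    The budget is this example's own defensive cap (an assumption, not the
    upstream fix): ordinary documents declare a handful of entities at
    most, so rejecting a DTD with hundreds of them limits what an unpatched
    expat can be made to do and costs a patched one nothing.
    Returns (status, declaration_count, character_data) with status "ok"
    or "rejected".
    """
    parser = expat.ParserCreate()
    state = {"decls": 0, "text": []}

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        state["decls"] += 1
        if state["decls"] > max_entity_decls:
            # Raising inside a handler makes pyexpat stop the parser and
            # re-raise the exception from Parse().
            raise EntityBudgetExceeded(name)

    def on_chardata(text):
        state["text"].append(text)

    parser.EntityDeclHandler = on_entity_decl
    parser.CharacterDataHandler = on_chardata
    try:
        parser.Parse(data, True)
    except EntityBudgetExceeded:
        return ("rejected", state["decls"], "".join(state["text"]))
    return ("ok", state["decls"], "".join(state["text"]))


# Constructed sample: two internal general entities, the second referring
# to the first, used in character data (the first of the three entity uses
# the CVE-2024-8176 entry lists).  Expands to "hello hello".
SAMPLE_OK = b"""<?xml version="1.0"?>
<!DOCTYPE r [
  <!ENTITY g1 "hello">
  <!ENTITY g2 "&g1; &g1;">
]>
<r>&g2;</r>"""


def build_many_entities(count):
    """Constructed document declaring `count` independent entities, used to
    show the budget tripping inside the DTD before the body is parsed."""
    decls = "".join('  <!ENTITY e%d "x">\n' % i for i in range(count))
    return ('<?xml version="1.0"?>\n<!DOCTYPE r [\n%s]>\n<r>&e0;</r>' % decls).encode()


if __name__ == "__main__":
    print("linked expat:", expat.EXPAT_VERSION,
          "has CVE-2024-8176 fix:", expat_has_cve_2024_8176_fix())
    print(parse_with_entity_budget(SAMPLE_OK))
    print(parse_with_entity_budget(build_many_entities(60), max_entity_decls=50))
```

Run it on the host being checked rather than a build box: the version check reports the libexpat that Python actually loaded, which on NetBSD is normally the base-system one the quoted mail mentions rather than the pkgsrc package. The budget is deliberately applied in the DTD stage, so an over-budget document is refused before any entity is expanded.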

