tech-pkg archive
Re: expat update [was Re: HEADS UP: pkgsrc in careful mode, freezing soon]
Thanks for keeping on top of security updates. I'd rather have this go
in after the branch and possibly be pulled up some time later.
(Rationale: denial of service is a lower-severity vulnerability,
expat is used by a lot of packages, and they changed the y version, which
suggests the changes weren't minimal.)
On Fri, Mar 28, 2025 at 08:09:13AM +0100, Thomas Klausner wrote:
> Here's an update to the just-released 2.7.1 instead.
> Thomas
>
> On Fri, Mar 14, 2025 at 08:01:41PM +0100, Thomas Klausner wrote:
> > Hi!
> >
> > On some platforms, expat has many dependencies, (on NetBSD, the
> > built-in is usually used) and it just got a security release.
> >
> > https://blog.hartwork.org/posts/expat-2-7-0-released/
> >
> > Should I commit this now or after the freeze?
> > Thomas
> ? log
> Index: Makefile
> ===================================================================
> RCS file: /cvsroot/pkgsrc/textproc/expat/Makefile,v
> retrieving revision 1.58
> diff -u -r1.58 Makefile
> --- Makefile 4 Sep 2024 13:08:26 -0000 1.58
> +++ Makefile 28 Mar 2025 07:06:19 -0000
> @@ -1,6 +1,6 @@
> # $NetBSD: Makefile,v 1.58 2024/09/04 13:08:26 adam Exp $
>
> -DISTNAME= expat-2.6.3
> +DISTNAME= expat-2.7.1
> CATEGORIES= textproc
> MASTER_SITES= ${MASTER_SITE_GITHUB:=libexpat/}
> GITHUB_PROJECT= libexpat
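Review bot: the DISTNAME bump goes from 2.6.3 straight to 2.7.1, skipping 2.6.4 and 2.7.0, so the commit message should state that it picks up both the CVE-2024-8176 fix from 2.7.0 and the 2.7.1 restoration of the XML_GetCurrentByteIndex / XML_GetCurrentLineNumber event-pointer behaviour that 2.7.0 changed; the quoted changelog also shows the library version info moving from 11:0:10 (libexpat*.so.1.10.0) to 11:2:10 (libexpat*.so.1.10.2) with the same .so.1 major, so no PKGREVISION bump of dependents looks necessary, but say so explicitly in the commit message.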
> Index: distinfo
> ===================================================================
> RCS file: /cvsroot/pkgsrc/textproc/expat/distinfo,v
> retrieving revision 1.52
> diff -u -r1.52 distinfo
> --- distinfo 18 Dec 2024 15:03:58 -0000 1.52
> +++ distinfo 28 Mar 2025 07:06:19 -0000
> @@ -1,6 +1,5 @@
> $NetBSD: distinfo,v 1.52 2024/12/18 15:03:58 brook Exp $
>
> -BLAKE2s (expat-2.6.3.tar.gz) = fcc81c1c25ef679e6c93fe93c7c1b0cc5a306f94163d3e53b506917cb6537185
> -SHA512 (expat-2.6.3.tar.gz) = 0c0f0df947bbe7084ba2bffce082bc40e061cbf02363f3043e8e6be33b71277dbf13fd54dcc0f641b704293e3faea5b8c1d3c752737db4c908097bf5df8bd02d
> -Size (expat-2.6.3.tar.gz) = 764617 bytes
> -SHA1 (patch-cmake_autotools_expat-noconfig____macos.cmake.in) = 21411931ba40ca89435a3a41b3c329039540bfa2
> +BLAKE2s (expat-2.7.1.tar.gz) = fa9600a2ac4552b3e4d6a94b34392e6a3fa4b6d1c0d704cd2e937c17ed9705d8
> +SHA512 (expat-2.7.1.tar.gz) = 1b6b94f3253ac3ab3f8c69d1c852db2334c99cb7990b9656f5f2458198d1eb854e79cce0e39151aef0d5e01a740fc965651c6a57fda585f9a24c543f2693f78c
> +Size (expat-2.7.1.tar.gz) = 785356 bytes
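Review bot: the hunk shrinks from 6 to 5 lines because the SHA1 entry for patch-cmake_autotools_expat-noconfig____macos.cmake.in is dropped together with the patch file, which is consistent; please regenerate this with `make distinfo` after deleting the patch rather than editing by hand, and confirm the new SHA512 for expat-2.7.1.tar.gz against the upstream release's published checksum or signature, since this line is the only thing that ties the fetched tarball to the release described in the changelog.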
> Index: patches/patch-cmake_autotools_expat-noconfig____macos.cmake.in
> ===================================================================
> RCS file: patches/patch-cmake_autotools_expat-noconfig____macos.cmake.in
> diff -N patches/patch-cmake_autotools_expat-noconfig____macos.cmake.in
> --- patches/patch-cmake_autotools_expat-noconfig____macos.cmake.in 18 Dec 2024 15:03:58 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,41 +0,0 @@
> -$NetBSD: patch-cmake_autotools_expat-noconfig____macos.cmake.in,v 1.1 2024/12/18 15:03:58 brook Exp $
> -
> -On Darwin, the installed expat shared library includes only the major
> -version number, not minor version and patch, in the name. The
> -corresponding configure check, however, looks for the full name with
> -all three parts and fails.
> -
> -The same problem occurs on Windows and is discussed in issue 485, even
> -mentioning that Darwin likely has the same issue:
> -
> - https://github.com/libexpat/libexpat/issues/485
> -
> -For some reason, the fix (removing minor and patch versions from the
> -cmake file used by configure) was applied for Windows but not for
> -Darwin.
> -
> -See the upstream issue:
> -
> - https://github.com/libexpat/libexpat/issues/935
> -
> -which was closed with
> -
> - https://github.com/libexpat/libexpat/pull/937
> -
> ---- cmake/autotools/expat-noconfig__macos.cmake.in.orig 2023-08-26 12:27:53.000000000 +0000
> -+++ cmake/autotools/expat-noconfig__macos.cmake.in
> -@@ -8,12 +8,12 @@ set(CMAKE_IMPORT_FILE_VERSION 1)
> - # Import target "expat::expat" for configuration "NoConfig"
> - set_property(TARGET expat::expat APPEND PROPERTY IMPORTED_CONFIGURATIONS NOCONFIG)
> - set_target_properties(expat::expat PROPERTIES
> -- IMPORTED_LOCATION_NOCONFIG "${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.@SO_MAJOR@.@SO_MINOR@.@SO_PATCH@.dylib"
> -+ IMPORTED_LOCATION_NOCONFIG "${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.@SO_MAJOR@.dylib"
> - IMPORTED_SONAME_NOCONFIG "@rpath/libexpat.@SO_MAJOR@.dylib"
> - )
> -
> - list(APPEND _cmake_import_check_targets expat::expat )
> --list(APPEND _cmake_import_check_files_for_expat::expat "${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.@SO_MAJOR@.@SO_MINOR@.@SO_PATCH@.dylib" )
> -+list(APPEND _cmake_import_check_files_for_expat::expat "${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.@SO_MAJOR@.dylib" )
> -
> - # Commands beyond this point should not need to know the version.
> - set(CMAKE_IMPORT_FILE_VERSION)
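Review bot: removing the local patch is correct only because upstream merged the fix the patch header cites (issue 935, PR 937), which the quoted 2.7.0 changelog confirms under "#935 #937 Autotools: Make generated CMake files look for libexpat.@SO_MAJOR@.dylib on macOS"; before committing, please verify on a Darwin build that the generated expat-noconfig__macos.cmake.in in the 2.7.1 tarball uses libexpat.@SO_MAJOR@.dylib both in IMPORTED_LOCATION_NOCONFIG and in the _cmake_import_check_files_for_expat::expat list, otherwise the configure check in dependent packages fails in the way the patch header describes.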
> Release 2.7.1 Thu March 27 2025
> Bug fixes:
> #980 #989 Restore event pointer behavior from Expat 2.6.4
> (that the fix to CVE-2024-8176 changed in 2.7.0);
> affected API functions are:
> - XML_GetCurrentByteCount
> - XML_GetCurrentByteIndex
> - XML_GetCurrentColumnNumber
> - XML_GetCurrentLineNumber
> - XML_GetInputContext
>
> Other changes:
> #976 #977 Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}"
> with Automake that were missing from 2.7.0 release tarballs
> #983 #984 Fix printf format specifiers for 32bit Emscripten
> #992 docs: Promote OpenSSF Best Practices self-certification
> #978 tests/benchmark: Resolve mistaken double close
> #986 Address compiler warnings
> #990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
> to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
> for what these numbers do
>
> Infrastructure:
> #982 CI: Start running Perl XML::Parser integration tests
> #987 CI: Enforce Clang Static Analyzer clean code
> #991 CI: Re-enable warning clang-analyzer-valist.Uninitialized
> for clang-tidy
> #981 CI: Cover compilation with musl
> #983 #984 CI: Cover compilation with 32bit Emscripten
> #976 #977 CI: Protect against fuzzer files missing from future
> release archives
>
> Release 2.7.0 Thu March 13 2025
> Security fixes:
> #893 #973 CVE-2024-8176 -- Fix crash from chaining a large number
> of entities caused by stack overflow by resolving use of
> recursion, for all three uses of entities:
> - general entities in character data ("<e>&g1;</e>")
> - general entities in attribute values ("<e k1='&g1;'/>")
> - parameter entities ("%p1;")
> Known impact is (reliable and easy) denial of service:
> CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
> (Base Score: 7.5, Temporal Score: 7.2)
> Please note that a layer of compression around XML can
> significantly reduce the minimum attack payload size.
>
> Other changes:
> #935 #937 Autotools: Make generated CMake files look for
> libexpat.@SO_MAJOR@.dylib on macOS
> #925 Autotools: Sync CMake templates with CMake 3.29
> #945 #962 #966 CMake: Drop support for CMake <3.13
> #942 CMake: Small fuzzing related improvements
> #921 docs: Add missing documentation of error code
> XML_ERROR_NOT_STARTED that was introduced with 2.6.4
> #941 docs: Document need for C++11 compiler for use from C++
> #959 tests/benchmark: Fix a (harmless) TOCTTOU
> #944 Windows: Fix installer target location of file xmlwf.xml
> for CMake
> #953 Windows: Address warning -Wunknown-warning-option
> about -Wno-pedantic-ms-format from LLVM MinGW
> #971 Address Cppcheck warnings
> #969 #970 Mass-migrate links from http:// to https://
> #947 #958 ..
> #974 #975 Document changes since the previous release
> #974 #975 Version info bumped from 11:0:10 (libexpat*.so.1.10.0)
> to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/
> for what these numbers do
>
> Infrastructure:
> #926 tests: Increase robustness
> #927 #932 ..
> #930 #933 tests: Increase test coverage
> #617 #950 ..
> #951 #952 ..
> #954 #955 .. Fuzzing: Add new fuzzer "xml_lpm_fuzzer" based on
> #961 Google's libprotobuf-mutator ("LPM")
> #957 Fuzzing|CI: Start producing fuzzing code coverage reports
> #936 CI: Pass -q -q for LCOV >=2.1 in coverage.sh
> #942 CI: Small fuzzing related improvements
> #139 #203 ..
> #791 #946 CI: Make GitHub Actions build using MSVC on Windows and
> produce 32bit and 64bit Windows binaries
> #956 CI: Get off of about-to-be-removed Ubuntu 20.04
> #960 #964 CI: Start uploading to Coverity Scan for static analysis
> #972 CI: Stop loading DTD from the internet to address flaky CI
> #971 CI: Adapt to breaking changes in Cppcheck