Re: [PATCH] expat: Update to version 2.4.4

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] expat: Update to version 2.4.4
Date: Sun, 06 Feb 2022 16:50:51 +0000	[thread overview]
Message-ID: <321040d1-3c82-ab19-5c19-7d38a81939cd@ipfire.org> (raw)
In-Reply-To: <20220206123914.3456476-1-adolf.belka@ipfire.org>

[-- Attachment #1: Type: text/plain, Size: 6563 bytes --]

Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>

> - Update from 2.4.2 to 2.4.4
> - Update of rootfile
> - Changelog
>    Release 2.4.4 Sun January 30 2022
>         Security fixes:
>             #550  CVE-2022-23852 -- Fix signed integer overflow
>                     (undefined behavior) in function XML_GetBuffer
>                     (that is also called by function XML_Parse internally)
>                     for when XML_CONTEXT_BYTES is defined to >0 (which is both
>                     common and default).
>                     Impact is denial of service or more.
>             #551  CVE-2022-23990 -- Fix unsigned integer overflow in function
>                     doProlog triggered by large content in element type
>                     declarations when there is an element declaration handler
>                     present (from a prior call to XML_SetElementDeclHandler).
>                     Impact is denial of service or more.
>         Bug fixes:
>             #544 #545  xmlwf: Fix a memory leak on output file opening error
>         Other changes:
>             #546  Autotools: Fix broken CMake support under Cygwin
>             #554  Windows: Add missing files to the installer to fix
>                     compilation with CMake from installed sources
>             #552 #554  Version info bumped from 9:3:8 to 9:4:8;
>                     see https://verbump.de/ for what these numbers do
>    Release 2.4.3 Sun January 16 2022
>         Security fixes:
>             #531 #534  CVE-2021-45960 -- Fix issues with left shifts by >=29 places
>                     resulting in
>                       a) realloc acting as free
>                       b) realloc allocating too few bytes
>                       c) undefined behavior
>                     depending on architecture and precise value
>                     for XML documents with >=2^27+1 prefixed attributes
>                     on a single XML tag a la
>                     "<r xmlns:a='[..]' a:a123='[..]' [..] />"
>                     where XML_ParserCreateNS is used to create the parser
>                     (which needs argument "-n" when running xmlwf).
>                     Impact is denial of service, or more.
>             #532 #538  CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
>                     on variable m_groupSize in function doProlog leading
>                     to realloc acting as free.
>                     Impact is denial of service or more.
>             #539  CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
>                     near memory allocation at multiple places.  Mitre assigned
>                     a dedicated CVE for each involved internal C function:
>                     - CVE-2022-22822 for function addBinding
>                     - CVE-2022-22823 for function build_model
>                     - CVE-2022-22824 for function defineAttribute
>                     - CVE-2022-22825 for function lookup
>                     - CVE-2022-22826 for function nextScaffoldPart
>                     - CVE-2022-22827 for function storeAtts
>                     Impact is denial of service or more.
>         Other changes:
>             #535  CMake: Make call to file(GENERATE [..]) work for CMake <3.19
>             #541  Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin
>                     and MSYS2 by not going through Wine on these platforms
>             #527 #528  Address compiler warnings
>             #533 #543  Version info bumped from 9:2:8 to 9:3:8;
>                     see https://verbump.de/ for what these numbers do
>         Infrastructure:
>             #536  CI: Check for realistic minimum CMake version
>             #529 #539  CI: Cover compilation with -m32
>             #529  CI: Store coverage reports as artifacts for download
>             #528  CI: Upgrade Clang from 11 to 13
> 
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
>  config/rootfiles/common/expat | 21 ++++++++++-----------
>  lfs/expat                     |  6 +++---
>  2 files changed, 13 insertions(+), 14 deletions(-)
> 
> diff --git a/config/rootfiles/common/expat b/config/rootfiles/common/expat
> index ea0c2ded5..47ce600ad 100644
> --- a/config/rootfiles/common/expat
> +++ b/config/rootfiles/common/expat
> @@ -2,22 +2,21 @@
>  #usr/include/expat.h
>  #usr/include/expat_config.h
>  #usr/include/expat_external.h
> -#usr/lib/cmake/expat-2.4.2
> -#usr/lib/cmake/expat-2.4.2/expat-config-version.cmake
> -#usr/lib/cmake/expat-2.4.2/expat-config.cmake
> -#usr/lib/cmake/expat-2.4.2/expat-noconfig.cmake
> -#usr/lib/cmake/expat-2.4.2/expat.cmake
> +#usr/lib/cmake/expat-2.4.4
> +#usr/lib/cmake/expat-2.4.4/expat-config-version.cmake
> +#usr/lib/cmake/expat-2.4.4/expat-config.cmake
> +#usr/lib/cmake/expat-2.4.4/expat-noconfig.cmake
> +#usr/lib/cmake/expat-2.4.4/expat.cmake
>  #usr/lib/libexpat.a
>  #usr/lib/libexpat.la
>  #usr/lib/libexpat.so
>  usr/lib/libexpat.so.1
> -usr/lib/libexpat.so.1.8.2
> +usr/lib/libexpat.so.1.8.4
>  #usr/lib/pkgconfig/expat.pc
>  #usr/share/doc/expat
> -#usr/share/doc/expat-2.4.2
> -#usr/share/doc/expat-2.4.2/ok.min.css
> -#usr/share/doc/expat-2.4.2/reference.html
> -#usr/share/doc/expat-2.4.2/style.css
> -#usr/share/doc/expat-2.4.2/valid-xhtml10.png
> +#usr/share/doc/expat-2.4.4
> +#usr/share/doc/expat-2.4.4/ok.min.css
> +#usr/share/doc/expat-2.4.4/reference.html
> +#usr/share/doc/expat-2.4.4/style.css
>  #usr/share/doc/expat/AUTHORS
>  #usr/share/doc/expat/changelog
> diff --git a/lfs/expat b/lfs/expat
> index b2df59ca3..3898889ad 100644
> --- a/lfs/expat
> +++ b/lfs/expat
> @@ -24,7 +24,7 @@
>  
>  include Config
>  
> -VER        = 2.4.2
> +VER        = 2.4.4
>  
>  THISAPP    = expat-$(VER)
>  DL_FILE    = $(THISAPP).tar.bz2
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>  
>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>  
> -$(DL_FILE)_MD5 = 58780ad6944d02f6cf6ba332838694b2
> +$(DL_FILE)_MD5 = 99392ce3377777ab0dc8b0f14beda793
>  
>  install : $(TARGET)
>  
> @@ -76,6 +76,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  	cd $(DIR_APP) && make $(MAKETUNING)
>  	cd $(DIR_APP) && make install
>  	cd $(DIR_APP) && install -v -m755 -d /usr/share/doc/$(THISAPP)
> -	cd $(DIR_APP) && install -v -m644 doc/*.{html,png,css} /usr/share/doc/$(THISAPP)
> +	cd $(DIR_APP) && install -v -m644 doc/*.{html,css} /usr/share/doc/$(THISAPP)
>  	@rm -rf $(DIR_APP)
>  	@$(POSTBUILD)

     prev parent reply	other threads:[~2022-02-06 16:50 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-02-06 12:39 Adolf Belka
2022-02-06 16:50 ` Peter Müller [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=321040d1-3c82-ab19-5c19-7d38a81939cd@ipfire.org \
    --to=peter.mueller@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox