From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: Re: [PATCH] expat: Update to version 2.4.4 Date: Sun, 06 Feb 2022 16:50:51 +0000 Message-ID: <321040d1-3c82-ab19-5c19-7d38a81939cd@ipfire.org> In-Reply-To: <20220206123914.3456476-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6044628877316570738==" List-Id: --===============6044628877316570738== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Reviewed-by: Peter M=C3=BCller > - Update from 2.4.2 to 2.4.4 > - Update of rootfile > - Changelog > Release 2.4.4 Sun January 30 2022 > Security fixes: > #550 CVE-2022-23852 -- Fix signed integer overflow > (undefined behavior) in function XML_GetBuffer > (that is also called by function XML_Parse internally) > for when XML_CONTEXT_BYTES is defined to >0 (which is b= oth > common and default). > Impact is denial of service or more. > #551 CVE-2022-23990 -- Fix unsigned integer overflow in functi= on > doProlog triggered by large content in element type > declarations when there is an element declaration handl= er > present (from a prior call to XML_SetElementDeclHandler= ). > Impact is denial of service or more. > Bug fixes: > #544 #545 xmlwf: Fix a memory leak on output file opening error > Other changes: > #546 Autotools: Fix broken CMake support under Cygwin > #554 Windows: Add missing files to the installer to fix > compilation with CMake from installed sources > #552 #554 Version info bumped from 9:3:8 to 9:4:8; > see https://verbump.de/ for what these numbers do > Release 2.4.3 Sun January 16 2022 > Security fixes: > #531 #534 CVE-2021-45960 -- Fix issues with left shifts by >= =3D29 places > resulting in > a) realloc acting as free > b) realloc allocating too few bytes > c) undefined behavior > depending on architecture and precise value > for XML documents with >=3D2^27+1 prefixed attributes > on a single XML tag a la > "" > where XML_ParserCreateNS is used to create the parser > (which needs argument "-n" when running xmlwf). > Impact is denial of service, or more. > #532 #538 CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overfl= ow > on variable m_groupSize in function doProlog leading > to realloc acting as free. > Impact is denial of service or more. > #539 CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overf= lows > near memory allocation at multiple places. Mitre assig= ned > a dedicated CVE for each involved internal C function: > - CVE-2022-22822 for function addBinding > - CVE-2022-22823 for function build_model > - CVE-2022-22824 for function defineAttribute > - CVE-2022-22825 for function lookup > - CVE-2022-22826 for function nextScaffoldPart > - CVE-2022-22827 for function storeAtts > Impact is denial of service or more. > Other changes: > #535 CMake: Make call to file(GENERATE [..]) work for CMake <3= .19 > #541 Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin > and MSYS2 by not going through Wine on these platforms > #527 #528 Address compiler warnings > #533 #543 Version info bumped from 9:2:8 to 9:3:8; > see https://verbump.de/ for what these numbers do > Infrastructure: > #536 CI: Check for realistic minimum CMake version > #529 #539 CI: Cover compilation with -m32 > #529 CI: Store coverage reports as artifacts for download > #528 CI: Upgrade Clang from 11 to 13 >=20 > Signed-off-by: Adolf Belka > --- > config/rootfiles/common/expat | 21 ++++++++++----------- > lfs/expat | 6 +++--- > 2 files changed, 13 insertions(+), 14 deletions(-) >=20 > diff --git a/config/rootfiles/common/expat b/config/rootfiles/common/expat > index ea0c2ded5..47ce600ad 100644 > --- a/config/rootfiles/common/expat > +++ b/config/rootfiles/common/expat > @@ -2,22 +2,21 @@ > #usr/include/expat.h > #usr/include/expat_config.h > #usr/include/expat_external.h > -#usr/lib/cmake/expat-2.4.2 > -#usr/lib/cmake/expat-2.4.2/expat-config-version.cmake > -#usr/lib/cmake/expat-2.4.2/expat-config.cmake > -#usr/lib/cmake/expat-2.4.2/expat-noconfig.cmake > -#usr/lib/cmake/expat-2.4.2/expat.cmake > +#usr/lib/cmake/expat-2.4.4 > +#usr/lib/cmake/expat-2.4.4/expat-config-version.cmake > +#usr/lib/cmake/expat-2.4.4/expat-config.cmake > +#usr/lib/cmake/expat-2.4.4/expat-noconfig.cmake > +#usr/lib/cmake/expat-2.4.4/expat.cmake > #usr/lib/libexpat.a > #usr/lib/libexpat.la > #usr/lib/libexpat.so > usr/lib/libexpat.so.1 > -usr/lib/libexpat.so.1.8.2 > +usr/lib/libexpat.so.1.8.4 > #usr/lib/pkgconfig/expat.pc > #usr/share/doc/expat > -#usr/share/doc/expat-2.4.2 > -#usr/share/doc/expat-2.4.2/ok.min.css > -#usr/share/doc/expat-2.4.2/reference.html > -#usr/share/doc/expat-2.4.2/style.css > -#usr/share/doc/expat-2.4.2/valid-xhtml10.png > +#usr/share/doc/expat-2.4.4 > +#usr/share/doc/expat-2.4.4/ok.min.css > +#usr/share/doc/expat-2.4.4/reference.html > +#usr/share/doc/expat-2.4.4/style.css > #usr/share/doc/expat/AUTHORS > #usr/share/doc/expat/changelog > diff --git a/lfs/expat b/lfs/expat > index b2df59ca3..3898889ad 100644 > --- a/lfs/expat > +++ b/lfs/expat > @@ -24,7 +24,7 @@ > =20 > include Config > =20 > -VER =3D 2.4.2 > +VER =3D 2.4.4 > =20 > THISAPP =3D expat-$(VER) > DL_FILE =3D $(THISAPP).tar.bz2 > @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) > =20 > $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) > =20 > -$(DL_FILE)_MD5 =3D 58780ad6944d02f6cf6ba332838694b2 > +$(DL_FILE)_MD5 =3D 99392ce3377777ab0dc8b0f14beda793 > =20 > install : $(TARGET) > =20 > @@ -76,6 +76,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > cd $(DIR_APP) && make $(MAKETUNING) > cd $(DIR_APP) && make install > cd $(DIR_APP) && install -v -m755 -d /usr/share/doc/$(THISAPP) > - cd $(DIR_APP) && install -v -m644 doc/*.{html,png,css} /usr/share/doc/$(T= HISAPP) > + cd $(DIR_APP) && install -v -m644 doc/*.{html,css} /usr/share/doc/$(THISA= PP) > @rm -rf $(DIR_APP) > @$(POSTBUILD) --===============6044628877316570738==--