Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

> On 21 Feb 2022, at 13:11, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
> 
> - Update from 2.4.4 to 2.4.6
> - Update of rootfile
> - Changelog
>   Release 2.4.6 Sun February 20 2022
>      Bug fixes:
>            #566  Fix a regression introduced by the fix for CVE-2022-25313
>                    in release 2.4.5 that affects applications that (1)
>                    call function XML_SetElementDeclHandler and (2) are
>                    parsing XML that contains nested element declarations
>                    (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>").
>   Release 2.4.5 Fri February 18 2022
>      Security fixes:
>            #562  CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
>                    sequences (e.g. from start tag names) to the XML
>                    processing application on top of Expat can cause
>                    arbitrary damage (e.g. code execution) depending
>                    on how invalid UTF-8 is handled inside the XML
>                    processor; validation was not their job but Expat's.
>                    Exploits with code execution are known to exist.
>            #561  CVE-2022-25236 -- Passing (one or more) namespace separator
>                    characters in "xmlns[:prefix]" attribute values
>                    made Expat send malformed tag names to the XML
>                    processor on top of Expat which can cause
>                    arbitrary damage (e.g. code execution) depending
>                    on such unexpectable cases are handled inside the XML
>                    processor; validation was not their job but Expat's.
>                    Exploits with code execution are known to exist.
>            #558  CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
>                    that could be triggered by e.g. a 2 megabytes
>                    file with a large number of opening braces.
>                    Expected impact is denial of service or potentially
>                    arbitrary code execution.
>            #560  CVE-2022-25314 -- Fix integer overflow in function copyString;
>                    only affects the encoding name parameter at parser creation
>                    time which is often hardcoded (rather than user input),
>                    takes a value in the gigabytes to trigger, and a 64-bit
>                    machine.  Expected impact is denial of service.
>            #559  CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
>                    needs input in the gigabytes and a 64-bit machine.
>                    Expected impact is denial of service or potentially
>                    arbitrary code execution.
> 
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
> config/rootfiles/common/expat | 21 ++++++++++-----------
> lfs/expat                     |  7 ++++---
> 2 files changed, 14 insertions(+), 14 deletions(-)
> 
> diff --git a/config/rootfiles/common/expat b/config/rootfiles/common/expat
> index 47ce600ad..9901085f2 100644
> --- a/config/rootfiles/common/expat
> +++ b/config/rootfiles/common/expat
> @@ -2,21 +2,20 @@
> #usr/include/expat.h
> #usr/include/expat_config.h
> #usr/include/expat_external.h
> -#usr/lib/cmake/expat-2.4.4
> -#usr/lib/cmake/expat-2.4.4/expat-config-version.cmake
> -#usr/lib/cmake/expat-2.4.4/expat-config.cmake
> -#usr/lib/cmake/expat-2.4.4/expat-noconfig.cmake
> -#usr/lib/cmake/expat-2.4.4/expat.cmake
> -#usr/lib/libexpat.a
> +#usr/lib/cmake/expat-2.4.6
> +#usr/lib/cmake/expat-2.4.6/expat-config-version.cmake
> +#usr/lib/cmake/expat-2.4.6/expat-config.cmake
> +#usr/lib/cmake/expat-2.4.6/expat-noconfig.cmake
> +#usr/lib/cmake/expat-2.4.6/expat.cmake
> #usr/lib/libexpat.la
> #usr/lib/libexpat.so
> usr/lib/libexpat.so.1
> -usr/lib/libexpat.so.1.8.4
> +usr/lib/libexpat.so.1.8.6
> #usr/lib/pkgconfig/expat.pc
> #usr/share/doc/expat
> -#usr/share/doc/expat-2.4.4
> -#usr/share/doc/expat-2.4.4/ok.min.css
> -#usr/share/doc/expat-2.4.4/reference.html
> -#usr/share/doc/expat-2.4.4/style.css
> +#usr/share/doc/expat-2.4.6
> +#usr/share/doc/expat-2.4.6/ok.min.css
> +#usr/share/doc/expat-2.4.6/reference.html
> +#usr/share/doc/expat-2.4.6/style.css
> #usr/share/doc/expat/AUTHORS
> #usr/share/doc/expat/changelog
> diff --git a/lfs/expat b/lfs/expat
> index 3898889ad..9e0166bd2 100644
> --- a/lfs/expat
> +++ b/lfs/expat
> @@ -24,7 +24,7 @@
> 
> include Config
> 
> -VER        = 2.4.4
> +VER        = 2.4.6
> 
> THISAPP    = expat-$(VER)
> DL_FILE    = $(THISAPP).tar.bz2
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
> 
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
> 
> -$(DL_FILE)_MD5 = 99392ce3377777ab0dc8b0f14beda793
> +$(DL_FILE)_MD5 = eb735f87dac7d50007259929b0674aa6
> 
> install : $(TARGET)
> 
> @@ -72,7 +72,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
> 	$(UPDATE_AUTOMAKE)
> 	cd $(DIR_APP) && ./configure \
> -		--prefix=/usr
> +		              --prefix=/usr \
> +		              --disable-static
> 	cd $(DIR_APP) && make $(MAKETUNING)
> 	cd $(DIR_APP) && make install
> 	cd $(DIR_APP) && install -v -m755 -d /usr/share/doc/$(THISAPP)
> -- 
> 2.35.1
>