- Update from 2.4.2 to 2.4.4 - Update of rootfile - Changelog Release 2.4.4 Sun January 30 2022 Security fixes: #550 CVE-2022-23852 -- Fix signed integer overflow (undefined behavior) in function XML_GetBuffer (that is also called by function XML_Parse internally) for when XML_CONTEXT_BYTES is defined to >0 (which is both common and default). Impact is denial of service or more. #551 CVE-2022-23990 -- Fix unsigned integer overflow in function doProlog triggered by large content in element type declarations when there is an element declaration handler present (from a prior call to XML_SetElementDeclHandler). Impact is denial of service or more. Bug fixes: #544 #545 xmlwf: Fix a memory leak on output file opening error Other changes: #546 Autotools: Fix broken CMake support under Cygwin #554 Windows: Add missing files to the installer to fix compilation with CMake from installed sources #552 #554 Version info bumped from 9:3:8 to 9:4:8; see https://verbump.de/ for what these numbers do Release 2.4.3 Sun January 16 2022 Security fixes: #531 #534 CVE-2021-45960 -- Fix issues with left shifts by >=29 places resulting in a) realloc acting as free b) realloc allocating too few bytes c) undefined behavior depending on architecture and precise value for XML documents with >=2^27+1 prefixed attributes on a single XML tag a la "<r xmlns:a='[..]' a:a123='[..]' [..] />" where XML_ParserCreateNS is used to create the parser (which needs argument "-n" when running xmlwf). Impact is denial of service, or more. #532 #538 CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow on variable m_groupSize in function doProlog leading to realloc acting as free. Impact is denial of service or more. #539 CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows near memory allocation at multiple places. Mitre assigned a dedicated CVE for each involved internal C function: - CVE-2022-22822 for function addBinding - CVE-2022-22823 for function build_model - CVE-2022-22824 for function defineAttribute - CVE-2022-22825 for function lookup - CVE-2022-22826 for function nextScaffoldPart - CVE-2022-22827 for function storeAtts Impact is denial of service or more. Other changes: #535 CMake: Make call to file(GENERATE [..]) work for CMake <3.19 #541 Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin and MSYS2 by not going through Wine on these platforms #527 #528 Address compiler warnings #533 #543 Version info bumped from 9:2:8 to 9:3:8; see https://verbump.de/ for what these numbers do Infrastructure: #536 CI: Check for realistic minimum CMake version #529 #539 CI: Cover compilation with -m32 #529 CI: Store coverage reports as artifacts for download #528 CI: Upgrade Clang from 11 to 13
Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- config/rootfiles/common/expat | 21 ++++++++++----------- lfs/expat | 6 +++--- 2 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/config/rootfiles/common/expat b/config/rootfiles/common/expat index ea0c2ded5..47ce600ad 100644 --- a/config/rootfiles/common/expat +++ b/config/rootfiles/common/expat @@ -2,22 +2,21 @@ #usr/include/expat.h #usr/include/expat_config.h #usr/include/expat_external.h -#usr/lib/cmake/expat-2.4.2 -#usr/lib/cmake/expat-2.4.2/expat-config-version.cmake -#usr/lib/cmake/expat-2.4.2/expat-config.cmake -#usr/lib/cmake/expat-2.4.2/expat-noconfig.cmake -#usr/lib/cmake/expat-2.4.2/expat.cmake +#usr/lib/cmake/expat-2.4.4 +#usr/lib/cmake/expat-2.4.4/expat-config-version.cmake +#usr/lib/cmake/expat-2.4.4/expat-config.cmake +#usr/lib/cmake/expat-2.4.4/expat-noconfig.cmake +#usr/lib/cmake/expat-2.4.4/expat.cmake #usr/lib/libexpat.a #usr/lib/libexpat.la #usr/lib/libexpat.so usr/lib/libexpat.so.1 -usr/lib/libexpat.so.1.8.2 +usr/lib/libexpat.so.1.8.4 #usr/lib/pkgconfig/expat.pc #usr/share/doc/expat -#usr/share/doc/expat-2.4.2 -#usr/share/doc/expat-2.4.2/ok.min.css -#usr/share/doc/expat-2.4.2/reference.html -#usr/share/doc/expat-2.4.2/style.css -#usr/share/doc/expat-2.4.2/valid-xhtml10.png +#usr/share/doc/expat-2.4.4 +#usr/share/doc/expat-2.4.4/ok.min.css +#usr/share/doc/expat-2.4.4/reference.html +#usr/share/doc/expat-2.4.4/style.css #usr/share/doc/expat/AUTHORS #usr/share/doc/expat/changelog diff --git a/lfs/expat b/lfs/expat index b2df59ca3..3898889ad 100644 --- a/lfs/expat +++ b/lfs/expat @@ -24,7 +24,7 @@
include Config
-VER = 2.4.2 +VER = 2.4.4
THISAPP = expat-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 58780ad6944d02f6cf6ba332838694b2 +$(DL_FILE)_MD5 = 99392ce3377777ab0dc8b0f14beda793
install : $(TARGET)
@@ -76,6 +76,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install cd $(DIR_APP) && install -v -m755 -d /usr/share/doc/$(THISAPP) - cd $(DIR_APP) && install -v -m644 doc/*.{html,png,css} /usr/share/doc/$(THISAPP) + cd $(DIR_APP) && install -v -m644 doc/*.{html,css} /usr/share/doc/$(THISAPP) @rm -rf $(DIR_APP) @$(POSTBUILD)
Reviewed-by: Peter Müller peter.mueller@ipfire.org
- Update from 2.4.2 to 2.4.4
- Update of rootfile
- Changelog Release 2.4.4 Sun January 30 2022 Security fixes: #550 CVE-2022-23852 -- Fix signed integer overflow (undefined behavior) in function XML_GetBuffer (that is also called by function XML_Parse internally) for when XML_CONTEXT_BYTES is defined to >0 (which is both common and default). Impact is denial of service or more. #551 CVE-2022-23990 -- Fix unsigned integer overflow in function doProlog triggered by large content in element type declarations when there is an element declaration handler present (from a prior call to XML_SetElementDeclHandler). Impact is denial of service or more. Bug fixes: #544 #545 xmlwf: Fix a memory leak on output file opening error Other changes: #546 Autotools: Fix broken CMake support under Cygwin #554 Windows: Add missing files to the installer to fix compilation with CMake from installed sources #552 #554 Version info bumped from 9:3:8 to 9:4:8; see https://verbump.de/ for what these numbers do Release 2.4.3 Sun January 16 2022 Security fixes: #531 #534 CVE-2021-45960 -- Fix issues with left shifts by >=29 places resulting in a) realloc acting as free b) realloc allocating too few bytes c) undefined behavior depending on architecture and precise value for XML documents with >=2^27+1 prefixed attributes on a single XML tag a la "<r xmlns:a='[..]' a:a123='[..]' [..] />" where XML_ParserCreateNS is used to create the parser (which needs argument "-n" when running xmlwf). Impact is denial of service, or more. #532 #538 CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow on variable m_groupSize in function doProlog leading to realloc acting as free. Impact is denial of service or more. #539 CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows near memory allocation at multiple places. Mitre assigned a dedicated CVE for each involved internal C function: - CVE-2022-22822 for function addBinding - CVE-2022-22823 for function build_model - CVE-2022-22824 for function defineAttribute - CVE-2022-22825 for function lookup - CVE-2022-22826 for function nextScaffoldPart - CVE-2022-22827 for function storeAtts Impact is denial of service or more. Other changes: #535 CMake: Make call to file(GENERATE [..]) work for CMake <3.19 #541 Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin and MSYS2 by not going through Wine on these platforms #527 #528 Address compiler warnings #533 #543 Version info bumped from 9:2:8 to 9:3:8; see https://verbump.de/ for what these numbers do Infrastructure: #536 CI: Check for realistic minimum CMake version #529 #539 CI: Cover compilation with -m32 #529 CI: Store coverage reports as artifacts for download #528 CI: Upgrade Clang from 11 to 13
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
config/rootfiles/common/expat | 21 ++++++++++----------- lfs/expat | 6 +++--- 2 files changed, 13 insertions(+), 14 deletions(-)
diff --git a/config/rootfiles/common/expat b/config/rootfiles/common/expat index ea0c2ded5..47ce600ad 100644 --- a/config/rootfiles/common/expat +++ b/config/rootfiles/common/expat @@ -2,22 +2,21 @@ #usr/include/expat.h #usr/include/expat_config.h #usr/include/expat_external.h -#usr/lib/cmake/expat-2.4.2 -#usr/lib/cmake/expat-2.4.2/expat-config-version.cmake -#usr/lib/cmake/expat-2.4.2/expat-config.cmake -#usr/lib/cmake/expat-2.4.2/expat-noconfig.cmake -#usr/lib/cmake/expat-2.4.2/expat.cmake +#usr/lib/cmake/expat-2.4.4 +#usr/lib/cmake/expat-2.4.4/expat-config-version.cmake +#usr/lib/cmake/expat-2.4.4/expat-config.cmake +#usr/lib/cmake/expat-2.4.4/expat-noconfig.cmake +#usr/lib/cmake/expat-2.4.4/expat.cmake #usr/lib/libexpat.a #usr/lib/libexpat.la #usr/lib/libexpat.so usr/lib/libexpat.so.1 -usr/lib/libexpat.so.1.8.2 +usr/lib/libexpat.so.1.8.4 #usr/lib/pkgconfig/expat.pc #usr/share/doc/expat -#usr/share/doc/expat-2.4.2 -#usr/share/doc/expat-2.4.2/ok.min.css -#usr/share/doc/expat-2.4.2/reference.html -#usr/share/doc/expat-2.4.2/style.css -#usr/share/doc/expat-2.4.2/valid-xhtml10.png +#usr/share/doc/expat-2.4.4 +#usr/share/doc/expat-2.4.4/ok.min.css +#usr/share/doc/expat-2.4.4/reference.html +#usr/share/doc/expat-2.4.4/style.css #usr/share/doc/expat/AUTHORS #usr/share/doc/expat/changelog diff --git a/lfs/expat b/lfs/expat index b2df59ca3..3898889ad 100644 --- a/lfs/expat +++ b/lfs/expat @@ -24,7 +24,7 @@
include Config
-VER = 2.4.2 +VER = 2.4.4
THISAPP = expat-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 58780ad6944d02f6cf6ba332838694b2 +$(DL_FILE)_MD5 = 99392ce3377777ab0dc8b0f14beda793
install : $(TARGET)
@@ -76,6 +76,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install cd $(DIR_APP) && install -v -m755 -d /usr/share/doc/$(THISAPP)
- cd $(DIR_APP) && install -v -m644 doc/*.{html,png,css} /usr/share/doc/$(THISAPP)
- cd $(DIR_APP) && install -v -m644 doc/*.{html,css} /usr/share/doc/$(THISAPP) @rm -rf $(DIR_APP) @$(POSTBUILD)
-
Adolf Belka -
Peter Müller