Merge pull request #564 from libexpat/issue-557-prepare-releaseR_2_4_5

Prepare release 2.4.5 (part of #557)

14 files changed, 40 insertions, 20 deletions

diff --git a/expat/CMake.README b/expat/CMake.README
index 586f5874..e61aed1c 100644
--- a/expat/CMake.README
+++ b/expat/CMake.README
@@ -3,25 +3,25 @@
 The cmake based buildsystem for expat works on Windows (cygwin, mingw, Visual
 Studio) and should work on all other platform cmake supports.
 
-Assuming ~/expat-2.4.4 is the source directory of expat, add a subdirectory
+Assuming ~/expat-2.4.5 is the source directory of expat, add a subdirectory
 build and change into that directory:
-~/expat-2.4.4$ mkdir build && cd build
-~/expat-2.4.4/build$
+~/expat-2.4.5$ mkdir build && cd build
+~/expat-2.4.5/build$
 
 From that directory, call cmake first, then call make, make test and
 make install in the usual way:
-~/expat-2.4.4/build$ cmake ..
+~/expat-2.4.5/build$ cmake ..
 -- The C compiler identification is GNU
 -- The CXX compiler identification is GNU
 ....
 -- Configuring done
 -- Generating done
--- Build files have been written to: /home/patrick/expat-2.4.4/build
+-- Build files have been written to: /home/patrick/expat-2.4.5/build
 
 If you want to specify the install location for your files, append
 -DCMAKE_INSTALL_PREFIX=/your/install/path to the cmake call.
 
-~/expat-2.4.4/build$ make && make test && make install
+~/expat-2.4.5/build$ make && make test && make install
 Scanning dependencies of target expat
 [  5%] Building C object CMakeFiles/expat.dir/lib/xmlparse.c.o
 [ 11%] Building C object CMakeFiles/expat.dir/lib/xmlrole.c.o
diff --git a/expat/CMakeLists.txt b/expat/CMakeLists.txt
index 23a8bb0f..5e339f99 100644
--- a/expat/CMakeLists.txt
+++ b/expat/CMakeLists.txt
@@ -64,7 +64,7 @@ endif()
 
 project(expat
     VERSION
-        2.4.4
+        2.4.5
     LANGUAGES
         C
 )
@@ -408,7 +408,7 @@ if(EXPAT_WITH_LIBBSD)
 endif()
 
 set(LIBCURRENT 9)   # sync
-set(LIBREVISION 4)  # with
+set(LIBREVISION 5)  # with
 set(LIBAGE 8)       # configure.ac!
 math(EXPR LIBCURRENT_MINUS_AGE "${LIBCURRENT} - ${LIBAGE}")
 
diff --git a/expat/Changes b/expat/Changes
index 2a898778..d122ac49 100644
--- a/expat/Changes
+++ b/expat/Changes
@@ -2,7 +2,7 @@ NOTE: We are looking for help with a few things:
       https://github.com/libexpat/libexpat/labels/help%20wanted
       If you can help, please get in touch.  Thanks!
 
-Release X.X.X XXX XXXXXXX XX XXXX
+Release 2.4.5 Fri February 18 2022
         Security fixes:
             #562  CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
                     sequences (e.g. from start tag names) to the XML
@@ -19,11 +19,31 @@ Release X.X.X XXX XXXXXXX XX XXXX
                     on such unexpectable cases are handled inside the XML
                     processor; validation was not their job but Expat's.
                     Exploits with code execution are known to exist.
+            #558  CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
+                    that could be triggered by e.g. a 2 megabytes
+                    file with a large number of opening braces.
+                    Expected impact is denial of service or potentially
+                    arbitrary code execution.
+            #560  CVE-2022-25314 -- Fix integer overflow in function copyString;
+                    only affects the encoding name parameter at parser creation
+                    time which is often hardcoded (rather than user input),
+                    takes a value in the gigabytes to trigger, and a 64-bit
+                    machine.  Expected impact is denial of service.
+            #559  CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
+                    needs input in the gigabytes and a 64-bit machine.
+                    Expected impact is denial of service or potentially
+                    arbitrary code execution.
+
+        Other changes:
+       #557 #564  Version info bumped from 9:4:8 to 9:5:8;
+                    see https://verbump.de/ for what these numbers do
 
         Special thanks to:
             Ivan Fratric
+            Samanta Navarro
                  and
             Google Project Zero
+            JetBrains
 
 Release 2.4.4 Sun January 30 2022
         Security fixes:
diff --git a/expat/README.md b/expat/README.md
index 00e6cca2..469b1dd8 100644
--- a/expat/README.md
+++ b/expat/README.md
@@ -5,7 +5,7 @@
 [![Downloads GitHub](https://img.shields.io/github/downloads/libexpat/libexpat/total?label=Downloads%20GitHub)](https://github.com/libexpat/libexpat/releases)
 
 
-# Expat, Release 2.4.4
+# Expat, Release 2.4.5
 
 This is Expat, a C library for parsing XML, started by
 [James Clark](https://en.wikipedia.org/wiki/James_Clark_%28programmer%29) in 1997.
diff --git a/expat/configure.ac b/expat/configure.ac
index a6573e81..2ccab028 100644
--- a/expat/configure.ac
+++ b/expat/configure.ac
@@ -82,7 +82,7 @@ dnl If the API changes incompatibly set LIBAGE back to 0
 dnl
 
 LIBCURRENT=9   # sync
-LIBREVISION=4  # with
+LIBREVISION=5  # with
 LIBAGE=8       # CMakeLists.txt!
 
 AC_CONFIG_HEADERS([expat_config.h])
diff --git a/expat/doc/Makefile.am b/expat/doc/Makefile.am
index dbcb0919..c3a3ce59 100644
--- a/expat/doc/Makefile.am
+++ b/expat/doc/Makefile.am
@@ -6,7 +6,7 @@
 #                      \___/_/\_\ .__/ \__,_|\__|
 #                               |_| XML parser
 #
-# Copyright (c) 2017-2021 Sebastian Pipping <sebastian@pipping.org>
+# Copyright (c) 2017-2022 Sebastian Pipping <sebastian@pipping.org>
 # Copyright (c) 2017      Stephen Groat <stephen@groat.us>
 # Copyright (c) 2017      Joe Orton <jorton@redhat.com>
 # Licensed under the MIT license:
diff --git a/expat/doc/reference.html b/expat/doc/reference.html
index fe09db32..ea8f7106 100644
--- a/expat/doc/reference.html
+++ b/expat/doc/reference.html
@@ -49,7 +49,7 @@
   <div>
     <h1>
       The Expat XML Parser
-      <small>Release 2.4.4</small>
+      <small>Release 2.4.5</small>
     </h1>
   </div>
 <div class="content">
diff --git a/expat/doc/xmlwf.xml b/expat/doc/xmlwf.xml
index c68aa1d8..7772bc8b 100644
--- a/expat/doc/xmlwf.xml
+++ b/expat/doc/xmlwf.xml
@@ -21,7 +21,7 @@
           "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
   <!ENTITY dhfirstname "<firstname>Scott</firstname>">
   <!ENTITY dhsurname   "<surname>Bronson</surname>">
-  <!ENTITY dhdate      "<date>January 30, 2022</date>">
+  <!ENTITY dhdate      "<date>February 18, 2022</date>">
   <!-- Please adjust this^^ date whenever cutting a new release. -->
   <!ENTITY dhsection   "<manvolnum>1</manvolnum>">
   <!ENTITY dhemail     "<email>bronson@rinspin.com</email>">
diff --git a/expat/lib/expat.h b/expat/lib/expat.h
index 4c5704fd..55e5131b 100644
--- a/expat/lib/expat.h
+++ b/expat/lib/expat.h
@@ -1041,7 +1041,7 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold(
 */
 #define XML_MAJOR_VERSION 2
 #define XML_MINOR_VERSION 4
-#define XML_MICRO_VERSION 4
+#define XML_MICRO_VERSION 5
 
 #ifdef __cplusplus
 }
diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
index c98e2e9f..c479a258 100644
--- a/expat/lib/xmlparse.c
+++ b/expat/lib/xmlparse.c
@@ -1,4 +1,4 @@
-/* 2e2c8ce5f11a473d65ec313ab20ceee6afefb355f5405afc06e7204e2e41c8c0 (2.4.4+)
+/* 042615face2b8727e23bb27cf4f56baa292a1f91df47c1bca8f09dff49067888 (2.4.5+)
                             __  __            _
                          ___\ \/ /_ __   __ _| |_
                         / _ \\  /| '_ \ / _` | __|
diff --git a/expat/lib/xmltok.c b/expat/lib/xmltok.c
index 3bddf125..c659983b 100644
--- a/expat/lib/xmltok.c
+++ b/expat/lib/xmltok.c
@@ -12,7 +12,7 @@
    Copyright (c) 2002      Greg Stein <gstein@users.sourceforge.net>
    Copyright (c) 2002-2016 Karl Waclawek <karl@waclawek.net>
    Copyright (c) 2005-2009 Steven Solie <steven@solie.ca>
-   Copyright (c) 2016-2021 Sebastian Pipping <sebastian@pipping.org>
+   Copyright (c) 2016-2022 Sebastian Pipping <sebastian@pipping.org>
    Copyright (c) 2016      Pascal Cuoq <cuoq@trust-in-soft.com>
    Copyright (c) 2016      Don Lewis <truckman@apache.org>
    Copyright (c) 2017      Rhodri James <rhodri@wildebeest.org.uk>
diff --git a/expat/lib/xmltok_impl.c b/expat/lib/xmltok_impl.c
index 84ff35f9..4072b064 100644
--- a/expat/lib/xmltok_impl.c
+++ b/expat/lib/xmltok_impl.c
@@ -10,7 +10,7 @@
    Copyright (c) 2000      Clark Cooper <coopercc@users.sourceforge.net>
    Copyright (c) 2002      Fred L. Drake, Jr. <fdrake@users.sourceforge.net>
    Copyright (c) 2002-2016 Karl Waclawek <karl@waclawek.net>
-   Copyright (c) 2016-2021 Sebastian Pipping <sebastian@pipping.org>
+   Copyright (c) 2016-2022 Sebastian Pipping <sebastian@pipping.org>
    Copyright (c) 2017      Rhodri James <rhodri@wildebeest.org.uk>
    Copyright (c) 2018      Benjamin Peterson <benjamin@python.org>
    Copyright (c) 2018      Anton Maklakov <antmak.pub@gmail.com>
diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c
index 9b155b82..2cd4acbe 100644
--- a/expat/tests/runtests.c
+++ b/expat/tests/runtests.c
@@ -7512,7 +7512,7 @@ START_TEST(test_misc_version) {
     fail("Version mismatch");
 
 #if ! defined(XML_UNICODE) || defined(XML_UNICODE_WCHAR_T)
-  if (xcstrcmp(version_text, XCS("expat_2.4.4"))) /* needs bump on releases */
+  if (xcstrcmp(version_text, XCS("expat_2.4.5"))) /* needs bump on releases */
     fail("XML_*_VERSION in expat.h out of sync?\n");
 #else
   /* If we have XML_UNICODE defined but not XML_UNICODE_WCHAR_T
diff --git a/expat/win32/expat.iss b/expat/win32/expat.iss
index e5e945b7..e04eaa52 100644
--- a/expat/win32/expat.iss
+++ b/expat/win32/expat.iss
@@ -36,7 +36,7 @@
 ; OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
 ; USE OR OTHER DEALINGS IN THE SOFTWARE.
 
-#define expatVer "2.4.4"
+#define expatVer "2.4.5"
 
 [Setup]
 AppName=Expat