Merge pull request #534 from libexpat/issue-531-troublesome-shifts

[CVE-2021-45960] lib: Detect and prevent troublesome left shifts in function storeAtts (fixes #531)

1 files changed, 19 insertions, 0 deletions

diff --git a/expat/Changes b/expat/Changes
index 2cfb5ecd..bd620a7d 100644
--- a/expat/Changes
+++ b/expat/Changes
@@ -3,6 +3,20 @@ NOTE: We are looking for help with a few things:
       If you can help, please get in touch.  Thanks!
 
 Release x.x.x xxx xxxxxxxx xx xxxx
+        Security fixes:
+       #531 #534  CVE-2021-45960 -- Fix issues with left shifts by >=29 places
+                    resulting in
+                      a) realloc acting as free
+                      b) realloc allocating too few bytes
+                      c) undefined behavior
+                    depending on architecture and precise value
+                    for XML documents with >=2^27+1 prefixed attributes
+                    on a single XML tag a la
+                    "<r xmlns:a='[..]' a:a123='[..]' [..] />"
+                    where XML_ParserCreateNS is used to create the parser
+                    (which needs argument "-n" when running xmlwf).
+                    Impact is denial of service, or more.
+
         Other changes:
             #535  CMake: Make call to file(GENERATE [..]) work for CMake <3.19
        #527 #528  Address compiler warnings
@@ -10,6 +24,11 @@ Release x.x.x xxx xxxxxxxx xx xxxx
         Infrastructure:
             #536  CI: Check for realistic minimum CMake version
 
+        Special thanks to:
+            Tyson Smith
+                 and
+            GCC Farm Project
+
 Release 2.4.2 Sun December 19 2021
         Other changes:
        #509 #510  Link againgst libm for function "isnan"