diff options
-rw-r--r-- | expat/CMake.README | 12 | ||||
-rw-r--r-- | expat/CMakeLists.txt | 4 | ||||
-rw-r--r-- | expat/Changes | 22 | ||||
-rw-r--r-- | expat/README.md | 2 | ||||
-rw-r--r-- | expat/configure.ac | 2 | ||||
-rw-r--r-- | expat/doc/Makefile.am | 2 | ||||
-rw-r--r-- | expat/doc/reference.html | 2 | ||||
-rw-r--r-- | expat/doc/xmlwf.xml | 2 | ||||
-rw-r--r-- | expat/lib/expat.h | 2 | ||||
-rw-r--r-- | expat/lib/xmlparse.c | 2 | ||||
-rw-r--r-- | expat/lib/xmltok.c | 2 | ||||
-rw-r--r-- | expat/lib/xmltok_impl.c | 2 | ||||
-rw-r--r-- | expat/tests/runtests.c | 2 | ||||
-rw-r--r-- | expat/win32/expat.iss | 2 |
14 files changed, 40 insertions, 20 deletions
diff --git a/expat/CMake.README b/expat/CMake.README index 586f5874..e61aed1c 100644 --- a/expat/CMake.README +++ b/expat/CMake.README @@ -3,25 +3,25 @@ The cmake based buildsystem for expat works on Windows (cygwin, mingw, Visual Studio) and should work on all other platform cmake supports. -Assuming ~/expat-2.4.4 is the source directory of expat, add a subdirectory +Assuming ~/expat-2.4.5 is the source directory of expat, add a subdirectory build and change into that directory: -~/expat-2.4.4$ mkdir build && cd build -~/expat-2.4.4/build$ +~/expat-2.4.5$ mkdir build && cd build +~/expat-2.4.5/build$ From that directory, call cmake first, then call make, make test and make install in the usual way: -~/expat-2.4.4/build$ cmake .. +~/expat-2.4.5/build$ cmake .. -- The C compiler identification is GNU -- The CXX compiler identification is GNU .... -- Configuring done -- Generating done --- Build files have been written to: /home/patrick/expat-2.4.4/build +-- Build files have been written to: /home/patrick/expat-2.4.5/build If you want to specify the install location for your files, append -DCMAKE_INSTALL_PREFIX=/your/install/path to the cmake call. -~/expat-2.4.4/build$ make && make test && make install +~/expat-2.4.5/build$ make && make test && make install Scanning dependencies of target expat [ 5%] Building C object CMakeFiles/expat.dir/lib/xmlparse.c.o [ 11%] Building C object CMakeFiles/expat.dir/lib/xmlrole.c.o diff --git a/expat/CMakeLists.txt b/expat/CMakeLists.txt index 23a8bb0f..5e339f99 100644 --- a/expat/CMakeLists.txt +++ b/expat/CMakeLists.txt @@ -64,7 +64,7 @@ endif() project(expat VERSION - 2.4.4 + 2.4.5 LANGUAGES C ) @@ -408,7 +408,7 @@ if(EXPAT_WITH_LIBBSD) endif() set(LIBCURRENT 9) # sync -set(LIBREVISION 4) # with +set(LIBREVISION 5) # with set(LIBAGE 8) # configure.ac! math(EXPR LIBCURRENT_MINUS_AGE "${LIBCURRENT} - ${LIBAGE}") diff --git a/expat/Changes b/expat/Changes index 2a898778..d122ac49 100644 --- a/expat/Changes +++ b/expat/Changes @@ -2,7 +2,7 @@ NOTE: We are looking for help with a few things: https://github.com/libexpat/libexpat/labels/help%20wanted If you can help, please get in touch. Thanks! -Release X.X.X XXX XXXXXXX XX XXXX +Release 2.4.5 Fri February 18 2022 Security fixes: #562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8 sequences (e.g. from start tag names) to the XML @@ -19,11 +19,31 @@ Release X.X.X XXX XXXXXXX XX XXXX on such unexpectable cases are handled inside the XML processor; validation was not their job but Expat's. Exploits with code execution are known to exist. + #558 CVE-2022-25313 -- Fix stack exhaustion in doctype parsing + that could be triggered by e.g. a 2 megabytes + file with a large number of opening braces. + Expected impact is denial of service or potentially + arbitrary code execution. + #560 CVE-2022-25314 -- Fix integer overflow in function copyString; + only affects the encoding name parameter at parser creation + time which is often hardcoded (rather than user input), + takes a value in the gigabytes to trigger, and a 64-bit + machine. Expected impact is denial of service. + #559 CVE-2022-25315 -- Fix integer overflow in function storeRawNames; + needs input in the gigabytes and a 64-bit machine. + Expected impact is denial of service or potentially + arbitrary code execution. + + Other changes: + #557 #564 Version info bumped from 9:4:8 to 9:5:8; + see https://verbump.de/ for what these numbers do Special thanks to: Ivan Fratric + Samanta Navarro and Google Project Zero + JetBrains Release 2.4.4 Sun January 30 2022 Security fixes: diff --git a/expat/README.md b/expat/README.md index 00e6cca2..469b1dd8 100644 --- a/expat/README.md +++ b/expat/README.md @@ -5,7 +5,7 @@ [![Downloads GitHub](https://img.shields.io/github/downloads/libexpat/libexpat/total?label=Downloads%20GitHub)](https://github.com/libexpat/libexpat/releases) -# Expat, Release 2.4.4 +# Expat, Release 2.4.5 This is Expat, a C library for parsing XML, started by [James Clark](https://en.wikipedia.org/wiki/James_Clark_%28programmer%29) in 1997. diff --git a/expat/configure.ac b/expat/configure.ac index a6573e81..2ccab028 100644 --- a/expat/configure.ac +++ b/expat/configure.ac @@ -82,7 +82,7 @@ dnl If the API changes incompatibly set LIBAGE back to 0 dnl LIBCURRENT=9 # sync -LIBREVISION=4 # with +LIBREVISION=5 # with LIBAGE=8 # CMakeLists.txt! AC_CONFIG_HEADERS([expat_config.h]) diff --git a/expat/doc/Makefile.am b/expat/doc/Makefile.am index dbcb0919..c3a3ce59 100644 --- a/expat/doc/Makefile.am +++ b/expat/doc/Makefile.am @@ -6,7 +6,7 @@ # \___/_/\_\ .__/ \__,_|\__| # |_| XML parser # -# Copyright (c) 2017-2021 Sebastian Pipping <sebastian@pipping.org> +# Copyright (c) 2017-2022 Sebastian Pipping <sebastian@pipping.org> # Copyright (c) 2017 Stephen Groat <stephen@groat.us> # Copyright (c) 2017 Joe Orton <jorton@redhat.com> # Licensed under the MIT license: diff --git a/expat/doc/reference.html b/expat/doc/reference.html index fe09db32..ea8f7106 100644 --- a/expat/doc/reference.html +++ b/expat/doc/reference.html @@ -49,7 +49,7 @@ <div> <h1> The Expat XML Parser - <small>Release 2.4.4</small> + <small>Release 2.4.5</small> </h1> </div> <div class="content"> diff --git a/expat/doc/xmlwf.xml b/expat/doc/xmlwf.xml index c68aa1d8..7772bc8b 100644 --- a/expat/doc/xmlwf.xml +++ b/expat/doc/xmlwf.xml @@ -21,7 +21,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ <!ENTITY dhfirstname "<firstname>Scott</firstname>"> <!ENTITY dhsurname "<surname>Bronson</surname>"> - <!ENTITY dhdate "<date>January 30, 2022</date>"> + <!ENTITY dhdate "<date>February 18, 2022</date>"> <!-- Please adjust this^^ date whenever cutting a new release. --> <!ENTITY dhsection "<manvolnum>1</manvolnum>"> <!ENTITY dhemail "<email>bronson@rinspin.com</email>"> diff --git a/expat/lib/expat.h b/expat/lib/expat.h index 4c5704fd..55e5131b 100644 --- a/expat/lib/expat.h +++ b/expat/lib/expat.h @@ -1041,7 +1041,7 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold( */ #define XML_MAJOR_VERSION 2 #define XML_MINOR_VERSION 4 -#define XML_MICRO_VERSION 4 +#define XML_MICRO_VERSION 5 #ifdef __cplusplus } diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c index c98e2e9f..c479a258 100644 --- a/expat/lib/xmlparse.c +++ b/expat/lib/xmlparse.c @@ -1,4 +1,4 @@ -/* 2e2c8ce5f11a473d65ec313ab20ceee6afefb355f5405afc06e7204e2e41c8c0 (2.4.4+) +/* 042615face2b8727e23bb27cf4f56baa292a1f91df47c1bca8f09dff49067888 (2.4.5+) __ __ _ ___\ \/ /_ __ __ _| |_ / _ \\ /| '_ \ / _` | __| diff --git a/expat/lib/xmltok.c b/expat/lib/xmltok.c index 3bddf125..c659983b 100644 --- a/expat/lib/xmltok.c +++ b/expat/lib/xmltok.c @@ -12,7 +12,7 @@ Copyright (c) 2002 Greg Stein <gstein@users.sourceforge.net> Copyright (c) 2002-2016 Karl Waclawek <karl@waclawek.net> Copyright (c) 2005-2009 Steven Solie <steven@solie.ca> - Copyright (c) 2016-2021 Sebastian Pipping <sebastian@pipping.org> + Copyright (c) 2016-2022 Sebastian Pipping <sebastian@pipping.org> Copyright (c) 2016 Pascal Cuoq <cuoq@trust-in-soft.com> Copyright (c) 2016 Don Lewis <truckman@apache.org> Copyright (c) 2017 Rhodri James <rhodri@wildebeest.org.uk> diff --git a/expat/lib/xmltok_impl.c b/expat/lib/xmltok_impl.c index 84ff35f9..4072b064 100644 --- a/expat/lib/xmltok_impl.c +++ b/expat/lib/xmltok_impl.c @@ -10,7 +10,7 @@ Copyright (c) 2000 Clark Cooper <coopercc@users.sourceforge.net> Copyright (c) 2002 Fred L. Drake, Jr. <fdrake@users.sourceforge.net> Copyright (c) 2002-2016 Karl Waclawek <karl@waclawek.net> - Copyright (c) 2016-2021 Sebastian Pipping <sebastian@pipping.org> + Copyright (c) 2016-2022 Sebastian Pipping <sebastian@pipping.org> Copyright (c) 2017 Rhodri James <rhodri@wildebeest.org.uk> Copyright (c) 2018 Benjamin Peterson <benjamin@python.org> Copyright (c) 2018 Anton Maklakov <antmak.pub@gmail.com> diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c index 9b155b82..2cd4acbe 100644 --- a/expat/tests/runtests.c +++ b/expat/tests/runtests.c @@ -7512,7 +7512,7 @@ START_TEST(test_misc_version) { fail("Version mismatch"); #if ! defined(XML_UNICODE) || defined(XML_UNICODE_WCHAR_T) - if (xcstrcmp(version_text, XCS("expat_2.4.4"))) /* needs bump on releases */ + if (xcstrcmp(version_text, XCS("expat_2.4.5"))) /* needs bump on releases */ fail("XML_*_VERSION in expat.h out of sync?\n"); #else /* If we have XML_UNICODE defined but not XML_UNICODE_WCHAR_T diff --git a/expat/win32/expat.iss b/expat/win32/expat.iss index e5e945b7..e04eaa52 100644 --- a/expat/win32/expat.iss +++ b/expat/win32/expat.iss @@ -36,7 +36,7 @@ ; OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE ; USE OR OTHER DEALINGS IN THE SOFTWARE. -#define expatVer "2.4.4" +#define expatVer "2.4.5" [Setup] AppName=Expat |