Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

libexpat1-2.6.2-1.1 RPM for x86_64

From OpenSuSE Tumbleweed for x86_64

Name: libexpat1 Distribution: openSUSE Tumbleweed
Version: 2.6.2 Vendor: openSUSE
Release: 1.1 Build date: Wed Mar 13 23:23:20 2024
Group: System/Libraries Build host: reproducible
Size: 179377 Source RPM: expat-2.6.2-1.1.src.rpm
Packager: https://bugs.opensuse.org
Url: https://libexpat.github.io
Summary: XML Parser Toolkit
Expat is an XML parser library written in C. It is a stream-oriented
parser in which an application registers handlers for things the
parser might find in the XML document (like start tags).

Provides

Requires

License

MIT

Changelog

* Wed Mar 13 2024 Andreas Stieger <andreas.stieger@gmx.de>
  - update to 2.6.2:
    * CVE-2024-28757 -- Prevent billion laughs attacks with isolated
      use of external parsers (boo#1221289)
    * Reject direct parameter entity recursion and avoid the related
      undefined behavior
* Fri Mar 01 2024 Andreas Stieger <andreas.stieger@gmx.de>
  - update to 2.6.1:
    * Expose billion laughs API with XML_DTD defined and XML_GE
      undefined, regression from 2.6.0
    * Make tests independent of CPU speed, and thus more robust
  - drop libxml2-fix-xmlwf.1-handling.patch, upstream
* Tue Feb 20 2024 David Anes <david.anes@suse.com>
  - Fix handling of xmlwf.1 to avoid workarounds in specfile:
    * Added libxml2-fix-xmlwf.1-handling.patch
  - Call buildconf.sh to avoid (future) issues with expat_config.h.in
* Mon Feb 12 2024 David Anes <david.anes@suse.com>
  - Update keyring automatically from keyserver during OBS service run.
  - Explicitly use --without-docbook (before it was implicit).
  - Include missing files for documentation and examples.
  - Add manpage for xmlwf, which is now available in the released tarball.
  - Clean the spec file a bit.
  - Update to 2.6.0:
    * Security fixes:
    - CVE-2023-52425 (boo#1219559)
    - - Fix quadratic runtime issues with big tokens
      that can cause denial of service, in partial where
      dealing with compressed XML input.  Applications
      that parsed a document in one go -- a single call to
      functions XML_Parse or XML_ParseBuffer -- were not affected.
      The smaller the chunks/buffers you use for parsing
      previously, the bigger the problem prior to the fix.
      Backporters should be careful to no omit parts of
      pull request #789 and to include earlier pull request #771,
      in order to not break the fix.
    - CVE-2023-52426 (boo#1219561)
    - - Fix billion laughs attacks for users
      compiling *without* XML_DTD defined (which is not common).
      Users with XML_DTD defined have been protected since
      Expat >=2.4.0 (and that was CVE-2013-0340 back then).
    * Bug fixes:
    - Fix parse-size-dependent "invalid token" error for
      external entities that start with a byte order mark
    - Fix NULL pointer dereference in setContext via
      XML_ExternalEntityParserCreate for compilation with
      XML_DTD undefined
    - Protect against closing entities out of order
    * Other changes:
    - Improve support for arc4random/arc4random_buf
    - Improve buffer growth in XML_GetBuffer and XML_Parse
    - xmlwf: Support --help and --version
    - xmlwf: Support custom buffer size for XML_GetBuffer and read
    - xmlwf: Improve language and URL clickability in help output
    - examples: Add new example "element_declarations.c"
    - Be stricter about macro XML_CONTEXT_BYTES at build time
    - Make inclusion to expat_config.h consistent
    - Autotools: configure.ac: Support --disable-maintainer-mode
    - Autotools: Sync CMake templates with CMake 3.26
    - Autotools: Make installation of shipped man page doc/xmlwf.1
      independent of docbook2man availability
    - Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
      section "Cflags.private" in order to fix compilation
      against static libexpat using pkg-config on Windows
    - Autotools|CMake: Require a C99 compiler
      (a de-facto requirement already since Expat 2.2.2 of 2017)
    - Autotools|CMake: Fix PACKAGE_BUGREPORT variable
    - Autotools|CMake: Make test suite require a C++11 compiler
    - CMake: Require CMake >=3.5.0
    - CMake: Lowercase off_t and size_t to help a bug in Meson
    - CMake: Sort xmlwf sources alphabetically
    - CMake|Windows: Fix generation of DLL file version info
    - CMake: Build tests/benchmark/benchmark.c as well for
      a build with -DEXPAT_BUILD_TESTS=ON
    - docs: Document the importance of isFinal + adjust tests
      accordingly
    - docs: Improve use of "NULL" and "null"
    - docs: Be specific about version of XML (XML 1.0r4)
      and version of C (C99); (XML 1.0r5 will need a sponsor.)
    - docs: reference.html: Promote function XML_ParseBuffer more
    - docs: reference.html: Add HTML anchors to XML_* macros
    - docs: reference.html: Upgrade to OK.css 1.2.0
    - docs: Fix typos
    - docs|CI: Use HTTPS URLs instead of HTTP at various places
    - Address compiler warnings
    - Address clang-tidy warnings
    - Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
      to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
      for what these numbers do
* Sun Dec 11 2022 Andreas Stieger <andreas.stieger@gmx.de>
  - add upstream signing key and validate source signature
* Wed Oct 26 2022 David Anes <david.anes@suse.com>
  - Update to 2.5.0: (bsc#1204708)
    * Security fixes:
    - CVE-2022-43680 -- Fix heap use-after-free after overeager
      destruction of a shared DTD in function
      XML_ExternalEntityParserCreate in out-of-memory situations.
      Expected impact is denial of service or potentially arbitrary
      code execution.
    * Bug fixes:
    - Fix curruption from undefined entities
    - Fix case when parsing was suspended while processing nested
      entities
    - Stop leaking opening tag bindings after a closing tag mismatch
      error where a parser is reset through XML_ParserReset and then
      reused to parse
    - CMake: Fix generation of pkg-config file
    - MinGW|CMake: Fix static library name
    * Other changes:
    - Protect header expat_config.h from multiple inclusion
    - examples: Make use of XML_GetBuffer and be more consistent
      across examples
    - Address compiler warnings
    - Version info bumped from 9:9:8 to 9:10:8; see
      https://verbump.de/ for what these numbers do
* Tue Sep 20 2022 David Anes <david.anes@suse.com>
  - update to 2.4.9: (bsc#1203438)
    * Security fixes:
    - CVE-2022-40674 -- Heap use-after-free vulnerability in
      function doContent. Expected impact is denial of service
      or potentially arbitrary code execution.
    * Bug fixes:
    - MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0
    - docs: Fix documentation on effect of switch XML_DTD on
      symbol visibility in doc/reference.html
    * Other changes:
    - MinGW: Make fix-xmltest-log.sh drop more Wine bug output
    - Autotools: Sync CMake templates with CMake 3.22
    - CMake: Migrate from use of CMAKE_*_POSTFIX to
      dedicated variables EXPAT_*_POSTFIX to stop affecting
      other projects
    - Windows|CMake: Add missing -DXML_STATIC to test runners
      and fuzzers
    - Windows|CMake: Render .def file from a template to fix
      linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
    - MinGW|CMake: Apply MSVC .def file when linking
    - MinGW|CMake: Sync library name with GNU Autotools,
      i.e. produce libexpat-1.dll rather than libexpat.dll
      by default.  Filename libexpat.dll.a is unaffected.
    - MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in
      toolchain file "cmake/mingw-toolchain.cmake" to avoid
      error "windres: Command not found" on e.g. Ubuntu 20.04
    - CMake: Unify inconsistent use of set() and option() in
      context of public build time options to take need for
      set(.. FORCE) in projects using Expat by means of
      add_subdirectory(..) off Expat's users' shoulders
    - Stop exporting API symbols when building a static library
    - Resolve use of deprecated "fgrep" by "grep -F"
    - CMake: Make documentation on variables a bit more consistent
    - CMake: Drop leading whitespace from a #cmakedefine line in
      file expat_config.h.cmake
    - xmlwf: Fix harmless variable mix-up in function nsattcmp
    - Address Cppcheck warnings
    - Address Clang 15 compiler warnings
    - Version info bumped from 9:8:8 to 9:9:8;
      see https://verbump.de/ for what these numbers do
    * Infrastructure:
    - CI: Windows: Start covering MSVC 2022
    - CI: macOS: Migrate off deprecated macOS 10.15
    - CI: Linux: Make migration off deprecated Ubuntu 18.04 work
    - CI: Upgrade Clang from 14 to 15
    - apply-clang-format.sh: Add support for BSD find
    - coverage.sh: Exclude MinGW headers
    - coverage.sh: Fix name collision for -funsigned-char
* Tue Mar 29 2022 David Anes <david.anes@suse.com>
  - update to 2.4.8:
    * Other changes:
    - pkg-config: Move "-lm" to section "Libs.private"
    - CMake|MSVC: Fix pkg-config section "Libs"
    - CMake|macOS: Start using linker arguments
      "-compatibility_version <version>" and
      "-current_version <version>" in a way compatible with GNU
      Libtool
    - Version info bumped from 9:7:8 to 9:8:8;
      see https://verbump.de/ for what these numbers do
* Sat Mar 05 2022 David Anes <david.anes@suse.com>
  - update to 2.4.7 (bsc#1196784, CVE-2022-25236):
    * Bug fixes:
    - Relax fix to CVE-2022-25236 (introduced with release 2.4.5)
      with regard to all valid URI characters (RFC 3986),
      i.e. the following set (excluding whitespace):
      ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz
      0123456789 % -._~ :/?#[]@ !$&'()*+,;=
    * Other changes:
    - CMake|Windows: Store Expat version in the DLL
    - Document consequences of namespace separator choices not just
      in doc/reference.html but also in header <expat.h>
    - Document Expat's lack of validation of namespace URIs against
      RFC 3986, and that the XML 1.0r4 specification doesn't
      require Expat to validate namespace URIs, and that Expat
      may do more in that regard in future releases.
      If you find need for strict RFC 3986 URI validation on
      application level today, https://uriparser.github.io/ may
      be of interest.
    - Fix documentation of XML_EndDoctypeDeclHandler in <expat.h>
    - Document that a call to XML_FreeContentModel can be done at
      a later time from outside the element declaration handler
    - Make hardcoded namespace URIs easier to find in code
    - Update documentation on use of XML_POOR_ENTOPY on Solaris
    - tests: Resolve use of macros NAN and INFINITY for GNU G++
      4.8.2 on Solaris.
    - Version info bumped from 9:6:8 to 9:7:8;
      see https://verbump.de/ for what these numbers do
* Sun Feb 20 2022 David Anes <david.anes@suse.com>
  - update to 2.4.6 (bsc#1196168, CVE-2022-25313):
    * Bug fixes:
    - Fix a regression introduced by the fix for CVE-2022-25313
      in release 2.4.5 that affects applications that (1)
      call function XML_SetElementDeclHandler and (2) are
      parsing XML that contains nested element declarations
      (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>").
    - Version info bumped from 9:5:8 to 9:6:8;
      see https://verbump.de/ for what these numbers do.
* Sat Feb 19 2022 David Anes <david.anes@suse.com>
  - update to 2.4.5 (bsc#1196171, bsc#1196169, bsc#1196168,
    bsc#1196026, bsc#1196025):
    * Security fixes:
    - CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
      sequences (e.g. from start tag names) to the XML
      processing application on top of Expat can cause
      arbitrary damage (e.g. code execution) depending
      on how invalid UTF-8 is handled inside the XML
      processor; validation was not their job but Expat's.
      Exploits with code execution are known to exist.
    - CVE-2022-25236 -- Passing (one or more) namespace separator
      characters in "xmlns[:prefix]" attribute values
      made Expat send malformed tag names to the XML
      processor on top of Expat which can cause
      arbitrary damage (e.g. code execution) depending
      on such unexpectable cases are handled inside the XML
      processor; validation was not their job but Expat's.
      Exploits with code execution are known to exist.
    - CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
      that could be triggered by e.g. a 2 megabytes
      file with a large number of opening braces.
      Expected impact is denial of service or potentially
      arbitrary code execution.
    - CVE-2022-25314 -- Fix integer overflow in function copyString;
      only affects the encoding name parameter at parser creation
      time which is often hardcoded (rather than user input),
      takes a value in the gigabytes to trigger, and a 64-bit
      machine.  Expected impact is denial of service.
    - CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
      needs input in the gigabytes and a 64-bit machine.
      Expected impact is denial of service or potentially
      arbitrary code execution.
    * Other changes:
    - Version info bumped from 9:4:8 to 9:5:8;
      see https://verbump.de/ for what these numbers do
* Mon Jan 31 2022 David Anes <david.anes@suse.com>
  - update to 2.4.4 (bsc#1195217, bsc#1195054):
    * Security fixes:
    - CVE-2022-23852 -- Fix signed integer overflow
      (undefined behavior) in function XML_GetBuffer
      that is also called by function XML_Parse internally)
      for when XML_CONTEXT_BYTES is defined to >0 (which is both
      common and default).
      Impact is denial of service or more.
    - CVE-2022-23990 -- Fix unsigned integer overflow in function
      doProlog triggered by large content in element type
      declarations when there is an element declaration handler
      present (from a prior call to XML_SetElementDeclHandler).
      Impact is denial of service or more.
    * Bug fixes:
    - xmlwf: Fix a memory leak on output file opening error
    * Other changes:
    - Version info bumped from 9:3:8 to 9:4:8;
      see https://verbump.de/ for what these numbers do
    * Drop unused file valid-xhtml10.png
* Mon Jan 17 2022 Dirk Müller <dmueller@suse.com>
  - update to 2.4.3 (bsc#1194251, bsc#1194362, bsc#1194474,
      bsc#1194476, bsc#1194477, bsc#1194478, bsc#1194479, bsc#1194480):
    * CVE-2021-45960 -- Fix issues with left shifts by >=29 places
      resulting in
      a) realloc acting as free
      b) realloc allocating too few bytes
      c) undefined behavior
      depending on architecture and precise value
      for XML documents with >=2^27+1 prefixed attributes
      on a single XML tag a la
      "<r xmlns:a='[..]' a:a123='[..]' [..] />"
      where XML_ParserCreateNS is used to create the parser
      (which needs argument "-n" when running xmlwf).
      Impact is denial of service, or more.
    * CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
      on variable m_groupSize in function doProlog leading
      to realloc acting as free.
      Impact is denial of service or more.
    * CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
      near memory allocation at multiple places.  Mitre assigned
      a dedicated CVE for each involved internal C function:
    - CVE-2022-22822 for function addBinding
    - CVE-2022-22823 for function build_model
    - CVE-2022-22824 for function defineAttribute
    - CVE-2022-22825 for function lookup
    - CVE-2022-22826 for function nextScaffoldPart
    - CVE-2022-22827 for function storeAtts
      Impact is denial of service or more.
* Mon Dec 27 2021 Dirk Müller <dmueller@suse.com>
  - update to 2.4.2:
    * Link againgst libm for function "isnan"
    * Include expat_config.h as early as possible
    * Autotools: Include files with release archives:
    - buildconf.sh
    - fuzz/*.c
    * Autotools: Sync CMake templates
    * docs: Document that function XML_GetBuffer may return NULL
      when asking for a buffer of 0 (zero) bytes size
    * docs: Fix return value docs for both
      XML_SetBillionLaughsAttackProtection* functions
    * Version info bumped from 9:1:8 to 9:2:8
* Mon May 24 2021 Pedro Monreal <pmonreal@suse.com>
  - Update to 2.4.1:
    * Bug fixes:
    - Autotools: Fix installed header expat_config.h for multilib
      systems; regression introduced in 2.4.0 by pull request #486
    * Other changes:
    - Version info bumped from 9:0:8 to 9:1:8; see
      https://verbump.de/ for what these numbers do
* Mon May 24 2021 Pedro Monreal <pmonreal@suse.com>
  - Update to 2.4.0: [CVE-2013-0340 "Billion Laughs"]
    * Security fixes:
    - CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
      (denial-of-service; flavors targeting CPU time or RAM or both,
      leveraging general entities or parameter entities or both)
      by tracking and limiting the input amplification factor
      (<amplification> := (<direct> + <indirect>) / <direct>).
      By conservative default, amplification up to a factor of 100.0
      is tolerated and rejection only starts after 8 MiB of output bytes
      (=<direct> + <indirect>) have been processed.
      The fix adds the following to the API:
    - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
      signals this specific condition.
    - Two new API functions ..
    - XML_SetBillionLaughsAttackProtectionMaximumAmplification and
    - XML_SetBillionLaughsAttackProtectionActivationThreshold
      .. to further tighten billion laughs protection parameters
      when desired.  Please see file "doc/reference.html" for details.
      If you ever need to increase the defaults for non-attack XML
      payload, please file a bug report with libexpat.
    - Two new XML_FEATURE_* constants ..
    - that can be queried using the XML_GetFeatureList function, and
    - that are shown in "xmlwf -v" output.
    - Two new environment variable switches ..
    - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
    - EXPAT_ENTITY_DEBUG=(0|1)
      .. for runtime debugging of accounting and entity processing.
      Specific behavior of these values may change in the future.
    - Two new command line arguments "-a FACTOR" and "-b BYTES"
      for xmlwf to further tighten billion laughs protection
      parameters when desired.
      If you ever need to increase the defaults for non-attack XML
      payload, please file a bug report with libexpat.
    * Bug fixes:
    - For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake)
      or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault
      for UTF-16 payloads containing CDATA sections.
    - Autotools: Fix generated CMake files for non-64bit and
      non-Linux platforms (e.g. macOS and MinGW in particular)
      that were introduced with release 2.3.0
    * Other changes:
    - xmlwf: Improve help output and the xmlwf man page
    - xmlwf: Improve maintainability through some refactoring
    - xmlwf: Fix man page DocBook validity
    - CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR
      and CMAKE_INSTALL_INCLUDEDIR
    - CMake: Add support for standard variable BUILD_SHARED_LIBS
    - Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters
    - Resolve macro HAVE_EXPAT_CONFIG_H
    - Delete unused legacy helper file "conftools/PrintPath"
    - doc/reference.html: Fix XHTML validity
    - doc/reference.html: Replace the 90s look by OK.css
    - Version info bumped from 8:0:7 to 9:0:8 due to addition of
      new symbols and error codes; see https://verbump.de/ for
      what these numbers do
* Tue Apr 13 2021 Dominique Leuenberger <dimstar@opensuse.org>
  - Do not BuildRequire cmake: expat is part of the distro bootstrap
    cycle and any additional dependency makes the ring larger. In
    this case here, cmake was even only used to own a directory.
* Tue Apr 06 2021 Dirk Müller <dmueller@suse.com>
  - update to 2.3.0:
    * When calling XML_ParseBuffer without a prior successful call to
      XML_GetBuffer as a user, no longer trigger undefined behavior
      (by adding an integer to a NULL pointer) but rather return
      XML_STATUS_ERROR and set the error code to (new) code
      XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer)
      of Clang 11 (but not Clang 9).
    * xmlwf: Exit status 2 was used for both:
    - malformed input files (documented) and
    - invalid command-line arguments (undocumented).
      case of invalid command-line arguments now
      has its own exit status 4, resolving the ambiguity.
    * Other changes

Files

/usr/lib64/libexpat.so.1
/usr/lib64/libexpat.so.1.9.2
/usr/share/licenses/libexpat1
/usr/share/licenses/libexpat1/COPYING


Generated by rpm2html 1.8.1

Fabrice Bellet, Thu Jul 18 01:03:01 2024