Date: Thu, 10 Mar 2022 05:16:15 +0000 From: bugzilla-noreply@freebsd.org To: desktop@FreeBSD.org Subject: [Bug 262381] [exp-run] update texproc/expat2 to 2.4.7 Message-ID: <bug-262381-39348-33ehZwGzB0@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-262381-39348@https.bugs.freebsd.org/bugzilla/> References: <bug-262381-39348@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D262381 --- Comment #2 from commit-hook@FreeBSD.org --- A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=3D5a4db4dfb5abda7978bcb9cb146cd6e= 74725e43e commit 5a4db4dfb5abda7978bcb9cb146cd6e74725e43e Author: Tobias C. Berner <tcberner@FreeBSD.org> AuthorDate: 2022-03-06 15:17:40 +0000 Commit: Tobias C. Berner <tcberner@FreeBSD.org> CommitDate: 2022-03-10 05:14:18 +0000 textproc/expat2: update to 2.4.7 From [1]: Release 2.4.7 Fri March 4 2022 Bug fixes: #572 #577 Relax fix to CVE-2022-25236 (introduced with release 2.4.5) with regard to all valid URI characters (RFC 3986), i.e. the following set (excluding whitespace): ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwx= yz 0123456789 % -._~ :/?#[]@ !$&'()*+,;=3D Other changes: #555 #570 #581 CMake|Windows: Store Expat version in the DLL #577 Document consequences of namespace separator choices = not just in doc/reference.html but also in header <expat.h> #577 Document Expat's lack of validation of namespace URIs against RFC 3986, and that the XML 1.0r4 specification does= n't require Expat to validate namespace URIs, and that Expat may do more in that regard in future releases. If you find need for strict RFC 3986 URI validation= on application level today, https://uriparser.github.i= o/ may be of interest. #579 Fix documentation of XML_EndDoctypeDeclHandler in <expat.h> #575 Document that a call to XML_FreeContentModel can be d= one at a later time from outside the element declaration handler #574 Make hardcoded namespace URIs easier to find in code #573 Update documentation on use of XML_POOR_ENTOPY on Sol= aris #569 #571 tests: Resolve use of macros NAN and INFINITY for GNU= G++ 4.8.2 on Solaris. #578 #580 Version info bumped from 9:6:8 to 9:7:8; see https://verbump.de/ for what these numbers do Special thanks to: Jeffrey Walton Johnny Jazeix Thijs Schreijer Release 2.4.6 Sun February 20 2022 Bug fixes: #566 Fix a regression introduced by the fix for CVE-2022-2= 5313 in release 2.4.5 that affects applications that (1) call function XML_SetElementDeclHandler and (2) are parsing XML that contains nested element declaratio= ns (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>"). Other changes: #567 #568 Version info bumped from 9:5:8 to 9:6:8; see https://verbump.de/ for what these numbers do Special thanks to: Matt Sergeant Samanta Navarro Sergei Trofimovich and NixOS Perl XML::Parser Release 2.4.5 Fri February 18 2022 Security fixes: #562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF= -8 sequences (e.g. from start tag names) to the XML processing application on top of Expat can cause arbitrary damage (e.g. code execution) depending on how invalid UTF-8 is handled inside the XML processor; validation was not their job but Expat's. Exploits with code execution are known to exist. #561 CVE-2022-25236 -- Passing (one or more) namespace separator characters in "xmlns[:prefix]" attribute values made Expat send malformed tag names to the XML processor on top of Expat which can cause arbitrary damage (e.g. code execution) depending on such unexpectable cases are handled inside the X= ML processor; validation was not their job but Expat's. Exploits with code execution are known to exist. #558 CVE-2022-25313 -- Fix stack exhaustion in doctype par= sing that could be triggered by e.g. a 2 megabytes file with a large number of opening braces. Expected impact is denial of service or potentially arbitrary code execution. #560 CVE-2022-25314 -- Fix integer overflow in function copyString; only affects the encoding name parameter at parser creation time which is often hardcoded (rather than user inp= ut), takes a value in the gigabytes to trigger, and a 64= -bit machine. Expected impact is denial of service. #559 CVE-2022-25315 -- Fix integer overflow in function storeRawNames; needs input in the gigabytes and a 64-bit machine. Expected impact is denial of service or potentially arbitrary code execution. Other changes: #557 #564 Version info bumped from 9:4:8 to 9:5:8; see https://verbump.de/ for what these numbers do Special thanks to: Ivan Fratric Samanta Navarro and Google Project Zero JetBrains [1] Changelog: https://github.com/libexpat/libexpat/blob/R_2_4_7/expat/Changes Exp-run by: antoine PR: 262381 Security: CVE-2022-25235 Security: CVE-2022-25236 Security: CVE-2022-25313 Security: CVE-2022-25314 Security: CVE-2022-25315 textproc/expat2/Makefile | 2 +- textproc/expat2/distinfo | 6 +++--- textproc/expat2/pkg-plist | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) --=20 You are receiving this mail because: You are on the CC list for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-262381-39348-33ehZwGzB0>