From nobody Thu Mar 10 05:17:31 2022 X-Original-To: dev-commits-ports-branches@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 99CC719FEA94; Thu, 10 Mar 2022 05:17:31 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KDckz3smqz3k3x; Thu, 10 Mar 2022 05:17:31 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1646889451; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=WqjK3qrsrhKxU/Zbl2QUEOwb9gbD77zwctzNijh4tV8=; b=lTqrtgCDIfPmdjMdH+qukgPBgzIyu0wb5beqmBBzI2/ABbvvX0+J26XTtDsrC3nMgZdKxv 2geOq8M07qKKk+0iN2VsZQYBgYyso5O6k5eEy1GR+OYI124kgcrJTN1WHUfNn0zqiqa/Ne rNVEJXIKQI2lgWwFXHxBAqhpk1VoxNF/j3ZI8qAxEmVcOVnfLhncF0ZzfvmDwUN+MnG1r8 z8ZT1724IdedCNAJR6XcloUsp9pIM1GH7We1H/5+A/7Ujxaaz5vEPkxK7uKr9VmwkAdAC/ 3WDrIb915X52Tq34WRXvHbjcjGId91wp+jcUAnE5+f1g6W1ccrA2Qjkhq+fGsw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 64A921EE6F; Thu, 10 Mar 2022 05:17:31 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 22A5HVdm036174; Thu, 10 Mar 2022 05:17:31 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 22A5HVKD036173; Thu, 10 Mar 2022 05:17:31 GMT (envelope-from git) Date: Thu, 10 Mar 2022 05:17:31 GMT Message-Id: <202203100517.22A5HVKD036173@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org From: "Tobias C. Berner" Subject: git: 173c60497623 - 2022Q1 - textproc/expat2: update to 2.4.7 List-Id: Commits to the quarterly branches of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-branches@freebsd.org X-BeenThere: dev-commits-ports-branches@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: tcberner X-Git-Repository: ports X-Git-Refname: refs/heads/2022Q1 X-Git-Reftype: branch X-Git-Commit: 173c604976232e57f275e5092ebb82a87d5bebb6 Auto-Submitted: auto-generated ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1646889451; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=WqjK3qrsrhKxU/Zbl2QUEOwb9gbD77zwctzNijh4tV8=; b=nIV8O6phlfluJHVcjwoPKRLpAiyWw/erROR+h+idDhzBmE9esyjpjsVXQ/A7/smxRRdnlp +eAZ4q6Y2PByp6A9jgIY1u7Qsm+vF3+6Cs5NBALrfUG4wPrdFgMQFgINk+oBGS1AOP+8cf duHhilPdi8pkU84DLsc1fpzIxkg2/ok4F92xPBafypCtRYOu4e8+GTKYVQHiKJrLqiBxv4 pAOasjtWF47yMPtC8AMqLOK6UpxbJh72JNk8lBEbXRo0bWdw9scd6hWa3r2LSEnSD1QgXe xJkD0tGUwuploSCNfOtcSSfyGz+wRR0zH3MSuQNMxClvwzBxl/xQugab+rgZ0Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1646889451; a=rsa-sha256; cv=none; b=F4F1VBxXZ0uCHpQD5fvq/TzgyEI0LuN3EDgG4wFh2PjJCZaj3F0VMxQ2bmeY/BM3+jp6WA WTT86XYd8nWaKb/ZU3ncw1IMn2AsMU0UYlbvINQ39dc+Bp27aRstMHsUqPNPkSu4pSDVud Yyxhx5QqACEf1oqoogNg9IBNrTRyf1KS7f58+z91zcONXbQor0cegCBJk5nwgusrztz4EV Hfr5G5lQ/WKEIXfclip4/J+egFcKOU2+JHs4vEhlk2DO98TmUla9m96MQNzEeeTh9afm6C kKeH36EbxY3foXkAYof8ki62IQeMCiNGjv5cSibwEP7J8AQ1tKGDoCWtoAF2zA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N The branch 2022Q1 has been updated by tcberner: URL: https://cgit.FreeBSD.org/ports/commit/?id=173c604976232e57f275e5092ebb82a87d5bebb6 commit 173c604976232e57f275e5092ebb82a87d5bebb6 Author: Tobias C. Berner AuthorDate: 2022-03-06 15:17:40 +0000 Commit: Tobias C. Berner CommitDate: 2022-03-10 05:17:18 +0000 textproc/expat2: update to 2.4.7 From [1]: Release 2.4.7 Fri March 4 2022 Bug fixes: #572 #577 Relax fix to CVE-2022-25236 (introduced with release 2.4.5) with regard to all valid URI characters (RFC 3986), i.e. the following set (excluding whitespace): ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz 0123456789 % -._~ :/?#[]@ !$&'()*+,;= Other changes: #555 #570 #581 CMake|Windows: Store Expat version in the DLL #577 Document consequences of namespace separator choices not just in doc/reference.html but also in header #577 Document Expat's lack of validation of namespace URIs against RFC 3986, and that the XML 1.0r4 specification doesn't require Expat to validate namespace URIs, and that Expat may do more in that regard in future releases. If you find need for strict RFC 3986 URI validation on application level today, https://uriparser.github.io/ may be of interest. #579 Fix documentation of XML_EndDoctypeDeclHandler in #575 Document that a call to XML_FreeContentModel can be done at a later time from outside the element declaration handler #574 Make hardcoded namespace URIs easier to find in code #573 Update documentation on use of XML_POOR_ENTOPY on Solaris #569 #571 tests: Resolve use of macros NAN and INFINITY for GNU G++ 4.8.2 on Solaris. #578 #580 Version info bumped from 9:6:8 to 9:7:8; see https://verbump.de/ for what these numbers do Special thanks to: Jeffrey Walton Johnny Jazeix Thijs Schreijer Release 2.4.6 Sun February 20 2022 Bug fixes: #566 Fix a regression introduced by the fix for CVE-2022-25313 in release 2.4.5 that affects applications that (1) call function XML_SetElementDeclHandler and (2) are parsing XML that contains nested element declarations (e.g. ""). Other changes: #567 #568 Version info bumped from 9:5:8 to 9:6:8; see https://verbump.de/ for what these numbers do Special thanks to: Matt Sergeant Samanta Navarro Sergei Trofimovich and NixOS Perl XML::Parser Release 2.4.5 Fri February 18 2022 Security fixes: #562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8 sequences (e.g. from start tag names) to the XML processing application on top of Expat can cause arbitrary damage (e.g. code execution) depending on how invalid UTF-8 is handled inside the XML processor; validation was not their job but Expat's. Exploits with code execution are known to exist. #561 CVE-2022-25236 -- Passing (one or more) namespace separator characters in "xmlns[:prefix]" attribute values made Expat send malformed tag names to the XML processor on top of Expat which can cause arbitrary damage (e.g. code execution) depending on such unexpectable cases are handled inside the XML processor; validation was not their job but Expat's. Exploits with code execution are known to exist. #558 CVE-2022-25313 -- Fix stack exhaustion in doctype parsing that could be triggered by e.g. a 2 megabytes file with a large number of opening braces. Expected impact is denial of service or potentially arbitrary code execution. #560 CVE-2022-25314 -- Fix integer overflow in function copyString; only affects the encoding name parameter at parser creation time which is often hardcoded (rather than user input), takes a value in the gigabytes to trigger, and a 64-bit machine. Expected impact is denial of service. #559 CVE-2022-25315 -- Fix integer overflow in function storeRawNames; needs input in the gigabytes and a 64-bit machine. Expected impact is denial of service or potentially arbitrary code execution. Other changes: #557 #564 Version info bumped from 9:4:8 to 9:5:8; see https://verbump.de/ for what these numbers do Special thanks to: Ivan Fratric Samanta Navarro and Google Project Zero JetBrains [1] Changelog: https://github.com/libexpat/libexpat/blob/R_2_4_7/expat/Changes Exp-run by: antoine PR: 262381 Security: CVE-2022-25235 Security: CVE-2022-25236 Security: CVE-2022-25313 Security: CVE-2022-25314 Security: CVE-2022-25315 (cherry picked from commit 5a4db4dfb5abda7978bcb9cb146cd6e74725e43e) --- textproc/expat2/Makefile | 2 +- textproc/expat2/distinfo | 6 +++--- textproc/expat2/pkg-plist | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/textproc/expat2/Makefile b/textproc/expat2/Makefile index bdfb93289f4b..26c8e71a70b1 100644 --- a/textproc/expat2/Makefile +++ b/textproc/expat2/Makefile @@ -1,7 +1,7 @@ # Created by: Dirk Froemberg PORTNAME= expat -DISTVERSION= 2.4.4 +DISTVERSION= 2.4.7 CATEGORIES= textproc MASTER_SITES= https://github.com/libexpat/libexpat/releases/download/R_${DISTVERSION:S|.|_|g}/ diff --git a/textproc/expat2/distinfo b/textproc/expat2/distinfo index b344016f42c2..5da315f47be6 100644 --- a/textproc/expat2/distinfo +++ b/textproc/expat2/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1643620923 -SHA256 (expat-2.4.4.tar.xz) = b5d25d6e373351c2ed19b562b4732d01d2589ac8c8e9e7962d8df1207cc311b8 -SIZE (expat-2.4.4.tar.xz) = 449448 +TIMESTAMP = 1646447376 +SHA256 (expat-2.4.7.tar.xz) = 9875621085300591f1e64c18fd3da3a0eeca4a74f884b9abac2758ad1bd07a7d +SIZE (expat-2.4.7.tar.xz) = 454136 diff --git a/textproc/expat2/pkg-plist b/textproc/expat2/pkg-plist index bfeae6d8c604..775d1749dfde 100644 --- a/textproc/expat2/pkg-plist +++ b/textproc/expat2/pkg-plist @@ -9,7 +9,7 @@ lib/cmake/expat-%%EXPAT_VERSION%%/expat.cmake %%STATIC%%lib/libexpat.a lib/libexpat.so lib/libexpat.so.1 -lib/libexpat.so.1.8.4 +lib/libexpat.so.1.8.7 libdata/pkgconfig/expat.pc man/man1/xmlwf.1.gz %%PORTDOCS%%%%DOCSDIR%%/AUTHORS