Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 10 Mar 2022 05:15:54 GMT
From:      "Tobias C. Berner" <tcberner@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: 5a4db4dfb5ab - main - textproc/expat2: update to 2.4.7
Message-ID:  <202203100515.22A5Fs9h035936@gitrepo.freebsd.org>

next in thread | raw e-mail | index | archive | help
The branch main has been updated by tcberner:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5a4db4dfb5abda7978bcb9cb146cd6e74725e43e

commit 5a4db4dfb5abda7978bcb9cb146cd6e74725e43e
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2022-03-06 15:17:40 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2022-03-10 05:14:18 +0000

    textproc/expat2: update to 2.4.7
    
    From [1]:
    
    Release 2.4.7 Fri March 4 2022
            Bug fixes:
           #572 #577  Relax fix to CVE-2022-25236 (introduced with release 2.4.5)
                        with regard to all valid URI characters (RFC 3986),
                        i.e. the following set (excluding whitespace):
                        ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz
                        0123456789 % -._~ :/?#[]@ !$&'()*+,;=
    
            Other changes:
      #555 #570 #581  CMake|Windows: Store Expat version in the DLL
                #577  Document consequences of namespace separator choices not just
                        in doc/reference.html but also in header <expat.h>
                #577  Document Expat's lack of validation of namespace URIs against
                        RFC 3986, and that the XML 1.0r4 specification doesn't
                        require Expat to validate namespace URIs, and that Expat
                        may do more in that regard in future releases.
                        If you find need for strict RFC 3986 URI validation on
                        application level today, https://uriparser.github.io/ may
                        be of interest.
                #579  Fix documentation of XML_EndDoctypeDeclHandler in <expat.h>
                #575  Document that a call to XML_FreeContentModel can be done at
                        a later time from outside the element declaration handler
                #574  Make hardcoded namespace URIs easier to find in code
                #573  Update documentation on use of XML_POOR_ENTOPY on Solaris
           #569 #571  tests: Resolve use of macros NAN and INFINITY for GNU G++
                        4.8.2 on Solaris.
           #578 #580  Version info bumped from 9:6:8 to 9:7:8;
                        see https://verbump.de/ for what these numbers do
    
            Special thanks to:
                Jeffrey Walton
                Johnny Jazeix
                Thijs Schreijer
    
    Release 2.4.6 Sun February 20 2022
            Bug fixes:
                #566  Fix a regression introduced by the fix for CVE-2022-25313
                        in release 2.4.5 that affects applications that (1)
                        call function XML_SetElementDeclHandler and (2) are
                        parsing XML that contains nested element declarations
                        (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>").
    
            Other changes:
           #567 #568  Version info bumped from 9:5:8 to 9:6:8;
                        see https://verbump.de/ for what these numbers do
    
            Special thanks to:
                Matt Sergeant
                Samanta Navarro
                Sergei Trofimovich
                     and
                NixOS
                Perl XML::Parser
    
    Release 2.4.5 Fri February 18 2022
            Security fixes:
                #562  CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
                        sequences (e.g. from start tag names) to the XML
                        processing application on top of Expat can cause
                        arbitrary damage (e.g. code execution) depending
                        on how invalid UTF-8 is handled inside the XML
                        processor; validation was not their job but Expat's.
                        Exploits with code execution are known to exist.
                #561  CVE-2022-25236 -- Passing (one or more) namespace separator
                        characters in "xmlns[:prefix]" attribute values
                        made Expat send malformed tag names to the XML
                        processor on top of Expat which can cause
                        arbitrary damage (e.g. code execution) depending
                        on such unexpectable cases are handled inside the XML
                        processor; validation was not their job but Expat's.
                        Exploits with code execution are known to exist.
                #558  CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
                        that could be triggered by e.g. a 2 megabytes
                        file with a large number of opening braces.
                        Expected impact is denial of service or potentially
                        arbitrary code execution.
                #560  CVE-2022-25314 -- Fix integer overflow in function copyString;
                        only affects the encoding name parameter at parser creation
                        time which is often hardcoded (rather than user input),
                        takes a value in the gigabytes to trigger, and a 64-bit
                        machine.  Expected impact is denial of service.
                #559  CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
                        needs input in the gigabytes and a 64-bit machine.
                        Expected impact is denial of service or potentially
                        arbitrary code execution.
    
            Other changes:
           #557 #564  Version info bumped from 9:4:8 to 9:5:8;
                        see https://verbump.de/ for what these numbers do
    
            Special thanks to:
                Ivan Fratric
                Samanta Navarro
                     and
                Google Project Zero
                JetBrains
    
    [1] Changelog:
            https://github.com/libexpat/libexpat/blob/R_2_4_7/expat/Changes
    
    Exp-run by:     antoine
    PR:             262381
    
    Security: CVE-2022-25235
    Security: CVE-2022-25236
    Security: CVE-2022-25313
    Security: CVE-2022-25314
    Security: CVE-2022-25315
---
 textproc/expat2/Makefile  | 2 +-
 textproc/expat2/distinfo  | 6 +++---
 textproc/expat2/pkg-plist | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/textproc/expat2/Makefile b/textproc/expat2/Makefile
index bdfb93289f4b..26c8e71a70b1 100644
--- a/textproc/expat2/Makefile
+++ b/textproc/expat2/Makefile
@@ -1,7 +1,7 @@
 # Created by: Dirk Froemberg <dirk@FreeBSD.org>
 
 PORTNAME=	expat
-DISTVERSION=	2.4.4
+DISTVERSION=	2.4.7
 CATEGORIES=	textproc
 MASTER_SITES=	https://github.com/libexpat/libexpat/releases/download/R_${DISTVERSION:S|.|_|g}/
 
diff --git a/textproc/expat2/distinfo b/textproc/expat2/distinfo
index b344016f42c2..5da315f47be6 100644
--- a/textproc/expat2/distinfo
+++ b/textproc/expat2/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1643620923
-SHA256 (expat-2.4.4.tar.xz) = b5d25d6e373351c2ed19b562b4732d01d2589ac8c8e9e7962d8df1207cc311b8
-SIZE (expat-2.4.4.tar.xz) = 449448
+TIMESTAMP = 1646447376
+SHA256 (expat-2.4.7.tar.xz) = 9875621085300591f1e64c18fd3da3a0eeca4a74f884b9abac2758ad1bd07a7d
+SIZE (expat-2.4.7.tar.xz) = 454136
diff --git a/textproc/expat2/pkg-plist b/textproc/expat2/pkg-plist
index bfeae6d8c604..775d1749dfde 100644
--- a/textproc/expat2/pkg-plist
+++ b/textproc/expat2/pkg-plist
@@ -9,7 +9,7 @@ lib/cmake/expat-%%EXPAT_VERSION%%/expat.cmake
 %%STATIC%%lib/libexpat.a
 lib/libexpat.so
 lib/libexpat.so.1
-lib/libexpat.so.1.8.4
+lib/libexpat.so.1.8.7
 libdata/pkgconfig/expat.pc
 man/man1/xmlwf.1.gz
 %%PORTDOCS%%%%DOCSDIR%%/AUTHORS



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202203100515.22A5Fs9h035936>