From patchwork Wed Feb 7 11:13:19 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 7542 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4TVHYB3D4cz3wvs for ; Wed, 7 Feb 2024 11:13:34 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4TVHY43Vk2zyP; Wed, 7 Feb 2024 11:13:28 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4TVHY40qtsz30HR; Wed, 7 Feb 2024 11:13:28 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4TVHY11syBz2yDy for ; Wed, 7 Feb 2024 11:13:25 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4TVHY03WZ1z84; Wed, 7 Feb 2024 11:13:24 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1707304404; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=qIwSPlP5WaGgdNbynuckJKSV+zzNIyqIWE3tXNLxXxg=; b=4lsEcJ1G+sp2JsaOCrPgPXtLqcYdhIjMxL7vvplLWRvc1Rx6M3IOmrWy9IrysBdHeVdooM qNUy22iVBHurg6BA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1707304404; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=qIwSPlP5WaGgdNbynuckJKSV+zzNIyqIWE3tXNLxXxg=; b=VaLiQMmvIou9yJFsgLvMzQypNMGfnxKTJabRiocUofGg+bRpvh81e3WDGg79PBdtaz2oBa I3lD8S8K/xufhMFTPkMaRCrPACuPN+SNj8mYDHmBN35FuSwFQWbrJjct6tVhoEjXKpPqTe +GYX5U5t1Kh9Mxn28xlWCizVtvMFzmx28eoZNt8gn8VSRFfCor8AXUStsVfNMqrSzp1KYU SXK/XYzWLic7rKMojS2GEKJh34gXrPknr8cTJqB77caXapP8ADURPhxzBsjrpOSLnYMho4 x/aapop4/cgLfun05Gfj/kgTbp1fVjt/th13GYDiyXYfMFLh28NLRqaQJtI/yw== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH] expat: Update to version 2.6.0 Date: Wed, 7 Feb 2024 12:13:19 +0100 Message-ID: <20240207111319.3279645-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: KXUXU4P2SR4JR3LKRR5WZXMMVOHHNMPU X-Message-ID-Hash: KXUXU4P2SR4JR3LKRR5WZXMMVOHHNMPU X-MailFrom: adolf.belka@ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: - Update from version 2.5.0 to 2.6.0 - Update of rootfile - This update fixes two CVE's. Not sure if IPFire would be vulnerable or not but safer to update anyway. - Changelog 2.6.0 Security fixes: #789 #814 CVE-2023-52425 -- Fix quadratic runtime issues with big tokens that can cause denial of service, in partial where dealing with compressed XML input. Applications that parsed a document in one go -- a single call to functions XML_Parse or XML_ParseBuffer -- were not affected. The smaller the chunks/buffers you use for parsing previously, the bigger the problem prior to the fix. Backporters should be careful to no omit parts of pull request #789 and to include earlier pull request #771, in order to not break the fix. #777 CVE-2023-52426 -- Fix billion laughs attacks for users compiling *without* XML_DTD defined (which is not common). Users with XML_DTD defined have been protected since Expat >=2.4.0 (and that was CVE-2013-0340 back then). Bug fixes: #753 Fix parse-size-dependent "invalid token" error for external entities that start with a byte order mark #780 Fix NULL pointer dereference in setContext via XML_ExternalEntityParserCreate for compilation with XML_DTD undefined #812 #813 Protect against closing entities out of order Other changes: #723 Improve support for arc4random/arc4random_buf #771 #788 Improve buffer growth in XML_GetBuffer and XML_Parse #761 #770 xmlwf: Support --help and --version #759 #770 xmlwf: Support custom buffer size for XML_GetBuffer and read #744 xmlwf: Improve language and URL clickability in help output #673 examples: Add new example "element_declarations.c" #764 Be stricter about macro XML_CONTEXT_BYTES at build time #765 Make inclusion to expat_config.h consistent #726 #727 Autotools: configure.ac: Support --disable-maintainer-mode #678 #705 .. #706 #733 #792 Autotools: Sync CMake templates with CMake 3.26 #795 Autotools: Make installation of shipped man page doc/xmlwf.1 independent of docbook2man availability #815 Autotools|CMake: Add missing -DXML_STATIC to pkg-config file section "Cflags.private" in order to fix compilation against static libexpat using pkg-config on Windows #724 #751 Autotools|CMake: Require a C99 compiler (a de-facto requirement already since Expat 2.2.2 of 2017) #793 Autotools|CMake: Fix PACKAGE_BUGREPORT variable #750 #786 Autotools|CMake: Make test suite require a C++11 compiler #749 CMake: Require CMake >=3.5.0 #672 CMake: Lowercase off_t and size_t to help a bug in Meson #746 CMake: Sort xmlwf sources alphabetically #785 CMake|Windows: Fix generation of DLL file version info #790 CMake: Build tests/benchmark/benchmark.c as well for a build with -DEXPAT_BUILD_TESTS=ON #745 #757 docs: Document the importance of isFinal + adjust tests accordingly #736 docs: Improve use of "NULL" and "null" #713 docs: Be specific about version of XML (XML 1.0r4) and version of C (C99); (XML 1.0r5 will need a sponsor.) #762 docs: reference.html: Promote function XML_ParseBuffer more #779 docs: reference.html: Add HTML anchors to XML_* macros #760 docs: reference.html: Upgrade to OK.css 1.2.0 #763 #739 docs: Fix typos #696 docs|CI: Use HTTPS URLs instead of HTTP at various places #669 #670 .. #692 #703 .. #733 #772 Address compiler warnings #798 #800 Address clang-tidy warnings #775 #776 Version info bumped from 9:10:8 (libexpat*.so.1.8.10) to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/ for what these numbers do Infrastructure: #700 #701 docs: Document security policy in file SECURITY.md #766 docs: Improve parse buffer variables in-code documentation #674 #738 .. #740 #747 .. #748 #781 #782 Refactor coverage and conformance tests #714 #716 Refactor debug level variables to unsigned long #671 Improve handling of empty environment variable value in function getDebugLevel (without visible user effect) #755 #774 .. #758 #783 .. #784 #787 tests: Improve test coverage with regard to parse chunk size #660 #797 #801 Fuzzing: Improve fuzzing coverage #367 #799 Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests #698 #721 CI: Resolve some Travis CI leftovers #669 CI: Be robust towards absence of Git tags #693 #694 CI: Set permissions to "contents: read" for security #709 CI: Pin all GitHub Actions to specific commits for security #739 CI: Reject spelling errors using codespell #798 CI: Enforce clang-tidy clean code #773 #808 .. #809 #810 CI: Upgrade Clang from 15 to 18 #796 CI: Start using Clang's Control Flow Integrity sanitizer #675 #720 #722 CI: Adapt to breaking changes in GitHub Actions Ubuntu images #689 CI: Adapt to breaking changes in Clang/LLVM Debian packaging #763 CI: Adapt to breaking changes in codespell #803 CI: Adapt to breaking changes in Cppcheck Signed-off-by: Adolf Belka --- config/rootfiles/common/expat | 21 +++++++++++---------- lfs/expat | 8 ++++---- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/config/rootfiles/common/expat b/config/rootfiles/common/expat index 233c46283..499f99f8e 100644 --- a/config/rootfiles/common/expat +++ b/config/rootfiles/common/expat @@ -3,20 +3,21 @@ #usr/include/expat_config.h #usr/include/expat_external.h #usr/lib/cmake -#usr/lib/cmake/expat-2.5.0 -#usr/lib/cmake/expat-2.5.0/expat-config-version.cmake -#usr/lib/cmake/expat-2.5.0/expat-config.cmake -#usr/lib/cmake/expat-2.5.0/expat-noconfig.cmake -#usr/lib/cmake/expat-2.5.0/expat.cmake +#usr/lib/cmake/expat-2.6.0 +#usr/lib/cmake/expat-2.6.0/expat-config-version.cmake +#usr/lib/cmake/expat-2.6.0/expat-config.cmake +#usr/lib/cmake/expat-2.6.0/expat-noconfig.cmake +#usr/lib/cmake/expat-2.6.0/expat.cmake #usr/lib/libexpat.la #usr/lib/libexpat.so usr/lib/libexpat.so.1 -usr/lib/libexpat.so.1.8.10 +usr/lib/libexpat.so.1.9.0 #usr/lib/pkgconfig/expat.pc #usr/share/doc/expat -#usr/share/doc/expat-2.5.0 -#usr/share/doc/expat-2.5.0/ok.min.css -#usr/share/doc/expat-2.5.0/reference.html -#usr/share/doc/expat-2.5.0/style.css +#usr/share/doc/expat-2.6.0 +#usr/share/doc/expat-2.6.0/ok.min.css +#usr/share/doc/expat-2.6.0/reference.html +#usr/share/doc/expat-2.6.0/style.css #usr/share/doc/expat/AUTHORS #usr/share/doc/expat/changelog +#usr/share/man/man1/xmlwf.1 diff --git a/lfs/expat b/lfs/expat index a89b6d114..acfdba6ea 100644 --- a/lfs/expat +++ b/lfs/expat @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team # +# Copyright (C) 2007-2024 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,10 +24,10 @@ include Config -VER = 2.5.0 +VER = 2.6.0 THISAPP = expat-$(VER) -DL_FILE = $(THISAPP).tar.bz2 +DL_FILE = $(THISAPP).tar.xz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 15a5dcd3af17995fb4299301710b38d609c1fe7a8d6a6284581fedd96e89e0c16526d0342fb55773ac9d678cd65dc5cdb1532c764eeb3a20ccdf1e168b96e337 +$(DL_FILE)_BLAKE2 = 2f0117317bde4e03d8662bcac1ff6c2bbb1af694846b21a82ac12d11ccd43032b481af72fa35298c3cb19b7426dba6a67e703904ca7b05663ffd854a42348bd0 install : $(TARGET)