expat: Update to version 2.7.2

Message ID 20250917110940.3378937-6-adolf.belka@ipfire.org
State Staged
Commit 59b4901d426b0f8f3747712d3f52002149822e86
Series expat: Update to version 2.7.2

Commit Message

Adolf Belka 17 Sep 2025, 11:09 a.m. UTC
- Update from version 2.7.1 to 2.7.2
- Update of rootfile
- CVE fix
- Changelog
    2.7.2
        Security fixes:
            CVE-2025-59375 -- Disallow use of disproportional amounts of
                    dynamic memory from within an Expat parser (e.g. previously
                    a ~250 KiB sized document was able to cause allocation of
                    ~800 MiB from the heap, i.e. an "amplification" of factor
                    ~3,300); once a threshold (that defaults to 64 MiB) is
                    reached, a maximum amplification factor (that defaults to
                    100.0) is enforced, and violating documents are rejected
                    with an out-of-memory error.
                    There are two new API functions to fine-tune this new
                    behavior:
                      - XML_SetAllocTrackerActivationThreshold
                      - XML_SetAllocTrackerMaximumAmplification .
                    If you ever need to increase these defaults for non-attack
                    XML payload, please file a bug report with libexpat.
                      There is also a new environment variable
                    EXPAT_MALLOC_DEBUG=(0|1|2) to control the verbosity
                    of allocations debugging at runtime, disabled by default.
                      Known impact is (reliable and easy) denial of service:
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
                    (Base Score: 7.5, Temporal Score: 7.2)
                    Please note that a layer of compression around XML can
                    significantly reduce the minimum attack payload size.
                      Distributors intending to backport (or cherry-pick) the
                    fix need to copy 99% of the related pull request, not just
                    the "lib: Implement tracking of dynamic memory allocations"
                    commit, to not end up with a state that literally does both
                    too much and too little at the same time. Appending ".diff"
                    to the pull request URL could be of help.
        Other changes:
            Autotools: Sync CMake templates with CMake 3.31 for macOS
            CMake: Drop support for CMake <3.15
            CMake: Fix off_t detection for -Werror
            CMake|Windows: Fix -DEXPAT_MSVC_STATIC_CRT=ON
            Windows: Drop support for Visual Studio <=16.0/2019
            xmlwf: Mention supported environment variables in
                --help output
            xmlwf: Fix (internal) help generator
            docs: Promote the contract to call function
                XML_FreeContentModel when registering a custom
                element declaration handler (via a call to function
                XML_SetElementDeclHandler)
            docs: Add missing <p>..</p> wrap
            docs: Drop AppVeyor badge
            tests: Fix portable_strndup
            Drop casts around malloc/free/realloc that C99 does not need
            Replace empty for-loops with while loops
            Add const with internal XmlInitUnknownEncodingNS
            Drop an OpenVMS support leftover
            Address more clang-tidy warnings
            Version info bumped from 11:2:10 (libexpat*.so.1.10.2)
                to 12:0:11 (libexpat*.so.1.11.0); see https://verbump.de/
                for what these numbers do
        Infrastructure:
            CI: Cover compilation on FreeBSD
            CI: Upgrade Clang from 19 to 21
            CI: Make calling Cppcheck without --suppress=objectIndex
                and --suppress=unknownMacro possible
            CI|Windows: Get off of deprecated image "windows-2019"
            CI: Adapt to breaking changes in GitHub Actions

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/common/expat | 20 ++++++++++----------
 lfs/expat                     |  4 ++--
 2 files changed, 12 insertions(+), 12 deletions(-)
  

Patch

diff --git a/config/rootfiles/common/expat b/config/rootfiles/common/expat
index 7c34af7c8..1ef7450df 100644
--- a/config/rootfiles/common/expat
+++ b/config/rootfiles/common/expat
@@ -2,21 +2,21 @@ 
 #usr/include/expat.h
 #usr/include/expat_config.h
 #usr/include/expat_external.h
-#usr/lib/cmake/expat-2.7.1
-#usr/lib/cmake/expat-2.7.1/expat-config-version.cmake
-#usr/lib/cmake/expat-2.7.1/expat-config.cmake
-#usr/lib/cmake/expat-2.7.1/expat-noconfig.cmake
-#usr/lib/cmake/expat-2.7.1/expat.cmake
+#usr/lib/cmake/expat-2.7.2
+#usr/lib/cmake/expat-2.7.2/expat-config-version.cmake
+#usr/lib/cmake/expat-2.7.2/expat-config.cmake
+#usr/lib/cmake/expat-2.7.2/expat-noconfig.cmake
+#usr/lib/cmake/expat-2.7.2/expat.cmake
 #usr/lib/libexpat.la
 #usr/lib/libexpat.so
 usr/lib/libexpat.so.1
-usr/lib/libexpat.so.1.10.2
+usr/lib/libexpat.so.1.11.0
 #usr/lib/pkgconfig/expat.pc
 #usr/share/doc/expat
-#usr/share/doc/expat-2.7.1
-#usr/share/doc/expat-2.7.1/ok.min.css
-#usr/share/doc/expat-2.7.1/reference.html
-#usr/share/doc/expat-2.7.1/style.css
+#usr/share/doc/expat-2.7.2
+#usr/share/doc/expat-2.7.2/ok.min.css
+#usr/share/doc/expat-2.7.2/reference.html
+#usr/share/doc/expat-2.7.2/style.css
 #usr/share/doc/expat/AUTHORS
 #usr/share/doc/expat/changelog
 #usr/share/man/man1/xmlwf.1
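
Review bot: The shipped (uncommented) library entry changes from usr/lib/libexpat.so.1.10.2 to usr/lib/libexpat.so.1.11.0 while usr/lib/libexpat.so.1 stays, so the rootfile no longer tracks the 1.10.2 file. Please confirm that the update shipping this package removes the old usr/lib/libexpat.so.1.10.2 on upgraded systems, so that no copy of the library without the CVE-2025-59375 fix remains on disk, and that usr/lib/libexpat.so.1 ends up pointing at the 1.11.0 file.
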
diff --git a/lfs/expat b/lfs/expat
index b88c4e197..77fd84bfc 100644
--- a/lfs/expat
+++ b/lfs/expat
@@ -24,7 +24,7 @@ 
 
 include Config
 
-VER        = 2.7.1
+VER        = 2.7.2
 
 THISAPP    = expat-$(VER)
 DL_FILE    = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 243ef1c3578234135018d31b567c88a50cadddac86441e4d4a6d6330e113596edbad13b40c79f541d49487e7df98d798032d39ec28b7d67d22f46e4290d14519
+$(DL_FILE)_BLAKE2 = 35525274817dab4d6ae8698f5f83978e633a6e4afe7cf3b126c87d5aba4b64bcb9d26ec3e4a39b1ea82a7430e290950595bfa4150266ef3806026b423a870e33
 
 install : $(TARGET)
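
Review bot: The new $(DL_FILE)_BLAKE2 value is the only integrity check on expat-2.7.2.tar.xz visible in this hunk, and the commit message does not say how it was obtained. Since this is a security update, please note that the hash was computed from a tarball verified against the upstream release (signature or published checksum) rather than only from the copy fetched through $(DL_FROM).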