From patchwork Wed Sep 17 11:09:36 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 9107
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] expat: Update to version 2.7.2
Date: Wed, 17 Sep 2025 13:09:36 +0200
Message-ID: <20250917110940.3378937-6-adolf.belka@ipfire.org>
In-Reply-To: <20250917110940.3378937-1-adolf.belka@ipfire.org>
References: <20250917110940.3378937-1-adolf.belka@ipfire.org>

- Update from version 2.7.1 to 2.7.2
- Update of rootfile
- CVE fix
- Changelog
    2.7.2
      Security fixes:
        CVE-2025-59375 -- Disallow use of disproportional amounts of
          dynamic memory from within an Expat parser (e.g. previously
          a ~250 KiB sized document was able to cause allocation of
          ~800 MiB from the heap, i.e. an "amplification" of factor
          ~3,300); once a threshold (that defaults to 64 MiB) is
          reached, a maximum amplification factor (that defaults to
          100.0) is enforced, and violating documents are rejected
          with an out-of-memory error.
          There are two new API functions to fine-tune this new
          behavior:
          - XML_SetAllocTrackerActivationThreshold
          - XML_SetAllocTrackerMaximumAmplification .
          If you ever need to increase these defaults for non-attack
          XML payload, please file a bug report with libexpat.

          There is also a new environment variable
          EXPAT_MALLOC_DEBUG=(0|1|2) to control the verbosity of
          allocations debugging at runtime, disabled by default.

          Known impact is (reliable and easy) denial of service:
          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
          (Base Score: 7.5, Temporal Score: 7.2)

          Please note that a layer of compression around XML can
          significantly reduce the minimum attack payload size.

          Distributors intending to backport (or cherry-pick) the fix
          need to copy 99% of the related pull request, not just the
          "lib: Implement tracking of dynamic memory allocations"
          commit, to not end up with a state that literally does both
          too much and too little at the same time. Appending ".diff"
          to the pull request URL could be of help.
      Other changes:
        Autotools: Sync CMake templates with CMake 3.31 for macOS
        CMake: Drop support for CMake <3.15
        CMake: Fix off_t detection for -Werror
        CMake|Windows: Fix -DEXPAT_MSVC_STATIC_CRT=ON
        Windows: Drop support for Visual Studio <=16.0/2019
        xmlwf: Mention supported environment variables in --help output
        xmlwf: Fix (internal) help generator
        docs: Promote the contract to call function
          XML_FreeContentModel when registering a custom element
          declaration handler (via a call to function
          XML_SetElementDeclHandler)
        docs: Add missing .. wrap
        docs: Drop AppVeyor badge
        tests: Fix portable_strndup
        Drop casts around malloc/free/realloc that C99 does not need
        Replace empty for-loops with while loops
        Add const with internal XmlInitUnknownEncodingNS
        Drop an OpenVMS support leftover
        Address more clang-tidy warnings
        Version info bumped from 11:2:10 (libexpat*.so.1.10.2)
          to 12:0:11 (libexpat*.so.1.11.0); see https://verbump.de/
          for what these numbers do
      Infrastructure:
        CI: Cover compilation on FreeBSD
        CI: Upgrade Clang from 19 to 21
        CI: Make calling Cppcheck without --suppress=objectIndex
          and --suppress=unknownMacro possible
        CI|Windows: Get off of deprecated image "windows-2019"
        CI: Adapt to breaking changes in GitHub Actions

Signed-off-by: Adolf Belka
--- config/rootfiles/common/expat | 20 ++++++++++---------- lfs/expat | 4 ++-- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/config/rootfiles/common/expat b/config/rootfiles/common/expat index 7c34af7c8..1ef7450df 100644 --- a/config/rootfiles/common/expat +++ b/config/rootfiles/common/expat
@@ -2,21 +2,21 @@ #usr/include/expat.h #usr/include/expat_config.h #usr/include/expat_external.h -#usr/lib/cmake/expat-2.7.1 -#usr/lib/cmake/expat-2.7.1/expat-config-version.cmake -#usr/lib/cmake/expat-2.7.1/expat-config.cmake -#usr/lib/cmake/expat-2.7.1/expat-noconfig.cmake -#usr/lib/cmake/expat-2.7.1/expat.cmake +#usr/lib/cmake/expat-2.7.2 +#usr/lib/cmake/expat-2.7.2/expat-config-version.cmake +#usr/lib/cmake/expat-2.7.2/expat-config.cmake +#usr/lib/cmake/expat-2.7.2/expat-noconfig.cmake +#usr/lib/cmake/expat-2.7.2/expat.cmake #usr/lib/libexpat.la #usr/lib/libexpat.so usr/lib/libexpat.so.1 -usr/lib/libexpat.so.1.10.2 +usr/lib/libexpat.so.1.11.0 #usr/lib/pkgconfig/expat.pc #usr/share/doc/expat -#usr/share/doc/expat-2.7.1 -#usr/share/doc/expat-2.7.1/ok.min.css -#usr/share/doc/expat-2.7.1/reference.html -#usr/share/doc/expat-2.7.1/style.css +#usr/share/doc/expat-2.7.2 +#usr/share/doc/expat-2.7.2/ok.min.css +#usr/share/doc/expat-2.7.2/reference.html +#usr/share/doc/expat-2.7.2/style.css #usr/share/doc/expat/AUTHORS #usr/share/doc/expat/changelog #usr/share/man/man1/xmlwf.1 diff --git a/lfs/expat b/lfs/expat index b88c4e197..77fd84bfc 100644 --- a/lfs/expat +++ b/lfs/expat @@ -24,7 +24,7 @@ include Config -VER = 2.7.1 +VER = 2.7.2 THISAPP = expat-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 243ef1c3578234135018d31b567c88a50cadddac86441e4d4a6d6330e113596edbad13b40c79f541d49487e7df98d798032d39ec28b7d67d22f46e4290d14519 +$(DL_FILE)_BLAKE2 = 35525274817dab4d6ae8698f5f83978e633a6e4afe7cf3b126c87d5aba4b64bcb9d26ec3e4a39b1ea82a7430e290950595bfa4150266ef3806026b423a870e33 install : $(TARGET)
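
Review bot: In the config/rootfiles/common/expat hunk, the versioned library entry moves from usr/lib/libexpat.so.1.10.2 to usr/lib/libexpat.so.1.11.0 while usr/lib/libexpat.so.1 is left as it is, and the commit message covers this only with "Update of rootfile". Please say in the message whether packages linked against libexpat.so.1 need rebuilding, so that whoever merges this CVE-2025-59375 fix does not have to derive it from the version info line in the quoted changelog.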
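
Review bot: The new $(DL_FILE)_BLAKE2 line in the last lfs/expat hunk is the only integrity check on expat-2.7.2.tar.xz visible in this patch, and the commit message does not say how the value was obtained. Add a line to the message stating that the hash was computed over a tarball checked against the upstream release (signature or published checksum), so a reviewer can reproduce it rather than trust the hex string.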