expat: Update to version 2.8.2
Commit Message
- Update from version 2.8.1 to 2.8.2
- Update of rootfile
- 13 CVE fixes
- Changelog
2.8.2
Security fixes:
#1246 CVE-2026-50219 -- Disallow calls to functions
`XML_GetBuffer`, `XML_Parse`, `XML_ParseBuffer`,
`XML_ParserFree`, `XML_ParserReset` to guard e.g.
Expat bindings from memory corruption;
this CPython issue is related:
https://github.com/python/cpython/issues/146169
#1267 CVE-2026-56131 -- Protect XML_ResumeParser from being called
from a handler, plugging a hole in the fix
to CVE-2026-50219
#1272 CVE-2026-56132 -- Fix out-of-bound scaffolding index store
in `doProlog`
#1229 #1232 CVE-2026-56403 -- Integer overflow in `storeAtts`
#1249 CVE-2026-56404 -- Integer overflow in `addBinding`
#1251 CVE-2026-56405 -- Integer overflow in `getAttributeId`
#1255 CVE-2026-56406 -- Integer overflow in `XML_ParseBuffer`
#1262 CVE-2026-56407 -- Integer overflow in `textLen` handling
#565 CVE-2026-56408 -- Integer overflow in `copyString`
(commit 16e2efd867ea8567ffa012210b52ef5918e20817)
#1259 CVE-2026-56409 -- xmlwf: Integer overflow in output path join
#1252 CVE-2026-56410 -- xmlwf: Integer overflow in
`resolveSystemId`
#1263 CVE-2026-56411 -- xmlwf: Integer overflow in notation list
allocation
#1278 CVE-2026-56412 -- Guard XML_TOK_DATA_CHARS handler calls in
`doCdataSection`, plugging a hole in the fix to
CVE-2026-50219
Bug fixes:
#1260 xmlwf: Escape names and base URI in meta output
#1266 xmlwf: Pick a safe quote for notation system and public IDs
Other changes:
#1257 CMake|Autotools: Stop using /dev/urandom by default
#1244 #1254 CMake: Fix guard for Unix sources of entropy
#1183 #1270 CMake|Windows: Add missing export for symbol
`XML_SetHashSalt16Bytes`
#1236 CMake: Mark option EXPAT_OSSFUZZ_BUILD as advanced
#1283 Limit output indentation for EXPAT_ENTITY_DEBUG=1 and
allow unlimited indentation via EXPAT_ENTITY_DEBUG=2
#565 Replace some loops by use of `memcpy`, `strlen`, `wcslen`
#1220 lib: Use a size_t for group sizes
#1221 lib: Fix too-conservative integer overflow check when
appending raw name
#1222 lib: Simplify attribute allocation/management logic
#1224 Update fallthrough annotations to satisfy Clang and GCC
#1226 lib: Remove unnecessary void * casts in random code
#1228 lib: Reduce scope of locals in storeAtts
#1230 lib: Count attributes with size_t variables
#1238 Minor get-buffer improvements
#1239 #1240 lib|tests: Include header expat_config.h first
#1241 lib: Shrink size of XML_GetBuffer
#1242 lib: Remove a legacy comment
#1243 lib: XML_ParserReset: Extract repeated linked-list move logic
#1243 lib: Unify entity free lists
#1247 lib: Fix use of '0' as boolean literal
#1248 lib: Make XML_Index overflow check more intuitive
#1256 lib: Use size_t for counting string/URI lengths
#1258 lib: XML_GetInputContext: Remove use of 0 for NULL
#1261 Comment typo fixes
#1275 Teach Memory Sanitizer semantics of randomization functions
#1276 #1281 Version info bumped from 13:1:12 (libexpat*.so.1.12.1)
to 13:2:12 (libexpat*.so.1.12.2); see https://verbump.de/
for what these numbers do
Infrastructure:
#1231 perl-integration.yml: Bump to XML::Parser 2.59
#1237 emscripten.yml: Bump from Ubuntu 22.04 to 24.04
#1183 #1271 windows-build.yml: Cover completeness of file
libexpat.def.cmake
#1274 linux.yml: Make llvm-symbolizer available in CI
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
config/rootfiles/common/expat | 20 ++++++++++----------
lfs/expat | 4 ++--
2 files changed, 12 insertions(+), 12 deletions(-)
@@ -2,21 +2,21 @@
#usr/include/expat.h
#usr/include/expat_config.h
#usr/include/expat_external.h
-#usr/lib/cmake/expat-2.8.1
-#usr/lib/cmake/expat-2.8.1/expat-config-version.cmake
-#usr/lib/cmake/expat-2.8.1/expat-config.cmake
-#usr/lib/cmake/expat-2.8.1/expat-noconfig.cmake
-#usr/lib/cmake/expat-2.8.1/expat.cmake
+#usr/lib/cmake/expat-2.8.2
+#usr/lib/cmake/expat-2.8.2/expat-config-version.cmake
+#usr/lib/cmake/expat-2.8.2/expat-config.cmake
+#usr/lib/cmake/expat-2.8.2/expat-noconfig.cmake
+#usr/lib/cmake/expat-2.8.2/expat.cmake
#usr/lib/libexpat.la
#usr/lib/libexpat.so
usr/lib/libexpat.so.1
-usr/lib/libexpat.so.1.12.1
+usr/lib/libexpat.so.1.12.2
#usr/lib/pkgconfig/expat.pc
#usr/share/doc/expat
-#usr/share/doc/expat-2.8.1
-#usr/share/doc/expat-2.8.1/ok.min.css
-#usr/share/doc/expat-2.8.1/reference.html
-#usr/share/doc/expat-2.8.1/style.css
+#usr/share/doc/expat-2.8.2
+#usr/share/doc/expat-2.8.2/ok.min.css
+#usr/share/doc/expat-2.8.2/reference.html
+#usr/share/doc/expat-2.8.2/style.css
#usr/share/doc/expat/AUTHORS
#usr/share/doc/expat/changelog
#usr/share/man/man1/xmlwf.1
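Review bot: The `usr/lib/libexpat.so.1.12.1` entry is only dropped from the rootfile; nothing in this two-file patch removes that file from systems that already have it installed. If the update mechanism does not delete files that leave a rootfile, the 2.8.1 library without the 13 CVE fixes stays on disk next to `usr/lib/libexpat.so.1.12.2`, so consider adding an explicit removal in the update that ships this change. The unchanged `usr/lib/libexpat.so.1` line agrees with the changelog's version info bump from 13:1:12 to 13:2:12, so the soname stays the same and dependants should not need relinking.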
@@ -24,7 +24,7 @@
include Config
-VER = 2.8.1
+VER = 2.8.2
THISAPP = expat-$(VER)
DL_FILE = $(THISAPP).tar.xz
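Review bot: `VER = 2.8.2` brings in behaviour changes as well as overflow fixes, and the commit message does not say what was tested. The changelog entries for CVE-2026-50219, CVE-2026-56131 and CVE-2026-56412 disallow or guard API calls rather than only correcting arithmetic, and the first one names Expat bindings as the callers being protected. A line stating that the packages linking against `libexpat.so.1` were built and exercised against 2.8.2 would help.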
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 529551f960a1e611be6a0e9ff579e136ccad676d7e99ef8183bbee83969bf4cd37177444759ccbccc48c1bd49d2b0c3bd8f1f91862f272b54a23ad1b932d2f9d
+$(DL_FILE)_BLAKE2 = f037cb75f86652fbddd3474f2b7a1293e9b77b540475fa34432a8304ddc58b3eafbab5150a5b591fc4a889d895507b0d379032cdd0c474445ac0aa9e518bef18
install : $(TARGET)
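Review bot: The new `$(DL_FILE)_BLAKE2` value cannot be checked from the patch itself, and the commit message does not record how the 2.8.2 tarball was authenticated. Please state that `expat-2.8.2.tar.xz` was verified against the upstream release (signature or published digest) before the BLAKE2 sum was computed, since later builds will trust this digest.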