From patchwork Sun Apr 26 21:37:41 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 9736
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] expat: Update to version 2.8.0
Date: Sun, 26 Apr 2026 23:37:41 +0200
Message-ID: <20260426213741.2816601-1-adolf.belka@ipfire.org>
Precedence: list

- Update from version 2.7.5 to 2.8.0
- Update of rootfile
- CVE fix
- Changelog
    2.8.0
      Security fixes:
        47 1183 CVE-2026-41080 -- The existing hash flooding protection
          (based on SipHash) only used 4 to 8 bytes of entropy for a salt,
          when 16 bytes of salt are supported by the implementation of
          SipHash used by Expat. Now full 16 bytes of entropy are used to
          improve protection against hash flooding attacks.
          Existing API function XML_SetHashSalt is now deprecated because
          of its limitations, and its use should be considered a
          vulnerability. Please either use the new API function
          XML_SetHashSalt16Bytes (with known-high-quality entropy input
          only!) instead, or leave the derivation of a 16-bytes hash salt
          from high quality entropy to Expat's internal machinery (by
          *not* calling either of the two XML_SetHashSalt* functions).
      Bug fixes:
        1188 Avoid propagating /dev/urandom file descriptor to child
          processes
        1193 Fix interpretation of `errno` after randomization calls
        1195 Avoid assuming uint8_t is a character type
      Other changes:
        1180 1199 Add support for `getentropy(3)` as a source of entropy;
          this helps with protecting against hash flooding attacks, in
          particular with WASI SDK (where none of the other entropy
          sources supported by libexpat are available).
        1200 Autotools: Add `--without-arc4random` and
          `--without-arc4random-buf`
        1200 Autotools: Make `./configure` output report on available high
          quality entropy sources
        1173 Autotools|macOS: Sync CMake templates with CMake 4.3.0
        1201 Autotools|CMake: Improve checks for `arc4random` and
          `arc4random_buf` e.g. with modern glibc
        1201 CMake: Report on availability of functions `arc4random` and
          `arc4random_buf`
        1201 CMake: Mark entropy related build switches as advanced
        1189 .. 1203 1204 Extract new files from entropy extraction code
        1194 Stop duplicating C tests 1:1 as C++ ("runtests_cxx")
        1202 Fix a comment typo in expat_external.h
        1187 Fix grammar in compile error message
        1192 examples: Build warning-free with -Wwrite-strings
        1171 tests: Address harmless warning from Coverity
        1170 1176 Sync file headers
        1190 1206 Version info bumped from 12:3:11 (libexpat*.so.1.11.3)
          to 13:0:12 (libexpat*.so.1.12.0); see https://verbump.de/
          for what these numbers do
      Infrastructure:
        1166 1167 .. 1172 1175 .. 1178 1179 .. 1185 1205 CI: Make Perl
          XML::Parser integration tests run against both version 2.47 and
          the latest release 2.58
        1169 CI: Adapt to breaking changes regarding Inno Setup
        1173 CI: Adapt to breaking changes regarding CMake
        1174 CI: Include public corpus of fuzzer `xml_lpm_fuzzer` with
          regression testing
        1181 1182 CI: Bump WASI SDK from 30 to 32

Signed-off-by: Adolf Belka
---
 config/rootfiles/common/expat | 20 ++++++++++----------
 lfs/expat                     |  4 ++--
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/config/rootfiles/common/expat b/config/rootfiles/common/expat index 93b23090b..611c2a203 100644 --- a/config/rootfiles/common/expat +++ b/config/rootfiles/common/expat
@@ -2,21 +2,21 @@ #usr/include/expat.h #usr/include/expat_config.h #usr/include/expat_external.h -#usr/lib/cmake/expat-2.7.5 -#usr/lib/cmake/expat-2.7.5/expat-config-version.cmake -#usr/lib/cmake/expat-2.7.5/expat-config.cmake -#usr/lib/cmake/expat-2.7.5/expat-noconfig.cmake -#usr/lib/cmake/expat-2.7.5/expat.cmake +#usr/lib/cmake/expat-2.8.0 +#usr/lib/cmake/expat-2.8.0/expat-config-version.cmake +#usr/lib/cmake/expat-2.8.0/expat-config.cmake +#usr/lib/cmake/expat-2.8.0/expat-noconfig.cmake +#usr/lib/cmake/expat-2.8.0/expat.cmake #usr/lib/libexpat.la #usr/lib/libexpat.so usr/lib/libexpat.so.1 -usr/lib/libexpat.so.1.11.3 +usr/lib/libexpat.so.1.12.0 #usr/lib/pkgconfig/expat.pc #usr/share/doc/expat -#usr/share/doc/expat-2.7.5 -#usr/share/doc/expat-2.7.5/ok.min.css -#usr/share/doc/expat-2.7.5/reference.html -#usr/share/doc/expat-2.7.5/style.css +#usr/share/doc/expat-2.8.0 +#usr/share/doc/expat-2.8.0/ok.min.css +#usr/share/doc/expat-2.8.0/reference.html +#usr/share/doc/expat-2.8.0/style.css #usr/share/doc/expat/AUTHORS #usr/share/doc/expat/changelog #usr/share/man/man1/xmlwf.1 diff --git a/lfs/expat b/lfs/expat index 3f00072bd..f14e48ab5 100644 --- a/lfs/expat +++ b/lfs/expat @@ -24,7 +24,7 @@ include Config -VER = 2.7.5 +VER = 2.8.0 THISAPP = expat-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 97adfd7cb056066e3a3ec9ef1808d298bc935eb0d17ffca23bcf75810290c8ed8377b21d67b2e1b4a27773057f49f95da9a8f2e368d02d266c980bebbeb1b009 +$(DL_FILE)_BLAKE2 = e7b5f20e9960085d2bcfd88ac590e70a9aaebcc4b1411064d008af638bdf4189730d6fd9772d518dc4c38c3cefc649ed31c1e3ad7de64125377dba8c6d2e01b8 install : $(TARGET)
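
Review bot: In the config/rootfiles/common/expat hunk the shipped library changes name from usr/lib/libexpat.so.1.11.3 to usr/lib/libexpat.so.1.12.0, and nothing in this two-file patch removes the old file on systems that are upgraded rather than freshly installed. Please confirm that the stale 1.11.3 library is cleaned up by the update that ships this change, so that no copy of the pre-2.8.0 code stays on disk. The unchanged usr/lib/libexpat.so.1 entry is consistent with the 13:0:12 version info quoted in the changelog, so dependents should not need relinking.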
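
Review bot: The VER = 2.8.0 change in the first lfs/expat hunk brings in the deprecation of XML_SetHashSalt, which the quoted changelog says should now be considered a vulnerability when used, but the patch gives no indication of whether anything in the tree that links against libexpat calls it. A search of the dependent packages' sources for XML_SetHashSalt, with the result noted in the commit message, would show whether the CVE-2026-41080 fix takes full effect with this update alone or whether callers also need attention.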
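
Review bot: The new $(DL_FILE)_BLAKE2 value in the second lfs/expat hunk only pins whatever tarball was downloaded when the patch was prepared, and the commit message does not say that expat-2.8.0.tar.xz was checked against upstream's published checksum or signature first. Since this is a security update, please add a line stating how the archive was verified before the digest was computed.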