From patchwork Tue Jun 30 11:15:17 2026
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 9981
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] expat: Update to version 2.8.2
Date: Tue, 30 Jun 2026 13:15:17 +0200
Message-ID: <20260630111523.1271203-6-adolf.belka@ipfire.org>
In-Reply-To: <20260630111523.1271203-1-adolf.belka@ipfire.org>
References: <20260630111523.1271203-1-adolf.belka@ipfire.org>

- Update from version 2.8.1 to 2.8.2
- Update of rootfile
- 13 CVE fixes
- Changelog
    2.8.2
        Security fixes:
            #1246  CVE-2026-50219 -- Disallow calls to functions `XML_GetBuffer`, `XML_Parse`, `XML_ParseBuffer`, `XML_ParserFree`, `XML_ParserReset` to guard e.g. Expat bindings from memory corruption; this CPython issue is related: https://github.com/python/cpython/issues/146169
            #1267  CVE-2026-56131 -- Protect XML_ResumeParser from being called from a handler, plugging a hole in the fix to CVE-2026-50219
            #1272  CVE-2026-56132 -- Fix out-of-bound scaffolding index store in `doProlog`
            #1229 #1232  CVE-2026-56403 -- Integer overflow in `storeAtts`
            #1249  CVE-2026-56404 -- Integer overflow in `addBinding`
            #1251  CVE-2026-56405 -- Integer overflow in `getAttributeId`
            #1255  CVE-2026-56406 -- Integer overflow in `XML_ParseBuffer`
            #1262  CVE-2026-56407 -- Integer overflow in `textLen` handling
            #565  CVE-2026-56408 -- Integer overflow in `copyString` (commit 16e2efd867ea8567ffa012210b52ef5918e20817)
            #1259  CVE-2026-56409 -- xmlwf: Integer overflow in output path join
            #1252  CVE-2026-56410 -- xmlwf: Integer overflow in `resolveSystemId`
            #1263  CVE-2026-56411 -- xmlwf: Integer overflow in notation list allocation
            #1278  CVE-2026-56412 -- Guard XML_TOK_DATA_CHARS handler calls in `doCdataSection`, plugging a hole in the fix to CVE-2026-50219
        Bug fixes:
            #1260  xmlwf: Escape names and base URI in meta output
            #1266  xmlwf: Pick a safe quote for notation system and public IDs
        Other changes:
            #1257  CMake|Autotools: Stop using /dev/urandom by default
            #1244 #1254  CMake: Fix guard for Unix sources of entropy
            #1183 #1270  CMake|Windows: Add missing export for symbol `XML_SetHashSalt16Bytes`
            #1236  CMake: Mark option EXPAT_OSSFUZZ_BUILD as advanced
            #1283  Limit output indentation for EXPAT_ENTITY_DEBUG=1 and allow unlimited indentation via EXPAT_ENTITY_DEBUG=2
            #565  Replace some loops by use of `memcpy`, `strlen`, `wcslen`
            #1220  lib: Use a size_t for group sizes
            #1221  lib: Fix too-conservative integer overflow check when appending raw name
            #1222  lib: Simplify attribute allocation/management logic
            #1224  Update fallthrough annotations to satisfy Clang and GCC
            #1226  lib: Remove unnecessary void * casts in random code
            #1228  lib: Reduce scope of locals in storeAtts
            #1230  lib: Count attributes with size_t variables
            #1238  Minor get-buffer improvements
            #1239 #1240  lib|tests: Include header expat_config.h first
            #1241  lib: Shrink size of XML_GetBuffer
            #1242  lib: Remove a legacy comment
            #1243  lib: XML_ParserReset: Extract repeated linked-list move logic
            #1243  lib: Unify entity free lists
            #1247  lib: Fix use of '0' as boolean literal
            #1248  lib: Make XML_Index overflow check more intuitive
            #1256  lib: Use size_t for counting string/URI lengths
            #1258  lib: XML_GetInputContext: Remove use of 0 for NULL
            #1261  Comment typo fixes
            #1275  Teach Memory Sanitizer semantics of randomization functions
            #1276 #1281  Version info bumped from 13:1:12 (libexpat*.so.1.12.1) to 13:2:12 (libexpat*.so.1.12.2); see https://verbump.de/ for what these numbers do
        Infrastructure:
            #1231  perl-integration.yml: Bump to XML::Parser 2.59
            #1237  emscripten.yml: Bump from Ubuntu 22.04 to 24.04
            #1183 #1271  windows-build.yml: Cover completeness of file libexpat.def.cmake
            #1274  linux.yml: Make llvm-symbolizer available in CI

Signed-off-by: Adolf Belka
---
 config/rootfiles/common/expat | 20 ++++++++++----------
 lfs/expat                     |  4 ++--
 2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/config/rootfiles/common/expat b/config/rootfiles/common/expat index b13257ddb..0f15469d3 100644 --- a/config/rootfiles/common/expat +++ b/config/rootfiles/common/expat @@ -2,21 +2,21 @@ #usr/include/expat.h #usr/include/expat_config.h #usr/include/expat_external.h -#usr/lib/cmake/expat-2.8.1 -#usr/lib/cmake/expat-2.8.1/expat-config-version.cmake -#usr/lib/cmake/expat-2.8.1/expat-config.cmake -#usr/lib/cmake/expat-2.8.1/expat-noconfig.cmake -#usr/lib/cmake/expat-2.8.1/expat.cmake +#usr/lib/cmake/expat-2.8.2 +#usr/lib/cmake/expat-2.8.2/expat-config-version.cmake +#usr/lib/cmake/expat-2.8.2/expat-config.cmake +#usr/lib/cmake/expat-2.8.2/expat-noconfig.cmake +#usr/lib/cmake/expat-2.8.2/expat.cmake #usr/lib/libexpat.la #usr/lib/libexpat.so usr/lib/libexpat.so.1 -usr/lib/libexpat.so.1.12.1 +usr/lib/libexpat.so.1.12.2 #usr/lib/pkgconfig/expat.pc #usr/share/doc/expat -#usr/share/doc/expat-2.8.1 -#usr/share/doc/expat-2.8.1/ok.min.css -#usr/share/doc/expat-2.8.1/reference.html -#usr/share/doc/expat-2.8.1/style.css +#usr/share/doc/expat-2.8.2 +#usr/share/doc/expat-2.8.2/ok.min.css +#usr/share/doc/expat-2.8.2/reference.html +#usr/share/doc/expat-2.8.2/style.css #usr/share/doc/expat/AUTHORS #usr/share/doc/expat/changelog #usr/share/man/man1/xmlwf.1 diff --git a/lfs/expat b/lfs/expat index 2ba04ca09..480d98b65 100644 --- a/lfs/expat +++ b/lfs/expat @@ -24,7 +24,7 @@ include Config -VER = 2.8.1 +VER = 2.8.2 THISAPP = expat-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 529551f960a1e611be6a0e9ff579e136ccad676d7e99ef8183bbee83969bf4cd37177444759ccbccc48c1bd49d2b0c3bd8f1f91862f272b54a23ad1b932d2f9d +$(DL_FILE)_BLAKE2 = f037cb75f86652fbddd3474f2b7a1293e9b77b540475fa34432a8304ddc58b3eafbab5150a5b591fc4a889d895507b0d379032cdd0c474445ac0aa9e518bef18 install : $(TARGET)
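Review bot: No change needed in the config/rootfiles/common/expat hunk, but it is worth stating in the commit message that no dependent rebuild is required: the only shipped file that changes is `usr/lib/libexpat.so.1.12.1` -> `usr/lib/libexpat.so.1.12.2`, the `usr/lib/libexpat.so.1` entry is untouched, and the changelog's version-info bump from 13:1:12 to 13:2:12 is a revision-only change that keeps the same library interface. The `#usr/lib/cmake/expat-2.8.2*` and `#usr/share/doc/expat-2.8.2*` lines stay commented out, so nothing new lands in the image.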
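Review bot: The `$(DL_FILE)_BLAKE2` hunk in lfs/expat replaces the only value that pins the 2.8.2 tarball in the build, yet the commit message does not say how the new checksum was obtained; please add a line saying whether it was computed from a tarball checked against an upstream signature or upstream-published checksum, so a reviewer can distinguish a genuine source update from a substituted archive. That matters more than usual here, since 13 CVE fixes ride on this single hash.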