head 1.57; access; symbols pkgsrc-2023Q4:1.54.0.10 pkgsrc-2023Q4-base:1.54 pkgsrc-2023Q3:1.54.0.8 pkgsrc-2023Q3-base:1.54 pkgsrc-2023Q2:1.54.0.6 pkgsrc-2023Q2-base:1.54 pkgsrc-2023Q1:1.54.0.4 pkgsrc-2023Q1-base:1.54 pkgsrc-2022Q4:1.54.0.2 pkgsrc-2022Q4-base:1.54 pkgsrc-2022Q3:1.53.0.2 pkgsrc-2022Q3-base:1.53 pkgsrc-2022Q2:1.52.0.4 pkgsrc-2022Q2-base:1.52 pkgsrc-2022Q1:1.52.0.2 pkgsrc-2022Q1-base:1.52 pkgsrc-2021Q4:1.47.0.6 pkgsrc-2021Q4-base:1.47 pkgsrc-2021Q3:1.47.0.4 pkgsrc-2021Q3-base:1.47 pkgsrc-2021Q2:1.47.0.2 pkgsrc-2021Q2-base:1.47 pkgsrc-2021Q1:1.45.0.4 pkgsrc-2021Q1-base:1.45 pkgsrc-2020Q4:1.45.0.2 pkgsrc-2020Q4-base:1.45 pkgsrc-2020Q3:1.42.0.6 pkgsrc-2020Q3-base:1.42 pkgsrc-2020Q2:1.42.0.4 pkgsrc-2020Q2-base:1.42 pkgsrc-2020Q1:1.42.0.2 pkgsrc-2020Q1-base:1.42 pkgsrc-2019Q4:1.40.0.6 pkgsrc-2019Q4-base:1.40 pkgsrc-2019Q3:1.40.0.2 pkgsrc-2019Q3-base:1.40 pkgsrc-2019Q2:1.39.0.2 pkgsrc-2019Q2-base:1.39 pkgsrc-2019Q1:1.38.0.6 pkgsrc-2019Q1-base:1.38 pkgsrc-2018Q4:1.38.0.4 pkgsrc-2018Q4-base:1.38 pkgsrc-2018Q3:1.38.0.2 pkgsrc-2018Q3-base:1.38 pkgsrc-2018Q2:1.36.0.4 pkgsrc-2018Q2-base:1.36 pkgsrc-2018Q1:1.36.0.2 pkgsrc-2018Q1-base:1.36 pkgsrc-2017Q4:1.35.0.6 pkgsrc-2017Q4-base:1.35 pkgsrc-2017Q3:1.35.0.4 pkgsrc-2017Q3-base:1.35 pkgsrc-2017Q2:1.34.0.2 pkgsrc-2017Q2-base:1.34 pkgsrc-2017Q1:1.33.0.8 pkgsrc-2017Q1-base:1.33 pkgsrc-2016Q4:1.33.0.6 pkgsrc-2016Q4-base:1.33 pkgsrc-2016Q3:1.33.0.4 pkgsrc-2016Q3-base:1.33 pkgsrc-2016Q2:1.33.0.2 pkgsrc-2016Q2-base:1.33 pkgsrc-2016Q1:1.31.0.2 pkgsrc-2016Q1-base:1.31 pkgsrc-2015Q4:1.29.0.4 pkgsrc-2015Q4-base:1.29 pkgsrc-2015Q3:1.29.0.2 pkgsrc-2015Q3-base:1.29 pkgsrc-2015Q2:1.28.0.6 pkgsrc-2015Q2-base:1.28 pkgsrc-2015Q1:1.28.0.4 pkgsrc-2015Q1-base:1.28 pkgsrc-2014Q4:1.28.0.2 pkgsrc-2014Q4-base:1.28 pkgsrc-2014Q3:1.27.0.16 pkgsrc-2014Q3-base:1.27 pkgsrc-2014Q2:1.27.0.14 pkgsrc-2014Q2-base:1.27 pkgsrc-2014Q1:1.27.0.12 pkgsrc-2014Q1-base:1.27 pkgsrc-2013Q4:1.27.0.10 pkgsrc-2013Q4-base:1.27 pkgsrc-2013Q3:1.27.0.8 pkgsrc-2013Q3-base:1.27 pkgsrc-2013Q2:1.27.0.6 pkgsrc-2013Q2-base:1.27 pkgsrc-2013Q1:1.27.0.4 pkgsrc-2013Q1-base:1.27 pkgsrc-2012Q4:1.27.0.2 pkgsrc-2012Q4-base:1.27 pkgsrc-2012Q3:1.26.0.6 pkgsrc-2012Q3-base:1.26 pkgsrc-2012Q2:1.26.0.4 pkgsrc-2012Q2-base:1.26 pkgsrc-2012Q1:1.26.0.2 pkgsrc-2012Q1-base:1.26 pkgsrc-2011Q4:1.25.0.16 pkgsrc-2011Q4-base:1.25 pkgsrc-2011Q3:1.25.0.14 pkgsrc-2011Q3-base:1.25 pkgsrc-2011Q2:1.25.0.12 pkgsrc-2011Q2-base:1.25 TNF:1.1.1 pkgsrc-2011Q1:1.25.0.10 pkgsrc-2011Q1-base:1.25 pkgsrc-2010Q4:1.25.0.8 pkgsrc-2010Q4-base:1.25 pkgsrc-2010Q3:1.25.0.6 pkgsrc-2010Q3-base:1.25 pkgsrc-2010Q2:1.25.0.4 pkgsrc-2010Q2-base:1.25 pkgsrc-2010Q1:1.25.0.2 pkgsrc-2010Q1-base:1.25 pkgsrc-2009Q4:1.24.0.4 pkgsrc-2009Q4-base:1.24 pkgsrc-2009Q3:1.24.0.2 pkgsrc-2009Q3-base:1.24 pkgsrc-2009Q2:1.23.0.22 pkgsrc-2009Q2-base:1.23 pkgsrc-2009Q1:1.23.0.20 pkgsrc-2009Q1-base:1.23 pkgsrc-2008Q4:1.23.0.18 pkgsrc-2008Q4-base:1.23 pkgsrc-2008Q3:1.23.0.16 pkgsrc-2008Q3-base:1.23 cube-native-xorg:1.23.0.14 cube-native-xorg-base:1.23 pkgsrc-2008Q2:1.23.0.12 pkgsrc-2008Q2-base:1.23 cwrapper:1.23.0.10 pkgsrc-2008Q1:1.23.0.8 pkgsrc-2008Q1-base:1.23 pkgsrc-2007Q4:1.23.0.6 pkgsrc-2007Q4-base:1.23 pkgsrc-2007Q3:1.23.0.4 pkgsrc-2007Q3-base:1.23 pkgsrc-2007Q2:1.23.0.2 pkgsrc-2007Q2-base:1.23 pkgsrc-2007Q1:1.22.0.4 pkgsrc-2007Q1-base:1.22 pkgsrc-2006Q4:1.22.0.2 pkgsrc-2006Q4-base:1.22 pkgsrc-2006Q3:1.21.0.6 pkgsrc-2006Q3-base:1.21 pkgsrc-2006Q2:1.21.0.4 pkgsrc-2006Q2-base:1.21 pkgsrc-2006Q1:1.21.0.2 pkgsrc-2006Q1-base:1.21 pkgsrc-2005Q4:1.19.0.6 pkgsrc-2005Q4-base:1.19 pkgsrc-2005Q3:1.19.0.4 pkgsrc-2005Q3-base:1.19 pkgsrc-2005Q2:1.19.0.2 pkgsrc-2005Q2-base:1.19 pkgsrc-2005Q1:1.17.0.4 pkgsrc-2005Q1-base:1.17 pkgsrc-2004Q4:1.17.0.2 pkgsrc-2004Q4-base:1.17 pkgsrc-2004Q3:1.16.0.2 pkgsrc-2004Q3-base:1.16 pkgsrc-2004Q2:1.14.0.4 pkgsrc-2004Q2-base:1.14 pkgsrc-2004Q1:1.14.0.2 pkgsrc-2004Q1-base:1.14 pkgsrc-2003Q4:1.10.0.2 pkgsrc-2003Q4-base:1.10 netbsd-1-6-1:1.9.0.2 netbsd-1-6-1-base:1.9 netbsd-1-6:1.4.0.8 netbsd-1-6-RELEASE-base:1.4 pkgviews:1.4.0.4 pkgviews-base:1.4 buildlink2:1.4.0.2 buildlink2-base:1.5 netbsd-1-5-PATCH003:1.4 netbsd-1-5-PATCH001:1.1.1.1 tnf_010307:1.1.1.1; locks; strict; comment @# @; 1.57 date 2024.03.14.09.15.57; author wiz; state Exp; branches; next 1.56; commitid MM7MwbG948LaL62F; 1.56 date 2024.03.01.06.50.02; author adam; state Exp; branches; next 1.55; commitid J16fvaZhW9zOmq0F; 1.55 date 2024.02.07.13.19.26; author adam; state Exp; branches; next 1.54; commitid kT6QoQ32uUhggvXE; 1.54 date 2022.10.26.10.37.47; author wiz; state Exp; branches; next 1.53; commitid TKETfl8a6NeJrdZD; 1.53 date 2022.09.21.10.52.51; author wiz; state Exp; branches 1.53.2.1; next 1.52; commitid rB2v5wA6jppiEIUD; 1.52 date 2022.03.05.08.53.04; author wiz; state Exp; branches; next 1.51; commitid 0RIWk4wu48e9q0vD; 1.51 date 2022.02.21.07.59.49; author jdolecek; state Exp; branches; next 1.50; commitid 3Y4ZMcP7E9ztvstD; 1.50 date 2022.02.19.17.53.43; author wiz; state Exp; branches; next 1.49; commitid BqRVGKj4hMFqRftD; 1.49 date 2022.02.01.12.10.17; author wiz; state Exp; branches; next 1.48; commitid 8JXkTcErWmNyxUqD; 1.48 date 2022.01.17.08.49.34; author wiz; state Exp; branches; next 1.47; commitid Am1H7w2cCycCUXoD; 1.47 date 2021.05.25.06.34.08; author nia; state Exp; branches 1.47.6.1; next 1.46; commitid D7HsNNOfiaK3MuUC; 1.46 date 2021.05.10.09.33.33; author wiz; state Exp; branches; next 1.45; commitid UaJI0tX0UqTSfASC; 1.45 date 2020.10.09.12.00.56; author wiz; state Exp; branches; next 1.44; commitid cVe2m0EYG34WUdrC; 1.44 date 2020.10.08.16.55.04; author wiz; state Exp; branches; next 1.43; commitid yijKOZ58kSAKz7rC; 1.43 date 2020.10.07.19.53.02; author wiz; state Exp; branches; next 1.42; commitid m2yW4YQ5t6fTA0rC; 1.42 date 2020.03.26.11.57.10; author nia; state Exp; branches; next 1.41; commitid 5fDJkQQlt83aeU1C; 1.41 date 2020.03.23.18.39.03; author nia; state Exp; branches; next 1.40; commitid XpL4krBmpeR1yy1C; 1.40 date 2019.09.15.13.13.47; author nia; state Exp; branches; next 1.39; commitid AAUXcmOHJtM7R6DB; 1.39 date 2019.06.29.22.36.04; author wiz; state Exp; branches; next 1.38; commitid 2ypC7Q6Ms20vt8tB; 1.38 date 2018.08.20.05.24.49; author wiz; state Exp; branches; next 1.37; commitid IamqiFHHBFysPOOA; 1.37 date 2018.08.19.20.16.42; author wiz; state Exp; branches; next 1.36; commitid ABKQmSSJKd1rNLOA; 1.36 date 2018.02.18.05.09.21; author rillig; state Exp; branches; next 1.35; commitid 6WBhob7yEbzSCirA; 1.35 date 2017.09.08.07.55.17; author wiz; state Exp; branches; next 1.34; commitid pYxPsWPikTEGMm6A; 1.34 date 2017.06.18.06.01.33; author spz; state Exp; branches; next 1.33; commitid 7ebQfhqmR0J6LOVz; 1.33 date 2016.06.22.15.39.09; author drochner; state Exp; branches 1.33.8.1; next 1.32; commitid tM7iRE08pmw3Atbz; 1.32 date 2016.05.17.19.15.01; author drochner; state Exp; branches; next 1.31; commitid WLDPkHM3kKUJTR6z; 1.31 date 2016.03.16.19.55.55; author ryoon; state Exp; branches 1.31.2.1; next 1.30; commitid ZMRm3Ipf8HBY9UYy; 1.30 date 2016.01.01.01.29.30; author ryoon; state Exp; branches; next 1.29; commitid 2hKFAgtiUZpUraPy; 1.29 date 2015.08.04.08.47.19; author tnn; state Exp; branches; next 1.28; commitid ts9bWoeH5QQLGVvy; 1.28 date 2014.10.09.14.07.01; author wiz; state Exp; branches; next 1.27; commitid fBDATFVmQ3454xTx; 1.27 date 2012.10.25.06.55.49; author asau; state Exp; branches; next 1.26; 1.26 date 2012.04.01.08.52.43; author obache; state Exp; branches; next 1.25; 1.25 date 2010.01.26.18.37.01; author drochner; state Exp; branches; next 1.24; 1.24 date 2009.09.10.09.59.20; author drochner; state Exp; branches 1.24.4.1; next 1.23; 1.23 date 2007.06.08.13.14.04; author wiz; state Exp; branches 1.23.22.1; next 1.22; 1.22 date 2006.11.03.06.56.23; author joerg; state Exp; branches; next 1.21; 1.21 date 2006.02.05.23.11.01; author joerg; state Exp; branches; next 1.20; 1.20 date 2006.01.22.16.46.02; author wiz; state Exp; branches; next 1.19; 1.19 date 2005.05.22.20.08.34; author jlam; state Exp; branches; next 1.18; 1.18 date 2005.04.11.21.47.34; author tv; state Exp; branches; next 1.17; 1.17 date 2004.10.03.00.18.19; author tv; state Exp; branches; next 1.16; 1.16 date 2004.09.15.17.09.37; author jlam; state Exp; branches; next 1.15; 1.15 date 2004.08.05.22.16.59; author recht; state Exp; branches; next 1.14; 1.14 date 2004.03.02.18.13.58; author drochner; state Exp; branches; next 1.13; 1.13 date 2004.02.14.17.21.53; author jlam; state Exp; branches; next 1.12; 1.12 date 2004.01.24.15.13.19; author grant; state Exp; branches; next 1.11; 1.11 date 2004.01.05.23.43.06; author jlam; state Exp; branches; next 1.10; 1.10 date 2003.07.17.22.54.14; author grant; state Exp; branches; next 1.9; 1.9 date 2003.02.05.03.57.13; author jlam; state Exp; branches; next 1.8; 1.8 date 2003.01.30.10.49.13; author drochner; state Exp; branches; next 1.7; 1.7 date 2002.09.17.21.06.15; author drochner; state Exp; branches; next 1.6; 1.6 date 2002.08.25.18.40.01; author jlam; state Exp; branches; next 1.5; 1.5 date 2002.08.20.11.46.49; author drochner; state Exp; branches; next 1.4; 1.4 date 2001.10.01.03.07.21; author jlam; state Exp; branches 1.4.2.1; next 1.3; 1.3 date 2001.08.07.11.16.55; author drochner; state Exp; branches; next 1.2; 1.2 date 2001.05.15.10.07.17; author dillo; state Exp; branches; next 1.1; 1.1 date 2001.03.07.12.13.04; author drochner; state Exp; branches 1.1.1.1; next ; 1.53.2.1 date 2022.11.26.17.01.44; author spz; state Exp; branches; next ; commitid lSWiYg75jwJHze3E; 1.47.6.1 date 2022.02.07.07.09.18; author tm; state Exp; branches; next ; commitid TNsxgp9GksxoGErD; 1.33.8.1 date 2017.06.21.18.36.19; author bsiegert; state Exp; branches; next ; commitid ETR8KJLswwU3SgWz; 1.31.2.1 date 2016.05.21.19.13.44; author bsiegert; state Exp; branches; next ; commitid aEoftv3KBty5On7z; 1.24.4.1 date 2010.01.28.15.57.25; author spz; state Exp; branches; next ; 1.23.22.1 date 2009.09.13.11.38.44; author spz; state Exp; branches; next ; 1.4.2.1 date 2002.05.11.02.09.25; author jlam; state Exp; branches; next 1.4.2.2; 1.4.2.2 date 2002.06.21.23.05.43; author jlam; state Exp; branches; next 1.4.2.3; 1.4.2.3 date 2002.08.22.11.12.37; author jlam; state Exp; branches; next ; 1.1.1.1 date 2001.03.07.12.13.04; author drochner; state Exp; branches; next ; desc @@ 1.57 log @expat: update to 2.6.2. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !! Expat is UNDERSTAFFED and WITHOUT FUNDING. !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Release 2.6.2 Wed March 13 2024 Security fixes: #839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with isolated use of external parsers. Please see the commit message of commit 1d50b80cf31de87750103656f6eb693746854aa8 for details. Bug fixes: #839 #841 Reject direct parameter entity recursion and avoid the related undefined behavior Other changes: #847 Autotools: Fix build for DOCBOOK_TO_MAN containing spaces #837 Add missing #821 and #824 to 2.6.1 change log #838 #843 Version info bumped from 10:1:9 (libexpat*.so.1.9.1) to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/ for what these numbers do Special thanks to: Philippe Antoine Tomas Korbar and Clang UndefinedBehaviorSanitizer OSS-Fuzz / ClusterFuzz @ text @# $NetBSD: Makefile,v 1.56 2024/03/01 06:50:02 adam Exp $ DISTNAME= expat-2.6.2 CATEGORIES= textproc MASTER_SITES= ${MASTER_SITE_GITHUB:=libexpat/} GITHUB_PROJECT= libexpat GITHUB_RELEASE= R_${PKGVERSION_NOREV:S/./_/g} MAINTAINER= pkgsrc-users@@NetBSD.org HOMEPAGE= https://libexpat.github.io/ COMMENT= XML parser library written in C LICENSE= mit USE_LANGUAGES= c c++ USE_LIBTOOL= yes USE_TOOLS+= bash:test GNU_CONFIGURE= yes CONFIGURE_ARGS+= --without-examples CONFIGURE_ARGS+= --without-tests # workaround suggested by upstream; xmlwf.1 is in tarball, so docbook not needed CONFIGURE_ENV+= DOCBOOK_TO_MAN=false CONFIGURE_ARGS+= --without-docbook TEST_TARGET= check REPLACE_BASH= test-driver-wrapper.sh # we can't use cmake due to a cyclic dependency #USE_CMAKE= yes #TEST_ENV+= LD_LIBRARY_PATH=${WRKSRC} PKGCONFIG_OVERRIDE+= expat.pc.in DOCDIR= ${PREFIX}/share/doc/expat post-install: ${INSTALL_DATA_DIR} ${DESTDIR}${DOCDIR} ${INSTALL_DATA} ${WRKSRC}/doc/reference.html ${DESTDIR}${DOCDIR} ${INSTALL_DATA} ${WRKSRC}/doc/style.css ${DESTDIR}${DOCDIR} .include "../../mk/bsd.pkg.mk" @ 1.56 log @expat: updated to 2.6.1 Release 2.6.1 Bug fixes: Make tests independent of CPU speed, and thus more robust Expose billion laughs API with XML_DTD defined and XML_GE undefined, regression from 2.6.0 Other changes: Hide test-only code behind new internal macro Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P Address compiler warnings Version info bumped from 10:0:9 (libexpat*.so.1.9.0) to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/ for what these numbers do Infrastructure: CI: Adapt to breaking changes in clang-format @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.55 2024/02/07 13:19:26 adam Exp $ d3 1 a3 1 DISTNAME= expat-2.6.1 @ 1.55 log @expat: updated to 2.6.0 Release 2.6.0 Tue February 6 2024 Security fixes: * * CVE-2023-52425 -- Fix quadratic runtime issues with big tokens that can cause denial of service, in partial where dealing with compressed XML input. Applications that parsed a document in one go -- a single call to functions XML_Parse or XML_ParseBuffer -- were not affected. The smaller the chunks/buffers you use for parsing previously, the bigger the problem prior to the fix. Backporters should be careful to no omit parts of pull request * and to include earlier pull request *, in order to not break the fix. * CVE-2023-52426 -- Fix billion laughs attacks for users compiling *without* XML_DTD defined (which is not common). Users with XML_DTD defined have been protected since Expat >=2.4.0 (and that was CVE-2013-0340 back then). Bug fixes: * Fix parse-size-dependent "invalid token" error for external entities that start with a byte order mark * Fix NULL pointer dereference in setContext via XML_ExternalEntityParserCreate for compilation with XML_DTD undefined * * Protect against closing entities out of order Other changes: * Improve support for arc4random/arc4random_buf * * Improve buffer growth in XML_GetBuffer and XML_Parse * * xmlwf: Support --help and --version * * xmlwf: Support custom buffer size for XML_GetBuffer and read * xmlwf: Improve language and URL clickability in help output * examples: Add new example "element_declarations.c" * Be stricter about macro XML_CONTEXT_BYTES at build time * Make inclusion to expat_config.h consistent * * Autotools: configure.ac: Support --disable-maintainer-mode * * .. * * * Autotools: Sync CMake templates with CMake 3.26 * Autotools: Make installation of shipped man page doc/xmlwf.1 independent of docbook2man availability * Autotools|CMake: Add missing -DXML_STATIC to pkg-config file section "Cflags.private" in order to fix compilation against static libexpat using pkg-config on Windows * * Autotools|CMake: Require a C99 compiler (a de-facto requirement already since Expat 2.2.2 of 2017) * Autotools|CMake: Fix PACKAGE_BUGREPORT variable * * Autotools|CMake: Make test suite require a C++11 compiler * CMake: Require CMake >=3.5.0 * CMake: Lowercase off_t and size_t to help a bug in Meson * CMake: Sort xmlwf sources alphabetically * CMake|Windows: Fix generation of DLL file version info * CMake: Build tests/benchmark/benchmark.c as well for a build with -DEXPAT_BUILD_TESTS=ON * * docs: Document the importance of isFinal + adjust tests accordingly * docs: Improve use of "NULL" and "null" * docs: Be specific about version of XML (XML 1.0r4) and version of C (C99); (XML 1.0r5 will need a sponsor.) * docs: reference.html: Promote function XML_ParseBuffer more * docs: reference.html: Add HTML anchors to XML_* macros * docs: reference.html: Upgrade to OK.css 1.2.0 * * docs: Fix typos * docs|CI: Use HTTPS URLs instead of HTTP at various places * * .. * * .. * * Address compiler warnings * * Address clang-tidy warnings * * Version info bumped from 9:10:8 (libexpat*.so.1.8.10) to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/ for what these numbers do Infrastructure: * * docs: Document security policy in file SECURITY.md * docs: Improve parse buffer variables in-code documentation * * .. * * .. * * * Refactor coverage and conformance tests * * Refactor debug level variables to unsigned long * Improve handling of empty environment variable value in function getDebugLevel (without visible user effect) * * .. * * .. * * tests: Improve test coverage with regard to parse chunk size * * * Fuzzing: Improve fuzzing coverage * * Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests * * CI: Resolve some Travis CI leftovers * CI: Be robust towards absence of Git tags * * CI: Set permissions to "contents: read" for security * CI: Pin all GitHub Actions to specific commits for security * CI: Reject spelling errors using codespell * CI: Enforce clang-tidy clean code * * .. * * CI: Upgrade Clang from 15 to 18 * CI: Start using Clang's Control Flow Integrity sanitizer * * * CI: Adapt to breaking changes in GitHub Actions Ubuntu images * CI: Adapt to breaking changes in Clang/LLVM Debian packaging * CI: Adapt to breaking changes in codespell * CI: Adapt to breaking changes in Cppcheck @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.54 2022/10/26 10:37:47 wiz Exp $ d3 1 a3 1 DISTNAME= expat-2.6.0 @ 1.54 log @expat: update to 2.5.0. Release 2.5.0 Tue October 25 2022 Security fixes: #616 #649 #650 CVE-2022-43680 -- Fix heap use-after-free after overeager destruction of a shared DTD in function XML_ExternalEntityParserCreate in out-of-memory situations. Expected impact is denial of service or potentially arbitrary code execution. Bug fixes: #612 #645 Fix curruption from undefined entities #613 #654 Fix case when parsing was suspended while processing nested entities #616 #652 #653 Stop leaking opening tag bindings after a closing tag mismatch error where a parser is reset through XML_ParserReset and then reused to parse #656 CMake: Fix generation of pkg-config file #658 MinGW|CMake: Fix static library name Other changes: #663 Protect header expat_config.h from multiple inclusion #666 examples: Make use of XML_GetBuffer and be more consistent across examples #648 Address compiler warnings #667 #668 Version info bumped from 9:9:8 to 9:10:8; see https://verbump.de/ for what these numbers do Special thanks to: Jann Horn Mark Brand Osyotr Rhodri James and Google Project Zero @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.53 2022/09/21 10:52:51 wiz Exp $ d3 1 a3 1 DISTNAME= expat-2.5.0 d14 3 a17 2 USE_LIBTOOL= yes d24 1 a24 3 USE_LANGUAGES= c c++ TEST_TARGET= test USE_TOOLS+= bash:test @ 1.53 log @expat: update to 2.4.9. Release 2.4.9 Tue September 20 2022 Security fixes: #629 #640 CVE-2022-40674 -- Heap use-after-free vulnerability in function doContent. Expected impact is denial of service or potentially arbitrary code execution. Bug fixes: #634 MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0 #614 docs: Fix documentation on effect of switch XML_DTD on symbol visibility in doc/reference.html Other changes: #638 MinGW: Make fix-xmltest-log.sh drop more Wine bug output #596 #625 Autotools: Sync CMake templates with CMake 3.22 #608 CMake: Migrate from use of CMAKE_*_POSTFIX to dedicated variables EXPAT_*_POSTFIX to stop affecting other projects #597 #599 Windows|CMake: Add missing -DXML_STATIC to test runners and fuzzers #512 #621 Windows|CMake: Render .def file from a template to fix linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON #611 #621 MinGW|CMake: Apply MSVC .def file when linking #622 #624 MinGW|CMake: Sync library name with GNU Autotools, i.e. produce libexpat-1.dll rather than libexpat.dll by default. Filename libexpat.dll.a is unaffected. #632 MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in toolchain file "cmake/mingw-toolchain.cmake" to avoid error "windres: Command not found" on e.g. Ubuntu 20.04 #597 #627 CMake: Unify inconsistent use of set() and option() in context of public build time options to take need for set(.. FORCE) in projects using Expat by means of add_subdirectory(..) off Expat's users' shoulders #626 #641 Stop exporting API symbols when building a static library #644 Resolve use of deprecated "fgrep" by "grep -F" #620 CMake: Make documentation on variables a bit more consistent #636 CMake: Drop leading whitespace from a #cmakedefine line in file expat_config.h.cmake #594 xmlwf: Fix harmless variable mix-up in function nsattcmp #592 #593 #610 Address Cppcheck warnings #643 Address Clang 15 compiler warnings #642 #644 Version info bumped from 9:8:8 to 9:9:8; see https://verbump.de/ for what these numbers do Infrastructure: #597 #598 CI: Windows: Start covering MSVC 2022 #619 CI: macOS: Migrate off deprecated macOS 10.15 #632 CI: Linux: Make migration off deprecated Ubuntu 18.04 work #643 CI: Upgrade Clang from 14 to 15 #637 apply-clang-format.sh: Add support for BSD find #633 coverage.sh: Exclude MinGW headers #635 coverage.sh: Fix name collision for -funsigned-char Special thanks to: David Faure Felix Wilhelm Frank Bergmann Rhodri James Rosen Penev Thijs Schreijer Vincent Torri and Google Project Zero Release 2.4.8 Mon March 28 2022 Other changes: #587 pkg-config: Move "-lm" to section "Libs.private" #587 CMake|MSVC: Fix pkg-config section "Libs" #55 #582 CMake|macOS: Start using linker arguments "-compatibility_version " and "-current_version " in a way compatible with GNU Libtool #590 #591 Version info bumped from 9:7:8 to 9:8:8; see https://verbump.de/ for what these numbers do Infrastructure: #589 CI: Upgrade Clang from 13 to 14 Special thanks to: evpobr Kai Pastor Sam James @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.52 2022/03/05 08:53:04 wiz Exp $ d3 1 a3 1 DISTNAME= expat-2.4.9 @ 1.53.2.1 log @Pullup ticket #6696 - requested by bsiegert textproc/expat: security update Revisions pulled up: - textproc/expat/Makefile 1.54 - textproc/expat/distinfo 1.47 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: wiz Date: Wed Oct 26 10:37:47 UTC 2022 Modified Files: pkgsrc/textproc/expat: Makefile distinfo Log Message: expat: update to 2.5.0. Release 2.5.0 Tue October 25 2022 Security fixes: #616 #649 #650 CVE-2022-43680 -- Fix heap use-after-free after overeager destruction of a shared DTD in function XML_ExternalEntityParserCreate in out-of-memory situations. Expected impact is denial of service or potentially arbitrary code execution. Bug fixes: #612 #645 Fix curruption from undefined entities #613 #654 Fix case when parsing was suspended while processing nested entities #616 #652 #653 Stop leaking opening tag bindings after a closing tag mismatch error where a parser is reset through XML_ParserReset and then reused to parse #656 CMake: Fix generation of pkg-config file #658 MinGW|CMake: Fix static library name Other changes: #663 Protect header expat_config.h from multiple inclusion #666 examples: Make use of XML_GetBuffer and be more consistent across examples #648 Address compiler warnings #667 #668 Version info bumped from 9:9:8 to 9:10:8; see https://verbump.de/ for what these numbers do Special thanks to: Jann Horn Mark Brand Osyotr Rhodri James and Google Project Zero To generate a diff of this commit: cvs rdiff -u -r1.53 -r1.54 pkgsrc/textproc/expat/Makefile cvs rdiff -u -r1.46 -r1.47 pkgsrc/textproc/expat/distinfo @ text @d1 1 a1 1 # $NetBSD$ d3 1 a3 1 DISTNAME= expat-2.5.0 @ 1.52 log @expat: update to 2.4.7. Release 2.4.7 Fri March 4 2022 Bug fixes: #572 #577 Relax fix to CVE-2022-25236 (introduced with release 2.4.5) with regard to all valid URI characters (RFC 3986), i.e. the following set (excluding whitespace): ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz 0123456789 % -._~ :/?#[]@@ !$&'()*+,;= Other changes: #555 #570 #581 CMake|Windows: Store Expat version in the DLL #577 Document consequences of namespace separator choices not just in doc/reference.html but also in header #577 Document Expat's lack of validation of namespace URIs against RFC 3986, and that the XML 1.0r4 specification doesn't require Expat to validate namespace URIs, and that Expat may do more in that regard in future releases. If you find need for strict RFC 3986 URI validation on application level today, https://uriparser.github.io/ may be of interest. #579 Fix documentation of XML_EndDoctypeDeclHandler in #575 Document that a call to XML_FreeContentModel can be done at a later time from outside the element declaration handler #574 Make hardcoded namespace URIs easier to find in code #573 Update documentation on use of XML_POOR_ENTOPY on Solaris #569 #571 tests: Resolve use of macros NAN and INFINITY for GNU G++ 4.8.2 on Solaris. #578 #580 Version info bumped from 9:6:8 to 9:7:8; see https://verbump.de/ for what these numbers do @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.51 2022/02/21 07:59:49 jdolecek Exp $ d3 1 a3 1 DISTNAME= expat-2.4.7 @ 1.51 log @expat: update to 2.4.6 Release 2.4.6 Sun February 20 2022 Bug fixes: #566 Fix a regression introduced by the fix for CVE-2022-25313 in release 2.4.5 that affects applications that (1) call function XML_SetElementDeclHandler and (2) are parsing XML that contains nested element declarations (e.g. ""). Other changes: #567 #568 Version info bumped from 9:5:8 to 9:6:8; see https://verbump.de/ for what these numbers do @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.50 2022/02/19 17:53:43 wiz Exp $ d3 1 a3 1 DISTNAME= expat-2.4.6 @ 1.50 log @expat: update to 2.4.5. Release 2.4.5 Fri February 18 2022 Security fixes: #562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8 sequences (e.g. from start tag names) to the XML processing application on top of Expat can cause arbitrary damage (e.g. code execution) depending on how invalid UTF-8 is handled inside the XML processor; validation was not their job but Expat's. Exploits with code execution are known to exist. #561 CVE-2022-25236 -- Passing (one or more) namespace separator characters in "xmlns[:prefix]" attribute values made Expat send malformed tag names to the XML processor on top of Expat which can cause arbitrary damage (e.g. code execution) depending on such unexpectable cases are handled inside the XML processor; validation was not their job but Expat's. Exploits with code execution are known to exist. #558 CVE-2022-25313 -- Fix stack exhaustion in doctype parsing that could be triggered by e.g. a 2 megabytes file with a large number of opening braces. Expected impact is denial of service or potentially arbitrary code execution. #560 CVE-2022-25314 -- Fix integer overflow in function copyString; only affects the encoding name parameter at parser creation time which is often hardcoded (rather than user input), takes a value in the gigabytes to trigger, and a 64-bit machine. Expected impact is denial of service. #559 CVE-2022-25315 -- Fix integer overflow in function storeRawNames; needs input in the gigabytes and a 64-bit machine. Expected impact is denial of service or potentially arbitrary code execution. Other changes: #557 #564 Version info bumped from 9:4:8 to 9:5:8; see https://verbump.de/ for what these numbers do @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.49 2022/02/01 12:10:17 wiz Exp $ d3 1 a3 1 DISTNAME= expat-2.4.5 @ 1.49 log @expat: update to 2.4.4. Release 2.4.4 Sun January 30 2022 Security fixes: #550 CVE-2022-23852 -- Fix signed integer overflow (undefined behavior) in function XML_GetBuffer (that is also called by function XML_Parse internally) for when XML_CONTEXT_BYTES is defined to >0 (which is both common and default). Impact is denial of service or more. #551 CVE-2022-23990 -- Fix unsigned integer overflow in function doProlog triggered by large content in element type declarations when there is an element declaration handler present (from a prior call to XML_SetElementDeclHandler). Impact is denial of service or more. Bug fixes: #544 #545 xmlwf: Fix a memory leak on output file opening error Other changes: #546 Autotools: Fix broken CMake support under Cygwin #554 Windows: Add missing files to the installer to fix compilation with CMake from installed sources #552 #554 Version info bumped from 9:3:8 to 9:4:8; see https://verbump.de/ for what these numbers do @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.48 2022/01/17 08:49:34 wiz Exp $ d3 1 a3 1 DISTNAME= expat-2.4.4 @ 1.48 log @expat: update to 2.4.3. Release 2.4.3 Sun January 16 2022 Security fixes: #531 #534 CVE-2021-45960 -- Fix issues with left shifts by >=29 places resulting in a) realloc acting as free b) realloc allocating too few bytes c) undefined behavior depending on architecture and precise value for XML documents with >=2^27+1 prefixed attributes on a single XML tag a la "" where XML_ParserCreateNS is used to create the parser (which needs argument "-n" when running xmlwf). Impact is denial of service, or more. #532 #538 CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow on variable m_groupSize in function doProlog leading to realloc acting as free. Impact is denial of service or more. #539 CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows near memory allocation at multiple places. Mitre assigned a dedicated CVE for each involved internal C function: - CVE-2022-22822 for function addBinding - CVE-2022-22823 for function build_model - CVE-2022-22824 for function defineAttribute - CVE-2022-22825 for function lookup - CVE-2022-22826 for function nextScaffoldPart - CVE-2022-22827 for function storeAtts Impact is denial of service or more. Other changes: #535 CMake: Make call to file(GENERATE [..]) work for CMake <3.19 #541 Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin and MSYS2 by not going through Wine on these platforms #527 #528 Address compiler warnings #533 #543 Version info bumped from 9:2:8 to 9:3:8; see https://verbump.de/ for what these numbers do Infrastructure: #536 CI: Check for realistic minimum CMake version #529 #539 CI: Cover compilation with -m32 #529 CI: Store coverage reports as artifacts for download #528 CI: Upgrade Clang from 11 to 13 Release 2.4.2 Sun December 19 2021 Other changes: #509 #510 Link againgst libm for function "isnan" #513 #514 Include expat_config.h as early as possible #498 Autotools: Include files with release archives: - buildconf.sh - fuzz/*.c #507 #519 Autotools: Sync CMake templates #495 #524 CMake: MinGW: Fix pkg-config section "Libs" for - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug) - multi-config CMake generators (e.g. Ninja Multi-Config) #502 #503 docs: Document that function XML_GetBuffer may return NULL when asking for a buffer of 0 (zero) bytes size #522 #523 docs: Fix return value docs for both XML_SetBillionLaughsAttackProtection* functions #525 #526 Version info bumped from 9:1:8 to 9:2:8; see https://verbump.de/ for what these numbers do @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.47 2021/05/25 06:34:08 nia Exp $ d3 1 a3 1 DISTNAME= expat-2.4.3 @ 1.47 log @expat: update to 2.4.1 Release 2.4.1 Sun May 23 2021 Bug fixes: #488 #490 Autotools: Fix installed header expat_config.h for multilib systems; regression introduced in 2.4.0 by pull request #486 Other changes: #491 #492 Version info bumped from 9:0:8 to 9:1:8; see https://verbump.de/ for what these numbers do Special thanks to: Gentoo's QA check "multilib_check_headers" Release 2.4.0 Sun May 23 2021 Security fixes: #34 #466 #484 CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks (denial-of-service; flavors targeting CPU time or RAM or both, leveraging general entities or parameter entities or both) by tracking and limiting the input amplification factor ( := ( + ) / ). By conservative default, amplification up to a factor of 100.0 is tolerated and rejection only starts after 8 MiB of output bytes (= + ) have been processed. The fix adds the following to the API: - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to signals this specific condition. - Two new API functions .. - XML_SetBillionLaughsAttackProtectionMaximumAmplification and - XML_SetBillionLaughsAttackProtectionActivationThreshold .. to further tighten billion laughs protection parameters when desired. Please see file "doc/reference.html" for details. If you ever need to increase the defaults for non-attack XML payload, please file a bug report with libexpat. - Two new XML_FEATURE_* constants .. - that can be queried using the XML_GetFeatureList function, and - that are shown in "xmlwf -v" output. - Two new environment variable switches .. - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and - EXPAT_ENTITY_DEBUG=(0|1) .. for runtime debugging of accounting and entity processing. Specific behavior of these values may change in the future. - Two new command line arguments "-a FACTOR" and "-b BYTES" for xmlwf to further tighten billion laughs protection parameters when desired. If you ever need to increase the defaults for non-attack XML payload, please file a bug report with libexpat. Bug fixes: #332 #470 For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake) or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault for UTF-16 payloads containing CDATA sections. #485 #486 Autotools: Fix generated CMake files for non-64bit and non-Linux platforms (e.g. macOS and MinGW in particular) that were introduced with release 2.3.0 Other changes: #468 #469 xmlwf: Improve help output and the xmlwf man page #463 xmlwf: Improve maintainability through some refactoring #477 xmlwf: Fix man page DocBook validity #458 #459 CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR and CMAKE_INSTALL_INCLUDEDIR #471 #481 CMake: Add support for standard variable BUILD_SHARED_LIBS #457 Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters #467 Resolve macro HAVE_EXPAT_CONFIG_H #472 Delete unused legacy helper file "conftools/PrintPath" #473 #483 Improve attribution #464 #465 #477 doc/reference.html: Fix XHTML validity #475 #478 doc/reference.html: Replace the 90s look by OK.css #479 Version info bumped from 8:0:7 to 9:0:8 due to addition of new symbols and error codes; see https://verbump.de/ for what these numbers do Infrastructure: #456 CI: Enable periodic runs #457 CI: Start covering the list of exported symbols #474 CI: Isolate coverage task #476 #482 CI: Adapt to breaking changes in image "ubuntu-18.04" #477 CI: Cover well-formedness and DocBook/XHTML validity of doc/reference.html and doc/xmlwf.xml Special thanks to: Dimitry Andric Eero Helenius Nick Wellnhofer Rhodri James Tomas Korbar Yury Gribov and Clang LeakSan JetBrains OSS-Fuzz @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.46 2021/05/10 09:33:33 wiz Exp $ d3 1 a3 1 DISTNAME= expat-2.4.1 @ 1.47.6.1 log @Pullup ticket #6578 - requested by bsiegert textproc/expat: security fix Revisions pulled up: - textproc/expat/Makefile 1.48-1.49 - textproc/expat/distinfo 1.40-1.41 --- Module Name: pkgsrc Committed By: wiz Date: Mon Jan 17 08:49:34 UTC 2022 Modified Files: pkgsrc/textproc/expat: Makefile distinfo Log Message: expat: update to 2.4.3. Release 2.4.3 Sun January 16 2022 Security fixes: #531 #534 CVE-2021-45960 -- Fix issues with left shifts by >=29 places resulting in a) realloc acting as free b) realloc allocating too few bytes c) undefined behavior depending on architecture and precise value for XML documents with >=2^27+1 prefixed attributes on a single XML tag a la "" where XML_ParserCreateNS is used to create the parser (which needs argument "-n" when running xmlwf). Impact is denial of service, or more. #532 #538 CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow on variable m_groupSize in function doProlog leading to realloc acting as free. Impact is denial of service or more. #539 CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows near memory allocation at multiple places. Mitre assigned a dedicated CVE for each involved internal C function: - CVE-2022-22822 for function addBinding - CVE-2022-22823 for function build_model - CVE-2022-22824 for function defineAttribute - CVE-2022-22825 for function lookup - CVE-2022-22826 for function nextScaffoldPart - CVE-2022-22827 for function storeAtts Impact is denial of service or more. Other changes: #535 CMake: Make call to file(GENERATE [..]) work for CMake <3.19 #541 Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin and MSYS2 by not going through Wine on these platforms #527 #528 Address compiler warnings #533 #543 Version info bumped from 9:2:8 to 9:3:8; see https://verbump.de/ for what these numbers do Infrastructure: #536 CI: Check for realistic minimum CMake version #529 #539 CI: Cover compilation with -m32 #529 CI: Store coverage reports as artifacts for download #528 CI: Upgrade Clang from 11 to 13 Release 2.4.2 Sun December 19 2021 Other changes: #509 #510 Link againgst libm for function "isnan" #513 #514 Include expat_config.h as early as possible #498 Autotools: Include files with release archives: - buildconf.sh - fuzz/*.c #507 #519 Autotools: Sync CMake templates #495 #524 CMake: MinGW: Fix pkg-config section "Libs" for - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug) - multi-config CMake generators (e.g. Ninja Multi-Config) #502 #503 docs: Document that function XML_GetBuffer may return NULL when asking for a buffer of 0 (zero) bytes size #522 #523 docs: Fix return value docs for both XML_SetBillionLaughsAttackProtection* functions #525 #526 Version info bumped from 9:1:8 to 9:2:8; see https://verbump.de/ for what these numbers do --- Module Name: pkgsrc Committed By: wiz Date: Tue Feb 1 12:10:18 UTC 2022 Modified Files: pkgsrc/textproc/expat: Makefile distinfo Log Message: expat: update to 2.4.4. Release 2.4.4 Sun January 30 2022 Security fixes: #550 CVE-2022-23852 -- Fix signed integer overflow (undefined behavior) in function XML_GetBuffer (that is also called by function XML_Parse internally) for when XML_CONTEXT_BYTES is defined to >0 (which is both common and default). Impact is denial of service or more. #551 CVE-2022-23990 -- Fix unsigned integer overflow in function doProlog triggered by large content in element type declarations when there is an element declaration handler present (from a prior call to XML_SetElementDeclHandler). Impact is denial of service or more. Bug fixes: #544 #545 xmlwf: Fix a memory leak on output file opening error Other changes: #546 Autotools: Fix broken CMake support under Cygwin #554 Windows: Add missing files to the installer to fix compilation with CMake from installed sources #552 #554 Version info bumped from 9:3:8 to 9:4:8; see https://verbump.de/ for what these numbers do @ text @d1 1 a1 1 # $NetBSD$ d3 1 a3 1 DISTNAME= expat-2.4.4 @ 1.46 log @expat: update to 2.3.0. Release 2.3.0 Thu March 25 2021 Bug fixes: #438 When calling XML_ParseBuffer without a prior successful call to XML_GetBuffer as a user, no longer trigger undefined behavior (by adding an integer to a NULL pointer) but rather return XML_STATUS_ERROR and set the error code to (new) code XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer) of Clang 11 (but not Clang 9). #444 xmlwf: Exit status 2 was used for both: - malformed input files (documented) and - invalid command-line arguments (undocumented). The case of invalid command-line arguments now has its own exit status 4, resolving the ambiguity. Other changes: #439 xmlwf: Add argument -k to allow continuing after non-fatal errors #439 xmlwf: Add section about exit status to the -h help output #422 #426 #447 Windows: Drop support for Visual Studio <=14.0/2015 #434 Windows: CMake: Detect unsupported Visual Studio at configure time (rather than at compile time) #382 #428 testrunner: Make verbose mode (argument "-v") report about passed tests, and make default mode report about failures, as well. #442 CMake: Call "enable_language(CXX)" prior to tinkering with CMAKE_CXX_* variables #448 Document use of libexpat from a CMake-based project #451 Autotools: Install CMake files as generated by CMake 3.19.6 so that users with "find_package(expat [..] CONFIG [..])" are served on distributions that are *not* using the CMake build system inside for libexpat packaging #436 #437 Autotools: Drop obsolescent macro AC_HEADER_STDC #450 #452 Autotools: Resolve use of obsolete macro AC_CONFIG_HEADER #441 Address compiler warnings #443 Version info bumped from 7:12:6 to 8:0:7 due to addition of error code XML_ERROR_NO_BUFFER (see https://verbump.de/ for what these numbers do) Infrastructure: #435 #446 Replace Travis CI by GitHub Actions Special thanks to: Alexander Richardson Oleksandr Popovych Thomas Beutlich Tim Bray and Clang LeakSan, Clang 11 UBSan and the Clang team @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.45 2020/10/09 12:00:56 wiz Exp $ d3 1 a3 1 DISTNAME= expat-2.3.0 @ 1.45 log @expat: use upstream-suggested workaround for installing man page @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.44 2020/10/08 16:55:04 wiz Exp $ d3 1 a3 2 DISTNAME= expat-2.2.10 PKGREVISION= 1 @ 1.44 log @expat: switch back to building with autoconf Manually install xmlwf.1. Fixes cyclic dependency between cmake and expat (on Solaris). Bump PKGREVISION. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.43 2020/10/07 19:53:02 wiz Exp $ d20 2 a35 2 INSTALLATION_DIRS+= ${PKGMANDIR}/man1 a39 1 ${INSTALL_DATA} ${WRKSRC}/doc/xmlwf.1 ${DESTDIR}${PREFIX}/${PKGMANDIR}/man1 @ 1.43 log @expat: update to 2.2.10. Use cmake for building. Release 2.2.10 Sat October 3 2020 Bug fixes: #390 #395 #398 Fix undefined behavior during parsing caused by pointer arithmetic with NULL pointers #404 #405 Fix reading uninitialized variable during parsing #406 xmlwf: Add missing check for malloc NULL return Other changes: #396 Windows: Drop support for Visual Studio <=8.0/2005 #409 Windows: Add missing file "Changes" to the installer to fix compilation with CMake from installed sources #403 xmlwf: Document exit codes in xmlwf manpage and exit with code 3 (rather than code 1) for output errors when used with "-d DIRECTORY" #356 #359 MinGW: Provide declaration of rand_s for mingwrt <5.3.0 #383 #392 Autotools: Use -Werror while configure tests the compiler for supported compile flags to avoid false positives #383 #393 #394 Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS, e.g. ensure that they have the last word over flags added while running ./configure #360 CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t) #360 CMake: Detect and deny unsupported build combinations involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t) #360 CMake: Install pre-compiled shipped xmlwf.1 manpage in case of -DEXPAT_BUILD_DOCS=OFF #375 #380 #419 CMake: Fix use of Expat by means of add_subdirectory #407 #408 CMake: Keep expat target name constant at "expat" (i.e. refrain from using the target name to control build artifact filenames) #385 CMake: Fix compilation with -DEXPAT_SHARED_LIBS=OFF for Windows CMake: Expose man page compilation as target "xmlwf-manpage" #413 #414 CMake: Introduce option EXPAT_BUILD_PKGCONFIG to control generation of pkg-config file "expat.pc" #424 CMake: Add minimalistic support for building binary packages with CMake target "package"; based on CPack #366 CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with default OFF to build fuzzer code against OSS-Fuzz and related environment variable LIB_FUZZING_ENGINE #354 Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF, each #354 #355 .. #356 #412 Address compiler warnings #368 #369 Address pngcheck warnings with doc/*.png images Version info bumped from 7:11:6 to 7:12:6 Special thanks to: asavah Ben Wagner Bhargava Shastry Frank Landgraf Jeffrey Walton Joe Orton Kleber Tarcísio Ma Lin Maciej Sroczyński Mohammed Khajapasha Vadim Zeitlin and Cppcheck 2.0 and the Cppcheck team @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.42 2020/03/26 11:57:10 nia Exp $ d4 1 d15 2 a16 1 USE_CMAKE= yes d18 11 a28 5 USE_LANGUAGES= c c++ TEST_TARGET= test USE_TOOLS+= bash:test REPLACE_BASH= test-driver-wrapper.sh TEST_ENV+= LD_LIBRARY_PATH=${WRKSRC} d34 2 d40 1 @ 1.42 log @expat: Avoid detecting system docbook, resulting in PLIST conflicts Noticed by Dr. Thomas Orgis @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.41 2020/03/23 18:39:03 nia Exp $ d3 1 a3 1 DISTNAME= expat-2.2.9 d14 1 a14 2 GNU_CONFIGURE= yes USE_LIBTOOL= yes d16 5 a20 9 # C++ is needed for tests only #USE_LANGUAGES= c c++ #TEST_TARGET= check #USE_TOOLS+= bash #REPLACE_BASH= test-driver-wrapper.sh CONFIGURE_ARGS+= --without-examples CONFIGURE_ARGS+= --without-tests CONFIGURE_ARGS+= --without-docbook @ 1.41 log @expat: Update to 2.2.9 Release 2.2.9 Wed Septemper 25 2019 Other changes: examples: Drop executable bits from elements.c @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.40 2019/09/15 13:13:47 nia Exp $ d23 4 @ 1.40 log @expat: Update to 2.2.8 Release 2.2.8 Fri Septemper 13 2019 Security fixes: #317 #318 CVE-2019-15903 -- Fix heap overflow triggered by XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber), and deny internal entities closing the doctype; fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43 Bug fixes: #240 Fix cases where XML_StopParser did not have any effect when called from inside of an end element handler #341 xmlwf: Fix exit code for operation without "-d DIRECTORY"; previously, only "-d DIRECTORY" would give you a proper exit code: # xmlwf -d . <<<'' 2>/dev/null ; echo $? 2 # xmlwf <<<'' 2>/dev/null ; echo $? 0 Now both cases return exit code 2. Other changes: #299 #302 Windows: Replace LoadLibrary hack to access unofficial API function SystemFunction036 (RtlGenRandom) by using official API function rand_s (needs WinXP+) #325 Windows: Drop support for Visual Studio <=7.1/2003 and document supported compilers in README.md #286 Windows: Remove COM code from xmlwf; in case it turns out needed later, there will be a dedicated repository below https://github.com/libexpat/ for that code #322 Windows: Remove explicit MSVC solution and project files. You can generate Visual Studio solution files through CMake, e.g.: cmake -G"Visual Studio 15 2017" . #338 xmlwf: Make "xmlwf -h" help output more friendly #339 examples: Improve elements.c #244 #264 Autotools: Add argument --enable-xml-attr-info #239 #301 Autotools: Add arguments --with-getrandom --without-getrandom --with-sys-getrandom --without-sys-getrandom #312 #343 Autotools: Fix linking issues with "./configure LD=clang" Autotools: Fix "make run-xmltest" for out-of-source builds #329 #336 CMake: Pull all options from Expat <=2.2.7 into namespace prefix EXPAT_ with the exception of DOCBOOK_TO_MAN: - BUILD_doc -> EXPAT_BUILD_DOCS (plural) - BUILD_examples -> EXPAT_BUILD_EXAMPLES - BUILD_shared -> EXPAT_SHARED_LIBS - BUILD_tests -> EXPAT_BUILD_TESTS - BUILD_tools -> EXPAT_BUILD_TOOLS - DOCBOOK_TO_MAN -> DOCBOOK_TO_MAN (unchanged) - INSTALL -> EXPAT_ENABLE_INSTALL - MSVC_USE_STATIC_CRT -> EXPAT_MSVC_STATIC_CRT - USE_libbsd -> EXPAT_WITH_LIBBSD - WARNINGS_AS_ERRORS -> EXPAT_WARNINGS_AS_ERRORS - XML_CONTEXT_BYTES -> EXPAT_CONTEXT_BYTES - XML_DEV_URANDOM -> EXPAT_DEV_URANDOM - XML_DTD -> EXPAT_DTD - XML_NS -> EXPAT_NS - XML_UNICODE -> EXPAT_CHAR_TYPE=ushort (!) - XML_UNICODE_WCHAR_T -> EXPAT_CHAR_TYPE=wchar_t (!) #244 #264 CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF), default OFF #326 CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF), default OFF #328 CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF), default OFF #239 #277 CMake: Add arguments -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO #326 CMake: Install expat_config.h to include directory #326 CMake: Generate and install configuration files for future find_package(expat [..] CONFIG [..]) CMake: Now produces a summary of applied configuration CMake: Require C++ compiler only when tests are enabled #330 CMake: Fix compilation for 16bit character types, i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON) #265 CMake: Fix linking with MinGW #330 CMake: Add full support for MinGW; to enable, use -DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake #330 CMake: Port "make run-xmltest" from GNU Autotools to CMake #316 CMake: Windows: Make binary postfix match MSVC Old: expat[d].lib New: expat[w][d][MD|MT].lib CMake: Migrate files from Windows to Unix line endings #308 CMake: Integrate OSS-Fuzz fuzzers, option -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF #14 Drop an OpenVMS support leftover #235 #268 .. #270 #310 .. #313 #331 #333 Address compiler warnings #282 #283 .. #284 #285 Address cppcheck warnings #294 #295 Address Clang Static Analyzer warnings #24 #293 Mass-apply clang-format 9 (and ensure conformance during CI) Version info bumped from 7:9:6 to 7:10:6 Special thanks to: David Loffredo Joonun Jang Khajapasha Mohammed Kishore Kunche Marco Maggi Mitch Phillips Rolf Ade xantares Zhongyuan Zhou @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.39 2019/06/29 22:36:04 wiz Exp $ d3 1 a3 1 DISTNAME= expat-2.2.8 d7 1 a7 1 GITHUB_RELEASE= R_2_2_8 @ 1.39 log @expat: update to 2.2.7. For a security fix. Release 2.2.7 Wed June 19 2019 Security fixes: #186 #262 Fix extraction of namespace prefixes from XML names; XML names with multiple colons could end up in the wrong namespace, and take a high amount of RAM and CPU resources while processing, opening the door to use for denial-of-service attacks Other changes: #195 #197 Autotools/CMake: Utilize -fvisibility=hidden to stop exporting non-API symbols #227 Autotools: Add --without-examples and --without-tests #228 Autotools: Modernize configure.ac #245 #246 Autotools: Fix check for -fvisibility=hidden for Clang #247 #248 Autotools: Fix compilation for lack of docbook2x-man #236 #258 Autotools: Produce .tar.{gz,lz,xz} release archives #212 CMake: Make libdir of pkgconfig expat.pc support multilib #158 #263 CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR #219 Remove fallback to bcopy, assume that memmove(3) exists #257 Use portable "/usr/bin/env bash" shebang (e.g. for OpenBSD) #243 Windows: Fix syntax of .def module definition files Version info bumped from 7:8:6 to 7:9:6 Special thanks to: Benjamin Peterson Caolán McNamara Hanno Böck KangLin Kishore Kunche Marco Maggi Rhodri James Sebastian Dröge userwithuid Yury Gribov @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.38 2018/08/20 05:24:49 wiz Exp $ d3 1 a3 1 DISTNAME= expat-2.2.7 d5 3 a7 2 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=expat/} EXTRACT_SUFX= .tar.bz2 d10 1 a10 1 HOMEPAGE= http://expat.sourceforge.net/ @ 1.38 log @expat: update to 2.2.6. Release 2.2.6 Sun August 12 2018 Bug fixes: #170 #206 Avoid doing arithmetic with NULL pointers in XML_GetBuffer #204 #205 Fix 2.2.5 regression with suspend-resume while parsing a document like '' Other changes: #165 #168 Autotools: Fix docbook-related configure syntax error #166 Autotools: Avoid grep option `-q` for Solaris #167 Autotools: Support ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation" #159 #167 Autotools: Support DOCBOOK_TO_MAN command which produces xmlwf.1 rather than XMLWF.1; also covers case insensitive file systems #181 Autotools: Drop -rpath option passed to libtool #188 Autotools: Detect and deny SGML docbook2man as ours is XML #188 Autotools/CMake: Support command db2x_docbook2man as well #174 CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF #184 #185 CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF #207 #208 CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T, both defaulting to OFF #175 CMake: Prefer check_symbol_exists over check_function_exists #176 CMake: Create the same pkg-config file as with GNU Autotools #178 #179 CMake: Use GNUInstallDirs module to set proper defaults for install directories #208 CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM #180 Windows: Fix compilation of test suite for Visual Studio 2008 #131 #173 #202 Address compiler warnings #187 #190 #200 Fix miscellaneous typos Version info bumped from 7:7:6 to 7:8:6 Release 2.2.5 Tue October 31 2017 Bug fixes: #8 If the parser runs out of memory, make sure its internal state reflects the memory it actually has, not the memory it wanted to have. #11 The default handler wasn't being called when it should for a SYSTEM or PUBLIC doctype if an entity declaration handler was registered. #137 #138 Fix a case of mistakenly reported parsing success where XML_StopParser was called from an element handler #162 Function XML_ErrorString was returning NULL rather than a message for code XML_ERROR_INVALID_ARGUMENT introduced with release 2.2.1 Other changes: #106 xmlwf: Add argument -N adding notation declarations #75 #106 Test suite: Resolve expected failure cases where xmlwf output was incomplete #127 Windows: Fix test suite compilation #126 #127 Windows: Fix compilation for Visual Studio 2012 Windows: Upgrade shipped project files to Visual Studio 2017 #33 #132 tests: Mass-fix compilation for XML_UNICODE_WCHAR_T #129 examples: Fix compilation for XML_UNICODE_WCHAR_T #130 benchmark: Fix compilation for XML_UNICODE_WCHAR_T #144 xmlwf: Fix compilation for XML_UNICODE_WCHAR_T; still needs Windows or MinGW for 2-byte wchar_t #9 Address two Clang Static Analyzer false positives #59 Resolve troublesome macros hiding parser struct membership and dereferencing that pointer #6 Resolve superfluous internal malloc/realloc switch #153 #155 Improve docbook2x-man detection #160 Undefine NDEBUG in the test suite (rather than rejecting it) #161 Address compiler warnings Version info bumped from 7:6:6 to 7:7:6 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.37 2018/08/19 20:16:42 wiz Exp $ d3 1 a3 1 DISTNAME= expat-2.2.6 @ 1.37 log @*: reset maintainer for drochner @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.36 2018/02/18 05:09:21 rillig Exp $ d3 1 a3 2 DISTNAME= expat-2.2.4 PKGREVISION= 1 @ 1.36 log @textproc/expat: move documentation to share/doc/expat @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.35 2017/09/08 07:55:17 wiz Exp $ d9 1 a9 1 MAINTAINER= drochner@@NetBSD.org @ 1.35 log @Updated expat to 2.2.4. Release 2.2.4 Sat Auguest 19 2017 Bug fixes: #115 Fix copying of partial characters for UTF-8 input Other changes: #109 Fix "make check" for non-x86 architectures that default to unsigned type char (-128..127 rather than 0..255) #109 coverage.sh: Cover -funsigned-char Autotools: Introduce --without-xmlwf argument #65 Autotools: Replace handwritten Makefile with GNU Automake #43 CMake: Auto-detect high quality entropy extractors, add new option USE_libbsd=ON to use arc4random_buf of libbsd #74 CMake: Add -fno-strict-aliasing only where supported #114 CMake: Always honor manually set BUILD_* options #114 CMake: Compile man page if docbook2x-man is available, only #117 Include file tests/xmltest.log.expected in source tarball (required for "make run-xmltest") #117 Include (existing) Visual Studio 2013 files in source tarball Improve test suite error output #111 Fix some typos in documentation Version info bumped from 7:5:6 to 7:6:6 Special thanks to: Jakub Wilk Joe Orton Lin Tian Rolf Eike Beer Release 2.2.3 Wed August 2 2017 Security fixes: #82 CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability using Steve Holme's LoadLibrary wrapper for/of cURL Bug fixes: #85 Fix a dangling pointer issue related to realloc Other changes: Increase code coverage #91 Linux: Allow getrandom to fail if nonblocking pool has not yet been initialized and read /dev/urandom then, instead. This is in line with what recent Python does. #81 Pre-10.7/Lion macOS: Support entropy from arc4random #86 Check that a UTF-16 encoding in an XML declaration has the right endianness #4 #5 #7 Recover correctly when some reallocations fail Repair "./configure && make" for systems without any provider of high quality entropy and try reading /dev/urandom on those Ensure that user-defined character encodings have converter functions when they are needed Fix mis-leading description of argument -c in xmlwf.1 Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__) for CloudABI #100 Fix use of SIPHASH_MAIN in siphash.h #23 Test suite: Fix memory leaks Version info bumped from 7:4:6 to 7:5:6 Special thanks to: Chanho Park Joe Orton Pascal Cuoq Rhodri James Simon McVittie Vadim Zeitlin Viktor Szakats and Core Infrastructure Initiative Release 2.2.2 Wed July 12 2017 Security fixes: #43 Protect against compilation without any source of high quality entropy enabled, e.g. with CMake build system; commit ff0207e6076e9828e536b8d9cd45c9c92069b895 #60 Windows with _UNICODE: Unintended use of LoadLibraryW with a non-wide string resulted in failure to load advapi32.dll and degradation in quality of used entropy when compiled with _UNICODE for Windows; you can launch existing binaries with EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the quality of entropy used during runtime; commits * 95b95032f907ef1cd17ee7a9a1768010a825d61d * 73a5a2e9c081f49f2d775cf7ced864158b68dc80 [MOX-006] Fix non-NULL parser parameter validation in XML_Parse; resulted in NULL dereference, previously; commit ac256dafdffc9622ab0dc2c62fcecb0dfcfa71fe Bug fixes: #69 Fix improper use of unsigned long long integer literals Other changes: #73 Start requiring a C99 compiler #49 Fix "==" Bashism in configure script #50 Fix too eager getrandom detection for Debian GNU/kFreeBSD #52 and macOS #51 Address lack of stdint.h in Visual Studio 2003 to 2008 #58 Address compile warnings #68 Fix "./buildconf.sh && ./configure" for some versions of Dash for /bin/sh #72 CMake: Ease use of Expat in context of a parent project with multiple CMakeLists.txt files #72 CMake: Resolve mistaken executable permissions #76 Address compile warning with -DNDEBUG (not recommended!) #77 Address compile warning about macro redefinition Special thanks to: Alexander Bluhm Ben Boeckel Cătălin Răceanu Kerin Millar László Böszörményi S. P. Zeidler Segev Finer Václav Slavík Victor Stinner Viktor Szakats and Radically Open Security @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.34 2017/06/18 06:01:33 spz Exp $ d4 1 d25 1 a25 1 DOCDIR= ${PREFIX}/share/doc/html/expat @ 1.34 log @update of expat from 2.2.0 to 2.2.1 (mostly security fixes and cleanup) Security issues fixed: CVE-2017-9233, CVE-2016-9063, improve fix for CVE-2016-5300 fixed regression from fix to CVE-2016-0718 Cleanup: Drop AmigaOS 4.x, Borland C++ Builder, OpenVMS, Open Watcom, Visual Studio 6.0 and Pre-X Mac OS support @ text @d1 1 a1 2 # $NetBSD: Makefile,v 1.33 2016/06/22 15:39:09 drochner Exp $ # d3 1 a3 1 DISTNAME= expat-2.2.1 d13 2 a14 2 GNU_CONFIGURE= YES USE_LIBTOOL= YES d19 2 @ 1.33 log @update to 2.2.0 changes: -security patches which we already had in pkgsrc are integrated -Use more entropy for hash initialization than the original fix to CVE-2012-0876 -Resolve troublesome internal call to srand that was introduced with Expat 2.1.0 when addressing CVE-2012-0876 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.32 2016/05/17 19:15:01 drochner Exp $ d4 1 a4 1 DISTNAME= expat-2.2.0 @ 1.33.8.1 log @Pullup ticket #5486 - requested by sevan textproc/expat: security fix Revisions pulled up: - textproc/expat/Makefile 1.34 - textproc/expat/distinfo 1.27 - textproc/expat/patches/patch-configure 1.1 - textproc/expat/patches/patch-configure.ac 1.1 --- Module Name: pkgsrc Committed By: spz Date: Sun Jun 18 06:01:33 UTC 2017 Modified Files: pkgsrc/textproc/expat: Makefile distinfo Added Files: pkgsrc/textproc/expat/patches: patch-configure patch-configure.ac Log Message: update of expat from 2.2.0 to 2.2.1 (mostly security fixes and cleanup) Security issues fixed: CVE-2017-9233, CVE-2016-9063, improve fix for CVE-2016-5300 fixed regression from fix to CVE-2016-0718 Cleanup: Drop AmigaOS 4.x, Borland C++ Builder, OpenVMS, Open Watcom, Visual Studio 6.0 and Pre-X Mac OS support @ text @d1 1 a1 1 # $NetBSD$ d4 1 a4 1 DISTNAME= expat-2.2.1 @ 1.32 log @add patches from upstream to fix possible crashes and memory corruption on malformed input (CVE-2016-0718) Description: The Expat XML parser mishandles certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial of service attack in many applications by an unauthenticated attacker, and could conceivably result in remote code execution. bump PKGREV also add an improvement to the fix for CVE-2015-1283 which was part of the 2.1.1 release -- don't rely on defined behaviour on overflows of signed integer operations, from upstream git: https://sourceforge.net/p/expat/code_git/ci/f0bec73b018caa07d3e75ec8dd967f3785d71bde/ pkgsrc change: add a hint how to run the pkg's selftest (not enabled permanently because this would add a dependency on C++) @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.31 2016/03/16 19:55:55 ryoon Exp $ d4 1 a4 2 DISTNAME= expat-2.1.1 PKGREVISION= 1 @ 1.31 log @Update to 2.1.1 Changelog: Release 2.1.1 Sat March 12 2016 Security fixes: #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer Bug fixes: #502: Fix potential null pointer dereference #520: Symbol XML_SetHashSalt was not exported Output of "xmlwf -h" was incomplete Other changes #503: Document behavior of calling XML_SetHashSalt with salt 0 Minor improvements to man page xmlwf(1) Improvements to the experimental CMake build system libtool now invoked with --verbose @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.30 2016/01/01 01:29:30 ryoon Exp $ d5 1 d18 4 @ 1.31.2.1 log @Pullup ticket #5026 - requested by drochner textproc/expat: security fix Revisions pulled up: - textproc/expat/Makefile 1.32 - textproc/expat/distinfo 1.25 - textproc/expat/patches/patch-CVE-2016-0718-1 1.1 - textproc/expat/patches/patch-CVE-2016-0718-2 1.1 - textproc/expat/patches/patch-CVE-2016-0718-3 1.1 - textproc/expat/patches/patch-CVE-2016-0718-4 1.1 --- Module Name: pkgsrc Committed By: drochner Date: Tue May 17 19:15:01 UTC 2016 Modified Files: pkgsrc/textproc/expat: Makefile distinfo Added Files: pkgsrc/textproc/expat/patches: patch-CVE-2016-0718-1 patch-CVE-2016-0718-2 patch-CVE-2016-0718-3 patch-CVE-2016-0718-4 Log Message: add patches from upstream to fix possible crashes and memory corruption on malformed input (CVE-2016-0718) Description: The Expat XML parser mishandles certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial of service attack in many applications by an unauthenticated attacker, and could conceivably result in remote code execution. bump PKGREV also add an improvement to the fix for CVE-2015-1283 which was part of the 2.1.1 release -- don't rely on defined behaviour on overflows of signed integer operations, from upstream git: https://sourceforge.net/p/expat/code_git/ci/f0bec73b018caa07d3e75ec8dd967f3785d71bde/ pkgsrc change: add a hint how to run the pkg's selftest (not enabled permanently because this would add a dependency on C++) @ text @d1 1 a1 1 # $NetBSD$ a4 1 PKGREVISION= 1 a16 4 # C++ is needed for tests only #USE_LANGUAGES= c c++ #TEST_TARGET= check @ 1.30 log @Do not use GNU make, bump PKGREVISION Fix circular dependency of PREFER_PKGSRC=yes case. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.29 2015/08/04 08:47:19 tnn Exp $ d4 1 a4 2 DISTNAME= expat-2.1.0 PKGREVISION= 2 d7 1 @ 1.29 log @CVE-2015-1283 heap based buffer overflow in expat. Patch via Debian bug#793484 and Mozilla. Bump. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.28 2014/10/09 14:07:01 wiz Exp $ d5 1 a5 1 PKGREVISION= 1 a15 1 USE_TOOLS+= gmake @ 1.28 log @Remove pkgviews: don't set PKG_INSTALLATION_TYPES in Makefiles. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.27 2012/10/25 06:55:49 asau Exp $ d5 1 @ 1.27 log @Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.26 2012/04/01 08:52:43 obache Exp $ a12 2 PKG_INSTALLATION_TYPES= overwrite pkgviews @ 1.26 log @Update expat to 2.1.0, contains security fixes. Release 2.1.0 Sat March 24 2012 - Bug Fixes: #1742315: Harmful XML_ParserCreateNS suggestion. #2895533: CVE-2012-1147 - Resource leak in readfilemap.c. #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3. #1983953, 2517952, 2517962, 2649838: Build modifications using autoreconf instead of buildconf.sh. #2815947, #2884086: OBJEXT and EXEEXT support while building. #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences. #2517938: xmlwf should return non-zero exit status if not well-formed. #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml. #2855609: Dangling positionPtr after error. #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8(). #2958794: CVE-2012-1148 - Memory leak in poolGrow. #2990652: CMake support. #3010819: UNEXPECTED_STATE with a trailing "%" in entity value. #3206497: Unitialized memory returned from XML_Parse. #3287849: make check fails on mingw-w64. #3496608: CVE-2012-0876 - Hash DOS attack. - Patches: #1749198: pkg-config support. #3010222: Fix for bug #3010819. #3312568: CMake support. #3446384: Report byte offsets for attr names and values. - New Features / API changes: Added new API member XML_SetHashSalt() that allows setting an intial value (salt) for hash calculations. This is part of the fix for bug #3496608 to randomize hash parameters. When compiled with XML_ATTR_INFO defined, adds new API member XML_GetAttributeInfo() that allows retrieving the byte offsets for attribute names and values (patch #3446384). Added CMake build system. See bug #2990652 and patch #3312568. Added run-benchmark target to Makefile.in - relies on testdata module present in the same relative location as in the repository. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.25 2010/01/26 18:37:01 drochner Exp $ a13 1 PKG_DESTDIR_SUPPORT= user-destdir @ 1.25 log @add patch from upstream CVS to fix CVE-2009-3560 (possible DOS due to crash on bad input) bump PKGREVISION @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.24 2009/09/10 09:59:20 drochner Exp $ d4 1 a4 2 DISTNAME= expat-2.0.1 PKGREVISION= 2 d11 1 d20 2 @ 1.24 log @fix SA36425: possible DoS due to an error when parsing certain UTF-8 sequences (patch from Python CVS) bump PKGREVISION @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.23 2007/06/08 13:14:04 wiz Exp $ d5 1 a5 1 PKGREVISION= 1 @ 1.24.4.1 log @Pullup ticket 2978 - requested by tron security patch Revisions pulled up: - pkgsrc/textproc/expat/Makefile 1.25 - pkgsrc/textproc/expat/distinfo 1.19 Files added: - pkgsrc/textproc/expat/patches/patch-ab ------------------------------------------------------------------------- Module Name: pkgsrc Committed By: drochner Date: Tue Jan 26 18:37:02 UTC 2010 Modified Files: pkgsrc/textproc/expat: Makefile distinfo Added Files: pkgsrc/textproc/expat/patches: patch-ab Log Message: add patch from upstream CVS to fix CVE-2009-3560 (possible DOS due to crash on bad input) bump PKGREVISION To generate a diff of this commit: cvs rdiff -u -r1.24 -r1.25 pkgsrc/textproc/expat/Makefile cvs rdiff -u -r1.18 -r1.19 pkgsrc/textproc/expat/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/textproc/expat/patches/patch-ab @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.25 2010/01/26 18:37:01 drochner Exp $ d5 1 a5 1 PKGREVISION= 2 @ 1.23 log @Update to 2.0.1: Release 2.0.1 Tue June 5 2007 - Fixed bugs #1515266, 1515600: The character data handler's calling of XML_StopParser() was not handled properly; if the parser was stopped and the handler set to NULL, the parser would segfault. - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed some character constants to be ASCII encoded. - Minor cleanups of the test harness. - Fixed xmlwf bug #1513566: "out of memory" error on file size zero. - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call. - Fixes and improvements for Windows platform: bugs #1409451, #1476160, 1548182, 1602769, 1717322. - Build fixes for various platforms: HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180. All Unix: #1554618 (refreshed config.sub/config.guess). #1490371, #1613457: support both, DESTDIR and INSTALL_ROOT, without relying on GNU-Make specific features. #1647805: Patched configure.in to work better with Intel compiler. - Fixes to Makefile.in to have make check work correctly: bugs #1408143, #1535603, #1536684. - Added Open Watcom support: patch #1523242. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.22 2006/11/03 06:56:23 joerg Exp $ d5 1 @ 1.23.22.1 log @Pullup ticket 2886 - requested by drochner security fix Revisions pulled up: - pkgsrc/textproc/expat/Makefile 1.24 - pkgsrc/textproc/expat/distinfo 1.17 Files added: pkgsrc/textproc/expat/patches/patch-aa 1.7 Module Name: pkgsrc Committed By: drochner Date: Thu Sep 10 09:59:21 UTC 2009 Modified Files: pkgsrc/textproc/expat: Makefile distinfo Added Files: pkgsrc/textproc/expat/patches: patch-aa Log Message: fix SA36425: possible DoS due to an error when parsing certain UTF-8 sequences (patch from Python CVS) bump PKGREVISION To generate a diff of this commit: cvs rdiff -u -r1.23 -r1.24 pkgsrc/textproc/expat/Makefile cvs rdiff -u -r1.16 -r1.17 pkgsrc/textproc/expat/distinfo cvs rdiff -u -r0 -r1.7 pkgsrc/textproc/expat/patches/patch-aa @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.24 2009/09/10 09:59:20 drochner Exp $ a4 1 PKGREVISION= 1 @ 1.22 log @DESTDIR support. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.21 2006/02/05 23:11:01 joerg Exp $ d4 1 a4 2 DISTNAME= expat-2.0.0 PKGREVISION= 1 @ 1.21 log @Recursive revision bump / recommended bump for gettext ABI change. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.20 2006/01/22 16:46:02 wiz Exp $ d14 1 d23 3 a25 3 ${INSTALL_DATA_DIR} ${DOCDIR} ${INSTALL_DATA} ${WRKSRC}/doc/reference.html ${DOCDIR} ${INSTALL_DATA} ${WRKSRC}/doc/style.css ${DOCDIR} @ 1.20 log @Update to 2.0.0: Release 2.0.0 Wed Jan 11 2006 - We no longer use the "check" library for C unit testing; we always use the (partial) internal implementation of the API. - Report XML_NS setting via XML_GetFeatureList(). - Fixed headers for use from C++. - XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber() now return unsigned integers. - Added XML_LARGE_SIZE switch to enable 64-bit integers for byte indexes and line/column numbers. - Updated to use libtool 1.5.22 (the most recent). - Added support for AmigaOS. - Some mostly minor bug fixes. SF issues include: 1006708, 1021776, 1023646, 1114960, 1156398, 1221160, 1271642. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.19 2005/05/22 20:08:34 jlam Exp $ d5 1 @ 1.19 log @Remove USE_GNU_TOOLS and replace with the correct USE_TOOLS definitions: USE_GNU_TOOLS -> USE_TOOLS awk -> gawk m4 -> gm4 make -> gmake sed -> gsed yacc -> bison @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.18 2005/04/11 21:47:34 tv Exp $ d4 1 a4 2 DISTNAME= expat-1.95.8 PKGREVISION= 2 @ 1.18 log @Remove USE_BUILDLINK3 and NO_BUILDLINK; these are no longer used. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.17 2004/10/03 00:18:19 tv Exp $ d17 1 a17 1 USE_GNU_TOOLS+= make @ 1.17 log @Libtool fix for PR pkg/26633, and other issues. Update libtool to 1.5.10 in the process. (More information on tech-pkg.) Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and installing .la files. Bump PKGREVISION (only) of all packages depending directly on the above via a buildlink3 include. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.16 2004/09/15 17:09:37 jlam Exp $ a17 1 USE_BUILDLINK3= YES @ 1.16 log @Don't have a comma end an enumeration list, which is apparently not allowed by GCC with -pedantic -ansi. Bump the PKGREVISION. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.15 2004/08/05 22:16:59 recht Exp $ d5 1 a5 1 PKGREVISION= 1 @ 1.15 log @update to expat-1.95.8 Release 1.95.8 Fri Jul 23 2004 - Major new feature: suspend/resume. Handlers can now request that a parse be suspended for later resumption or aborted altogether. See "Temporarily Stopping Parsing" in the documentation for more details. - Some mostly minor bug fixes, but compilation should no longer generate warnings on most platforms. SF issues include: 827319, 840173, 846309, 888329, 896188, 923913, 928113, 961698, 985192. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.14 2004/03/02 18:13:58 drochner Exp $ d5 1 @ 1.14 log @update to 1.95.7 bugfixes and compatibility improvements @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.13 2004/02/14 17:21:53 jlam Exp $ d4 1 a4 1 DISTNAME= expat-1.95.7 @ 1.13 log @LIBTOOL_OVERRIDE and SHLIBTOOL_OVERRIDE are now lists of shell globs relative to ${WRKSRC}. Remove redundant LIBTOOL_OVERRIDE settings that are automatically handled by the default setting in bsd.pkg.mk. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.12 2004/01/24 15:13:19 grant Exp $ d4 1 a4 2 DISTNAME= expat-1.95.6 PKGREVISION= 1 @ 1.12 log @replace deprecated USE_GMAKE with USE_GNU_TOOLS+=make. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.11 2004/01/05 23:43:06 jlam Exp $ a16 1 LIBTOOL_OVERRIDE= ${WRKSRC}/libtool @ 1.11 log @bl3ify @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.10 2003/07/17 22:54:14 grant Exp $ d18 1 a18 1 USE_GMAKE= YES @ 1.10 log @s/netbsd.org/NetBSD.org/ @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.9 2003/02/05 03:57:13 jlam Exp $ d13 2 d19 1 a19 1 USE_BUILDLINK2= YES @ 1.9 log @Bump PKGREVISION of textproc/expat to 1: fix an obvious C bug where types should be declared/defined before they are used. This should fix errors of the form: .../expat.h:657: use of enum `XML_Status' without previous declaration .../expat.h:736: multiple definition of `enum XML_Status' @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.8 2003/01/30 10:49:13 drochner Exp $ d9 1 a9 1 MAINTAINER= drochner@@netbsd.org @ 1.8 log @update to 1.95.6 changes: -Added XML_FreeContentModel(). -Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree(). -Enhanced the regression test suite. -bugfixes @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.7 2002/09/17 21:06:15 drochner Exp $ d5 1 @ 1.7 log @update to 1.95.5 changes: Added XML_UseForeignDTD() for improved SAX2 support. Added XML_GetFeatureList(). Defined XML_Bool type and the values XML_TRUE and XML_FALSE. Use an incomplete struct instead of a void* for the parser. Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected. Finally fixed bug where default handler would report DTD events that were already handled by another handler. Initial patch contributed by Darryl Miller. Reduced line-length for all source code and headers to be no longer than 80 characters, to help with AS/400 support. Reduced memory copying during parsing (SF patch #600964). Fixed a variety of bugs. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.6 2002/08/25 18:40:01 jlam Exp $ d4 1 a4 1 DISTNAME= expat-1.95.5 @ 1.6 log @Merge changes in packages from the buildlink2 branch that have buildlink2.mk files back into the main trunk. This provides sufficient buildlink2 infrastructure to start merging other packages from the buildlink2 branch that have already been converted to use the buildlink2 framework. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.4.2.3 2002/08/22 11:12:37 jlam Exp $ d4 1 a4 1 DISTNAME= expat-1.95.4 @ 1.5 log @update to 1.95.4 changes since 1.95.2: -Added the XML_ParserReset() API function -Allow xmlwf to read from standard input -Install a man page for xmlwf on Unix systems -bugfixes -unrelated portability enhancements @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.4 2001/10/01 03:07:21 jlam Exp $ d16 1 a16 1 USE_BUILDLINK_ONLY= YES @ 1.4 log @Mark as USE_BUILDLINK_ONLY as this package is strongly-buildlinked. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.3 2001/08/07 11:16:55 drochner Exp $ d4 1 a4 1 DISTNAME= expat-1.95.2 d14 1 a14 1 LTCONFIG_OVERRIDE= ${WRKSRC}/conftools/ltconfig @ 1.4.2.1 log @First pass at conversion of various packages to use the buildlink2 framework. Add many buildlink2.mk files to add to the framework. Please see buildlink2.txt for more details. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.4 2001/10/01 03:07:21 jlam Exp $ d16 1 a16 1 USE_BUILDLINK2_ONLY= YES @ 1.4.2.2 log @Rename USE_BUILDLINK2_ONLY to USE_BUILDLINK2 for less verbosity. Also convert a few more packages to use the buildlink2 framework. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.4.2.1 2002/05/11 02:09:25 jlam Exp $ d16 1 a16 1 USE_BUILDLINK2= YES @ 1.4.2.3 log @Merge changes from pkgsrc-current into the buildlink2 branch for the packages that have buildlink2.mk files. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.4.2.2 2002/06/21 23:05:43 jlam Exp $ d4 1 a4 1 DISTNAME= expat-1.95.4 d14 1 a14 1 LIBTOOL_OVERRIDE= ${WRKSRC}/libtool @ 1.3 log @update to 1.95.2 changes: - Added compile-time constants that can be used to determine the Expat version - Removed a lot of GNU-specific dependencies to aide portability among the various Unix flavors. - Fix the UTF-8 BOM bug. - Cleaned up warning messages for several compilers. - Added the -Wall, -Wstrict-prototypes options for GCC. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.2 2001/05/15 10:07:17 dillo Exp $ d12 2 a13 2 GNU_CONFIGURE= YES USE_LIBTOOL= yes d15 2 a16 1 USE_GMAKE= yes @ 1.2 log @install the html documentation, bump version to 1.95.1nb1 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.1.1.1 2001/03/07 12:13:04 drochner Exp $ d4 1 a4 2 DISTNAME= expat-1.95.1 PKGNAME= expat-1.95.1nb1 d15 1 @ 1.1 log @Initial revision @ text @d1 1 a1 1 # $NetBSD$ d5 1 d16 7 @ 1.1.1.1 log @This is James Clark's expat XML parser library in C. It is a stream oriented parser that requires setting handlers to deal with the structure that the parser discovers in the document. @ text @@