Revisions of expat
Tomáš Chvátal (scarabeus_iv)
accepted
request 713044
from
Pedro Monreal Gonzalez (pmonrealgonzalez)
(revision 75)
- Version update to 2.2.7 (CVE-2018-20843, bsc#1139937) * Security fixes: - CVE-2018-20843 - Fix extraction of namespace prefixes from XML names; XML names with multiple colons could end up in the wrong namespace, and take a high amount of RAM and CPU resources while processing, opening the door to use for denial-of-service attacks * Other changes: - Autotools/CMake: Utilize -fvisibility=hidden to stop exporting non-API symbols - Autotools: Add --without-examples and --without-tests - Autotools: Modernize configure.ac - Autotools: Fix check for -fvisibility=hidden for Clang - Autotools: Fix compilation for lack of docbook2x-man - CMake: Make libdir of pkgconfig expat.pc support multilib - CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR - Remove fallback to bcopy, assume that memmove(3) exists - Use docbook2x to build the man pages - Removed expat-2.2.6-fix-make-clean.patch
buildservice-autocommit
accepted
request 672726
from
Dirk Mueller (dirkmueller)
(revision 74)
baserev update by copy to link target
Dirk Mueller (dirkmueller)
accepted
request 672442
from
Bernhard Wiedemann (bmwiedemann)
(revision 73)
Add expat-2.2.6-fix-make-clean.patch Allow profile guided optimization again Dear package maintainer: please decide if and how to upstream the new patch.
buildservice-autocommit
accepted
request 662662
from
Tomáš Chvátal (scarabeus_iv)
(revision 72)
baserev update by copy to link target
Tomáš Chvátal (scarabeus_iv)
committed
(revision 71)
Tomáš Chvátal (scarabeus_iv)
committed
(revision 70)
- Drop docbook2x dependency, the manpages are generated in the upstream archive and this way we break buildcycle
buildservice-autocommit
accepted
request 634955
from
Ismail Dönmez (namtrac)
(revision 69)
baserev update by copy to link target
Ismail Dönmez (namtrac)
accepted
request 634952
from
Pedro Monreal Gonzalez (pmonrealgonzalez)
(revision 68)
- Version update to 2.2.6 Sun August 12 2018 * Bug fixes: - Avoid doing arithmetic with NULL pointers in XML_GetBuffer - Fix 2.2.5 regression with suspend-resume while parsing a document like '<root/>' * Other changes: - Autotools: Fix docbook-related configure syntax error - Autotools: Avoid grep option `-q` for Solaris - Autotools: Support ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation" - Autotools: Support DOCBOOK_TO_MAN command which produces xmlwf.1 rather than XMLWF.1; also covers case insensitive file systems - Autotools: Drop -rpath option passed to libtool - Autotools: Detect and deny SGML docbook2man as ours is XML - Autotools/CMake: Support command db2x_docbook2man as well - CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF - CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF - CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T, both defaulting to OFF - CMake: Prefer check_symbol_exists over check_function_exists - CMake: Create the same pkg-config file as with GNU Autotools - CMake: Use GNUInstallDirs module to set proper defaults for install directories - CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM - Address compiler warnings - Fix miscellaneous typos
buildservice-autocommit
accepted
request 542219
from
Pedro Monreal Gonzalez (pmonrealgonzalez)
(revision 67)
baserev update by copy to link target
Pedro Monreal Gonzalez (pmonrealgonzalez)
accepted
request 542216
from
Jan Engelhardt (jengelh)
(revision 66)
- Expand description of expat-devel.
Pedro Monreal Gonzalez (pmonrealgonzalez)
accepted
request 542191
from
Martin Pluskal (pluskalm)
(revision 65)
- Do not generate manpages from docbook - Temporarily disable profiling due to bug in build system
Tomáš Chvátal (scarabeus_iv)
accepted
request 540028
from
Avindra Goolcharan (avindra)
(revision 64)
- Version update to 2.2.5 Tue October 31 2017 * Bug fixes: - If the parser runs out of memory, make sure its internal state reflects the memory it actually has, not the memory it wanted to have. - The default handler wasn't being called when it should for a SYSTEM or PUBLIC doctype if an entity declaration handler was registered. - Fix a case of mistakenly reported parsing success where XML_StopParser was called from an element handler - Function XML_ErrorString was returning NULL rather than a message for code XML_ERROR_INVALID_ARGUMENT introduced with release 2.2.1 * Other changes: - Add argument -N adding notation declarations - various compiler-specific fixes - Improve docbook2x-man detection - drop expat-docbook.patch * fixed in 0f5186c7b8e503c669e332d944712de010b265f3 - switch to github for release tarballs and website - Version update to 2.2.4 Sat August 19 2017 * Bug fixes: #115 Fix copying of partial characters for UTF-8 input * Other changes: #109 Fix "make check" for non-x86 architectures that default to unsigned type char (-128..127 rather than 0..255) #109 coverage.sh: Cover -funsigned-char Autotools: Introduce --without-xmlwf argument #65 Autotools: Replace handwritten Makefile with GNU Automake #43 CMake: Auto-detect high quality entropy extractors, add new option USE_libbsd=ON to use arc4random_buf of libbsd #74 CMake: Add -fno-strict-aliasing only where supported #114 CMake: Always honor manually set BUILD_* options #114 CMake: Compile man page if docbook2x-man is available, only #117 Include file tests/xmltest.log.expected in source tarball (required for "make run-xmltest") #111 Fix some typos in documentation Version info bumped from 7:5:6 to 7:6:6 - Release 2.2.3 Wed August 2 2017 * Bug fixes: #85 Fix a dangling pointer issue related to realloc * Other changes: #91 Linux: Allow getrandom to fail if nonblocking pool has not yet been initialized and read /dev/urandom then, instead. This is in line with what recent Python does. #86 Check that a UTF-16 encoding in an XML declaration has the right endianness #4 #5 #7 Recover correctly when some reallocations fail Repair "./configure && make" for systems without any provider of high quality entropy and try reading /dev/urandom on those Ensure that user-defined character encodings have converter functions when they are needed Fix mis-leading description of argument -c in xmlwf.1 Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__) for CloudABI #100 Fix use of SIPHASH_MAIN in siphash.h #23 Test suite: Fix memory leaks Version info bumped from 7:4:6 to 7:5:6 - Release 2.2.2 Wed July 12 2017 * Security fixes: #43 Protect against compilation without any source of high quality entropy enabled, e.g. with CMake build system; * [MOX-006] Fix non-NULL parser parameter validation in XML_Parse; resulted in NULL dereference, previously; * Bug fixes: #69 Fix improper use of unsigned long long integer literals * Other changes: #73 Start requiring a C99 compiler #49 Fix "==" Bashism in configure script #58 Address compile warnings #68 Fix "./buildconf.sh && ./configure" for some versions of Dash for /bin/sh #72 CMake: Ease use of Expat in context of a parent project with multiple CMakeLists.txt files #72 CMake: Resolve mistaken executable permissions #76 Address compile warning with -DNDEBUG (not recommended!) #77 Address compile warning about macro redefinition * Added patch expat-docbook.patch to compile the man pages with docbook-to-man * Cleaned spec file with spec-cleaner - Allow building when do_profiling is undefined - Build with profiling when possible - Version update to 2.2.1 Sat June 17 2017 - Security fixes: CVE-2017-9233 / bsc#1047236 -- External entity infinite loop DoS Details: https://libexpat.github.io/doc/cve-2017-9233/ Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f - [MOX-002] CVE-2016-9063 / bsc#1047240 -- Detect integer overflow; (Fixed version of existing downstream patches!) - (SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off longer tag names; #25 More integer overflow detection (function poolGrow); - [MOX-002] Detect overflow from len=INT_MAX call to XML_Parse; - [MOX-005] #30 Use high quality entropy for hash initialization: * arc4random_buf on BSD, systems with libbsd (when configured with --with-libbsd), CloudABI * RtlGenRandom on Windows XP / Server 2003 and later * getrandom on Linux 3.17+ In a way, that's still part of CVE-2016-5300. https://github.com/libexpat/libexpat/pull/30/commits - [MOX-005] For the low quality entropy extraction fallback code, the parser instance address can no longer leak, - [MOX-003] Prevent use of uninitialised variable; commit - [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b Add missing parameter validation to public API functions and dedicated error code XML_ERROR_INVALID_ARGUMENT: - [MOX-006] * NULL checks; commits * Negative length (XML_Parse); commit - [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f - [MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash to go further with fixing CVE-2012-0876. https://github.com/libexpat/libexpat/pull/39/commits - Bug fixes: #32 Fix sharing of hash salt across parsers; relevant where XML_ExternalEntityParserCreate is called prior to XML_Parse, in particular (e.g. FBReader) #28 xmlwf: Auto-disable use of memory-mapping (and parsing as a single chunk) for files larger than ~1 GB (2^30 bytes) rather than failing with error "out of memory" #3 Fix double free after malloc failure in DTD code; commit 7ae9c3d3af433cd4defe95234eae7dc8ed15637f #17 Fix memory leak on parser error for unbound XML attribute prefix with new namespaces defined in the same tag; found by Google's OSS-Fuzz; commits xmlwf on Windows: Add missing calls to CloseHandle - New features: #30 Introduced environment switch EXPAT_ENTROPY_DEBUG=1 for runtime debugging of entropy extraction Bump version info from 7:2:6 to 7:3:6 - Remove pointless --with-pic (for static only) - Version update to 2.2.0: * Fixes bnc#983215 CVE-2012-6702 * Fixes bnc#983216 CVE-2016-5300 * Various cmake and autotools script updates * Fix detection of utf8 character boundaries - Remove all patches merged upstream: * expat-2.1.1-avoid_relying_on_undef_behaviour.patch * expat-2.1.1-parser_crashes_on_malformed_input.patch * expat-alloc-size.patch * expat-visibility.patch - add expat-2.1.1-avoid_relying_on_undef_behaviour.patch to avoid relying on undefined behavior in the original CVE-2015-1283 fix [bnc#980391], [bnc#983985], [CVE-2016-4472] - add expat-2.1.1-parser_crashes_on_malformed_input.patch to fix Expat XML parser that mishandles certain kinds of malformed input documents [bnc#979441], [CVE-2016-0718] - use spec-cleaner to clean specfile - After simplification of expat-visibility.patch, it became uneffective as no symbols are getting hidden. add -fvisibility=hidden to CFLAGS again. - expat-alloc-size.patch: fix braino, realloc()-like functions should not take __attribute__(malloc) - Update to version 2.1.1 * Fixes CVE-2015-1283 — Multiple integer overflows in the XML_GetBuffer function * Fix potential null pointer dereference * Symbol XML_SetHashSalt was not exported * Output of xmlwf -h was incomplete * Document behavior of calling XML_SetHashSalt with salt 0 * Minor improvements to man page xmlwf(1) - Simplify expat-visibility.patch, refresh expat-alloc-size.patch - Drop config-guess-sub-update.patch, fixed upstream. - Cleanup spec file with spec-cleaner - Remove old ppc obsoletes/provides - Added url as source. Please see http://en.opensuse.org/SourceUrls - Sanitize description of expat (replace it with a more current one from the homepage) - Update config.guess/sub for aarch64 - fix of fix of [bnc#798644] - according to upstream changelog: - Improved ability to build without the configure-generated expat_config.h header. This is useful for applications which embed Expat rather than linking in the library. because I am not exactly sure about implication of this, rather use -DXML_HAVE_VISIBILITY in CFLAG_VISIBILITY in expat-visibility.patch - Executing autoreconf requires autoconf BuildRequire - really hide private Xml* symbols [bnc#798644] * modified visibility.patch - update to 2.1.0 - Bug Fixes: #1742315: Harmful XML_ParserCreateNS suggestion. #2895533: CVE-2012-1147 - Resource leak in readfilemap.c. #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3. #1983953, 2517952, 2517962, 2649838: Build modifications using autoreconf instead of buildconf.sh. #2815947, #2884086: OBJEXT and EXEEXT support while building. #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences. #2517938: xmlwf should return non-zero exit status if not well-formed. #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml. #2855609: Dangling positionPtr after error. #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8(). #2958794: CVE-2012-1148 - Memory leak in poolGrow. #2990652: CMake support. #3010819: UNEXPECTED_STATE with a trailing "%" in entity value. #3206497: Unitialized memory returned from XML_Parse. #3287849: make check fails on mingw-w64. #3496608: CVE-2012-0876 - Hash DOS attack. - Patches: #1749198: pkg-config support. #3010222: Fix for bug #3010819. #3312568: CMake support. #3446384: Report byte offsets for attr names and values. - New Features / API changes: * Added new API member XML_SetHashSalt() that allows setting an intial value (salt) for hash calculations. This is part of the fix for bug #3496608 to randomize hash parameters. * When compiled with XML_ATTR_INFO defined, adds new API member XML_GetAttributeInfo() that allows retrieving the byte offsets for attribute names and values (patch #3446384). * Added CMake build system. See bug #2990652 and patch #3312568. * Added run-benchmark target to Makefile.in - relies on testdata module present in the same relative location as in the repository. - update to 2.1.0 beta * refreshed expat-visibility.patch * removed obsolete expat-CVE-2009-3560.patch * removed obsolete expat-CVE-2009-2625.patch - hash table DOS attack fix - accumulated bug fixes and some changes to the build system - new conditional feature to make byte offsets for attributes and attribute names available - Put libraries back to %{_libdir}, /usr merge project - add automake as buildrequire to avoid implicit dependency - Hide non public symbols reusing existing win32 API export/imports - annotate malloc/realloc-like functions with attribute alloc_size to catch possible misuses in calling code. - Remove redundant/obsolete tags/sections from specfile (cf. packaging guidelines) - Use %_smp_mflags for parallel build - Add libexpat-devel to baselibs - fix license (MIT) in spec file - fix CVE-2009-3560.patch [bnc#566434] - add baselibs.conf as a source - fix DoS (CVE-2009-3560.patch) [bnc#558892] - fix DoS (CVE-2009-2625.patch) [bnc#550664] - test suite requires gcc-c++ to compile - remove static libraries, shouldnt be needed anymore. - run make check - use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade (bnc#437293) - obsolete old -XXbit packages (bnc#437293) - added baselibs.conf file to build xxbit packages for multilib support - fix devel symlink - move libraries from /usr/lib to /lib [#285472] - replace deprecated %run_ldconfig with /sbin/ldconfig - update to 2.0.1: ( from Changes ) * Fixed bugs #1515266, 1515600: The character data handler's calling of XML_StopParser() was not handled properly; if the parser was stopped and the handler set to NULL, the parser would segfault. * Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed some character constants to be ASCII encoded. * Minor cleanups of the test harness. * Fixed xmlwf bug #1513566: "out of memory" error on file size zero. * Fixed outline.c bug #1543233: missing a final XML_ParserFree() call. * Fixes and improvements for Windows platform: bugs #1409451, #1476160, 1548182, 1602769, 1717322. * Build fixes for various platforms: HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180. All Unix: #1554618 (refreshed config.sub/config.guess). #1490371, #1613457: support both, DESTDIR and INSTALL_ROOT, without relying on GNU-Make specific features. #1647805: Patched configure.in to work better with Intel compiler. * Fixes to Makefile.in to have make check work correctly: bugs #1408143, #1535603, #1536684. * Added Open Watcom support: patch #1523242. - split libexpat1 and libexpat-devel subpackages [#260214] - strip .la file - converted neededforbuild to BuildRequires - fixed file list for debuginfo package (do not pack all of libdir) - update to 2.0.0 - update to 2.0 pre release - fixed filelist - update to 1.95.8 - Build as user - update to version 1.95.7 - in expat.h, declare enum XML_Status before using it; put into patch "...-header.diff" [bug #23742] - updated to version 1.95.6 - update to version 1.95.5 - update to version 1.95.4 - added parameter --target to configure - use %{_libdir} and %{_lib} - fix URL in spec file - update to version 1.95.2 - spec file cleanup - added DESTDIR - fixed links for soname of libexpat.so* - fixed soname of libexpat.so.1.2 - back on stable version 1.2 added build shared libexpat.so - update on 1.95.1 on sourgeforge needed for midgard - new description - Don't "install" symlinks; use "cp"; reported by bs; proposed fix by ro. - Cleanup the spec file: better Group tag; more accurate files list. - first SuSE package: version 1.1. - apply Debian patch to build shared libs. - build libexpat.a.
Pedro Monreal Gonzalez (pmonrealgonzalez)
accepted
request 536855
from
Pedro Monreal Gonzalez (pmonrealgonzalez)
(revision 63)
- Version update to 2.2.4 Sat Auguest 19 2017 * Bug fixes: #115 Fix copying of partial characters for UTF-8 input * Other changes: #109 Fix "make check" for non-x86 architectures that default to unsigned type char (-128..127 rather than 0..255) #109 coverage.sh: Cover -funsigned-char Autotools: Introduce --without-xmlwf argument #65 Autotools: Replace handwritten Makefile with GNU Automake #43 CMake: Auto-detect high quality entropy extractors, add new option USE_libbsd=ON to use arc4random_buf of libbsd #74 CMake: Add -fno-strict-aliasing only where supported #114 CMake: Always honor manually set BUILD_* options #114 CMake: Compile man page if docbook2x-man is available, only #117 Include file tests/xmltest.log.expected in source tarball (required for "make run-xmltest") #111 Fix some typos in documentation Version info bumped from 7:5:6 to 7:6:6 - Release 2.2.3 Wed August 2 2017 * Bug fixes: #85 Fix a dangling pointer issue related to realloc * Other changes: #91 Linux: Allow getrandom to fail if nonblocking pool has not yet been initialized and read /dev/urandom then, instead. This is in line with what recent Python does. #86 Check that a UTF-16 encoding in an XML declaration has the right endianness #4 #5 #7 Recover correctly when some reallocations fail Repair "./configure && make" for systems without any provider of high quality entropy
buildservice-autocommit
accepted
request 532443
from
Tomáš Chvátal (scarabeus_iv)
(revision 62)
baserev update by copy to link target
Tomáš Chvátal (scarabeus_iv)
accepted
request 532435
from
John Vandenberg (jayvdb)
(revision 61)
- Allow building when do_profiling is undefined
buildservice-autocommit
accepted
request 509586
from
Tomáš Chvátal (scarabeus_iv)
(revision 60)
baserev update by copy to link target
Tomáš Chvátal (scarabeus_iv)
accepted
request 509510
from
Martin Pluskal (pluskalm)
(revision 59)
- Build with profiling when possible
buildservice-autocommit
accepted
request 508187
from
Tomáš Chvátal (scarabeus_iv)
(revision 58)
baserev update by copy to link target
Tomáš Chvátal (scarabeus_iv)
accepted
request 508174
from
Marcus Meissner (msmeissn)
(revision 57)
- Version update to 2.2.1 Sat June 17 2017 - Security fixes: CVE-2017-9233 / bsc#1047236 -- External entity infinite loop DoS Details: https://libexpat.github.io/doc/cve-2017-9233/ Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f - [MOX-002] CVE-2016-9063 / bsc#1047240 -- Detect integer overflow; (Fixed version of existing downstream patches!) - (SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off longer tag names; #25 More integer overflow detection (function poolGrow); - [MOX-002] Detect overflow from len=INT_MAX call to XML_Parse; - [MOX-005] #30 Use high quality entropy for hash initialization: * arc4random_buf on BSD, systems with libbsd (when configured with --with-libbsd), CloudABI * RtlGenRandom on Windows XP / Server 2003 and later * getrandom on Linux 3.17+ In a way, that's still part of CVE-2016-5300. https://github.com/libexpat/libexpat/pull/30/commits - [MOX-005] For the low quality entropy extraction fallback code, the parser instance address can no longer leak, - [MOX-003] Prevent use of uninitialised variable; commit - [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b Add missing parameter validation to public API functions and dedicated error code XML_ERROR_INVALID_ARGUMENT: - [MOX-006] * NULL checks; commits * Negative length (XML_Parse); commit - [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f - [MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash to go further with fixing CVE-2012-0876. https://github.com/libexpat/libexpat/pull/39/commits
buildservice-autocommit
accepted
request 441164
from
Tomáš Chvátal (scarabeus_iv)
(revision 56)
baserev update by copy to link target
Displaying revisions 41 - 60 of 115