Revisions of expat

Ana Guerrero (anag+factory) accepted request 1223742 from Petr Gajdos (pgajdos) (revision 79)
- no source changes, just adding jira reference: jsc#SLE-21253
Ana Guerrero (anag+factory) accepted request 1222170 from Petr Gajdos (pgajdos) (revision 78)
- version update to 2.6.4 
  * Security fixes: [bsc#1232601]
        #915  CVE-2024-50602 -- Fix crash within function XML_ResumeParser
                from a NULL pointer dereference by disallowing function
                XML_StopParser to (stop or) suspend an unstarted parser.
                A new error code XML_ERROR_NOT_STARTED was introduced to
                properly communicate this situation.  // CWE-476 CWE-754
  * Other changes:
        #903  CMake: Add alias target "expat::expat"
        #905  docs: Document use via CMake >=3.18 with FetchContent
                and SOURCE_SUBDIR and its consequences
        #902  tests: Reduce use of global parser instance
        #904  tests: Resolve duplicate handler
   #317 #918  tests: Improve tests on doctype closing (ex CVE-2019-15903)
        #914  Fix signedness of format strings
   #919 #920  Version info bumped from 10:3:9 (libexpat*.so.1.9.3)
                to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/
                for what these numbers do (forwarded request 1222166 from pgajdos)
Ana Guerrero (anag+factory) accepted request 1203777 from Petr Gajdos (pgajdos) (revision 77)
- updated keyring [https://build.suse.de/request/show/345282]
- modified sources
  % expat.keyring
Dominique Leuenberger (dimstar_suse) accepted request 956337 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 66)
- update to 2.4.6 (bsc#1196168, CVE-2022-25313):
  * Bug fixes:
    - Fix a regression introduced by the fix for CVE-2022-25313
      in release 2.4.5 that affects applications that (1)
      call function XML_SetElementDeclHandler and (2) are
      parsing XML that contains nested element declarations
      (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>").
    - Version info bumped from 9:5:8 to 9:6:8;
      see https://verbump.de/ for what these numbers do.

- update to 2.4.5 (bsc#1196171, bsc#1196169, bsc#1196168, 
  bsc#1196026, bsc#1196025):
    * Security fixes:
      - CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
        sequences (e.g. from start tag names) to the XML
        processing application on top of Expat can cause
        arbitrary damage (e.g. code execution) depending
        on how invalid UTF-8 is handled inside the XML
        processor; validation was not their job but Expat's.
        Exploits with code execution are known to exist.
      - CVE-2022-25236 -- Passing (one or more) namespace separator
        characters in "xmlns[:prefix]" attribute values
        made Expat send malformed tag names to the XML
        processor on top of Expat which can cause
        arbitrary damage (e.g. code execution) depending
        on how such unexpectable cases are handled inside the XML
        processor; validation was not their job but Expat's.
        Exploits with code execution are known to exist.
      - CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
        that could be triggered by e.g. a 2 megabytes