diff options
Diffstat (limited to 'contrib/expat/Changes')
-rw-r--r-- | contrib/expat/Changes | 642 |
1 files changed, 639 insertions, 3 deletions
diff --git a/contrib/expat/Changes b/contrib/expat/Changes index 340947118a3f..a7d4caf9ac81 100644 --- a/contrib/expat/Changes +++ b/contrib/expat/Changes @@ -2,7 +2,643 @@ NOTE: We are looking for help with a few things: https://github.com/libexpat/libexpat/labels/help%20wanted If you can help, please get in touch. Thanks! -Release 2.2.9 Wed Septemper 25 2019 +Release 2.6.0 Tue February 6 2024 + Security fixes: + #789 #814 CVE-2023-52425 -- Fix quadratic runtime issues with big tokens + that can cause denial of service, in partial where + dealing with compressed XML input. Applications + that parsed a document in one go -- a single call to + functions XML_Parse or XML_ParseBuffer -- were not affected. + The smaller the chunks/buffers you use for parsing + previously, the bigger the problem prior to the fix. + Backporters should be careful to no omit parts of + pull request #789 and to include earlier pull request #771, + in order to not break the fix. + #777 CVE-2023-52426 -- Fix billion laughs attacks for users + compiling *without* XML_DTD defined (which is not common). + Users with XML_DTD defined have been protected since + Expat >=2.4.0 (and that was CVE-2013-0340 back then). + + Bug fixes: + #753 Fix parse-size-dependent "invalid token" error for + external entities that start with a byte order mark + #780 Fix NULL pointer dereference in setContext via + XML_ExternalEntityParserCreate for compilation with + XML_DTD undefined + #812 #813 Protect against closing entities out of order + + Other changes: + #723 Improve support for arc4random/arc4random_buf + #771 #788 Improve buffer growth in XML_GetBuffer and XML_Parse + #761 #770 xmlwf: Support --help and --version + #759 #770 xmlwf: Support custom buffer size for XML_GetBuffer and read + #744 xmlwf: Improve language and URL clickability in help output + #673 examples: Add new example "element_declarations.c" + #764 Be stricter about macro XML_CONTEXT_BYTES at build time + #765 Make inclusion to expat_config.h consistent + #726 #727 Autotools: configure.ac: Support --disable-maintainer-mode + #678 #705 .. + #706 #733 #792 Autotools: Sync CMake templates with CMake 3.26 + #795 Autotools: Make installation of shipped man page doc/xmlwf.1 + independent of docbook2man availability + #815 Autotools|CMake: Add missing -DXML_STATIC to pkg-config file + section "Cflags.private" in order to fix compilation + against static libexpat using pkg-config on Windows + #724 #751 Autotools|CMake: Require a C99 compiler + (a de-facto requirement already since Expat 2.2.2 of 2017) + #793 Autotools|CMake: Fix PACKAGE_BUGREPORT variable + #750 #786 Autotools|CMake: Make test suite require a C++11 compiler + #749 CMake: Require CMake >=3.5.0 + #672 CMake: Lowercase off_t and size_t to help a bug in Meson + #746 CMake: Sort xmlwf sources alphabetically + #785 CMake|Windows: Fix generation of DLL file version info + #790 CMake: Build tests/benchmark/benchmark.c as well for + a build with -DEXPAT_BUILD_TESTS=ON + #745 #757 docs: Document the importance of isFinal + adjust tests + accordingly + #736 docs: Improve use of "NULL" and "null" + #713 docs: Be specific about version of XML (XML 1.0r4) + and version of C (C99); (XML 1.0r5 will need a sponsor.) + #762 docs: reference.html: Promote function XML_ParseBuffer more + #779 docs: reference.html: Add HTML anchors to XML_* macros + #760 docs: reference.html: Upgrade to OK.css 1.2.0 + #763 #739 docs: Fix typos + #696 docs|CI: Use HTTPS URLs instead of HTTP at various places + #669 #670 .. + #692 #703 .. + #733 #772 Address compiler warnings + #798 #800 Address clang-tidy warnings + #775 #776 Version info bumped from 9:10:8 (libexpat*.so.1.8.10) + to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/ + for what these numbers do + + Infrastructure: + #700 #701 docs: Document security policy in file SECURITY.md + #766 docs: Improve parse buffer variables in-code documentation + #674 #738 .. + #740 #747 .. + #748 #781 #782 Refactor coverage and conformance tests + #714 #716 Refactor debug level variables to unsigned long + #671 Improve handling of empty environment variable value + in function getDebugLevel (without visible user effect) + #755 #774 .. + #758 #783 .. + #784 #787 tests: Improve test coverage with regard to parse chunk size + #660 #797 #801 Fuzzing: Improve fuzzing coverage + #367 #799 Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests + #698 #721 CI: Resolve some Travis CI leftovers + #669 CI: Be robust towards absence of Git tags + #693 #694 CI: Set permissions to "contents: read" for security + #709 CI: Pin all GitHub Actions to specific commits for security + #739 CI: Reject spelling errors using codespell + #798 CI: Enforce clang-tidy clean code + #773 #808 .. + #809 #810 CI: Upgrade Clang from 15 to 18 + #796 CI: Start using Clang's Control Flow Integrity sanitizer + #675 #720 #722 CI: Adapt to breaking changes in GitHub Actions Ubuntu images + #689 CI: Adapt to breaking changes in Clang/LLVM Debian packaging + #763 CI: Adapt to breaking changes in codespell + #803 CI: Adapt to breaking changes in Cppcheck + + Special thanks to: + Ivan Galkin + Joyce Brum + Philippe Antoine + Rhodri James + Snild Dolkow + spookyahell + Steven Garske + and + Clang AddressSanitizer + Clang UndefinedBehaviorSanitizer + codespell + GCC Farm Project + OSS-Fuzz + Sony Mobile + +Release 2.5.0 Tue October 25 2022 + Security fixes: + #616 #649 #650 CVE-2022-43680 -- Fix heap use-after-free after overeager + destruction of a shared DTD in function + XML_ExternalEntityParserCreate in out-of-memory situations. + Expected impact is denial of service or potentially + arbitrary code execution. + + Bug fixes: + #612 #645 Fix corruption from undefined entities + #613 #654 Fix case when parsing was suspended while processing nested + entities + #616 #652 #653 Stop leaking opening tag bindings after a closing tag + mismatch error where a parser is reset through + XML_ParserReset and then reused to parse + #656 CMake: Fix generation of pkg-config file + #658 MinGW|CMake: Fix static library name + + Other changes: + #663 Protect header expat_config.h from multiple inclusion + #666 examples: Make use of XML_GetBuffer and be more + consistent across examples + #648 Address compiler warnings + #667 #668 Version info bumped from 9:9:8 to 9:10:8; + see https://verbump.de/ for what these numbers do + + Special thanks to: + Jann Horn + Mark Brand + Osyotr + Rhodri James + and + Google Project Zero + +Release 2.4.9 Tue September 20 2022 + Security fixes: + #629 #640 CVE-2022-40674 -- Heap use-after-free vulnerability in + function doContent. Expected impact is denial of service + or potentially arbitrary code execution. + + Bug fixes: + #634 MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0 + #614 docs: Fix documentation on effect of switch XML_DTD on + symbol visibility in doc/reference.html + + Other changes: + #638 MinGW: Make fix-xmltest-log.sh drop more Wine bug output + #596 #625 Autotools: Sync CMake templates with CMake 3.22 + #608 CMake: Migrate from use of CMAKE_*_POSTFIX to + dedicated variables EXPAT_*_POSTFIX to stop affecting + other projects + #597 #599 Windows|CMake: Add missing -DXML_STATIC to test runners + and fuzzers + #512 #621 Windows|CMake: Render .def file from a template to fix + linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON + #611 #621 MinGW|CMake: Apply MSVC .def file when linking + #622 #624 MinGW|CMake: Sync library name with GNU Autotools, + i.e. produce libexpat-1.dll rather than libexpat.dll + by default. Filename libexpat.dll.a is unaffected. + #632 MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in + toolchain file "cmake/mingw-toolchain.cmake" to avoid + error "windres: Command not found" on e.g. Ubuntu 20.04 + #597 #627 CMake: Unify inconsistent use of set() and option() in + context of public build time options to take need for + set(.. FORCE) in projects using Expat by means of + add_subdirectory(..) off Expat's users' shoulders + #626 #641 Stop exporting API symbols when building a static library + #644 Resolve use of deprecated "fgrep" by "grep -F" + #620 CMake: Make documentation on variables a bit more consistent + #636 CMake: Drop leading whitespace from a #cmakedefine line in + file expat_config.h.cmake + #594 xmlwf: Fix harmless variable mix-up in function nsattcmp + #592 #593 #610 Address Cppcheck warnings + #643 Address Clang 15 compiler warnings + #642 #644 Version info bumped from 9:8:8 to 9:9:8; + see https://verbump.de/ for what these numbers do + + Infrastructure: + #597 #598 CI: Windows: Start covering MSVC 2022 + #619 CI: macOS: Migrate off deprecated macOS 10.15 + #632 CI: Linux: Make migration off deprecated Ubuntu 18.04 work + #643 CI: Upgrade Clang from 14 to 15 + #637 apply-clang-format.sh: Add support for BSD find + #633 coverage.sh: Exclude MinGW headers + #635 coverage.sh: Fix name collision for -funsigned-char + + Special thanks to: + David Faure + Felix Wilhelm + Frank Bergmann + Rhodri James + Rosen Penev + Thijs Schreijer + Vincent Torri + and + Google Project Zero + +Release 2.4.8 Mon March 28 2022 + Other changes: + #587 pkg-config: Move "-lm" to section "Libs.private" + #587 CMake|MSVC: Fix pkg-config section "Libs" + #55 #582 CMake|macOS: Start using linker arguments + "-compatibility_version <version>" and + "-current_version <version>" in a way compatible with + GNU Libtool + #590 #591 Version info bumped from 9:7:8 to 9:8:8; + see https://verbump.de/ for what these numbers do + + Infrastructure: + #589 CI: Upgrade Clang from 13 to 14 + + Special thanks to: + evpobr + Kai Pastor + Sam James + +Release 2.4.7 Fri March 4 2022 + Bug fixes: + #572 #577 Relax fix to CVE-2022-25236 (introduced with release 2.4.5) + with regard to all valid URI characters (RFC 3986), + i.e. the following set (excluding whitespace): + ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz + 0123456789 % -._~ :/?#[]@ !$&'()*+,;= + + Other changes: + #555 #570 #581 CMake|Windows: Store Expat version in the DLL + #577 Document consequences of namespace separator choices not just + in doc/reference.html but also in header <expat.h> + #577 Document Expat's lack of validation of namespace URIs against + RFC 3986, and that the XML 1.0r4 specification doesn't + require Expat to validate namespace URIs, and that Expat + may do more in that regard in future releases. + If you find need for strict RFC 3986 URI validation on + application level today, https://uriparser.github.io/ may + be of interest. + #579 Fix documentation of XML_EndDoctypeDeclHandler in <expat.h> + #575 Document that a call to XML_FreeContentModel can be done at + a later time from outside the element declaration handler + #574 Make hardcoded namespace URIs easier to find in code + #573 Update documentation on use of XML_POOR_ENTOPY on Solaris + #569 #571 tests: Resolve use of macros NAN and INFINITY for GNU G++ + 4.8.2 on Solaris. + #578 #580 Version info bumped from 9:6:8 to 9:7:8; + see https://verbump.de/ for what these numbers do + + Special thanks to: + Jeffrey Walton + Johnny Jazeix + Thijs Schreijer + +Release 2.4.6 Sun February 20 2022 + Bug fixes: + #566 Fix a regression introduced by the fix for CVE-2022-25313 + in release 2.4.5 that affects applications that (1) + call function XML_SetElementDeclHandler and (2) are + parsing XML that contains nested element declarations + (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>"). + + Other changes: + #567 #568 Version info bumped from 9:5:8 to 9:6:8; + see https://verbump.de/ for what these numbers do + + Special thanks to: + Matt Sergeant + Samanta Navarro + Sergei Trofimovich + and + NixOS + Perl XML::Parser + +Release 2.4.5 Fri February 18 2022 + Security fixes: + #562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8 + sequences (e.g. from start tag names) to the XML + processing application on top of Expat can cause + arbitrary damage (e.g. code execution) depending + on how invalid UTF-8 is handled inside the XML + processor; validation was not their job but Expat's. + Exploits with code execution are known to exist. + #561 CVE-2022-25236 -- Passing (one or more) namespace separator + characters in "xmlns[:prefix]" attribute values + made Expat send malformed tag names to the XML + processor on top of Expat which can cause + arbitrary damage (e.g. code execution) depending + on such unexpectable cases are handled inside the XML + processor; validation was not their job but Expat's. + Exploits with code execution are known to exist. + #558 CVE-2022-25313 -- Fix stack exhaustion in doctype parsing + that could be triggered by e.g. a 2 megabytes + file with a large number of opening braces. + Expected impact is denial of service or potentially + arbitrary code execution. + #560 CVE-2022-25314 -- Fix integer overflow in function copyString; + only affects the encoding name parameter at parser creation + time which is often hardcoded (rather than user input), + takes a value in the gigabytes to trigger, and a 64-bit + machine. Expected impact is denial of service. + #559 CVE-2022-25315 -- Fix integer overflow in function storeRawNames; + needs input in the gigabytes and a 64-bit machine. + Expected impact is denial of service or potentially + arbitrary code execution. + + Other changes: + #557 #564 Version info bumped from 9:4:8 to 9:5:8; + see https://verbump.de/ for what these numbers do + + Special thanks to: + Ivan Fratric + Samanta Navarro + and + Google Project Zero + JetBrains + +Release 2.4.4 Sun January 30 2022 + Security fixes: + #550 CVE-2022-23852 -- Fix signed integer overflow + (undefined behavior) in function XML_GetBuffer + (that is also called by function XML_Parse internally) + for when XML_CONTEXT_BYTES is defined to >0 (which is both + common and default). + Impact is denial of service or more. + #551 CVE-2022-23990 -- Fix unsigned integer overflow in function + doProlog triggered by large content in element type + declarations when there is an element declaration handler + present (from a prior call to XML_SetElementDeclHandler). + Impact is denial of service or more. + + Bug fixes: + #544 #545 xmlwf: Fix a memory leak on output file opening error + + Other changes: + #546 Autotools: Fix broken CMake support under Cygwin + #554 Windows: Add missing files to the installer to fix + compilation with CMake from installed sources + #552 #554 Version info bumped from 9:3:8 to 9:4:8; + see https://verbump.de/ for what these numbers do + + Special thanks to: + Carlo Bramini + hwt0415 + Roland Illig + Samanta Navarro + and + Clang LeakSan and the Clang team + +Release 2.4.3 Sun January 16 2022 + Security fixes: + #531 #534 CVE-2021-45960 -- Fix issues with left shifts by >=29 places + resulting in + a) realloc acting as free + b) realloc allocating too few bytes + c) undefined behavior + depending on architecture and precise value + for XML documents with >=2^27+1 prefixed attributes + on a single XML tag a la + "<r xmlns:a='[..]' a:a123='[..]' [..] />" + where XML_ParserCreateNS is used to create the parser + (which needs argument "-n" when running xmlwf). + Impact is denial of service, or more. + #532 #538 CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow + on variable m_groupSize in function doProlog leading + to realloc acting as free. + Impact is denial of service or more. + #539 CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows + near memory allocation at multiple places. Mitre assigned + a dedicated CVE for each involved internal C function: + - CVE-2022-22822 for function addBinding + - CVE-2022-22823 for function build_model + - CVE-2022-22824 for function defineAttribute + - CVE-2022-22825 for function lookup + - CVE-2022-22826 for function nextScaffoldPart + - CVE-2022-22827 for function storeAtts + Impact is denial of service or more. + + Other changes: + #535 CMake: Make call to file(GENERATE [..]) work for CMake <3.19 + #541 Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin + and MSYS2 by not going through Wine on these platforms + #527 #528 Address compiler warnings + #533 #543 Version info bumped from 9:2:8 to 9:3:8; + see https://verbump.de/ for what these numbers do + + Infrastructure: + #536 CI: Check for realistic minimum CMake version + #529 #539 CI: Cover compilation with -m32 + #529 CI: Store coverage reports as artifacts for download + #528 CI: Upgrade Clang from 11 to 13 + + Special thanks to: + An anonymous whitehat + Christopher Degawa + J. Peter Mugaas + Tyson Smith + and + GCC Farm Project + Trend Micro Zero Day Initiative + +Release 2.4.2 Sun December 19 2021 + Other changes: + #509 #510 Link againgst libm for function "isnan" + #513 #514 Include expat_config.h as early as possible + #498 Autotools: Include files with release archives: + - buildconf.sh + - fuzz/*.c + #507 #519 Autotools: Sync CMake templates with CMake 3.20 + #495 #524 CMake: MinGW: Fix pkg-config section "Libs" for + - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug) + - multi-config CMake generators (e.g. Ninja Multi-Config) + #502 #503 docs: Document that function XML_GetBuffer may return NULL + when asking for a buffer of 0 (zero) bytes size + #522 #523 docs: Fix return value docs for both + XML_SetBillionLaughsAttackProtection* functions + #525 #526 Version info bumped from 9:1:8 to 9:2:8; + see https://verbump.de/ for what these numbers do + + Special thanks to: + Donghee Na + Joergen Ibsen + Kai Pastor + +Release 2.4.1 Sun May 23 2021 + Bug fixes: + #488 #490 Autotools: Fix installed header expat_config.h for multilib + systems; regression introduced in 2.4.0 by pull request #486 + + Other changes: + #491 #492 Version info bumped from 9:0:8 to 9:1:8; + see https://verbump.de/ for what these numbers do + + Special thanks to: + Gentoo's QA check "multilib_check_headers" + +Release 2.4.0 Sun May 23 2021 + Security fixes: + #34 #466 #484 CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks + (denial-of-service; flavors targeting CPU time or RAM or both, + leveraging general entities or parameter entities or both) + by tracking and limiting the input amplification factor + (<amplification> := (<direct> + <indirect>) / <direct>). + By conservative default, amplification up to a factor of 100.0 + is tolerated and rejection only starts after 8 MiB of output bytes + (=<direct> + <indirect>) have been processed. + The fix adds the following to the API: + - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to + signals this specific condition. + - Two new API functions .. + - XML_SetBillionLaughsAttackProtectionMaximumAmplification and + - XML_SetBillionLaughsAttackProtectionActivationThreshold + .. to further tighten billion laughs protection parameters + when desired. Please see file "doc/reference.html" for details. + If you ever need to increase the defaults for non-attack XML + payload, please file a bug report with libexpat. + - Two new XML_FEATURE_* constants .. + - that can be queried using the XML_GetFeatureList function, and + - that are shown in "xmlwf -v" output. + - Two new environment variable switches .. + - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and + - EXPAT_ENTITY_DEBUG=(0|1) + .. for runtime debugging of accounting and entity processing. + Specific behavior of these values may change in the future. + - Two new command line arguments "-a FACTOR" and "-b BYTES" + for xmlwf to further tighten billion laughs protection + parameters when desired. + If you ever need to increase the defaults for non-attack XML + payload, please file a bug report with libexpat. + + Bug fixes: + #332 #470 For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake) + or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault + for UTF-16 payloads containing CDATA sections. + #485 #486 Autotools: Fix generated CMake files for non-64bit and + non-Linux platforms (e.g. macOS and MinGW in particular) + that were introduced with release 2.3.0 + + Other changes: + #468 #469 xmlwf: Improve help output and the xmlwf man page + #463 xmlwf: Improve maintainability through some refactoring + #477 xmlwf: Fix man page DocBook validity + #456 Autotools: Sync CMake templates with CMake 3.18 + #458 #459 CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR + and CMAKE_INSTALL_INCLUDEDIR + #471 #481 CMake: Add support for standard variable BUILD_SHARED_LIBS + #457 Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters + #467 Resolve macro HAVE_EXPAT_CONFIG_H + #472 Delete unused legacy helper file "conftools/PrintPath" + #473 #483 Improve attribution + #464 #465 #477 doc/reference.html: Fix XHTML validity + #475 #478 doc/reference.html: Replace the 90s look by OK.css + #479 Version info bumped from 8:0:7 to 9:0:8 + due to addition of new symbols and error codes; + see https://verbump.de/ for what these numbers do + + Infrastructure: + #456 CI: Enable periodic runs + #457 CI: Start covering the list of exported symbols + #474 CI: Isolate coverage task + #476 #482 CI: Adapt to breaking changes in image "ubuntu-18.04" + #477 CI: Cover well-formedness and DocBook/XHTML validity + of doc/reference.html and doc/xmlwf.xml + + Special thanks to: + Dimitry Andric + Eero Helenius + Nick Wellnhofer + Rhodri James + Tomas Korbar + Yury Gribov + and + Clang LeakSan + JetBrains + OSS-Fuzz + +Release 2.3.0 Thu March 25 2021 + Bug fixes: + #438 When calling XML_ParseBuffer without a prior successful call to + XML_GetBuffer as a user, no longer trigger undefined behavior + (by adding an integer to a NULL pointer) but rather return + XML_STATUS_ERROR and set the error code to (new) code + XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer) + of Clang 11 (but not Clang 9). + #444 xmlwf: Exit status 2 was used for both: + - malformed input files (documented) and + - invalid command-line arguments (undocumented). + The case of invalid command-line arguments now + has its own exit status 4, resolving the ambiguity. + + Other changes: + #439 xmlwf: Add argument -k to allow continuing after + non-fatal errors + #439 xmlwf: Add section about exit status to the -h help output + #422 #426 #447 Windows: Drop support for Visual Studio <=14.0/2015 + #434 Windows: CMake: Detect unsupported Visual Studio at + configure time (rather than at compile time) + #382 #428 testrunner: Make verbose mode (argument "-v") report + about passed tests, and make default mode report about + failures, as well. + #442 CMake: Call "enable_language(CXX)" prior to tinkering + with CMAKE_CXX_* variables + #448 Document use of libexpat from a CMake-based project + #451 Autotools: Install CMake files as generated by CMake 3.19.6 + so that users with "find_package(expat [..] CONFIG [..])" + are served on distributions that are *not* using the CMake + build system inside for libexpat packaging + #436 #437 Autotools: Drop obsolescent macro AC_HEADER_STDC + #450 #452 Autotools: Resolve use of obsolete macro AC_CONFIG_HEADER + #441 Address compiler warnings + #443 Version info bumped from 7:12:6 to 8:0:7 + due to addition of error code XML_ERROR_NO_BUFFER + (see https://verbump.de/ for what these numbers do) + + Infrastructure: + #435 #446 Replace Travis CI by GitHub Actions + + Special thanks to: + Alexander Richardson + Oleksandr Popovych + Thomas Beutlich + Tim Bray + and + Clang LeakSan, Clang 11 UBSan and the Clang team + +Release 2.2.10 Sat October 3 2020 + Bug fixes: + #390 #395 #398 Fix undefined behavior during parsing caused by + pointer arithmetic with NULL pointers + #404 #405 Fix reading uninitialized variable during parsing + #406 xmlwf: Add missing check for malloc NULL return + + Other changes: + #396 Windows: Drop support for Visual Studio <=8.0/2005 + #409 Windows: Add missing file "Changes" to the installer + to fix compilation with CMake from installed sources + #403 xmlwf: Document exit codes in xmlwf manpage and + exit with code 3 (rather than code 1) for output errors + when used with "-d DIRECTORY" + #356 #359 MinGW: Provide declaration of rand_s for mingwrt <5.3.0 + #383 #392 Autotools: Use -Werror while configure tests the compiler + for supported compile flags to avoid false positives + #383 #393 #394 Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS, + e.g. ensure that they have the last word over flags added + while running ./configure + #360 CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis + on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t) + #360 CMake: Detect and deny unsupported build combinations + involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t) + #360 CMake: Install pre-compiled shipped xmlwf.1 manpage in case + of -DEXPAT_BUILD_DOCS=OFF + #375 #380 #419 CMake: Fix use of Expat by means of add_subdirectory + #407 #408 CMake: Keep expat target name constant at "expat" + (i.e. refrain from using the target name to control + build artifact filenames) + #385 CMake: Fix compilation with -DEXPAT_SHARED_LIBS=OFF for + Windows + CMake: Expose man page compilation as target "xmlwf-manpage" + #413 #414 CMake: Introduce option EXPAT_BUILD_PKGCONFIG + to control generation of pkg-config file "expat.pc" + #424 CMake: Add minimalistic support for building binary packages + with CMake target "package"; based on CPack + #366 CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with + default OFF to build fuzzer code against OSS-Fuzz and + related environment variable LIB_FUZZING_ENGINE + #354 Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF, each + #354 #355 .. + #356 #412 Address compiler warnings + #368 #369 Address pngcheck warnings with doc/*.png images + #425 Version info bumped from 7:11:6 to 7:12:6 + + Special thanks to: + asavah + Ben Wagner + Bhargava Shastry + Frank Landgraf + Jeffrey Walton + Joe Orton + Kleber Tarcísio + Ma Lin + Maciej Sroczyński + Mohammed Khajapasha + Vadim Zeitlin + and + Cppcheck 2.0 and the Cppcheck team + +Release 2.2.9 Wed September 25 2019 Other changes: examples: Drop executable bits from elements.c #349 Windows: Change the name of the Windows DLLs from expat*.dll @@ -17,7 +653,7 @@ Release 2.2.9 Wed Septemper 25 2019 Special thanks to: Ben Wagner -Release 2.2.8 Fri Septemper 13 2019 +Release 2.2.8 Fri September 13 2019 Security fixes: #317 #318 CVE-2019-15903 -- Fix heap overflow triggered by XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber), @@ -115,10 +751,10 @@ Release 2.2.8 Fri Septemper 13 2019 Special thanks to: David Loffredo Joonun Jang - Khajapasha Mohammed Kishore Kunche Marco Maggi Mitch Phillips + Mohammed Khajapasha Rolf Ade xantares Zhongyuan Zhou |