Diffstat (limited to 'contrib/expat/Changes')
-rw-r--r--  contrib/expat/Changes  135
1 files changed, 133 insertions, 2 deletions
diff --git a/contrib/expat/Changes b/contrib/expat/Changes index 9d6c64b6a460..01e54b676416 100644 --- a/contrib/expat/Changes +++ b/contrib/expat/Changes @@ -15,12 +15,16 @@ !! ClusterFuzz findings with few-days-max response times in communication !! !! in order to (1) have a sound fix ready before the end of a 90 days !! !! grace period and (2) in a sustainable manner, !! -!! - helping CPython Expat bindings with supporting Expat's billion laughs !! +!! - helping CPython Expat bindings with supporting Expat's amplification !! !! attack protection API (https://github.com/python/cpython/issues/90949): !! +!! - XML_SetAllocTrackerActivationThreshold !! +!! - XML_SetAllocTrackerMaximumAmplification !! !! - XML_SetBillionLaughsAttackProtectionActivationThreshold !! !! - XML_SetBillionLaughsAttackProtectionMaximumAmplification !! !! - helping Perl's XML::Parser Expat bindings with supporting Expat's !! !! security API (https://github.com/cpan-authors/XML-Parser/issues/102): !! +!! - XML_SetAllocTrackerActivationThreshold !! +!! - XML_SetAllocTrackerMaximumAmplification !! !! - XML_SetBillionLaughsAttackProtectionActivationThreshold !! !! - XML_SetBillionLaughsAttackProtectionMaximumAmplification !! !! - XML_SetReparseDeferralEnabled !! 
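Review bot: the bindings section now lists XML_SetAllocTrackerActivationThreshold and XML_SetAllocTrackerMaximumAmplification (for both the CPython and the Perl XML::Parser items) as part of the renamed "amplification attack protection API", and those two setters only exist from Expat 2.7.2 on according to the release entry further down; since this view is limited to contrib/expat/Changes, confirm that the same import brings the matching expat.h and library sources for 2.7.3 into contrib/expat, otherwise the vendored change log advertises an API the tree does not ship. The rename from "billion laughs" to "amplification" reads consistently with the lists, which keep the XML_SetBillionLaughsAttackProtection* entries and, for Perl, XML_SetReparseDeferralEnabled.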
@@ -37,6 +41,133 @@ !! THANK YOU! Sebastian Pipping -- Berlin, 2024-03-09 !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +Release 2.7.3 Wed September 24 2025 + Security fixes: + #1046 #1048 Fix alignment of internal allocations for some non-amd64 + architectures (e.g. sparc32); fixes up on the fix to + CVE-2025-59375 from #1034 (of Expat 2.7.2 and related + backports) + #1059 Fix a class of false positives where input should have been + rejected with error XML_ERROR_ASYNC_ENTITY; regression from + CVE-2024-8176 fix pull request #973 (of Expat 2.7.0 and + related backports). Please check the added unit tests for + example documents. + + Other changes: + #1043 Prove and regression-proof absence of integer overflow + from function expat_realloc + #1062 Remove "harmless" cast that truncated a size_t to unsigned + #1049 Autotools: Remove "ln -s" discovery + #1054 docs: Be consistent with use of floating point around + XML_SetAllocTrackerMaximumAmplification + #1056 docs: Make it explicit that XML_GetCurrentColumnNumber + starts at 0 + #1057 docs: Better integrate the effect of the activation + thresholds + #1058 docs: Fix an in-comment typo in expat.h + #1045 docs: Fix a typo in README.md + #1041 docs: Improve change log of release 2.7.2 + #1053 xmlwf: Resolve use of functions XML_GetErrorLineNumber + and XML_GetErrorColumnNumber + #1032 Windows: Normalize .bat files to CRLF line endings + #1060 #1061 Version info bumped from 12:0:11 (libexpat*.so.1.11.0) + to 12:1:11 (libexpat*.so.1.11.1); see https://verbump.de/ + for what these numbers do + + Infrastructure: + #1047 #1050 CI: Cleanup UndefinedBehaviorSanitizer fatality + #1044 CI|Linux: Stop aborting at first job failure + #1052 CI|FreeBSD: Upgrade to FreeBSD 15.0 + #1039 CI|FreeBSD: Do not install CMake meta-package + + Special thanks to: + Bénédikt Tran + Berkay Eren Ürün + Daniel Engberg + Hanno Böck + Matthew Fernandez + Rolf Eike Beer + Sam James + Tim Bray + and + Clang/GCC 
UndefinedBehaviorSanitizer + OSS-Fuzz / ClusterFuzz + Z3 Theorem Prover + +Release 2.7.2 Tue September 16 2025 + Security fixes: + #1018 #1034 CVE-2025-59375 -- Disallow use of disproportional amounts of + dynamic memory from within an Expat parser (e.g. previously + a ~250 KiB sized document was able to cause allocation of + ~800 MiB from the heap, i.e. an "amplification" of factor + ~3,300); once a threshold (that defaults to 64 MiB) is + reached, a maximum amplification factor (that defaults to + 100.0) is enforced, and violating documents are rejected + with an out-of-memory error. + There are two new API functions to fine-tune this new + behavior: + - XML_SetAllocTrackerActivationThreshold + - XML_SetAllocTrackerMaximumAmplification . + If you ever need to increase these defaults for non-attack + XML payload, please file a bug report with libexpat. + There is also a new environment variable + EXPAT_MALLOC_DEBUG=(0|1|2) to control the verbosity + of allocations debugging at runtime, disabled by default. + Known impact is (reliable and easy) denial of service: + CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C + (Base Score: 7.5, Temporal Score: 7.2) + Please note that a layer of compression around XML can + significantly reduce the minimum attack payload size. + Distributors intending to backport (or cherry-pick) the + fix need to copy 99% of the related pull request, not just + the "lib: Implement tracking of dynamic memory allocations" + commit, to not end up with a state that literally does both + too much and too little at the same time. Appending ".diff" + to the pull request URL could be of help. 
+ + Other changes: + #1008 #1017 Autotools|macOS: Sync CMake templates with CMake 3.31 + #1007 CMake: Drop support for CMake <3.15 + #1004 CMake: Fix off_t detection for -Werror + #1007 CMake|Windows: Fix -DEXPAT_MSVC_STATIC_CRT=ON + #1013 Windows: Drop support for Visual Studio <=16.0/2019 + #1026 xmlwf: Mention supported environment variables in + --help output + #1024 xmlwf: Fix (internal) help generator + #1034 docs: Promote the contract to call function + XML_FreeContentModel when registering a custom + element declaration handler (via a call to function + XML_SetElementDeclHandler) + #1027 docs: Add missing <p>..</p> wrap + #994 docs: Drop AppVeyor badge + #1000 tests: Fix portable_strndup + #1036 Drop casts around malloc/free/realloc that C99 does not need + #1010 Replace empty for loops with while loops + #1011 Add const with internal XmlInitUnknownEncodingNS + #14 #1037 Drop an OpenVMS support leftover + #999 #1001 Address more clang-tidy warnings + #1030 #1038 Version info bumped from 11:2:10 (libexpat*.so.1.10.2) + to 12:0:11 (libexpat*.so.1.11.0); see https://verbump.de/ + for what these numbers do + + Infrastructure: + #1003 CI: Cover compilation on FreeBSD + #1009 #1035 CI: Upgrade Clang from 19 to 21 + #1031 CI: Make calling Cppcheck without --suppress=objectIndex + and --suppress=unknownMacro possible + #1013 CI|Windows: Get off of deprecated image "windows-2019" + #1008 #1017 .. + #1023 #1025 CI: Adapt to breaking changes in GitHub Actions + + Special thanks to: + Alexander Bluhm + Neil Pang + Theo Buehler + and + GNU Time + OSS-Fuzz / ClusterFuzz + Perl XML::Parser + Release 2.7.1 Thu March 27 2025 Bug fixes: #980 #989 Restore event pointer behavior from Expat 2.6.4 
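Review bot: the 2.7.2 entry for CVE-2025-59375 (#1018 #1034) states that backports must carry essentially the whole pull request, and the 2.7.3 entry records a follow-up (#1046 #1048) fixing alignment of internal allocations on non-amd64 architectures such as sparc32 that the CVE fix introduced, plus #1059 for a class of false XML_ERROR_ASYNC_ENTITY rejections; a tree built for several architectures should therefore take 2.7.3 as a unit rather than 2.7.2 plus cherry-picks, so confirm the imported sources match 2.7.3. Two documentation points in the same hunk: the 2.7.2 Infrastructure list contains an entry that reads only "#1008 #1017 .." with no description, which should be checked against upstream's Changes before a truncated line is committed, and the version info bumps recorded here (11:2:10 to 12:0:11 to 12:1:11) mark a new interface, so any symbol or version map this tree maintains for the library needs the two XML_SetAllocTracker* exports added. Also worth noting for consumers in this tree: documents that exceed the 64 MiB threshold and the 100.0 amplification factor are now rejected with an out-of-memory error, and the entry asks that legitimate cases be reported to libexpat rather than having the defaults raised locally.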
@@ -54,7 +185,7 @@ Release 2.7.1 Thu March 27 2025 #983 #984 Fix printf format specifiers for 32bit Emscripten #992 docs: Promote OpenSSF Best Practices self-certification #978 tests/benchmark: Resolve mistaken double close - #986 Address compiler warnings + #986 Address Frama-C warnings #990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do |
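Review bot: the change from "#986 Address compiler warnings" to "#986 Address Frama-C warnings" rewrites the already-released 2.7.1 entry; that is the kind of retroactive change-log correction upstream makes itself (compare "#1041 docs: Improve change log of release 2.7.2" in the 2.7.3 entry), so it is fine provided the vendored file stays identical to upstream's Changes, and it should be verified against upstream rather than edited by hand in contrib/.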