Diffstat (limited to 'contrib/expat/Changes')
-rw-r--r-- | contrib/expat/Changes | 235 |
1 files changed, 233 insertions, 2 deletions
diff --git a/contrib/expat/Changes b/contrib/expat/Changes index 95f697b39a48..a7d4caf9ac81 100644 --- a/contrib/expat/Changes +++ b/contrib/expat/Changes 
@@ -2,6 +2,236 @@ NOTE: We are looking for help with a few things: https://github.com/libexpat/libexpat/labels/help%20wanted If you can help, please get in touch. Thanks! +Release 2.6.0 Tue February 6 2024 + Security fixes: + #789 #814 CVE-2023-52425 -- Fix quadratic runtime issues with big tokens + that can cause denial of service, in partial where + dealing with compressed XML input. Applications + that parsed a document in one go -- a single call to + functions XML_Parse or XML_ParseBuffer -- were not affected. + The smaller the chunks/buffers you use for parsing + previously, the bigger the problem prior to the fix. + Backporters should be careful to no omit parts of + pull request #789 and to include earlier pull request #771, + in order to not break the fix. + #777 CVE-2023-52426 -- Fix billion laughs attacks for users + compiling *without* XML_DTD defined (which is not common). + Users with XML_DTD defined have been protected since + Expat >=2.4.0 (and that was CVE-2013-0340 back then). + + Bug fixes: + #753 Fix parse-size-dependent "invalid token" error for + external entities that start with a byte order mark + #780 Fix NULL pointer dereference in setContext via + XML_ExternalEntityParserCreate for compilation with + XML_DTD undefined + #812 #813 Protect against closing entities out of order + + Other changes: + #723 Improve support for arc4random/arc4random_buf + #771 #788 Improve buffer growth in XML_GetBuffer and XML_Parse + #761 #770 xmlwf: Support --help and --version + #759 #770 xmlwf: Support custom buffer size for XML_GetBuffer and read + #744 xmlwf: Improve language and URL clickability in help output + #673 examples: Add new example "element_declarations.c" + #764 Be stricter about macro XML_CONTEXT_BYTES at build time + #765 Make inclusion to expat_config.h consistent + #726 #727 Autotools: configure.ac: Support --disable-maintainer-mode + #678 #705 .. 
+ #706 #733 #792 Autotools: Sync CMake templates with CMake 3.26 + #795 Autotools: Make installation of shipped man page doc/xmlwf.1 + independent of docbook2man availability + #815 Autotools|CMake: Add missing -DXML_STATIC to pkg-config file + section "Cflags.private" in order to fix compilation + against static libexpat using pkg-config on Windows + #724 #751 Autotools|CMake: Require a C99 compiler + (a de-facto requirement already since Expat 2.2.2 of 2017) + #793 Autotools|CMake: Fix PACKAGE_BUGREPORT variable + #750 #786 Autotools|CMake: Make test suite require a C++11 compiler + #749 CMake: Require CMake >=3.5.0 + #672 CMake: Lowercase off_t and size_t to help a bug in Meson + #746 CMake: Sort xmlwf sources alphabetically + #785 CMake|Windows: Fix generation of DLL file version info + #790 CMake: Build tests/benchmark/benchmark.c as well for + a build with -DEXPAT_BUILD_TESTS=ON + #745 #757 docs: Document the importance of isFinal + adjust tests + accordingly + #736 docs: Improve use of "NULL" and "null" + #713 docs: Be specific about version of XML (XML 1.0r4) + and version of C (C99); (XML 1.0r5 will need a sponsor.) + #762 docs: reference.html: Promote function XML_ParseBuffer more + #779 docs: reference.html: Add HTML anchors to XML_* macros + #760 docs: reference.html: Upgrade to OK.css 1.2.0 + #763 #739 docs: Fix typos + #696 docs|CI: Use HTTPS URLs instead of HTTP at various places + #669 #670 .. + #692 #703 .. + #733 #772 Address compiler warnings + #798 #800 Address clang-tidy warnings + #775 #776 Version info bumped from 9:10:8 (libexpat*.so.1.8.10) + to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/ + for what these numbers do + + Infrastructure: + #700 #701 docs: Document security policy in file SECURITY.md + #766 docs: Improve parse buffer variables in-code documentation + #674 #738 .. + #740 #747 .. 
+ #748 #781 #782 Refactor coverage and conformance tests + #714 #716 Refactor debug level variables to unsigned long + #671 Improve handling of empty environment variable value + in function getDebugLevel (without visible user effect) + #755 #774 .. + #758 #783 .. + #784 #787 tests: Improve test coverage with regard to parse chunk size + #660 #797 #801 Fuzzing: Improve fuzzing coverage + #367 #799 Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests + #698 #721 CI: Resolve some Travis CI leftovers + #669 CI: Be robust towards absence of Git tags + #693 #694 CI: Set permissions to "contents: read" for security + #709 CI: Pin all GitHub Actions to specific commits for security + #739 CI: Reject spelling errors using codespell + #798 CI: Enforce clang-tidy clean code + #773 #808 .. + #809 #810 CI: Upgrade Clang from 15 to 18 + #796 CI: Start using Clang's Control Flow Integrity sanitizer + #675 #720 #722 CI: Adapt to breaking changes in GitHub Actions Ubuntu images + #689 CI: Adapt to breaking changes in Clang/LLVM Debian packaging + #763 CI: Adapt to breaking changes in codespell + #803 CI: Adapt to breaking changes in Cppcheck + + Special thanks to: + Ivan Galkin + Joyce Brum + Philippe Antoine + Rhodri James + Snild Dolkow + spookyahell + Steven Garske + and + Clang AddressSanitizer + Clang UndefinedBehaviorSanitizer + codespell + GCC Farm Project + OSS-Fuzz + Sony Mobile + +Release 2.5.0 Tue October 25 2022 + Security fixes: + #616 #649 #650 CVE-2022-43680 -- Fix heap use-after-free after overeager + destruction of a shared DTD in function + XML_ExternalEntityParserCreate in out-of-memory situations. + Expected impact is denial of service or potentially + arbitrary code execution. 
+ + Bug fixes: + #612 #645 Fix corruption from undefined entities + #613 #654 Fix case when parsing was suspended while processing nested + entities + #616 #652 #653 Stop leaking opening tag bindings after a closing tag + mismatch error where a parser is reset through + XML_ParserReset and then reused to parse + #656 CMake: Fix generation of pkg-config file + #658 MinGW|CMake: Fix static library name + + Other changes: + #663 Protect header expat_config.h from multiple inclusion + #666 examples: Make use of XML_GetBuffer and be more + consistent across examples + #648 Address compiler warnings + #667 #668 Version info bumped from 9:9:8 to 9:10:8; + see https://verbump.de/ for what these numbers do + + Special thanks to: + Jann Horn + Mark Brand + Osyotr + Rhodri James + and + Google Project Zero + +Release 2.4.9 Tue September 20 2022 + Security fixes: + #629 #640 CVE-2022-40674 -- Heap use-after-free vulnerability in + function doContent. Expected impact is denial of service + or potentially arbitrary code execution. + + Bug fixes: + #634 MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0 + #614 docs: Fix documentation on effect of switch XML_DTD on + symbol visibility in doc/reference.html + + Other changes: + #638 MinGW: Make fix-xmltest-log.sh drop more Wine bug output + #596 #625 Autotools: Sync CMake templates with CMake 3.22 + #608 CMake: Migrate from use of CMAKE_*_POSTFIX to + dedicated variables EXPAT_*_POSTFIX to stop affecting + other projects + #597 #599 Windows|CMake: Add missing -DXML_STATIC to test runners + and fuzzers + #512 #621 Windows|CMake: Render .def file from a template to fix + linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON + #611 #621 MinGW|CMake: Apply MSVC .def file when linking + #622 #624 MinGW|CMake: Sync library name with GNU Autotools, + i.e. produce libexpat-1.dll rather than libexpat.dll + by default. Filename libexpat.dll.a is unaffected. 
+ #632 MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in + toolchain file "cmake/mingw-toolchain.cmake" to avoid + error "windres: Command not found" on e.g. Ubuntu 20.04 + #597 #627 CMake: Unify inconsistent use of set() and option() in + context of public build time options to take need for + set(.. FORCE) in projects using Expat by means of + add_subdirectory(..) off Expat's users' shoulders + #626 #641 Stop exporting API symbols when building a static library + #644 Resolve use of deprecated "fgrep" by "grep -F" + #620 CMake: Make documentation on variables a bit more consistent + #636 CMake: Drop leading whitespace from a #cmakedefine line in + file expat_config.h.cmake + #594 xmlwf: Fix harmless variable mix-up in function nsattcmp + #592 #593 #610 Address Cppcheck warnings + #643 Address Clang 15 compiler warnings + #642 #644 Version info bumped from 9:8:8 to 9:9:8; + see https://verbump.de/ for what these numbers do + + Infrastructure: + #597 #598 CI: Windows: Start covering MSVC 2022 + #619 CI: macOS: Migrate off deprecated macOS 10.15 + #632 CI: Linux: Make migration off deprecated Ubuntu 18.04 work + #643 CI: Upgrade Clang from 14 to 15 + #637 apply-clang-format.sh: Add support for BSD find + #633 coverage.sh: Exclude MinGW headers + #635 coverage.sh: Fix name collision for -funsigned-char + + Special thanks to: + David Faure + Felix Wilhelm + Frank Bergmann + Rhodri James + Rosen Penev + Thijs Schreijer + Vincent Torri + and + Google Project Zero + +Release 2.4.8 Mon March 28 2022 + Other changes: + #587 pkg-config: Move "-lm" to section "Libs.private" + #587 CMake|MSVC: Fix pkg-config section "Libs" + #55 #582 CMake|macOS: Start using linker arguments + "-compatibility_version <version>" and + "-current_version <version>" in a way compatible with + GNU Libtool + #590 #591 Version info bumped from 9:7:8 to 9:8:8; + see https://verbump.de/ for what these numbers do + + Infrastructure: + #589 CI: Upgrade Clang from 13 to 14 + + Special thanks to: + 
evpobr + Kai Pastor + Sam James + Release 2.4.7 Fri March 4 2022 Bug fixes: #572 #577 Relax fix to CVE-2022-25236 (introduced with release 2.4.5) @@ -190,7 +420,7 @@ Release 2.4.2 Sun December 19 2021 #498 Autotools: Include files with release archives: - buildconf.sh - fuzz/*.c - #507 #519 Autotools: Sync CMake templates + #507 #519 Autotools: Sync CMake templates with CMake 3.20 #495 #524 CMake: MinGW: Fix pkg-config section "Libs" for - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug) - multi-config CMake generators (e.g. Ninja Multi-Config) @@ -202,7 +432,7 @@ Release 2.4.2 Sun December 19 2021 see https://verbump.de/ for what these numbers do Special thanks to: - Dong-hee Na + Donghee Na Joergen Ibsen Kai Pastor @@ -264,6 +494,7 @@ Release 2.4.0 Sun May 23 2021 #468 #469 xmlwf: Improve help output and the xmlwf man page #463 xmlwf: Improve maintainability through some refactoring #477 xmlwf: Fix man page DocBook validity + #456 Autotools: Sync CMake templates with CMake 3.18 #458 #459 CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR and CMAKE_INSTALL_INCLUDEDIR #471 #481 CMake: Add support for standard variable BUILD_SHARED_LIBS |
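Review bot: In the first hunk (@@ -2,6 +2,236 @@), the Release 2.6.0 entry for CVE-2023-52425 warns that backporters must not omit parts of pull request #789 and must include the earlier #771, but this view is limited to contrib/expat/Changes and does not show which source changes accompany the changelog. Suggest the commit message state that this is an import of the complete 2.6.0 release rather than a selective backport, so that anyone merging it to another branch takes #771 and #789 together. The CVE-2023-52426 entry applies only to builds compiled without XML_DTD defined; one line in the commit message saying whether the in-tree build defines XML_DTD would tell readers whether that fix is relevant here. The phrases "in partial where dealing with compressed XML input" and "careful to no omit" read like typos in the imported text; if they match upstream, keep them unchanged and report them upstream instead of fixing them locally.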
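Review bot: The hunk at @@ -190,7 +420,7 @@ changes an entry in the already released 2.4.2 section ("Autotools: Sync CMake templates" gains "with CMake 3.20"), which is a retroactive edit to release history rather than a new entry. Please confirm that this line matches upstream's Changes file for the release being imported, so the vendored copy carries no local modifications; the same check applies to the "#456 Autotools: Sync CMake templates with CMake 3.18" line added to the 2.4.0 section in the last hunk.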