pkgsrc-Changes archive


CVS commit: [pkgsrc-2025Q1] pkgsrc/textproc/expat



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Mon Apr  7 16:34:05 UTC 2025

Modified Files:
        pkgsrc/textproc/expat [pkgsrc-2025Q1]: Makefile distinfo
Removed Files:
        pkgsrc/textproc/expat/patches [pkgsrc-2025Q1]:
            patch-cmake_autotools_expat-noconfig____macos.cmake.in

Log Message:
Pullup ticket #6953 - requested by wiz
textproc/expat: security fix

Revisions pulled up:
- textproc/expat/Makefile                                       1.59
- textproc/expat/distinfo                                       1.53
- textproc/expat/patches/patch-cmake_autotools_expat-noconfig____macos.cmake.in deleted

---
   Module Name: pkgsrc
   Committed By:        wiz
   Date:                Sun Mar 30 07:48:15 UTC 2025

   Modified Files:
        pkgsrc/textproc/expat: Makefile distinfo
   Removed Files:
        pkgsrc/textproc/expat/patches:
            patch-cmake_autotools_expat-noconfig____macos.cmake.in

   Log Message:
   expat: update to 2.7.1.

   Release 2.7.1 Thu March 27 2025
           Bug fixes:
          #980 #989  Restore event pointer behavior from Expat 2.6.4
                       (that the fix to CVE-2024-8176 changed in 2.7.0);
                       affected API functions are:
                       - XML_GetCurrentByteCount
                       - XML_GetCurrentByteIndex
                       - XML_GetCurrentColumnNumber
                       - XML_GetCurrentLineNumber
                       - XML_GetInputContext

           Other changes:
          #976 #977  Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}"
                       with Automake that were missing from 2.7.0 release tarballs
          #983 #984  Fix printf format specifiers for 32bit Emscripten
               #992  docs: Promote OpenSSF Best Practices self-certification
               #978  tests/benchmark: Resolve mistaken double close
               #986  Address compiler warnings
          #990 #993  Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
                       to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
                       for what these numbers do

           Infrastructure:
               #982  CI: Start running Perl XML::Parser integration tests
               #987  CI: Enforce Clang Static Analyzer clean code
               #991  CI: Re-enable warning clang-analyzer-valist.Uninitialized
                       for clang-tidy
               #981  CI: Cover compilation with musl
          #983 #984  CI: Cover compilation with 32bit Emscripten
          #976 #977  CI: Protect against fuzzer files missing from future
                       release archives

   Release 2.7.0 Thu March 13 2025
           Security fixes:
          #893 #973  CVE-2024-8176 -- Fix crash from chaining a large number
                       of entities caused by stack overflow by resolving use of
                       recursion, for all three uses of entities:
                       - general entities in character data ("<e>&g1;</e>")
                       - general entities in attribute values ("<e k1='&g1;'/>")
                       - parameter entities ("%p1;")
                       Known impact is (reliable and easy) denial of service:
                       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
                       (Base Score: 7.5, Temporal Score: 7.2)
                       Please note that a layer of compression around XML can
                       significantly reduce the minimum attack payload size.

           Other changes:
          #935 #937  Autotools: Make generated CMake files look for
                       libexpat.@SO_MAJOR@.dylib on macOS
               #925  Autotools: Sync CMake templates with CMake 3.29
     #945 #962 #966  CMake: Drop support for CMake <3.13
               #942  CMake: Small fuzzing related improvements
               #921  docs: Add missing documentation of error code
                       XML_ERROR_NOT_STARTED that was introduced with 2.6.4
               #941  docs: Document need for C++11 compiler for use from C++
               #959  tests/benchmark: Fix a (harmless) TOCTTOU
               #944  Windows: Fix installer target location of file xmlwf.xml
                       for CMake
               #953  Windows: Address warning -Wunknown-warning-option
                       about -Wno-pedantic-ms-format from LLVM MinGW
               #971  Address Cppcheck warnings
          #969 #970  Mass-migrate links from http:// to https://
       #947 #958 ..
          #974 #975  Document changes since the previous release
          #974 #975  Version info bumped from 11:0:10 (libexpat*.so.1.10.0)
                       to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/
                       for what these numbers do

           Infrastructure:
               #926  tests: Increase robustness
       #927 #932 ..
          #930 #933  tests: Increase test coverage
       #617 #950 ..
       #951 #952 ..
       #954 #955 ..  Fuzzing: Add new fuzzer "xml_lpm_fuzzer" based on
               #961    Google's libprotobuf-mutator ("LPM")
               #957  Fuzzing|CI: Start producing fuzzing code coverage reports
               #936  CI: Pass -q -q for LCOV >=2.1 in coverage.sh
               #942  CI: Small fuzzing related improvements
       #139 #203 ..
          #791 #946  CI: Make GitHub Actions build using MSVC on Windows and
                         produce 32bit and 64bit Windows binaries
               #956  CI: Get off of about-to-be-removed Ubuntu 20.04
          #960 #964  CI: Start uploading to Coverity Scan for static analysis
               #972  CI: Stop loading DTD from the internet to address flaky CI
               #971  CI: Adapt to breaking changes in Cppcheck


To generate a diff of this commit:
cvs rdiff -u -r1.58 -r1.58.6.1 pkgsrc/textproc/expat/Makefile
cvs rdiff -u -r1.52 -r1.52.4.1 pkgsrc/textproc/expat/distinfo
cvs rdiff -u -r1.1 -r0 \
    pkgsrc/textproc/expat/patches/patch-cmake_autotools_expat-noconfig____macos.cmake.in

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/textproc/expat/Makefile
diff -u pkgsrc/textproc/expat/Makefile:1.58 pkgsrc/textproc/expat/Makefile:1.58.6.1
--- pkgsrc/textproc/expat/Makefile:1.58 Wed Sep  4 13:08:26 2024
+++ pkgsrc/textproc/expat/Makefile      Mon Apr  7 16:34:05 2025
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.58 2024/09/04 13:08:26 adam Exp $
+# $NetBSD: Makefile,v 1.58.6.1 2025/04/07 16:34:05 bsiegert Exp $
 
-DISTNAME=      expat-2.6.3
+DISTNAME=      expat-2.7.1
 CATEGORIES=    textproc
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=libexpat/}
 GITHUB_PROJECT=        libexpat
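Review bot: the DISTNAME line takes the branch from expat-2.6.3 straight to expat-2.7.1, but the log message only reproduces the upstream notes for 2.7.0 and 2.7.1. The 2.7.1 notes refer to behavior "from Expat 2.6.4" and the 2.7.0 notes mention XML_ERROR_NOT_STARTED as "introduced with 2.6.4", so the 2.6.4 changes also arrive on pkgsrc-2025Q1 with this pullup and should be listed or at least referenced. Since the ticket is filed as "security fix", naming CVE-2024-8176 (fixed in 2.7.0) in the summary line would let branch users match the pullup against advisories without reading the full release notes.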

Index: pkgsrc/textproc/expat/distinfo
diff -u pkgsrc/textproc/expat/distinfo:1.52 pkgsrc/textproc/expat/distinfo:1.52.4.1
--- pkgsrc/textproc/expat/distinfo:1.52 Wed Dec 18 15:03:58 2024
+++ pkgsrc/textproc/expat/distinfo      Mon Apr  7 16:34:05 2025
@@ -1,6 +1,5 @@
-$NetBSD: distinfo,v 1.52 2024/12/18 15:03:58 brook Exp $
+$NetBSD: distinfo,v 1.52.4.1 2025/04/07 16:34:05 bsiegert Exp $
 
-BLAKE2s (expat-2.6.3.tar.gz) = fcc81c1c25ef679e6c93fe93c7c1b0cc5a306f94163d3e53b506917cb6537185
-SHA512 (expat-2.6.3.tar.gz) = 0c0f0df947bbe7084ba2bffce082bc40e061cbf02363f3043e8e6be33b71277dbf13fd54dcc0f641b704293e3faea5b8c1d3c752737db4c908097bf5df8bd02d
-Size (expat-2.6.3.tar.gz) = 764617 bytes
-SHA1 (patch-cmake_autotools_expat-noconfig____macos.cmake.in) = 21411931ba40ca89435a3a41b3c329039540bfa2
+BLAKE2s (expat-2.7.1.tar.gz) = fa9600a2ac4552b3e4d6a94b34392e6a3fa4b6d1c0d704cd2e937c17ed9705d8
+SHA512 (expat-2.7.1.tar.gz) = 1b6b94f3253ac3ab3f8c69d1c852db2334c99cb7990b9656f5f2458198d1eb854e79cce0e39151aef0d5e01a740fc965651c6a57fda585f9a24c543f2693f78c
+Size (expat-2.7.1.tar.gz) = 785356 bytes
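Review bot: the dropped SHA1 line for patch-cmake_autotools_expat-noconfig____macos.cmake.in agrees with the patch deletion under Removed Files, but the log never says why the patch is no longer needed. The 2.7.0 entry "#935 #937 Autotools: Make generated CMake files look for libexpat.@SO_MAJOR@.dylib on macOS" looks like the upstream equivalent; if that is the reason, state it in the commit message so the removal can be audited. The new BLAKE2s, SHA512 and Size values for expat-2.7.1.tar.gz cannot be validated from the diff itself, so anyone consuming this pullup should confirm them against the upstream release tarball.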


