Source-Changes-HG archive
[src/trunk]: src/external/mit/expat/dist Release 2.2.1 Sat June 17 2017
details: https://anonhg.NetBSD.org/src/rev/e638b7f90365
branches: trunk
changeset: 354476:e638b7f90365
user: christos <christos%NetBSD.org@localhost>
date: Sat Jun 17 21:59:01 2017 +0000
description:
Release 2.2.1 Sat June 17 2017
Security fixes:
CVE-2017-9233 -- External entity infinite loop DoS
Details: https://libexpat.github.io/doc/cve-2017-9233/
Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
[MOX-002] CVE-2016-9063 -- Detect integer overflow; commit
d4f735b88d9932bd5039df2335eefdd0723dbe20
(Fixed version of existing downstream patches!)
(SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off
longer tag names; commits
* 896b6c1fd3b842f377d1b62135dccf0a579cf65d
* af507cef2c93cb8d40062a0abe43a4f4e9158fb2
#16 * 0dbbf43fdb20f593ddf4fa1ff67288000dd4a7fd
#25 More integer overflow detection (function poolGrow); commits
* 810b74e4703dcfdd8f404e3cb177d44684775143
* 44178553f3539ce69d34abee77a05e879a7982ac
[MOX-002] Detect overflow from len=INT_MAX call to XML_Parse; commits
* 4be2cb5afcc018d996f34bbbce6374b7befad47f
* 7e5b71b748491b6e459e5c9a1d090820f94544d8
[MOX-005] #30 Use high quality entropy for hash initialization:
* arc4random_buf on BSD, systems with libbsd
(when configured with --with-libbsd), CloudABI
* RtlGenRandom on Windows XP / Server 2003 and later
* getrandom on Linux 3.17+
In a way, that's still part of CVE-2016-5300.
https://github.com/libexpat/libexpat/pull/30/commits
[MOX-005] For the low quality entropy extraction fallback code,
the parser instance address can no longer leak, commit
04ad658bd3079dd15cb60fc67087900f0ff4b083
[MOX-003] Prevent use of uninitialised variable; commit
[MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b
Add missing parameter validation to public API functions
and dedicated error code XML_ERROR_INVALID_ARGUMENT:
[MOX-006] * NULL checks; commits
* d37f74b2b7149a3a95a680c4c4cd2a451a51d60a (merge/many)
* 9ed727064b675b7180c98cb3d4f75efba6966681
* 6a747c837c50114dfa413994e07c0ba477be4534
* Negative length (XML_Parse); commit
[MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f
[MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash
to go further with fixing CVE-2012-0876.
https://github.com/libexpat/libexpat/pull/39/commits
Bug fixes:
#32 Fix sharing of hash salt across parsers;
relevant where XML_ExternalEntityParserCreate is called
prior to XML_Parse, in particular (e.g. FBReader)
#28 xmlwf: Auto-disable use of memory-mapping (and parsing
as a single chunk) for files larger than ~1 GB (2^30 bytes)
rather than failing with error "out of memory"
#3 Fix double free after malloc failure in DTD code; commit
7ae9c3d3af433cd4defe95234eae7dc8ed15637f
#17 Fix memory leak on parser error for unbound XML attribute
prefix with new namespaces defined in the same tag;
found by Google's OSS-Fuzz; commits
* 16f87daae5a16132e479e4f71862128c7a915c73
* b47dbc9745932c160893d433220e462bd605f8cd
xmlwf on Windows: Add missing calls to CloseHandle
New features:
#30 Introduced environment switch EXPAT_ENTROPY_DEBUG=1
for runtime debugging of entropy extraction
Other changes:
Increase code coverage
#33 Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2;
XML_UNICODE_WCHAR_T was never meant to be used outside
of Windows; 4-byte wchar_t is common on Linux
(SF.net) #538 Start using -fno-strict-aliasing
(SF.net) #540 Support compilation against cloudlibc of CloudABI
Allow MinGW cross-compilation
(SF.net) #534 CMake: Introduce option "BUILD_doc" (enabled by default)
to bypass compilation of the xmlwf.1 man page
(SF.net) pr2 CMake: Introduce option "INSTALL" (enabled by default)
to bypass installation of expat files
CMake: Fix ninja support
Autotools: Add parameters --enable-xml-context [COUNT]
and --disable-xml-context; default of context of 1024
bytes enabled unchanged
#14 Drop AmigaOS 4.x code and includes
#14 Drop ancient build systems:
* Borland C++ Builder
* OpenVMS
* Open Watcom
* Visual Studio 6.0
* Pre-X Mac OS (MPW Makefile)
If you happen to rely on some of these, please get in
touch for joining with maintenance.
#10 Move from WIN32 to _WIN32
#13 Fix "make run-xmltest" order instability
Address compile warnings
Bump version info from 7:2:6 to 7:3:6
Add AUTHORS file
Infrastructure:
#1 Migrate from SourceForge to GitHub (except downloads):
https://github.com/libexpat/
#1 Re-create http://libexpat.org/ project website
Start utilizing Travis CI
Special thanks to:
Andy Wang
Don Lewis
Ed Schouten
Karl Waclawek
Pascal Cuoq
Rhodri James
Sergei Nikulov
Tobias Taschner
Viktor Szakats
and
Core Infrastructure Initiative
Mozilla Foundation (MOSS Track 3: Secure Open Source)
Radically Open Security
diffstat:
external/mit/expat/dist/AUTHORS | 10 +
external/mit/expat/dist/CMake.README | 12 +-
external/mit/expat/dist/CMakeLists.txt | 49 +-
external/mit/expat/dist/COPYING | 2 +-
external/mit/expat/dist/Changes | 130 +-
external/mit/expat/dist/MANIFEST | 62 +-
external/mit/expat/dist/Makefile.in | 35 +-
external/mit/expat/dist/README | 2 +-
external/mit/expat/dist/configure | 239 ++-
external/mit/expat/dist/configure.ac | 92 +-
external/mit/expat/dist/doc/reference.html | 2 +-
external/mit/expat/dist/examples/elements.c | 6 +-
external/mit/expat/dist/examples/outline.c | 4 -
external/mit/expat/dist/expat_config.h.in | 12 +
external/mit/expat/dist/lib/expat.h | 22 +-
external/mit/expat/dist/lib/expat_external.h | 5 +-
external/mit/expat/dist/lib/siphash.h | 344 +++
external/mit/expat/dist/lib/winconfig.h | 10 +
external/mit/expat/dist/lib/xmlrole.c | 10 +-
external/mit/expat/dist/m4/libtool.m4 | 13 +-
external/mit/expat/dist/run.sh.in | 12 +
external/mit/expat/dist/tests/benchmark/benchmark.c | 4 -
external/mit/expat/dist/tests/memcheck.c | 173 +
external/mit/expat/dist/tests/memcheck.h | 34 +
external/mit/expat/dist/tests/minicheck.c | 5 +-
external/mit/expat/dist/tests/minicheck.h | 3 +-
external/mit/expat/dist/tests/runtests.c | 1939 ++++++++++++++++++-
external/mit/expat/dist/win32/MANIFEST.txt | 2 -
external/mit/expat/dist/win32/README.txt | 21 +-
external/mit/expat/dist/win32/expat.iss | 24 +-
external/mit/expat/dist/xmlwf/codepage.c | 6 +-
external/mit/expat/dist/xmlwf/filemap.h | 12 +
external/mit/expat/dist/xmlwf/readfilemap.c | 17 +-
external/mit/expat/dist/xmlwf/unixfilemap.c | 4 +
external/mit/expat/dist/xmlwf/win32filemap.c | 7 +-
external/mit/expat/dist/xmlwf/xmlfile.c | 51 +-
external/mit/expat/dist/xmlwf/xmlwf.c | 8 +-
37 files changed, 3129 insertions(+), 254 deletions(-)
diffs (truncated from 4513 to 300 lines):
diff -r b3c21bdc09b7 -r e638b7f90365 external/mit/expat/dist/AUTHORS
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/mit/expat/dist/AUTHORS Sat Jun 17 21:59:01 2017 +0000
@@ -0,0 +1,10 @@
+Expat is brought to you by:
+
+Clark Cooper
+Fred L. Drake, Jr.
+Greg Stein
+James Clark
+Karl Waclawek
+Rhodri James
+Sebastian Pipping
+Steven Solie
diff -r b3c21bdc09b7 -r e638b7f90365 external/mit/expat/dist/CMake.README
--- a/external/mit/expat/dist/CMake.README Sat Jun 17 20:40:59 2017 +0000
+++ b/external/mit/expat/dist/CMake.README Sat Jun 17 21:59:01 2017 +0000
@@ -3,25 +3,25 @@
The cmake based buildsystem for expat works on Windows (cygwin, mingw, Visual
Studio) and should work on all other platform cmake supports.
-Assuming ~/expat-2.2.0 is the source directory of expat, add a subdirectory
+Assuming ~/expat-2.2.1 is the source directory of expat, add a subdirectory
build and change into that directory:
-~/expat-2.2.0$ mkdir build && cd build
-~/expat-2.2.0/build$
+~/expat-2.2.1$ mkdir build && cd build
+~/expat-2.2.1/build$
From that directory, call cmake first, then call make, make test and
make install in the usual way:
-~/expat-2.2.0/build$ cmake ..
+~/expat-2.2.1/build$ cmake ..
-- The C compiler identification is GNU
-- The CXX compiler identification is GNU
....
-- Configuring done
-- Generating done
--- Build files have been written to: /home/patrick/expat-2.2.0/build
+-- Build files have been written to: /home/patrick/expat-2.2.1/build
If you want to specify the install location for your files, append
-DCMAKE_INSTALL_PREFIX=/your/install/path to the cmake call.
-~/expat-2.2.0/build$ make && make test && make install
+~/expat-2.2.1/build$ make && make test && make install
Scanning dependencies of target expat
[ 5%] Building C object CMakeFiles/expat.dir/lib/xmlparse.c.o
[ 11%] Building C object CMakeFiles/expat.dir/lib/xmlrole.c.o
diff -r b3c21bdc09b7 -r e638b7f90365 external/mit/expat/dist/CMakeLists.txt
--- a/external/mit/expat/dist/CMakeLists.txt Sat Jun 17 20:40:59 2017 +0000
+++ b/external/mit/expat/dist/CMakeLists.txt Sat Jun 17 21:59:01 2017 +0000
@@ -6,7 +6,7 @@
cmake_minimum_required(VERSION 2.6)
set(PACKAGE_BUGREPORT "expat-bugs%libexpat.org@localhost")
set(PACKAGE_NAME "expat")
-set(PACKAGE_VERSION "2.2.0")
+set(PACKAGE_VERSION "2.2.1")
set(PACKAGE_STRING "${PACKAGE_NAME} ${PACKAGE_VERSION}")
set(PACKAGE_TARNAME "${PACKAGE_NAME}")
@@ -14,6 +14,8 @@
option(BUILD_examples "build the examples for expat library" ON)
option(BUILD_tests "build the tests for expat library" ON)
option(BUILD_shared "build a shared expat library" ON)
+option(BUILD_doc "build man page for xmlwf" ON)
+option(INSTALL "install expat files in cmake install target" ON)
# configuration options
set(XML_CONTEXT_BYTES 1024 CACHE STRING "Define to specify how much context to retain around the current parse point")
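Review bot: `INSTALL` on the second added line is a very generic name for a cache option; a parent project that pulls expat in as a subdirectory and defines its own `INSTALL` variable would end up sharing it. A project-prefixed name (for example a hypothetical `EXPAT_INSTALL`) would avoid the clash, and the help string could state that OFF skips every install rule.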
@@ -37,20 +39,25 @@
include(ConfigureChecks.cmake)
+set(EXTRA_LINK_AND_COMPILE_FLAGS "-fno-strict-aliasing")
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${EXTRA_LINK_AND_COMPILE_FLAGS}")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} ${EXTRA_LINK_AND_COMPILE_FLAGS}")
+set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${EXTRA_LINK_AND_COMPILE_FLAGS}")
+set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} ${EXTRA_LINK_AND_COMPILE_FLAGS}")
+
include_directories(${CMAKE_BINARY_DIR} ${CMAKE_SOURCE_DIR}/lib)
if(MSVC)
add_definitions(-D_CRT_SECURE_NO_WARNINGS -wd4996)
endif(MSVC)
if(WIN32)
- add_definitions(-DWIN32)
set(CMAKE_DEBUG_POSTFIX "d" CACHE STRING "Add a suffix, usually d on Windows")
endif(WIN32)
set(expat_SRCS
lib/xmlparse.c
lib/xmlrole.c
- lib/xmltok.c
- lib/xmltok_impl.c
+ lib/xmltok.c
+ lib/xmltok_impl.c
lib/xmltok_ns.c
)
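Review bot: `EXTRA_LINK_AND_COMPILE_FLAGS` is set to `-fno-strict-aliasing` unconditionally, above the `if(MSVC)` block, so the GCC-style flag is also passed when building with MSVC and is appended to both linker flag variables. Guard the four `set(CMAKE_*_FLAGS ...)` lines with a compiler check such as `if(NOT MSVC)`, and either drop the flag from `CMAKE_EXE_LINKER_FLAGS` and `CMAKE_SHARED_LINKER_FLAGS` or add a comment saying why the linker needs it. The `lib/xmltok.c` and `lib/xmltok_impl.c` lines appear to change whitespace only and would be better left out of this hunk.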
@@ -69,7 +76,7 @@
add_library(expat ${_SHARED} ${expat_SRCS})
set(LIBCURRENT 7) # sync
-set(LIBREVISION 2) # with
+set(LIBREVISION 3) # with
set(LIBAGE 6) # configure.ac!
math(EXPR LIBCURRENT_MINUS_AGE "${LIBCURRENT} - ${LIBAGE}")
@@ -79,7 +86,13 @@
set_property(TARGET expat PROPERTY NO_SONAME ${NO_SONAME})
endif(NOT WIN32)
-install(TARGETS expat RUNTIME DESTINATION bin
+macro(expat_install)
+ if(INSTALL)
+ install(${ARGN})
+ endif()
+endmacro()
+
+expat_install(TARGETS expat RUNTIME DESTINATION bin
LIBRARY DESTINATION lib
ARCHIVE DESTINATION lib)
@@ -89,11 +102,8 @@
set(includedir "\${prefix}/include")
configure_file(expat.pc.in ${CMAKE_CURRENT_BINARY_DIR}/expat.pc)
-install(FILES lib/expat.h lib/expat_external.h DESTINATION include)
-install(FILES ${CMAKE_CURRENT_BINARY_DIR}/expat.pc DESTINATION lib/pkgconfig)
-
-
-add_custom_command(TARGET expat PRE_BUILD COMMAND $(MAKE) -C doc xmlwf.1)
+expat_install(FILES lib/expat.h lib/expat_external.h DESTINATION include)
+expat_install(FILES ${CMAKE_CURRENT_BINARY_DIR}/expat.pc DESTINATION lib/pkgconfig)
if(BUILD_tools AND NOT WINCE)
set(xmlwf_SRCS
@@ -106,8 +116,17 @@
add_executable(xmlwf ${xmlwf_SRCS})
set_property(TARGET xmlwf PROPERTY RUNTIME_OUTPUT_DIRECTORY xmlwf)
target_link_libraries(xmlwf expat)
- install(TARGETS xmlwf DESTINATION bin)
- install(FILES doc/xmlwf.1 DESTINATION share/man/man1)
+ expat_install(TARGETS xmlwf DESTINATION bin)
+ if(BUILD_doc AND NOT MSVC)
+ if(CMAKE_GENERATOR STREQUAL "Unix Makefiles")
+ set(make_command "$(MAKE)")
+ else()
+ set(make_command "make")
+ endif()
+
+ add_custom_command(TARGET expat PRE_BUILD COMMAND "${make_command}" -C "${PROJECT_SOURCE_DIR}/doc" xmlwf.1)
+ expat_install(FILES "${PROJECT_SOURCE_DIR}/doc/xmlwf.1" DESTINATION share/man/man1)
+ endif()
endif(BUILD_tools AND NOT WINCE)
if(BUILD_examples)
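Review bot: in the `else()` branch `make_command` is hard-coded to `make`, so a build with a non-Makefile generator and `BUILD_doc` ON (the default) still needs a `make` binary on PATH, and the command runs in `${PROJECT_SOURCE_DIR}/doc`, which writes `xmlwf.1` into the source tree. Consider locating the tool with `find_program` and skipping the man page with a status message when it is absent, rather than letting the build fail at the custom command.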
@@ -122,12 +141,12 @@
if(BUILD_tests)
## these are unittests that can be run on any platform
- add_executable(runtests tests/runtests.c tests/chardata.c tests/minicheck.c)
+ add_executable(runtests tests/runtests.c tests/chardata.c tests/minicheck.c tests/memcheck.c)
set_property(TARGET runtests PROPERTY RUNTIME_OUTPUT_DIRECTORY tests)
target_link_libraries(runtests expat)
add_test(runtests tests/runtests)
- add_executable(runtestspp tests/runtestspp.cpp tests/chardata.c tests/minicheck.c)
+ add_executable(runtestspp tests/runtestspp.cpp tests/chardata.c tests/minicheck.c tests/memcheck.c)
set_property(TARGET runtestspp PROPERTY RUNTIME_OUTPUT_DIRECTORY tests)
target_link_libraries(runtestspp expat)
add_test(runtestspp tests/runtestspp)
diff -r b3c21bdc09b7 -r e638b7f90365 external/mit/expat/dist/COPYING
--- a/external/mit/expat/dist/COPYING Sat Jun 17 20:40:59 2017 +0000
+++ b/external/mit/expat/dist/COPYING Sat Jun 17 21:59:01 2017 +0000
@@ -1,5 +1,5 @@
Copyright (c) 1998-2000 Thai Open Source Software Center Ltd and Clark Cooper
-Copyright (c) 2001-2016 Expat maintainers
+Copyright (c) 2001-2017 Expat maintainers
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
diff -r b3c21bdc09b7 -r e638b7f90365 external/mit/expat/dist/Changes
--- a/external/mit/expat/dist/Changes Sat Jun 17 20:40:59 2017 +0000
+++ b/external/mit/expat/dist/Changes Sat Jun 17 21:59:01 2017 +0000
@@ -1,3 +1,122 @@
+NOTE: We are looking for help with a few things:
+ https://github.com/libexpat/libexpat/labels/help%20wanted
+ If you can help, please get in touch. Thanks!
+
+Release 2.2.1 Sat June 17 2017
+ Security fixes:
+ CVE-2017-9233 -- External entity infinite loop DoS
+ Details: https://libexpat.github.io/doc/cve-2017-9233/
+ Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
+ [MOX-002] CVE-2016-9063 -- Detect integer overflow; commit
+ d4f735b88d9932bd5039df2335eefdd0723dbe20
+ (Fixed version of existing downstream patches!)
+ (SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off
+ longer tag names; commits
+ * 896b6c1fd3b842f377d1b62135dccf0a579cf65d
+ * af507cef2c93cb8d40062a0abe43a4f4e9158fb2
+ #16 * 0dbbf43fdb20f593ddf4fa1ff67288000dd4a7fd
+ #25 More integer overflow detection (function poolGrow); commits
+ * 810b74e4703dcfdd8f404e3cb177d44684775143
+ * 44178553f3539ce69d34abee77a05e879a7982ac
+ [MOX-002] Detect overflow from len=INT_MAX call to XML_Parse; commits
+ * 4be2cb5afcc018d996f34bbbce6374b7befad47f
+ * 7e5b71b748491b6e459e5c9a1d090820f94544d8
+ [MOX-005] #30 Use high quality entropy for hash initialization:
+ * arc4random_buf on BSD, systems with libbsd
+ (when configured with --with-libbsd), CloudABI
+ * RtlGenRandom on Windows XP / Server 2003 and later
+ * getrandom on Linux 3.17+
+ In a way, that's still part of CVE-2016-5300.
+ https://github.com/libexpat/libexpat/pull/30/commits
+ [MOX-005] For the low quality entropy extraction fallback code,
+ the parser instance address can no longer leak, commit
+ 04ad658bd3079dd15cb60fc67087900f0ff4b083
+ [MOX-003] Prevent use of uninitialised variable; commit
+ [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b
+ Add missing parameter validation to public API functions
+ and dedicated error code XML_ERROR_INVALID_ARGUMENT:
+ [MOX-006] * NULL checks; commits
+ * d37f74b2b7149a3a95a680c4c4cd2a451a51d60a (merge/many)
+ * 9ed727064b675b7180c98cb3d4f75efba6966681
+ * 6a747c837c50114dfa413994e07c0ba477be4534
+ * Negative length (XML_Parse); commit
+ [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f
+ [MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash
+ to go further with fixing CVE-2012-0876.
+ https://github.com/libexpat/libexpat/pull/39/commits
+
+ Bug fixes:
+ #32 Fix sharing of hash salt across parsers;
+ relevant where XML_ExternalEntityParserCreate is called
+ prior to XML_Parse, in particular (e.g. FBReader)
+ #28 xmlwf: Auto-disable use of memory-mapping (and parsing
+ as a single chunk) for files larger than ~1 GB (2^30 bytes)
+ rather than failing with error "out of memory"
+ #3 Fix double free after malloc failure in DTD code; commit
+ 7ae9c3d3af433cd4defe95234eae7dc8ed15637f
+ #17 Fix memory leak on parser error for unbound XML attribute
+ prefix with new namespaces defined in the same tag;
+ found by Google's OSS-Fuzz; commits
+ * 16f87daae5a16132e479e4f71862128c7a915c73
+ * b47dbc9745932c160893d433220e462bd605f8cd
+ xmlwf on Windows: Add missing calls to CloseHandle
+
+ New features:
+ #30 Introduced environment switch EXPAT_ENTROPY_DEBUG=1
+ for runtime debugging of entropy extraction
+
+ Other changes:
+ Increase code coverage
+ #33 Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2;
+ XML_UNICODE_WCHAR_T was never meant to be used outside
+ of Windows; 4-byte wchar_t is common on Linux
+ (SF.net) #538 Start using -fno-strict-aliasing
+ (SF.net) #540 Support compilation against cloudlibc of CloudABI
+ Allow MinGW cross-compilation
+ (SF.net) #534 CMake: Introduce option "BUILD_doc" (enabled by default)
+ to bypass compilation of the xmlwf.1 man page
+ (SF.net) pr2 CMake: Introduce option "INSTALL" (enabled by default)
+ to bypass installation of expat files
+ CMake: Fix ninja support
+ Autotools: Add parameters --enable-xml-context [COUNT]
+ and --disable-xml-context; default of context of 1024
+ bytes enabled unchanged
+ #14 Drop AmigaOS 4.x code and includes
+ #14 Drop ancient build systems:
+ * Borland C++ Builder
+ * OpenVMS
+ * Open Watcom
+ * Visual Studio 6.0
+ * Pre-X Mac OS (MPW Makefile)
+ If you happen to rely on some of these, please get in
+ touch for joining with maintenance.
+ #10 Move from WIN32 to _WIN32
+ #13 Fix "make run-xmltest" order instability
+ Address compile warnings
+ Bump version info from 7:2:6 to 7:3:6
+ Add AUTHORS file
+
+ Infrastructure:
+ #1 Migrate from SourceForge to GitHub (except downloads):
+ https://github.com/libexpat/
+ #1 Re-create http://libexpat.org/ project website
+ Start utilizing Travis CI
+
+ Special thanks to:
+ Andy Wang
+ Don Lewis
+ Ed Schouten
+ Karl Waclawek
+ Pascal Cuoq
+ Rhodri James
+ Sergei Nikulov
+ Tobias Taschner
+ Viktor Szakats
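Review bot: the [MOX-005] entries in the Security fixes block name the high quality entropy sources (`arc4random_buf`, `RtlGenRandom`, `getrandom`) but do not say what the "low quality entropy extraction fallback" consists of or on which platforms it is selected. Because the hash salt is what the CVE-2012-0876 and CVE-2016-5300 items depend on, the entry should tell packagers how to find out which source their build uses, for example by cross-referencing the `EXPAT_ENTROPY_DEBUG=1` switch listed under New features.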