From 6edde8fc02601158e1ad575fdeda3561d14dd4d2 Mon Sep 17 00:00:00 2001 
From: tm
Date: Mon, 7 Feb 2022 07:09:18 +0000
Subject: Pullup ticket #6578 - requested by bsiegert textproc/expat: security fix

Revisions pulled up:
- textproc/expat/Makefile 1.48-1.49
- textproc/expat/distinfo 1.40-1.41

---
Module Name: pkgsrc
Committed By: wiz
Date: Mon Jan 17 08:49:34 UTC 2022

Modified Files:
pkgsrc/textproc/expat: Makefile distinfo

Log Message:
expat: update to 2.4.3.

Release 2.4.3 Sun January 16 2022

Security fixes:
  #531 #534 CVE-2021-45960 -- Fix issues with left shifts by >=29 places resulting in
    a) realloc acting as free
    b) realloc allocating too few bytes
    c) undefined behavior
    depending on architecture and precise value for XML documents with >=2^27+1 prefixed attributes on a single XML tag a la "" where XML_ParserCreateNS is used to create the parser (which needs argument "-n" when running xmlwf). Impact is denial of service, or more.
  #532 #538 CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow on variable m_groupSize in function doProlog leading to realloc acting as free. Impact is denial of service or more.
  #539 CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows near memory allocation at multiple places. Mitre assigned a dedicated CVE for each involved internal C function:
    - CVE-2022-22822 for function addBinding
    - CVE-2022-22823 for function build_model
    - CVE-2022-22824 for function defineAttribute
    - CVE-2022-22825 for function lookup
    - CVE-2022-22826 for function nextScaffoldPart
    - CVE-2022-22827 for function storeAtts
    Impact is denial of service or more.

Other changes:
  #535 CMake: Make call to file(GENERATE [..]) work for CMake <3.19
  #541 Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin and MSYS2 by not going through Wine on these platforms
  #527 #528 Address compiler warnings
  #533 #543 Version info bumped from 9:2:8 to 9:3:8; see https://verbump.de/ for what these numbers do

Infrastructure:
  #536 CI: Check for realistic minimum CMake version
  #529 #539 CI: Cover compilation with -m32
  #529 CI: Store coverage reports as artifacts for download
  #528 CI: Upgrade Clang from 11 to 13

Release 2.4.2 Sun December 19 2021

Other changes:
  #509 #510 Link against libm for function "isnan"
  #513 #514 Include expat_config.h as early as possible
  #498 Autotools: Include files with release archives:
    - buildconf.sh
    - fuzz/*.c
  #507 #519 Autotools: Sync CMake templates
  #495 #524 CMake: MinGW: Fix pkg-config section "Libs" for
    - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug)
    - multi-config CMake generators (e.g. Ninja Multi-Config)
  #502 #503 docs: Document that function XML_GetBuffer may return NULL when asking for a buffer of 0 (zero) bytes size
  #522 #523 docs: Fix return value docs for both XML_SetBillionLaughsAttackProtection* functions
  #525 #526 Version info bumped from 9:1:8 to 9:2:8; see https://verbump.de/ for what these numbers do

---
Module Name: pkgsrc
Committed By: wiz
Date: Tue Feb 1 12:10:18 UTC 2022

Modified Files:
pkgsrc/textproc/expat: Makefile distinfo

Log Message:
expat: update to 2.4.4.

Release 2.4.4 Sun January 30 2022

Security fixes:
  #550 CVE-2022-23852 -- Fix signed integer overflow (undefined behavior) in function XML_GetBuffer (that is also called by function XML_Parse internally) for when XML_CONTEXT_BYTES is defined to >0 (which is both common and default). Impact is denial of service or more.
  #551 CVE-2022-23990 -- Fix unsigned integer overflow in function doProlog triggered by large content in element type declarations when there is an element declaration handler present (from a prior call to XML_SetElementDeclHandler). Impact is denial of service or more.

Bug fixes:
  #544 #545 xmlwf: Fix a memory leak on output file opening error

Other changes:
  #546 Autotools: Fix broken CMake support under Cygwin
  #554 Windows: Add missing files to the installer to fix compilation with CMake from installed sources
  #552 #554 Version info bumped from 9:3:8 to 9:4:8; see https://verbump.de/ for what these numbers do

--- textproc/expat/Makefile | 4 ++-- textproc/expat/distinfo | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/textproc/expat/Makefile b/textproc/expat/Makefile index 4ec19608f51..f1896033b00 100644 --- a/textproc/expat/Makefile +++ b/textproc/expat/Makefile @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.47 2021/05/25 06:34:08 nia Exp $ +# $NetBSD: Makefile,v 1.47.6.1 2022/02/07 07:09:18 tm Exp $ -DISTNAME= expat-2.4.1 +DISTNAME= expat-2.4.4 CATEGORIES= textproc MASTER_SITES= ${MASTER_SITE_GITHUB:=libexpat/} GITHUB_PROJECT= libexpat diff --git a/textproc/expat/distinfo b/textproc/expat/distinfo index 1bde350cfef..6c4d8156404 100644 --- a/textproc/expat/distinfo +++ b/textproc/expat/distinfo
@@ -1,5 +1,5 @@ -$NetBSD: distinfo,v 1.39 2021/10/26 11:21:53 nia Exp $ +$NetBSD: distinfo,v 1.39.2.1 2022/02/07 07:09:18 tm Exp $ -BLAKE2s (expat-2.4.1.tar.gz) = 200b729d0725a700afe32a43e407f57898199f6d8ef3abc5246711f9c85d7fba -SHA512 (expat-2.4.1.tar.gz) = 7390bf8d6b3e99f3bccc5c3d92f21d02c0b8ed29f1f9556e18dbae7caa813814b4fd7bd7aa2d711da27c97141d4a627b481b18ac57cef2c2438b78bac1c31203 -Size (expat-2.4.1.tar.gz) = 697439 bytes +BLAKE2s (expat-2.4.4.tar.gz) = 8e5f1c0f84e7d725c0a885bc798411fa5e13603a6623e737ac66ba7b5e66ed33 +SHA512 (expat-2.4.4.tar.gz) = a3a4f7aec51f10bb57993f2c08ba367efcb4579e5fa11f0a85262e5d6677aba32f4a17b0436dd17d4c53f45aaff88cb5bf9cf96ba8380e7740a2728fe930c5e3 +Size (expat-2.4.4.tar.gz) = 703949 bytes -- cgit v1.2.3
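Review bot: In the textproc/expat/Makefile hunk, the DISTNAME line moves from expat-2.4.1 straight to expat-2.4.4, so the branch takes three upstream releases under a subject that says only "security fix". The log itself lists build-system changes and version info bumps from 9:1:8 through to 9:4:8 along the way. Since the diffstat shows only Makefile and distinfo changing, it is worth confirming on the branch that nothing else in the package depends on the old library version info (for example a packing list that names versioned library files), and recording that check in the ticket.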
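Review bot: In the textproc/expat/distinfo hunk, the replaced BLAKE2s, SHA512 and Size lines for expat-2.4.4.tar.gz are the only integrity check on the new tarball, and the message does not say where the values came from. Suggest stating that they are identical to distinfo revision 1.41 (the last revision named under "Revisions pulled up") rather than regenerated from a fresh download, and checking the size and both digests against the upstream release before the pullup is committed.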