Skip to content
Snippets Groups Projects
  1. Jan 10, 2018
    • Elliott Hughes's avatar
      Upgrade to expat 2.2.5. · 7247294f
      Elliott Hughes authored
      From `Changes`:
      
        Release 2.2.5 Tue October 31 2017
              Bug fixes:
                    #8  If the parser runs out of memory, make sure its internal
                          state reflects the memory it actually has, not the memory
                          it wanted to have.
                   #11  The default handler wasn't being called when it should for
                          a SYSTEM or PUBLIC doctype if an entity declaration handler
                          was registered.
             #137 #138  Fix a case of mistakenly reported parsing success where
                          XML_StopParser was called from an element handler
                  #162  Function XML_ErrorString was returning NULL rather than
                          a message for code XML_ERROR_INVALID_ARGUMENT
                          introduced with release 2.2.1
      
              Other changes:
                  #106  xmlwf: Add argument -N adding notation declarations
              #75 #106  Test suite: Resolve expected failure cases where xmlwf
                          output was incomplete
                  #127  Windows: Fix test suite compilation
             #126 #127  Windows: Fix compilation for Visual Studio 2012
              #33 #132  tests: Mass-fix compilation for XML_UNICODE_WCHAR_T
                  #129  examples: Fix compilation for XML_UNICODE_WCHAR_T
                  #130  benchmark: Fix compilation for XML_UNICODE_WCHAR_T
                  #144  xmlwf: Fix compilation for XML_UNICODE_WCHAR_T; still needs
                          Windows or MinGW for 2-byte wchar_t
                    #9  Address two Clang Static Analyzer false positives
                   #59  Resolve troublesome macros hiding parser struct membership
                          and dereferencing that pointer
                    #6  Resolve superfluous internal malloc/realloc switch
             #153 #155  Improve docbook2x-man detection
                  #160  Undefine NDEBUG in the test suite (rather than rejecting it)
                  #161  Address compiler warnings
                        Version info bumped from 7:6:6 to 7:7:6
      
              Special thanks to:
                  Benbuck Nason
                  Hans Wennborg
                  José Gutiérrez de la Concha
                  Pedro Monreal Gonzalez
                  Rhodri James
                  Rolf Ade
                  Stephen Groat
                       and
                  Core Infrastructure Initiative
      
        Release 2.2.4 Sat August 19 2017
              Bug fixes:
                  #115  Fix copying of partial characters for UTF-8 input
      
              Other changes:
                  #109  Fix "make check" for non-x86 architectures that default
                          to unsigned type char (-128..127 rather than 0..255)
                  #109  coverage.sh: Cover -funsigned-char
                        Autotools: Introduce --without-xmlwf argument
                   #65  Autotools: Replace handwritten Makefile with GNU Automake
                   #43  CMake: Auto-detect high quality entropy extractors, add new
                          option USE_libbsd=ON to use arc4random_buf of libbsd
                   #74  CMake: Add -fno-strict-aliasing only where supported
                  #114  CMake: Always honor manually set BUILD_* options
                  #114  CMake: Compile man page if docbook2x-man is available, only
                  #117  Include file tests/xmltest.log.expected in source tarball
                          (required for "make run-xmltest")
                  #117  Include (existing) Visual Studio 2013 files in source tarball
                        Improve test suite error output
                  #111  Fix some typos in documentation
                        Version info bumped from 7:5:6 to 7:6:6
      
              Special thanks to:
                  Jakub Wilk
                  Joe Orton
                  Lin Tian
                  Rolf Eike Beer
      
        Release 2.2.3 Wed August 2 2017
              Security fixes:
                   #82  CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability
                          using Steve Holme's LoadLibrary wrapper for/of cURL
      
              Bug fixes:
                   #85  Fix a dangling pointer issue related to realloc
      
              Other changes:
                        Increase code coverage
                   #91  Linux: Allow getrandom to fail if nonblocking pool has not
                          yet been initialized and read /dev/urandom then, instead.
                          This is in line with what recent Python does.
                   #81  Pre-10.7/Lion macOS: Support entropy from arc4random
                   #86  Check that a UTF-16 encoding in an XML declaration has the
                          right endianness
              #4 #5 #7  Recover correctly when some reallocations fail
                        Repair "./configure && make" for systems without any
                          provider of high quality entropy
                          and try reading /dev/urandom on those
                        Ensure that user-defined character encodings have converter
                          functions when they are needed
                        Fix mis-leading description of argument -c in xmlwf.1
                        Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__)
                          for CloudABI
                  #100  Fix use of SIPHASH_MAIN in siphash.h
                   #23  Test suite: Fix memory leaks
                        Version info bumped from 7:4:6 to 7:5:6
      
              Special thanks to:
                  Chanho Park
                  Joe Orton
                  Pascal Cuoq
                  Rhodri James
                  Simon McVittie
                  Vadim Zeitlin
                  Viktor Szakats
                       and
                  Core Infrastructure Initiative
      
        Release 2.2.2 Wed July 12 2017
              Security fixes:
                   #43  Protect against compilation without any source of high
                          quality entropy enabled, e.g. with CMake build system;
                          commit ff0207e6076e9828e536b8d9cd45c9c92069b895
                   #60  Windows with _UNICODE:
                          Unintended use of LoadLibraryW with a non-wide string
                          resulted in failure to load advapi32.dll and degradation
                          in quality of used entropy when compiled with _UNICODE for
                          Windows; you can launch existing binaries with
                          EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the
                          quality of entropy used during runtime; commits
                          * 95b95032f907ef1cd17ee7a9a1768010a825d61d
                          * 73a5a2e9c081f49f2d775cf7ced864158b68dc80
         [MOX-006]      Fix non-NULL parser parameter validation in XML_Parse;
                          resulted in NULL dereference, previously;
                          commit ac256dafdffc9622ab0dc2c62fcecb0dfcfa71fe
      
              Bug fixes:
                   #69  Fix improper use of unsigned long long integer literals
      
              Other changes:
                   #73  Start requiring a C99 compiler
                   #49  Fix "==" Bashism in configure script
                   #50  Fix too eager getrandom detection for Debian GNU/kFreeBSD
                   #52    and macOS
                   #51  Address lack of stdint.h in Visual Studio 2003 to 2008
                   #58  Address compile warnings
                   #68  Fix "./buildconf.sh && ./configure" for some versions
                          of Dash for /bin/sh
                   #72  CMake: Ease use of Expat in context of a parent project
                          with multiple CMakeLists.txt files
                   #72  CMake: Resolve mistaken executable permissions
                   #76  Address compile warning with -DNDEBUG (not recommended!)
                   #77  Address compile warning about macro redefinition
      
              Special thanks to:
                  Alexander Bluhm
                  Ben Boeckel
                  Cătălin Răceanu
                  Kerin Millar
                  László Böszörményi
                  S. P. Zeidler
                  Segev Finer
                  Václav Slavík
                  Victor Stinner
                  Viktor Szakats
                       and
                  Radically Open Security
      
        Release 2.2.1 Sat June 17 2017
              Security fixes:
                        CVE-2017-9233 -- External entity infinite loop DoS
                          Details: https://libexpat.github.io/doc/cve-2017-9233/
                          Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
         [MOX-002]      CVE-2016-9063 -- Detect integer overflow; commit
                          d4f735b88d9932bd5039df2335eefdd0723dbe20
                          (Fixed version of existing downstream patches!)
         (SF.net) #539  Fix regression from fix to CVE-2016-0718 cutting off
                          longer tag names; commits
                          * 896b6c1fd3b842f377d1b62135dccf0a579cf65d
                          * af507cef2c93cb8d40062a0abe43a4f4e9158fb2
                   #16    * 0dbbf43fdb20f593ddf4fa1ff67288000dd4a7fd
                   #25  More integer overflow detection (function poolGrow); commits
                          * 810b74e4703dcfdd8f404e3cb177d44684775143
                          * 44178553f3539ce69d34abee77a05e879a7982ac
         [MOX-002]      Detect overflow from len=INT_MAX call to XML_Parse; commits
                          * 4be2cb5afcc018d996f34bbbce6374b7befad47f
                          * 7e5b71b748491b6e459e5c9a1d090820f94544d8
         [MOX-005] #30  Use high quality entropy for hash initialization:
                          * arc4random_buf on BSD, systems with libbsd
                            (when configured with --with-libbsd), CloudABI
                          * RtlGenRandom on Windows XP / Server 2003 and later
                          * getrandom on Linux 3.17+
                          In a way, that's still part of CVE-2016-5300.
                          https://github.com/libexpat/libexpat/pull/30/commits
         [MOX-005]      For the low quality entropy extraction fallback code,
                          the parser instance address can no longer leak, commit
                          04ad658bd3079dd15cb60fc67087900f0ff4b083
         [MOX-003]      Prevent use of uninitialised variable; commit
         [MOX-004]        a4dc944f37b664a3ca7199c624a98ee37babdb4b
                        Add missing parameter validation to public API functions
                          and dedicated error code XML_ERROR_INVALID_ARGUMENT:
         [MOX-006]        * NULL checks; commits
                            * d37f74b2b7149a3a95a680c4c4cd2a451a51d60a (merge/many)
                            * 9ed727064b675b7180c98cb3d4f75efba6966681
                            * 6a747c837c50114dfa413994e07c0ba477be4534
                          * Negative length (XML_Parse); commit
         [MOX-002]          70db8d2538a10f4c022655d6895e4c3e78692e7f
         [MOX-001] #35  Change hash algorithm to William Ahern's version of SipHash
                          to go further with fixing CVE-2012-0876.
                          https://github.com/libexpat/libexpat/pull/39/commits
      
              Bug fixes:
                   #32  Fix sharing of hash salt across parsers;
                          relevant where XML_ExternalEntityParserCreate is called
                          prior to XML_Parse, in particular (e.g. FBReader)
                   #28  xmlwf: Auto-disable use of memory-mapping (and parsing
                          as a single chunk) for files larger than ~1 GB (2^30 bytes)
                          rather than failing with error "out of memory"
                    #3  Fix double free after malloc failure in DTD code; commit
                          7ae9c3d3af433cd4defe95234eae7dc8ed15637f
                   #17  Fix memory leak on parser error for unbound XML attribute
                          prefix with new namespaces defined in the same tag;
                          found by Google's OSS-Fuzz; commits
                          * 16f87daae5a16132e479e4f71862128c7a915c73
                          * b47dbc9745932c160893d433220e462bd605f8cd
                        xmlwf on Windows: Add missing calls to CloseHandle
      
              New features:
                   #30  Introduced environment switch EXPAT_ENTROPY_DEBUG=1
                          for runtime debugging of entropy extraction
      
              Other changes:
                        Increase code coverage
                   #33  Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2;
                          XML_UNICODE_WCHAR_T was never meant to be used outside
                          of Windows; 4-byte wchar_t is common on Linux
         (SF.net) #538  Start using -fno-strict-aliasing
         (SF.net) #540  Support compilation against cloudlibc of CloudABI
                        Allow MinGW cross-compilation
         (SF.net) #534  CMake: Introduce option "BUILD_doc" (enabled by default)
                          to bypass compilation of the xmlwf.1 man page
         (SF.net)  pr2  CMake: Introduce option "INSTALL" (enabled by default)
                          to bypass installation of expat files
                        CMake: Fix ninja support
                        Autotools: Add parameters --enable-xml-context [COUNT]
                          and --disable-xml-context; default of context of 1024
                          bytes enabled unchanged
                   #14  Drop AmigaOS 4.x code and includes
                   #14  Drop ancient build systems:
                          * Borland C++ Builder
                          * OpenVMS
                          * Open Watcom
                          * Visual Studio 6.0
                          * Pre-X Mac OS (MPW Makefile)
                          If you happen to rely on some of these, please get in
                          touch for joining with maintenance.
                   #10  Move from WIN32 to _WIN32
                   #13  Fix "make run-xmltest" order instability
                        Address compile warnings
                        Bump version info from 7:2:6 to 7:3:6
                        Add AUTHORS file
      
              Infrastructure:
                    #1  Migrate from SourceForge to GitHub (except downloads):
                          https://github.com/libexpat/
                    #1  Re-create http://libexpat.org/ project website
                        Start utilizing Travis CI
      
              Special thanks to:
                  Andy Wang
                  Don Lewis
                  Ed Schouten
                  Karl Waclawek
                  Pascal Cuoq
                  Rhodri James
                  Sergei Nikulov
                  Tobias Taschner
                  Viktor Szakats
                       and
                  Core Infrastructure Initiative
                  Mozilla Foundation (MOSS Track 3: Secure Open Source)
                  Radically Open Security
      
      Bug: N/A
      Test: cts-tradefed run cts -m CtsLibcoreTestCases -t libcore.xml.ExpatSaxParserTest
      Change-Id: Ide6a7b30ed05cbd712cc88350381e9dbbc5d79ad
      7247294f
  2. Feb 27, 2017
    • Paul Duffin's avatar
      Upgrade to expat 2.2.0 · ba34a0c0
      Paul Duffin authored
      The version of 2.2.0 from upstream. This will not yet compile on
      Android. Following changes will fix issues that prevent
      compilation.
      
      Bug: 30157673
      Test: cannot test as does not yet compile
      Change-Id: I50a7fc074cff17367177cc733ab1e7286f4b63d6
      ba34a0c0
  3. Mar 04, 2009
  4. Oct 21, 2008
  5. Jan 12, 1970