changes:
-security patches which we already had in pkgsrc are integrated
-Use more entropy for hash initialization than the original fix
to CVE-2012-0876
-Resolve troublesome internal call to srand that was introduced
with Expat 2.1.0 when addressing CVE-2012-0876
on malformed input (CVE-2016-0718)
Description: The Expat XML parser mishandles certain kinds of malformed
input documents, resulting in buffer overflows during processing and error
reporting. The overflows can manifest as a segmentation fault or as memory
corruption during a parse operation. The bugs allow for a denial of service
attack in many applications by an unauthenticated attacker, and could
conceivably result in remote code execution.
bump PKGREV
also add an improvement to the fix for CVE-2015-1283 which was part
of the 2.1.1 release -- don't rely on defined behaviour on overflows
of signed integer operations, from upstream git:
f0bec73b01/
pkgsrc change: add a hint how to run the pkg's selftest (not enabled
permanently because this would add a dependency on C++)
Changelog:
Release 2.1.1 Sat March 12 2016
Security fixes:
#582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer
Bug fixes:
#502: Fix potential null pointer dereference
#520: Symbol XML_SetHashSalt was not exported
Output of "xmlwf -h" was incomplete
Other changes
#503: Document behavior of calling XML_SetHashSalt with salt 0
Minor improvements to man page xmlwf(1)
Improvements to the experimental CMake build system
libtool now invoked with --verbose
Problems found locating distfiles:
Package cabocha: missing distfile cabocha-0.68.tar.bz2
Package convertlit: missing distfile clit18src.zip
Package php-enchant: missing distfile php-enchant/enchant-1.1.0.tgz
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
Release 2.1.0 Sat March 24 2012
- Bug Fixes:
#1742315: Harmful XML_ParserCreateNS suggestion.
#2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
#1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
#1983953, 2517952, 2517962, 2649838:
Build modifications using autoreconf instead of buildconf.sh.
#2815947, #2884086: OBJEXT and EXEEXT support while building.
#1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
#2517938: xmlwf should return non-zero exit status if not well-formed.
#2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
#2855609: Dangling positionPtr after error.
#2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
#2958794: CVE-2012-1148 - Memory leak in poolGrow.
#2990652: CMake support.
#3010819: UNEXPECTED_STATE with a trailing "%" in entity value.
#3206497: Unitialized memory returned from XML_Parse.
#3287849: make check fails on mingw-w64.
#3496608: CVE-2012-0876 - Hash DOS attack.
- Patches:
#1749198: pkg-config support.
#3010222: Fix for bug #3010819.
#3312568: CMake support.
#3446384: Report byte offsets for attr names and values.
- New Features / API changes:
Added new API member XML_SetHashSalt() that allows setting an intial
value (salt) for hash calculations. This is part of the fix for
bug #3496608 to randomize hash parameters.
When compiled with XML_ATTR_INFO defined, adds new API member
XML_GetAttributeInfo() that allows retrieving the byte
offsets for attribute names and values (patch #3446384).
Added CMake build system.
See bug #2990652 and patch #3312568.
Added run-benchmark target to Makefile.in - relies on testdata module
present in the same relative location as in the repository.
Release 2.0.1 Tue June 5 2007
- Fixed bugs #1515266, 1515600: The character data handler's calling
of XML_StopParser() was not handled properly; if the parser was
stopped and the handler set to NULL, the parser would segfault.
- Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed
some character constants to be ASCII encoded.
- Minor cleanups of the test harness.
- Fixed xmlwf bug #1513566: "out of memory" error on file size zero.
- Fixed outline.c bug #1543233: missing a final XML_ParserFree() call.
- Fixes and improvements for Windows platform:
bugs #1409451, #1476160, 1548182, 1602769, 1717322.
- Build fixes for various platforms:
HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180.
All Unix: #1554618 (refreshed config.sub/config.guess).
#1490371, #1613457: support both, DESTDIR and INSTALL_ROOT,
without relying on GNU-Make specific features.
#1647805: Patched configure.in to work better with Intel compiler.
- Fixes to Makefile.in to have make check work correctly:
bugs #1408143, #1535603, #1536684.
- Added Open Watcom support: patch #1523242.
Release 2.0.0 Wed Jan 11 2006
- We no longer use the "check" library for C unit testing; we
always use the (partial) internal implementation of the API.
- Report XML_NS setting via XML_GetFeatureList().
- Fixed headers for use from C++.
- XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber()
now return unsigned integers.
- Added XML_LARGE_SIZE switch to enable 64-bit integers for
byte indexes and line/column numbers.
- Updated to use libtool 1.5.22 (the most recent).
- Added support for AmigaOS.
- Some mostly minor bug fixes. SF issues include: 1006708,
1021776, 1023646, 1114960, 1156398, 1221160, 1271642.
Release 1.95.8 Fri Jul 23 2004
- Major new feature: suspend/resume. Handlers can now request
that a parse be suspended for later resumption or aborted
altogether. See "Temporarily Stopping Parsing" in the
documentation for more details.
- Some mostly minor bug fixes, but compilation should no
longer generate warnings on most platforms. SF issues
include: 827319, 840173, 846309, 888329, 896188, 923913,
928113, 961698, 985192.
should be declared/defined before they are used. This should fix errors
of the form:
.../expat.h:657: use of enum `XML_Status' without previous declaration
.../expat.h:736: multiple definition of `enum XML_Status'
changes:
Added XML_UseForeignDTD() for improved SAX2 support.
Added XML_GetFeatureList().
Defined XML_Bool type and the values XML_TRUE and XML_FALSE.
Use an incomplete struct instead of a void* for the parser.
Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected.
Finally fixed bug where default handler would report DTD events that were
already handled by another handler. Initial patch
contributed by Darryl Miller.
Reduced line-length for all source code and headers to be no longer than 80
characters, to help with AS/400 support.
Reduced memory copying during parsing (SF patch #600964).
Fixed a variety of bugs.
buildlink2.mk files back into the main trunk. This provides sufficient
buildlink2 infrastructure to start merging other packages from the
buildlink2 branch that have already been converted to use the buildlink2
framework.
changes since 1.95.2:
-Added the XML_ParserReset() API function
-Allow xmlwf to read from standard input
-Install a man page for xmlwf on Unix systems
-bugfixes
-unrelated portability enhancements
changes:
- Added compile-time constants that can be used to determine the
Expat version
- Removed a lot of GNU-specific dependencies to aide portability
among the various Unix flavors.
- Fix the UTF-8 BOM bug.
- Cleaned up warning messages for several compilers.
- Added the -Wall, -Wstrict-prototypes options for GCC.
