From 289e1448b22757ab091a7a1d3ea2805a60bc7dcd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Wed, 11 Sep 2024 13:36:58 +0200 Subject: [PATCH] Sync from SUSE:ALP:Source:Standard:1.0 expat revision ffb0a931b05a3cd4a2ea2cd3aa574cef --- .gitattributes | 23 + baselibs.conf | 7 + expat-2.5.0.tar.xz | 3 + expat-2.5.0.tar.xz.asc | 16 + expat-CVE-2024-28757.patch | 319 +++++++++++ expat-CVE-2024-45490.patch | 60 ++ expat-CVE-2024-45491.patch | 31 + expat-CVE-2024-45492.patch | 30 + expat-fix-minicheck.patch | 57 ++ expat.changes | 1093 ++++++++++++++++++++++++++++++++++++ expat.keyring | 245 ++++++++ expat.spec | 134 +++++ expatfaq.html | 100 ++++ 13 files changed, 2118 insertions(+) create mode 100644 .gitattributes create mode 100644 baselibs.conf create mode 100644 expat-2.5.0.tar.xz create mode 100644 expat-2.5.0.tar.xz.asc create mode 100644 expat-CVE-2024-28757.patch create mode 100644 expat-CVE-2024-45490.patch create mode 100644 expat-CVE-2024-45491.patch create mode 100644 expat-CVE-2024-45492.patch create mode 100644 expat-fix-minicheck.patch create mode 100644 expat.changes create mode 100644 expat.keyring create mode 100644 expat.spec create mode 100644 expatfaq.html diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..fecc750 --- /dev/null +++ b/.gitattributes 
@@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/baselibs.conf b/baselibs.conf new file mode 100644 index 0000000..184fa37 --- /dev/null +++ b/baselibs.conf @@ -0,0 +1,7 @@ +expat +libexpat1 + obsoletes "expat-" + provides "expat-" +libexpat-devel + requires -libexpat- + requires "libexpat1- = " diff --git a/expat-2.5.0.tar.xz b/expat-2.5.0.tar.xz new file mode 100644 index 0000000..2fcf9ef --- /dev/null +++ b/expat-2.5.0.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ef2420f0232c087801abf705e89ae65f6257df6b7931d37846a193ef2e8cdcbe +size 460560 diff --git a/expat-2.5.0.tar.xz.asc b/expat-2.5.0.tar.xz.asc new file mode 100644 index 0000000..be79cb2 --- /dev/null +++ b/expat-2.5.0.tar.xz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEy43nCpDPv2w79cxWliYqz/vTrsYFAmNYAlAACgkQliYqz/vT +rsYnzw/+Nn8rFvElM2th9ex3Yt6UkNtx/hZWITig7URH7wHtShHA957xMcJiby4R +/RoKbtcb3+RNeOtDMycT4wFy2p/tmuJ3mPL0ewFkKkfw1Uk489AbYukzSbg/YmNZ +3+r6DFAd+kJOpe+6m4Nhxg2iohVQoXjQPBK02njkuKN66thrFGxnQDfi62qAbIm+ +7Ac+McmOypDuG1H+E2eeRIMwgGyU2yiCvqtleKfRaF596wdfbv/gIFcETKI7wMnV +ExAhZSVDgiojGqwhW7vZOvrwmuDsZOazVSMyasntJazCynWLZ5hAkRtpNvsvIR3i +cUd904PPjrr5VFQmDQxI4HieeloI5aipl7y4wR+g7WE1JjKs4ScVA8llIsLvZie/ +fZh+Fz/TS4B8hJpnkRGXc7IpovXyFDb+C0WkBxy77OvdEu7QgXaIh1+AT10FkQsF +HbJT3vHk71D3D5JlUv9DPL8YZ3gFTQF7LwpvfJVDUiYe3hn+f4u4XAt6F3zVnXok +NEs8fflALfgtIC46nPbhcrxQdO/CyWGIWhisDwoB6FHloZc8EWuWidg7SOdApK1W +s2ycdH7XLEBXCriIpKWHS9ebkWyPQHe/Ezi2pv0ieZU1TVtV6nVv5YlH2QHBoZJK +VPlgb5u2zVp9y/bthnZPgRId53kdnZCXezKLQ+wc27Taojpnzws= +=UAN0 +-----END PGP SIGNATURE----- diff --git a/expat-CVE-2024-28757.patch b/expat-CVE-2024-28757.patch new file mode 100644 index 0000000..48050c2 --- /dev/null +++ b/expat-CVE-2024-28757.patch 
@@ -0,0 +1,319 @@ +From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 4 Mar 2024 23:49:06 +0100 +Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with + isolated external parser + +When parsing DTD content with code like .. + + XML_Parser parser = XML_ParserCreate(NULL); + XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); + enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE); + +.. there are 0 bytes accounted as direct input and all input from `doc` accounted +as indirect input. Now function accountingGetCurrentAmplification cannot calculate +the current amplification ratio as "(direct + indirect) / direct", and it did refuse +to divide by 0 as one would expect, but it returned 1.0 for this case to indicate +no amplification over direct input. As a result, billion laughs attacks from +DTD-only input were not detected with this isolated way of using an external parser. + +The new approach is to assume direct input of length not 0 but 22 -- derived from +ghost input "", the shortest possible way to include an external +DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22". + +GitHub issue #839 has more details on this issue and its origin in ClusterFuzz +finding 66812. +--- + +From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 4 Mar 2024 23:49:06 +0100 +Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with + isolated external parser + +When parsing DTD content with code like .. + + XML_Parser parser = XML_ParserCreate(NULL); + XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); + enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE); + +.. there are 0 bytes accounted as direct input and all input from `doc` accounted +as indirect input. 
Now function accountingGetCurrentAmplification cannot calculate +the current amplification ratio as "(direct + indirect) / direct", and it did refuse +to divide by 0 as one would expect, but it returned 1.0 for this case to indicate +no amplification over direct input. As a result, billion laughs attacks from +DTD-only input were not detected with this isolated way of using an external parser. + +The new approach is to assume direct input of length not 0 but 22 -- derived from +ghost input "", the shortest possible way to include an external +DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22". + +GitHub issue #839 has more details on this issue and its origin in ClusterFuzz +finding 66812. +--- + +From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 4 Mar 2024 23:49:06 +0100 +Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with + isolated external parser + +When parsing DTD content with code like .. + + XML_Parser parser = XML_ParserCreate(NULL); + XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); + enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE); + +.. there are 0 bytes accounted as direct input and all input from `doc` accounted +as indirect input. Now function accountingGetCurrentAmplification cannot calculate +the current amplification ratio as "(direct + indirect) / direct", and it did refuse +to divide by 0 as one would expect, but it returned 1.0 for this case to indicate +no amplification over direct input. As a result, billion laughs attacks from +DTD-only input were not detected with this isolated way of using an external parser. + +The new approach is to assume direct input of length not 0 but 22 -- derived from +ghost input "", the shortest possible way to include an external +DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22". 
+ +GitHub issue #839 has more details on this issue and its origin in ClusterFuzz +finding 66812. +--- + +From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 4 Mar 2024 23:49:06 +0100 +Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with + isolated external parser + +When parsing DTD content with code like .. + + XML_Parser parser = XML_ParserCreate(NULL); + XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); + enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE); + +.. there are 0 bytes accounted as direct input and all input from `doc` accounted +as indirect input. Now function accountingGetCurrentAmplification cannot calculate +the current amplification ratio as "(direct + indirect) / direct", and it did refuse +to divide by 0 as one would expect, but it returned 1.0 for this case to indicate +no amplification over direct input. As a result, billion laughs attacks from +DTD-only input were not detected with this isolated way of using an external parser. + +The new approach is to assume direct input of length not 0 but 22 -- derived from +ghost input "", the shortest possible way to include an external +DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22". + +GitHub issue #839 has more details on this issue and its origin in ClusterFuzz +finding 66812. +--- + +From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 4 Mar 2024 23:49:06 +0100 +Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with + isolated external parser + +When parsing DTD content with code like .. + + XML_Parser parser = XML_ParserCreate(NULL); + XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); + enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE); + +.. 
there are 0 bytes accounted as direct input and all input from `doc` accounted +as indirect input. Now function accountingGetCurrentAmplification cannot calculate +the current amplification ratio as "(direct + indirect) / direct", and it did refuse +to divide by 0 as one would expect, but it returned 1.0 for this case to indicate +no amplification over direct input. As a result, billion laughs attacks from +DTD-only input were not detected with this isolated way of using an external parser. + +The new approach is to assume direct input of length not 0 but 22 -- derived from +ghost input "", the shortest possible way to include an external +DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22". + +GitHub issue #839 has more details on this issue and its origin in ClusterFuzz +finding 66812. +--- + +From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 4 Mar 2024 23:49:06 +0100 +Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with + isolated external parser + +When parsing DTD content with code like .. + + XML_Parser parser = XML_ParserCreate(NULL); + XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); + enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE); + +.. there are 0 bytes accounted as direct input and all input from `doc` accounted +as indirect input. Now function accountingGetCurrentAmplification cannot calculate +the current amplification ratio as "(direct + indirect) / direct", and it did refuse +to divide by 0 as one would expect, but it returned 1.0 for this case to indicate +no amplification over direct input. As a result, billion laughs attacks from +DTD-only input were not detected with this isolated way of using an external parser. 
+ +The new approach is to assume direct input of length not 0 but 22 -- derived from +ghost input "", the shortest possible way to include an external +DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22". + +GitHub issue #839 has more details on this issue and its origin in ClusterFuzz +finding 66812. +--- + +From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 4 Mar 2024 23:49:06 +0100 +Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with + isolated external parser + +When parsing DTD content with code like .. + + XML_Parser parser = XML_ParserCreate(NULL); + XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); + enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE); + +.. there are 0 bytes accounted as direct input and all input from `doc` accounted +as indirect input. Now function accountingGetCurrentAmplification cannot calculate +the current amplification ratio as "(direct + indirect) / direct", and it did refuse +to divide by 0 as one would expect, but it returned 1.0 for this case to indicate +no amplification over direct input. As a result, billion laughs attacks from +DTD-only input were not detected with this isolated way of using an external parser. + +The new approach is to assume direct input of length not 0 but 22 -- derived from +ghost input "", the shortest possible way to include an external +DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22". + +GitHub issue #839 has more details on this issue and its origin in ClusterFuzz +finding 66812. +--- + +From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 4 Mar 2024 23:49:06 +0100 +Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with + isolated external parser + +When parsing DTD content with code like .. 
+ + XML_Parser parser = XML_ParserCreate(NULL); + XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); + enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE); + +.. there are 0 bytes accounted as direct input and all input from `doc` accounted +as indirect input. Now function accountingGetCurrentAmplification cannot calculate +the current amplification ratio as "(direct + indirect) / direct", and it did refuse +to divide by 0 as one would expect, but it returned 1.0 for this case to indicate +no amplification over direct input. As a result, billion laughs attacks from +DTD-only input were not detected with this isolated way of using an external parser. + +The new approach is to assume direct input of length not 0 but 22 -- derived from +ghost input "", the shortest possible way to include an external +DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22". + +GitHub issue #839 has more details on this issue and its origin in ClusterFuzz +finding 66812. +--- + expat/lib/xmlparse.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +Index: expat-2.5.0/lib/xmlparse.c +=================================================================== +--- expat-2.5.0.orig/lib/xmlparse.c ++++ expat-2.5.0/lib/xmlparse.c +@@ -7655,6 +7655,8 @@ copyString(const XML_Char *s, const XML_ + + static float + accountingGetCurrentAmplification(XML_Parser rootParser) { ++ // 1.........1.........12 => 22 ++ const size_t lenOfShortestInclude = sizeof("") - 1; + const XmlBigCount countBytesOutput + = rootParser->m_accounting.countBytesDirect + + rootParser->m_accounting.countBytesIndirect; +@@ -7662,7 +7664,9 @@ accountingGetCurrentAmplification(XML_Pa + = rootParser->m_accounting.countBytesDirect + ? (countBytesOutput + / (float)(rootParser->m_accounting.countBytesDirect)) +- : 1.0f; ++ : ((lenOfShortestInclude ++ + rootParser->m_accounting.countBytesIndirect) ++ / (float)lenOfShortestInclude); + assert(! 
rootParser->m_parentParser); + return amplificationFactor; + } +Index: expat-2.5.0/tests/runtests.c +=================================================================== +--- expat-2.5.0.orig/tests/runtests.c ++++ expat-2.5.0/tests/runtests.c +@@ -12092,6 +12092,63 @@ START_TEST(test_helper_unsigned_char_to_ + fail("unsignedCharToPrintable result mistaken"); + } + END_TEST ++ ++START_TEST(test_amplification_isolated_external_parser) { ++ // NOTE: Length 44 is precisely twice the length of "" ++ // (22) that is used in function accountingGetCurrentAmplification in ++ // xmlparse.c. ++ // 1.........1.........1.........1.........1..4 => 44 ++ const char doc[] = ""; ++ const int docLen = (int)sizeof(doc) - 1; ++ const float maximumToleratedAmplification = 2.0f; ++ ++ struct TestCase { ++ int offsetOfThreshold; ++ enum XML_Status expectedStatus; ++ }; ++ ++ struct TestCase cases[] = { ++ {-2, XML_STATUS_ERROR}, {-1, XML_STATUS_ERROR}, {0, XML_STATUS_ERROR}, ++ {+1, XML_STATUS_OK}, {+2, XML_STATUS_OK}, ++ }; ++ ++ for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) { ++ const int offsetOfThreshold = cases[i].offsetOfThreshold; ++ const enum XML_Status expectedStatus = cases[i].expectedStatus; ++ const unsigned long long activationThresholdBytes ++ = docLen + offsetOfThreshold; ++ ++ // set_subtest("offsetOfThreshold=%d, expectedStatus=%d", offsetOfThreshold, ++ // expectedStatus); ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ assert_true(parser != NULL); ++ ++ assert_true(XML_SetBillionLaughsAttackProtectionMaximumAmplification( ++ parser, maximumToleratedAmplification) ++ == XML_TRUE); ++ assert_true(XML_SetBillionLaughsAttackProtectionActivationThreshold( ++ parser, activationThresholdBytes) ++ == XML_TRUE); ++ ++ XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); ++ assert_true(ext_parser != NULL); ++ ++ const enum XML_Status actualStatus ++ = _XML_Parse_SINGLE_BYTES(ext_parser, doc, docLen, XML_TRUE); ++ ++ 
assert_true(actualStatus == expectedStatus); ++ if (actualStatus != XML_STATUS_OK) { ++ assert_true(XML_GetErrorCode(ext_parser) ++ == XML_ERROR_AMPLIFICATION_LIMIT_BREACH); ++ } ++ ++ XML_ParserFree(ext_parser); ++ XML_ParserFree(parser); ++ } ++} ++END_TEST ++ + #endif // defined(XML_DTD) + + static Suite * +@@ -12485,6 +12542,8 @@ make_suite(void) { + tcase_add_test(tc_accounting, test_accounting_precision); + tcase_add_test(tc_accounting, test_billion_laughs_attack_protection_api); + tcase_add_test(tc_accounting, test_helper_unsigned_char_to_printable); ++ tcase_add_test__ifdef_xml_dtd(tc_accounting, ++ test_amplification_isolated_external_parser); + #endif + + return s; diff --git a/expat-CVE-2024-45490.patch b/expat-CVE-2024-45490.patch new file mode 100644 index 0000000..3976840 --- /dev/null +++ b/expat-CVE-2024-45490.patch 
@@ -0,0 +1,60 @@ +From 5c1a31642e243f4870c0bd1f2afc7597976521bf Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 19 Aug 2024 22:26:07 +0200 +Subject: [PATCH 1/3] lib: Reject negative len for XML_ParseBuffer + +Reported by TaiYou +--- + expat/lib/xmlparse.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +Index: expat-2.5.0/lib/xmlparse.c +=================================================================== +--- expat-2.5.0.orig/lib/xmlparse.c ++++ expat-2.5.0/lib/xmlparse.c +@@ -1985,6 +1985,12 @@ XML_ParseBuffer(XML_Parser parser, int l + + if (parser == NULL) + return XML_STATUS_ERROR; ++ ++ if (len < 0) { ++ parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT; ++ return XML_STATUS_ERROR; ++ } ++ + switch (parser->m_parsingStatus.parsing) { + case XML_SUSPENDED: + parser->m_errorCode = XML_ERROR_SUSPENDED; +Index: expat-2.5.0/doc/reference.html +=================================================================== +--- expat-2.5.0.orig/doc/reference.html ++++ expat-2.5.0/doc/reference.html +@@ -1097,7 +1097,9 @@ containing part (or perhaps all) of the + that are part of the document is indicated by len. This means + that s doesn't have to be null terminated. It also means that + if len is larger than the number of bytes in the block of +-memory that s points at, then a memory fault is likely. The ++memory that s points at, then a memory fault is likely. ++Negative values for len are rejected since Expat 2.2.1. ++The + isFinal parameter informs the parser that this is the last + piece of the document. Frequently, the last piece is empty (i.e. + len is zero.) +@@ -1113,11 +1115,17 @@ XML_ParseBuffer(XML_Parser p, + int isFinal); + +
++

+ This is just like XML_Parse, + except in this case Expat provides the buffer. By obtaining the + buffer from Expat with the XML_GetBuffer function, the application can avoid double + copying of the input. ++

++ ++

++Negative values for len are rejected since Expat 2.6.3. ++

+
+ +

XML_GetBuffer
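Review bot: In the doc/reference.html hunks of expat-CVE-2024-45490.patch, the sentence added for XML_ParseBuffer says negative len is rejected "since Expat 2.6.3", yet this same patch adds the `if (len < 0)` check to expat-2.5.0/lib/xmlparse.c, so the documentation shipped with this 2.5.0 package states a version that does not match the build it describes. Consider marking the behaviour as backported (next to the sentence or in expat.changes) so callers do not gate on the version number. Two smaller points on the same patch: its diffstat lists only expat/lib/xmlparse.c with 6 insertions although doc/reference.html is changed as well, and no test exercises the new branch; a case asserting XML_STATUS_ERROR with XML_ERROR_INVALID_ARGUMENT for a negative len would pin it down.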

diff --git a/expat-CVE-2024-45491.patch b/expat-CVE-2024-45491.patch new file mode 100644 index 0000000..c58baf2 --- /dev/null +++ b/expat-CVE-2024-45491.patch @@ -0,0 +1,31 @@ +From 8e439a9947e9dc80a395c0c7456545d8d9d9e421 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 19 Aug 2024 22:34:13 +0200 +Subject: [PATCH] lib: Detect integer overflow in dtdCopy + +Reported by TaiYou +--- + expat/lib/xmlparse.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 91682c188..e2327bdcf 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -7016,6 +7016,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, + if (! newE) + return 0; + if (oldE->nDefaultAtts) { ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if ((size_t)oldE->nDefaultAtts ++ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) { ++ return 0; ++ } ++#endif + newE->defaultAtts + = ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE)); + if (! newE->defaultAtts) { diff --git a/expat-CVE-2024-45492.patch b/expat-CVE-2024-45492.patch new file mode 100644 index 0000000..7161bdb --- /dev/null +++ b/expat-CVE-2024-45492.patch 
@@ -0,0 +1,30 @@ +From 9bf0f2c16ee86f644dd1432507edff94c08dc232 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 19 Aug 2024 22:37:16 +0200 +Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart + +Reported by TaiYou +--- + expat/lib/xmlparse.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index 91682c188..f737575ea 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -7558,6 +7558,15 @@ nextScaffoldPart(XML_Parser parser) { + int next; + + if (! dtd->scaffIndex) { ++ /* Detect and prevent integer overflow. ++ * The preprocessor guard addresses the "always false" warning ++ * from -Wtype-limits on platforms where ++ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ ++#if UINT_MAX >= SIZE_MAX ++ if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) { ++ return -1; ++ } ++#endif + dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int)); + if (! dtd->scaffIndex) + return -1; diff --git a/expat-fix-minicheck.patch b/expat-fix-minicheck.patch new file mode 100644 index 0000000..05666dc --- /dev/null +++ b/expat-fix-minicheck.patch 
@@ -0,0 +1,57 @@ +Index: expat-2.5.0/tests/minicheck.h +=================================================================== +--- expat-2.5.0.orig/tests/minicheck.h ++++ expat-2.5.0/tests/minicheck.h +@@ -64,7 +64,13 @@ extern "C" { + } \ + } + +-#define fail(msg) _fail_unless(0, __FILE__, __LINE__, msg) ++#define fail(msg) _fail(__FILE__, __LINE__, msg) ++#define assert_true(cond) \ ++ do { \ ++ if (! (cond)) { \ ++ _fail(__FILE__, __LINE__, "check failed: " #cond); \ ++ } \ ++ } while (0) + + typedef void (*tcase_setup_function)(void); + typedef void (*tcase_teardown_function)(void); +@@ -104,6 +110,10 @@ void _check_set_test_info(char const *fu + */ + + void _fail_unless(int condition, const char *file, int line, const char *msg); ++# if defined(__GNUC__) ++__attribute__((noreturn)) ++# endif ++void _fail(const char *file, int line, const char *msg); + Suite *suite_create(const char *name); + TCase *tcase_create(const char *name); + void suite_add_tcase(Suite *suite, TCase *tc); +Index: expat-2.5.0/tests/minicheck.c +=================================================================== +--- expat-2.5.0.orig/tests/minicheck.c ++++ expat-2.5.0/tests/minicheck.c +@@ -224,6 +224,22 @@ _fail_unless(int condition, const char * + longjmp(env, 1); + } + ++void ++_fail(const char *file, int line, const char *msg) { ++ /* Always print the error message so it isn't lost. In this case, ++ we have a failure, so there's no reason to be quiet about what ++ it is. ++ */ ++ _check_current_filename = file; ++ _check_current_lineno = line; ++ if (msg != NULL) { ++ const int has_newline = (msg[strlen(msg) - 1] == '\n'); ++ fprintf(stderr, "ERROR: %s%s", msg, has_newline ? "" : "\n"); ++ } ++ longjmp(env, 1); ++} ++ ++ + int + srunner_ntests_failed(SRunner *runner) { + assert(runner != NULL); diff --git a/expat.changes b/expat.changes new file mode 100644 index 0000000..860832d --- /dev/null +++ b/expat.changes 
@@ -0,0 +1,1093 @@ +------------------------------------------------------------------- +Tue Sep 3 11:54:56 UTC 2024 - David Anes + +- Security fix (bsc#1229932, CVE-2024-45492): detect integer + overflow in function nextScaffoldPart + * Added expat-CVE-2024-45492.patch + +- Security fix (bsc#1229931, CVE-2024-45491): detect integer + overflow in dtdCopy + * Added expat-CVE-2024-45491.patch + +- Security fix (bsc#1229930, CVE-2024-45490): reject negative + len for XML_ParseBuffer + * Added expat-CVE-2024-45490.patch + +------------------------------------------------------------------- +Mon Mar 18 06:39:02 UTC 2024 - David Anes + +- Security fix (boo#1221289, CVE-2024-28757): XML Entity Expansion +attack when there is isolated use of external parsers. + * Added expat-CVE-2024-28757.patch + * Added expat-fix-minicheck.patch + +------------------------------------------------------------------- +Sun Dec 11 20:35:38 UTC 2022 - Andreas Stieger + +- add upstream signing key and validate source signature + +------------------------------------------------------------------- +Wed Oct 26 06:19:38 UTC 2022 - David Anes + +- Update to 2.5.0: (bsc#1204708) + * Security fixes: + - CVE-2022-43680 -- Fix heap use-after-free after overeager + destruction of a shared DTD in function + XML_ExternalEntityParserCreate in out-of-memory situations. + Expected impact is denial of service or potentially arbitrary + code execution. 
+ * Bug fixes: + - Fix curruption from undefined entities + - Fix case when parsing was suspended while processing nested + entities + - Stop leaking opening tag bindings after a closing tag mismatch + error where a parser is reset through XML_ParserReset and then + reused to parse + - CMake: Fix generation of pkg-config file + - MinGW|CMake: Fix static library name + * Other changes: + - Protect header expat_config.h from multiple inclusion + - examples: Make use of XML_GetBuffer and be more consistent + across examples + - Address compiler warnings + - Version info bumped from 9:9:8 to 9:10:8; see + https://verbump.de/ for what these numbers do + +------------------------------------------------------------------- +Tue Sep 20 15:54:12 UTC 2022 - David Anes + +- update to 2.4.9: (bsc#1203438) + * Security fixes: + - CVE-2022-40674 -- Heap use-after-free vulnerability in + function doContent. Expected impact is denial of service + or potentially arbitrary code execution. + * Bug fixes: + - MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0 + - docs: Fix documentation on effect of switch XML_DTD on + symbol visibility in doc/reference.html + * Other changes: + - MinGW: Make fix-xmltest-log.sh drop more Wine bug output + - Autotools: Sync CMake templates with CMake 3.22 + - CMake: Migrate from use of CMAKE_*_POSTFIX to + dedicated variables EXPAT_*_POSTFIX to stop affecting + other projects + - Windows|CMake: Add missing -DXML_STATIC to test runners + and fuzzers + - Windows|CMake: Render .def file from a template to fix + linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON + - MinGW|CMake: Apply MSVC .def file when linking + - MinGW|CMake: Sync library name with GNU Autotools, + i.e. produce libexpat-1.dll rather than libexpat.dll + by default. Filename libexpat.dll.a is unaffected. + - MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in + toolchain file "cmake/mingw-toolchain.cmake" to avoid + error "windres: Command not found" on e.g. 
Ubuntu 20.04 + - CMake: Unify inconsistent use of set() and option() in + context of public build time options to take need for + set(.. FORCE) in projects using Expat by means of + add_subdirectory(..) off Expat's users' shoulders + - Stop exporting API symbols when building a static library + - Resolve use of deprecated "fgrep" by "grep -F" + - CMake: Make documentation on variables a bit more consistent + - CMake: Drop leading whitespace from a #cmakedefine line in + file expat_config.h.cmake + - xmlwf: Fix harmless variable mix-up in function nsattcmp + - Address Cppcheck warnings + - Address Clang 15 compiler warnings + - Version info bumped from 9:8:8 to 9:9:8; + see https://verbump.de/ for what these numbers do + * Infrastructure: + - CI: Windows: Start covering MSVC 2022 + - CI: macOS: Migrate off deprecated macOS 10.15 + - CI: Linux: Make migration off deprecated Ubuntu 18.04 work + - CI: Upgrade Clang from 14 to 15 + - apply-clang-format.sh: Add support for BSD find + - coverage.sh: Exclude MinGW headers + - coverage.sh: Fix name collision for -funsigned-char + +------------------------------------------------------------------- +Tue Mar 29 05:26:59 UTC 2022 - David Anes + +- update to 2.4.8: + * Other changes: + - pkg-config: Move "-lm" to section "Libs.private" + - CMake|MSVC: Fix pkg-config section "Libs" + - CMake|macOS: Start using linker arguments + "-compatibility_version " and + "-current_version " in a way compatible with GNU + Libtool + - Version info bumped from 9:7:8 to 9:8:8; + see https://verbump.de/ for what these numbers do + +------------------------------------------------------------------- +Sat Mar 5 06:34:13 UTC 2022 - David Anes + +- update to 2.4.7 (bsc#1196784, CVE-2022-25236): + * Bug fixes: + - Relax fix to CVE-2022-25236 (introduced with release 2.4.5) + with regard to all valid URI characters (RFC 3986), + i.e. 
the following set (excluding whitespace): + ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz + 0123456789 % -._~ :/?#[]@ !$&'()*+,;= + * Other changes: + - CMake|Windows: Store Expat version in the DLL + - Document consequences of namespace separator choices not just + in doc/reference.html but also in header + - Document Expat's lack of validation of namespace URIs against + RFC 3986, and that the XML 1.0r4 specification doesn't + require Expat to validate namespace URIs, and that Expat + may do more in that regard in future releases. + If you find need for strict RFC 3986 URI validation on + application level today, https://uriparser.github.io/ may + be of interest. + - Fix documentation of XML_EndDoctypeDeclHandler in + - Document that a call to XML_FreeContentModel can be done at + a later time from outside the element declaration handler + - Make hardcoded namespace URIs easier to find in code + - Update documentation on use of XML_POOR_ENTOPY on Solaris + - tests: Resolve use of macros NAN and INFINITY for GNU G++ + 4.8.2 on Solaris. + - Version info bumped from 9:6:8 to 9:7:8; + see https://verbump.de/ for what these numbers do + +------------------------------------------------------------------- +Sun Feb 20 19:48:53 UTC 2022 - David Anes + +- update to 2.4.6 (bsc#1196168, CVE-2022-25313): + * Bug fixes: + - Fix a regression introduced by the fix for CVE-2022-25313 + in release 2.4.5 that affects applications that (1) + call function XML_SetElementDeclHandler and (2) are + parsing XML that contains nested element declarations + (e.g. ""). + - Version info bumped from 9:5:8 to 9:6:8; + see https://verbump.de/ for what these numbers do. + +------------------------------------------------------------------- +Sat Feb 19 09:21:21 UTC 2022 - David Anes + +- update to 2.4.5 (bsc#1196171, bsc#1196169, bsc#1196168, + bsc#1196026, bsc#1196025): + * Security fixes: + - CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8 + sequences (e.g. 
from start tag names) to the XML + processing application on top of Expat can cause + arbitrary damage (e.g. code execution) depending + on how invalid UTF-8 is handled inside the XML + processor; validation was not their job but Expat's. + Exploits with code execution are known to exist. + - CVE-2022-25236 -- Passing (one or more) namespace separator + characters in "xmlns[:prefix]" attribute values + made Expat send malformed tag names to the XML + processor on top of Expat which can cause + arbitrary damage (e.g. code execution) depending + on such unexpectable cases are handled inside the XML + processor; validation was not their job but Expat's. + Exploits with code execution are known to exist. + - CVE-2022-25313 -- Fix stack exhaustion in doctype parsing + that could be triggered by e.g. a 2 megabytes + file with a large number of opening braces. + Expected impact is denial of service or potentially + arbitrary code execution. + - CVE-2022-25314 -- Fix integer overflow in function copyString; + only affects the encoding name parameter at parser creation + time which is often hardcoded (rather than user input), + takes a value in the gigabytes to trigger, and a 64-bit + machine. Expected impact is denial of service. + - CVE-2022-25315 -- Fix integer overflow in function storeRawNames; + needs input in the gigabytes and a 64-bit machine. + Expected impact is denial of service or potentially + arbitrary code execution. + * Other changes: + - Version info bumped from 9:4:8 to 9:5:8; + see https://verbump.de/ for what these numbers do + +------------------------------------------------------------------- +Mon Jan 31 06:13:13 UTC 2022 - David Anes + +- update to 2.4.4 (bsc#1195217, bsc#1195054): + * Security fixes: + - CVE-2022-23852 -- Fix signed integer overflow + (undefined behavior) in function XML_GetBuffer + that is also called by function XML_Parse internally) + for when XML_CONTEXT_BYTES is defined to >0 (which is both + common and default). 
+ Impact is denial of service or more. + - CVE-2022-23990 -- Fix unsigned integer overflow in function + doProlog triggered by large content in element type + declarations when there is an element declaration handler + present (from a prior call to XML_SetElementDeclHandler). + Impact is denial of service or more. + * Bug fixes: + - xmlwf: Fix a memory leak on output file opening error + * Other changes: + - Version info bumped from 9:3:8 to 9:4:8; + see https://verbump.de/ for what these numbers do + * Drop unused file valid-xhtml10.png + +------------------------------------------------------------------- +Mon Jan 17 09:14:10 UTC 2022 - Dirk Müller + +- update to 2.4.3 (bsc#1194251, bsc#1194362, bsc#1194474, + bsc#1194476, bsc#1194477, bsc#1194478, bsc#1194479, bsc#1194480): + * CVE-2021-45960 -- Fix issues with left shifts by >=29 places + resulting in + a) realloc acting as free + b) realloc allocating too few bytes + c) undefined behavior + depending on architecture and precise value + for XML documents with >=2^27+1 prefixed attributes + on a single XML tag a la + "" + where XML_ParserCreateNS is used to create the parser + (which needs argument "-n" when running xmlwf). + Impact is denial of service, or more. + * CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow + on variable m_groupSize in function doProlog leading + to realloc acting as free. + Impact is denial of service or more. + * CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows + near memory allocation at multiple places. Mitre assigned + a dedicated CVE for each involved internal C function: + - CVE-2022-22822 for function addBinding + - CVE-2022-22823 for function build_model + - CVE-2022-22824 for function defineAttribute + - CVE-2022-22825 for function lookup + - CVE-2022-22826 for function nextScaffoldPart + - CVE-2022-22827 for function storeAtts + Impact is denial of service or more. 
+ +------------------------------------------------------------------- +Mon Dec 27 16:02:14 UTC 2021 - Dirk Müller + +- update to 2.4.2: + * Link againgst libm for function "isnan" + * Include expat_config.h as early as possible + * Autotools: Include files with release archives: + - buildconf.sh + - fuzz/*.c + * Autotools: Sync CMake templates + * docs: Document that function XML_GetBuffer may return NULL + when asking for a buffer of 0 (zero) bytes size + * docs: Fix return value docs for both + XML_SetBillionLaughsAttackProtection* functions + * Version info bumped from 9:1:8 to 9:2:8 + +------------------------------------------------------------------- +Mon May 24 08:17:12 UTC 2021 - Pedro Monreal + +- Update to 2.4.1: + * Bug fixes: + - Autotools: Fix installed header expat_config.h for multilib + systems; regression introduced in 2.4.0 by pull request #486 + * Other changes: + - Version info bumped from 9:0:8 to 9:1:8; see + https://verbump.de/ for what these numbers do + +------------------------------------------------------------------- +Mon May 24 08:15:42 UTC 2021 - Pedro Monreal + +- Update to 2.4.0: [CVE-2013-0340 "Billion Laughs"] + * Security fixes: + - CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks + (denial-of-service; flavors targeting CPU time or RAM or both, + leveraging general entities or parameter entities or both) + by tracking and limiting the input amplification factor + ( := ( + ) / ). + By conservative default, amplification up to a factor of 100.0 + is tolerated and rejection only starts after 8 MiB of output bytes + (= + ) have been processed. + The fix adds the following to the API: + - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to + signals this specific condition. + - Two new API functions .. + - XML_SetBillionLaughsAttackProtectionMaximumAmplification and + - XML_SetBillionLaughsAttackProtectionActivationThreshold + .. to further tighten billion laughs protection parameters + when desired. 
Please see file "doc/reference.html" for details. + If you ever need to increase the defaults for non-attack XML + payload, please file a bug report with libexpat. + - Two new XML_FEATURE_* constants .. + - that can be queried using the XML_GetFeatureList function, and + - that are shown in "xmlwf -v" output. + - Two new environment variable switches .. + - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and + - EXPAT_ENTITY_DEBUG=(0|1) + .. for runtime debugging of accounting and entity processing. + Specific behavior of these values may change in the future. + - Two new command line arguments "-a FACTOR" and "-b BYTES" + for xmlwf to further tighten billion laughs protection + parameters when desired. + If you ever need to increase the defaults for non-attack XML + payload, please file a bug report with libexpat. + * Bug fixes: + - For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake) + or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault + for UTF-16 payloads containing CDATA sections. + - Autotools: Fix generated CMake files for non-64bit and + non-Linux platforms (e.g. 
macOS and MinGW in particular) + that were introduced with release 2.3.0 + * Other changes: + - xmlwf: Improve help output and the xmlwf man page + - xmlwf: Improve maintainability through some refactoring + - xmlwf: Fix man page DocBook validity + - CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR + and CMAKE_INSTALL_INCLUDEDIR + - CMake: Add support for standard variable BUILD_SHARED_LIBS + - Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters + - Resolve macro HAVE_EXPAT_CONFIG_H + - Delete unused legacy helper file "conftools/PrintPath" + - doc/reference.html: Fix XHTML validity + - doc/reference.html: Replace the 90s look by OK.css + - Version info bumped from 8:0:7 to 9:0:8 due to addition of + new symbols and error codes; see https://verbump.de/ for + what these numbers do + +------------------------------------------------------------------- +Tue Apr 13 06:04:38 UTC 2021 - Dominique Leuenberger + +- Do not BuildRequire cmake: expat is part of the distro bootstrap + cycle and any additional dependency makes the ring larger. In + this case here, cmake was even only used to own a directory. + +------------------------------------------------------------------- +Tue Apr 6 02:16:20 UTC 2021 - Dirk Müller + +- update to 2.3.0: + * When calling XML_ParseBuffer without a prior successful call to + XML_GetBuffer as a user, no longer trigger undefined behavior + (by adding an integer to a NULL pointer) but rather return + XML_STATUS_ERROR and set the error code to (new) code + XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer) + of Clang 11 (but not Clang 9). + * xmlwf: Exit status 2 was used for both: + - malformed input files (documented) and + - invalid command-line arguments (undocumented). + case of invalid command-line arguments now + has its own exit status 4, resolving the ambiguity. 
+ * Other changes + +------------------------------------------------------------------- +Sun Oct 4 19:19:55 UTC 2020 - Pedro Monreal + +- Update to 2.2.10: + * Bug fixes: + - Fix undefined behavior during parsing caused by pointer + arithmetic with NULL pointers + - Fix reading uninitialized variable during parsing + - xmlwf: Add missing check for malloc NULL return + * Other changes: + - xmlwf: Document exit codes in xmlwf manpage and exit with code 3 + (rather than code 1) for output errors when used with "-d DIRECTORY" + - Autotools: Use -Werror while configure tests the compiler for + supported compile flags to avoid false positives + - Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS, e.g. + ensure that they have the last word over flags added while + running ./configure + - CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis + on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t) + - CMake: Detect and deny unsupported build combinations + involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t) + - CMake: Install pre-compiled shipped xmlwf.1 manpage in case + of -DEXPAT_BUILD_DOCS=OFF + - CMake: Fix use of Expat by means of add_subdirectory + - CMake: Keep expat target name constant at "expat" (i.e. 
refrain + from using the target name to control build artifact filenames) + - CMake: Expose man page compilation as target "xmlwf-manpage" + - CMake: Introduce option EXPAT_BUILD_PKGCONFIG to control + generation of pkg-config file "expat.pc" + - CMake: Add minimalistic support for building binary packages + with CMake target "package"; based on CPack + - CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with default + OFF to build fuzzer code against OSS-Fuzz and related + environment variable LIB_FUZZING_ENGINE + - Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF + - Address compiler warnings + - Address pngcheck warnings with doc/*.png images: Version info + bumped from 7:11:6 to 7:12:6 + +------------------------------------------------------------------- +Fri Nov 29 18:30:43 UTC 2019 - Pedro Monreal Gonzalez + +- Version update to 2.2.9 + * Other changes: + - examples: Drop executable bits from elements.c + #349 Windows: Change the name of the Windows DLLs from expat*.dll + to libexpat*.dll once more (regression from 2.2.8, first + fixed in 1.95.3, issue #61 on SourceForge today, + was issue #432456 back then); needs a fix due + case-insensitive file systems on Windows and the fact that + Perl's XML::Parser::Expat compiles into Expat.dll. 
+ #347 Windows: Only define _CRT_RAND_S if not defined + Version info bumped from 7:10:6 to 7:11:6 + +------------------------------------------------------------------- +Mon Sep 16 08:21:52 UTC 2019 - Pedro Monreal Gonzalez + +- Version update to 2.2.8 + * Security fixes: (CVE-2019-15903, bsc#1149429) + - CVE-2019-15903 -- Fix heap overflow triggered by XML_GetCurrentLineNumber + (or XML_GetCurrentColumnNumber), and deny internal entities closing the doctype; + * Bug fixes: + - Fix cases where XML_StopParser did not have any effect + when called from inside of an end element handler + - xmlwf: Fix exit code for operation without "-d DIRECTORY"; + previously, only "-d DIRECTORY" would give you a proper exit code: + Now both cases return exit code 2. + * Other changes: + - examples: Improve elements.c + - Autotools: Add argument --enable-xml-attr-info + - Autotools: Add arguments --with-getrandom --without-getrandom --with-sys-getrandom --without-sys-getrandom + - Autotools: Fix linking issues with "./configure LD=clang" + - Autotools: Fix "make run-xmltest" for out-of-source builds + - CMake: Pull all options from Expat <=2.2.7 into namespace + - CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF), default OFF + - CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF), default OFF + - CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF), default OFF + - CMake: Add arguments -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO + - CMake: Add arguments -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO + - CMake: Install expat_config.h to include directory + - CMake: Generate and install configuration files for future find_package(expat [..] CONFIG [..]) + - CMake: Now produces a summary of applied configuration + - CMake: Require C++ compiler only when tests are enabled + - CMake: Fix compilation for 16bit character types, i.e. 
ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON) + - CMake: Port "make run-xmltest" from GNU Autotools to CMake + - CMake: Integrate OSS-Fuzz fuzzers, option -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF +- Removed patches fixed in the update: + * expat-CVE-2019-15903.patch + * expat-CVE-2019-15903-tests.patch + +------------------------------------------------------------------- +Wed Sep 4 17:11:38 UTC 2019 - Pedro Monreal Gonzalez + +- Security fix (CVE-2019-15903, bsc#1149429) + * Crafted XML input results in heap-based buffer over-read by fooling + the parser into changing from DTD parsing to document parsing + * Added patches: + - expat-CVE-2019-15903.patch + - expat-CVE-2019-15903-tests.patch + +------------------------------------------------------------------- +Tue Jul 2 10:33:51 UTC 2019 - Pedro Monreal Gonzalez + +- Version update to 2.2.7 (CVE-2018-20843, bsc#1139937) + * Security fixes: + - CVE-2018-20843 - Fix extraction of namespace prefixes from + XML names; XML names with multiple colons could end up in + the wrong namespace, and take a high amount of RAM and CPU + resources while processing, opening the door to use for + denial-of-service attacks + * Other changes: + - Autotools/CMake: Utilize -fvisibility=hidden to stop + exporting non-API symbols + - Autotools: Add --without-examples and --without-tests + - Autotools: Modernize configure.ac + - Autotools: Fix check for -fvisibility=hidden for Clang + - Autotools: Fix compilation for lack of docbook2x-man + - CMake: Make libdir of pkgconfig expat.pc support multilib + - CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR + - Remove fallback to bcopy, assume that memmove(3) exists +- Removed expat-2.2.6-fix-make-clean.patch + +------------------------------------------------------------------- +Thu Feb 7 10:45:14 UTC 2019 - Bernhard Wiedemann + +- Add expat-2.2.6-fix-make-clean.patch +- Allow profile guided optimization again + 
+------------------------------------------------------------------- +Thu Jan 3 13:08:57 UTC 2019 - Tomáš Chvátal + +- Drop docbook2x dependency, the manpages are generated in + the upstream archive and this way we break buildcycle + +------------------------------------------------------------------- +Tue Sep 11 11:32:10 UTC 2018 - pmonrealgonzalez@suse.com + +- Version update to 2.2.6 Sun August 12 2018 + * Bug fixes: + - Avoid doing arithmetic with NULL pointers in XML_GetBuffer + - Fix 2.2.5 regression with suspend-resume while parsing + a document like '' + * Other changes: + - Autotools: Fix docbook-related configure syntax error + - Autotools: Avoid grep option `-q` for Solaris + - Autotools: Support + ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation" + - Autotools: Support DOCBOOK_TO_MAN command which produces + xmlwf.1 rather than XMLWF.1; also covers case insensitive + file systems + - Autotools: Drop -rpath option passed to libtool + - Autotools: Detect and deny SGML docbook2man as ours is XML + - Autotools/CMake: Support command db2x_docbook2man as well + - CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF + - CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF + - CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T, + both defaulting to OFF + - CMake: Prefer check_symbol_exists over check_function_exists + - CMake: Create the same pkg-config file as with GNU Autotools + - CMake: Use GNUInstallDirs module to set proper defaults for + install directories + - CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM + - Address compiler warnings + - Fix miscellaneous typos + +------------------------------------------------------------------- +Thu Nov 16 10:22:18 UTC 2017 - jengelh@inai.de + +- Expand description of expat-devel. 
+ +------------------------------------------------------------------- +Thu Nov 16 09:04:25 UTC 2017 - mpluskal@suse.com + +- Do not generate manpages from docbook +- Temporarily disable profiling due to bug in build system + +------------------------------------------------------------------- +Wed Nov 8 20:01:31 UTC 2017 - aavindraa@gmail.com + +- Version update to 2.2.5 Tue October 31 2017 + * Bug fixes: + - If the parser runs out of memory, make sure its internal + state reflects the memory it actually has, not the memory + it wanted to have. + - The default handler wasn't being called when it should for + a SYSTEM or PUBLIC doctype if an entity declaration handler + was registered. + - Fix a case of mistakenly reported parsing success where + XML_StopParser was called from an element handler + - Function XML_ErrorString was returning NULL rather than + a message for code XML_ERROR_INVALID_ARGUMENT + introduced with release 2.2.1 + * Other changes: + - Add argument -N adding notation declarations + - various compiler-specific fixes + - Improve docbook2x-man detection +- drop expat-docbook.patch + * fixed in 0f5186c7b8e503c669e332d944712de010b265f3 +- switch to github for release tarballs and website + +------------------------------------------------------------------- +Thu Oct 26 09:53:50 UTC 2017 - pmonrealgonzalez@suse.com + +- Version update to 2.2.4 Sat August 19 2017 + * Bug fixes: + #115 Fix copying of partial characters for UTF-8 input + * Other changes: + #109 Fix "make check" for non-x86 architectures that default + to unsigned type char (-128..127 rather than 0..255) + #109 coverage.sh: Cover -funsigned-char + Autotools: Introduce --without-xmlwf argument + #65 Autotools: Replace handwritten Makefile with GNU Automake + #43 CMake: Auto-detect high quality entropy extractors, add new + option USE_libbsd=ON to use arc4random_buf of libbsd + #74 CMake: Add -fno-strict-aliasing only where supported + #114 CMake: Always honor manually set BUILD_* options + 
#114 CMake: Compile man page if docbook2x-man is available, only + #117 Include file tests/xmltest.log.expected in source tarball + (required for "make run-xmltest") + #111 Fix some typos in documentation + Version info bumped from 7:5:6 to 7:6:6 + +- Release 2.2.3 Wed August 2 2017 + * Bug fixes: + #85 Fix a dangling pointer issue related to realloc + * Other changes: + #91 Linux: Allow getrandom to fail if nonblocking pool has not + yet been initialized and read /dev/urandom then, instead. + This is in line with what recent Python does. + #86 Check that a UTF-16 encoding in an XML declaration has the + right endianness +#4 #5 #7 Recover correctly when some reallocations fail + Repair "./configure && make" for systems without any + provider of high quality entropy + and try reading /dev/urandom on those + Ensure that user-defined character encodings have converter + functions when they are needed + Fix mis-leading description of argument -c in xmlwf.1 + Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__) + for CloudABI + #100 Fix use of SIPHASH_MAIN in siphash.h + #23 Test suite: Fix memory leaks + Version info bumped from 7:4:6 to 7:5:6 + +- Release 2.2.2 Wed July 12 2017 + * Security fixes: + #43 Protect against compilation without any source of high + quality entropy enabled, e.g. with CMake build system; + * [MOX-006] Fix non-NULL parser parameter validation in XML_Parse; + resulted in NULL dereference, previously; + * Bug fixes: + #69 Fix improper use of unsigned long long integer literals + * Other changes: + #73 Start requiring a C99 compiler + #49 Fix "==" Bashism in configure script + #58 Address compile warnings + #68 Fix "./buildconf.sh && ./configure" for some versions + of Dash for /bin/sh + #72 CMake: Ease use of Expat in context of a parent project + with multiple CMakeLists.txt files + #72 CMake: Resolve mistaken executable permissions + #76 Address compile warning with -DNDEBUG (not recommended!) 
+ #77 Address compile warning about macro redefinition + + * Added patch expat-docbook.patch to compile the man pages with + docbook-to-man + + * Cleaned spec file with spec-cleaner + +------------------------------------------------------------------- +Sat Oct 7 14:32:27 UTC 2017 - jayvdb@gmail.com + +- Allow building when do_profiling is undefined + +------------------------------------------------------------------- +Tue Jul 11 15:02:55 UTC 2017 - mpluskal@suse.com + +- Build with profiling when possible + +------------------------------------------------------------------- +Tue Jul 4 14:33:00 UTC 2017 - meissner@suse.com + +- Version update to 2.2.1 Sat June 17 2017 + - Security fixes: + CVE-2017-9233 / bsc#1047236 -- External entity infinite loop DoS + Details: https://libexpat.github.io/doc/cve-2017-9233/ + Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f + - [MOX-002] CVE-2016-9063 / bsc#1047240 -- Detect integer overflow; + (Fixed version of existing downstream patches!) + - (SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off + longer tag names; + #25 More integer overflow detection (function poolGrow); + - [MOX-002] Detect overflow from len=INT_MAX call to XML_Parse; + - [MOX-005] #30 Use high quality entropy for hash initialization: + * arc4random_buf on BSD, systems with libbsd + (when configured with --with-libbsd), CloudABI + * RtlGenRandom on Windows XP / Server 2003 and later + * getrandom on Linux 3.17+ + In a way, that's still part of CVE-2016-5300. 
+ https://github.com/libexpat/libexpat/pull/30/commits + - [MOX-005] For the low quality entropy extraction fallback code, + the parser instance address can no longer leak, + - [MOX-003] Prevent use of uninitialised variable; commit + - [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b + Add missing parameter validation to public API functions + and dedicated error code XML_ERROR_INVALID_ARGUMENT: + - [MOX-006] * NULL checks; commits + * Negative length (XML_Parse); commit + - [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f + - [MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash + to go further with fixing CVE-2012-0876. + https://github.com/libexpat/libexpat/pull/39/commits + - Bug fixes: + #32 Fix sharing of hash salt across parsers; + relevant where XML_ExternalEntityParserCreate is called + prior to XML_Parse, in particular (e.g. FBReader) + #28 xmlwf: Auto-disable use of memory-mapping (and parsing + as a single chunk) for files larger than ~1 GB (2^30 bytes) + rather than failing with error "out of memory" + #3 Fix double free after malloc failure in DTD code; commit + 7ae9c3d3af433cd4defe95234eae7dc8ed15637f + #17 Fix memory leak on parser error for unbound XML attribute + prefix with new namespaces defined in the same tag; + found by Google's OSS-Fuzz; commits + xmlwf on Windows: Add missing calls to CloseHandle + - New features: + #30 Introduced environment switch EXPAT_ENTROPY_DEBUG=1 + for runtime debugging of entropy extraction + Bump version info from 7:2:6 to 7:3:6 + +------------------------------------------------------------------- +Mon Jul 18 23:02:23 UTC 2016 - jengelh@inai.de + +- Remove pointless --with-pic (for static only) + +------------------------------------------------------------------- +Thu Jul 14 08:43:31 UTC 2016 - tchvatal@suse.com + +- Version update to 2.2.0: + * Fixes bnc#983215 CVE-2012-6702 + * Fixes bnc#983216 CVE-2016-5300 + * Various cmake and autotools script updates + * Fix detection of utf8 
character boundaries +- Remove all patches merged upstream: + * expat-2.1.1-avoid_relying_on_undef_behaviour.patch + * expat-2.1.1-parser_crashes_on_malformed_input.patch + * expat-alloc-size.patch + * expat-visibility.patch + +------------------------------------------------------------------- +Wed May 18 11:43:51 UTC 2016 - kstreitova@suse.com + +- add expat-2.1.1-avoid_relying_on_undef_behaviour.patch to avoid + relying on undefined behavior in the original CVE-2015-1283 fix + [bnc#980391], [bnc#983985], [CVE-2016-4472] +- add expat-2.1.1-parser_crashes_on_malformed_input.patch to fix + Expat XML parser that mishandles certain kinds of malformed input + documents [bnc#979441], [CVE-2016-0718] +- use spec-cleaner to clean specfile + +------------------------------------------------------------------- +Fri Apr 1 16:32:27 UTC 2016 - crrodriguez@opensuse.org + +- After simplification of expat-visibility.patch, it became + uneffective as no symbols are getting hidden. add + -fvisibility=hidden to CFLAGS again. +- expat-alloc-size.patch: fix braino, realloc()-like functions + should not take __attribute__(malloc) + +------------------------------------------------------------------- +Wed Mar 23 08:31:29 UTC 2016 - idonmez@suse.com + +- Update to version 2.1.1 + * Fixes CVE-2015-1283 — Multiple integer overflows in the + XML_GetBuffer function + * Fix potential null pointer dereference + * Symbol XML_SetHashSalt was not exported + * Output of xmlwf -h was incomplete + * Document behavior of calling XML_SetHashSalt with salt 0 + * Minor improvements to man page xmlwf(1) +- Simplify expat-visibility.patch, refresh expat-alloc-size.patch +- Drop config-guess-sub-update.patch, fixed upstream. 
+ +------------------------------------------------------------------- +Sat Jul 11 12:10:03 UTC 2015 - mpluskal@suse.com + +- Cleanup spec file with spec-cleaner +- Remove old ppc obsoletes/provides + +------------------------------------------------------------------- +Tue Mar 26 13:10:01 UTC 2013 - mmeister@suse.com + +- Added url as source. + Please see http://en.opensuse.org/SourceUrls + +------------------------------------------------------------------- +Thu Feb 21 16:02:17 UTC 2013 - jengelh@inai.de + +- Sanitize description of expat (replace it with a more current + one from the homepage) + +------------------------------------------------------------------- +Mon Feb 4 12:59:44 UTC 2013 - schwab@suse.de + +- Update config.guess/sub for aarch64 + +------------------------------------------------------------------- +Wed Jan 23 09:07:25 UTC 2013 - pgajdos@suse.com + +- fix of fix of [bnc#798644] +- according to upstream changelog: + - Improved ability to build without the configure-generated + expat_config.h header. This is useful for applications + which embed Expat rather than linking in the library. + + because I am not exactly sure about implication of this, rather use + -DXML_HAVE_VISIBILITY in CFLAG_VISIBILITY in expat-visibility.patch + +------------------------------------------------------------------- +Tue Jan 22 12:40:02 UTC 2013 - jengelh@inai.de + +- Executing autoreconf requires autoconf BuildRequire + +------------------------------------------------------------------- +Fri Jan 18 08:53:33 UTC 2013 - pgajdos@suse.com + +- really hide private Xml* symbols [bnc#798644] + * modified visibility.patch + +------------------------------------------------------------------- +Tue Apr 10 19:06:34 UTC 2012 - tabraham@novell.com + +- update to 2.1.0 + - Bug Fixes: + #1742315: Harmful XML_ParserCreateNS suggestion. + #2895533: CVE-2012-1147 - Resource leak in readfilemap.c. + #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3. 
+ #1983953, 2517952, 2517962, 2649838: + Build modifications using autoreconf instead of buildconf.sh. + #2815947, #2884086: OBJEXT and EXEEXT support while building. + #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences. + #2517938: xmlwf should return non-zero exit status if not well-formed. + #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml. + #2855609: Dangling positionPtr after error. + #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8(). + #2958794: CVE-2012-1148 - Memory leak in poolGrow. + #2990652: CMake support. + #3010819: UNEXPECTED_STATE with a trailing "%" in entity value. + #3206497: Unitialized memory returned from XML_Parse. + #3287849: make check fails on mingw-w64. + #3496608: CVE-2012-0876 - Hash DOS attack. + + - Patches: + #1749198: pkg-config support. + #3010222: Fix for bug #3010819. + #3312568: CMake support. + #3446384: Report byte offsets for attr names and values. + + - New Features / API changes: + * Added new API member XML_SetHashSalt() that allows setting an + intial value (salt) for hash calculations. This is part of the + fix for bug #3496608 to randomize hash parameters. + * When compiled with XML_ATTR_INFO defined, adds new API member + XML_GetAttributeInfo() that allows retrieving the byte + offsets for attribute names and values (patch #3446384). + * Added CMake build system. See bug #2990652 and patch #3312568. + * Added run-benchmark target to Makefile.in - relies on testdata + module present in the same relative location as in the repository. 
+ +------------------------------------------------------------------- +Tue Mar 6 03:01:08 UTC 2012 - tabraham@novell.com + +- update to 2.1.0 beta + * refreshed expat-visibility.patch + * removed obsolete expat-CVE-2009-3560.patch + * removed obsolete expat-CVE-2009-2625.patch + + - hash table DOS attack fix + - accumulated bug fixes and some changes to the build system + - new conditional feature to make byte offsets for attributes + and attribute names available + +------------------------------------------------------------------- +Sun Feb 12 14:42:34 UTC 2012 - crrodriguez@opensuse.org + +- Put libraries back to %{_libdir}, /usr merge project + +------------------------------------------------------------------- +Fri Dec 2 12:43:19 UTC 2011 - coolo@suse.com + +- add automake as buildrequire to avoid implicit dependency + +------------------------------------------------------------------- +Sun Oct 30 22:03:29 UTC 2011 - crrodriguez@opensuse.org + +- Hide non public symbols reusing existing win32 API export/imports +- annotate malloc/realloc-like functions with attribute alloc_size + to catch possible misuses in calling code. + +------------------------------------------------------------------- +Sun Sep 18 17:17:12 UTC 2011 - jengelh@medozas.de + +- Remove redundant/obsolete tags/sections from specfile + (cf. 
packaging guidelines) +- Use %_smp_mflags for parallel build +- Add libexpat-devel to baselibs + +------------------------------------------------------------------- +Fri Feb 25 16:01:01 UTC 2011 - prusnak@opensuse.org + +- fix license (MIT) in spec file + +------------------------------------------------------------------- +Fri Jan 8 15:04:28 CET 2010 - prusnak@suse.cz + +- fix CVE-2009-3560.patch [bnc#566434] + +------------------------------------------------------------------- +Sun Dec 13 19:28:22 CET 2009 - jengelh@medozas.de + +- add baselibs.conf as a source + +------------------------------------------------------------------- +Fri Dec 4 15:43:29 CET 2009 - prusnak@suse.cz + +- fix DoS (CVE-2009-3560.patch) [bnc#558892] + +------------------------------------------------------------------- +Thu Oct 29 14:22:47 CET 2009 - prusnak@suse.cz + +- fix DoS (CVE-2009-2625.patch) [bnc#550664] + +------------------------------------------------------------------- +Sun Apr 5 15:45:49 CEST 2009 - crrodriguez@suse.de + +- test suite requires gcc-c++ to compile + +------------------------------------------------------------------- +Thu Feb 19 04:55:08 CET 2009 - crrodriguez@suse.de + +- remove static libraries, shouldnt be needed anymore. 
+- run make check + +------------------------------------------------------------------- +Wed Dec 10 12:34:56 CET 2008 - olh@suse.de + +- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade + (bnc#437293) + +------------------------------------------------------------------- +Thu Oct 30 12:34:56 CET 2008 - olh@suse.de + +- obsolete old -XXbit packages (bnc#437293) + +------------------------------------------------------------------- +Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de + +- added baselibs.conf file to build xxbit packages + for multilib support + +------------------------------------------------------------------- +Sat Jul 28 19:38:40 CEST 2007 - coolo@suse.de + +- fix devel symlink + +------------------------------------------------------------------- +Wed Jul 25 11:29:59 CEST 2007 - prusnak@suse.cz + +- move libraries from /usr/lib to /lib [#285472] +- replace deprecated %run_ldconfig with /sbin/ldconfig + +------------------------------------------------------------------- +Thu Jun 7 16:46:32 CEST 2007 - prusnak@suse.cz + +- update to 2.0.1: + ( from Changes ) + * Fixed bugs #1515266, 1515600: The character data handler's calling + of XML_StopParser() was not handled properly; if the parser was + stopped and the handler set to NULL, the parser would segfault. + * Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed + some character constants to be ASCII encoded. + * Minor cleanups of the test harness. + * Fixed xmlwf bug #1513566: "out of memory" error on file size zero. + * Fixed outline.c bug #1543233: missing a final XML_ParserFree() call. + * Fixes and improvements for Windows platform: + bugs #1409451, #1476160, 1548182, 1602769, 1717322. + * Build fixes for various platforms: + HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180. + All Unix: #1554618 (refreshed config.sub/config.guess). + #1490371, #1613457: support both, DESTDIR and INSTALL_ROOT, + without relying on GNU-Make specific features. 
+ #1647805: Patched configure.in to work better with Intel compiler. + * Fixes to Makefile.in to have make check work correctly: + bugs #1408143, #1535603, #1536684. + * Added Open Watcom support: patch #1523242. + +------------------------------------------------------------------- +Tue Apr 17 18:49:10 CEST 2007 - prusnak@suse.cz + +- split libexpat1 and libexpat-devel subpackages [#260214] + +------------------------------------------------------------------- +Thu Oct 19 12:37:07 CEST 2006 - dmueller@suse.de + +- strip .la file + +------------------------------------------------------------------- +Wed Jan 25 21:30:10 CET 2006 - mls@suse.de + +- converted neededforbuild to BuildRequires + +------------------------------------------------------------------- +Fri Jan 13 00:21:55 CET 2006 - ro@suse.de + +- fixed file list for debuginfo package (do not pack all of libdir) + +------------------------------------------------------------------- +Wed Jan 11 17:43:46 CET 2006 - mjancar@suse.cz + +- update to 2.0.0 + +------------------------------------------------------------------- +Mon Jan 9 13:25:07 CET 2006 - mjancar@suse.cz + +- update to 2.0 pre release + +------------------------------------------------------------------- +Wed Nov 10 11:54:21 CET 2004 - ro@suse.de + +- fixed filelist + +------------------------------------------------------------------- +Mon Aug 09 16:26:05 CEST 2004 - tcrhak@suse.cz + +- update to 1.95.8 + +------------------------------------------------------------------- +Thu Feb 5 18:28:34 CET 2004 - kukuk@suse.de + +- Build as user + +------------------------------------------------------------------- +Thu Feb 05 18:00:24 CET 2004 - tcrhak@suse.cz + +- update to version 1.95.7 + +------------------------------------------------------------------- +Tue Feb 18 15:36:28 CET 2003 - tcrhak@suse.cz + +- in expat.h, declare enum XML_Status before using it; + put into patch "...-header.diff" [bug #23742] + 
+------------------------------------------------------------------- +Mon Feb 17 18:05:52 CET 2003 - tcrhak@suse.cz + +- updated to version 1.95.6 + +------------------------------------------------------------------- +Sun Dec 22 18:21:13 CET 2002 - tcrhak@suse.cz + +- update to version 1.95.5 + +------------------------------------------------------------------- +Sat Jul 13 15:14:59 CEST 2002 - tcrhak@suse.cz + +- update to version 1.95.4 + +------------------------------------------------------------------- +Thu Mar 28 15:17:43 CET 2002 - tcrhak@suse.cz + +- added parameter --target to configure + +------------------------------------------------------------------- +Mon Jan 14 13:25:11 CET 2002 - rvasice@suse.cz + +- use %{_libdir} and %{_lib} + +------------------------------------------------------------------- +Tue Nov 20 18:41:35 CET 2001 - rvasice@suse.cz + +- fix URL in spec file + +------------------------------------------------------------------- +Wed Aug 15 19:54:16 CEST 2001 - rvasice@suse.cz + +- update to version 1.95.2 +- spec file cleanup +- added DESTDIR + +------------------------------------------------------------------- +Mon May 14 12:08:01 CEST 2001 - pblaha@suse.cz + +- fixed links for soname of libexpat.so* + +------------------------------------------------------------------- +Fri May 11 09:03:03 CEST 2001 - cihlar@suse.cz + +- fixed soname of libexpat.so.1.2 + +------------------------------------------------------------------- +Fri Jan 5 10:13:20 CET 2001 - pblaha@suse.cz + +- back on stable version 1.2 added build shared libexpat.so + +------------------------------------------------------------------- +Thu Jan 4 15:46:21 CET 2001 - pblaha@suse.cz + +- update on 1.95.1 on sourgeforge needed for midgard +- new description + +------------------------------------------------------------------- +Thu Mar 9 11:01:23 CET 2000 - ke@suse.de + +- Don't "install" symlinks; use "cp"; reported by bs; proposed fix + by ro. 
+- Cleanup the spec file: better Group tag; more accurate files list. + +------------------------------------------------------------------- +Tue Nov 23 14:59:17 CET 1999 - ke@suse.de + +- first SuSE package: version 1.1. +- apply Debian patch to build shared libs. +- build libexpat.a. + diff --git a/expat.keyring b/expat.keyring new file mode 100644 index 0000000..2638ca8 --- /dev/null +++ b/expat.keyring 
@@ -0,0 +1,245 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +-----END PGP PUBLIC KEY BLOCK-----
diff --git a/expat.spec b/expat.spec new file mode 100644 index 0000000..4e7ca54 --- /dev/null +++ b/expat.spec 
@@ -0,0 +1,134 @@ +# +# spec file for package expat +# +# Copyright (c) 2022 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%global unversion 2_5_0 +Name: expat +Version: 2.5.0 +Release: 0 +Summary: XML Parser Toolkit +License: MIT +Group: Development/Libraries/C and C++ +URL: https://libexpat.github.io +Source0: https://github.com/libexpat/libexpat/releases/download/R_%{unversion}/expat-%{version}.tar.xz +Source1: https://github.com/libexpat/libexpat/releases/download/R_%{unversion}/expat-%{version}.tar.xz.asc +Source2: baselibs.conf +Source3: %{name}faq.html +# https://www.gentoo.org/inside-gentoo/developers/index.html#sping +# https://keys.gentoo.org/pks/lookup?op=get&search=0x1F9B0E909AF37285#/%{name}.keyring +Source4: %{name}.keyring +# PATCH FIX-UPSTREAM: bsc#1221289 (CVE-2024-28757) +# https://github.com/libexpat/libexpat/pull/842 +Patch0: expat-CVE-2024-28757.patch +Patch1: expat-fix-minicheck.patch + +# detect integer overflow in function nextScaffoldPart +# UPSTREAM-FIX: (CVE-2024-45492, bsc#1229932) https://github.com/libexpat/libexpat/pull/892 +Patch2: expat-CVE-2024-45492.patch + +# detect integer overflow in dtdCopy +# UPSTREAM-FIX: (bsc#1229931, CVE-2024-45491) https://github.com/libexpat/libexpat/pull/891 +Patch3: expat-CVE-2024-45491.patch + +# reject negative len for XML_ParseBuffer +# UPSTREAM-FIX: (bsc#1229930, CVE-2024-45490) 
https://github.com/libexpat/libexpat/pull/890 +Patch4: expat-CVE-2024-45490.patch + + +BuildRequires: gcc-c++ +BuildRequires: libtool +BuildRequires: pkgconfig + +%description +Expat is an XML parser library written in C. It is a stream-oriented +parser in which an application registers handlers for things the +parser might find in the XML document (like start tags). + +%package -n libexpat1 +Summary: XML Parser Toolkit +Group: System/Libraries + +%description -n libexpat1 +Expat is an XML parser library written in C. It is a stream-oriented +parser in which an application registers handlers for things the +parser might find in the XML document (like start tags). + +%package -n libexpat-devel +Summary: Development files for expat, an XML parser toolkit +Group: Development/Libraries/C and C++ +Requires: glibc-devel +Requires: libexpat1 = %{version} + +%description -n libexpat-devel +Expat is an XML parser library written in C. It is a stream-oriented +parser in which an application registers handlers for things the +parser might find in the XML document (like start tags). + +This package contains the development headers for the library found +in libexpat. + +%prep +%autosetup -p1 + +cp %{SOURCE3} . 
+rm -f examples/*.dsp + +%build +%configure \ + --disable-silent-rules \ + --docdir="%{_docdir}/%{name}" \ + --disable-static +%if 0%{?do_profiling} + %make_build CFLAGS="%{optflags} %{cflags_profile_generate}" + %make_build CFLAGS="%{optflags} %{cflags_profile_generate}" LDFLAGS="%{optflags} %{cflags_profile_generate}" check + %make_build clean + %make_build CFLAGS="%{optflags} %{cflags_profile_feedback}" +%else + %make_build CFLAGS="%{optflags}" +%endif + +%install +%make_install +find %{buildroot} -type f -name "*.la" -delete -print +# Fix permissions error: spurious-executable-perm +chmod 0644 examples/elements.c + +%check +%make_build check + +%post -n libexpat1 -p /sbin/ldconfig +%postun -n libexpat1 -p /sbin/ldconfig + +%files +%license COPYING +%doc AUTHORS README.md expatfaq.html +%doc doc/reference.html doc/style.css +%doc examples/elements.c examples/outline.c examples/Makefile.am examples/Makefile.in +%doc changelog +%{_bindir}/xmlwf + +%files -n libexpat1 +%{_libdir}/libexpat.so.* + +%files -n libexpat-devel +%{_includedir}/* +%{_libdir}/libexpat.so +%{_libdir}/pkgconfig/expat.pc +%dir %{_libdir}/cmake +%{_libdir}/cmake/expat-%{version} + +%changelog diff --git a/expatfaq.html b/expatfaq.html new file mode 100644 index 0000000..89772b9 --- /dev/null +++ b/expatfaq.html @@ -0,0 +1,100 @@ + + + + + + +expat FAQ + + + +

Frequently Asked Questions about Expat

+ +

Where can I get help in using expat?

+ +

Try the xml-dev mailing list (subscribe by mailing to majordomo@xml.org +with the message subscribe xml-dev). Alternatively try +the mailing lists hosted by sourceforge.net.

+ +

Where is expat's API documented?

+ +

In xmlparse/xmlparse.h. There's also an advanced, +low-level API you can use which is documented in +xmltok/xmltok.h.

+ +

There's also an excellent article +about expat on XML.com by Clark Cooper.

+ +

Is there a simple example of using expat's API?

+ +

See sample/elements.c

+ +

How can I get expat to deal with non-ASCII characters?

+ +

By default, expat assumes that documents are encoded in UTF-8. In +UTF-8, ASCII characters are represented by a single byte as they would +be in ASCII, but non-ASCII characters are represented by a sequence of +two or more bytes all with the 8th bit set. The encoding most widely +used for European languages is ISO 8859-1 which is not compatible with +UTF-8. To use this encoding, expat must be told either by supplying +an argument of "iso-8859-1" to +XML_ParserCreate, or by starting the document with +<?xml version="1.0" encoding="iso-8859-1"?>.

+ +

What encodings does expat support?

+ +

expat has built in support for the following encodings:

+ +
    +
  • utf-8
  • +
  • utf-16
  • +
  • iso-8859-1
  • +
  • us-ascii
  • +
+ +

Additional encodings can be supported by using +XML_SetUnknownEncodingHandler.

+ +

How can I get expat to validate my XML documents?

+ +

You can't. expat is not a validating parser.

+ +

How can I get expat to read my DTD?

+ +

Compile with -DXML_DTD and call +XML_SetParamEntityParsing.

+ +

How can I get expat to recover from errors?

+ +

You can't. All well-formedness errors stop processing. Note that +the XML Recommendation does not permit conforming XML processors to +continue normal processing after a fatal error.

+ +

How do I get at the characters between tags?

+ +

Use XML_SetCharacterDataHandler.

+ +

How can I minimize the size of expat?

+ +

Compile with -DXML_MIN_SIZE. With Visual C++, use the +Win32 MinSize configuration: this creates an +xmlparse.dll that does not require +xmltok.dll.

+ +
+ +James Clark + +
+ + + +
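Review bot: In expat.spec, Source1 (the detached .asc) and Source4 (%{name}.keyring) are declared, but nothing in the visible %prep checks the tarball against them: "%autosetup -p1" unpacks Source0 directly. If signature verification is left to the build service's source validation, a comment next to Source4 saying so would make that dependency explicit; otherwise add a verification step ahead of %autosetup. The keyring comment also identifies the key only by the 64-bit ID 0x1F9B0E909AF37285; recording the full fingerprint there would let a reviewer check the committed keyring without relying on the lookup URL. Separately, "Patch1: expat-fix-minicheck.patch" is the only patch line without a comment giving its origin or bug reference, unlike Patch0 and Patch2 through Patch4.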
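Review bot: In expatfaq.html, several answers point at paths that do not match what this same patch packages. The FAQ says "See sample/elements.c" and places the API documentation in xmlparse/xmlparse.h and xmltok/xmltok.h, while expat.spec installs examples/elements.c and doc/reference.html as %doc. Because the spec copies this file in with "cp %{SOURCE3} ." and ships it as documentation, either refresh those references to the packaged paths or add a line at the top marking the FAQ as historical, so users are not sent to files the package does not contain.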