Sync from SUSE:ALP:Source:Standard:1.0 expat revision ffb0a931b05a3cd4a2ea2cd3aa574cef

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

baselibs.conf

@@ -0,0 +1,7 @@
+expat
+libexpat1
+  obsoletes "expat-<targettype>"
+  provides  "expat-<targettype>"
+libexpat-devel
+  requires -libexpat-<targettype>
+  requires "libexpat1-<targettype> = <version>"

expat-2.5.0.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEy43nCpDPv2w79cxWliYqz/vTrsYFAmNYAlAACgkQliYqz/vT
+rsYnzw/+Nn8rFvElM2th9ex3Yt6UkNtx/hZWITig7URH7wHtShHA957xMcJiby4R
+/RoKbtcb3+RNeOtDMycT4wFy2p/tmuJ3mPL0ewFkKkfw1Uk489AbYukzSbg/YmNZ
+3+r6DFAd+kJOpe+6m4Nhxg2iohVQoXjQPBK02njkuKN66thrFGxnQDfi62qAbIm+
+7Ac+McmOypDuG1H+E2eeRIMwgGyU2yiCvqtleKfRaF596wdfbv/gIFcETKI7wMnV
+ExAhZSVDgiojGqwhW7vZOvrwmuDsZOazVSMyasntJazCynWLZ5hAkRtpNvsvIR3i
+cUd904PPjrr5VFQmDQxI4HieeloI5aipl7y4wR+g7WE1JjKs4ScVA8llIsLvZie/
+fZh+Fz/TS4B8hJpnkRGXc7IpovXyFDb+C0WkBxy77OvdEu7QgXaIh1+AT10FkQsF
+HbJT3vHk71D3D5JlUv9DPL8YZ3gFTQF7LwpvfJVDUiYe3hn+f4u4XAt6F3zVnXok
+NEs8fflALfgtIC46nPbhcrxQdO/CyWGIWhisDwoB6FHloZc8EWuWidg7SOdApK1W
+s2ycdH7XLEBXCriIpKWHS9ebkWyPQHe/Ezi2pv0ieZU1TVtV6nVv5YlH2QHBoZJK
+VPlgb5u2zVp9y/bthnZPgRId53kdnZCXezKLQ+wc27Taojpnzws=
+=UAN0
+-----END PGP SIGNATURE-----

expat-CVE-2024-28757.patch

@@ -0,0 +1,319 @@
+From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 4 Mar 2024 23:49:06 +0100
+Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with
+ isolated external parser
+
+When parsing DTD content with code like ..
+
+  XML_Parser parser = XML_ParserCreate(NULL);
+  XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
+  enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
+
+.. there are 0 bytes accounted as direct input and all input from `doc` accounted
+as indirect input.  Now function accountingGetCurrentAmplification cannot calculate
+the current amplification ratio as "(direct + indirect) / direct", and it did refuse
+to divide by 0 as one would expect, but it returned 1.0 for this case to indicate
+no amplification over direct input.  As a result, billion laughs attacks from
+DTD-only input were not detected with this isolated way of using an external parser.
+
+The new approach is to assume direct input of length not 0 but 22 -- derived from
+ghost input "<!ENTITY a SYSTEM 'b'>", the shortest possible way to include an external
+DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22".
+
+GitHub issue #839 has more details on this issue and its origin in ClusterFuzz
+finding 66812.
+---
+
+From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 4 Mar 2024 23:49:06 +0100
+Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with
+ isolated external parser
+
+When parsing DTD content with code like ..
+
+  XML_Parser parser = XML_ParserCreate(NULL);
+  XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
+  enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
+
+.. there are 0 bytes accounted as direct input and all input from `doc` accounted
+as indirect input.  Now function accountingGetCurrentAmplification cannot calculate
+the current amplification ratio as "(direct + indirect) / direct", and it did refuse
+to divide by 0 as one would expect, but it returned 1.0 for this case to indicate
+no amplification over direct input.  As a result, billion laughs attacks from
+DTD-only input were not detected with this isolated way of using an external parser.
+
+The new approach is to assume direct input of length not 0 but 22 -- derived from
+ghost input "<!ENTITY a SYSTEM 'b'>", the shortest possible way to include an external
+DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22".
+
+GitHub issue #839 has more details on this issue and its origin in ClusterFuzz
+finding 66812.
+---
+
+From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 4 Mar 2024 23:49:06 +0100
+Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with
+ isolated external parser
+
+When parsing DTD content with code like ..
+
+  XML_Parser parser = XML_ParserCreate(NULL);
+  XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
+  enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
+
+.. there are 0 bytes accounted as direct input and all input from `doc` accounted
+as indirect input.  Now function accountingGetCurrentAmplification cannot calculate
+the current amplification ratio as "(direct + indirect) / direct", and it did refuse
+to divide by 0 as one would expect, but it returned 1.0 for this case to indicate
+no amplification over direct input.  As a result, billion laughs attacks from
+DTD-only input were not detected with this isolated way of using an external parser.
+
+The new approach is to assume direct input of length not 0 but 22 -- derived from
+ghost input "<!ENTITY a SYSTEM 'b'>", the shortest possible way to include an external
+DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22".
+
+GitHub issue #839 has more details on this issue and its origin in ClusterFuzz
+finding 66812.
+---
+
+From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 4 Mar 2024 23:49:06 +0100
+Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with
+ isolated external parser
+
+When parsing DTD content with code like ..
+
+  XML_Parser parser = XML_ParserCreate(NULL);
+  XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
+  enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
+
+.. there are 0 bytes accounted as direct input and all input from `doc` accounted
+as indirect input.  Now function accountingGetCurrentAmplification cannot calculate
+the current amplification ratio as "(direct + indirect) / direct", and it did refuse
+to divide by 0 as one would expect, but it returned 1.0 for this case to indicate
+no amplification over direct input.  As a result, billion laughs attacks from
+DTD-only input were not detected with this isolated way of using an external parser.
+
+The new approach is to assume direct input of length not 0 but 22 -- derived from
+ghost input "<!ENTITY a SYSTEM 'b'>", the shortest possible way to include an external
+DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22".
+
+GitHub issue #839 has more details on this issue and its origin in ClusterFuzz
+finding 66812.
+---
+
+From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 4 Mar 2024 23:49:06 +0100
+Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with
+ isolated external parser
+
+When parsing DTD content with code like ..
+
+  XML_Parser parser = XML_ParserCreate(NULL);
+  XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
+  enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
+
+.. there are 0 bytes accounted as direct input and all input from `doc` accounted
+as indirect input.  Now function accountingGetCurrentAmplification cannot calculate
+the current amplification ratio as "(direct + indirect) / direct", and it did refuse
+to divide by 0 as one would expect, but it returned 1.0 for this case to indicate
+no amplification over direct input.  As a result, billion laughs attacks from
+DTD-only input were not detected with this isolated way of using an external parser.
+
+The new approach is to assume direct input of length not 0 but 22 -- derived from
+ghost input "<!ENTITY a SYSTEM 'b'>", the shortest possible way to include an external
+DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22".
+
+GitHub issue #839 has more details on this issue and its origin in ClusterFuzz
+finding 66812.
+---
+
+From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 4 Mar 2024 23:49:06 +0100
+Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with
+ isolated external parser
+
+When parsing DTD content with code like ..
+
+  XML_Parser parser = XML_ParserCreate(NULL);
+  XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
+  enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
+
+.. there are 0 bytes accounted as direct input and all input from `doc` accounted
+as indirect input.  Now function accountingGetCurrentAmplification cannot calculate
+the current amplification ratio as "(direct + indirect) / direct", and it did refuse
+to divide by 0 as one would expect, but it returned 1.0 for this case to indicate
+no amplification over direct input.  As a result, billion laughs attacks from
+DTD-only input were not detected with this isolated way of using an external parser.
+
+The new approach is to assume direct input of length not 0 but 22 -- derived from
+ghost input "<!ENTITY a SYSTEM 'b'>", the shortest possible way to include an external
+DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22".
+
+GitHub issue #839 has more details on this issue and its origin in ClusterFuzz
+finding 66812.
+---
+
+From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 4 Mar 2024 23:49:06 +0100
+Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with
+ isolated external parser
+
+When parsing DTD content with code like ..
+
+  XML_Parser parser = XML_ParserCreate(NULL);
+  XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
+  enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
+
+.. there are 0 bytes accounted as direct input and all input from `doc` accounted
+as indirect input.  Now function accountingGetCurrentAmplification cannot calculate
+the current amplification ratio as "(direct + indirect) / direct", and it did refuse
+to divide by 0 as one would expect, but it returned 1.0 for this case to indicate
+no amplification over direct input.  As a result, billion laughs attacks from
+DTD-only input were not detected with this isolated way of using an external parser.
+
+The new approach is to assume direct input of length not 0 but 22 -- derived from
+ghost input "<!ENTITY a SYSTEM 'b'>", the shortest possible way to include an external
+DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22".
+
+GitHub issue #839 has more details on this issue and its origin in ClusterFuzz
+finding 66812.
+---
+
+From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 4 Mar 2024 23:49:06 +0100
+Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with
+ isolated external parser
+
+When parsing DTD content with code like ..
+
+  XML_Parser parser = XML_ParserCreate(NULL);
+  XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
+  enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
+
+.. there are 0 bytes accounted as direct input and all input from `doc` accounted
+as indirect input.  Now function accountingGetCurrentAmplification cannot calculate
+the current amplification ratio as "(direct + indirect) / direct", and it did refuse
+to divide by 0 as one would expect, but it returned 1.0 for this case to indicate
+no amplification over direct input.  As a result, billion laughs attacks from
+DTD-only input were not detected with this isolated way of using an external parser.
+
+The new approach is to assume direct input of length not 0 but 22 -- derived from
+ghost input "<!ENTITY a SYSTEM 'b'>", the shortest possible way to include an external
+DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22".
+
+GitHub issue #839 has more details on this issue and its origin in ClusterFuzz
+finding 66812.
+---
+ expat/lib/xmlparse.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+Index: expat-2.5.0/lib/xmlparse.c
+===================================================================
+--- expat-2.5.0.orig/lib/xmlparse.c
++++ expat-2.5.0/lib/xmlparse.c
+@@ -7655,6 +7655,8 @@ copyString(const XML_Char *s, const XML_
+ 
+ static float
+ accountingGetCurrentAmplification(XML_Parser rootParser) {
++  //                                          1.........1.........12 => 22
++  const size_t lenOfShortestInclude = sizeof("<!ENTITY a SYSTEM 'b'>") - 1;
+   const XmlBigCount countBytesOutput
+       = rootParser->m_accounting.countBytesDirect
+         + rootParser->m_accounting.countBytesIndirect;
+@@ -7662,7 +7664,9 @@ accountingGetCurrentAmplification(XML_Pa
+       = rootParser->m_accounting.countBytesDirect
+             ? (countBytesOutput
+                / (float)(rootParser->m_accounting.countBytesDirect))
+-            : 1.0f;
++            : ((lenOfShortestInclude
++                + rootParser->m_accounting.countBytesIndirect)
++               / (float)lenOfShortestInclude);
+   assert(! rootParser->m_parentParser);
+   return amplificationFactor;
+ }
+Index: expat-2.5.0/tests/runtests.c
+===================================================================
+--- expat-2.5.0.orig/tests/runtests.c
++++ expat-2.5.0/tests/runtests.c
+@@ -12092,6 +12092,63 @@ START_TEST(test_helper_unsigned_char_to_
+     fail("unsignedCharToPrintable result mistaken");
+ }
+ END_TEST
++
++START_TEST(test_amplification_isolated_external_parser) {
++  // NOTE: Length 44 is precisely twice the length of "<!ENTITY a SYSTEM 'b'>"
++  // (22) that is used in function accountingGetCurrentAmplification in
++  // xmlparse.c.
++  //                  1.........1.........1.........1.........1..4 => 44
++  const char doc[] = "<!ENTITY % p1 '123456789_123456789_1234567'>";
++  const int docLen = (int)sizeof(doc) - 1;
++  const float maximumToleratedAmplification = 2.0f;
++
++  struct TestCase {
++    int offsetOfThreshold;
++    enum XML_Status expectedStatus;
++  };
++
++  struct TestCase cases[] = {
++      {-2, XML_STATUS_ERROR}, {-1, XML_STATUS_ERROR}, {0, XML_STATUS_ERROR},
++      {+1, XML_STATUS_OK},    {+2, XML_STATUS_OK},
++  };
++
++  for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
++    const int offsetOfThreshold = cases[i].offsetOfThreshold;
++    const enum XML_Status expectedStatus = cases[i].expectedStatus;
++    const unsigned long long activationThresholdBytes
++        = docLen + offsetOfThreshold;
++
++    // set_subtest("offsetOfThreshold=%d, expectedStatus=%d", offsetOfThreshold,
++    //             expectedStatus);
++
++    XML_Parser parser = XML_ParserCreate(NULL);
++    assert_true(parser != NULL);
++
++    assert_true(XML_SetBillionLaughsAttackProtectionMaximumAmplification(
++                    parser, maximumToleratedAmplification)
++                == XML_TRUE);
++    assert_true(XML_SetBillionLaughsAttackProtectionActivationThreshold(
++                    parser, activationThresholdBytes)
++                == XML_TRUE);
++
++    XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
++    assert_true(ext_parser != NULL);
++
++    const enum XML_Status actualStatus
++        = _XML_Parse_SINGLE_BYTES(ext_parser, doc, docLen, XML_TRUE);
++
++    assert_true(actualStatus == expectedStatus);
++    if (actualStatus != XML_STATUS_OK) {
++      assert_true(XML_GetErrorCode(ext_parser)
++                  == XML_ERROR_AMPLIFICATION_LIMIT_BREACH);
++    }
++
++    XML_ParserFree(ext_parser);
++    XML_ParserFree(parser);
++  }
++}
++END_TEST
++
+ #endif // defined(XML_DTD)
+ 
+ static Suite *
+@@ -12485,6 +12542,8 @@ make_suite(void) {
+   tcase_add_test(tc_accounting, test_accounting_precision);
+   tcase_add_test(tc_accounting, test_billion_laughs_attack_protection_api);
+   tcase_add_test(tc_accounting, test_helper_unsigned_char_to_printable);
++  tcase_add_test__ifdef_xml_dtd(tc_accounting,
++                                test_amplification_isolated_external_parser);
+ #endif
+ 
+   return s;

expat-CVE-2024-45490.patch

@@ -0,0 +1,60 @@
+From 5c1a31642e243f4870c0bd1f2afc7597976521bf Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:26:07 +0200
+Subject: [PATCH 1/3] lib: Reject negative len for XML_ParseBuffer
+
+Reported by TaiYou
+---
+ expat/lib/xmlparse.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: expat-2.5.0/lib/xmlparse.c
+===================================================================
+--- expat-2.5.0.orig/lib/xmlparse.c
++++ expat-2.5.0/lib/xmlparse.c
+@@ -1985,6 +1985,12 @@ XML_ParseBuffer(XML_Parser parser, int l
+ 
+   if (parser == NULL)
+     return XML_STATUS_ERROR;
++
++  if (len < 0) {
++    parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
++    return XML_STATUS_ERROR;
++  }
++
+   switch (parser->m_parsingStatus.parsing) {
+   case XML_SUSPENDED:
+     parser->m_errorCode = XML_ERROR_SUSPENDED;
+Index: expat-2.5.0/doc/reference.html
+===================================================================
+--- expat-2.5.0.orig/doc/reference.html
++++ expat-2.5.0/doc/reference.html
+@@ -1097,7 +1097,9 @@ containing part (or perhaps all) of the
+ that are part of the document is indicated by <code>len</code>. This means
+ that <code>s</code> doesn't have to be null terminated. It also means that
+ if <code>len</code> is larger than the number of bytes in the block of
+-memory that <code>s</code> points at, then a memory fault is likely. The
++memory that <code>s</code> points at, then a memory fault is likely.
++Negative values for <code>len</code> are rejected since Expat 2.2.1.
++The
+ <code>isFinal</code> parameter informs the parser that this is the last
+ piece of the document. Frequently, the last piece is empty (i.e.
+ <code>len</code> is zero.)
+@@ -1113,11 +1115,17 @@ XML_ParseBuffer(XML_Parser p,
+                 int isFinal);
+ </pre>
+ <div class="fcndef">
++<p>
+ This is just like <code><a href= "#XML_Parse" >XML_Parse</a></code>,
+ except in this case Expat provides the buffer.  By obtaining the
+ buffer from Expat with the <code><a href= "#XML_GetBuffer"
+ >XML_GetBuffer</a></code> function, the application can avoid double
+ copying of the input.
++</p>
++
++<p>
++Negative values for <code>len</code> are rejected since Expat 2.6.3.
++</p>
+ </div>
+ 
+ <h4 id="XML_GetBuffer">XML_GetBuffer</h4>

expat-CVE-2024-45491.patch

@@ -0,0 +1,31 @@
+From 8e439a9947e9dc80a395c0c7456545d8d9d9e421 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:34:13 +0200
+Subject: [PATCH] lib: Detect integer overflow in dtdCopy
+
+Reported by TaiYou
+---
+ expat/lib/xmlparse.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 91682c188..e2327bdcf 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7016,6 +7016,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
+     if (! newE)
+       return 0;
+     if (oldE->nDefaultAtts) {
++      /* Detect and prevent integer overflow.
++       * The preprocessor guard addresses the "always false" warning
++       * from -Wtype-limits on platforms where
++       * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++      if ((size_t)oldE->nDefaultAtts
++          > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
++        return 0;
++      }
++#endif
+       newE->defaultAtts
+           = ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
+       if (! newE->defaultAtts) {

expat-CVE-2024-45492.patch

@@ -0,0 +1,30 @@
+From 9bf0f2c16ee86f644dd1432507edff94c08dc232 Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Mon, 19 Aug 2024 22:37:16 +0200
+Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart
+
+Reported by TaiYou
+---
+ expat/lib/xmlparse.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c
+index 91682c188..f737575ea 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -7558,6 +7558,15 @@ nextScaffoldPart(XML_Parser parser) {
+   int next;
+ 
+   if (! dtd->scaffIndex) {
++    /* Detect and prevent integer overflow.
++     * The preprocessor guard addresses the "always false" warning
++     * from -Wtype-limits on platforms where
++     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
++#if UINT_MAX >= SIZE_MAX
++    if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
++      return -1;
++    }
++#endif
+     dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int));
+     if (! dtd->scaffIndex)
+       return -1;

expat-fix-minicheck.patch

@@ -0,0 +1,57 @@
+Index: expat-2.5.0/tests/minicheck.h
+===================================================================
+--- expat-2.5.0.orig/tests/minicheck.h
++++ expat-2.5.0/tests/minicheck.h
+@@ -64,7 +64,13 @@ extern "C" {
+   }                                                                            \
+   }
+ 
+-#define fail(msg) _fail_unless(0, __FILE__, __LINE__, msg)
++#define fail(msg) _fail(__FILE__, __LINE__, msg)
++#define assert_true(cond)                                                    \
++  do {                                                                       \
++    if (! (cond)) {                                                          \
++      _fail(__FILE__, __LINE__, "check failed: " #cond);                     \
++    }                                                                        \
++  } while (0)
+ 
+ typedef void (*tcase_setup_function)(void);
+ typedef void (*tcase_teardown_function)(void);
+@@ -104,6 +110,10 @@ void _check_set_test_info(char const *fu
+  */
+ 
+ void _fail_unless(int condition, const char *file, int line, const char *msg);
++#  if defined(__GNUC__)
++__attribute__((noreturn))
++#  endif
++void _fail(const char *file, int line, const char *msg);
+ Suite *suite_create(const char *name);
+ TCase *tcase_create(const char *name);
+ void suite_add_tcase(Suite *suite, TCase *tc);
+Index: expat-2.5.0/tests/minicheck.c
+===================================================================
+--- expat-2.5.0.orig/tests/minicheck.c
++++ expat-2.5.0/tests/minicheck.c
+@@ -224,6 +224,22 @@ _fail_unless(int condition, const char *
+   longjmp(env, 1);
+ }
+ 
++void
++_fail(const char *file, int line, const char *msg) {
++  /* Always print the error message so it isn't lost.  In this case,
++     we have a failure, so there's no reason to be quiet about what
++     it is.
++  */
++  _check_current_filename = file;
++  _check_current_lineno = line;
++  if (msg != NULL) {
++    const int has_newline = (msg[strlen(msg) - 1] == '\n');
++    fprintf(stderr, "ERROR: %s%s", msg, has_newline ? "" : "\n");
++  }
++  longjmp(env, 1);
++}
++
++
+ int
+ srunner_ntests_failed(SRunner *runner) {
+   assert(runner != NULL);

expat.keyring

@@ -0,0 +1,245 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFzUcE0BEACzkr4qR9zoM63YCJU/oQTJEtt7SR9Hcvntk351O5QQbNJS55Zah+XfiAl1
+j45yrxP+ve3xU64Cl/GctZMLgkx8Qd3JECZCUkm72cvlBF1bJ0hkvcJRtTyuc9XXBBQBNoRS
+1Tn4Gc/QE8L7669mS0FPPKpy4m7yY9SLtkauUTVkeKVz65Wo9jEB4cc4hJGzqeBndSmPbznO
+PkATSadeLX7xNFG4nM20wCGZ1+UmY4j1NTBJnbxtxcPQ4/OiAKvAsfAzvZrlAMhJtFAfnooP
+7VkIsbZyQqPeUznhGOK1nVpjl7DZ5c4geJa3OLfeDM5c1mSx3VsU8SkKbBqNeog5dV9yHAKF
+Ba10M+VAylwlRg5i6TE/5JP4LneWoh/dZP6216MMelDcZeXn6JCgLWmjbCmuwDgA5S7y2cew
+RU3hopGvCpTkgEg8XuXZgP8O1ZAOOqBWOt/mk71Bm6LdIe501f60aVcnODJDSb6tDwYTxkn5
+vGPvu8biu2K+zdFqZskPTZo44qZDjLd7HpN5SigFMCCSk9LTWcwpa4eSFcezmfku+dB5T79Y
+0W0qCKJKBtNLOj5atVk9j+BA0BNTmE8e95bTdPW3UbmXPhQQt8J+6UXsUC0brn3/9pXTXHvP
+iQsYMKcMzOnbdXKvlMxF+dN3BT+uhEF5tyYgqSDaF07EnIJzdwARAQABtCRTZWJhc3RpYW4g
+UGlwcGluZyA8c3BpbmdAZ2VudG9vLm9yZz6IXQQTEQIAHRYhBD1+lZ2J+s/uODcZIbALxmpA
+GhYABQJc1HOXAAoJELALxmpAGhYAwxYAniPJOey52Zkpy2ULNZXpLnMfU4ccAKCRtqJckPvS
+BE69v8XIF9imvxX09YkBZQQQAQoATxYhBCwTgjuCNzEPohMDSTDRMv8P9Q7rBQJc1cMyBYMB
+4TOAKxpodHRwczovL3d3dy5nZW50b28ub3JnL2dsZXAvZ2xlcC0wMDc5Lmh0bWwACgkQMNEy
+/w/1DusYEQf/YoER3M3OLkUT7DgWiZBakNs3ifv63fvBDVhwZcerobSxlqjFFQK6CC+vFumk
+xV0hFIvS9yfCTLNYMcLa8C9TuWJSqOtTXLGoYDbD6tEOQbMnKJ+W/vypbf1VqVHlptwkPpNd
+5R6acsEv4rNK1bbzDVWzrCvLBRsHHiyr8MFHVjJjPZFqQfc56K2CHNv7Yhk6h3DG/0LQl2Lb
+pxxcYKkF+gw5AwJazBf/DwpomwyrMRRmiqcgJ0kDyDO9ktMd+7z81t12G6tiEFVoiyPCmYkU
+0CjpArg0nMBWMzocrr3i7RNO5675VwefF5+i/hBykyaGiunmpJ5G16JaPAvs1eLOiYkBZQQQ
+AQoATxYhBCwTgjuCNzEPohMDSTDRMv8P9Q7rBQJetvbPBYMB4TOAKxpodHRwczovL3d3dy5n
+ZW50b28ub3JnL2dsZXAvZ2xlcC0wMDc5Lmh0bWwACgkQMNEy/w/1DuvGIAf/ZFdVDmJBa77p
+Dgws9TDAg373Q4t4t26Dimp/GAejP9L85HRGE3cBwpp0U5N2uoEyBQmrQnoe+ggaEOcQXbv6
+q2GIeA4LRpM7Yw/Umfbcd7KQhRstZiJXb2ectkSliDveAnrSfS4yB6pjnM64XTCZaKMCXOp1
+4oiR6e8sL+p4QI9y8JFRvzMtgQCbmFW5JpSeOhLdnbjb6yqWZ8zQEx3lL/TdOzk9z4UsL2pi
+dytcUMezYH3IzqJR+xTMMt3ELQWUtEIlagy4GvXkKMTOK3tqtd3nPKCBfALYEfhuuoHokTLk
+obvAMXtiNJgWUCbeJPaW+bMZO3T07bVCYqwq7B3KZIkBZQQQAQoATxYhBCwTgjuCNzEPohMD
+STDRMv8P9Q7rBQJgmXuwBYMB4TOAKxpodHRwczovL3d3dy5nZW50b28ub3JnL2dsZXAvZ2xl
+cC0wMDc5Lmh0bWwACgkQMNEy/w/1Duvq9ggAwdatYPY0gb4LaDqUT8fSa9AOCWEqBb+XF3Di
+GVaLsSAsMHM71MSdkxvXXVb5QVwnFPTRGC30LXs7HzEqzBqIi3Qvp53g4X/BcNYrHPMCvNhD
+tKn9t27uncO+zcxlY90x6x58liyxQjS2SbolzwRYRthisNzxA45EgJcU2R3l1rgjcwt/X/W3
+FuBt37YkEFFgK5Oj3RiH2PjNs2d2f1vft//1Cxig3/sLNIhvj/xVfyeHlAnor+Z/Q+vwxcXC
+dnOR0tS4DCbP49dD2XNNdCpJuu1NswasS86cjjhruchg+22wwQFFiWLvsiXjfXD9qdMY6bCN
+DyQF2dMheNU4IYQ5sYkBZQQQAQoATxYhBCwTgjuCNzEPohMDSTDRMv8P9Q7rBQJieq8xBYMB
+4TOAKxpodHRwczovL3d3dy5nZW50b28ub3JnL2dsZXAvZ2xlcC0wMDc5Lmh0bWwACgkQMNEy
+/w/1DutE+QgA5iKPPK5OHxyMFVBGl2EFd9HpWbEY7QS0rSWYu79z8uB4p6pFkN3BosUIEuEQ
+W7NYLI5pwnRX07eqIvtGCeE22JeGCLH0AI5eyiJcXA6OrJRuLtLt/GM3Ob0lL8Zl1zVbXXv3
+3d6kUVCiPctmYB1SnsJAHXHlhWq4PEr8WLsfG3jocvIwJeTF89Ft6evb6gyZSl0+wibWJYzD
+L0hrTyBlcNBxjTh64CbJ4TgoXgoSjqjGinl9ac2Hipj721Wlxnzye2t3VsMwiQEw0H01W9Zy
+Ma4fVzX5daFeX5olg9GJihniX9zayXxo7wGV3rcg3qZgIEFsbkIrNSew6CZkr0cZrYkCMwQT
+AQgAHRYhBGPrBPqjDHbilS5u1lZZU7lTcnVsBQJeLf7nAAoJEFZZU7lTcnVsdKQQAJFajikh
+3xSQ/n4/LRz2eAEiI4TePxmkDKxml1MpZpkxI1SryF0Dd67wPxiZ45z0YZ2GO/FcP2BVei5A
+8etgQ0/aFt1WZ565ZgjtZf+entraAqU7EEy6MhNV53/uRBtFGfDHSmGrP/2HtPJzcvqmnPVt
+yUBMKGDBOxCNB3ivPcDsu80f+Xd+junrwEi1p7pxlmCP0ZmJFj0U5Bf2QRkfVfXvL6QqEAOB
+TUqCXTfmTmZ1TpenB8muWDgqok/3Qme8Y+0oTe3O+t+0IRxi2V1lDkB1Dd1QOfEXp3WV4Le1
+b6O/rOgT5fW0XUEQJ9CN58zVEqPTw6aPW/qLA65UfbkiO/H54BnOeHSlFU9YPrEcCf2qooTH
+qZyUEgEdB5A61NhravO78/uwgaHGiIKzopjLr8D5Le9YTD54DAlbP6X+0Jb93buVcvm2rm9c
+KIbN6mwbH5gri7USDI0UAUySVYebB1UdFmOOYLovzDN7Us/sWJYksmWXpw70IZLmSVxEWR+I
+urbzPgl+twksZv5EPOPhVa3plyRY+ARakisVmtdRWzBNwbd6RMG1urRiWXyD60r5XbiXN3sP
+vTdvYkgFKWDQ8WS/+AyewznnU4ZU2eLFYRZi4TWugzaZVyAv7CRJi1UMOXSafqW/MlcWlM2G
+qw4WhEHX70YKQRJwC2yGWF2P0T3fiQJUBBMBCAA+AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4B
+AheAFiEEMXbvfbI2fx/KTzBrH5sOkJrzcoUFAl6yxZwFCQO/iM8ACgkQH5sOkJrzcoU6ag//
+TGp12gxPSfLEf+J4W5YlcFggkDhYBXdXzlgzgBOOz7LEZIFOJqWBXjlem/5tWhfHLPRv19Ve
+cGfXQyaRm4tfu61DINECdaZBzHcFaAqdiV7pF+TtuDtZkYlkY4mLpo6H+dcHiQggJMB5bBGi
+i+3b5feV4ioD8kPvSLIH4JbCfu9/PsW0MF3xV8dUhiqZoVj/qqEPi/ZvDtLSZKs5egEX3VBQ
+CkrmUKOVO0i3ch+1pPr4hz0jEl6HfRZdCpvELGHDQtAP/9ckR/SvPUvQrXfra6bKLkGOWbBk
+NIMmWSpzwfX7exl/mh8FASUyhJUM/S+9aBq+hSLBt+P6+WO4j1oR9pJITkr3X5g6ZEx7Zv/X
+xkKQJcgII9T8OpLsICS8WTB6IkEb4/R2AzNOClEpys5fQYhCZFUhjDjMGXDOibEG9pnh9LoZ
+KCRfezRb/B1zu39XD06Qpk9ysizXzjlEf92y7N1ppVbDUEqzWeoBXwyhF8nZgskqSPGgGOhL
+eilDBNWPXZuFS4GJ4xf5KaoTXztvOZGamsNwfwTyZC/xJOKH7emPEP1Dw1W6kCMHfOUITJN4
+okhZi//aLFgvvPUJs35gB1FQQDRgK6lHhHu18V4den5u/2/5qT4c2SIaUX1TvZZzer7Luts4
+Op8T72liyB5zWZt0NUZ5p7OzVV+iw6kKIjiJAlQEEwEIAD4CGwMFCwkIBwIGFQoJCAsCBBYC
+AwECHgECF4AWIQQxdu99sjZ/H8pPMGsfmw6QmvNyhQUCYIszpgUJBZf22QAKCRAfmw6QmvNy
+hTjFD/0XjMa2vEePxvJG5upokP5yzVQoMqAi1nryvXTiC8yzJWXD8/E9C+/K9AnHv1cvp3ko
+jQmbqnP/1B2o/IYzJVJdLZR9F7yVmB2H6Z/C13X27u811DuEWEt4KYQSdNuTO9qZdtL2xS3W
+TNiCx3Tu9N2sE5jXR+6JKZvU1+gCyM+GqWhFWIRphVUngoeTFcy1/2C9C5d7fg3IzcQ9Vxdi
+nheYMLcPg4mumjMRMV7MqRZUCzPYkXulm5YBYDVATHfRWBmR+MP+0jrciVDkEYONKzeVRv9Q
+VCoppJ5D26t/Cw6COJJAKDfsUngkWFOIIz7rvSdxe2KcVxWQU7COB2Pf7oeV1Yay7onSrYbl
+6dTvQyBXBmCD77w1jl8DyrgwLJIwm7Hx7/T5StSO0W2B+rpZDpceNou7TUDok3ZagIbKhsiO
+uLEofkV+Mg4KIBdvnn/QOqAeeu7OWIyyXUFWbTHYqDzucPoy98zUP+J73mm90B6/q9HFl7d2
+eCOXucvyUUrw1Qh7K562Ye1v0q9dEyaDecM/4zeioTShzMfqtPUXtS+inUiEjis8YtnwTmIW
+KZaDK4eGnO9IndXbkeox19z86tPepu/JvnAUXIhgzct4IIHGKo1RG55HIAIpMrRaNMG6JScW
+OkzDU9slgOZFSbnTsSTHzrJlkxn6kagdTC2rvXKrI4kCVAQTAQgAPgIbAwULCQgHAgYVCgkI
+CwIEFgIDAQIeAQIXgBYhBDF2732yNn8fyk8wax+bDpCa83KFBQJh0jLzBQkG/+umAAoJEB+b
+DpCa83KFUF0P/21Q8qVcy20daWySstGa8cR8yUFQSOiYtn+DbAciBle+RHIvnBcmkdyRmRNN
+tQhwg6c3wXr8X38/jsopH7c29v9kKvBoBTE495S85IKuacux/+PfL8itSZsF66EPEV9F94sA
+GZ3E+VOUCPhmGQPUpCXtxExSJ35KmVHWF0dGR95LeXIvj8Z8Jg/h1wCVMfzFgF++B4tv4vn5
+Iq6UNrRNCm6OPOAYslk7X3m2ozS7/e0sP/E6RioHCySoAS9GmOUEKCfHRPGEJ/CzUQxZO/WM
+mUR61xqTrE6cxLEGQ9mUvGAty5slioZv9Zc2GyrNZpVW5KHVOpJGiZ/KdfbOWyO/YGo456DJ
+t2Ie6vxad5wth6SKcVipyqjHaJP7vjHIr1e7nuFX0ayle5lyf9F1LXHPCmHoQ5Q6Z526hE1J
+ED1PwxqVCMQdwUd4oRGSehKSJMrF34H6QTzbz6Y52le/rjxYAM5bLeOBS0akB9ICOyLASwAa
+4F/soqBdc0MzpKfIiPDyZLgZsXgNUPzOvFSCBeFpmt3o+u+zNgE3cF+XBaoK4b28IgUrLeu2
+CY28nocJ5f7UQHsVev5SJODZ0yhzxNnaJoHgEfri5JjDv6PxuRpNXGG0Vxt/ETN7w6gABRM5
+3nNaS5WvVFei67oCQhxK58SPT5vYdJ48BjSVqYM9TQzC5cryiQJUBBMBCAA+FiEEMXbvfbI2
+fx/KTzBrH5sOkJrzcoUFAlzUcE0CGwMFCQHhM4AFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AA
+CgkQH5sOkJrzcoVYFRAAqnEdpZvRw8o1MvgoahonEQQ0KoNK2Q6IQT1iAlFg43hsf2Q6Lj1N
+8gaClrty5NKLiDxdFbIQzn2m/B+FJVftOlnCBLGIVe861FD7Mwg61bGbftl0irEgaXT2qASF
+a9FMWzfJbP7EukwTWjf9cHZkzqlF6+tpcKBf3LviuAc2kU+cmirNEmG9JnKoODEprUTwFo5c
+GQbx8BWWMoWkGqdOtLleThos38Gd0CxZXTLbEjOY7kAKJOFqHdTgjh2GPkWoUWo/2eWz4GBN
+8nDPOBto/Te5ybujCS8srdpjluPY45IHiie2j5Xnb7rsrdxCdBkIiUkIIy1xv+sI5jfl5gSZ
+HMnWpaTEcZP2Leje1R33reOrz/Jgv4zW7VG+cBUhq0SXMmT9Hpc7zulYUodZpUaKhFBypG9Q
+hVQmBqK3xnVLokYU1ysD3IyKntWSUGiCsijnMtgqCLSzZHAjR7U5aDed+/GOoTviD9wSMkbZ
+QXA97/USGLEI9k7vVZ5bpPwMG8C5JjpwusALA5ppoSustAFZ9xaQGe5tew6RYiJTabpjZI2l
+C3xChS9jzxwfFW2ItVdSABuvV/vdSSsc01PN7Pgdkc/IXotozW7WG4/xP1bImrTrnDn/WI/I
+NLZ0uF344WtlT10EEoQU9roZvoRenrAWqaQ4I6IffwBhCg+CYceO7y65Ag0EXNRwTQEQAOhM
+wHA6FxDjdxLDnPYZZ/HRCB3j+Fn5s+c/qiK3J54G4yYP91871FjDeF7pDsmcQRgCz0k6GeZO
+zFOkpCTGg6aMPkOiBo931OqckzhlACnLSCzR5b2bILTaUGnf4t41D6+tCFK2dfJBdQ0yYfB3
+la8kg9a7vtnlaM9UO0Tr+o9NYOWysUAa5fxS9jSF2CzgeZ6k9Wa0bj90u8N9cfsGrMB7F6TV
+PG4Tf7GbCvgMwaBfSQK74hXVWd0wjTW0VGIpxRfAYudJyB/2da5rOsMWh5hEe6dShwEQ1tJH
+njuBIJI1UZSyVtFqMj8NysftD7+Vrd6N3Fp5umUzc6tViag+u6s8Q8TxCXMaSwoVtBV1HHbq
+KiCzwd4XNwHfv/h0VrgM0SXrYVmHwUkLUNdOlAKWRZ7ExaTMx0oNaKwjr3FhV7W5utf6kQ9l
+MfS8gV0dJM1nZp0Zkgi/ojuIecqBQXJwTp1YQo1QmJHM0sKTu6pOOlTxizaT4Ak0etQf9SLi
+nltMeYEdCoFavWkWXIIP4YM94fuD5Ekc03b2iiCMKVONSr4dKaAPFEtV3uFIoS/VwG5QQ8mE
+hZZH9ymOeUrm+YvljFSfp1TDp9dGiYNKCx52Zj7wChqswzVEVFTqGEZqsYtyuuDQM0JhX6TG
+T75zmsqiJhBGl6nigGrdaRCnWvWv0n0dABEBAAGJAjsEGAEIACYCGwwWIQQxdu99sjZ/H8pP
+MGsfmw6QmvNyhQUCYdIzCwUJBv/rvgAKCRAfmw6QmvNyhXK5D/jBMCAdoJVW9ai4tKgNac3s
+xFjrtnLPo6lEzB4AXnltkC1VwULeDL+O3IueYCt7kyRr9vvogG/y/e8kpVIGvH8TcZd71EvU
+kM7Df9X88I5bPrA78MpWAEQGE1RxsFLQVppzAOeiXVTXy/nwS/8LKP28W5FNFH0M9qYmvTje
+S0YYwxr7DJU526B0JGiis4kXl81tYnd2H46cx1qjSMmWMV0dPWMbUG5gs3HtU4u5DpBgn7a+
+klihpmtxebWNV2vO3TCqYJps+WbvDPHpUsHFpW+wYvE0VosB9jYKzhOS94aGz4Yl7fTZq/tF
+4atBReoeESJi6RJWpvNmdSQPYrJu3BAGWnYTuniW9xhHhSYnCSrH3WfZSermU6XiAmKtZB5X
+w4HyjuJgKjUDjzVDOvpTQVcnpkBXkOdw0dIZDk61cq81p/R6bmxEGsIkMHNpxRfA1PNwjypg
+ioLF2Cyq5kB3IVc8KdpW4O3XaVSiMfvXlkvpQJmCPtxup8IqUmgL+ILTqLJaHOhpbb6bsikT
+DekUC9DIV58xQ5HuHI0qaTrDyZsG8CK6f+OwxKbXJh5QDFarM5YrOIHaOaBSICQtCgCBH/Jp
+388LOm8rTDqSHAQxp9ZjQafyLBaGHlHR2rvnztfV1LHS+9Pvven6J3Fj4r5hztJXuKUrOZ/B
+sLw8c7DnOI0UiQI8BBgBCAAmAhsMFiEEMXbvfbI2fx/KTzBrH5sOkJrzcoUFAl6yxcUFCQO/
+iPgACgkQH5sOkJrzcoW5Jg/9E2/nvRIKXQCR8t7BhzMr4qcI5rqAY/pA/SxuI6G3zqyJ14dk
+2g6QN7khdesFaYbJjak2pTVyBiffm5UBz9NzD6Aai6MYUSJnKBE9432gaVYv5L1PaVlybwHF
+bK3ayo+dI4gkN0gYlrA4l1BUX6SsDumawlTMWTB3/4fqKN5c4u+XL/ccT7z+BRQu12kYLmUj
+3xXjh3LxH9xuwJ6qj0Kq9cNZMHCfO5YJV8dhxA00GvdNCIZfgmmGbZFjoDR1qzM53SykqcFC
+9UXK0IzEv0p2zSRJ3UZwkbxP7CWm2xEWLv9glVQM5wTULcRhdARtgzeyq82fMS7DyEmshYKE
+L4o/kAcRwaOy8Kyl5PSadpEQdEBwX3DutGAPt/V5Vumdx8vKl2JX44F1euiNCYeQEmNYd1F8
+T2a8xSdQV1TUIoHugQ3QGex2+scR2SdOVdpey+VJLN7hxk5xUx957E7SQVf7tCVqq6BElUkv
+kQAr48XRfj2+KFPEhmb140VLJ/ilBITQ9CyhCYkywar9SDh9xf4q/cfBdhBXn9nK+vOgS1mP
+Tdjgd/RuR3n3n7RUKTnOBdx8744fgLNKfJ/MWxVQqufPUX73xxqNZDjXDKe8b5YgHMmgJj2R
+DNqnBj/+uKhcVPoI7y2DQU+aeBLlqxypmU74H04EdD8ikbByrMV2lBFwIfyJAjwEGAEIACYC
+GwwWIQQxdu99sjZ/H8pPMGsfmw6QmvNyhQUCYIszjgUJBZf2wQAKCRAfmw6QmvNyhU1fD/9m
+JGguTFO4J1nJAR2/n4DRV62L/IjaORhePqiiw5FOBNr5/9+ggj8yV7Il4MU9oWTM1DRcYMfH
+OvsA2yS5hrHPyifWHpcTqkudnecPBT1JnVvMivzX+s4x1ol4EyOQRByBoYCFsEYaRscNrDIT
+Mid4zWPy7rkVPDr1RB+cJb4lQzfRx6XG8bJuF8MymEd9S5GNxeHNigdnFP3v3QwhiqSabWHp
+ul+k5VelSRqOlfVPNCoCABIfd5nEEwkzpndsmRRjx3Qidkh7Dwp/l/PQC/QM6RM+m/3LpXJ+
+Xah3DqkZHq4EYhmq4QmLljzMoT9EUXxWhiB6r8Xfg9kXHLEw7fed5nB9lXo1UgnEiWiL9Fpc
+/7Zfm3hmkO9p1CO4SJCO6zHYNpL463Z6USnN/tLFcJFAJJNpChXRHPF4g2YEy4gs8IDNmzjy
+OMLDcnt9v6DNt23SVxdi5PrxlPvLTA09tjOQlR2jTCsfEW96F7AE3XKorvdm4GkU7jWFeIzv
+3RlpZZIZxGgfHvJ0gEA1UGKhdV9qZh46y5i2MwGILp7DZgr1ew9ekotmoqkO6Gh6SxI1d3c+
+IeS26+VNocVjQFjQvfoJ0CtR29AVCP5jYZtFeVIhwpLmoaIdfTKgo/QVOtzldK4dCxFNShiC
+Yj3gDv5ZyAzx4QYWqCT7kmJ70fDzMgnipYkCPAQYAQgAJhYhBDF2732yNn8fyk8wax+bDpCa
+83KFBQJc1HBNAhsMBQkB4TOAAAoJEB+bDpCa83KFDGMP/j/LjzcdTfiHWHc6E7EUM3qPWf8o
+bSL7Ft4l77x0vUGf2G3pQcngTI1SIMTTLAKkXhd6qPqCVPmM6kHK6IzwFcnMRFoMyoH/bVnZ
+kUs0NyU3DPg3OUc1Iunvcg27nHdZPLFRv8ey/qSyNiIEJu3hzyBIUO0ZDdOtUwkqnznrri+I
+pToD7gWoYM0CC/Aero/OaC20c6dU1s4zwmAjqfzb0Nqiv3CDrrvF0p3g6fn7BAyHxnYbS7ZX
+S8nPQEY0qp+yC0CR3jceXCwv9C1PhQiSfqiPBTL7CglOz02WSAxY7GInh3VitM2rruKcacpL
+VfjiZmFH4SUCys/7c1Sn+pJTfiqO/2sV4vutxfu3Q0xDYmcf7DK9BN7bZ01m3szTX/+5Ief0
+kpY+e5ZrfcRHUOAzA/dXeW8sErf+YvCU9Hyi/e5iWvbhaMg9HwMA37cEfhBmVwGBOS6nuFHn
+7TFoZrCNnFWEpfUJY++TThhNaVKlz5n3PXERFCJlfZtXf097cJJRJniBoA2jdfQqSJAgXArb
+ZPxRW0ohIfgj+lnvqNwB27trdnKKpxC6k6P1k0QZ1MP3tDRaz/k0WrVi4Sxps78/RzA7I9nA
+R1ovVUx8Tw2I9ru64SyyyYuaA2M5nQs4kMzA3P3oeFO9t91by/d/O1lj9HtGYEn5xLzb40Oy
+TfeDSyTpuQINBFzUck0BEADgwnBJBHWBnKwHhEJLYei4PMImRJSjoiYZi1EmiCT3u9+qEW/I
+Oy+VJPyf2OyLM9RoLzMrCRmYi41eFZryWsenpzHQVP28KbMHP+mdJOTyvX9Lt8Ohxa/m+ZG0
+vjhXLDBsRFmhEFDV14As8NcI1GivnpyNxTFDDWbmxDMw7zTSkjH8dqeB/Z/HTXWu0pdOrhXb
+85iZMsOZDUzmbKwBQTAOX7zPtmi4zheP49VXHGn3fNgvUb6QuzSQNtAKS7C2qPlIMug/vYyX
+RNM4dnC9aGYdjwXuEyNYLN131lqG6q98xxPRsbdnzDqTgPCZqk2dZq033Ad2zhNbhynycxXD
+pxQsRn4PQfKBgpr+IdNEP4UevaOueaVLSwtvcvXcqMYtrzSYIcNu0tnbDDZRxhgKM+3TkpZc
+107qowq6+SSPzWbg6hUY7vxKzDAgvYhn5Oin59sARfo0KkSAM1H8/ozYxdNGySqIQFewcjjL
+DpQnI2x/ZAU8nk0hltEzj+KmkJdJJI3becentmrdODySLO0fidrCmzhiuk8HLodDQ9apY+54
+fWwDDUws33yE4DtX5Y2/1nUvwDNpil6dRknAVGdc3OvIe+WAnsGR9SMSy4HruP/Yf+OZSCFt
+OSloe4MtP+qdyfx0vDg/mLffZxE8r+zSeB5IAp0BSbwUhdbeWGd+UpWCCwARAQABiQRyBBgB
+CAAmAhsCFiEEMXbvfbI2fx/KTzBrH5sOkJrzcoUFAl6yxcUFCQO/hvgCQMF0IAQZAQgAHRYh
+BMuN5wqQz79sO/XMVpYmKs/7067GBQJc1HJNAAoJEJYmKs/7067G2s8QAIP/MH/Xzbuhz7uO
++6FFNS7kk00zQImC1Y0yYyeyy2UWsSD4HUdE05CoJCMSwHXpTNzDs/aackTsKivEINYPvTwb
+EGPMPqv9MVD78T46iwSuA+Qg32CDLAjubby8Q55DXYS/q40CZaLzg7OQT8IH03ewxzrtpdLr
+nXnYN1ktwBFokv5ZsxB5BhEJfbEHEqdoNk2STQv5p/Ikrc5C/hefHSKXV4cJRYoPkrdnr0ZH
+yevB5iGuR9zMxmkLD+NyIqqVqxjWQNjLoEdY+xKnezHiIZvGb6nH55DosZY5/IHgLUJsLFcY
+NfLFSVdAzF0py+A5nY0PJarlZptOi22tSsSXX5EKWHLTZUUcs1uBrmydVFMsT3ZC+8pHxLyK
+Gn+f+89jdUCzidQ+545OYnNTzxTjGytG9Y/KEVDYUWAm9OSSLJjDpt4RDVF6yte8cHJfdC9Y
+pazet2Z2GMtGa6g6dv7NhDF+JCEhnMraPaLHbWnABP47AJZ1cRvYfE2lyHBzfKWyWJ56BWH9
+Sf7p6DwehqIAo0erPAcnBDcbrfrHaSnFLvW9UpIGAGvBMXZqAoZNNsXqq7OMHRt9rWZXOGke
+GAINnwlQIT3ffKMounUS9xzLM0kZdf7BS7K5+5gcjJPh1b1yvBYApioBAXbnaTmqvdwr03FL
+noGi5/0671t0iUGSqbF4CRAfmw6QmvNyhXnWD/4h3rEK6AkbcZ5EMiWdCphpje+vbjIBGj2o
+XaJIKSWiXrvI+ueWfrFcdOfl4vq2CGMp/rjKTR26xkTk+JQws7mcXX6xHCODQreQEfOFQnpG
+kQBxJ/Mlx3dqjKlEgHCUp9sDYS2UaYMM4b6D3WWohSbFK/KhC/qH+51cviBcCFoaXtCaGy6v
+gFzhwUpXmmk3aMaPvJ/yWFa5qfP3IcSVd2mK6QPSUkRjqqUEnXk79Q3j2tmvh2Dl4+KOlt+2
+aPvs4oITr3bhHHK4nvbwc/JAl744mxg8EE/dlkS+uHGlNfHzzQuud75dLxGeyjLCr/FGUUrA
+g12D4Z4tDPtJHLwWOs9rIZWk3W16VpVSyzP+7bREuiNsCat0saGQm5T4TCBn7JiuHu5R/jG0
+gHBjrEZ0EvQxUyRqmT2irnCQ8EY6icuVA6oJGjX+nt1HO7n/5XFFb32ZZueX575zg47VGgUY
+18z5tURzHRS0/OkYjKlCau6JPqe4tmePSHTi51KfpnlzZ5f7L3vYVFlh4i30TQVX3qoZw8R4
+qOTkashJCDOnB2Y4Ll8gww5ttfuC7Kc3H5P/QvcEQj6G5m895QlVyD7keyssKA2hycTp81OH
+kNd9bxkkxFXw+ebVTii8R4Fu3uFLDD7nPPIJyES5rzHuQDGwZ+GdQs+a9lDQrBfNKGy0tGGI
+sYkEcgQYAQgAJgIbAhYhBDF2732yNn8fyk8wax+bDpCa83KFBQJgizOSBQkFl/TBAkDBdCAE
+GQEIAB0WIQTLjecKkM+/bDv1zFaWJirP+9OuxgUCXNRyTQAKCRCWJirP+9OuxtrPEACD/zB/
+1827oc+7jvuhRTUu5JNNM0CJgtWNMmMnsstlFrEg+B1HRNOQqCQjEsB16Uzcw7P2mnJE7Cor
+xCDWD708GxBjzD6r/TFQ+/E+OosErgPkIN9ggywI7m28vEOeQ12Ev6uNAmWi84OzkE/CB9N3
+sMc67aXS65152DdZLcARaJL+WbMQeQYRCX2xBxKnaDZNkk0L+afyJK3OQv4Xnx0il1eHCUWK
+D5K3Z69GR8nrweYhrkfczMZpCw/jciKqlasY1kDYy6BHWPsSp3sx4iGbxm+px+eQ6LGWOfyB
+4C1CbCxXGDXyxUlXQMxdKcvgOZ2NDyWq5WabTottrUrEl1+RClhy02VFHLNbga5snVRTLE92
+QvvKR8S8ihp/n/vPY3VAs4nUPueOTmJzU88U4xsrRvWPyhFQ2FFgJvTkkiyYw6beEQ1ResrX
+vHByX3QvWKWs3rdmdhjLRmuoOnb+zYQxfiQhIZzK2j2ix21pwAT+OwCWdXEb2HxNpchwc3yl
+slieegVh/Un+6eg8HoaiAKNHqzwHJwQ3G636x2kpxS71vVKSBgBrwTF2agKGTTbF6quzjB0b
+fa1mVzhpHhgCDZ8JUCE933yjKLp1EvccyzNJGXX+wUuyufuYHIyT4dW9crwWAKYqAQF252k5
+qr3cK9NxS56Bouf9Ou9bdIlBkqmxeAkQH5sOkJrzcoXLuA/9E35tq9kEQLfVk/XIPaNcK1cY
+thOICf/LfZVcNvlGxIfMGfuEbQ+1eWcdVa/UW1Kff3VUOZaAjyRbpdrVbEUCyoFnnMEs/GbC
+G5+gWGpgwD6jt7tESCCpQIssp3b8vf69SWNH8jKY4LXPkeSaxuhFWlUjaJXnvCMYWeHTPTke
+BKHVMoAKYWKr7t6jgLDGoNO+B0l4vVGq2K8M0obd5Wn8HV1IgYu9yP5CX8KzYkSyg9Vc2djQ
+4k9aKfCthVwwKJ+OH1MJFpEKYihmUweaGo9+32sHdT4ifyn6zS+K8HHZGlK6DeBlqrWkx7GP
+wHZWtq6v2DxcobZieLoLmyDZlJFJHjbKZ9Bg/OqUaqCyuFzHoVC0UTRIgvblButt1agaMPz/
+7+VdXZUKmXjZjopW6R7ScxK/q4uvKykY+r0eDTihLp6Nyb7m96Xv8HvlBe9Vzxm//PtosZUs
+sQatJHMecKePEhkY0i/bqm4CAur7ESfWatgZhZC0MIG0jTCB6O7ueBVTKX80eXeyErYt+Wra
+iH6wuBW8GCLuuMnAiaVkoknx75Oyqirr3Una2xoGGMcER2+QTWTxD/GuiPIOK6z1ktglCjIH
+hK+bedsSrv6pnJtcdc42btv57ZmslyjiSIOwnCHQNfODjc9Ke4/FtVnsRmIhn/NXI8OdL5oH
+vI4Hu/sWWdGJBHIEGAEIACYCGwIWIQQxdu99sjZ/H8pPMGsfmw6QmvNyhQUCYdIzLgUJBv/p
+4QJAwXQgBBkBCAAdFiEEy43nCpDPv2w79cxWliYqz/vTrsYFAlzUck0ACgkQliYqz/vTrsba
+zxAAg/8wf9fNu6HPu477oUU1LuSTTTNAiYLVjTJjJ7LLZRaxIPgdR0TTkKgkIxLAdelM3MOz
+9ppyROwqK8Qg1g+9PBsQY8w+q/0xUPvxPjqLBK4D5CDfYIMsCO5tvLxDnkNdhL+rjQJlovOD
+s5BPwgfTd7DHOu2l0uudedg3WS3AEWiS/lmzEHkGEQl9sQcSp2g2TZJNC/mn8iStzkL+F58d
+IpdXhwlFig+St2evRkfJ68HmIa5H3MzGaQsP43IiqpWrGNZA2MugR1j7Eqd7MeIhm8Zvqcfn
+kOixljn8geAtQmwsVxg18sVJV0DMXSnL4DmdjQ8lquVmm06Lba1KxJdfkQpYctNlRRyzW4Gu
+bJ1UUyxPdkL7ykfEvIoaf5/7z2N1QLOJ1D7njk5ic1PPFOMbK0b1j8oRUNhRYCb05JIsmMOm
+3hENUXrK17xwcl90L1ilrN63ZnYYy0ZrqDp2/s2EMX4kISGcyto9osdtacAE/jsAlnVxG9h8
+TaXIcHN8pbJYnnoFYf1J/unoPB6GogCjR6s8BycENxut+sdpKcUu9b1SkgYAa8ExdmoChk02
+xeqrs4wdG32tZlc4aR4YAg2fCVAhPd98oyi6dRL3HMszSRl1/sFLsrn7mByMk+HVvXK8FgCm
+KgEBdudpOaq93CvTcUuegaLn/TrvW3SJQZKpsXgJEB+bDpCa83KFsXUP/2EnRVBTcGNoFUlM
+pix9my9IMvGCoYcV3PlPPIucZqmyFH1ky+jKNRlTKW6lim+dsrHrKnFkQ/swv6dZnjkph0tK
+xqpcc3yYIieUPoy9ypddxy5Q199yBBceGU/+UTYMWqVgOOELXeblTICoV+GTveQ9DkxpRf2U
+9kJ8Vhb5hUA4mUC2Wez99ucljwQl72ayP7RoDIQ12GrrX5fFQi+1mnwqJPu8y2AUeCSC7Dzz
+yfgZC9hJD8O8KeH03XCefoSfxAO4HH9Er1UN9TSFSzsIftK/G4cW8Xoqh7S/5tLaRk7/dCGc
+tmEM06SbacwiZFgYP7xAkYgg55tGX8ULxVQI4KpjXP3RLaw5a3RUUm9Sg7+bQgU1jB0qxq2L
+uXpPMWmapiX6uWx8PJrWJ21XNnHmcszwStyTWCYMaH1Zcdqy5bWe9oklIKVBus8k2Iu0Rk34
+hmPgaB3TG/wyOraUnNZewccxFc9mls5o1v48lrm4ZERW9djwUIj/eCU5Z3fbubdk32R5E9Nv
+MlcxcE+5SHKFJd0H2cVZPnhI5G90P/eQFAkmGhpGtpSQ9AmH9rP+K/GB1Jj4GM2u3IDwMgds
+JhTGUfJh1UW6phBx6x5WMN/nrylFv7U7spggFfStlK3AmKy6zR3xlugmmmKc65XCTl/KG7wu
+nG5VutE9BCxlviVKeE5eiQRyBBgBCAAmFiEEMXbvfbI2fx/KTzBrH5sOkJrzcoUFAlzUck0C
+GwIFCQHhM4ACQAkQH5sOkJrzcoXBdCAEGQEIAB0WIQTLjecKkM+/bDv1zFaWJirP+9OuxgUC
+XNRyTQAKCRCWJirP+9OuxtrPEACD/zB/1827oc+7jvuhRTUu5JNNM0CJgtWNMmMnsstlFrEg
++B1HRNOQqCQjEsB16Uzcw7P2mnJE7CorxCDWD708GxBjzD6r/TFQ+/E+OosErgPkIN9ggywI
+7m28vEOeQ12Ev6uNAmWi84OzkE/CB9N3sMc67aXS65152DdZLcARaJL+WbMQeQYRCX2xBxKn
+aDZNkk0L+afyJK3OQv4Xnx0il1eHCUWKD5K3Z69GR8nrweYhrkfczMZpCw/jciKqlasY1kDY
+y6BHWPsSp3sx4iGbxm+px+eQ6LGWOfyB4C1CbCxXGDXyxUlXQMxdKcvgOZ2NDyWq5WabTott
+rUrEl1+RClhy02VFHLNbga5snVRTLE92QvvKR8S8ihp/n/vPY3VAs4nUPueOTmJzU88U4xsr
+RvWPyhFQ2FFgJvTkkiyYw6beEQ1ResrXvHByX3QvWKWs3rdmdhjLRmuoOnb+zYQxfiQhIZzK
+2j2ix21pwAT+OwCWdXEb2HxNpchwc3ylslieegVh/Un+6eg8HoaiAKNHqzwHJwQ3G636x2kp
+xS71vVKSBgBrwTF2agKGTTbF6quzjB0bfa1mVzhpHhgCDZ8JUCE933yjKLp1EvccyzNJGXX+
+wUuyufuYHIyT4dW9crwWAKYqAQF252k5qr3cK9NxS56Bouf9Ou9bdIlBkqmxeKcnD/4+1HUg
+5cKrfSTXZNsuOU7AnlybWpU7Jl8YdxfeuCCe+I5W3jTYqljpCRGWBAHtE3udB37JXKSn8yH7
+0JzXQDWL9+G1wqk5iwkvtmKqAapzJFuZ9lYNlNGYDxI9foTq99f+OheFnT3nUm8IA9N0MwjG
+CIJ5501HM+NO8WylVoy0Y+erxbyQGC2Ey7YjVZSuCTZo3BuYiSCP8Bmd9qHxCJmBGQgbtA/2
+QBcLZ8o/z9w0U39Iwsei8oacZncVTIFnBDsU3E25M1eyQ8VdcAqLL7v3UFOi+20zBBs+g8jB
+BdzXUVhp+RAsXldo8i/qtdD4/90UXT7FBXmImGtzOVmza23v7Dyq7P/ZueEAqhr7vtW97UQ7
++YkXDa4rHi4HrGJClrdxixEyCTPrD++SvwxAud3hAUKZF9hOb0fD9A7cn63EERVgaJGAi7p9
+Oqqbqni8JOssQF6TeCUFP+X3nR4+iy8EX4scfN6LUB6/mnhoRVZ3GNEzPAZi9PGe8RqWJqUM
+trBVUPVxcwAgfijPmmMIXIUyZk5ysTQeT3eJVd3R3yxORfaHSD5kuHnXWwsp/yYltsLI/hBt
+Va8N7XZdzZ9JDT8fIWj5515DsfunTtksrObpRdiq4lxAoYqiboI+L1BCHwvaTy9ghXhhpgny
+m0DJk2bmucRair96apTzdYoszd7iLA==
+=DiYK
+-----END PGP PUBLIC KEY BLOCK-----

expat.spec

@@ -0,0 +1,134 @@
+#
+# spec file for package expat
+#
+# Copyright (c) 2022 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%global unversion 2_5_0
+Name:           expat
+Version:        2.5.0
+Release:        0
+Summary:        XML Parser Toolkit
+License:        MIT
+Group:          Development/Libraries/C and C++
+URL:            https://libexpat.github.io
+Source0:        https://github.com/libexpat/libexpat/releases/download/R_%{unversion}/expat-%{version}.tar.xz
+Source1:        https://github.com/libexpat/libexpat/releases/download/R_%{unversion}/expat-%{version}.tar.xz.asc
+Source2:        baselibs.conf
+Source3:        %{name}faq.html
+# https://www.gentoo.org/inside-gentoo/developers/index.html#sping
+# https://keys.gentoo.org/pks/lookup?op=get&search=0x1F9B0E909AF37285#/%{name}.keyring
+Source4:        %{name}.keyring
+# PATCH FIX-UPSTREAM: bsc#1221289 (CVE-2024-28757)
+# https://github.com/libexpat/libexpat/pull/842
+Patch0:         expat-CVE-2024-28757.patch
+Patch1:         expat-fix-minicheck.patch
+
+# detect integer overflow in function nextScaffoldPart
+# UPSTREAM-FIX: (CVE-2024-45492, bsc#1229932) https://github.com/libexpat/libexpat/pull/892
+Patch2:         expat-CVE-2024-45492.patch
+
+# detect integer overflow in dtdCopy
+# UPSTREAM-FIX: (bsc#1229931, CVE-2024-45491) https://github.com/libexpat/libexpat/pull/891
+Patch3:         expat-CVE-2024-45491.patch
+
+# reject negative len for XML_ParseBuffer
+# UPSTREAM-FIX: (bsc#1229930, CVE-2024-45490) https://github.com/libexpat/libexpat/pull/890
+Patch4:         expat-CVE-2024-45490.patch
+
+
+BuildRequires:  gcc-c++
+BuildRequires:  libtool
+BuildRequires:  pkgconfig
+
+%description
+Expat is an XML parser library written in C. It is a stream-oriented
+parser in which an application registers handlers for things the
+parser might find in the XML document (like start tags).
+
+%package -n libexpat1
+Summary:        XML Parser Toolkit
+Group:          System/Libraries
+
+%description -n libexpat1
+Expat is an XML parser library written in C. It is a stream-oriented
+parser in which an application registers handlers for things the
+parser might find in the XML document (like start tags).
+
+%package -n libexpat-devel
+Summary:        Development files for expat, an XML parser toolkit
+Group:          Development/Libraries/C and C++
+Requires:       glibc-devel
+Requires:       libexpat1 = %{version}
+
+%description -n libexpat-devel
+Expat is an XML parser library written in C. It is a stream-oriented
+parser in which an application registers handlers for things the
+parser might find in the XML document (like start tags).
+
+This package contains the development headers for the library found
+in libexpat.
+
+%prep
+%autosetup -p1
+
+cp %{SOURCE3} .
+rm -f examples/*.dsp
+
+%build
+%configure \
+  --disable-silent-rules \
+  --docdir="%{_docdir}/%{name}" \
+  --disable-static
+%if 0%{?do_profiling}
+  %make_build CFLAGS="%{optflags} %{cflags_profile_generate}"
+  %make_build CFLAGS="%{optflags} %{cflags_profile_generate}" LDFLAGS="%{optflags} %{cflags_profile_generate}" check
+  %make_build clean
+  %make_build CFLAGS="%{optflags} %{cflags_profile_feedback}"
+%else
+  %make_build CFLAGS="%{optflags}"
+%endif
+
+%install
+%make_install
+find %{buildroot} -type f -name "*.la" -delete -print
+# Fix permissions error: spurious-executable-perm
+chmod 0644 examples/elements.c
+
+%check
+%make_build check
+
+%post -n libexpat1 -p /sbin/ldconfig
+%postun -n libexpat1 -p /sbin/ldconfig
+
+%files
+%license COPYING
+%doc AUTHORS README.md expatfaq.html
+%doc doc/reference.html doc/style.css
+%doc examples/elements.c examples/outline.c examples/Makefile.am examples/Makefile.in
+%doc changelog
+%{_bindir}/xmlwf
+
+%files -n libexpat1
+%{_libdir}/libexpat.so.*
+
+%files -n libexpat-devel
+%{_includedir}/*
+%{_libdir}/libexpat.so
+%{_libdir}/pkgconfig/expat.pc
+%dir %{_libdir}/cmake
+%{_libdir}/cmake/expat-%{version}
+
+%changelog

expatfaq.html

@@ -0,0 +1,100 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
+"http://www.w3.org/TR/REC-html40/loose.dtd">
+
+<!--
+   Note for SuSE package maintainers: this file was taken
+   verbatim from http://www.jclark.com/xml/expatfaq.html
+   and has since has obsolete information removed.
+-->
+
+<HTML>
+
+<TITLE>expat FAQ</TITLE>
+
+<BODY>
+
+<H1>Frequently Asked Questions about Expat</H1>
+
+<H4>Where can I get help in using expat?</H4>
+
+<p>Try the xml-dev mailing list (subscribe by mailing to <a
+href="mailto:majordomo@xml.org&BODY=subscribe%20xml-dev">majordomo@xml.org</a>
+with the message <code>subscribe xml-dev</code>).  Alternatively try
+the mailing lists hosted by <A
+href="http://expat.sourceforge.net">sourceforge.net</A>.</P>
+
+<H4>Where is expat's API documented?</H4>
+
+<p>In <code>xmlparse/xmlparse.h</code>.  There's also an advanced,
+low-level API you can use which is documented in
+<code>xmltok/xmltok.h</code>.</p>
+
+<p>There's also an excellent <a
+href="http://www.xml.com/pub/1999/09/expat/index.html">article</a>
+about expat on XML.com by Clark Cooper.</p>
+
+<H4>Is there a simple example of using expat's API?</H4>
+
+<p>See <code>sample/elements.c</code></p>
+
+<H4>How can I get expat to deal with non-ASCII characters?</H4>
+
+<P>By default, expat assumes that documents are encoded in UTF-8.  In
+UTF-8, ASCII characters are represented by a single byte as they would
+be in ASCII, but non-ASCII characters are represented by a sequence of
+two or more bytes all with the 8th bit set.  The encoding most widely
+used for European languages is ISO 8859-1 which is not compatible with
+UTF-8.  To use this encoding, expat must be told either by supplying
+an argument of <code>"iso-8859-1"</code> to
+<code>XML_ParserCreate</code>, or by starting the document with
+<code>&lt;?xml version="1.0" encoding="iso-8859-1"?&gt;</code>.</P>
+
+<H4>What encodings does expat support?</H4>
+
+<P>expat has built in support for the following encodings:</P>
+
+<ul>
+<li><code>utf-8</code></li>
+<li><code>utf-16</code></li>
+<li><code>iso-8859-1</code></li>
+<li><code>us-ascii</code></li>
+</ul>
+
+<P>Additional encodings can be supported by using
+<code>XML_SetUnknownEncodingHandler</code>.</P>
+
+<H4>How can I get expat to validate my XML documents?</H4>
+
+<p>You can't.  expat is not a validating parser.</p>
+
+<H4>How can I get expat to read my DTD?</H4>
+
+<p>Compile with <code>-DXML_DTD</code> and call
+<code>XML_SetParamEntityParsing</code>.</p>
+
+<H4>How can I get expat to recover from errors?</H4>
+
+<p>You can't.  All well-formedness errors stop processing.  Note that
+the XML Recommendation does not permit conforming XML processors to
+continue normal processing after a fatal error.</p>
+
+<H4>How do I get at the characters between tags?</H4>
+
+<p>Use <code>XML_SetCharacterDataHandler</code>.</p>
+
+<H4>How can I minimize the size of expat?</H4>
+
+<p>Compile with <code>-DXML_MIN_SIZE</code>. With Visual C++, use the
+<code>Win32 MinSize</code> configuration: this creates an
+<code>xmlparse.dll</code> that does not require
+<code>xmltok.dll</code>.</p>
+
+<ADDRESS>
+
+<A HREF="mailto:jjc@jclark.com">James Clark</A>
+
+</ADDRESS>
+
+</BODY>
+
+</HTML>