From af55fce15fc1ac4c308c58bda87f874a06af8d34d1512081d5b1b374939f5ec8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Fri, 28 Feb 2025 10:52:43 +0100 Subject: [PATCH] Sync from SUSE:SLFO:1.1 expat revision cd72bb6e7b9df978dc43a255e2c7c0e0 --- expat-2.5.0.tar.xz | 3 + expat-2.5.0.tar.xz.asc | 16 ++ expat-2.6.4.tar.xz | 3 - expat-2.6.4.tar.xz.asc | 16 -- expat-CVE-2024-28757.patch | 319 +++++++++++++++++++++++++ expat-CVE-2024-50602.patch | 111 +++++++++ expat-fix-minicheck.patch | 57 +++++ expat.changes | 178 +------------- expat.keyring | 474 +++++++++++++++++++------------------ expat.spec | 56 +++-- 10 files changed, 788 insertions(+), 445 deletions(-) create mode 100644 expat-2.5.0.tar.xz create mode 100644 expat-2.5.0.tar.xz.asc delete mode 100644 expat-2.6.4.tar.xz delete mode 100644 expat-2.6.4.tar.xz.asc create mode 100644 expat-CVE-2024-28757.patch create mode 100644 expat-CVE-2024-50602.patch create mode 100644 expat-fix-minicheck.patch diff --git a/expat-2.5.0.tar.xz b/expat-2.5.0.tar.xz new file mode 100644 index 0000000..8493364 --- /dev/null +++ b/expat-2.5.0.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ef2420f0232c087801abf705e89ae65f6257df6b7931d37846a193ef2e8cdcbe +size 460560 diff --git a/expat-2.5.0.tar.xz.asc b/expat-2.5.0.tar.xz.asc new file mode 100644 index 0000000..057be16 --- /dev/null +++ b/expat-2.5.0.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEy43nCpDPv2w79cxWliYqz/vTrsYFAmNYAlAACgkQliYqz/vT +rsYnzw/+Nn8rFvElM2th9ex3Yt6UkNtx/hZWITig7URH7wHtShHA957xMcJiby4R +/RoKbtcb3+RNeOtDMycT4wFy2p/tmuJ3mPL0ewFkKkfw1Uk489AbYukzSbg/YmNZ +3+r6DFAd+kJOpe+6m4Nhxg2iohVQoXjQPBK02njkuKN66thrFGxnQDfi62qAbIm+ +7Ac+McmOypDuG1H+E2eeRIMwgGyU2yiCvqtleKfRaF596wdfbv/gIFcETKI7wMnV +ExAhZSVDgiojGqwhW7vZOvrwmuDsZOazVSMyasntJazCynWLZ5hAkRtpNvsvIR3i +cUd904PPjrr5VFQmDQxI4HieeloI5aipl7y4wR+g7WE1JjKs4ScVA8llIsLvZie/ +fZh+Fz/TS4B8hJpnkRGXc7IpovXyFDb+C0WkBxy77OvdEu7QgXaIh1+AT10FkQsF +HbJT3vHk71D3D5JlUv9DPL8YZ3gFTQF7LwpvfJVDUiYe3hn+f4u4XAt6F3zVnXok +NEs8fflALfgtIC46nPbhcrxQdO/CyWGIWhisDwoB6FHloZc8EWuWidg7SOdApK1W +s2ycdH7XLEBXCriIpKWHS9ebkWyPQHe/Ezi2pv0ieZU1TVtV6nVv5YlH2QHBoZJK +VPlgb5u2zVp9y/bthnZPgRId53kdnZCXezKLQ+wc27Taojpnzws= +=UAN0 +-----END PGP SIGNATURE----- diff --git a/expat-2.6.4.tar.xz b/expat-2.6.4.tar.xz deleted file mode 100644 index 79dce87..0000000 --- a/expat-2.6.4.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:a695629dae047055b37d50a0ff4776d1d45d0a4c842cf4ccee158441f55ff7ee -size 486732 diff --git a/expat-2.6.4.tar.xz.asc b/expat-2.6.4.tar.xz.asc deleted file mode 100644 index a7f4e0a..0000000 --- a/expat-2.6.4.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEy43nCpDPv2w79cxWliYqz/vTrsYFAmcsGa8ACgkQliYqz/vT -rsYJMA/+NxOVa+kCFEzhMHD9RCumwFj7lfmJDPM6rroLi9GqnKc8165Ub7e+o3bq -fdPCIFiZkYTGpliU3Q9zlMEBTZ1TtsaqVGgjabK9YKf8ZTK1MUR2z/B6gWLfjo8F -knhj0KonqeRxtcKPSYs9xP+/sNlGkEQjZgrfo2Z9oX8Q7eNGn/fAxmbjhBhvILwG -mKmwwc8PSi7RCNLgaoyikhcddohclApXU1Qid1g6FwnxQ5aKXSeoPgu1bGrDiz6k -/RkO+KR1Yfkcty97CwVV5+4EHTB1aa/fk3gHgprHD9qx+NLeKyD4+44AxseCMiSS -FXP8S5Z2qaopIS6tvuKXiyH1mTCJQugFsxk3GnQBlgkvj4rypr8MnUAALam13OMh -ziRndeMR2ieJ1ASJYfkjLeXVi4pz/pnRECAUAxly5z8Zx5N+IX9bOgjpwhd6QtOt -rVbq3wgLKmlEch8KcsL4RpGGkiK5gchsqXDM/g0cCu8vNC8+pDO3sNIQJDsmySYt -X3ewzOv+Vj3LCoeospnyLjNBOh5upgm1s6iq6bsxr29FU1MfaP1awm7jtYmr7ch9 -wr24fPhXopp5emWnJP3O4GQj8Q1mcPFLmGy0wmVdnr8tzKzyHx9Q2WNhQUcYdnR1 -0qmKBSttGXPK4o+/7Q5zALapx+jYlUcQ0dKxhAPuBPGYxPTm5h8= -=jbKR ------END PGP SIGNATURE----- diff --git a/expat-CVE-2024-28757.patch b/expat-CVE-2024-28757.patch new file mode 100644 index 0000000..2823ee4 --- /dev/null +++ b/expat-CVE-2024-28757.patch @@ -0,0 +1,319 @@ +From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 4 Mar 2024 23:49:06 +0100 +Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with + isolated external parser + +When parsing DTD content with code like .. + + XML_Parser parser = XML_ParserCreate(NULL); + XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); + enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE); + +.. there are 0 bytes accounted as direct input and all input from `doc` accounted +as indirect input. Now function accountingGetCurrentAmplification cannot calculate +the current amplification ratio as "(direct + indirect) / direct", and it did refuse +to divide by 0 as one would expect, but it returned 1.0 for this case to indicate +no amplification over direct input. As a result, billion laughs attacks from +DTD-only input were not detected with this isolated way of using an external parser. + +The new approach is to assume direct input of length not 0 but 22 -- derived from +ghost input "", the shortest possible way to include an external +DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22". + +GitHub issue #839 has more details on this issue and its origin in ClusterFuzz +finding 66812. +--- + +From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 4 Mar 2024 23:49:06 +0100 +Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with + isolated external parser + +When parsing DTD content with code like .. + + XML_Parser parser = XML_ParserCreate(NULL); + XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); + enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE); + +.. there are 0 bytes accounted as direct input and all input from `doc` accounted +as indirect input. Now function accountingGetCurrentAmplification cannot calculate +the current amplification ratio as "(direct + indirect) / direct", and it did refuse +to divide by 0 as one would expect, but it returned 1.0 for this case to indicate +no amplification over direct input. As a result, billion laughs attacks from +DTD-only input were not detected with this isolated way of using an external parser. + +The new approach is to assume direct input of length not 0 but 22 -- derived from +ghost input "", the shortest possible way to include an external +DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22". + +GitHub issue #839 has more details on this issue and its origin in ClusterFuzz +finding 66812. +--- + +From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 4 Mar 2024 23:49:06 +0100 +Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with + isolated external parser + +When parsing DTD content with code like .. + + XML_Parser parser = XML_ParserCreate(NULL); + XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); + enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE); + +.. there are 0 bytes accounted as direct input and all input from `doc` accounted +as indirect input. Now function accountingGetCurrentAmplification cannot calculate +the current amplification ratio as "(direct + indirect) / direct", and it did refuse +to divide by 0 as one would expect, but it returned 1.0 for this case to indicate +no amplification over direct input. As a result, billion laughs attacks from +DTD-only input were not detected with this isolated way of using an external parser. + +The new approach is to assume direct input of length not 0 but 22 -- derived from +ghost input "", the shortest possible way to include an external +DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22". + +GitHub issue #839 has more details on this issue and its origin in ClusterFuzz +finding 66812. +--- + +From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 4 Mar 2024 23:49:06 +0100 +Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with + isolated external parser + +When parsing DTD content with code like .. + + XML_Parser parser = XML_ParserCreate(NULL); + XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); + enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE); + +.. there are 0 bytes accounted as direct input and all input from `doc` accounted +as indirect input. Now function accountingGetCurrentAmplification cannot calculate +the current amplification ratio as "(direct + indirect) / direct", and it did refuse +to divide by 0 as one would expect, but it returned 1.0 for this case to indicate +no amplification over direct input. As a result, billion laughs attacks from +DTD-only input were not detected with this isolated way of using an external parser. + +The new approach is to assume direct input of length not 0 but 22 -- derived from +ghost input "", the shortest possible way to include an external +DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22". + +GitHub issue #839 has more details on this issue and its origin in ClusterFuzz +finding 66812. +--- + +From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 4 Mar 2024 23:49:06 +0100 +Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with + isolated external parser + +When parsing DTD content with code like .. + + XML_Parser parser = XML_ParserCreate(NULL); + XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); + enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE); + +.. there are 0 bytes accounted as direct input and all input from `doc` accounted +as indirect input. Now function accountingGetCurrentAmplification cannot calculate +the current amplification ratio as "(direct + indirect) / direct", and it did refuse +to divide by 0 as one would expect, but it returned 1.0 for this case to indicate +no amplification over direct input. As a result, billion laughs attacks from +DTD-only input were not detected with this isolated way of using an external parser. + +The new approach is to assume direct input of length not 0 but 22 -- derived from +ghost input "", the shortest possible way to include an external +DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22". + +GitHub issue #839 has more details on this issue and its origin in ClusterFuzz +finding 66812. +--- + +From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 4 Mar 2024 23:49:06 +0100 +Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with + isolated external parser + +When parsing DTD content with code like .. + + XML_Parser parser = XML_ParserCreate(NULL); + XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); + enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE); + +.. there are 0 bytes accounted as direct input and all input from `doc` accounted +as indirect input. Now function accountingGetCurrentAmplification cannot calculate +the current amplification ratio as "(direct + indirect) / direct", and it did refuse +to divide by 0 as one would expect, but it returned 1.0 for this case to indicate +no amplification over direct input. As a result, billion laughs attacks from +DTD-only input were not detected with this isolated way of using an external parser. + +The new approach is to assume direct input of length not 0 but 22 -- derived from +ghost input "", the shortest possible way to include an external +DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22". + +GitHub issue #839 has more details on this issue and its origin in ClusterFuzz +finding 66812. +--- + +From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 4 Mar 2024 23:49:06 +0100 +Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with + isolated external parser + +When parsing DTD content with code like .. + + XML_Parser parser = XML_ParserCreate(NULL); + XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); + enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE); + +.. there are 0 bytes accounted as direct input and all input from `doc` accounted +as indirect input. Now function accountingGetCurrentAmplification cannot calculate +the current amplification ratio as "(direct + indirect) / direct", and it did refuse +to divide by 0 as one would expect, but it returned 1.0 for this case to indicate +no amplification over direct input. As a result, billion laughs attacks from +DTD-only input were not detected with this isolated way of using an external parser. + +The new approach is to assume direct input of length not 0 but 22 -- derived from +ghost input "", the shortest possible way to include an external +DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22". + +GitHub issue #839 has more details on this issue and its origin in ClusterFuzz +finding 66812. +--- + +From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 4 Mar 2024 23:49:06 +0100 +Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with + isolated external parser + +When parsing DTD content with code like .. + + XML_Parser parser = XML_ParserCreate(NULL); + XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); + enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE); + +.. there are 0 bytes accounted as direct input and all input from `doc` accounted +as indirect input. Now function accountingGetCurrentAmplification cannot calculate +the current amplification ratio as "(direct + indirect) / direct", and it did refuse +to divide by 0 as one would expect, but it returned 1.0 for this case to indicate +no amplification over direct input. As a result, billion laughs attacks from +DTD-only input were not detected with this isolated way of using an external parser. + +The new approach is to assume direct input of length not 0 but 22 -- derived from +ghost input "", the shortest possible way to include an external +DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22". + +GitHub issue #839 has more details on this issue and its origin in ClusterFuzz +finding 66812. +--- + expat/lib/xmlparse.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +Index: expat-2.5.0/lib/xmlparse.c +=================================================================== +--- expat-2.5.0.orig/lib/xmlparse.c ++++ expat-2.5.0/lib/xmlparse.c +@@ -7655,6 +7655,8 @@ copyString(const XML_Char *s, const XML_ + + static float + accountingGetCurrentAmplification(XML_Parser rootParser) { ++ // 1.........1.........12 => 22 ++ const size_t lenOfShortestInclude = sizeof("") - 1; + const XmlBigCount countBytesOutput + = rootParser->m_accounting.countBytesDirect + + rootParser->m_accounting.countBytesIndirect; +@@ -7662,7 +7664,9 @@ accountingGetCurrentAmplification(XML_Pa + = rootParser->m_accounting.countBytesDirect + ? (countBytesOutput + / (float)(rootParser->m_accounting.countBytesDirect)) +- : 1.0f; ++ : ((lenOfShortestInclude ++ + rootParser->m_accounting.countBytesIndirect) ++ / (float)lenOfShortestInclude); + assert(! rootParser->m_parentParser); + return amplificationFactor; + } +Index: expat-2.5.0/tests/runtests.c +=================================================================== +--- expat-2.5.0.orig/tests/runtests.c ++++ expat-2.5.0/tests/runtests.c +@@ -12092,6 +12092,63 @@ START_TEST(test_helper_unsigned_char_to_ + fail("unsignedCharToPrintable result mistaken"); + } + END_TEST ++ ++START_TEST(test_amplification_isolated_external_parser) { ++ // NOTE: Length 44 is precisely twice the length of "" ++ // (22) that is used in function accountingGetCurrentAmplification in ++ // xmlparse.c. ++ // 1.........1.........1.........1.........1..4 => 44 ++ const char doc[] = ""; ++ const int docLen = (int)sizeof(doc) - 1; ++ const float maximumToleratedAmplification = 2.0f; ++ ++ struct TestCase { ++ int offsetOfThreshold; ++ enum XML_Status expectedStatus; ++ }; ++ ++ struct TestCase cases[] = { ++ {-2, XML_STATUS_ERROR}, {-1, XML_STATUS_ERROR}, {0, XML_STATUS_ERROR}, ++ {+1, XML_STATUS_OK}, {+2, XML_STATUS_OK}, ++ }; ++ ++ for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) { ++ const int offsetOfThreshold = cases[i].offsetOfThreshold; ++ const enum XML_Status expectedStatus = cases[i].expectedStatus; ++ const unsigned long long activationThresholdBytes ++ = docLen + offsetOfThreshold; ++ ++ // set_subtest("offsetOfThreshold=%d, expectedStatus=%d", offsetOfThreshold, ++ // expectedStatus); ++ ++ XML_Parser parser = XML_ParserCreate(NULL); ++ assert_true(parser != NULL); ++ ++ assert_true(XML_SetBillionLaughsAttackProtectionMaximumAmplification( ++ parser, maximumToleratedAmplification) ++ == XML_TRUE); ++ assert_true(XML_SetBillionLaughsAttackProtectionActivationThreshold( ++ parser, activationThresholdBytes) ++ == XML_TRUE); ++ ++ XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL); ++ assert_true(ext_parser != NULL); ++ ++ const enum XML_Status actualStatus ++ = _XML_Parse_SINGLE_BYTES(ext_parser, doc, docLen, XML_TRUE); ++ ++ assert_true(actualStatus == expectedStatus); ++ if (actualStatus != XML_STATUS_OK) { ++ assert_true(XML_GetErrorCode(ext_parser) ++ == XML_ERROR_AMPLIFICATION_LIMIT_BREACH); ++ } ++ ++ XML_ParserFree(ext_parser); ++ XML_ParserFree(parser); ++ } ++} ++END_TEST ++ + #endif // defined(XML_DTD) + + static Suite * +@@ -12485,6 +12542,8 @@ make_suite(void) { + tcase_add_test(tc_accounting, test_accounting_precision); + tcase_add_test(tc_accounting, test_billion_laughs_attack_protection_api); + tcase_add_test(tc_accounting, test_helper_unsigned_char_to_printable); ++ tcase_add_test__ifdef_xml_dtd(tc_accounting, ++ test_amplification_isolated_external_parser); + #endif + + return s; diff --git a/expat-CVE-2024-50602.patch b/expat-CVE-2024-50602.patch new file mode 100644 index 0000000..8d14d6c --- /dev/null +++ b/expat-CVE-2024-50602.patch @@ -0,0 +1,111 @@ +From 51c7019069b862e88d94ed228659e70bddd5de09 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Mon, 21 Oct 2024 01:42:54 +0200 +Subject: [PATCH 1/3] lib: Make XML_StopParser refuse to stop/suspend an + unstarted parser + +--- + expat/lib/expat.h | 4 +++- + expat/lib/xmlparse.c | 6 ++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +Index: expat-2.5.0/lib/expat.h +=================================================================== +--- expat-2.5.0.orig/lib/expat.h ++++ expat-2.5.0/lib/expat.h +@@ -127,7 +127,9 @@ enum XML_Error { + /* Added in 2.3.0. */ + XML_ERROR_NO_BUFFER, + /* Added in 2.4.0. */ +- XML_ERROR_AMPLIFICATION_LIMIT_BREACH ++ XML_ERROR_AMPLIFICATION_LIMIT_BREACH, ++ /* Added in 2.6.4. */ ++ XML_ERROR_NOT_STARTED, + }; + + enum XML_Content_Type { +Index: expat-2.5.0/lib/xmlparse.c +=================================================================== +--- expat-2.5.0.orig/lib/xmlparse.c ++++ expat-2.5.0/lib/xmlparse.c +@@ -2171,6 +2171,9 @@ XML_StopParser(XML_Parser parser, XML_Bo + if (parser == NULL) + return XML_STATUS_ERROR; + switch (parser->m_parsingStatus.parsing) { ++ case XML_INITIALIZED: ++ parser->m_errorCode = XML_ERROR_NOT_STARTED; ++ return XML_STATUS_ERROR; + case XML_SUSPENDED: + if (resumable) { + parser->m_errorCode = XML_ERROR_SUSPENDED; +@@ -2181,7 +2184,7 @@ XML_StopParser(XML_Parser parser, XML_Bo + case XML_FINISHED: + parser->m_errorCode = XML_ERROR_FINISHED; + return XML_STATUS_ERROR; +- default: ++ case XML_PARSING: + if (resumable) { + #ifdef XML_DTD + if (parser->m_isParamEntity) { +@@ -2192,6 +2195,9 @@ XML_StopParser(XML_Parser parser, XML_Bo + parser->m_parsingStatus.parsing = XML_SUSPENDED; + } else + parser->m_parsingStatus.parsing = XML_FINISHED; ++ break; ++ default: ++ assert(0); + } + return XML_STATUS_OK; + } +@@ -2456,6 +2462,9 @@ XML_ErrorString(enum XML_Error code) { + case XML_ERROR_AMPLIFICATION_LIMIT_BREACH: + return XML_L( + "limit on input amplification factor (from DTD and entities) breached"); ++ /* Added in 2.6.4. */ ++ case XML_ERROR_NOT_STARTED: ++ return XML_L("parser not started"); + } + return NULL; + } +Index: expat-2.5.0/tests/runtests.c +=================================================================== +--- expat-2.5.0.orig/tests/runtests.c ++++ expat-2.5.0/tests/runtests.c +@@ -7991,6 +7991,28 @@ START_TEST(test_misc_tag_mismatch_reset_ + } + END_TEST + ++START_TEST(test_misc_resumeparser_not_crashing) { ++ XML_Parser parser = XML_ParserCreate(NULL); ++ XML_GetBuffer(parser, 1); ++ XML_StopParser(parser, /*resumable=*/XML_TRUE); ++ XML_ResumeParser(parser); // could crash here, previously ++ XML_ParserFree(parser); ++} ++END_TEST ++ ++START_TEST(test_misc_stopparser_rejects_unstarted_parser) { ++ const XML_Bool cases[] = {XML_TRUE, XML_FALSE}; ++ for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) { ++ const XML_Bool resumable = cases[i]; ++ XML_Parser parser = XML_ParserCreate(NULL); ++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NONE); ++ assert_true(XML_StopParser(parser, resumable) == XML_STATUS_ERROR); ++ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NOT_STARTED); ++ XML_ParserFree(parser); ++ } ++} ++END_TEST ++ + static void + alloc_setup(void) { + XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free}; +@@ -12447,6 +12469,8 @@ make_suite(void) { + tcase_add_test__ifdef_xml_dtd( + tc_misc, test_misc_deny_internal_entity_closing_doctype_issue_317); + tcase_add_test(tc_misc, test_misc_tag_mismatch_reset_leak); ++ tcase_add_test(tc_misc, test_misc_resumeparser_not_crashing); ++ tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser); + + suite_add_tcase(s, tc_alloc); + tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown); diff --git a/expat-fix-minicheck.patch b/expat-fix-minicheck.patch new file mode 100644 index 0000000..e58c502 --- /dev/null +++ b/expat-fix-minicheck.patch @@ -0,0 +1,57 @@ +Index: expat-2.5.0/tests/minicheck.h +=================================================================== +--- expat-2.5.0.orig/tests/minicheck.h ++++ expat-2.5.0/tests/minicheck.h +@@ -64,7 +64,13 @@ extern "C" { + } \ + } + +-#define fail(msg) _fail_unless(0, __FILE__, __LINE__, msg) ++#define fail(msg) _fail(__FILE__, __LINE__, msg) ++#define assert_true(cond) \ ++ do { \ ++ if (! (cond)) { \ ++ _fail(__FILE__, __LINE__, "check failed: " #cond); \ ++ } \ ++ } while (0) + + typedef void (*tcase_setup_function)(void); + typedef void (*tcase_teardown_function)(void); +@@ -104,6 +110,10 @@ void _check_set_test_info(char const *fu + */ + + void _fail_unless(int condition, const char *file, int line, const char *msg); ++# if defined(__GNUC__) ++__attribute__((noreturn)) ++# endif ++void _fail(const char *file, int line, const char *msg); + Suite *suite_create(const char *name); + TCase *tcase_create(const char *name); + void suite_add_tcase(Suite *suite, TCase *tc); +Index: expat-2.5.0/tests/minicheck.c +=================================================================== +--- expat-2.5.0.orig/tests/minicheck.c ++++ expat-2.5.0/tests/minicheck.c +@@ -224,6 +224,22 @@ _fail_unless(int condition, const char * + longjmp(env, 1); + } + ++void ++_fail(const char *file, int line, const char *msg) { ++ /* Always print the error message so it isn't lost. In this case, ++ we have a failure, so there's no reason to be quiet about what ++ it is. ++ */ ++ _check_current_filename = file; ++ _check_current_lineno = line; ++ if (msg != NULL) { ++ const int has_newline = (msg[strlen(msg) - 1] == '\n'); ++ fprintf(stderr, "ERROR: %s%s", msg, has_newline ? "" : "\n"); ++ } ++ longjmp(env, 1); ++} ++ ++ + int + srunner_ntests_failed(SRunner *runner) { + assert(runner != NULL); diff --git a/expat.changes b/expat.changes index 51ce0e5..2405e6f 100644 --- a/expat.changes +++ b/expat.changes @@ -1,176 +1,18 @@ ------------------------------------------------------------------- -Thu Nov 7 11:39:56 UTC 2024 - pgajdos@suse.com +Fri Nov 8 12:03:02 UTC 2024 - pgajdos@suse.com -- version update to 2.6.4 - * Security fixes: [bsc#1232601] - #915 CVE-2024-50602 -- Fix crash within function XML_ResumeParser - from a NULL pointer dereference by disallowing function - XML_StopParser to (stop or) suspend an unstarted parser. - A new error code XML_ERROR_NOT_STARTED was introduced to - properly communicate this situation. // CWE-476 CWE-754 - * Other changes: - #903 CMake: Add alias target "expat::expat" - #905 docs: Document use via CMake >=3.18 with FetchContent - and SOURCE_SUBDIR and its consequences - #902 tests: Reduce use of global parser instance - #904 tests: Resolve duplicate handler - #317 #918 tests: Improve tests on doctype closing (ex CVE-2019-15903) - #914 Fix signedness of format strings - #919 #920 Version info bumped from 10:3:9 (libexpat*.so.1.9.3) - to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/ - for what these numbers do +- security update +- added patches + fix CVE-2024-50602 [bsc#1232579], DoS via XML_ResumeParser + + expat-CVE-2024-50602.patch ------------------------------------------------------------------- -Thu Sep 26 08:29:45 UTC 2024 - pgajdos@suse.com +Mon Mar 18 06:39:02 UTC 2024 - David Anes -- updated keyring [https://build.suse.de/request/show/345282] -- modified sources - % expat.keyring - -------------------------------------------------------------------- -Thu Sep 5 09:21:17 UTC 2024 - David Anes - -- Update to 2.6.3: - * Security fixes: - - CVE-2024-45490, bsc#1229930 -- Calling function XML_ParseBuffer with - len < 0 without noticing and then calling XML_GetBuffer - will have XML_ParseBuffer fail to recognize the problem - and XML_GetBuffer corrupt memory. - With the fix, XML_ParseBuffer now complains with error - XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse - has been doing since Expat 2.2.1, and now documented. - Impact is denial of service to potentially artitrary code - execution. - - CVE-2024-45491, bsc#1229931 -- Internal function dtdCopy can have an - integer overflow for nDefaultAtts on 32-bit platforms - (where UINT_MAX equals SIZE_MAX). - Impact is denial of service to potentially artitrary code - execution. - - CVE-2024-45492, bsc#1229932 -- Internal function nextScaffoldPart can - have an integer overflow for m_groupSize on 32-bit - platforms (where UINT_MAX equals SIZE_MAX). - Impact is denial of service to potentially artitrary code - execution. - - * Other changes: - - Autotools: Sync CMake templates with CMake 3.28 - - Autotools: Always provide path to find(1) for portability - - Autotools: Ensure that the m4 directory always exists. - - Autotools: Simplify handling of SIZEOF_VOID_P - - Autotools: Support non-GNU sed - - Autotools|CMake: Fix main() to main(void) - - Autotools|CMake: Fix compile tests for HAVE_SYSCALL_GETRANDOM - - Autotools|CMake: Stop requiring dos2unix - - CMake: Fix check for symbols size_t and off_t - - docs|tests: Convert README to Markdown and update - - Windows: Drop support for Visual Studio <=15.0/2017 - - Drop needless XML_DTD guards around is_param access - - Fix typo in a code comment - - Version info bumped from 10:2:9 (libexpat*.so.1.9.2) - to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/ - for what these numbers do - -------------------------------------------------------------------- -Wed Mar 13 22:23:20 UTC 2024 - Andreas Stieger - -- update to 2.6.2: - * CVE-2024-28757 -- Prevent billion laughs attacks with isolated - use of external parsers (boo#1221289) - * Reject direct parameter entity recursion and avoid the related - undefined behavior - -------------------------------------------------------------------- -Fri Mar 1 16:45:35 UTC 2024 - Andreas Stieger - -- update to 2.6.1: - * Expose billion laughs API with XML_DTD defined and XML_GE - undefined, regression from 2.6.0 - * Make tests independent of CPU speed, and thus more robust -- drop libxml2-fix-xmlwf.1-handling.patch, upstream - -------------------------------------------------------------------- -Tue Feb 20 12:21:17 UTC 2024 - David Anes - -- Fix handling of xmlwf.1 to avoid workarounds in specfile: - * Added libxml2-fix-xmlwf.1-handling.patch - -- Call buildconf.sh to avoid (future) issues with expat_config.h.in - -------------------------------------------------------------------- -Mon Feb 12 20:44:14 UTC 2024 - David Anes - -- Update keyring automatically from keyserver during OBS service run. -- Explicitly use --without-docbook (before it was implicit). -- Include missing files for documentation and examples. -- Add manpage for xmlwf, which is now available in the released tarball. -- Clean the spec file a bit. - -- Update to 2.6.0: - * Security fixes: - - CVE-2023-52425 (boo#1219559) - -- Fix quadratic runtime issues with big tokens - that can cause denial of service, in partial where - dealing with compressed XML input. Applications - that parsed a document in one go -- a single call to - functions XML_Parse or XML_ParseBuffer -- were not affected. - The smaller the chunks/buffers you use for parsing - previously, the bigger the problem prior to the fix. - Backporters should be careful to no omit parts of - pull request #789 and to include earlier pull request #771, - in order to not break the fix. - - CVE-2023-52426 (boo#1219561) - -- Fix billion laughs attacks for users - compiling *without* XML_DTD defined (which is not common). - Users with XML_DTD defined have been protected since - Expat >=2.4.0 (and that was CVE-2013-0340 back then). - * Bug fixes: - - Fix parse-size-dependent "invalid token" error for - external entities that start with a byte order mark - - Fix NULL pointer dereference in setContext via - XML_ExternalEntityParserCreate for compilation with - XML_DTD undefined - - Protect against closing entities out of order - * Other changes: - - Improve support for arc4random/arc4random_buf - - Improve buffer growth in XML_GetBuffer and XML_Parse - - xmlwf: Support --help and --version - - xmlwf: Support custom buffer size for XML_GetBuffer and read - - xmlwf: Improve language and URL clickability in help output - - examples: Add new example "element_declarations.c" - - Be stricter about macro XML_CONTEXT_BYTES at build time - - Make inclusion to expat_config.h consistent - - Autotools: configure.ac: Support --disable-maintainer-mode - - Autotools: Sync CMake templates with CMake 3.26 - - Autotools: Make installation of shipped man page doc/xmlwf.1 - independent of docbook2man availability - - Autotools|CMake: Add missing -DXML_STATIC to pkg-config file - section "Cflags.private" in order to fix compilation - against static libexpat using pkg-config on Windows - - Autotools|CMake: Require a C99 compiler - (a de-facto requirement already since Expat 2.2.2 of 2017) - - Autotools|CMake: Fix PACKAGE_BUGREPORT variable - - Autotools|CMake: Make test suite require a C++11 compiler - - CMake: Require CMake >=3.5.0 - - CMake: Lowercase off_t and size_t to help a bug in Meson - - CMake: Sort xmlwf sources alphabetically - - CMake|Windows: Fix generation of DLL file version info - - CMake: Build tests/benchmark/benchmark.c as well for - a build with -DEXPAT_BUILD_TESTS=ON - - docs: Document the importance of isFinal + adjust tests - accordingly - - docs: Improve use of "NULL" and "null" - - docs: Be specific about version of XML (XML 1.0r4) - and version of C (C99); (XML 1.0r5 will need a sponsor.) - - docs: reference.html: Promote function XML_ParseBuffer more - - docs: reference.html: Add HTML anchors to XML_* macros - - docs: reference.html: Upgrade to OK.css 1.2.0 - - docs: Fix typos - - docs|CI: Use HTTPS URLs instead of HTTP at various places - - Address compiler warnings - - Address clang-tidy warnings - - Version info bumped from 9:10:8 (libexpat*.so.1.8.10) - to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/ - for what these numbers do +- Security fix (boo#1221289, CVE-2024-28757): XML Entity Expansion +attack when there is isolated use of external parsers. + * Added expat-CVE-2024-28757.patch + * Added expat-fix-minicheck.patch ------------------------------------------------------------------- Sun Dec 11 20:35:38 UTC 2022 - Andreas Stieger diff --git a/expat.keyring b/expat.keyring index e40fc46..bbe9150 100644 --- a/expat.keyring +++ b/expat.keyring @@ -1,235 +1,245 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -Comment: Hostname: -Version: Hockeypuck 2.2 -xsFNBFzUcE0BEACzkr4qR9zoM63YCJU/oQTJEtt7SR9Hcvntk351O5QQbNJS55Za -h+XfiAl1j45yrxP+ve3xU64Cl/GctZMLgkx8Qd3JECZCUkm72cvlBF1bJ0hkvcJR -tTyuc9XXBBQBNoRS1Tn4Gc/QE8L7669mS0FPPKpy4m7yY9SLtkauUTVkeKVz65Wo -9jEB4cc4hJGzqeBndSmPbznOPkATSadeLX7xNFG4nM20wCGZ1+UmY4j1NTBJnbxt -xcPQ4/OiAKvAsfAzvZrlAMhJtFAfnooP7VkIsbZyQqPeUznhGOK1nVpjl7DZ5c4g -eJa3OLfeDM5c1mSx3VsU8SkKbBqNeog5dV9yHAKFBa10M+VAylwlRg5i6TE/5JP4 -LneWoh/dZP6216MMelDcZeXn6JCgLWmjbCmuwDgA5S7y2cewRU3hopGvCpTkgEg8 -XuXZgP8O1ZAOOqBWOt/mk71Bm6LdIe501f60aVcnODJDSb6tDwYTxkn5vGPvu8bi -u2K+zdFqZskPTZo44qZDjLd7HpN5SigFMCCSk9LTWcwpa4eSFcezmfku+dB5T79Y -0W0qCKJKBtNLOj5atVk9j+BA0BNTmE8e95bTdPW3UbmXPhQQt8J+6UXsUC0brn3/ -9pXTXHvPiQsYMKcMzOnbdXKvlMxF+dN3BT+uhEF5tyYgqSDaF07EnIJzdwARAQAB -zSRTZWJhc3RpYW4gUGlwcGluZyA8c3BpbmdAZ2VudG9vLm9yZz7CwZQEEwEIAD4C -GwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQQxdu99sjZ/H8pPMGsfmw6QmvNy -hQUCZZgh3wUJDIYYkgAKCRAfmw6QmvNyhfRcEACU3hFFTVRyZTB+/Phui6bFhhbH -oRVMZl7llwGdtmUR76moGAnOilKK3UG4Xn+yHk0Au0kMDciDzET1KL5pTk3FYaX5 -SdhMK5P3CQIRvGVQGEyzm2riGMGBQwbMTN1cWSrW39lORPDanDKIzzu0mvAe9Ufs -M5Ecrz6xTIxMcMfBEaYH0snwMGFLowcDETk8DIM8qn6oOrH86S2+HP3LKeCM1DOI -uAILj438lTgaHKfOmtAMxqwXzVtknQN5upIBvfDtYXeLH/zSztt3XIcDYrBVCFd+ -7wxvelu0C6e1yG3vQ6eQt4OAeSNBOXUAcIWsCti9uGL2//pE9gQs4s1ijJYFQuuE -er3sTTqg4JU5y9NkDo6p9roZt+uDFSyj3wgOinfxMipNLniJpjrvV+tmqGhYZY0R -WEP757A1M/xVaf89d9rp5pJ9QawNUIDfM8gH+m0FuX5YKlSvFak+uB9/Oeu+BKy+ -wWyBiEM3fOjnFBpAGz1nKGQFYvUuRtqFAmlLUhN3EA2ixL6tMvlkWmHS0o0o+YGX -tANGcsS3KwWILlRarfhkHuc0s+gFiTKvfS/pTbiy6XbtYTtQ0n1HkLz32zwdnFig -/do+xYVyb9w1IZSc3HZAA2h8NlW2crMbzHr4FlSF5p/Zk5gVdfnhuKqWsE/nKAjg -/GwACVGzFbZiD2CqsMLBlAQTAQgAPgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIX -gBYhBDF2732yNn8fyk8wax+bDpCa83KFBQJjxyuuBQkI0+7hAAoJEB+bDpCa83KF -cesQAK0yPR7YSvy+uumbMJ02Be/7bu60yUk5O8nngpmebzQLEDAOyp1/HTcNk8VO -zyKsQfWOsCvupAvPpdlaTfXanJQa0kOBjos1B/hoc4lQg3UwpSxUbmAml8MZfWgs -QOexENXh3kGQBHTQS7fObCx8P96BLgOvCzq/wo7dUf4cugfg0RQSVI6yQNUIesRq -NSDHTRAKy6hWieW3itZRs/DCD9e/aesDAIGaFlxOWb5wl0mHHbYw2IhgK/RbSY7K -kt24SPEom7rc7dD/ToG2qNv/5uUujSQdjQu0WE+5JVVOaYsKWkWTcdKVURhhRJQt -FmBA+CQyC/gUmrPvjfWFk9LpbFi/5cFWaqWQpMjz0pQPyKcLRNNotYMaPWpxqIpt -0sBtVBZSVHv1emyMkYccxgP49lfHpzWIdILZwKJyJ6PPtojV3lrcXc53ILsOTGi7 -iSSQDEmxwJ6hT0lzrJ0bGnTidO4pN6VqtpQUt3HsODtivodxfkGskuSMkPVunZLG -4OIsdco/mdKpEEc6g2+dQnYl2tYFZ8w/l0gEakLbkFVIvsYdzCJpR39OJgRWE+YD -aWWitak50L30tu5gXcIMw4+79s0gqUBBxYRo79bx31uV1fPcj+ajovLQD9o5lwfY -TdPIaNPmQh6oyz9CVzTovUgsHP8Ji0Yepma09p89Ov1NFPlawsGUBBMBCAA+AhsD -BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEEMXbvfbI2fx/KTzBrH5sOkJrzcoUF -AmHSMvMFCQb/66YACgkQH5sOkJrzcoVQXQ//bVDypVzLbR1pbJKy0ZrxxHzJQVBI -6Ji2f4NsByIGV75Eci+cFyaR3JGZE021CHCDpzfBevxffz+Oyikftzb2/2Qq8GgF -MTj3lLzkgq5py7H/498vyK1JmwXroQ8RX0X3iwAZncT5U5QI+GYZA9SkJe3ETFIn -fkqZUdYXR0ZH3kt5ci+PxnwmD+HXAJUx/MWAX74Hi2/i+fkirpQ2tE0Kbo484Biy -WTtfebajNLv97Sw/8TpGKgcLJKgBL0aY5QQoJ8dE8YQn8LNRDFk79YyZRHrXGpOs -TpzEsQZD2ZS8YC3LmyWKhm/1lzYbKs1mlVbkodU6kkaJn8p19s5bI79gajjnoMm3 -Yh7q/Fp3nC2HpIpxWKnKqMdok/u+McivV7ue4VfRrKV7mXJ/0XUtcc8KYehDlDpn -nbqETUkQPU/DGpUIxB3BR3ihEZJ6EpIkysXfgfpBPNvPpjnaV7+uPFgAzlst44FL -RqQH0gI7IsBLABrgX+yioF1zQzOkp8iI8PJkuBmxeA1Q/M68VIIF4Wma3ej677M2 -ATdwX5cFqgrhvbwiBSst67YJjbyehwnl/tRAexV6/lIk4NnTKHPE2domgeAR+uLk -mMO/o/G5Gk1cYbRXG38RM3vDqAAFEznec1pLla9UV6LrugJCHErnxI9Pm9h0njwG -NJWpgz1NDMLlyvLCwZQEEwEIAD4WIQQxdu99sjZ/H8pPMGsfmw6QmvNyhQUCXNRw -TQIbAwUJAeEzgAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAfmw6QmvNyhVgV -EACqcR2lm9HDyjUy+ChqGicRBDQqg0rZDohBPWICUWDjeGx/ZDouPU3yBoKWu3Lk -0ouIPF0VshDOfab8H4UlV+06WcIEsYhV7zrUUPszCDrVsZt+2XSKsSBpdPaoBIVr -0UxbN8ls/sS6TBNaN/1wdmTOqUXr62lwoF/cu+K4BzaRT5yaKs0SYb0mcqg4MSmt -RPAWjlwZBvHwFZYyhaQap060uV5OGizfwZ3QLFldMtsSM5juQAok4Wod1OCOHYY+ -RahRaj/Z5bPgYE3ycM84G2j9N7nJu6MJLyyt2mOW49jjkgeKJ7aPledvuuyt3EJ0 -GQiJSQgjLXG/6wjmN+XmBJkcydalpMRxk/Yt6N7VHfet46vP8mC/jNbtUb5wFSGr -RJcyZP0elzvO6VhSh1mlRoqEUHKkb1CFVCYGorfGdUuiRhTXKwPcjIqe1ZJQaIKy -KOcy2CoItLNkcCNHtTloN5378Y6hO+IP3BIyRtlBcD3v9RIYsQj2Tu9Vnluk/Awb -wLkmOnC6wAsDmmmhK6y0AVn3FpAZ7m17DpFiIlNpumNkjaULfEKFL2PPHB8VbYi1 -V1IAG69X+91JKxzTU83s+B2Rz8hei2jNbtYbj/E/VsiatOucOf9Yj8g0tnS4Xfjh -a2VPXQQShBT2uhm+hF6esBappDgjoh9/AGEKD4Jhx47vLsJdBBMRAgAdFiEEPX6V -nYn6z+44NxkhsAvGakAaFgAFAlzUc5cACgkQsAvGakAaFgDDFgCeI8k57LnZmSnL -ZQs1lekucx9ThxwAoJG2olyQ+9IETr2/xcgX2Ka/FfT1zsFNBFzUck0BEADgwnBJ -BHWBnKwHhEJLYei4PMImRJSjoiYZi1EmiCT3u9+qEW/IOy+VJPyf2OyLM9RoLzMr -CRmYi41eFZryWsenpzHQVP28KbMHP+mdJOTyvX9Lt8Ohxa/m+ZG0vjhXLDBsRFmh -EFDV14As8NcI1GivnpyNxTFDDWbmxDMw7zTSkjH8dqeB/Z/HTXWu0pdOrhXb85iZ -MsOZDUzmbKwBQTAOX7zPtmi4zheP49VXHGn3fNgvUb6QuzSQNtAKS7C2qPlIMug/ -vYyXRNM4dnC9aGYdjwXuEyNYLN131lqG6q98xxPRsbdnzDqTgPCZqk2dZq033Ad2 -zhNbhynycxXDpxQsRn4PQfKBgpr+IdNEP4UevaOueaVLSwtvcvXcqMYtrzSYIcNu -0tnbDDZRxhgKM+3TkpZc107qowq6+SSPzWbg6hUY7vxKzDAgvYhn5Oin59sARfo0 -KkSAM1H8/ozYxdNGySqIQFewcjjLDpQnI2x/ZAU8nk0hltEzj+KmkJdJJI3becen -tmrdODySLO0fidrCmzhiuk8HLodDQ9apY+54fWwDDUws33yE4DtX5Y2/1nUvwDNp -il6dRknAVGdc3OvIe+WAnsGR9SMSy4HruP/Yf+OZSCFtOSloe4MtP+qdyfx0vDg/ -mLffZxE8r+zSeB5IAp0BSbwUhdbeWGd+UpWCCwARAQABwsOyBBgBCAAmAhsCFiEE -MXbvfbI2fx/KTzBrH5sOkJrzcoUFAmWYIgoFCQyGFr0CQMF0IAQZAQgAHRYhBMuN -5wqQz79sO/XMVpYmKs/7067GBQJc1HJNAAoJEJYmKs/7067G2s8QAIP/MH/Xzbuh -z7uO+6FFNS7kk00zQImC1Y0yYyeyy2UWsSD4HUdE05CoJCMSwHXpTNzDs/aackTs -KivEINYPvTwbEGPMPqv9MVD78T46iwSuA+Qg32CDLAjubby8Q55DXYS/q40CZaLz -g7OQT8IH03ewxzrtpdLrnXnYN1ktwBFokv5ZsxB5BhEJfbEHEqdoNk2STQv5p/Ik -rc5C/hefHSKXV4cJRYoPkrdnr0ZHyevB5iGuR9zMxmkLD+NyIqqVqxjWQNjLoEdY -+xKnezHiIZvGb6nH55DosZY5/IHgLUJsLFcYNfLFSVdAzF0py+A5nY0PJarlZptO -i22tSsSXX5EKWHLTZUUcs1uBrmydVFMsT3ZC+8pHxLyKGn+f+89jdUCzidQ+545O -YnNTzxTjGytG9Y/KEVDYUWAm9OSSLJjDpt4RDVF6yte8cHJfdC9Ypazet2Z2GMtG -a6g6dv7NhDF+JCEhnMraPaLHbWnABP47AJZ1cRvYfE2lyHBzfKWyWJ56BWH9Sf7p -6DwehqIAo0erPAcnBDcbrfrHaSnFLvW9UpIGAGvBMXZqAoZNNsXqq7OMHRt9rWZX -OGkeGAINnwlQIT3ffKMounUS9xzLM0kZdf7BS7K5+5gcjJPh1b1yvBYApioBAXbn -aTmqvdwr03FLnoGi5/0671t0iUGSqbF4CRAfmw6QmvNyhZ1ND/42zg+uIvWKjbpy -lkq7sIymXCQmfnEjKhX60UkduuCZntyx2jVCAsfIjQsID+8jDbZcKtPT2K3xqdBi -RvP/ckdACcy2wk5kjyPqP+IhOiY1VxlkvffhjEPQ0H5oUkRmK8hr04K8VTmBAKAh -vOKjU8/oO3Y+jMpHre//qG/SSndJWWSdYtFOQrcLBu1iE+Z+Ss30clXPLP7oltSZ -M+TbwBqeezO6Y9IDt8gx4gqamCRN4OyjM3q2VyoEPNGSzSRCUczOEaTm6kJ+BZ/t -qKpMX5yVVIzJOJctb7fGM34BAefiAdEHxu4ChZo9X4nm9kXzFTpUvrLd97B8BGRg -uZk3LlKnfRq1oG7ks9U8/rU8xvSCySEAP+1gQLWhO4JJft5ZJgQD8YaNSQA1dtHL -VYvxi4O5yQrlT0Ue6mRve1kW1+7D9mnPmt/5HOMEA+sC0IORQJAPlaDYX8p9U+tH -EoInW9r7bULqeDCZAqCEOIhyMxSmz2+d+LEE6FNTaGD7Chicqc46SD7RMPvMk87S -BX2zf1bkH/Z90N8imuerp2Tm0ldyohVS2fGWpRqbVwwEqSCpJdDEvC8xQ6MUEfoz -FeYnBbc5UFk34ZhcWxWcO0Jwc2psQYSJAwiH6GEFutK1z4+JEJq52SJnXWW3HXWe -MR1XtVtsbF6m6zeZNC7FXFTUYV1LeMLDsgQYAQgAJgIbAhYhBDF2732yNn8fyk8w -ax+bDpCa83KFBQJjxyuUBQkI0+zDAkDBdCAEGQEIAB0WIQTLjecKkM+/bDv1zFaW -JirP+9OuxgUCXNRyTQAKCRCWJirP+9OuxtrPEACD/zB/1827oc+7jvuhRTUu5JNN -M0CJgtWNMmMnsstlFrEg+B1HRNOQqCQjEsB16Uzcw7P2mnJE7CorxCDWD708GxBj -zD6r/TFQ+/E+OosErgPkIN9ggywI7m28vEOeQ12Ev6uNAmWi84OzkE/CB9N3sMc6 -7aXS65152DdZLcARaJL+WbMQeQYRCX2xBxKnaDZNkk0L+afyJK3OQv4Xnx0il1eH -CUWKD5K3Z69GR8nrweYhrkfczMZpCw/jciKqlasY1kDYy6BHWPsSp3sx4iGbxm+p -x+eQ6LGWOfyB4C1CbCxXGDXyxUlXQMxdKcvgOZ2NDyWq5WabTottrUrEl1+RClhy -02VFHLNbga5snVRTLE92QvvKR8S8ihp/n/vPY3VAs4nUPueOTmJzU88U4xsrRvWP -yhFQ2FFgJvTkkiyYw6beEQ1ResrXvHByX3QvWKWs3rdmdhjLRmuoOnb+zYQxfiQh -IZzK2j2ix21pwAT+OwCWdXEb2HxNpchwc3ylslieegVh/Un+6eg8HoaiAKNHqzwH -JwQ3G636x2kpxS71vVKSBgBrwTF2agKGTTbF6quzjB0bfa1mVzhpHhgCDZ8JUCE9 -33yjKLp1EvccyzNJGXX+wUuyufuYHIyT4dW9crwWAKYqAQF252k5qr3cK9NxS56B -ouf9Ou9bdIlBkqmxeAkQH5sOkJrzcoWCNg/+M45NZDXoiYrEBtAYuhK2uVTeSwMS -+ATc63UEeQf6MtlYizt/84D1Iz2PxpipwdP5QKCICKoOhTVrER/YB5+lCL7m3kqW -WDja8dPdUguRYhvLouV1hnNFw8oN2KzZhfvxaVEKlw3qmhlNwDHnPoyy+PQzdR1y -COyEGCq1pral/Ckan6mZSHe2XPgqqn7BOuihSzK24EsT+m9IThyC3zePVO7RtTBB -Cl9oWt+oZZt71EZtJE2ovE+orJpyRK6Ya/OY6NdSvONvbn9EBtZnMLXFVBPT8Tsd -tBI212LxoT03GCwRV8f2Jce7E46QokyoeSuYWjKsVKFiyMPw6YcJ6zdawRUWC27p -5xQ+8BysOfdJMLlDvUaSh7uyVtPy8EQmgQ0BEKjVsqXzPOAiI2K4pDirsP9ygJME -RvDjlAVUlX5igOpZRumJtscLg7H2F4ejWqSOdceMSxM3JSn1U3avhopVetZ2ZvZ5 -z4sXQu3xJlJygtyv84/htedwdyiSpOHjfTgDubIleRJmqJWOyx2SS2zgo8qQwCjZ -bHfRmNoENOjihGbaIretcUjotLgKVQEbXQmXA+j3wOST3LNDEK8gwgYBL89MKbWi -zHLuRlYOmIlvjAYGrQFmILLbeT/tOR6qQL/nXPtTiYZkBF9Aj3nDDAfEtRGAnMmy -6HwbuCRNwcvTWSTCw7IEGAEIACYCGwIWIQQxdu99sjZ/H8pPMGsfmw6QmvNyhQUC -YdIzLgUJBv/p4QJAwXQgBBkBCAAdFiEEy43nCpDPv2w79cxWliYqz/vTrsYFAlzU -ck0ACgkQliYqz/vTrsbazxAAg/8wf9fNu6HPu477oUU1LuSTTTNAiYLVjTJjJ7LL -ZRaxIPgdR0TTkKgkIxLAdelM3MOz9ppyROwqK8Qg1g+9PBsQY8w+q/0xUPvxPjqL -BK4D5CDfYIMsCO5tvLxDnkNdhL+rjQJlovODs5BPwgfTd7DHOu2l0uudedg3WS3A -EWiS/lmzEHkGEQl9sQcSp2g2TZJNC/mn8iStzkL+F58dIpdXhwlFig+St2evRkfJ -68HmIa5H3MzGaQsP43IiqpWrGNZA2MugR1j7Eqd7MeIhm8ZvqcfnkOixljn8geAt -QmwsVxg18sVJV0DMXSnL4DmdjQ8lquVmm06Lba1KxJdfkQpYctNlRRyzW4GubJ1U -UyxPdkL7ykfEvIoaf5/7z2N1QLOJ1D7njk5ic1PPFOMbK0b1j8oRUNhRYCb05JIs -mMOm3hENUXrK17xwcl90L1ilrN63ZnYYy0ZrqDp2/s2EMX4kISGcyto9osdtacAE -/jsAlnVxG9h8TaXIcHN8pbJYnnoFYf1J/unoPB6GogCjR6s8BycENxut+sdpKcUu -9b1SkgYAa8ExdmoChk02xeqrs4wdG32tZlc4aR4YAg2fCVAhPd98oyi6dRL3HMsz -SRl1/sFLsrn7mByMk+HVvXK8FgCmKgEBdudpOaq93CvTcUuegaLn/TrvW3SJQZKp -sXgJEB+bDpCa83KFsXUP/2EnRVBTcGNoFUlMpix9my9IMvGCoYcV3PlPPIucZqmy -FH1ky+jKNRlTKW6lim+dsrHrKnFkQ/swv6dZnjkph0tKxqpcc3yYIieUPoy9ypdd -xy5Q199yBBceGU/+UTYMWqVgOOELXeblTICoV+GTveQ9DkxpRf2U9kJ8Vhb5hUA4 -mUC2Wez99ucljwQl72ayP7RoDIQ12GrrX5fFQi+1mnwqJPu8y2AUeCSC7DzzyfgZ -C9hJD8O8KeH03XCefoSfxAO4HH9Er1UN9TSFSzsIftK/G4cW8Xoqh7S/5tLaRk7/ -dCGctmEM06SbacwiZFgYP7xAkYgg55tGX8ULxVQI4KpjXP3RLaw5a3RUUm9Sg7+b -QgU1jB0qxq2LuXpPMWmapiX6uWx8PJrWJ21XNnHmcszwStyTWCYMaH1Zcdqy5bWe -9oklIKVBus8k2Iu0Rk34hmPgaB3TG/wyOraUnNZewccxFc9mls5o1v48lrm4ZERW -9djwUIj/eCU5Z3fbubdk32R5E9NvMlcxcE+5SHKFJd0H2cVZPnhI5G90P/eQFAkm -GhpGtpSQ9AmH9rP+K/GB1Jj4GM2u3IDwMgdsJhTGUfJh1UW6phBx6x5WMN/nrylF -v7U7spggFfStlK3AmKy6zR3xlugmmmKc65XCTl/KG7wunG5VutE9BCxlviVKeE5e -wsOyBBgBCAAmFiEEMXbvfbI2fx/KTzBrH5sOkJrzcoUFAlzUck0CGwIFCQHhM4AC -QAkQH5sOkJrzcoXBdCAEGQEIAB0WIQTLjecKkM+/bDv1zFaWJirP+9OuxgUCXNRy -TQAKCRCWJirP+9OuxtrPEACD/zB/1827oc+7jvuhRTUu5JNNM0CJgtWNMmMnsstl -FrEg+B1HRNOQqCQjEsB16Uzcw7P2mnJE7CorxCDWD708GxBjzD6r/TFQ+/E+OosE -rgPkIN9ggywI7m28vEOeQ12Ev6uNAmWi84OzkE/CB9N3sMc67aXS65152DdZLcAR -aJL+WbMQeQYRCX2xBxKnaDZNkk0L+afyJK3OQv4Xnx0il1eHCUWKD5K3Z69GR8nr -weYhrkfczMZpCw/jciKqlasY1kDYy6BHWPsSp3sx4iGbxm+px+eQ6LGWOfyB4C1C -bCxXGDXyxUlXQMxdKcvgOZ2NDyWq5WabTottrUrEl1+RClhy02VFHLNbga5snVRT -LE92QvvKR8S8ihp/n/vPY3VAs4nUPueOTmJzU88U4xsrRvWPyhFQ2FFgJvTkkiyY -w6beEQ1ResrXvHByX3QvWKWs3rdmdhjLRmuoOnb+zYQxfiQhIZzK2j2ix21pwAT+ -OwCWdXEb2HxNpchwc3ylslieegVh/Un+6eg8HoaiAKNHqzwHJwQ3G636x2kpxS71 -vVKSBgBrwTF2agKGTTbF6quzjB0bfa1mVzhpHhgCDZ8JUCE933yjKLp1EvccyzNJ -GXX+wUuyufuYHIyT4dW9crwWAKYqAQF252k5qr3cK9NxS56Bouf9Ou9bdIlBkqmx -eKcnD/4+1HUg5cKrfSTXZNsuOU7AnlybWpU7Jl8YdxfeuCCe+I5W3jTYqljpCRGW -BAHtE3udB37JXKSn8yH70JzXQDWL9+G1wqk5iwkvtmKqAapzJFuZ9lYNlNGYDxI9 -foTq99f+OheFnT3nUm8IA9N0MwjGCIJ5501HM+NO8WylVoy0Y+erxbyQGC2Ey7Yj -VZSuCTZo3BuYiSCP8Bmd9qHxCJmBGQgbtA/2QBcLZ8o/z9w0U39Iwsei8oacZncV -TIFnBDsU3E25M1eyQ8VdcAqLL7v3UFOi+20zBBs+g8jBBdzXUVhp+RAsXldo8i/q -tdD4/90UXT7FBXmImGtzOVmza23v7Dyq7P/ZueEAqhr7vtW97UQ7+YkXDa4rHi4H -rGJClrdxixEyCTPrD++SvwxAud3hAUKZF9hOb0fD9A7cn63EERVgaJGAi7p9Oqqb -qni8JOssQF6TeCUFP+X3nR4+iy8EX4scfN6LUB6/mnhoRVZ3GNEzPAZi9PGe8RqW -JqUMtrBVUPVxcwAgfijPmmMIXIUyZk5ysTQeT3eJVd3R3yxORfaHSD5kuHnXWwsp -/yYltsLI/hBtVa8N7XZdzZ9JDT8fIWj5515DsfunTtksrObpRdiq4lxAoYqiboI+ -L1BCHwvaTy9ghXhhpgnym0DJk2bmucRair96apTzdYoszd7iLM7BTQRc1HBNARAA -6EzAcDoXEON3EsOc9hln8dEIHeP4Wfmz5z+qIrcnngbjJg/3XzvUWMN4XukOyZxB -GALPSToZ5k7MU6SkJMaDpow+Q6IGj3fU6pyTOGUAKctILNHlvZsgtNpQad/i3jUP -r60IUrZ18kF1DTJh8HeVrySD1ru+2eVoz1Q7ROv6j01g5bKxQBrl/FL2NIXYLOB5 -nqT1ZrRuP3S7w31x+waswHsXpNU8bhN/sZsK+AzBoF9JArviFdVZ3TCNNbRUYinF -F8Bi50nIH/Z1rms6wxaHmER7p1KHARDW0keeO4EgkjVRlLJW0WoyPw3Kx+0Pv5Wt -3o3cWnm6ZTNzq1WJqD67qzxDxPEJcxpLChW0FXUcduoqILPB3hc3Ad+/+HRWuAzR -JethWYfBSQtQ106UApZFnsTFpMzHSg1orCOvcWFXtbm61/qRD2Ux9LyBXR0kzWdm -nRmSCL+iO4h5yoFBcnBOnVhCjVCYkczSwpO7qk46VPGLNpPgCTR61B/1IuKeW0x5 -gR0KgVq9aRZcgg/hgz3h+4PkSRzTdvaKIIwpU41Kvh0poA8US1Xe4UihL9XAblBD -yYSFlkf3KY55Sub5i+WMVJ+nVMOn10aJg0oLHnZmPvAKGqzDNURUVOoYRmqxi3K6 -4NAzQmFfpMZPvnOayqImEEaXqeKAat1pEKda9a/SfR0AEQEAAcLBfAQYAQgAJgIb -DBYhBDF2732yNn8fyk8wax+bDpCa83KFBQJlmCIKBQkMhhi9AAoJEB+bDpCa83KF -43IP/24REKNHAnMFoXt46XrhGq3buZguAkpT14D7jGK3lkQBM8CVO4htuqnR51hA -ujal4w6AAANaZJi6M5NQrv57T+EejsyOvZHBtOco60qsbu2Ph6apJDiVrQsaQngn -VGhEc8tDD5UM5LtceSJ1fBThEnPPbSdkZdV8IeZu807OipuFQLfpKHp040VzJQ0u -TfRysAGHq8ZWopEv0ozYDcIfdFT2t4tviSEqBNSUNa3SD2K1TlXquKHZ3ISQCkO3 -Q44/eSzLBMKok0FKdViilWfUiWQQZsIoR94A0m14NCm7c/lGQK7yl++Ric52KT4V -uZ+Y0K197ruWaBPS7N18xHNH0/P7bhOSGu7PGW3fSbXif7xAfB9moICR50GLIbe9 -/iC466eu2fpGB55dkd8oGDL/GGyCD9EmkNSSgZ4YNKt2fR6VFtJdzntZrK2ichrY -uyGXQ9UiJNtAUM60eF4CmJX99nfStc2VZXXNSy6D/fNkWbMgJz7uINL0jFICihXo -kwAiaO+y364WOSzk/NQPZcIZ/fnPZPKnWIReQfMdPAHr4pVS7fYv5AMFonR3fUSe -jroXeIyZB6Dgt/v13sOBQ61GFt0n75sX2wSlc8NvkXLG3xpwqPZ7Js8Tadc7HK3R -7ksCpRwz+rJHn6sEvVZSx6+S5EzTw7TNWqDeczsmR+YPYRvewsF8BBgBCAAmAhsM -FiEEMXbvfbI2fx/KTzBrH5sOkJrzcoUFAmPHK5AFCQjT7sMACgkQH5sOkJrzcoUX -Xg/9Hz4S2vwSa15mrrW3syDWt0aZ10loLNi3kL9ZJ4Q95Mj64JKR7qAkzfQ3Q7mw -ini/2tdDeMg8kg4yQ+eOCAYhySE3eiE0ThaFlUYXnCSNVSgOyT6YtAs6Fjx3rNxS -9+J5E3zbyBwO8TpWvkT2jr7lKU5XZp0L1RQuKN0DB3i1tg0cgJLbdFkLr72lQoDY -QTVMaiv3Iu/mdgAk4mCSnR9URFNxCbLYWUBLhH1KtCACbDhXXSfVnGUVc0b/jVTn -HsHm+D2c0tn9krZ9ONZ9J22aIZQQg80xxSz66kW0bWnzhdAge/3T0joeegZLyROE -TrBFbLW+Rcit0SX6G+mCg1J3FALIsEtB9nG9a5Tum+bML021wiTH+MVLH0GP1ckt -DZH/zNuR6CtxLsrw2vgLsRd1QGiB9LN96sKYBQHF4Ys79V54ASBVBTK77vxcW4dI -d2ZPxi0LU57jL3mJf6SQBVA1s0/HNaNc7rtueilYqcIkU6wpYtbtV5+G7MHv3RwX -mRdA1kYbc3EM/YfjEjK2bGCKRrK4cpjr8BIfxP/H6mioTtLZqVb5O3ui7kA11GS4 -fWXurGLMWOVPmcVAUm/lZ86I5rX9p9V45Z1ViOkGIKGfq5QqZvxdDRpv+hftpOrW -eICB/FZB9FhkS3WS2EKHaqcWk5lKtpRgPcsVD4Zk1Tlmi6DCwXsEGAEIACYCGwwW -IQQxdu99sjZ/H8pPMGsfmw6QmvNyhQUCYdIzCwUJBv/rvgAKCRAfmw6QmvNyhXK5 -D/jBMCAdoJVW9ai4tKgNac3sxFjrtnLPo6lEzB4AXnltkC1VwULeDL+O3IueYCt7 -kyRr9vvogG/y/e8kpVIGvH8TcZd71EvUkM7Df9X88I5bPrA78MpWAEQGE1RxsFLQ -VppzAOeiXVTXy/nwS/8LKP28W5FNFH0M9qYmvTjeS0YYwxr7DJU526B0JGiis4kX -l81tYnd2H46cx1qjSMmWMV0dPWMbUG5gs3HtU4u5DpBgn7a+klihpmtxebWNV2vO -3TCqYJps+WbvDPHpUsHFpW+wYvE0VosB9jYKzhOS94aGz4Yl7fTZq/tF4atBReoe -ESJi6RJWpvNmdSQPYrJu3BAGWnYTuniW9xhHhSYnCSrH3WfZSermU6XiAmKtZB5X -w4HyjuJgKjUDjzVDOvpTQVcnpkBXkOdw0dIZDk61cq81p/R6bmxEGsIkMHNpxRfA -1PNwjypgioLF2Cyq5kB3IVc8KdpW4O3XaVSiMfvXlkvpQJmCPtxup8IqUmgL+ILT -qLJaHOhpbb6bsikTDekUC9DIV58xQ5HuHI0qaTrDyZsG8CK6f+OwxKbXJh5QDFar -M5YrOIHaOaBSICQtCgCBH/Jp388LOm8rTDqSHAQxp9ZjQafyLBaGHlHR2rvnztfV -1LHS+9Pvven6J3Fj4r5hztJXuKUrOZ/BsLw8c7DnOI0UwsF8BBgBCAAmFiEEMXbv -fbI2fx/KTzBrH5sOkJrzcoUFAlzUcE0CGwwFCQHhM4AACgkQH5sOkJrzcoUMYw/+ -P8uPNx1N+IdYdzoTsRQzeo9Z/yhtIvsW3iXvvHS9QZ/YbelByeBMjVIgxNMsAqRe -F3qo+oJU+YzqQcrojPAVycxEWgzKgf9tWdmRSzQ3JTcM+Dc5RzUi6e9yDbucd1k8 -sVG/x7L+pLI2IgQm7eHPIEhQ7RkN061TCSqfOeuuL4ilOgPuBahgzQIL8B6uj85o -LbRzp1TWzjPCYCOp/NvQ2qK/cIOuu8XSneDp+fsEDIfGdhtLtldLyc9ARjSqn7IL -QJHeNx5cLC/0LU+FCJJ+qI8FMvsKCU7PTZZIDFjsYieHdWK0zauu4pxpyktV+OJm -YUfhJQLKz/tzVKf6klN+Ko7/axXi+63F+7dDTENiZx/sMr0E3ttnTWbezNNf/7kh -5/SSlj57lmt9xEdQ4DMD91d5bywSt/5i8JT0fKL97mJa9uFoyD0fAwDftwR+EGZX -AYE5Lqe4UeftMWhmsI2cVYSl9Qlj75NOGE1pUqXPmfc9cREUImV9m1d/T3twklEm -eIGgDaN19CpIkCBcCttk/FFbSiEh+CP6We+o3AHbu2t2coqnELqTo/WTRBnUw/e0 -NFrP+TRatWLhLGmzvz9HMDsj2cBHWi9VTHxPDYj2u7rhLLLJi5oDYzmdCziQzMDc -/eh4U7233VvL9387WWP0e0ZgSfnEvNvjQ7JN94NLJOk= -=2AOW +mQINBFzUcE0BEACzkr4qR9zoM63YCJU/oQTJEtt7SR9Hcvntk351O5QQbNJS55Zah+XfiAl1 +j45yrxP+ve3xU64Cl/GctZMLgkx8Qd3JECZCUkm72cvlBF1bJ0hkvcJRtTyuc9XXBBQBNoRS +1Tn4Gc/QE8L7669mS0FPPKpy4m7yY9SLtkauUTVkeKVz65Wo9jEB4cc4hJGzqeBndSmPbznO +PkATSadeLX7xNFG4nM20wCGZ1+UmY4j1NTBJnbxtxcPQ4/OiAKvAsfAzvZrlAMhJtFAfnooP +7VkIsbZyQqPeUznhGOK1nVpjl7DZ5c4geJa3OLfeDM5c1mSx3VsU8SkKbBqNeog5dV9yHAKF +Ba10M+VAylwlRg5i6TE/5JP4LneWoh/dZP6216MMelDcZeXn6JCgLWmjbCmuwDgA5S7y2cew +RU3hopGvCpTkgEg8XuXZgP8O1ZAOOqBWOt/mk71Bm6LdIe501f60aVcnODJDSb6tDwYTxkn5 +vGPvu8biu2K+zdFqZskPTZo44qZDjLd7HpN5SigFMCCSk9LTWcwpa4eSFcezmfku+dB5T79Y +0W0qCKJKBtNLOj5atVk9j+BA0BNTmE8e95bTdPW3UbmXPhQQt8J+6UXsUC0brn3/9pXTXHvP +iQsYMKcMzOnbdXKvlMxF+dN3BT+uhEF5tyYgqSDaF07EnIJzdwARAQABtCRTZWJhc3RpYW4g +UGlwcGluZyA8c3BpbmdAZ2VudG9vLm9yZz6IXQQTEQIAHRYhBD1+lZ2J+s/uODcZIbALxmpA +GhYABQJc1HOXAAoJELALxmpAGhYAwxYAniPJOey52Zkpy2ULNZXpLnMfU4ccAKCRtqJckPvS +BE69v8XIF9imvxX09YkBZQQQAQoATxYhBCwTgjuCNzEPohMDSTDRMv8P9Q7rBQJc1cMyBYMB +4TOAKxpodHRwczovL3d3dy5nZW50b28ub3JnL2dsZXAvZ2xlcC0wMDc5Lmh0bWwACgkQMNEy +/w/1DusYEQf/YoER3M3OLkUT7DgWiZBakNs3ifv63fvBDVhwZcerobSxlqjFFQK6CC+vFumk +xV0hFIvS9yfCTLNYMcLa8C9TuWJSqOtTXLGoYDbD6tEOQbMnKJ+W/vypbf1VqVHlptwkPpNd +5R6acsEv4rNK1bbzDVWzrCvLBRsHHiyr8MFHVjJjPZFqQfc56K2CHNv7Yhk6h3DG/0LQl2Lb +pxxcYKkF+gw5AwJazBf/DwpomwyrMRRmiqcgJ0kDyDO9ktMd+7z81t12G6tiEFVoiyPCmYkU +0CjpArg0nMBWMzocrr3i7RNO5675VwefF5+i/hBykyaGiunmpJ5G16JaPAvs1eLOiYkBZQQQ +AQoATxYhBCwTgjuCNzEPohMDSTDRMv8P9Q7rBQJetvbPBYMB4TOAKxpodHRwczovL3d3dy5n +ZW50b28ub3JnL2dsZXAvZ2xlcC0wMDc5Lmh0bWwACgkQMNEy/w/1DuvGIAf/ZFdVDmJBa77p +Dgws9TDAg373Q4t4t26Dimp/GAejP9L85HRGE3cBwpp0U5N2uoEyBQmrQnoe+ggaEOcQXbv6 +q2GIeA4LRpM7Yw/Umfbcd7KQhRstZiJXb2ectkSliDveAnrSfS4yB6pjnM64XTCZaKMCXOp1 +4oiR6e8sL+p4QI9y8JFRvzMtgQCbmFW5JpSeOhLdnbjb6yqWZ8zQEx3lL/TdOzk9z4UsL2pi +dytcUMezYH3IzqJR+xTMMt3ELQWUtEIlagy4GvXkKMTOK3tqtd3nPKCBfALYEfhuuoHokTLk +obvAMXtiNJgWUCbeJPaW+bMZO3T07bVCYqwq7B3KZIkBZQQQAQoATxYhBCwTgjuCNzEPohMD +STDRMv8P9Q7rBQJgmXuwBYMB4TOAKxpodHRwczovL3d3dy5nZW50b28ub3JnL2dsZXAvZ2xl +cC0wMDc5Lmh0bWwACgkQMNEy/w/1Duvq9ggAwdatYPY0gb4LaDqUT8fSa9AOCWEqBb+XF3Di +GVaLsSAsMHM71MSdkxvXXVb5QVwnFPTRGC30LXs7HzEqzBqIi3Qvp53g4X/BcNYrHPMCvNhD +tKn9t27uncO+zcxlY90x6x58liyxQjS2SbolzwRYRthisNzxA45EgJcU2R3l1rgjcwt/X/W3 +FuBt37YkEFFgK5Oj3RiH2PjNs2d2f1vft//1Cxig3/sLNIhvj/xVfyeHlAnor+Z/Q+vwxcXC +dnOR0tS4DCbP49dD2XNNdCpJuu1NswasS86cjjhruchg+22wwQFFiWLvsiXjfXD9qdMY6bCN +DyQF2dMheNU4IYQ5sYkBZQQQAQoATxYhBCwTgjuCNzEPohMDSTDRMv8P9Q7rBQJieq8xBYMB +4TOAKxpodHRwczovL3d3dy5nZW50b28ub3JnL2dsZXAvZ2xlcC0wMDc5Lmh0bWwACgkQMNEy +/w/1DutE+QgA5iKPPK5OHxyMFVBGl2EFd9HpWbEY7QS0rSWYu79z8uB4p6pFkN3BosUIEuEQ +W7NYLI5pwnRX07eqIvtGCeE22JeGCLH0AI5eyiJcXA6OrJRuLtLt/GM3Ob0lL8Zl1zVbXXv3 +3d6kUVCiPctmYB1SnsJAHXHlhWq4PEr8WLsfG3jocvIwJeTF89Ft6evb6gyZSl0+wibWJYzD +L0hrTyBlcNBxjTh64CbJ4TgoXgoSjqjGinl9ac2Hipj721Wlxnzye2t3VsMwiQEw0H01W9Zy +Ma4fVzX5daFeX5olg9GJihniX9zayXxo7wGV3rcg3qZgIEFsbkIrNSew6CZkr0cZrYkCMwQT +AQgAHRYhBGPrBPqjDHbilS5u1lZZU7lTcnVsBQJeLf7nAAoJEFZZU7lTcnVsdKQQAJFajikh +3xSQ/n4/LRz2eAEiI4TePxmkDKxml1MpZpkxI1SryF0Dd67wPxiZ45z0YZ2GO/FcP2BVei5A +8etgQ0/aFt1WZ565ZgjtZf+entraAqU7EEy6MhNV53/uRBtFGfDHSmGrP/2HtPJzcvqmnPVt +yUBMKGDBOxCNB3ivPcDsu80f+Xd+junrwEi1p7pxlmCP0ZmJFj0U5Bf2QRkfVfXvL6QqEAOB +TUqCXTfmTmZ1TpenB8muWDgqok/3Qme8Y+0oTe3O+t+0IRxi2V1lDkB1Dd1QOfEXp3WV4Le1 +b6O/rOgT5fW0XUEQJ9CN58zVEqPTw6aPW/qLA65UfbkiO/H54BnOeHSlFU9YPrEcCf2qooTH +qZyUEgEdB5A61NhravO78/uwgaHGiIKzopjLr8D5Le9YTD54DAlbP6X+0Jb93buVcvm2rm9c +KIbN6mwbH5gri7USDI0UAUySVYebB1UdFmOOYLovzDN7Us/sWJYksmWXpw70IZLmSVxEWR+I +urbzPgl+twksZv5EPOPhVa3plyRY+ARakisVmtdRWzBNwbd6RMG1urRiWXyD60r5XbiXN3sP +vTdvYkgFKWDQ8WS/+AyewznnU4ZU2eLFYRZi4TWugzaZVyAv7CRJi1UMOXSafqW/MlcWlM2G +qw4WhEHX70YKQRJwC2yGWF2P0T3fiQJUBBMBCAA+AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4B +AheAFiEEMXbvfbI2fx/KTzBrH5sOkJrzcoUFAl6yxZwFCQO/iM8ACgkQH5sOkJrzcoU6ag// +TGp12gxPSfLEf+J4W5YlcFggkDhYBXdXzlgzgBOOz7LEZIFOJqWBXjlem/5tWhfHLPRv19Ve +cGfXQyaRm4tfu61DINECdaZBzHcFaAqdiV7pF+TtuDtZkYlkY4mLpo6H+dcHiQggJMB5bBGi +i+3b5feV4ioD8kPvSLIH4JbCfu9/PsW0MF3xV8dUhiqZoVj/qqEPi/ZvDtLSZKs5egEX3VBQ +CkrmUKOVO0i3ch+1pPr4hz0jEl6HfRZdCpvELGHDQtAP/9ckR/SvPUvQrXfra6bKLkGOWbBk +NIMmWSpzwfX7exl/mh8FASUyhJUM/S+9aBq+hSLBt+P6+WO4j1oR9pJITkr3X5g6ZEx7Zv/X +xkKQJcgII9T8OpLsICS8WTB6IkEb4/R2AzNOClEpys5fQYhCZFUhjDjMGXDOibEG9pnh9LoZ +KCRfezRb/B1zu39XD06Qpk9ysizXzjlEf92y7N1ppVbDUEqzWeoBXwyhF8nZgskqSPGgGOhL +eilDBNWPXZuFS4GJ4xf5KaoTXztvOZGamsNwfwTyZC/xJOKH7emPEP1Dw1W6kCMHfOUITJN4 +okhZi//aLFgvvPUJs35gB1FQQDRgK6lHhHu18V4den5u/2/5qT4c2SIaUX1TvZZzer7Luts4 +Op8T72liyB5zWZt0NUZ5p7OzVV+iw6kKIjiJAlQEEwEIAD4CGwMFCwkIBwIGFQoJCAsCBBYC +AwECHgECF4AWIQQxdu99sjZ/H8pPMGsfmw6QmvNyhQUCYIszpgUJBZf22QAKCRAfmw6QmvNy +hTjFD/0XjMa2vEePxvJG5upokP5yzVQoMqAi1nryvXTiC8yzJWXD8/E9C+/K9AnHv1cvp3ko +jQmbqnP/1B2o/IYzJVJdLZR9F7yVmB2H6Z/C13X27u811DuEWEt4KYQSdNuTO9qZdtL2xS3W +TNiCx3Tu9N2sE5jXR+6JKZvU1+gCyM+GqWhFWIRphVUngoeTFcy1/2C9C5d7fg3IzcQ9Vxdi +nheYMLcPg4mumjMRMV7MqRZUCzPYkXulm5YBYDVATHfRWBmR+MP+0jrciVDkEYONKzeVRv9Q +VCoppJ5D26t/Cw6COJJAKDfsUngkWFOIIz7rvSdxe2KcVxWQU7COB2Pf7oeV1Yay7onSrYbl +6dTvQyBXBmCD77w1jl8DyrgwLJIwm7Hx7/T5StSO0W2B+rpZDpceNou7TUDok3ZagIbKhsiO +uLEofkV+Mg4KIBdvnn/QOqAeeu7OWIyyXUFWbTHYqDzucPoy98zUP+J73mm90B6/q9HFl7d2 +eCOXucvyUUrw1Qh7K562Ye1v0q9dEyaDecM/4zeioTShzMfqtPUXtS+inUiEjis8YtnwTmIW +KZaDK4eGnO9IndXbkeox19z86tPepu/JvnAUXIhgzct4IIHGKo1RG55HIAIpMrRaNMG6JScW +OkzDU9slgOZFSbnTsSTHzrJlkxn6kagdTC2rvXKrI4kCVAQTAQgAPgIbAwULCQgHAgYVCgkI +CwIEFgIDAQIeAQIXgBYhBDF2732yNn8fyk8wax+bDpCa83KFBQJh0jLzBQkG/+umAAoJEB+b +DpCa83KFUF0P/21Q8qVcy20daWySstGa8cR8yUFQSOiYtn+DbAciBle+RHIvnBcmkdyRmRNN +tQhwg6c3wXr8X38/jsopH7c29v9kKvBoBTE495S85IKuacux/+PfL8itSZsF66EPEV9F94sA +GZ3E+VOUCPhmGQPUpCXtxExSJ35KmVHWF0dGR95LeXIvj8Z8Jg/h1wCVMfzFgF++B4tv4vn5 +Iq6UNrRNCm6OPOAYslk7X3m2ozS7/e0sP/E6RioHCySoAS9GmOUEKCfHRPGEJ/CzUQxZO/WM +mUR61xqTrE6cxLEGQ9mUvGAty5slioZv9Zc2GyrNZpVW5KHVOpJGiZ/KdfbOWyO/YGo456DJ +t2Ie6vxad5wth6SKcVipyqjHaJP7vjHIr1e7nuFX0ayle5lyf9F1LXHPCmHoQ5Q6Z526hE1J +ED1PwxqVCMQdwUd4oRGSehKSJMrF34H6QTzbz6Y52le/rjxYAM5bLeOBS0akB9ICOyLASwAa +4F/soqBdc0MzpKfIiPDyZLgZsXgNUPzOvFSCBeFpmt3o+u+zNgE3cF+XBaoK4b28IgUrLeu2 +CY28nocJ5f7UQHsVev5SJODZ0yhzxNnaJoHgEfri5JjDv6PxuRpNXGG0Vxt/ETN7w6gABRM5 +3nNaS5WvVFei67oCQhxK58SPT5vYdJ48BjSVqYM9TQzC5cryiQJUBBMBCAA+FiEEMXbvfbI2 +fx/KTzBrH5sOkJrzcoUFAlzUcE0CGwMFCQHhM4AFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AA +CgkQH5sOkJrzcoVYFRAAqnEdpZvRw8o1MvgoahonEQQ0KoNK2Q6IQT1iAlFg43hsf2Q6Lj1N +8gaClrty5NKLiDxdFbIQzn2m/B+FJVftOlnCBLGIVe861FD7Mwg61bGbftl0irEgaXT2qASF +a9FMWzfJbP7EukwTWjf9cHZkzqlF6+tpcKBf3LviuAc2kU+cmirNEmG9JnKoODEprUTwFo5c +GQbx8BWWMoWkGqdOtLleThos38Gd0CxZXTLbEjOY7kAKJOFqHdTgjh2GPkWoUWo/2eWz4GBN +8nDPOBto/Te5ybujCS8srdpjluPY45IHiie2j5Xnb7rsrdxCdBkIiUkIIy1xv+sI5jfl5gSZ +HMnWpaTEcZP2Leje1R33reOrz/Jgv4zW7VG+cBUhq0SXMmT9Hpc7zulYUodZpUaKhFBypG9Q +hVQmBqK3xnVLokYU1ysD3IyKntWSUGiCsijnMtgqCLSzZHAjR7U5aDed+/GOoTviD9wSMkbZ +QXA97/USGLEI9k7vVZ5bpPwMG8C5JjpwusALA5ppoSustAFZ9xaQGe5tew6RYiJTabpjZI2l +C3xChS9jzxwfFW2ItVdSABuvV/vdSSsc01PN7Pgdkc/IXotozW7WG4/xP1bImrTrnDn/WI/I +NLZ0uF344WtlT10EEoQU9roZvoRenrAWqaQ4I6IffwBhCg+CYceO7y65Ag0EXNRwTQEQAOhM +wHA6FxDjdxLDnPYZZ/HRCB3j+Fn5s+c/qiK3J54G4yYP91871FjDeF7pDsmcQRgCz0k6GeZO +zFOkpCTGg6aMPkOiBo931OqckzhlACnLSCzR5b2bILTaUGnf4t41D6+tCFK2dfJBdQ0yYfB3 +la8kg9a7vtnlaM9UO0Tr+o9NYOWysUAa5fxS9jSF2CzgeZ6k9Wa0bj90u8N9cfsGrMB7F6TV +PG4Tf7GbCvgMwaBfSQK74hXVWd0wjTW0VGIpxRfAYudJyB/2da5rOsMWh5hEe6dShwEQ1tJH +njuBIJI1UZSyVtFqMj8NysftD7+Vrd6N3Fp5umUzc6tViag+u6s8Q8TxCXMaSwoVtBV1HHbq +KiCzwd4XNwHfv/h0VrgM0SXrYVmHwUkLUNdOlAKWRZ7ExaTMx0oNaKwjr3FhV7W5utf6kQ9l +MfS8gV0dJM1nZp0Zkgi/ojuIecqBQXJwTp1YQo1QmJHM0sKTu6pOOlTxizaT4Ak0etQf9SLi +nltMeYEdCoFavWkWXIIP4YM94fuD5Ekc03b2iiCMKVONSr4dKaAPFEtV3uFIoS/VwG5QQ8mE +hZZH9ymOeUrm+YvljFSfp1TDp9dGiYNKCx52Zj7wChqswzVEVFTqGEZqsYtyuuDQM0JhX6TG +T75zmsqiJhBGl6nigGrdaRCnWvWv0n0dABEBAAGJAjsEGAEIACYCGwwWIQQxdu99sjZ/H8pP +MGsfmw6QmvNyhQUCYdIzCwUJBv/rvgAKCRAfmw6QmvNyhXK5D/jBMCAdoJVW9ai4tKgNac3s +xFjrtnLPo6lEzB4AXnltkC1VwULeDL+O3IueYCt7kyRr9vvogG/y/e8kpVIGvH8TcZd71EvU +kM7Df9X88I5bPrA78MpWAEQGE1RxsFLQVppzAOeiXVTXy/nwS/8LKP28W5FNFH0M9qYmvTje +S0YYwxr7DJU526B0JGiis4kXl81tYnd2H46cx1qjSMmWMV0dPWMbUG5gs3HtU4u5DpBgn7a+ +klihpmtxebWNV2vO3TCqYJps+WbvDPHpUsHFpW+wYvE0VosB9jYKzhOS94aGz4Yl7fTZq/tF +4atBReoeESJi6RJWpvNmdSQPYrJu3BAGWnYTuniW9xhHhSYnCSrH3WfZSermU6XiAmKtZB5X +w4HyjuJgKjUDjzVDOvpTQVcnpkBXkOdw0dIZDk61cq81p/R6bmxEGsIkMHNpxRfA1PNwjypg +ioLF2Cyq5kB3IVc8KdpW4O3XaVSiMfvXlkvpQJmCPtxup8IqUmgL+ILTqLJaHOhpbb6bsikT +DekUC9DIV58xQ5HuHI0qaTrDyZsG8CK6f+OwxKbXJh5QDFarM5YrOIHaOaBSICQtCgCBH/Jp +388LOm8rTDqSHAQxp9ZjQafyLBaGHlHR2rvnztfV1LHS+9Pvven6J3Fj4r5hztJXuKUrOZ/B +sLw8c7DnOI0UiQI8BBgBCAAmAhsMFiEEMXbvfbI2fx/KTzBrH5sOkJrzcoUFAl6yxcUFCQO/ +iPgACgkQH5sOkJrzcoW5Jg/9E2/nvRIKXQCR8t7BhzMr4qcI5rqAY/pA/SxuI6G3zqyJ14dk +2g6QN7khdesFaYbJjak2pTVyBiffm5UBz9NzD6Aai6MYUSJnKBE9432gaVYv5L1PaVlybwHF +bK3ayo+dI4gkN0gYlrA4l1BUX6SsDumawlTMWTB3/4fqKN5c4u+XL/ccT7z+BRQu12kYLmUj +3xXjh3LxH9xuwJ6qj0Kq9cNZMHCfO5YJV8dhxA00GvdNCIZfgmmGbZFjoDR1qzM53SykqcFC +9UXK0IzEv0p2zSRJ3UZwkbxP7CWm2xEWLv9glVQM5wTULcRhdARtgzeyq82fMS7DyEmshYKE +L4o/kAcRwaOy8Kyl5PSadpEQdEBwX3DutGAPt/V5Vumdx8vKl2JX44F1euiNCYeQEmNYd1F8 +T2a8xSdQV1TUIoHugQ3QGex2+scR2SdOVdpey+VJLN7hxk5xUx957E7SQVf7tCVqq6BElUkv +kQAr48XRfj2+KFPEhmb140VLJ/ilBITQ9CyhCYkywar9SDh9xf4q/cfBdhBXn9nK+vOgS1mP +Tdjgd/RuR3n3n7RUKTnOBdx8744fgLNKfJ/MWxVQqufPUX73xxqNZDjXDKe8b5YgHMmgJj2R +DNqnBj/+uKhcVPoI7y2DQU+aeBLlqxypmU74H04EdD8ikbByrMV2lBFwIfyJAjwEGAEIACYC +GwwWIQQxdu99sjZ/H8pPMGsfmw6QmvNyhQUCYIszjgUJBZf2wQAKCRAfmw6QmvNyhU1fD/9m +JGguTFO4J1nJAR2/n4DRV62L/IjaORhePqiiw5FOBNr5/9+ggj8yV7Il4MU9oWTM1DRcYMfH +OvsA2yS5hrHPyifWHpcTqkudnecPBT1JnVvMivzX+s4x1ol4EyOQRByBoYCFsEYaRscNrDIT +Mid4zWPy7rkVPDr1RB+cJb4lQzfRx6XG8bJuF8MymEd9S5GNxeHNigdnFP3v3QwhiqSabWHp +ul+k5VelSRqOlfVPNCoCABIfd5nEEwkzpndsmRRjx3Qidkh7Dwp/l/PQC/QM6RM+m/3LpXJ+ +Xah3DqkZHq4EYhmq4QmLljzMoT9EUXxWhiB6r8Xfg9kXHLEw7fed5nB9lXo1UgnEiWiL9Fpc +/7Zfm3hmkO9p1CO4SJCO6zHYNpL463Z6USnN/tLFcJFAJJNpChXRHPF4g2YEy4gs8IDNmzjy +OMLDcnt9v6DNt23SVxdi5PrxlPvLTA09tjOQlR2jTCsfEW96F7AE3XKorvdm4GkU7jWFeIzv +3RlpZZIZxGgfHvJ0gEA1UGKhdV9qZh46y5i2MwGILp7DZgr1ew9ekotmoqkO6Gh6SxI1d3c+ +IeS26+VNocVjQFjQvfoJ0CtR29AVCP5jYZtFeVIhwpLmoaIdfTKgo/QVOtzldK4dCxFNShiC +Yj3gDv5ZyAzx4QYWqCT7kmJ70fDzMgnipYkCPAQYAQgAJhYhBDF2732yNn8fyk8wax+bDpCa +83KFBQJc1HBNAhsMBQkB4TOAAAoJEB+bDpCa83KFDGMP/j/LjzcdTfiHWHc6E7EUM3qPWf8o +bSL7Ft4l77x0vUGf2G3pQcngTI1SIMTTLAKkXhd6qPqCVPmM6kHK6IzwFcnMRFoMyoH/bVnZ +kUs0NyU3DPg3OUc1Iunvcg27nHdZPLFRv8ey/qSyNiIEJu3hzyBIUO0ZDdOtUwkqnznrri+I +pToD7gWoYM0CC/Aero/OaC20c6dU1s4zwmAjqfzb0Nqiv3CDrrvF0p3g6fn7BAyHxnYbS7ZX +S8nPQEY0qp+yC0CR3jceXCwv9C1PhQiSfqiPBTL7CglOz02WSAxY7GInh3VitM2rruKcacpL +VfjiZmFH4SUCys/7c1Sn+pJTfiqO/2sV4vutxfu3Q0xDYmcf7DK9BN7bZ01m3szTX/+5Ief0 +kpY+e5ZrfcRHUOAzA/dXeW8sErf+YvCU9Hyi/e5iWvbhaMg9HwMA37cEfhBmVwGBOS6nuFHn +7TFoZrCNnFWEpfUJY++TThhNaVKlz5n3PXERFCJlfZtXf097cJJRJniBoA2jdfQqSJAgXArb +ZPxRW0ohIfgj+lnvqNwB27trdnKKpxC6k6P1k0QZ1MP3tDRaz/k0WrVi4Sxps78/RzA7I9nA +R1ovVUx8Tw2I9ru64SyyyYuaA2M5nQs4kMzA3P3oeFO9t91by/d/O1lj9HtGYEn5xLzb40Oy +TfeDSyTpuQINBFzUck0BEADgwnBJBHWBnKwHhEJLYei4PMImRJSjoiYZi1EmiCT3u9+qEW/I +Oy+VJPyf2OyLM9RoLzMrCRmYi41eFZryWsenpzHQVP28KbMHP+mdJOTyvX9Lt8Ohxa/m+ZG0 +vjhXLDBsRFmhEFDV14As8NcI1GivnpyNxTFDDWbmxDMw7zTSkjH8dqeB/Z/HTXWu0pdOrhXb +85iZMsOZDUzmbKwBQTAOX7zPtmi4zheP49VXHGn3fNgvUb6QuzSQNtAKS7C2qPlIMug/vYyX +RNM4dnC9aGYdjwXuEyNYLN131lqG6q98xxPRsbdnzDqTgPCZqk2dZq033Ad2zhNbhynycxXD +pxQsRn4PQfKBgpr+IdNEP4UevaOueaVLSwtvcvXcqMYtrzSYIcNu0tnbDDZRxhgKM+3TkpZc +107qowq6+SSPzWbg6hUY7vxKzDAgvYhn5Oin59sARfo0KkSAM1H8/ozYxdNGySqIQFewcjjL +DpQnI2x/ZAU8nk0hltEzj+KmkJdJJI3becentmrdODySLO0fidrCmzhiuk8HLodDQ9apY+54 +fWwDDUws33yE4DtX5Y2/1nUvwDNpil6dRknAVGdc3OvIe+WAnsGR9SMSy4HruP/Yf+OZSCFt +OSloe4MtP+qdyfx0vDg/mLffZxE8r+zSeB5IAp0BSbwUhdbeWGd+UpWCCwARAQABiQRyBBgB +CAAmAhsCFiEEMXbvfbI2fx/KTzBrH5sOkJrzcoUFAl6yxcUFCQO/hvgCQMF0IAQZAQgAHRYh +BMuN5wqQz79sO/XMVpYmKs/7067GBQJc1HJNAAoJEJYmKs/7067G2s8QAIP/MH/Xzbuhz7uO ++6FFNS7kk00zQImC1Y0yYyeyy2UWsSD4HUdE05CoJCMSwHXpTNzDs/aackTsKivEINYPvTwb +EGPMPqv9MVD78T46iwSuA+Qg32CDLAjubby8Q55DXYS/q40CZaLzg7OQT8IH03ewxzrtpdLr +nXnYN1ktwBFokv5ZsxB5BhEJfbEHEqdoNk2STQv5p/Ikrc5C/hefHSKXV4cJRYoPkrdnr0ZH +yevB5iGuR9zMxmkLD+NyIqqVqxjWQNjLoEdY+xKnezHiIZvGb6nH55DosZY5/IHgLUJsLFcY +NfLFSVdAzF0py+A5nY0PJarlZptOi22tSsSXX5EKWHLTZUUcs1uBrmydVFMsT3ZC+8pHxLyK +Gn+f+89jdUCzidQ+545OYnNTzxTjGytG9Y/KEVDYUWAm9OSSLJjDpt4RDVF6yte8cHJfdC9Y +pazet2Z2GMtGa6g6dv7NhDF+JCEhnMraPaLHbWnABP47AJZ1cRvYfE2lyHBzfKWyWJ56BWH9 +Sf7p6DwehqIAo0erPAcnBDcbrfrHaSnFLvW9UpIGAGvBMXZqAoZNNsXqq7OMHRt9rWZXOGke +GAINnwlQIT3ffKMounUS9xzLM0kZdf7BS7K5+5gcjJPh1b1yvBYApioBAXbnaTmqvdwr03FL +noGi5/0671t0iUGSqbF4CRAfmw6QmvNyhXnWD/4h3rEK6AkbcZ5EMiWdCphpje+vbjIBGj2o +XaJIKSWiXrvI+ueWfrFcdOfl4vq2CGMp/rjKTR26xkTk+JQws7mcXX6xHCODQreQEfOFQnpG +kQBxJ/Mlx3dqjKlEgHCUp9sDYS2UaYMM4b6D3WWohSbFK/KhC/qH+51cviBcCFoaXtCaGy6v +gFzhwUpXmmk3aMaPvJ/yWFa5qfP3IcSVd2mK6QPSUkRjqqUEnXk79Q3j2tmvh2Dl4+KOlt+2 +aPvs4oITr3bhHHK4nvbwc/JAl744mxg8EE/dlkS+uHGlNfHzzQuud75dLxGeyjLCr/FGUUrA +g12D4Z4tDPtJHLwWOs9rIZWk3W16VpVSyzP+7bREuiNsCat0saGQm5T4TCBn7JiuHu5R/jG0 +gHBjrEZ0EvQxUyRqmT2irnCQ8EY6icuVA6oJGjX+nt1HO7n/5XFFb32ZZueX575zg47VGgUY +18z5tURzHRS0/OkYjKlCau6JPqe4tmePSHTi51KfpnlzZ5f7L3vYVFlh4i30TQVX3qoZw8R4 +qOTkashJCDOnB2Y4Ll8gww5ttfuC7Kc3H5P/QvcEQj6G5m895QlVyD7keyssKA2hycTp81OH +kNd9bxkkxFXw+ebVTii8R4Fu3uFLDD7nPPIJyES5rzHuQDGwZ+GdQs+a9lDQrBfNKGy0tGGI +sYkEcgQYAQgAJgIbAhYhBDF2732yNn8fyk8wax+bDpCa83KFBQJgizOSBQkFl/TBAkDBdCAE +GQEIAB0WIQTLjecKkM+/bDv1zFaWJirP+9OuxgUCXNRyTQAKCRCWJirP+9OuxtrPEACD/zB/ +1827oc+7jvuhRTUu5JNNM0CJgtWNMmMnsstlFrEg+B1HRNOQqCQjEsB16Uzcw7P2mnJE7Cor +xCDWD708GxBjzD6r/TFQ+/E+OosErgPkIN9ggywI7m28vEOeQ12Ev6uNAmWi84OzkE/CB9N3 +sMc67aXS65152DdZLcARaJL+WbMQeQYRCX2xBxKnaDZNkk0L+afyJK3OQv4Xnx0il1eHCUWK +D5K3Z69GR8nrweYhrkfczMZpCw/jciKqlasY1kDYy6BHWPsSp3sx4iGbxm+px+eQ6LGWOfyB +4C1CbCxXGDXyxUlXQMxdKcvgOZ2NDyWq5WabTottrUrEl1+RClhy02VFHLNbga5snVRTLE92 +QvvKR8S8ihp/n/vPY3VAs4nUPueOTmJzU88U4xsrRvWPyhFQ2FFgJvTkkiyYw6beEQ1ResrX +vHByX3QvWKWs3rdmdhjLRmuoOnb+zYQxfiQhIZzK2j2ix21pwAT+OwCWdXEb2HxNpchwc3yl +slieegVh/Un+6eg8HoaiAKNHqzwHJwQ3G636x2kpxS71vVKSBgBrwTF2agKGTTbF6quzjB0b +fa1mVzhpHhgCDZ8JUCE933yjKLp1EvccyzNJGXX+wUuyufuYHIyT4dW9crwWAKYqAQF252k5 +qr3cK9NxS56Bouf9Ou9bdIlBkqmxeAkQH5sOkJrzcoXLuA/9E35tq9kEQLfVk/XIPaNcK1cY +thOICf/LfZVcNvlGxIfMGfuEbQ+1eWcdVa/UW1Kff3VUOZaAjyRbpdrVbEUCyoFnnMEs/GbC +G5+gWGpgwD6jt7tESCCpQIssp3b8vf69SWNH8jKY4LXPkeSaxuhFWlUjaJXnvCMYWeHTPTke +BKHVMoAKYWKr7t6jgLDGoNO+B0l4vVGq2K8M0obd5Wn8HV1IgYu9yP5CX8KzYkSyg9Vc2djQ +4k9aKfCthVwwKJ+OH1MJFpEKYihmUweaGo9+32sHdT4ifyn6zS+K8HHZGlK6DeBlqrWkx7GP +wHZWtq6v2DxcobZieLoLmyDZlJFJHjbKZ9Bg/OqUaqCyuFzHoVC0UTRIgvblButt1agaMPz/ +7+VdXZUKmXjZjopW6R7ScxK/q4uvKykY+r0eDTihLp6Nyb7m96Xv8HvlBe9Vzxm//PtosZUs +sQatJHMecKePEhkY0i/bqm4CAur7ESfWatgZhZC0MIG0jTCB6O7ueBVTKX80eXeyErYt+Wra +iH6wuBW8GCLuuMnAiaVkoknx75Oyqirr3Una2xoGGMcER2+QTWTxD/GuiPIOK6z1ktglCjIH +hK+bedsSrv6pnJtcdc42btv57ZmslyjiSIOwnCHQNfODjc9Ke4/FtVnsRmIhn/NXI8OdL5oH +vI4Hu/sWWdGJBHIEGAEIACYCGwIWIQQxdu99sjZ/H8pPMGsfmw6QmvNyhQUCYdIzLgUJBv/p +4QJAwXQgBBkBCAAdFiEEy43nCpDPv2w79cxWliYqz/vTrsYFAlzUck0ACgkQliYqz/vTrsba +zxAAg/8wf9fNu6HPu477oUU1LuSTTTNAiYLVjTJjJ7LLZRaxIPgdR0TTkKgkIxLAdelM3MOz +9ppyROwqK8Qg1g+9PBsQY8w+q/0xUPvxPjqLBK4D5CDfYIMsCO5tvLxDnkNdhL+rjQJlovOD +s5BPwgfTd7DHOu2l0uudedg3WS3AEWiS/lmzEHkGEQl9sQcSp2g2TZJNC/mn8iStzkL+F58d +IpdXhwlFig+St2evRkfJ68HmIa5H3MzGaQsP43IiqpWrGNZA2MugR1j7Eqd7MeIhm8Zvqcfn +kOixljn8geAtQmwsVxg18sVJV0DMXSnL4DmdjQ8lquVmm06Lba1KxJdfkQpYctNlRRyzW4Gu +bJ1UUyxPdkL7ykfEvIoaf5/7z2N1QLOJ1D7njk5ic1PPFOMbK0b1j8oRUNhRYCb05JIsmMOm +3hENUXrK17xwcl90L1ilrN63ZnYYy0ZrqDp2/s2EMX4kISGcyto9osdtacAE/jsAlnVxG9h8 +TaXIcHN8pbJYnnoFYf1J/unoPB6GogCjR6s8BycENxut+sdpKcUu9b1SkgYAa8ExdmoChk02 +xeqrs4wdG32tZlc4aR4YAg2fCVAhPd98oyi6dRL3HMszSRl1/sFLsrn7mByMk+HVvXK8FgCm +KgEBdudpOaq93CvTcUuegaLn/TrvW3SJQZKpsXgJEB+bDpCa83KFsXUP/2EnRVBTcGNoFUlM +pix9my9IMvGCoYcV3PlPPIucZqmyFH1ky+jKNRlTKW6lim+dsrHrKnFkQ/swv6dZnjkph0tK +xqpcc3yYIieUPoy9ypddxy5Q199yBBceGU/+UTYMWqVgOOELXeblTICoV+GTveQ9DkxpRf2U +9kJ8Vhb5hUA4mUC2Wez99ucljwQl72ayP7RoDIQ12GrrX5fFQi+1mnwqJPu8y2AUeCSC7Dzz +yfgZC9hJD8O8KeH03XCefoSfxAO4HH9Er1UN9TSFSzsIftK/G4cW8Xoqh7S/5tLaRk7/dCGc +tmEM06SbacwiZFgYP7xAkYgg55tGX8ULxVQI4KpjXP3RLaw5a3RUUm9Sg7+bQgU1jB0qxq2L +uXpPMWmapiX6uWx8PJrWJ21XNnHmcszwStyTWCYMaH1Zcdqy5bWe9oklIKVBus8k2Iu0Rk34 +hmPgaB3TG/wyOraUnNZewccxFc9mls5o1v48lrm4ZERW9djwUIj/eCU5Z3fbubdk32R5E9Nv +MlcxcE+5SHKFJd0H2cVZPnhI5G90P/eQFAkmGhpGtpSQ9AmH9rP+K/GB1Jj4GM2u3IDwMgds +JhTGUfJh1UW6phBx6x5WMN/nrylFv7U7spggFfStlK3AmKy6zR3xlugmmmKc65XCTl/KG7wu +nG5VutE9BCxlviVKeE5eiQRyBBgBCAAmFiEEMXbvfbI2fx/KTzBrH5sOkJrzcoUFAlzUck0C +GwIFCQHhM4ACQAkQH5sOkJrzcoXBdCAEGQEIAB0WIQTLjecKkM+/bDv1zFaWJirP+9OuxgUC +XNRyTQAKCRCWJirP+9OuxtrPEACD/zB/1827oc+7jvuhRTUu5JNNM0CJgtWNMmMnsstlFrEg ++B1HRNOQqCQjEsB16Uzcw7P2mnJE7CorxCDWD708GxBjzD6r/TFQ+/E+OosErgPkIN9ggywI +7m28vEOeQ12Ev6uNAmWi84OzkE/CB9N3sMc67aXS65152DdZLcARaJL+WbMQeQYRCX2xBxKn +aDZNkk0L+afyJK3OQv4Xnx0il1eHCUWKD5K3Z69GR8nrweYhrkfczMZpCw/jciKqlasY1kDY +y6BHWPsSp3sx4iGbxm+px+eQ6LGWOfyB4C1CbCxXGDXyxUlXQMxdKcvgOZ2NDyWq5WabTott +rUrEl1+RClhy02VFHLNbga5snVRTLE92QvvKR8S8ihp/n/vPY3VAs4nUPueOTmJzU88U4xsr +RvWPyhFQ2FFgJvTkkiyYw6beEQ1ResrXvHByX3QvWKWs3rdmdhjLRmuoOnb+zYQxfiQhIZzK +2j2ix21pwAT+OwCWdXEb2HxNpchwc3ylslieegVh/Un+6eg8HoaiAKNHqzwHJwQ3G636x2kp +xS71vVKSBgBrwTF2agKGTTbF6quzjB0bfa1mVzhpHhgCDZ8JUCE933yjKLp1EvccyzNJGXX+ +wUuyufuYHIyT4dW9crwWAKYqAQF252k5qr3cK9NxS56Bouf9Ou9bdIlBkqmxeKcnD/4+1HUg +5cKrfSTXZNsuOU7AnlybWpU7Jl8YdxfeuCCe+I5W3jTYqljpCRGWBAHtE3udB37JXKSn8yH7 +0JzXQDWL9+G1wqk5iwkvtmKqAapzJFuZ9lYNlNGYDxI9foTq99f+OheFnT3nUm8IA9N0MwjG +CIJ5501HM+NO8WylVoy0Y+erxbyQGC2Ey7YjVZSuCTZo3BuYiSCP8Bmd9qHxCJmBGQgbtA/2 +QBcLZ8o/z9w0U39Iwsei8oacZncVTIFnBDsU3E25M1eyQ8VdcAqLL7v3UFOi+20zBBs+g8jB +BdzXUVhp+RAsXldo8i/qtdD4/90UXT7FBXmImGtzOVmza23v7Dyq7P/ZueEAqhr7vtW97UQ7 ++YkXDa4rHi4HrGJClrdxixEyCTPrD++SvwxAud3hAUKZF9hOb0fD9A7cn63EERVgaJGAi7p9 +Oqqbqni8JOssQF6TeCUFP+X3nR4+iy8EX4scfN6LUB6/mnhoRVZ3GNEzPAZi9PGe8RqWJqUM +trBVUPVxcwAgfijPmmMIXIUyZk5ysTQeT3eJVd3R3yxORfaHSD5kuHnXWwsp/yYltsLI/hBt +Va8N7XZdzZ9JDT8fIWj5515DsfunTtksrObpRdiq4lxAoYqiboI+L1BCHwvaTy9ghXhhpgny +m0DJk2bmucRair96apTzdYoszd7iLA== +=DiYK -----END PGP PUBLIC KEY BLOCK----- diff --git a/expat.spec b/expat.spec index 4e6e587..9e98481 100644 --- a/expat.spec +++ b/expat.spec @@ -1,8 +1,7 @@ # # spec file for package expat # -# Copyright (c) 2024 SUSE LLC -# Copyright (c) 2024 Andreas Stieger +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,10 +16,9 @@ # -%global unversion 2_6_4 -%define sover 1 +%global unversion 2_5_0 Name: expat -Version: 2.6.4 +Version: 2.5.0 Release: 0 Summary: XML Parser Toolkit License: MIT @@ -31,9 +29,16 @@ Source1: https://github.com/libexpat/libexpat/releases/download/R_%{unver Source2: baselibs.conf Source3: %{name}faq.html # https://www.gentoo.org/inside-gentoo/developers/index.html#sping -# https://github.com/libexpat/libexpat/issues/537#issuecomment-1003796884 -Source4: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3176ef7db2367f1fca4f306b1f9b0e909af37285#/expat.keyring -BuildRequires: c++_compiler +# https://keys.gentoo.org/pks/lookup?op=get&search=0x1F9B0E909AF37285#/%{name}.keyring +Source4: %{name}.keyring +# PATCH FIX-UPSTREAM: bsc#1221289 (CVE-2024-28757) +# https://github.com/libexpat/libexpat/pull/842 +Patch0: expat-CVE-2024-28757.patch +Patch1: expat-fix-minicheck.patch +# CVE-2024-50602 [bsc#1232579], DoS via XML_ResumeParser +Patch2: expat-CVE-2024-50602.patch +BuildRequires: gcc-c++ +BuildRequires: libtool BuildRequires: pkgconfig %description @@ -41,11 +46,11 @@ Expat is an XML parser library written in C. It is a stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags). -%package -n libexpat%{sover} +%package -n libexpat1 Summary: XML Parser Toolkit Group: System/Libraries -%description -n libexpat%{sover} +%description -n libexpat1 Expat is an XML parser library written in C. It is a stream-oriented parser in which an application registers handlers for things the parser might find in the XML document (like start tags). @@ -54,7 +59,7 @@ parser might find in the XML document (like start tags). Summary: Development files for expat, an XML parser toolkit Group: Development/Libraries/C and C++ Requires: glibc-devel -Requires: libexpat%{sover} = %{version} +Requires: libexpat1 = %{version} %description -n libexpat-devel Expat is an XML parser library written in C. It is a stream-oriented @@ -66,17 +71,17 @@ in libexpat. %prep %autosetup -p1 + cp %{SOURCE3} . +rm -f examples/*.dsp %build %configure \ --disable-silent-rules \ --docdir="%{_docdir}/%{name}" \ - --disable-static \ - --without-docbook - + --disable-static %if 0%{?do_profiling} - %make_build CFLAGS="%{optflags} %{cflags_profile_generate}" LDFLAGS="%{optflags} %{cflags_profile_generate}" + %make_build CFLAGS="%{optflags} %{cflags_profile_generate}" %make_build CFLAGS="%{optflags} %{cflags_profile_generate}" LDFLAGS="%{optflags} %{cflags_profile_generate}" check %make_build clean %make_build CFLAGS="%{optflags} %{cflags_profile_feedback}" @@ -84,31 +89,30 @@ cp %{SOURCE3} . %make_build CFLAGS="%{optflags}" %endif -%check -%make_build check - %install %make_install find %{buildroot} -type f -name "*.la" -delete -print +# Fix permissions error: spurious-executable-perm +chmod 0644 examples/elements.c -%ldconfig_scriptlets -n libexpat%{sover} +%check +%make_build check + +%post -n libexpat1 -p /sbin/ldconfig +%postun -n libexpat1 -p /sbin/ldconfig %files %license COPYING %doc AUTHORS README.md expatfaq.html -%doc doc/reference.html doc/*.css -%doc examples/*.c examples/Makefile.am examples/Makefile.in +%doc doc/reference.html doc/style.css +%doc examples/elements.c examples/outline.c examples/Makefile.am examples/Makefile.in %doc changelog %{_bindir}/xmlwf -%{_mandir}/man1/xmlwf.1%{?ext_man} %files -n libexpat1 -%license COPYING -%{_libdir}/libexpat.so.%{sover} -%{_libdir}/libexpat.so.%{sover}.* +%{_libdir}/libexpat.so.* %files -n libexpat-devel -%license COPYING %{_includedir}/* %{_libdir}/libexpat.so %{_libdir}/pkgconfig/expat.pc