SLFO-pool/expat
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync from SUSE:SLFO:1.1 expat revision cd72bb6e7b9df978dc43a255e2c7c0e0

Browse Source
This commit is contained in:
Adrian Schröter 2025-02-28 10:52:43 +01:00
parent 56f2fae877
commit af55fce15f
10 changed files with 788 additions and 445 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
expat-2.5.0.tar.xz (Stored with Git LFS) Normal file
View File

Binary file not shown.

16
expat-2.5.0.tar.xz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEy43nCpDPv2w79cxWliYqz/vTrsYFAmNYAlAACgkQliYqz/vT
rsYnzw/+Nn8rFvElM2th9ex3Yt6UkNtx/hZWITig7URH7wHtShHA957xMcJiby4R
/RoKbtcb3+RNeOtDMycT4wFy2p/tmuJ3mPL0ewFkKkfw1Uk489AbYukzSbg/YmNZ
3+r6DFAd+kJOpe+6m4Nhxg2iohVQoXjQPBK02njkuKN66thrFGxnQDfi62qAbIm+
7Ac+McmOypDuG1H+E2eeRIMwgGyU2yiCvqtleKfRaF596wdfbv/gIFcETKI7wMnV
ExAhZSVDgiojGqwhW7vZOvrwmuDsZOazVSMyasntJazCynWLZ5hAkRtpNvsvIR3i
cUd904PPjrr5VFQmDQxI4HieeloI5aipl7y4wR+g7WE1JjKs4ScVA8llIsLvZie/
fZh+Fz/TS4B8hJpnkRGXc7IpovXyFDb+C0WkBxy77OvdEu7QgXaIh1+AT10FkQsF
HbJT3vHk71D3D5JlUv9DPL8YZ3gFTQF7LwpvfJVDUiYe3hn+f4u4XAt6F3zVnXok
NEs8fflALfgtIC46nPbhcrxQdO/CyWGIWhisDwoB6FHloZc8EWuWidg7SOdApK1W
s2ycdH7XLEBXCriIpKWHS9ebkWyPQHe/Ezi2pv0ieZU1TVtV6nVv5YlH2QHBoZJK
VPlgb5u2zVp9y/bthnZPgRId53kdnZCXezKLQ+wc27Taojpnzws=
=UAN0
-----END PGP SIGNATURE-----

BIN
expat-2.6.4.tar.xz (Stored with Git LFS)
View File

Binary file not shown.

16
expat-2.6.4.tar.xz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEy43nCpDPv2w79cxWliYqz/vTrsYFAmcsGa8ACgkQliYqz/vT
rsYJMA/+NxOVa+kCFEzhMHD9RCumwFj7lfmJDPM6rroLi9GqnKc8165Ub7e+o3bq
fdPCIFiZkYTGpliU3Q9zlMEBTZ1TtsaqVGgjabK9YKf8ZTK1MUR2z/B6gWLfjo8F
knhj0KonqeRxtcKPSYs9xP+/sNlGkEQjZgrfo2Z9oX8Q7eNGn/fAxmbjhBhvILwG
mKmwwc8PSi7RCNLgaoyikhcddohclApXU1Qid1g6FwnxQ5aKXSeoPgu1bGrDiz6k
/RkO+KR1Yfkcty97CwVV5+4EHTB1aa/fk3gHgprHD9qx+NLeKyD4+44AxseCMiSS
FXP8S5Z2qaopIS6tvuKXiyH1mTCJQugFsxk3GnQBlgkvj4rypr8MnUAALam13OMh
ziRndeMR2ieJ1ASJYfkjLeXVi4pz/pnRECAUAxly5z8Zx5N+IX9bOgjpwhd6QtOt
rVbq3wgLKmlEch8KcsL4RpGGkiK5gchsqXDM/g0cCu8vNC8+pDO3sNIQJDsmySYt
X3ewzOv+Vj3LCoeospnyLjNBOh5upgm1s6iq6bsxr29FU1MfaP1awm7jtYmr7ch9
wr24fPhXopp5emWnJP3O4GQj8Q1mcPFLmGy0wmVdnr8tzKzyHx9Q2WNhQUcYdnR1
0qmKBSttGXPK4o+/7Q5zALapx+jYlUcQ0dKxhAPuBPGYxPTm5h8=
=jbKR
-----END PGP SIGNATURE-----

319
expat-CVE-2024-28757.patch Normal file
View File

@ -0,0 +1,319 @@
From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Mon, 4 Mar 2024 23:49:06 +0100
Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with
isolated external parser
When parsing DTD content with code like ..
XML_Parser parser = XML_ParserCreate(NULL);
XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
.. there are 0 bytes accounted as direct input and all input from `doc` accounted
as indirect input. Now function accountingGetCurrentAmplification cannot calculate
the current amplification ratio as "(direct + indirect) / direct", and it did refuse
to divide by 0 as one would expect, but it returned 1.0 for this case to indicate
no amplification over direct input. As a result, billion laughs attacks from
DTD-only input were not detected with this isolated way of using an external parser.
The new approach is to assume direct input of length not 0 but 22 -- derived from
ghost input "<!ENTITY a SYSTEM 'b'>", the shortest possible way to include an external
DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22".
GitHub issue #839 has more details on this issue and its origin in ClusterFuzz
finding 66812.
---
From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Mon, 4 Mar 2024 23:49:06 +0100
Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with
isolated external parser
When parsing DTD content with code like ..
XML_Parser parser = XML_ParserCreate(NULL);
XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
.. there are 0 bytes accounted as direct input and all input from `doc` accounted
as indirect input. Now function accountingGetCurrentAmplification cannot calculate
the current amplification ratio as "(direct + indirect) / direct", and it did refuse
to divide by 0 as one would expect, but it returned 1.0 for this case to indicate
no amplification over direct input. As a result, billion laughs attacks from
DTD-only input were not detected with this isolated way of using an external parser.
The new approach is to assume direct input of length not 0 but 22 -- derived from
ghost input "<!ENTITY a SYSTEM 'b'>", the shortest possible way to include an external
DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22".
GitHub issue #839 has more details on this issue and its origin in ClusterFuzz
finding 66812.
---
From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Mon, 4 Mar 2024 23:49:06 +0100
Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with
isolated external parser
When parsing DTD content with code like ..
XML_Parser parser = XML_ParserCreate(NULL);
XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
.. there are 0 bytes accounted as direct input and all input from `doc` accounted
as indirect input. Now function accountingGetCurrentAmplification cannot calculate
the current amplification ratio as "(direct + indirect) / direct", and it did refuse
to divide by 0 as one would expect, but it returned 1.0 for this case to indicate
no amplification over direct input. As a result, billion laughs attacks from
DTD-only input were not detected with this isolated way of using an external parser.
The new approach is to assume direct input of length not 0 but 22 -- derived from
ghost input "<!ENTITY a SYSTEM 'b'>", the shortest possible way to include an external
DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22".
GitHub issue #839 has more details on this issue and its origin in ClusterFuzz
finding 66812.
---
From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Mon, 4 Mar 2024 23:49:06 +0100
Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with
isolated external parser
When parsing DTD content with code like ..
XML_Parser parser = XML_ParserCreate(NULL);
XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
.. there are 0 bytes accounted as direct input and all input from `doc` accounted
as indirect input. Now function accountingGetCurrentAmplification cannot calculate
the current amplification ratio as "(direct + indirect) / direct", and it did refuse
to divide by 0 as one would expect, but it returned 1.0 for this case to indicate
no amplification over direct input. As a result, billion laughs attacks from
DTD-only input were not detected with this isolated way of using an external parser.
The new approach is to assume direct input of length not 0 but 22 -- derived from
ghost input "<!ENTITY a SYSTEM 'b'>", the shortest possible way to include an external
DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22".
GitHub issue #839 has more details on this issue and its origin in ClusterFuzz
finding 66812.
---
From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Mon, 4 Mar 2024 23:49:06 +0100
Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with
isolated external parser
When parsing DTD content with code like ..
XML_Parser parser = XML_ParserCreate(NULL);
XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
.. there are 0 bytes accounted as direct input and all input from `doc` accounted
as indirect input. Now function accountingGetCurrentAmplification cannot calculate
the current amplification ratio as "(direct + indirect) / direct", and it did refuse
to divide by 0 as one would expect, but it returned 1.0 for this case to indicate
no amplification over direct input. As a result, billion laughs attacks from
DTD-only input were not detected with this isolated way of using an external parser.
The new approach is to assume direct input of length not 0 but 22 -- derived from
ghost input "<!ENTITY a SYSTEM 'b'>", the shortest possible way to include an external
DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22".
GitHub issue #839 has more details on this issue and its origin in ClusterFuzz
finding 66812.
---
From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Mon, 4 Mar 2024 23:49:06 +0100
Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with
isolated external parser
When parsing DTD content with code like ..
XML_Parser parser = XML_ParserCreate(NULL);
XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
.. there are 0 bytes accounted as direct input and all input from `doc` accounted
as indirect input. Now function accountingGetCurrentAmplification cannot calculate
the current amplification ratio as "(direct + indirect) / direct", and it did refuse
to divide by 0 as one would expect, but it returned 1.0 for this case to indicate
no amplification over direct input. As a result, billion laughs attacks from
DTD-only input were not detected with this isolated way of using an external parser.
The new approach is to assume direct input of length not 0 but 22 -- derived from
ghost input "<!ENTITY a SYSTEM 'b'>", the shortest possible way to include an external
DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22".
GitHub issue #839 has more details on this issue and its origin in ClusterFuzz
finding 66812.
---
From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Mon, 4 Mar 2024 23:49:06 +0100
Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with
isolated external parser
When parsing DTD content with code like ..
XML_Parser parser = XML_ParserCreate(NULL);
XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
.. there are 0 bytes accounted as direct input and all input from `doc` accounted
as indirect input. Now function accountingGetCurrentAmplification cannot calculate
the current amplification ratio as "(direct + indirect) / direct", and it did refuse
to divide by 0 as one would expect, but it returned 1.0 for this case to indicate
no amplification over direct input. As a result, billion laughs attacks from
DTD-only input were not detected with this isolated way of using an external parser.
The new approach is to assume direct input of length not 0 but 22 -- derived from
ghost input "<!ENTITY a SYSTEM 'b'>", the shortest possible way to include an external
DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22".
GitHub issue #839 has more details on this issue and its origin in ClusterFuzz
finding 66812.
---
From 1d50b80cf31de87750103656f6eb693746854aa8 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Mon, 4 Mar 2024 23:49:06 +0100
Subject: [PATCH 1/2] lib/xmlparse.c: Detect billion laughs attack with
isolated external parser
When parsing DTD content with code like ..
XML_Parser parser = XML_ParserCreate(NULL);
XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
enum XML_Status status = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);
.. there are 0 bytes accounted as direct input and all input from `doc` accounted
as indirect input. Now function accountingGetCurrentAmplification cannot calculate
the current amplification ratio as "(direct + indirect) / direct", and it did refuse
to divide by 0 as one would expect, but it returned 1.0 for this case to indicate
no amplification over direct input. As a result, billion laughs attacks from
DTD-only input were not detected with this isolated way of using an external parser.
The new approach is to assume direct input of length not 0 but 22 -- derived from
ghost input "<!ENTITY a SYSTEM 'b'>", the shortest possible way to include an external
DTD --, and do the usual "(direct + indirect) / direct" math with "direct := 22".
GitHub issue #839 has more details on this issue and its origin in ClusterFuzz
finding 66812.
---
expat/lib/xmlparse.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
Index: expat-2.5.0/lib/xmlparse.c
===================================================================
--- expat-2.5.0.orig/lib/xmlparse.c
+++ expat-2.5.0/lib/xmlparse.c
@@ -7655,6 +7655,8 @@ copyString(const XML_Char *s, const XML_
static float
accountingGetCurrentAmplification(XML_Parser rootParser) {
+ // 1.........1.........12 => 22
+ const size_t lenOfShortestInclude = sizeof("<!ENTITY a SYSTEM 'b'>") - 1;
const XmlBigCount countBytesOutput
= rootParser->m_accounting.countBytesDirect
+ rootParser->m_accounting.countBytesIndirect;
@@ -7662,7 +7664,9 @@ accountingGetCurrentAmplification(XML_Pa
= rootParser->m_accounting.countBytesDirect
? (countBytesOutput
/ (float)(rootParser->m_accounting.countBytesDirect))
- : 1.0f;
+ : ((lenOfShortestInclude
+ + rootParser->m_accounting.countBytesIndirect)
+ / (float)lenOfShortestInclude);
assert(! rootParser->m_parentParser);
return amplificationFactor;
}
Index: expat-2.5.0/tests/runtests.c
===================================================================
--- expat-2.5.0.orig/tests/runtests.c
+++ expat-2.5.0/tests/runtests.c
@@ -12092,6 +12092,63 @@ START_TEST(test_helper_unsigned_char_to_
fail("unsignedCharToPrintable result mistaken");
}
END_TEST
+
+START_TEST(test_amplification_isolated_external_parser) {
+ // NOTE: Length 44 is precisely twice the length of "<!ENTITY a SYSTEM 'b'>"
+ // (22) that is used in function accountingGetCurrentAmplification in
+ // xmlparse.c.
+ // 1.........1.........1.........1.........1..4 => 44
+ const char doc[] = "<!ENTITY % p1 '123456789_123456789_1234567'>";
+ const int docLen = (int)sizeof(doc) - 1;
+ const float maximumToleratedAmplification = 2.0f;
+
+ struct TestCase {
+ int offsetOfThreshold;
+ enum XML_Status expectedStatus;
+ };
+
+ struct TestCase cases[] = {
+ {-2, XML_STATUS_ERROR}, {-1, XML_STATUS_ERROR}, {0, XML_STATUS_ERROR},
+ {+1, XML_STATUS_OK}, {+2, XML_STATUS_OK},
+ };
+
+ for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
+ const int offsetOfThreshold = cases[i].offsetOfThreshold;
+ const enum XML_Status expectedStatus = cases[i].expectedStatus;
+ const unsigned long long activationThresholdBytes
+ = docLen + offsetOfThreshold;
+
+ // set_subtest("offsetOfThreshold=%d, expectedStatus=%d", offsetOfThreshold,
+ // expectedStatus);
+
+ XML_Parser parser = XML_ParserCreate(NULL);
+ assert_true(parser != NULL);
+
+ assert_true(XML_SetBillionLaughsAttackProtectionMaximumAmplification(
+ parser, maximumToleratedAmplification)
+ == XML_TRUE);
+ assert_true(XML_SetBillionLaughsAttackProtectionActivationThreshold(
+ parser, activationThresholdBytes)
+ == XML_TRUE);
+
+ XML_Parser ext_parser = XML_ExternalEntityParserCreate(parser, NULL, NULL);
+ assert_true(ext_parser != NULL);
+
+ const enum XML_Status actualStatus
+ = _XML_Parse_SINGLE_BYTES(ext_parser, doc, docLen, XML_TRUE);
+
+ assert_true(actualStatus == expectedStatus);
+ if (actualStatus != XML_STATUS_OK) {
+ assert_true(XML_GetErrorCode(ext_parser)
+ == XML_ERROR_AMPLIFICATION_LIMIT_BREACH);
+ }
+
+ XML_ParserFree(ext_parser);
+ XML_ParserFree(parser);
+ }
+}
+END_TEST
+
#endif // defined(XML_DTD)
static Suite *
@@ -12485,6 +12542,8 @@ make_suite(void) {
tcase_add_test(tc_accounting, test_accounting_precision);
tcase_add_test(tc_accounting, test_billion_laughs_attack_protection_api);
tcase_add_test(tc_accounting, test_helper_unsigned_char_to_printable);
+ tcase_add_test__ifdef_xml_dtd(tc_accounting,
+ test_amplification_isolated_external_parser);
#endif
return s;

111
expat-CVE-2024-50602.patch Normal file
View File

@ -0,0 +1,111 @@
From 51c7019069b862e88d94ed228659e70bddd5de09 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Mon, 21 Oct 2024 01:42:54 +0200
Subject: [PATCH 1/3] lib: Make XML_StopParser refuse to stop/suspend an
unstarted parser
---
expat/lib/expat.h | 4 +++-
expat/lib/xmlparse.c | 6 ++++++
2 files changed, 9 insertions(+), 1 deletion(-)
Index: expat-2.5.0/lib/expat.h
===================================================================
--- expat-2.5.0.orig/lib/expat.h
+++ expat-2.5.0/lib/expat.h
@@ -127,7 +127,9 @@ enum XML_Error {
/* Added in 2.3.0. */
XML_ERROR_NO_BUFFER,
/* Added in 2.4.0. */
- XML_ERROR_AMPLIFICATION_LIMIT_BREACH
+ XML_ERROR_AMPLIFICATION_LIMIT_BREACH,
+ /* Added in 2.6.4. */
+ XML_ERROR_NOT_STARTED,
};
enum XML_Content_Type {
Index: expat-2.5.0/lib/xmlparse.c
===================================================================
--- expat-2.5.0.orig/lib/xmlparse.c
+++ expat-2.5.0/lib/xmlparse.c
@@ -2171,6 +2171,9 @@ XML_StopParser(XML_Parser parser, XML_Bo
if (parser == NULL)
return XML_STATUS_ERROR;
switch (parser->m_parsingStatus.parsing) {
+ case XML_INITIALIZED:
+ parser->m_errorCode = XML_ERROR_NOT_STARTED;
+ return XML_STATUS_ERROR;
case XML_SUSPENDED:
if (resumable) {
parser->m_errorCode = XML_ERROR_SUSPENDED;
@@ -2181,7 +2184,7 @@ XML_StopParser(XML_Parser parser, XML_Bo
case XML_FINISHED:
parser->m_errorCode = XML_ERROR_FINISHED;
return XML_STATUS_ERROR;
- default:
+ case XML_PARSING:
if (resumable) {
#ifdef XML_DTD
if (parser->m_isParamEntity) {
@@ -2192,6 +2195,9 @@ XML_StopParser(XML_Parser parser, XML_Bo
parser->m_parsingStatus.parsing = XML_SUSPENDED;
} else
parser->m_parsingStatus.parsing = XML_FINISHED;
+ break;
+ default:
+ assert(0);
}
return XML_STATUS_OK;
}
@@ -2456,6 +2462,9 @@ XML_ErrorString(enum XML_Error code) {
case XML_ERROR_AMPLIFICATION_LIMIT_BREACH:
return XML_L(
"limit on input amplification factor (from DTD and entities) breached");
+ /* Added in 2.6.4. */
+ case XML_ERROR_NOT_STARTED:
+ return XML_L("parser not started");
}
return NULL;
}
Index: expat-2.5.0/tests/runtests.c
===================================================================
--- expat-2.5.0.orig/tests/runtests.c
+++ expat-2.5.0/tests/runtests.c
@@ -7991,6 +7991,28 @@ START_TEST(test_misc_tag_mismatch_reset_
}
END_TEST
+START_TEST(test_misc_resumeparser_not_crashing) {
+ XML_Parser parser = XML_ParserCreate(NULL);
+ XML_GetBuffer(parser, 1);
+ XML_StopParser(parser, /*resumable=*/XML_TRUE);
+ XML_ResumeParser(parser); // could crash here, previously
+ XML_ParserFree(parser);
+}
+END_TEST
+
+START_TEST(test_misc_stopparser_rejects_unstarted_parser) {
+ const XML_Bool cases[] = {XML_TRUE, XML_FALSE};
+ for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
+ const XML_Bool resumable = cases[i];
+ XML_Parser parser = XML_ParserCreate(NULL);
+ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NONE);
+ assert_true(XML_StopParser(parser, resumable) == XML_STATUS_ERROR);
+ assert_true(XML_GetErrorCode(parser) == XML_ERROR_NOT_STARTED);
+ XML_ParserFree(parser);
+ }
+}
+END_TEST
+
static void
alloc_setup(void) {
XML_Memory_Handling_Suite memsuite = {duff_allocator, duff_reallocator, free};
@@ -12447,6 +12469,8 @@ make_suite(void) {
tcase_add_test__ifdef_xml_dtd(
tc_misc, test_misc_deny_internal_entity_closing_doctype_issue_317);
tcase_add_test(tc_misc, test_misc_tag_mismatch_reset_leak);
+ tcase_add_test(tc_misc, test_misc_resumeparser_not_crashing);
+ tcase_add_test(tc_misc, test_misc_stopparser_rejects_unstarted_parser);
suite_add_tcase(s, tc_alloc);
tcase_add_checked_fixture(tc_alloc, alloc_setup, alloc_teardown);

57
expat-fix-minicheck.patch Normal file
View File

@ -0,0 +1,57 @@
Index: expat-2.5.0/tests/minicheck.h
===================================================================
--- expat-2.5.0.orig/tests/minicheck.h
+++ expat-2.5.0/tests/minicheck.h
@@ -64,7 +64,13 @@ extern "C" {
} \
}
-#define fail(msg) _fail_unless(0, __FILE__, __LINE__, msg)
+#define fail(msg) _fail(__FILE__, __LINE__, msg)
+#define assert_true(cond) \
+ do { \
+ if (! (cond)) { \
+ _fail(__FILE__, __LINE__, "check failed: " #cond); \
+ } \
+ } while (0)
typedef void (*tcase_setup_function)(void);
typedef void (*tcase_teardown_function)(void);
@@ -104,6 +110,10 @@ void _check_set_test_info(char const *fu
*/
void _fail_unless(int condition, const char *file, int line, const char *msg);
+# if defined(__GNUC__)
+__attribute__((noreturn))
+# endif
+void _fail(const char *file, int line, const char *msg);
Suite *suite_create(const char *name);
TCase *tcase_create(const char *name);
void suite_add_tcase(Suite *suite, TCase *tc);
Index: expat-2.5.0/tests/minicheck.c
===================================================================
--- expat-2.5.0.orig/tests/minicheck.c
+++ expat-2.5.0/tests/minicheck.c
@@ -224,6 +224,22 @@ _fail_unless(int condition, const char *
longjmp(env, 1);
}
+void
+_fail(const char *file, int line, const char *msg) {
+ /* Always print the error message so it isn't lost. In this case,
+ we have a failure, so there's no reason to be quiet about what
+ it is.
+ */
+ _check_current_filename = file;
+ _check_current_lineno = line;
+ if (msg != NULL) {
+ const int has_newline = (msg[strlen(msg) - 1] == '\n');
+ fprintf(stderr, "ERROR: %s%s", msg, has_newline ? "" : "\n");
+ }
+ longjmp(env, 1);
+}
+
+
int
srunner_ntests_failed(SRunner *runner) {
assert(runner != NULL);

178
expat.changes
View File

@ -1,176 +1,18 @@
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Nov 7 11:39:56 UTC 2024 - pgajdos@suse.com Fri Nov 8 12:03:02 UTC 2024 - pgajdos@suse.com
- version update to 2.6.4 - security update
* Security fixes: [bsc#1232601] - added patches
#915 CVE-2024-50602 -- Fix crash within function XML_ResumeParser fix CVE-2024-50602 [bsc#1232579], DoS via XML_ResumeParser
from a NULL pointer dereference by disallowing function + expat-CVE-2024-50602.patch
XML_StopParser to (stop or) suspend an unstarted parser.
A new error code XML_ERROR_NOT_STARTED was introduced to
properly communicate this situation. // CWE-476 CWE-754
* Other changes:
#903 CMake: Add alias target "expat::expat"
#905 docs: Document use via CMake >=3.18 with FetchContent
and SOURCE_SUBDIR and its consequences
#902 tests: Reduce use of global parser instance
#904 tests: Resolve duplicate handler
#317 #918 tests: Improve tests on doctype closing (ex CVE-2019-15903)
#914 Fix signedness of format strings
#919 #920 Version info bumped from 10:3:9 (libexpat*.so.1.9.3)
to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/
for what these numbers do
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Sep 26 08:29:45 UTC 2024 - pgajdos@suse.com Mon Mar 18 06:39:02 UTC 2024 - David Anes <david.anes@suse.com>
- updated keyring [https://build.suse.de/request/show/345282] - Security fix (boo#1221289, CVE-2024-28757): XML Entity Expansion
- modified sources attack when there is isolated use of external parsers.
% expat.keyring * Added expat-CVE-2024-28757.patch
* Added expat-fix-minicheck.patch
-------------------------------------------------------------------
Thu Sep 5 09:21:17 UTC 2024 - David Anes <david.anes@suse.com>
- Update to 2.6.3:
* Security fixes:
- CVE-2024-45490, bsc#1229930 -- Calling function XML_ParseBuffer with
len < 0 without noticing and then calling XML_GetBuffer
will have XML_ParseBuffer fail to recognize the problem
and XML_GetBuffer corrupt memory.
With the fix, XML_ParseBuffer now complains with error
XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse
has been doing since Expat 2.2.1, and now documented.
Impact is denial of service to potentially artitrary code
execution.
- CVE-2024-45491, bsc#1229931 -- Internal function dtdCopy can have an
integer overflow for nDefaultAtts on 32-bit platforms
(where UINT_MAX equals SIZE_MAX).
Impact is denial of service to potentially artitrary code
execution.
- CVE-2024-45492, bsc#1229932 -- Internal function nextScaffoldPart can
have an integer overflow for m_groupSize on 32-bit
platforms (where UINT_MAX equals SIZE_MAX).
Impact is denial of service to potentially artitrary code
execution.
* Other changes:
- Autotools: Sync CMake templates with CMake 3.28
- Autotools: Always provide path to find(1) for portability
- Autotools: Ensure that the m4 directory always exists.
- Autotools: Simplify handling of SIZEOF_VOID_P
- Autotools: Support non-GNU sed
- Autotools|CMake: Fix main() to main(void)
- Autotools|CMake: Fix compile tests for HAVE_SYSCALL_GETRANDOM
- Autotools|CMake: Stop requiring dos2unix
- CMake: Fix check for symbols size_t and off_t
- docs|tests: Convert README to Markdown and update
- Windows: Drop support for Visual Studio <=15.0/2017
- Drop needless XML_DTD guards around is_param access
- Fix typo in a code comment
- Version info bumped from 10:2:9 (libexpat*.so.1.9.2)
to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/
for what these numbers do
-------------------------------------------------------------------
Wed Mar 13 22:23:20 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>
- update to 2.6.2:
* CVE-2024-28757 -- Prevent billion laughs attacks with isolated
use of external parsers (boo#1221289)
* Reject direct parameter entity recursion and avoid the related
undefined behavior
-------------------------------------------------------------------
Fri Mar 1 16:45:35 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>
- update to 2.6.1:
* Expose billion laughs API with XML_DTD defined and XML_GE
undefined, regression from 2.6.0
* Make tests independent of CPU speed, and thus more robust
- drop libxml2-fix-xmlwf.1-handling.patch, upstream
-------------------------------------------------------------------
Tue Feb 20 12:21:17 UTC 2024 - David Anes <david.anes@suse.com>
- Fix handling of xmlwf.1 to avoid workarounds in specfile:
* Added libxml2-fix-xmlwf.1-handling.patch
- Call buildconf.sh to avoid (future) issues with expat_config.h.in
-------------------------------------------------------------------
Mon Feb 12 20:44:14 UTC 2024 - David Anes <david.anes@suse.com>
- Update keyring automatically from keyserver during OBS service run.
- Explicitly use --without-docbook (before it was implicit).
- Include missing files for documentation and examples.
- Add manpage for xmlwf, which is now available in the released tarball.
- Clean the spec file a bit.
- Update to 2.6.0:
* Security fixes:
- CVE-2023-52425 (boo#1219559)
-- Fix quadratic runtime issues with big tokens
that can cause denial of service, in partial where
dealing with compressed XML input. Applications
that parsed a document in one go -- a single call to
functions XML_Parse or XML_ParseBuffer -- were not affected.
The smaller the chunks/buffers you use for parsing
previously, the bigger the problem prior to the fix.
Backporters should be careful to no omit parts of
pull request #789 and to include earlier pull request #771,
in order to not break the fix.
- CVE-2023-52426 (boo#1219561)
-- Fix billion laughs attacks for users
compiling *without* XML_DTD defined (which is not common).
Users with XML_DTD defined have been protected since
Expat >=2.4.0 (and that was CVE-2013-0340 back then).
* Bug fixes:
- Fix parse-size-dependent "invalid token" error for
external entities that start with a byte order mark
- Fix NULL pointer dereference in setContext via
XML_ExternalEntityParserCreate for compilation with
XML_DTD undefined
- Protect against closing entities out of order
* Other changes:
- Improve support for arc4random/arc4random_buf
- Improve buffer growth in XML_GetBuffer and XML_Parse
- xmlwf: Support --help and --version
- xmlwf: Support custom buffer size for XML_GetBuffer and read
- xmlwf: Improve language and URL clickability in help output
- examples: Add new example "element_declarations.c"
- Be stricter about macro XML_CONTEXT_BYTES at build time
- Make inclusion to expat_config.h consistent
- Autotools: configure.ac: Support --disable-maintainer-mode
- Autotools: Sync CMake templates with CMake 3.26
- Autotools: Make installation of shipped man page doc/xmlwf.1
independent of docbook2man availability
- Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
section "Cflags.private" in order to fix compilation
against static libexpat using pkg-config on Windows
- Autotools|CMake: Require a C99 compiler
(a de-facto requirement already since Expat 2.2.2 of 2017)
- Autotools|CMake: Fix PACKAGE_BUGREPORT variable
- Autotools|CMake: Make test suite require a C++11 compiler
- CMake: Require CMake >=3.5.0
- CMake: Lowercase off_t and size_t to help a bug in Meson
- CMake: Sort xmlwf sources alphabetically
- CMake|Windows: Fix generation of DLL file version info
- CMake: Build tests/benchmark/benchmark.c as well for
a build with -DEXPAT_BUILD_TESTS=ON
- docs: Document the importance of isFinal + adjust tests
accordingly
- docs: Improve use of "NULL" and "null"
- docs: Be specific about version of XML (XML 1.0r4)
and version of C (C99); (XML 1.0r5 will need a sponsor.)
- docs: reference.html: Promote function XML_ParseBuffer more
- docs: reference.html: Add HTML anchors to XML_* macros
- docs: reference.html: Upgrade to OK.css 1.2.0
- docs: Fix typos
- docs|CI: Use HTTPS URLs instead of HTTP at various places
- Address compiler warnings
- Address clang-tidy warnings
- Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
for what these numbers do
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Dec 11 20:35:38 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> Sun Dec 11 20:35:38 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

474
expat.keyring
View File

@ -1,235 +1,245 @@
-----BEGIN PGP PUBLIC KEY BLOCK----- -----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: Hostname:
Version: Hockeypuck 2.2
xsFNBFzUcE0BEACzkr4qR9zoM63YCJU/oQTJEtt7SR9Hcvntk351O5QQbNJS55Za mQINBFzUcE0BEACzkr4qR9zoM63YCJU/oQTJEtt7SR9Hcvntk351O5QQbNJS55Zah+XfiAl1
h+XfiAl1j45yrxP+ve3xU64Cl/GctZMLgkx8Qd3JECZCUkm72cvlBF1bJ0hkvcJR j45yrxP+ve3xU64Cl/GctZMLgkx8Qd3JECZCUkm72cvlBF1bJ0hkvcJRtTyuc9XXBBQBNoRS
tTyuc9XXBBQBNoRS1Tn4Gc/QE8L7669mS0FPPKpy4m7yY9SLtkauUTVkeKVz65Wo 1Tn4Gc/QE8L7669mS0FPPKpy4m7yY9SLtkauUTVkeKVz65Wo9jEB4cc4hJGzqeBndSmPbznO
9jEB4cc4hJGzqeBndSmPbznOPkATSadeLX7xNFG4nM20wCGZ1+UmY4j1NTBJnbxt PkATSadeLX7xNFG4nM20wCGZ1+UmY4j1NTBJnbxtxcPQ4/OiAKvAsfAzvZrlAMhJtFAfnooP
xcPQ4/OiAKvAsfAzvZrlAMhJtFAfnooP7VkIsbZyQqPeUznhGOK1nVpjl7DZ5c4g 7VkIsbZyQqPeUznhGOK1nVpjl7DZ5c4geJa3OLfeDM5c1mSx3VsU8SkKbBqNeog5dV9yHAKF
eJa3OLfeDM5c1mSx3VsU8SkKbBqNeog5dV9yHAKFBa10M+VAylwlRg5i6TE/5JP4 Ba10M+VAylwlRg5i6TE/5JP4LneWoh/dZP6216MMelDcZeXn6JCgLWmjbCmuwDgA5S7y2cew
LneWoh/dZP6216MMelDcZeXn6JCgLWmjbCmuwDgA5S7y2cewRU3hopGvCpTkgEg8 RU3hopGvCpTkgEg8XuXZgP8O1ZAOOqBWOt/mk71Bm6LdIe501f60aVcnODJDSb6tDwYTxkn5
XuXZgP8O1ZAOOqBWOt/mk71Bm6LdIe501f60aVcnODJDSb6tDwYTxkn5vGPvu8bi vGPvu8biu2K+zdFqZskPTZo44qZDjLd7HpN5SigFMCCSk9LTWcwpa4eSFcezmfku+dB5T79Y
u2K+zdFqZskPTZo44qZDjLd7HpN5SigFMCCSk9LTWcwpa4eSFcezmfku+dB5T79Y 0W0qCKJKBtNLOj5atVk9j+BA0BNTmE8e95bTdPW3UbmXPhQQt8J+6UXsUC0brn3/9pXTXHvP
0W0qCKJKBtNLOj5atVk9j+BA0BNTmE8e95bTdPW3UbmXPhQQt8J+6UXsUC0brn3/ iQsYMKcMzOnbdXKvlMxF+dN3BT+uhEF5tyYgqSDaF07EnIJzdwARAQABtCRTZWJhc3RpYW4g
9pXTXHvPiQsYMKcMzOnbdXKvlMxF+dN3BT+uhEF5tyYgqSDaF07EnIJzdwARAQAB UGlwcGluZyA8c3BpbmdAZ2VudG9vLm9yZz6IXQQTEQIAHRYhBD1+lZ2J+s/uODcZIbALxmpA
zSRTZWJhc3RpYW4gUGlwcGluZyA8c3BpbmdAZ2VudG9vLm9yZz7CwZQEEwEIAD4C GhYABQJc1HOXAAoJELALxmpAGhYAwxYAniPJOey52Zkpy2ULNZXpLnMfU4ccAKCRtqJckPvS
GwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQQxdu99sjZ/H8pPMGsfmw6QmvNy BE69v8XIF9imvxX09YkBZQQQAQoATxYhBCwTgjuCNzEPohMDSTDRMv8P9Q7rBQJc1cMyBYMB
hQUCZZgh3wUJDIYYkgAKCRAfmw6QmvNyhfRcEACU3hFFTVRyZTB+/Phui6bFhhbH 4TOAKxpodHRwczovL3d3dy5nZW50b28ub3JnL2dsZXAvZ2xlcC0wMDc5Lmh0bWwACgkQMNEy
oRVMZl7llwGdtmUR76moGAnOilKK3UG4Xn+yHk0Au0kMDciDzET1KL5pTk3FYaX5 /w/1DusYEQf/YoER3M3OLkUT7DgWiZBakNs3ifv63fvBDVhwZcerobSxlqjFFQK6CC+vFumk
SdhMK5P3CQIRvGVQGEyzm2riGMGBQwbMTN1cWSrW39lORPDanDKIzzu0mvAe9Ufs xV0hFIvS9yfCTLNYMcLa8C9TuWJSqOtTXLGoYDbD6tEOQbMnKJ+W/vypbf1VqVHlptwkPpNd
M5Ecrz6xTIxMcMfBEaYH0snwMGFLowcDETk8DIM8qn6oOrH86S2+HP3LKeCM1DOI 5R6acsEv4rNK1bbzDVWzrCvLBRsHHiyr8MFHVjJjPZFqQfc56K2CHNv7Yhk6h3DG/0LQl2Lb
uAILj438lTgaHKfOmtAMxqwXzVtknQN5upIBvfDtYXeLH/zSztt3XIcDYrBVCFd+ pxxcYKkF+gw5AwJazBf/DwpomwyrMRRmiqcgJ0kDyDO9ktMd+7z81t12G6tiEFVoiyPCmYkU
7wxvelu0C6e1yG3vQ6eQt4OAeSNBOXUAcIWsCti9uGL2//pE9gQs4s1ijJYFQuuE 0CjpArg0nMBWMzocrr3i7RNO5675VwefF5+i/hBykyaGiunmpJ5G16JaPAvs1eLOiYkBZQQQ
er3sTTqg4JU5y9NkDo6p9roZt+uDFSyj3wgOinfxMipNLniJpjrvV+tmqGhYZY0R AQoATxYhBCwTgjuCNzEPohMDSTDRMv8P9Q7rBQJetvbPBYMB4TOAKxpodHRwczovL3d3dy5n
WEP757A1M/xVaf89d9rp5pJ9QawNUIDfM8gH+m0FuX5YKlSvFak+uB9/Oeu+BKy+ ZW50b28ub3JnL2dsZXAvZ2xlcC0wMDc5Lmh0bWwACgkQMNEy/w/1DuvGIAf/ZFdVDmJBa77p
wWyBiEM3fOjnFBpAGz1nKGQFYvUuRtqFAmlLUhN3EA2ixL6tMvlkWmHS0o0o+YGX Dgws9TDAg373Q4t4t26Dimp/GAejP9L85HRGE3cBwpp0U5N2uoEyBQmrQnoe+ggaEOcQXbv6
tANGcsS3KwWILlRarfhkHuc0s+gFiTKvfS/pTbiy6XbtYTtQ0n1HkLz32zwdnFig q2GIeA4LRpM7Yw/Umfbcd7KQhRstZiJXb2ectkSliDveAnrSfS4yB6pjnM64XTCZaKMCXOp1
/do+xYVyb9w1IZSc3HZAA2h8NlW2crMbzHr4FlSF5p/Zk5gVdfnhuKqWsE/nKAjg 4oiR6e8sL+p4QI9y8JFRvzMtgQCbmFW5JpSeOhLdnbjb6yqWZ8zQEx3lL/TdOzk9z4UsL2pi
/GwACVGzFbZiD2CqsMLBlAQTAQgAPgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIX dytcUMezYH3IzqJR+xTMMt3ELQWUtEIlagy4GvXkKMTOK3tqtd3nPKCBfALYEfhuuoHokTLk
gBYhBDF2732yNn8fyk8wax+bDpCa83KFBQJjxyuuBQkI0+7hAAoJEB+bDpCa83KF obvAMXtiNJgWUCbeJPaW+bMZO3T07bVCYqwq7B3KZIkBZQQQAQoATxYhBCwTgjuCNzEPohMD
cesQAK0yPR7YSvy+uumbMJ02Be/7bu60yUk5O8nngpmebzQLEDAOyp1/HTcNk8VO STDRMv8P9Q7rBQJgmXuwBYMB4TOAKxpodHRwczovL3d3dy5nZW50b28ub3JnL2dsZXAvZ2xl
zyKsQfWOsCvupAvPpdlaTfXanJQa0kOBjos1B/hoc4lQg3UwpSxUbmAml8MZfWgs cC0wMDc5Lmh0bWwACgkQMNEy/w/1Duvq9ggAwdatYPY0gb4LaDqUT8fSa9AOCWEqBb+XF3Di
QOexENXh3kGQBHTQS7fObCx8P96BLgOvCzq/wo7dUf4cugfg0RQSVI6yQNUIesRq GVaLsSAsMHM71MSdkxvXXVb5QVwnFPTRGC30LXs7HzEqzBqIi3Qvp53g4X/BcNYrHPMCvNhD
NSDHTRAKy6hWieW3itZRs/DCD9e/aesDAIGaFlxOWb5wl0mHHbYw2IhgK/RbSY7K tKn9t27uncO+zcxlY90x6x58liyxQjS2SbolzwRYRthisNzxA45EgJcU2R3l1rgjcwt/X/W3
kt24SPEom7rc7dD/ToG2qNv/5uUujSQdjQu0WE+5JVVOaYsKWkWTcdKVURhhRJQt FuBt37YkEFFgK5Oj3RiH2PjNs2d2f1vft//1Cxig3/sLNIhvj/xVfyeHlAnor+Z/Q+vwxcXC
FmBA+CQyC/gUmrPvjfWFk9LpbFi/5cFWaqWQpMjz0pQPyKcLRNNotYMaPWpxqIpt dnOR0tS4DCbP49dD2XNNdCpJuu1NswasS86cjjhruchg+22wwQFFiWLvsiXjfXD9qdMY6bCN
0sBtVBZSVHv1emyMkYccxgP49lfHpzWIdILZwKJyJ6PPtojV3lrcXc53ILsOTGi7 DyQF2dMheNU4IYQ5sYkBZQQQAQoATxYhBCwTgjuCNzEPohMDSTDRMv8P9Q7rBQJieq8xBYMB
iSSQDEmxwJ6hT0lzrJ0bGnTidO4pN6VqtpQUt3HsODtivodxfkGskuSMkPVunZLG 4TOAKxpodHRwczovL3d3dy5nZW50b28ub3JnL2dsZXAvZ2xlcC0wMDc5Lmh0bWwACgkQMNEy
4OIsdco/mdKpEEc6g2+dQnYl2tYFZ8w/l0gEakLbkFVIvsYdzCJpR39OJgRWE+YD /w/1DutE+QgA5iKPPK5OHxyMFVBGl2EFd9HpWbEY7QS0rSWYu79z8uB4p6pFkN3BosUIEuEQ
aWWitak50L30tu5gXcIMw4+79s0gqUBBxYRo79bx31uV1fPcj+ajovLQD9o5lwfY W7NYLI5pwnRX07eqIvtGCeE22JeGCLH0AI5eyiJcXA6OrJRuLtLt/GM3Ob0lL8Zl1zVbXXv3
TdPIaNPmQh6oyz9CVzTovUgsHP8Ji0Yepma09p89Ov1NFPlawsGUBBMBCAA+AhsD 3d6kUVCiPctmYB1SnsJAHXHlhWq4PEr8WLsfG3jocvIwJeTF89Ft6evb6gyZSl0+wibWJYzD
BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEEMXbvfbI2fx/KTzBrH5sOkJrzcoUF L0hrTyBlcNBxjTh64CbJ4TgoXgoSjqjGinl9ac2Hipj721Wlxnzye2t3VsMwiQEw0H01W9Zy
AmHSMvMFCQb/66YACgkQH5sOkJrzcoVQXQ//bVDypVzLbR1pbJKy0ZrxxHzJQVBI Ma4fVzX5daFeX5olg9GJihniX9zayXxo7wGV3rcg3qZgIEFsbkIrNSew6CZkr0cZrYkCMwQT
6Ji2f4NsByIGV75Eci+cFyaR3JGZE021CHCDpzfBevxffz+Oyikftzb2/2Qq8GgF AQgAHRYhBGPrBPqjDHbilS5u1lZZU7lTcnVsBQJeLf7nAAoJEFZZU7lTcnVsdKQQAJFajikh
MTj3lLzkgq5py7H/498vyK1JmwXroQ8RX0X3iwAZncT5U5QI+GYZA9SkJe3ETFIn 3xSQ/n4/LRz2eAEiI4TePxmkDKxml1MpZpkxI1SryF0Dd67wPxiZ45z0YZ2GO/FcP2BVei5A
fkqZUdYXR0ZH3kt5ci+PxnwmD+HXAJUx/MWAX74Hi2/i+fkirpQ2tE0Kbo484Biy 8etgQ0/aFt1WZ565ZgjtZf+entraAqU7EEy6MhNV53/uRBtFGfDHSmGrP/2HtPJzcvqmnPVt
WTtfebajNLv97Sw/8TpGKgcLJKgBL0aY5QQoJ8dE8YQn8LNRDFk79YyZRHrXGpOs yUBMKGDBOxCNB3ivPcDsu80f+Xd+junrwEi1p7pxlmCP0ZmJFj0U5Bf2QRkfVfXvL6QqEAOB
TpzEsQZD2ZS8YC3LmyWKhm/1lzYbKs1mlVbkodU6kkaJn8p19s5bI79gajjnoMm3 TUqCXTfmTmZ1TpenB8muWDgqok/3Qme8Y+0oTe3O+t+0IRxi2V1lDkB1Dd1QOfEXp3WV4Le1
Yh7q/Fp3nC2HpIpxWKnKqMdok/u+McivV7ue4VfRrKV7mXJ/0XUtcc8KYehDlDpn b6O/rOgT5fW0XUEQJ9CN58zVEqPTw6aPW/qLA65UfbkiO/H54BnOeHSlFU9YPrEcCf2qooTH
nbqETUkQPU/DGpUIxB3BR3ihEZJ6EpIkysXfgfpBPNvPpjnaV7+uPFgAzlst44FL qZyUEgEdB5A61NhravO78/uwgaHGiIKzopjLr8D5Le9YTD54DAlbP6X+0Jb93buVcvm2rm9c
RqQH0gI7IsBLABrgX+yioF1zQzOkp8iI8PJkuBmxeA1Q/M68VIIF4Wma3ej677M2 KIbN6mwbH5gri7USDI0UAUySVYebB1UdFmOOYLovzDN7Us/sWJYksmWXpw70IZLmSVxEWR+I
ATdwX5cFqgrhvbwiBSst67YJjbyehwnl/tRAexV6/lIk4NnTKHPE2domgeAR+uLk urbzPgl+twksZv5EPOPhVa3plyRY+ARakisVmtdRWzBNwbd6RMG1urRiWXyD60r5XbiXN3sP
mMO/o/G5Gk1cYbRXG38RM3vDqAAFEznec1pLla9UV6LrugJCHErnxI9Pm9h0njwG vTdvYkgFKWDQ8WS/+AyewznnU4ZU2eLFYRZi4TWugzaZVyAv7CRJi1UMOXSafqW/MlcWlM2G
NJWpgz1NDMLlyvLCwZQEEwEIAD4WIQQxdu99sjZ/H8pPMGsfmw6QmvNyhQUCXNRw qw4WhEHX70YKQRJwC2yGWF2P0T3fiQJUBBMBCAA+AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4B
TQIbAwUJAeEzgAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAfmw6QmvNyhVgV AheAFiEEMXbvfbI2fx/KTzBrH5sOkJrzcoUFAl6yxZwFCQO/iM8ACgkQH5sOkJrzcoU6ag//
EACqcR2lm9HDyjUy+ChqGicRBDQqg0rZDohBPWICUWDjeGx/ZDouPU3yBoKWu3Lk TGp12gxPSfLEf+J4W5YlcFggkDhYBXdXzlgzgBOOz7LEZIFOJqWBXjlem/5tWhfHLPRv19Ve
0ouIPF0VshDOfab8H4UlV+06WcIEsYhV7zrUUPszCDrVsZt+2XSKsSBpdPaoBIVr cGfXQyaRm4tfu61DINECdaZBzHcFaAqdiV7pF+TtuDtZkYlkY4mLpo6H+dcHiQggJMB5bBGi
0UxbN8ls/sS6TBNaN/1wdmTOqUXr62lwoF/cu+K4BzaRT5yaKs0SYb0mcqg4MSmt i+3b5feV4ioD8kPvSLIH4JbCfu9/PsW0MF3xV8dUhiqZoVj/qqEPi/ZvDtLSZKs5egEX3VBQ
RPAWjlwZBvHwFZYyhaQap060uV5OGizfwZ3QLFldMtsSM5juQAok4Wod1OCOHYY+ CkrmUKOVO0i3ch+1pPr4hz0jEl6HfRZdCpvELGHDQtAP/9ckR/SvPUvQrXfra6bKLkGOWbBk
RahRaj/Z5bPgYE3ycM84G2j9N7nJu6MJLyyt2mOW49jjkgeKJ7aPledvuuyt3EJ0 NIMmWSpzwfX7exl/mh8FASUyhJUM/S+9aBq+hSLBt+P6+WO4j1oR9pJITkr3X5g6ZEx7Zv/X
GQiJSQgjLXG/6wjmN+XmBJkcydalpMRxk/Yt6N7VHfet46vP8mC/jNbtUb5wFSGr xkKQJcgII9T8OpLsICS8WTB6IkEb4/R2AzNOClEpys5fQYhCZFUhjDjMGXDOibEG9pnh9LoZ
RJcyZP0elzvO6VhSh1mlRoqEUHKkb1CFVCYGorfGdUuiRhTXKwPcjIqe1ZJQaIKy KCRfezRb/B1zu39XD06Qpk9ysizXzjlEf92y7N1ppVbDUEqzWeoBXwyhF8nZgskqSPGgGOhL
KOcy2CoItLNkcCNHtTloN5378Y6hO+IP3BIyRtlBcD3v9RIYsQj2Tu9Vnluk/Awb eilDBNWPXZuFS4GJ4xf5KaoTXztvOZGamsNwfwTyZC/xJOKH7emPEP1Dw1W6kCMHfOUITJN4
wLkmOnC6wAsDmmmhK6y0AVn3FpAZ7m17DpFiIlNpumNkjaULfEKFL2PPHB8VbYi1 okhZi//aLFgvvPUJs35gB1FQQDRgK6lHhHu18V4den5u/2/5qT4c2SIaUX1TvZZzer7Luts4
V1IAG69X+91JKxzTU83s+B2Rz8hei2jNbtYbj/E/VsiatOucOf9Yj8g0tnS4Xfjh Op8T72liyB5zWZt0NUZ5p7OzVV+iw6kKIjiJAlQEEwEIAD4CGwMFCwkIBwIGFQoJCAsCBBYC
a2VPXQQShBT2uhm+hF6esBappDgjoh9/AGEKD4Jhx47vLsJdBBMRAgAdFiEEPX6V AwECHgECF4AWIQQxdu99sjZ/H8pPMGsfmw6QmvNyhQUCYIszpgUJBZf22QAKCRAfmw6QmvNy
nYn6z+44NxkhsAvGakAaFgAFAlzUc5cACgkQsAvGakAaFgDDFgCeI8k57LnZmSnL hTjFD/0XjMa2vEePxvJG5upokP5yzVQoMqAi1nryvXTiC8yzJWXD8/E9C+/K9AnHv1cvp3ko
ZQs1lekucx9ThxwAoJG2olyQ+9IETr2/xcgX2Ka/FfT1zsFNBFzUck0BEADgwnBJ jQmbqnP/1B2o/IYzJVJdLZR9F7yVmB2H6Z/C13X27u811DuEWEt4KYQSdNuTO9qZdtL2xS3W
BHWBnKwHhEJLYei4PMImRJSjoiYZi1EmiCT3u9+qEW/IOy+VJPyf2OyLM9RoLzMr TNiCx3Tu9N2sE5jXR+6JKZvU1+gCyM+GqWhFWIRphVUngoeTFcy1/2C9C5d7fg3IzcQ9Vxdi
CRmYi41eFZryWsenpzHQVP28KbMHP+mdJOTyvX9Lt8Ohxa/m+ZG0vjhXLDBsRFmh nheYMLcPg4mumjMRMV7MqRZUCzPYkXulm5YBYDVATHfRWBmR+MP+0jrciVDkEYONKzeVRv9Q
EFDV14As8NcI1GivnpyNxTFDDWbmxDMw7zTSkjH8dqeB/Z/HTXWu0pdOrhXb85iZ VCoppJ5D26t/Cw6COJJAKDfsUngkWFOIIz7rvSdxe2KcVxWQU7COB2Pf7oeV1Yay7onSrYbl
MsOZDUzmbKwBQTAOX7zPtmi4zheP49VXHGn3fNgvUb6QuzSQNtAKS7C2qPlIMug/ 6dTvQyBXBmCD77w1jl8DyrgwLJIwm7Hx7/T5StSO0W2B+rpZDpceNou7TUDok3ZagIbKhsiO
vYyXRNM4dnC9aGYdjwXuEyNYLN131lqG6q98xxPRsbdnzDqTgPCZqk2dZq033Ad2 uLEofkV+Mg4KIBdvnn/QOqAeeu7OWIyyXUFWbTHYqDzucPoy98zUP+J73mm90B6/q9HFl7d2
zhNbhynycxXDpxQsRn4PQfKBgpr+IdNEP4UevaOueaVLSwtvcvXcqMYtrzSYIcNu eCOXucvyUUrw1Qh7K562Ye1v0q9dEyaDecM/4zeioTShzMfqtPUXtS+inUiEjis8YtnwTmIW
0tnbDDZRxhgKM+3TkpZc107qowq6+SSPzWbg6hUY7vxKzDAgvYhn5Oin59sARfo0 KZaDK4eGnO9IndXbkeox19z86tPepu/JvnAUXIhgzct4IIHGKo1RG55HIAIpMrRaNMG6JScW
KkSAM1H8/ozYxdNGySqIQFewcjjLDpQnI2x/ZAU8nk0hltEzj+KmkJdJJI3becen OkzDU9slgOZFSbnTsSTHzrJlkxn6kagdTC2rvXKrI4kCVAQTAQgAPgIbAwULCQgHAgYVCgkI
tmrdODySLO0fidrCmzhiuk8HLodDQ9apY+54fWwDDUws33yE4DtX5Y2/1nUvwDNp CwIEFgIDAQIeAQIXgBYhBDF2732yNn8fyk8wax+bDpCa83KFBQJh0jLzBQkG/+umAAoJEB+b
il6dRknAVGdc3OvIe+WAnsGR9SMSy4HruP/Yf+OZSCFtOSloe4MtP+qdyfx0vDg/ DpCa83KFUF0P/21Q8qVcy20daWySstGa8cR8yUFQSOiYtn+DbAciBle+RHIvnBcmkdyRmRNN
mLffZxE8r+zSeB5IAp0BSbwUhdbeWGd+UpWCCwARAQABwsOyBBgBCAAmAhsCFiEE tQhwg6c3wXr8X38/jsopH7c29v9kKvBoBTE495S85IKuacux/+PfL8itSZsF66EPEV9F94sA
MXbvfbI2fx/KTzBrH5sOkJrzcoUFAmWYIgoFCQyGFr0CQMF0IAQZAQgAHRYhBMuN GZ3E+VOUCPhmGQPUpCXtxExSJ35KmVHWF0dGR95LeXIvj8Z8Jg/h1wCVMfzFgF++B4tv4vn5
5wqQz79sO/XMVpYmKs/7067GBQJc1HJNAAoJEJYmKs/7067G2s8QAIP/MH/Xzbuh Iq6UNrRNCm6OPOAYslk7X3m2ozS7/e0sP/E6RioHCySoAS9GmOUEKCfHRPGEJ/CzUQxZO/WM
z7uO+6FFNS7kk00zQImC1Y0yYyeyy2UWsSD4HUdE05CoJCMSwHXpTNzDs/aackTs mUR61xqTrE6cxLEGQ9mUvGAty5slioZv9Zc2GyrNZpVW5KHVOpJGiZ/KdfbOWyO/YGo456DJ
KivEINYPvTwbEGPMPqv9MVD78T46iwSuA+Qg32CDLAjubby8Q55DXYS/q40CZaLz t2Ie6vxad5wth6SKcVipyqjHaJP7vjHIr1e7nuFX0ayle5lyf9F1LXHPCmHoQ5Q6Z526hE1J
g7OQT8IH03ewxzrtpdLrnXnYN1ktwBFokv5ZsxB5BhEJfbEHEqdoNk2STQv5p/Ik ED1PwxqVCMQdwUd4oRGSehKSJMrF34H6QTzbz6Y52le/rjxYAM5bLeOBS0akB9ICOyLASwAa
rc5C/hefHSKXV4cJRYoPkrdnr0ZHyevB5iGuR9zMxmkLD+NyIqqVqxjWQNjLoEdY 4F/soqBdc0MzpKfIiPDyZLgZsXgNUPzOvFSCBeFpmt3o+u+zNgE3cF+XBaoK4b28IgUrLeu2
+xKnezHiIZvGb6nH55DosZY5/IHgLUJsLFcYNfLFSVdAzF0py+A5nY0PJarlZptO CY28nocJ5f7UQHsVev5SJODZ0yhzxNnaJoHgEfri5JjDv6PxuRpNXGG0Vxt/ETN7w6gABRM5
i22tSsSXX5EKWHLTZUUcs1uBrmydVFMsT3ZC+8pHxLyKGn+f+89jdUCzidQ+545O 3nNaS5WvVFei67oCQhxK58SPT5vYdJ48BjSVqYM9TQzC5cryiQJUBBMBCAA+FiEEMXbvfbI2
YnNTzxTjGytG9Y/KEVDYUWAm9OSSLJjDpt4RDVF6yte8cHJfdC9Ypazet2Z2GMtG fx/KTzBrH5sOkJrzcoUFAlzUcE0CGwMFCQHhM4AFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AA
a6g6dv7NhDF+JCEhnMraPaLHbWnABP47AJZ1cRvYfE2lyHBzfKWyWJ56BWH9Sf7p CgkQH5sOkJrzcoVYFRAAqnEdpZvRw8o1MvgoahonEQQ0KoNK2Q6IQT1iAlFg43hsf2Q6Lj1N
6DwehqIAo0erPAcnBDcbrfrHaSnFLvW9UpIGAGvBMXZqAoZNNsXqq7OMHRt9rWZX 8gaClrty5NKLiDxdFbIQzn2m/B+FJVftOlnCBLGIVe861FD7Mwg61bGbftl0irEgaXT2qASF
OGkeGAINnwlQIT3ffKMounUS9xzLM0kZdf7BS7K5+5gcjJPh1b1yvBYApioBAXbn a9FMWzfJbP7EukwTWjf9cHZkzqlF6+tpcKBf3LviuAc2kU+cmirNEmG9JnKoODEprUTwFo5c
aTmqvdwr03FLnoGi5/0671t0iUGSqbF4CRAfmw6QmvNyhZ1ND/42zg+uIvWKjbpy GQbx8BWWMoWkGqdOtLleThos38Gd0CxZXTLbEjOY7kAKJOFqHdTgjh2GPkWoUWo/2eWz4GBN
lkq7sIymXCQmfnEjKhX60UkduuCZntyx2jVCAsfIjQsID+8jDbZcKtPT2K3xqdBi 8nDPOBto/Te5ybujCS8srdpjluPY45IHiie2j5Xnb7rsrdxCdBkIiUkIIy1xv+sI5jfl5gSZ
RvP/ckdACcy2wk5kjyPqP+IhOiY1VxlkvffhjEPQ0H5oUkRmK8hr04K8VTmBAKAh HMnWpaTEcZP2Leje1R33reOrz/Jgv4zW7VG+cBUhq0SXMmT9Hpc7zulYUodZpUaKhFBypG9Q
vOKjU8/oO3Y+jMpHre//qG/SSndJWWSdYtFOQrcLBu1iE+Z+Ss30clXPLP7oltSZ hVQmBqK3xnVLokYU1ysD3IyKntWSUGiCsijnMtgqCLSzZHAjR7U5aDed+/GOoTviD9wSMkbZ
M+TbwBqeezO6Y9IDt8gx4gqamCRN4OyjM3q2VyoEPNGSzSRCUczOEaTm6kJ+BZ/t QXA97/USGLEI9k7vVZ5bpPwMG8C5JjpwusALA5ppoSustAFZ9xaQGe5tew6RYiJTabpjZI2l
qKpMX5yVVIzJOJctb7fGM34BAefiAdEHxu4ChZo9X4nm9kXzFTpUvrLd97B8BGRg C3xChS9jzxwfFW2ItVdSABuvV/vdSSsc01PN7Pgdkc/IXotozW7WG4/xP1bImrTrnDn/WI/I
uZk3LlKnfRq1oG7ks9U8/rU8xvSCySEAP+1gQLWhO4JJft5ZJgQD8YaNSQA1dtHL NLZ0uF344WtlT10EEoQU9roZvoRenrAWqaQ4I6IffwBhCg+CYceO7y65Ag0EXNRwTQEQAOhM
VYvxi4O5yQrlT0Ue6mRve1kW1+7D9mnPmt/5HOMEA+sC0IORQJAPlaDYX8p9U+tH wHA6FxDjdxLDnPYZZ/HRCB3j+Fn5s+c/qiK3J54G4yYP91871FjDeF7pDsmcQRgCz0k6GeZO
EoInW9r7bULqeDCZAqCEOIhyMxSmz2+d+LEE6FNTaGD7Chicqc46SD7RMPvMk87S zFOkpCTGg6aMPkOiBo931OqckzhlACnLSCzR5b2bILTaUGnf4t41D6+tCFK2dfJBdQ0yYfB3
BX2zf1bkH/Z90N8imuerp2Tm0ldyohVS2fGWpRqbVwwEqSCpJdDEvC8xQ6MUEfoz la8kg9a7vtnlaM9UO0Tr+o9NYOWysUAa5fxS9jSF2CzgeZ6k9Wa0bj90u8N9cfsGrMB7F6TV
FeYnBbc5UFk34ZhcWxWcO0Jwc2psQYSJAwiH6GEFutK1z4+JEJq52SJnXWW3HXWe PG4Tf7GbCvgMwaBfSQK74hXVWd0wjTW0VGIpxRfAYudJyB/2da5rOsMWh5hEe6dShwEQ1tJH
MR1XtVtsbF6m6zeZNC7FXFTUYV1LeMLDsgQYAQgAJgIbAhYhBDF2732yNn8fyk8w njuBIJI1UZSyVtFqMj8NysftD7+Vrd6N3Fp5umUzc6tViag+u6s8Q8TxCXMaSwoVtBV1HHbq
ax+bDpCa83KFBQJjxyuUBQkI0+zDAkDBdCAEGQEIAB0WIQTLjecKkM+/bDv1zFaW KiCzwd4XNwHfv/h0VrgM0SXrYVmHwUkLUNdOlAKWRZ7ExaTMx0oNaKwjr3FhV7W5utf6kQ9l
JirP+9OuxgUCXNRyTQAKCRCWJirP+9OuxtrPEACD/zB/1827oc+7jvuhRTUu5JNN MfS8gV0dJM1nZp0Zkgi/ojuIecqBQXJwTp1YQo1QmJHM0sKTu6pOOlTxizaT4Ak0etQf9SLi
M0CJgtWNMmMnsstlFrEg+B1HRNOQqCQjEsB16Uzcw7P2mnJE7CorxCDWD708GxBj nltMeYEdCoFavWkWXIIP4YM94fuD5Ekc03b2iiCMKVONSr4dKaAPFEtV3uFIoS/VwG5QQ8mE
zD6r/TFQ+/E+OosErgPkIN9ggywI7m28vEOeQ12Ev6uNAmWi84OzkE/CB9N3sMc6 hZZH9ymOeUrm+YvljFSfp1TDp9dGiYNKCx52Zj7wChqswzVEVFTqGEZqsYtyuuDQM0JhX6TG
7aXS65152DdZLcARaJL+WbMQeQYRCX2xBxKnaDZNkk0L+afyJK3OQv4Xnx0il1eH T75zmsqiJhBGl6nigGrdaRCnWvWv0n0dABEBAAGJAjsEGAEIACYCGwwWIQQxdu99sjZ/H8pP
CUWKD5K3Z69GR8nrweYhrkfczMZpCw/jciKqlasY1kDYy6BHWPsSp3sx4iGbxm+p MGsfmw6QmvNyhQUCYdIzCwUJBv/rvgAKCRAfmw6QmvNyhXK5D/jBMCAdoJVW9ai4tKgNac3s
x+eQ6LGWOfyB4C1CbCxXGDXyxUlXQMxdKcvgOZ2NDyWq5WabTottrUrEl1+RClhy xFjrtnLPo6lEzB4AXnltkC1VwULeDL+O3IueYCt7kyRr9vvogG/y/e8kpVIGvH8TcZd71EvU
02VFHLNbga5snVRTLE92QvvKR8S8ihp/n/vPY3VAs4nUPueOTmJzU88U4xsrRvWP kM7Df9X88I5bPrA78MpWAEQGE1RxsFLQVppzAOeiXVTXy/nwS/8LKP28W5FNFH0M9qYmvTje
yhFQ2FFgJvTkkiyYw6beEQ1ResrXvHByX3QvWKWs3rdmdhjLRmuoOnb+zYQxfiQh S0YYwxr7DJU526B0JGiis4kXl81tYnd2H46cx1qjSMmWMV0dPWMbUG5gs3HtU4u5DpBgn7a+
IZzK2j2ix21pwAT+OwCWdXEb2HxNpchwc3ylslieegVh/Un+6eg8HoaiAKNHqzwH klihpmtxebWNV2vO3TCqYJps+WbvDPHpUsHFpW+wYvE0VosB9jYKzhOS94aGz4Yl7fTZq/tF
JwQ3G636x2kpxS71vVKSBgBrwTF2agKGTTbF6quzjB0bfa1mVzhpHhgCDZ8JUCE9 4atBReoeESJi6RJWpvNmdSQPYrJu3BAGWnYTuniW9xhHhSYnCSrH3WfZSermU6XiAmKtZB5X
33yjKLp1EvccyzNJGXX+wUuyufuYHIyT4dW9crwWAKYqAQF252k5qr3cK9NxS56B w4HyjuJgKjUDjzVDOvpTQVcnpkBXkOdw0dIZDk61cq81p/R6bmxEGsIkMHNpxRfA1PNwjypg
ouf9Ou9bdIlBkqmxeAkQH5sOkJrzcoWCNg/+M45NZDXoiYrEBtAYuhK2uVTeSwMS ioLF2Cyq5kB3IVc8KdpW4O3XaVSiMfvXlkvpQJmCPtxup8IqUmgL+ILTqLJaHOhpbb6bsikT
+ATc63UEeQf6MtlYizt/84D1Iz2PxpipwdP5QKCICKoOhTVrER/YB5+lCL7m3kqW DekUC9DIV58xQ5HuHI0qaTrDyZsG8CK6f+OwxKbXJh5QDFarM5YrOIHaOaBSICQtCgCBH/Jp
WDja8dPdUguRYhvLouV1hnNFw8oN2KzZhfvxaVEKlw3qmhlNwDHnPoyy+PQzdR1y 388LOm8rTDqSHAQxp9ZjQafyLBaGHlHR2rvnztfV1LHS+9Pvven6J3Fj4r5hztJXuKUrOZ/B
COyEGCq1pral/Ckan6mZSHe2XPgqqn7BOuihSzK24EsT+m9IThyC3zePVO7RtTBB sLw8c7DnOI0UiQI8BBgBCAAmAhsMFiEEMXbvfbI2fx/KTzBrH5sOkJrzcoUFAl6yxcUFCQO/
Cl9oWt+oZZt71EZtJE2ovE+orJpyRK6Ya/OY6NdSvONvbn9EBtZnMLXFVBPT8Tsd iPgACgkQH5sOkJrzcoW5Jg/9E2/nvRIKXQCR8t7BhzMr4qcI5rqAY/pA/SxuI6G3zqyJ14dk
tBI212LxoT03GCwRV8f2Jce7E46QokyoeSuYWjKsVKFiyMPw6YcJ6zdawRUWC27p 2g6QN7khdesFaYbJjak2pTVyBiffm5UBz9NzD6Aai6MYUSJnKBE9432gaVYv5L1PaVlybwHF
5xQ+8BysOfdJMLlDvUaSh7uyVtPy8EQmgQ0BEKjVsqXzPOAiI2K4pDirsP9ygJME bK3ayo+dI4gkN0gYlrA4l1BUX6SsDumawlTMWTB3/4fqKN5c4u+XL/ccT7z+BRQu12kYLmUj
RvDjlAVUlX5igOpZRumJtscLg7H2F4ejWqSOdceMSxM3JSn1U3avhopVetZ2ZvZ5 3xXjh3LxH9xuwJ6qj0Kq9cNZMHCfO5YJV8dhxA00GvdNCIZfgmmGbZFjoDR1qzM53SykqcFC
z4sXQu3xJlJygtyv84/htedwdyiSpOHjfTgDubIleRJmqJWOyx2SS2zgo8qQwCjZ 9UXK0IzEv0p2zSRJ3UZwkbxP7CWm2xEWLv9glVQM5wTULcRhdARtgzeyq82fMS7DyEmshYKE
bHfRmNoENOjihGbaIretcUjotLgKVQEbXQmXA+j3wOST3LNDEK8gwgYBL89MKbWi L4o/kAcRwaOy8Kyl5PSadpEQdEBwX3DutGAPt/V5Vumdx8vKl2JX44F1euiNCYeQEmNYd1F8
zHLuRlYOmIlvjAYGrQFmILLbeT/tOR6qQL/nXPtTiYZkBF9Aj3nDDAfEtRGAnMmy T2a8xSdQV1TUIoHugQ3QGex2+scR2SdOVdpey+VJLN7hxk5xUx957E7SQVf7tCVqq6BElUkv
6HwbuCRNwcvTWSTCw7IEGAEIACYCGwIWIQQxdu99sjZ/H8pPMGsfmw6QmvNyhQUC kQAr48XRfj2+KFPEhmb140VLJ/ilBITQ9CyhCYkywar9SDh9xf4q/cfBdhBXn9nK+vOgS1mP
YdIzLgUJBv/p4QJAwXQgBBkBCAAdFiEEy43nCpDPv2w79cxWliYqz/vTrsYFAlzU Tdjgd/RuR3n3n7RUKTnOBdx8744fgLNKfJ/MWxVQqufPUX73xxqNZDjXDKe8b5YgHMmgJj2R
ck0ACgkQliYqz/vTrsbazxAAg/8wf9fNu6HPu477oUU1LuSTTTNAiYLVjTJjJ7LL DNqnBj/+uKhcVPoI7y2DQU+aeBLlqxypmU74H04EdD8ikbByrMV2lBFwIfyJAjwEGAEIACYC
ZRaxIPgdR0TTkKgkIxLAdelM3MOz9ppyROwqK8Qg1g+9PBsQY8w+q/0xUPvxPjqL GwwWIQQxdu99sjZ/H8pPMGsfmw6QmvNyhQUCYIszjgUJBZf2wQAKCRAfmw6QmvNyhU1fD/9m
BK4D5CDfYIMsCO5tvLxDnkNdhL+rjQJlovODs5BPwgfTd7DHOu2l0uudedg3WS3A JGguTFO4J1nJAR2/n4DRV62L/IjaORhePqiiw5FOBNr5/9+ggj8yV7Il4MU9oWTM1DRcYMfH
EWiS/lmzEHkGEQl9sQcSp2g2TZJNC/mn8iStzkL+F58dIpdXhwlFig+St2evRkfJ OvsA2yS5hrHPyifWHpcTqkudnecPBT1JnVvMivzX+s4x1ol4EyOQRByBoYCFsEYaRscNrDIT
68HmIa5H3MzGaQsP43IiqpWrGNZA2MugR1j7Eqd7MeIhm8ZvqcfnkOixljn8geAt Mid4zWPy7rkVPDr1RB+cJb4lQzfRx6XG8bJuF8MymEd9S5GNxeHNigdnFP3v3QwhiqSabWHp
QmwsVxg18sVJV0DMXSnL4DmdjQ8lquVmm06Lba1KxJdfkQpYctNlRRyzW4GubJ1U ul+k5VelSRqOlfVPNCoCABIfd5nEEwkzpndsmRRjx3Qidkh7Dwp/l/PQC/QM6RM+m/3LpXJ+
UyxPdkL7ykfEvIoaf5/7z2N1QLOJ1D7njk5ic1PPFOMbK0b1j8oRUNhRYCb05JIs Xah3DqkZHq4EYhmq4QmLljzMoT9EUXxWhiB6r8Xfg9kXHLEw7fed5nB9lXo1UgnEiWiL9Fpc
mMOm3hENUXrK17xwcl90L1ilrN63ZnYYy0ZrqDp2/s2EMX4kISGcyto9osdtacAE /7Zfm3hmkO9p1CO4SJCO6zHYNpL463Z6USnN/tLFcJFAJJNpChXRHPF4g2YEy4gs8IDNmzjy
/jsAlnVxG9h8TaXIcHN8pbJYnnoFYf1J/unoPB6GogCjR6s8BycENxut+sdpKcUu OMLDcnt9v6DNt23SVxdi5PrxlPvLTA09tjOQlR2jTCsfEW96F7AE3XKorvdm4GkU7jWFeIzv
9b1SkgYAa8ExdmoChk02xeqrs4wdG32tZlc4aR4YAg2fCVAhPd98oyi6dRL3HMsz 3RlpZZIZxGgfHvJ0gEA1UGKhdV9qZh46y5i2MwGILp7DZgr1ew9ekotmoqkO6Gh6SxI1d3c+
SRl1/sFLsrn7mByMk+HVvXK8FgCmKgEBdudpOaq93CvTcUuegaLn/TrvW3SJQZKp IeS26+VNocVjQFjQvfoJ0CtR29AVCP5jYZtFeVIhwpLmoaIdfTKgo/QVOtzldK4dCxFNShiC
sXgJEB+bDpCa83KFsXUP/2EnRVBTcGNoFUlMpix9my9IMvGCoYcV3PlPPIucZqmy Yj3gDv5ZyAzx4QYWqCT7kmJ70fDzMgnipYkCPAQYAQgAJhYhBDF2732yNn8fyk8wax+bDpCa
FH1ky+jKNRlTKW6lim+dsrHrKnFkQ/swv6dZnjkph0tKxqpcc3yYIieUPoy9ypdd 83KFBQJc1HBNAhsMBQkB4TOAAAoJEB+bDpCa83KFDGMP/j/LjzcdTfiHWHc6E7EUM3qPWf8o
xy5Q199yBBceGU/+UTYMWqVgOOELXeblTICoV+GTveQ9DkxpRf2U9kJ8Vhb5hUA4 bSL7Ft4l77x0vUGf2G3pQcngTI1SIMTTLAKkXhd6qPqCVPmM6kHK6IzwFcnMRFoMyoH/bVnZ
mUC2Wez99ucljwQl72ayP7RoDIQ12GrrX5fFQi+1mnwqJPu8y2AUeCSC7DzzyfgZ kUs0NyU3DPg3OUc1Iunvcg27nHdZPLFRv8ey/qSyNiIEJu3hzyBIUO0ZDdOtUwkqnznrri+I
C9hJD8O8KeH03XCefoSfxAO4HH9Er1UN9TSFSzsIftK/G4cW8Xoqh7S/5tLaRk7/ pToD7gWoYM0CC/Aero/OaC20c6dU1s4zwmAjqfzb0Nqiv3CDrrvF0p3g6fn7BAyHxnYbS7ZX
dCGctmEM06SbacwiZFgYP7xAkYgg55tGX8ULxVQI4KpjXP3RLaw5a3RUUm9Sg7+b S8nPQEY0qp+yC0CR3jceXCwv9C1PhQiSfqiPBTL7CglOz02WSAxY7GInh3VitM2rruKcacpL
QgU1jB0qxq2LuXpPMWmapiX6uWx8PJrWJ21XNnHmcszwStyTWCYMaH1Zcdqy5bWe VfjiZmFH4SUCys/7c1Sn+pJTfiqO/2sV4vutxfu3Q0xDYmcf7DK9BN7bZ01m3szTX/+5Ief0
9oklIKVBus8k2Iu0Rk34hmPgaB3TG/wyOraUnNZewccxFc9mls5o1v48lrm4ZERW kpY+e5ZrfcRHUOAzA/dXeW8sErf+YvCU9Hyi/e5iWvbhaMg9HwMA37cEfhBmVwGBOS6nuFHn
9djwUIj/eCU5Z3fbubdk32R5E9NvMlcxcE+5SHKFJd0H2cVZPnhI5G90P/eQFAkm 7TFoZrCNnFWEpfUJY++TThhNaVKlz5n3PXERFCJlfZtXf097cJJRJniBoA2jdfQqSJAgXArb
GhpGtpSQ9AmH9rP+K/GB1Jj4GM2u3IDwMgdsJhTGUfJh1UW6phBx6x5WMN/nrylF ZPxRW0ohIfgj+lnvqNwB27trdnKKpxC6k6P1k0QZ1MP3tDRaz/k0WrVi4Sxps78/RzA7I9nA
v7U7spggFfStlK3AmKy6zR3xlugmmmKc65XCTl/KG7wunG5VutE9BCxlviVKeE5e R1ovVUx8Tw2I9ru64SyyyYuaA2M5nQs4kMzA3P3oeFO9t91by/d/O1lj9HtGYEn5xLzb40Oy
wsOyBBgBCAAmFiEEMXbvfbI2fx/KTzBrH5sOkJrzcoUFAlzUck0CGwIFCQHhM4AC TfeDSyTpuQINBFzUck0BEADgwnBJBHWBnKwHhEJLYei4PMImRJSjoiYZi1EmiCT3u9+qEW/I
QAkQH5sOkJrzcoXBdCAEGQEIAB0WIQTLjecKkM+/bDv1zFaWJirP+9OuxgUCXNRy Oy+VJPyf2OyLM9RoLzMrCRmYi41eFZryWsenpzHQVP28KbMHP+mdJOTyvX9Lt8Ohxa/m+ZG0
TQAKCRCWJirP+9OuxtrPEACD/zB/1827oc+7jvuhRTUu5JNNM0CJgtWNMmMnsstl vjhXLDBsRFmhEFDV14As8NcI1GivnpyNxTFDDWbmxDMw7zTSkjH8dqeB/Z/HTXWu0pdOrhXb
FrEg+B1HRNOQqCQjEsB16Uzcw7P2mnJE7CorxCDWD708GxBjzD6r/TFQ+/E+OosE 85iZMsOZDUzmbKwBQTAOX7zPtmi4zheP49VXHGn3fNgvUb6QuzSQNtAKS7C2qPlIMug/vYyX
rgPkIN9ggywI7m28vEOeQ12Ev6uNAmWi84OzkE/CB9N3sMc67aXS65152DdZLcAR RNM4dnC9aGYdjwXuEyNYLN131lqG6q98xxPRsbdnzDqTgPCZqk2dZq033Ad2zhNbhynycxXD
aJL+WbMQeQYRCX2xBxKnaDZNkk0L+afyJK3OQv4Xnx0il1eHCUWKD5K3Z69GR8nr pxQsRn4PQfKBgpr+IdNEP4UevaOueaVLSwtvcvXcqMYtrzSYIcNu0tnbDDZRxhgKM+3TkpZc
weYhrkfczMZpCw/jciKqlasY1kDYy6BHWPsSp3sx4iGbxm+px+eQ6LGWOfyB4C1C 107qowq6+SSPzWbg6hUY7vxKzDAgvYhn5Oin59sARfo0KkSAM1H8/ozYxdNGySqIQFewcjjL
bCxXGDXyxUlXQMxdKcvgOZ2NDyWq5WabTottrUrEl1+RClhy02VFHLNbga5snVRT DpQnI2x/ZAU8nk0hltEzj+KmkJdJJI3becentmrdODySLO0fidrCmzhiuk8HLodDQ9apY+54
LE92QvvKR8S8ihp/n/vPY3VAs4nUPueOTmJzU88U4xsrRvWPyhFQ2FFgJvTkkiyY fWwDDUws33yE4DtX5Y2/1nUvwDNpil6dRknAVGdc3OvIe+WAnsGR9SMSy4HruP/Yf+OZSCFt
w6beEQ1ResrXvHByX3QvWKWs3rdmdhjLRmuoOnb+zYQxfiQhIZzK2j2ix21pwAT+ OSloe4MtP+qdyfx0vDg/mLffZxE8r+zSeB5IAp0BSbwUhdbeWGd+UpWCCwARAQABiQRyBBgB
OwCWdXEb2HxNpchwc3ylslieegVh/Un+6eg8HoaiAKNHqzwHJwQ3G636x2kpxS71 CAAmAhsCFiEEMXbvfbI2fx/KTzBrH5sOkJrzcoUFAl6yxcUFCQO/hvgCQMF0IAQZAQgAHRYh
vVKSBgBrwTF2agKGTTbF6quzjB0bfa1mVzhpHhgCDZ8JUCE933yjKLp1EvccyzNJ BMuN5wqQz79sO/XMVpYmKs/7067GBQJc1HJNAAoJEJYmKs/7067G2s8QAIP/MH/Xzbuhz7uO
GXX+wUuyufuYHIyT4dW9crwWAKYqAQF252k5qr3cK9NxS56Bouf9Ou9bdIlBkqmx +6FFNS7kk00zQImC1Y0yYyeyy2UWsSD4HUdE05CoJCMSwHXpTNzDs/aackTsKivEINYPvTwb
eKcnD/4+1HUg5cKrfSTXZNsuOU7AnlybWpU7Jl8YdxfeuCCe+I5W3jTYqljpCRGW EGPMPqv9MVD78T46iwSuA+Qg32CDLAjubby8Q55DXYS/q40CZaLzg7OQT8IH03ewxzrtpdLr
BAHtE3udB37JXKSn8yH70JzXQDWL9+G1wqk5iwkvtmKqAapzJFuZ9lYNlNGYDxI9 nXnYN1ktwBFokv5ZsxB5BhEJfbEHEqdoNk2STQv5p/Ikrc5C/hefHSKXV4cJRYoPkrdnr0ZH
foTq99f+OheFnT3nUm8IA9N0MwjGCIJ5501HM+NO8WylVoy0Y+erxbyQGC2Ey7Yj yevB5iGuR9zMxmkLD+NyIqqVqxjWQNjLoEdY+xKnezHiIZvGb6nH55DosZY5/IHgLUJsLFcY
VZSuCTZo3BuYiSCP8Bmd9qHxCJmBGQgbtA/2QBcLZ8o/z9w0U39Iwsei8oacZncV NfLFSVdAzF0py+A5nY0PJarlZptOi22tSsSXX5EKWHLTZUUcs1uBrmydVFMsT3ZC+8pHxLyK
TIFnBDsU3E25M1eyQ8VdcAqLL7v3UFOi+20zBBs+g8jBBdzXUVhp+RAsXldo8i/q Gn+f+89jdUCzidQ+545OYnNTzxTjGytG9Y/KEVDYUWAm9OSSLJjDpt4RDVF6yte8cHJfdC9Y
tdD4/90UXT7FBXmImGtzOVmza23v7Dyq7P/ZueEAqhr7vtW97UQ7+YkXDa4rHi4H pazet2Z2GMtGa6g6dv7NhDF+JCEhnMraPaLHbWnABP47AJZ1cRvYfE2lyHBzfKWyWJ56BWH9
rGJClrdxixEyCTPrD++SvwxAud3hAUKZF9hOb0fD9A7cn63EERVgaJGAi7p9Oqqb Sf7p6DwehqIAo0erPAcnBDcbrfrHaSnFLvW9UpIGAGvBMXZqAoZNNsXqq7OMHRt9rWZXOGke
qni8JOssQF6TeCUFP+X3nR4+iy8EX4scfN6LUB6/mnhoRVZ3GNEzPAZi9PGe8RqW GAINnwlQIT3ffKMounUS9xzLM0kZdf7BS7K5+5gcjJPh1b1yvBYApioBAXbnaTmqvdwr03FL
JqUMtrBVUPVxcwAgfijPmmMIXIUyZk5ysTQeT3eJVd3R3yxORfaHSD5kuHnXWwsp noGi5/0671t0iUGSqbF4CRAfmw6QmvNyhXnWD/4h3rEK6AkbcZ5EMiWdCphpje+vbjIBGj2o
/yYltsLI/hBtVa8N7XZdzZ9JDT8fIWj5515DsfunTtksrObpRdiq4lxAoYqiboI+ XaJIKSWiXrvI+ueWfrFcdOfl4vq2CGMp/rjKTR26xkTk+JQws7mcXX6xHCODQreQEfOFQnpG
L1BCHwvaTy9ghXhhpgnym0DJk2bmucRair96apTzdYoszd7iLM7BTQRc1HBNARAA kQBxJ/Mlx3dqjKlEgHCUp9sDYS2UaYMM4b6D3WWohSbFK/KhC/qH+51cviBcCFoaXtCaGy6v
6EzAcDoXEON3EsOc9hln8dEIHeP4Wfmz5z+qIrcnngbjJg/3XzvUWMN4XukOyZxB gFzhwUpXmmk3aMaPvJ/yWFa5qfP3IcSVd2mK6QPSUkRjqqUEnXk79Q3j2tmvh2Dl4+KOlt+2
GALPSToZ5k7MU6SkJMaDpow+Q6IGj3fU6pyTOGUAKctILNHlvZsgtNpQad/i3jUP aPvs4oITr3bhHHK4nvbwc/JAl744mxg8EE/dlkS+uHGlNfHzzQuud75dLxGeyjLCr/FGUUrA
r60IUrZ18kF1DTJh8HeVrySD1ru+2eVoz1Q7ROv6j01g5bKxQBrl/FL2NIXYLOB5 g12D4Z4tDPtJHLwWOs9rIZWk3W16VpVSyzP+7bREuiNsCat0saGQm5T4TCBn7JiuHu5R/jG0
nqT1ZrRuP3S7w31x+waswHsXpNU8bhN/sZsK+AzBoF9JArviFdVZ3TCNNbRUYinF gHBjrEZ0EvQxUyRqmT2irnCQ8EY6icuVA6oJGjX+nt1HO7n/5XFFb32ZZueX575zg47VGgUY
F8Bi50nIH/Z1rms6wxaHmER7p1KHARDW0keeO4EgkjVRlLJW0WoyPw3Kx+0Pv5Wt 18z5tURzHRS0/OkYjKlCau6JPqe4tmePSHTi51KfpnlzZ5f7L3vYVFlh4i30TQVX3qoZw8R4
3o3cWnm6ZTNzq1WJqD67qzxDxPEJcxpLChW0FXUcduoqILPB3hc3Ad+/+HRWuAzR qOTkashJCDOnB2Y4Ll8gww5ttfuC7Kc3H5P/QvcEQj6G5m895QlVyD7keyssKA2hycTp81OH
JethWYfBSQtQ106UApZFnsTFpMzHSg1orCOvcWFXtbm61/qRD2Ux9LyBXR0kzWdm kNd9bxkkxFXw+ebVTii8R4Fu3uFLDD7nPPIJyES5rzHuQDGwZ+GdQs+a9lDQrBfNKGy0tGGI
nRmSCL+iO4h5yoFBcnBOnVhCjVCYkczSwpO7qk46VPGLNpPgCTR61B/1IuKeW0x5 sYkEcgQYAQgAJgIbAhYhBDF2732yNn8fyk8wax+bDpCa83KFBQJgizOSBQkFl/TBAkDBdCAE
gR0KgVq9aRZcgg/hgz3h+4PkSRzTdvaKIIwpU41Kvh0poA8US1Xe4UihL9XAblBD GQEIAB0WIQTLjecKkM+/bDv1zFaWJirP+9OuxgUCXNRyTQAKCRCWJirP+9OuxtrPEACD/zB/
yYSFlkf3KY55Sub5i+WMVJ+nVMOn10aJg0oLHnZmPvAKGqzDNURUVOoYRmqxi3K6 1827oc+7jvuhRTUu5JNNM0CJgtWNMmMnsstlFrEg+B1HRNOQqCQjEsB16Uzcw7P2mnJE7Cor
4NAzQmFfpMZPvnOayqImEEaXqeKAat1pEKda9a/SfR0AEQEAAcLBfAQYAQgAJgIb xCDWD708GxBjzD6r/TFQ+/E+OosErgPkIN9ggywI7m28vEOeQ12Ev6uNAmWi84OzkE/CB9N3
DBYhBDF2732yNn8fyk8wax+bDpCa83KFBQJlmCIKBQkMhhi9AAoJEB+bDpCa83KF sMc67aXS65152DdZLcARaJL+WbMQeQYRCX2xBxKnaDZNkk0L+afyJK3OQv4Xnx0il1eHCUWK
43IP/24REKNHAnMFoXt46XrhGq3buZguAkpT14D7jGK3lkQBM8CVO4htuqnR51hA D5K3Z69GR8nrweYhrkfczMZpCw/jciKqlasY1kDYy6BHWPsSp3sx4iGbxm+px+eQ6LGWOfyB
ujal4w6AAANaZJi6M5NQrv57T+EejsyOvZHBtOco60qsbu2Ph6apJDiVrQsaQngn 4C1CbCxXGDXyxUlXQMxdKcvgOZ2NDyWq5WabTottrUrEl1+RClhy02VFHLNbga5snVRTLE92
VGhEc8tDD5UM5LtceSJ1fBThEnPPbSdkZdV8IeZu807OipuFQLfpKHp040VzJQ0u QvvKR8S8ihp/n/vPY3VAs4nUPueOTmJzU88U4xsrRvWPyhFQ2FFgJvTkkiyYw6beEQ1ResrX
TfRysAGHq8ZWopEv0ozYDcIfdFT2t4tviSEqBNSUNa3SD2K1TlXquKHZ3ISQCkO3 vHByX3QvWKWs3rdmdhjLRmuoOnb+zYQxfiQhIZzK2j2ix21pwAT+OwCWdXEb2HxNpchwc3yl
Q44/eSzLBMKok0FKdViilWfUiWQQZsIoR94A0m14NCm7c/lGQK7yl++Ric52KT4V slieegVh/Un+6eg8HoaiAKNHqzwHJwQ3G636x2kpxS71vVKSBgBrwTF2agKGTTbF6quzjB0b
uZ+Y0K197ruWaBPS7N18xHNH0/P7bhOSGu7PGW3fSbXif7xAfB9moICR50GLIbe9 fa1mVzhpHhgCDZ8JUCE933yjKLp1EvccyzNJGXX+wUuyufuYHIyT4dW9crwWAKYqAQF252k5
/iC466eu2fpGB55dkd8oGDL/GGyCD9EmkNSSgZ4YNKt2fR6VFtJdzntZrK2ichrY qr3cK9NxS56Bouf9Ou9bdIlBkqmxeAkQH5sOkJrzcoXLuA/9E35tq9kEQLfVk/XIPaNcK1cY
uyGXQ9UiJNtAUM60eF4CmJX99nfStc2VZXXNSy6D/fNkWbMgJz7uINL0jFICihXo thOICf/LfZVcNvlGxIfMGfuEbQ+1eWcdVa/UW1Kff3VUOZaAjyRbpdrVbEUCyoFnnMEs/GbC
kwAiaO+y364WOSzk/NQPZcIZ/fnPZPKnWIReQfMdPAHr4pVS7fYv5AMFonR3fUSe G5+gWGpgwD6jt7tESCCpQIssp3b8vf69SWNH8jKY4LXPkeSaxuhFWlUjaJXnvCMYWeHTPTke
jroXeIyZB6Dgt/v13sOBQ61GFt0n75sX2wSlc8NvkXLG3xpwqPZ7Js8Tadc7HK3R BKHVMoAKYWKr7t6jgLDGoNO+B0l4vVGq2K8M0obd5Wn8HV1IgYu9yP5CX8KzYkSyg9Vc2djQ
7ksCpRwz+rJHn6sEvVZSx6+S5EzTw7TNWqDeczsmR+YPYRvewsF8BBgBCAAmAhsM 4k9aKfCthVwwKJ+OH1MJFpEKYihmUweaGo9+32sHdT4ifyn6zS+K8HHZGlK6DeBlqrWkx7GP
FiEEMXbvfbI2fx/KTzBrH5sOkJrzcoUFAmPHK5AFCQjT7sMACgkQH5sOkJrzcoUX wHZWtq6v2DxcobZieLoLmyDZlJFJHjbKZ9Bg/OqUaqCyuFzHoVC0UTRIgvblButt1agaMPz/
Xg/9Hz4S2vwSa15mrrW3syDWt0aZ10loLNi3kL9ZJ4Q95Mj64JKR7qAkzfQ3Q7mw 7+VdXZUKmXjZjopW6R7ScxK/q4uvKykY+r0eDTihLp6Nyb7m96Xv8HvlBe9Vzxm//PtosZUs
ini/2tdDeMg8kg4yQ+eOCAYhySE3eiE0ThaFlUYXnCSNVSgOyT6YtAs6Fjx3rNxS sQatJHMecKePEhkY0i/bqm4CAur7ESfWatgZhZC0MIG0jTCB6O7ueBVTKX80eXeyErYt+Wra
9+J5E3zbyBwO8TpWvkT2jr7lKU5XZp0L1RQuKN0DB3i1tg0cgJLbdFkLr72lQoDY iH6wuBW8GCLuuMnAiaVkoknx75Oyqirr3Una2xoGGMcER2+QTWTxD/GuiPIOK6z1ktglCjIH
QTVMaiv3Iu/mdgAk4mCSnR9URFNxCbLYWUBLhH1KtCACbDhXXSfVnGUVc0b/jVTn hK+bedsSrv6pnJtcdc42btv57ZmslyjiSIOwnCHQNfODjc9Ke4/FtVnsRmIhn/NXI8OdL5oH
HsHm+D2c0tn9krZ9ONZ9J22aIZQQg80xxSz66kW0bWnzhdAge/3T0joeegZLyROE vI4Hu/sWWdGJBHIEGAEIACYCGwIWIQQxdu99sjZ/H8pPMGsfmw6QmvNyhQUCYdIzLgUJBv/p
TrBFbLW+Rcit0SX6G+mCg1J3FALIsEtB9nG9a5Tum+bML021wiTH+MVLH0GP1ckt 4QJAwXQgBBkBCAAdFiEEy43nCpDPv2w79cxWliYqz/vTrsYFAlzUck0ACgkQliYqz/vTrsba
DZH/zNuR6CtxLsrw2vgLsRd1QGiB9LN96sKYBQHF4Ys79V54ASBVBTK77vxcW4dI zxAAg/8wf9fNu6HPu477oUU1LuSTTTNAiYLVjTJjJ7LLZRaxIPgdR0TTkKgkIxLAdelM3MOz
d2ZPxi0LU57jL3mJf6SQBVA1s0/HNaNc7rtueilYqcIkU6wpYtbtV5+G7MHv3RwX 9ppyROwqK8Qg1g+9PBsQY8w+q/0xUPvxPjqLBK4D5CDfYIMsCO5tvLxDnkNdhL+rjQJlovOD
mRdA1kYbc3EM/YfjEjK2bGCKRrK4cpjr8BIfxP/H6mioTtLZqVb5O3ui7kA11GS4 s5BPwgfTd7DHOu2l0uudedg3WS3AEWiS/lmzEHkGEQl9sQcSp2g2TZJNC/mn8iStzkL+F58d
fWXurGLMWOVPmcVAUm/lZ86I5rX9p9V45Z1ViOkGIKGfq5QqZvxdDRpv+hftpOrW IpdXhwlFig+St2evRkfJ68HmIa5H3MzGaQsP43IiqpWrGNZA2MugR1j7Eqd7MeIhm8Zvqcfn
eICB/FZB9FhkS3WS2EKHaqcWk5lKtpRgPcsVD4Zk1Tlmi6DCwXsEGAEIACYCGwwW kOixljn8geAtQmwsVxg18sVJV0DMXSnL4DmdjQ8lquVmm06Lba1KxJdfkQpYctNlRRyzW4Gu
IQQxdu99sjZ/H8pPMGsfmw6QmvNyhQUCYdIzCwUJBv/rvgAKCRAfmw6QmvNyhXK5 bJ1UUyxPdkL7ykfEvIoaf5/7z2N1QLOJ1D7njk5ic1PPFOMbK0b1j8oRUNhRYCb05JIsmMOm
D/jBMCAdoJVW9ai4tKgNac3sxFjrtnLPo6lEzB4AXnltkC1VwULeDL+O3IueYCt7 3hENUXrK17xwcl90L1ilrN63ZnYYy0ZrqDp2/s2EMX4kISGcyto9osdtacAE/jsAlnVxG9h8
kyRr9vvogG/y/e8kpVIGvH8TcZd71EvUkM7Df9X88I5bPrA78MpWAEQGE1RxsFLQ TaXIcHN8pbJYnnoFYf1J/unoPB6GogCjR6s8BycENxut+sdpKcUu9b1SkgYAa8ExdmoChk02
VppzAOeiXVTXy/nwS/8LKP28W5FNFH0M9qYmvTjeS0YYwxr7DJU526B0JGiis4kX xeqrs4wdG32tZlc4aR4YAg2fCVAhPd98oyi6dRL3HMszSRl1/sFLsrn7mByMk+HVvXK8FgCm
l81tYnd2H46cx1qjSMmWMV0dPWMbUG5gs3HtU4u5DpBgn7a+klihpmtxebWNV2vO KgEBdudpOaq93CvTcUuegaLn/TrvW3SJQZKpsXgJEB+bDpCa83KFsXUP/2EnRVBTcGNoFUlM
3TCqYJps+WbvDPHpUsHFpW+wYvE0VosB9jYKzhOS94aGz4Yl7fTZq/tF4atBReoe pix9my9IMvGCoYcV3PlPPIucZqmyFH1ky+jKNRlTKW6lim+dsrHrKnFkQ/swv6dZnjkph0tK
ESJi6RJWpvNmdSQPYrJu3BAGWnYTuniW9xhHhSYnCSrH3WfZSermU6XiAmKtZB5X xqpcc3yYIieUPoy9ypddxy5Q199yBBceGU/+UTYMWqVgOOELXeblTICoV+GTveQ9DkxpRf2U
w4HyjuJgKjUDjzVDOvpTQVcnpkBXkOdw0dIZDk61cq81p/R6bmxEGsIkMHNpxRfA 9kJ8Vhb5hUA4mUC2Wez99ucljwQl72ayP7RoDIQ12GrrX5fFQi+1mnwqJPu8y2AUeCSC7Dzz
1PNwjypgioLF2Cyq5kB3IVc8KdpW4O3XaVSiMfvXlkvpQJmCPtxup8IqUmgL+ILT yfgZC9hJD8O8KeH03XCefoSfxAO4HH9Er1UN9TSFSzsIftK/G4cW8Xoqh7S/5tLaRk7/dCGc
qLJaHOhpbb6bsikTDekUC9DIV58xQ5HuHI0qaTrDyZsG8CK6f+OwxKbXJh5QDFar tmEM06SbacwiZFgYP7xAkYgg55tGX8ULxVQI4KpjXP3RLaw5a3RUUm9Sg7+bQgU1jB0qxq2L
M5YrOIHaOaBSICQtCgCBH/Jp388LOm8rTDqSHAQxp9ZjQafyLBaGHlHR2rvnztfV uXpPMWmapiX6uWx8PJrWJ21XNnHmcszwStyTWCYMaH1Zcdqy5bWe9oklIKVBus8k2Iu0Rk34
1LHS+9Pvven6J3Fj4r5hztJXuKUrOZ/BsLw8c7DnOI0UwsF8BBgBCAAmFiEEMXbv hmPgaB3TG/wyOraUnNZewccxFc9mls5o1v48lrm4ZERW9djwUIj/eCU5Z3fbubdk32R5E9Nv
fbI2fx/KTzBrH5sOkJrzcoUFAlzUcE0CGwwFCQHhM4AACgkQH5sOkJrzcoUMYw/+ MlcxcE+5SHKFJd0H2cVZPnhI5G90P/eQFAkmGhpGtpSQ9AmH9rP+K/GB1Jj4GM2u3IDwMgds
P8uPNx1N+IdYdzoTsRQzeo9Z/yhtIvsW3iXvvHS9QZ/YbelByeBMjVIgxNMsAqRe JhTGUfJh1UW6phBx6x5WMN/nrylFv7U7spggFfStlK3AmKy6zR3xlugmmmKc65XCTl/KG7wu
F3qo+oJU+YzqQcrojPAVycxEWgzKgf9tWdmRSzQ3JTcM+Dc5RzUi6e9yDbucd1k8 nG5VutE9BCxlviVKeE5eiQRyBBgBCAAmFiEEMXbvfbI2fx/KTzBrH5sOkJrzcoUFAlzUck0C
sVG/x7L+pLI2IgQm7eHPIEhQ7RkN061TCSqfOeuuL4ilOgPuBahgzQIL8B6uj85o GwIFCQHhM4ACQAkQH5sOkJrzcoXBdCAEGQEIAB0WIQTLjecKkM+/bDv1zFaWJirP+9OuxgUC
LbRzp1TWzjPCYCOp/NvQ2qK/cIOuu8XSneDp+fsEDIfGdhtLtldLyc9ARjSqn7IL XNRyTQAKCRCWJirP+9OuxtrPEACD/zB/1827oc+7jvuhRTUu5JNNM0CJgtWNMmMnsstlFrEg
QJHeNx5cLC/0LU+FCJJ+qI8FMvsKCU7PTZZIDFjsYieHdWK0zauu4pxpyktV+OJm +B1HRNOQqCQjEsB16Uzcw7P2mnJE7CorxCDWD708GxBjzD6r/TFQ+/E+OosErgPkIN9ggywI
YUfhJQLKz/tzVKf6klN+Ko7/axXi+63F+7dDTENiZx/sMr0E3ttnTWbezNNf/7kh 7m28vEOeQ12Ev6uNAmWi84OzkE/CB9N3sMc67aXS65152DdZLcARaJL+WbMQeQYRCX2xBxKn
5/SSlj57lmt9xEdQ4DMD91d5bywSt/5i8JT0fKL97mJa9uFoyD0fAwDftwR+EGZX aDZNkk0L+afyJK3OQv4Xnx0il1eHCUWKD5K3Z69GR8nrweYhrkfczMZpCw/jciKqlasY1kDY
AYE5Lqe4UeftMWhmsI2cVYSl9Qlj75NOGE1pUqXPmfc9cREUImV9m1d/T3twklEm y6BHWPsSp3sx4iGbxm+px+eQ6LGWOfyB4C1CbCxXGDXyxUlXQMxdKcvgOZ2NDyWq5WabTott
eIGgDaN19CpIkCBcCttk/FFbSiEh+CP6We+o3AHbu2t2coqnELqTo/WTRBnUw/e0 rUrEl1+RClhy02VFHLNbga5snVRTLE92QvvKR8S8ihp/n/vPY3VAs4nUPueOTmJzU88U4xsr
NFrP+TRatWLhLGmzvz9HMDsj2cBHWi9VTHxPDYj2u7rhLLLJi5oDYzmdCziQzMDc RvWPyhFQ2FFgJvTkkiyYw6beEQ1ResrXvHByX3QvWKWs3rdmdhjLRmuoOnb+zYQxfiQhIZzK
/eh4U7233VvL9387WWP0e0ZgSfnEvNvjQ7JN94NLJOk= 2j2ix21pwAT+OwCWdXEb2HxNpchwc3ylslieegVh/Un+6eg8HoaiAKNHqzwHJwQ3G636x2kp
=2AOW xS71vVKSBgBrwTF2agKGTTbF6quzjB0bfa1mVzhpHhgCDZ8JUCE933yjKLp1EvccyzNJGXX+
wUuyufuYHIyT4dW9crwWAKYqAQF252k5qr3cK9NxS56Bouf9Ou9bdIlBkqmxeKcnD/4+1HUg
5cKrfSTXZNsuOU7AnlybWpU7Jl8YdxfeuCCe+I5W3jTYqljpCRGWBAHtE3udB37JXKSn8yH7
0JzXQDWL9+G1wqk5iwkvtmKqAapzJFuZ9lYNlNGYDxI9foTq99f+OheFnT3nUm8IA9N0MwjG
CIJ5501HM+NO8WylVoy0Y+erxbyQGC2Ey7YjVZSuCTZo3BuYiSCP8Bmd9qHxCJmBGQgbtA/2
QBcLZ8o/z9w0U39Iwsei8oacZncVTIFnBDsU3E25M1eyQ8VdcAqLL7v3UFOi+20zBBs+g8jB
BdzXUVhp+RAsXldo8i/qtdD4/90UXT7FBXmImGtzOVmza23v7Dyq7P/ZueEAqhr7vtW97UQ7
+YkXDa4rHi4HrGJClrdxixEyCTPrD++SvwxAud3hAUKZF9hOb0fD9A7cn63EERVgaJGAi7p9
Oqqbqni8JOssQF6TeCUFP+X3nR4+iy8EX4scfN6LUB6/mnhoRVZ3GNEzPAZi9PGe8RqWJqUM
trBVUPVxcwAgfijPmmMIXIUyZk5ysTQeT3eJVd3R3yxORfaHSD5kuHnXWwsp/yYltsLI/hBt
Va8N7XZdzZ9JDT8fIWj5515DsfunTtksrObpRdiq4lxAoYqiboI+L1BCHwvaTy9ghXhhpgny
m0DJk2bmucRair96apTzdYoszd7iLA==
=DiYK
-----END PGP PUBLIC KEY BLOCK----- -----END PGP PUBLIC KEY BLOCK-----

56
expat.spec
View File

@ -1,8 +1,7 @@
# #
# spec file for package expat # spec file for package expat
# #
# Copyright (c) 2024 SUSE LLC # Copyright (c) 2022 SUSE LLC
# Copyright (c) 2024 Andreas Stieger <Andreas.Stieger@gmx.de>
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -17,10 +16,9 @@
# #
%global unversion 2_6_4 %global unversion 2_5_0
%define sover 1
Name: expat Name: expat
Version: 2.6.4 Version: 2.5.0
Release: 0 Release: 0
Summary: XML Parser Toolkit Summary: XML Parser Toolkit
License: MIT License: MIT
@ -31,9 +29,16 @@ Source1: https://github.com/libexpat/libexpat/releases/download/R_%{unver
Source2: baselibs.conf Source2: baselibs.conf
Source3: %{name}faq.html Source3: %{name}faq.html
# https://www.gentoo.org/inside-gentoo/developers/index.html#sping # https://www.gentoo.org/inside-gentoo/developers/index.html#sping
# https://github.com/libexpat/libexpat/issues/537#issuecomment-1003796884 # https://keys.gentoo.org/pks/lookup?op=get&search=0x1F9B0E909AF37285#/%{name}.keyring
Source4: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3176ef7db2367f1fca4f306b1f9b0e909af37285#/expat.keyring Source4: %{name}.keyring
BuildRequires: c++_compiler # PATCH FIX-UPSTREAM: bsc#1221289 (CVE-2024-28757)
# https://github.com/libexpat/libexpat/pull/842
Patch0: expat-CVE-2024-28757.patch
Patch1: expat-fix-minicheck.patch
# CVE-2024-50602 [bsc#1232579], DoS via XML_ResumeParser
Patch2: expat-CVE-2024-50602.patch
BuildRequires: gcc-c++
BuildRequires: libtool
BuildRequires: pkgconfig BuildRequires: pkgconfig
%description %description
@ -41,11 +46,11 @@ Expat is an XML parser library written in C. It is a stream-oriented
parser in which an application registers handlers for things the parser in which an application registers handlers for things the
parser might find in the XML document (like start tags). parser might find in the XML document (like start tags).
%package -n libexpat%{sover} %package -n libexpat1
Summary: XML Parser Toolkit Summary: XML Parser Toolkit
Group: System/Libraries Group: System/Libraries
%description -n libexpat%{sover} %description -n libexpat1
Expat is an XML parser library written in C. It is a stream-oriented Expat is an XML parser library written in C. It is a stream-oriented
parser in which an application registers handlers for things the parser in which an application registers handlers for things the
parser might find in the XML document (like start tags). parser might find in the XML document (like start tags).
@ -54,7 +59,7 @@ parser might find in the XML document (like start tags).
Summary: Development files for expat, an XML parser toolkit Summary: Development files for expat, an XML parser toolkit
Group: Development/Libraries/C and C++ Group: Development/Libraries/C and C++
Requires: glibc-devel Requires: glibc-devel
Requires: libexpat%{sover} = %{version} Requires: libexpat1 = %{version}
%description -n libexpat-devel %description -n libexpat-devel
Expat is an XML parser library written in C. It is a stream-oriented Expat is an XML parser library written in C. It is a stream-oriented
@ -66,17 +71,17 @@ in libexpat.
%prep %prep
%autosetup -p1 %autosetup -p1
cp %{SOURCE3} . cp %{SOURCE3} .
rm -f examples/*.dsp
%build %build
%configure \ %configure \
--disable-silent-rules \ --disable-silent-rules \
--docdir="%{_docdir}/%{name}" \ --docdir="%{_docdir}/%{name}" \
--disable-static \ --disable-static
--without-docbook
%if 0%{?do_profiling} %if 0%{?do_profiling}
%make_build CFLAGS="%{optflags} %{cflags_profile_generate}" LDFLAGS="%{optflags} %{cflags_profile_generate}" %make_build CFLAGS="%{optflags} %{cflags_profile_generate}"
%make_build CFLAGS="%{optflags} %{cflags_profile_generate}" LDFLAGS="%{optflags} %{cflags_profile_generate}" check %make_build CFLAGS="%{optflags} %{cflags_profile_generate}" LDFLAGS="%{optflags} %{cflags_profile_generate}" check
%make_build clean %make_build clean
%make_build CFLAGS="%{optflags} %{cflags_profile_feedback}" %make_build CFLAGS="%{optflags} %{cflags_profile_feedback}"
@ -84,31 +89,30 @@ cp %{SOURCE3} .
%make_build CFLAGS="%{optflags}" %make_build CFLAGS="%{optflags}"
%endif %endif
%check
%make_build check
%install %install
%make_install %make_install
find %{buildroot} -type f -name "*.la" -delete -print find %{buildroot} -type f -name "*.la" -delete -print
# Fix permissions error: spurious-executable-perm
chmod 0644 examples/elements.c
%ldconfig_scriptlets -n libexpat%{sover} %check
%make_build check
%post -n libexpat1 -p /sbin/ldconfig
%postun -n libexpat1 -p /sbin/ldconfig
%files %files
%license COPYING %license COPYING
%doc AUTHORS README.md expatfaq.html %doc AUTHORS README.md expatfaq.html
%doc doc/reference.html doc/*.css %doc doc/reference.html doc/style.css
%doc examples/*.c examples/Makefile.am examples/Makefile.in %doc examples/elements.c examples/outline.c examples/Makefile.am examples/Makefile.in
%doc changelog %doc changelog
%{_bindir}/xmlwf %{_bindir}/xmlwf
%{_mandir}/man1/xmlwf.1%{?ext_man}
%files -n libexpat1 %files -n libexpat1
%license COPYING %{_libdir}/libexpat.so.*
%{_libdir}/libexpat.so.%{sover}
%{_libdir}/libexpat.so.%{sover}.*
%files -n libexpat-devel %files -n libexpat-devel
%license COPYING
%{_includedir}/* %{_includedir}/*
%{_libdir}/libexpat.so %{_libdir}/libexpat.so
%{_libdir}/pkgconfig/expat.pc %{_libdir}/pkgconfig/expat.pc