Accepting request 508174 from home:msmeissn:branches:devel:libraries:c_c++

- Version update to 2.2.1 Sat June 17 2017
  - Security fixes:
                    CVE-2017-9233 / bsc#1047236 -- External entity infinite loop DoS
                    Details: https://libexpat.github.io/doc/cve-2017-9233/
                    Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
   - [MOX-002]      CVE-2016-9063 / bsc#1047240 -- Detect integer overflow; 
                    (Fixed version of existing downstream patches!)
   - (SF.net) #539  Fix regression from fix to CVE-2016-0718 cutting off
                    longer tag names; 
               #25  More integer overflow detection (function poolGrow); 
   - [MOX-002]      Detect overflow from len=INT_MAX call to XML_Parse; 
   - [MOX-005] #30  Use high quality entropy for hash initialization:
                    * arc4random_buf on BSD, systems with libbsd
                      (when configured with --with-libbsd), CloudABI
                    * RtlGenRandom on Windows XP / Server 2003 and later
                    * getrandom on Linux 3.17+
                    In a way, that's still part of CVE-2016-5300.
                    https://github.com/libexpat/libexpat/pull/30/commits
   - [MOX-005] For the low quality entropy extraction fallback code,
               the parser instance address can no longer leak, 
   - [MOX-003] Prevent use of uninitialised variable; commit
   - [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b
               Add missing parameter validation to public API functions
               and dedicated error code XML_ERROR_INVALID_ARGUMENT:
   - [MOX-006] * NULL checks; commits
               * Negative length (XML_Parse); commit
   - [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f
   - [MOX-001] #35  Change hash algorithm to William Ahern's version of SipHash
                    to go further with fixing CVE-2012-0876.
                    https://github.com/libexpat/libexpat/pull/39/commits

OBS-URL: https://build.opensuse.org/request/show/508174
OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/expat?expand=0&rev=57

expat-2.2.0.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d9e50ff2d19b3538bd2127902a89987474e1a4db8e43a66a4d1a712ab9a504ff
-size 414352

expat-2.2.1.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1868cadae4c82a018e361e2b2091de103cd820aaacb0d6cfa49bd2cd83978885
+size 405441

expat.changes

@@ -1,3 +1,54 @@
+-------------------------------------------------------------------
+Tue Jul  4 14:33:00 UTC 2017 - meissner@suse.com
+
+- Version update to 2.2.1 Sat June 17 2017
+  - Security fixes:
+                    CVE-2017-9233 / bsc#1047236 -- External entity infinite loop DoS
+                    Details: https://libexpat.github.io/doc/cve-2017-9233/
+                    Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
+   - [MOX-002]      CVE-2016-9063 / bsc#1047240 -- Detect integer overflow; 
+                    (Fixed version of existing downstream patches!)
+   - (SF.net) #539  Fix regression from fix to CVE-2016-0718 cutting off
+                    longer tag names; 
+               #25  More integer overflow detection (function poolGrow); 
+   - [MOX-002]      Detect overflow from len=INT_MAX call to XML_Parse; 
+   - [MOX-005] #30  Use high quality entropy for hash initialization:
+                    * arc4random_buf on BSD, systems with libbsd
+                      (when configured with --with-libbsd), CloudABI
+                    * RtlGenRandom on Windows XP / Server 2003 and later
+                    * getrandom on Linux 3.17+
+                    In a way, that's still part of CVE-2016-5300.
+                    https://github.com/libexpat/libexpat/pull/30/commits
+   - [MOX-005] For the low quality entropy extraction fallback code,
+               the parser instance address can no longer leak, 
+   - [MOX-003] Prevent use of uninitialised variable; commit
+   - [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b
+               Add missing parameter validation to public API functions
+               and dedicated error code XML_ERROR_INVALID_ARGUMENT:
+   - [MOX-006] * NULL checks; commits
+               * Negative length (XML_Parse); commit
+   - [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f
+   - [MOX-001] #35  Change hash algorithm to William Ahern's version of SipHash
+                    to go further with fixing CVE-2012-0876.
+                    https://github.com/libexpat/libexpat/pull/39/commits
+   - Bug fixes:
+     #32 Fix sharing of hash salt across parsers;
+         relevant where XML_ExternalEntityParserCreate is called
+         prior to XML_Parse, in particular (e.g. FBReader)
+     #28 xmlwf: Auto-disable use of memory-mapping (and parsing
+         as a single chunk) for files larger than ~1 GB (2^30 bytes)
+         rather than failing with error "out of memory"
+     #3  Fix double free after malloc failure in DTD code; commit
+         7ae9c3d3af433cd4defe95234eae7dc8ed15637f
+     #17 Fix memory leak on parser error for unbound XML attribute
+         prefix with new namespaces defined in the same tag;
+         found by Google's OSS-Fuzz; commits
+         xmlwf on Windows: Add missing calls to CloseHandle
+   - New features:
+     #30 Introduced environment switch EXPAT_ENTROPY_DEBUG=1
+         for runtime debugging of entropy extraction
+         Bump version info from 7:2:6 to 7:3:6
+
 -------------------------------------------------------------------
 Mon Jul 18 23:02:23 UTC 2016 - jengelh@inai.de
 

expat.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package expat
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           expat
-Version:        2.2.0
+Version:        2.2.1
 Release:        0
 Summary:        XML Parser Toolkit
 License:        MIT