rpm/expat
SHA256
1
0
Fork 0
forked from pool/expat
Code Pull Requests Activity

Accepting request 508187 from devel:libraries:c_c++

Browse Source 
1

OBS-URL: https://build.opensuse.org/request/show/508187
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/expat?expand=0&rev=50
This commit is contained in:
Dominique Leuenberger 2017-07-11 06:34:44 +00:00 committed by Git OBS Bridge
commit a6a3a5bbb7
4 changed files with 56 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
expat-2.2.0.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d9e50ff2d19b3538bd2127902a89987474e1a4db8e43a66a4d1a712ab9a504ff
size 414352

3
expat-2.2.1.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1868cadae4c82a018e361e2b2091de103cd820aaacb0d6cfa49bd2cd83978885
size 405441

51
expat.changes
View File

@ -1,3 +1,54 @@
-------------------------------------------------------------------
Tue Jul 4 14:33:00 UTC 2017 - meissner@suse.com
- Version update to 2.2.1 Sat June 17 2017
- Security fixes:
CVE-2017-9233 / bsc#1047236 -- External entity infinite loop DoS
Details: https://libexpat.github.io/doc/cve-2017-9233/
Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
- [MOX-002] CVE-2016-9063 / bsc#1047240 -- Detect integer overflow;
(Fixed version of existing downstream patches!)
- (SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off
longer tag names;
#25 More integer overflow detection (function poolGrow);
- [MOX-002] Detect overflow from len=INT_MAX call to XML_Parse;
- [MOX-005] #30 Use high quality entropy for hash initialization:
* arc4random_buf on BSD, systems with libbsd
(when configured with --with-libbsd), CloudABI
* RtlGenRandom on Windows XP / Server 2003 and later
* getrandom on Linux 3.17+
In a way, that's still part of CVE-2016-5300.
https://github.com/libexpat/libexpat/pull/30/commits
- [MOX-005] For the low quality entropy extraction fallback code,
the parser instance address can no longer leak,
- [MOX-003] Prevent use of uninitialised variable; commit
- [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b
Add missing parameter validation to public API functions
and dedicated error code XML_ERROR_INVALID_ARGUMENT:
- [MOX-006] * NULL checks; commits
* Negative length (XML_Parse); commit
- [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f
- [MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash
to go further with fixing CVE-2012-0876.
https://github.com/libexpat/libexpat/pull/39/commits
- Bug fixes:
#32 Fix sharing of hash salt across parsers;
relevant where XML_ExternalEntityParserCreate is called
prior to XML_Parse, in particular (e.g. FBReader)
#28 xmlwf: Auto-disable use of memory-mapping (and parsing
as a single chunk) for files larger than ~1 GB (2^30 bytes)
rather than failing with error "out of memory"
#3 Fix double free after malloc failure in DTD code; commit
7ae9c3d3af433cd4defe95234eae7dc8ed15637f
#17 Fix memory leak on parser error for unbound XML attribute
prefix with new namespaces defined in the same tag;
found by Google's OSS-Fuzz; commits
xmlwf on Windows: Add missing calls to CloseHandle
- New features:
#30 Introduced environment switch EXPAT_ENTROPY_DEBUG=1
for runtime debugging of entropy extraction
Bump version info from 7:2:6 to 7:3:6
-------------------------------------------------------------------
Mon Jul 18 23:02:23 UTC 2016 - jengelh@inai.de

4
expat.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package expat
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@
Name: expat
Version: 2.2.0
Version: 2.2.1
Release: 0
Summary: XML Parser Toolkit
License: MIT