diff --git a/expat-2.4.4.tar.xz b/expat-2.4.4.tar.xz deleted file mode 100644 index 1feebe8..0000000 --- a/expat-2.4.4.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:b5d25d6e373351c2ed19b562b4732d01d2589ac8c8e9e7962d8df1207cc311b8 -size 449448 diff --git a/expat-2.4.4.tar.xz.asc b/expat-2.4.4.tar.xz.asc deleted file mode 100644 index e64e933..0000000 --- a/expat-2.4.4.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEy43nCpDPv2w79cxWliYqz/vTrsYFAmH11+gACgkQliYqz/vT -rsYnng/+PctRB7klFTZ8BhmZXw7p3zasX9j17kY1/a24LT79mBNz+jSlxHI1nhwQ -ML9Tn3H/YdyriqYYVngjqrNoUFxGmTvF/VHE92AZ1AoDyqDUmzj061hcAIJvFevz -Ucn3f4dgBZJ8qsys0Y3SIaEZNLdTkOz4wT2czSdWHxwaGS/FCa28wJ3ed5Sr8dSS -KMzt6WG6nkqPUNMnlgX24wmg+Y5wcdGipTD/hbDoSkSWK5s2qUhNDs8Nuq8MLKu4 -PAawLOg/TyZAN36nX7/WZiaPB5pOgLsgP94DOyQBtF4+O/tGTADKazhV7e5pOwTb -dzdGBzpgbhIa70V/iSLX0TcE8NlFEp3RLMd9Yv19w/S7Dhju3ZrcjVVpwlwnR16w -nWr5vNMw+HiF0QrtKt1swSex5GuMHbzGAQqAfOQZwGPe/kDfC6TSwKvJwWOjVzuF -JYoFMAM2vIT6zf0l5HvmysFEx9Z0hFuV9/R2cv5ADqWLj88L4sQGaVQrmJDuYxao -swYRHqOkl2T36prwQPpHXs8B1GovuMTJqBf3WwBx00TC+/slvM04HCx02p6zk2HV -awfYf93A8HiywTmlQCOoSBve7tvpluNulICCAOHmxeE4DpZvjjHqEtfUeyiKrtnN -pTWzdnmoxC95gBKxft3VAx6RNk144kNQUYIJ+N6SulBI72O2hVI= -=vDlI ------END PGP SIGNATURE----- diff --git a/expat-2.4.6.tar.xz b/expat-2.4.6.tar.xz new file mode 100644 index 0000000..95debb0 --- /dev/null +++ b/expat-2.4.6.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:de55794b7a9bc214852fdc075beaaecd854efe1361597e6268ee87946951289b +size 452468 diff --git a/expat-2.4.6.tar.xz.asc b/expat-2.4.6.tar.xz.asc new file mode 100644 index 0000000..92b7188 --- /dev/null +++ b/expat-2.4.6.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEy43nCpDPv2w79cxWliYqz/vTrsYFAmISdL8ACgkQliYqz/vT +rsaPBhAAlALWvVoxvGj5Sko6xbOBVXfal/c40pbAN4yFVKYW1YBNaswB6cjQDuUI +VBLqQwtZicNWHxPCLF0bldJFbNiiR3w6cm08e4C+YKHtEH4FRsLDxzWYF1n7nd0t +Yez7BozXwafD2HDgx86bJOnVhSkn2fAHPKUGLErHLvpFg7aLvIOPtWPJ+9YeGeDa +B8SrQB7YLu9EpkUmwGUCB5zZremoX8vC3+2N8RR2HLQ0dq1VPaBJrJkinGP8j/W5 +bxi/eADCIt09cD6WEinFdE6M3LBSb1K8aKdnGxpQ8A3bs+XoBy6MTXCmdtnsa07y +whUEcWvu/npxgNAsZoW3LW2DPn0B8Ym/DW1K4GrtYVhZZGo7/mvazr2+LPo1xhUZ +x5iT4m+4COk0QwEb8rXVMIQAvlObdk8vR7AzPmetLiRrC1Ht2RQ5NCPGLoAUC/9t +Lw0X34MJ9xU1tSY7bWJzTa7RCaAjo36amnINsupw83PxOnFreshnIMvCULG9u99Y +lmF3XiyARjCbzYsJTGChldtQZ1tA4A+4aKO71HM/Ajo8CGBnB3q2W/88ORclOfpe +WJ0ubUUHp/63l6uZPg4hESdSS2ID6PY9WbrS91rNBSEr8ZOrra5VWbEif2fN+mDC +sy61OGEXvgNmGK06ygr8o8T32DLc+dh/ST6BMTpUo7PXKcA4/qg= +=gI+p +-----END PGP SIGNATURE----- diff --git a/expat.changes b/expat.changes index f05e199..bbf4e3f 100644 --- a/expat.changes +++ b/expat.changes @@ -1,3 +1,55 @@ +------------------------------------------------------------------- +Sun Feb 20 19:48:53 UTC 2022 - David Anes + +- update to 2.4.6 (bsc#1196168, CVE-2022-25313): + * Bug fixes: + - Fix a regression introduced by the fix for CVE-2022-25313 + in release 2.4.5 that affects applications that (1) + call function XML_SetElementDeclHandler and (2) are + parsing XML that contains nested element declarations + (e.g. ""). + - Version info bumped from 9:5:8 to 9:6:8; + see https://verbump.de/ for what these numbers do. + +------------------------------------------------------------------- +Sat Feb 19 09:21:21 UTC 2022 - David Anes + +- update to 2.4.5 (bsc#1196171, bsc#1196169, bsc#1196168, + bsc#1196026, bsc#1196025): + * Security fixes: + - CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8 + sequences (e.g. from start tag names) to the XML + processing application on top of Expat can cause + arbitrary damage (e.g. code execution) depending + on how invalid UTF-8 is handled inside the XML + processor; validation was not their job but Expat's. + Exploits with code execution are known to exist. + - CVE-2022-25236 -- Passing (one or more) namespace separator + characters in "xmlns[:prefix]" attribute values + made Expat send malformed tag names to the XML + processor on top of Expat which can cause + arbitrary damage (e.g. code execution) depending + on such unexpectable cases are handled inside the XML + processor; validation was not their job but Expat's. + Exploits with code execution are known to exist. + - CVE-2022-25313 -- Fix stack exhaustion in doctype parsing + that could be triggered by e.g. a 2 megabytes + file with a large number of opening braces. + Expected impact is denial of service or potentially + arbitrary code execution. + - CVE-2022-25314 -- Fix integer overflow in function copyString; + only affects the encoding name parameter at parser creation + time which is often hardcoded (rather than user input), + takes a value in the gigabytes to trigger, and a 64-bit + machine. Expected impact is denial of service. + - CVE-2022-25315 -- Fix integer overflow in function storeRawNames; + needs input in the gigabytes and a 64-bit machine. + Expected impact is denial of service or potentially + arbitrary code execution. + * Other changes: + - Version info bumped from 9:4:8 to 9:5:8; + see https://verbump.de/ for what these numbers do + ------------------------------------------------------------------- Mon Jan 31 06:13:13 UTC 2022 - David Anes diff --git a/expat.spec b/expat.spec index fdd3a1e..159742e 100644 --- a/expat.spec +++ b/expat.spec @@ -16,9 +16,9 @@ # -%global unversion 2_4_4 +%global unversion 2_4_6 Name: expat -Version: 2.4.4 +Version: 2.4.6 Release: 0 Summary: XML Parser Toolkit License: MIT