diff options
author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2019-06-29 00:34:01 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2019-06-29 00:34:01 +0000 |
commit | ce1d59e0f39f9cc1c7946c1cef7d2be476c66396 (patch) | |
tree | 81e082f01760f5f871e7c494f1cb7ee210260365 /lib | |
parent | 523c30bc8f1287d4d1c5e52a83fbd83829c770a1 (diff) |
Update libexpat to 2.2.7. Relevant for OpenBSD is only the fix for
CVE-2018-20843, a potential denial-of-service in libexpat due to
high RAM and CPU usage.
OK deraadt@
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libexpat/Changes | 35 | ||||
-rw-r--r-- | lib/libexpat/Makefile | 4 | ||||
-rw-r--r-- | lib/libexpat/README.md | 3 | ||||
-rw-r--r-- | lib/libexpat/expat_config.h | 3 | ||||
-rw-r--r-- | lib/libexpat/lib/expat.h | 2 | ||||
-rw-r--r-- | lib/libexpat/lib/expat_external.h | 6 | ||||
-rw-r--r-- | lib/libexpat/lib/winconfig.h | 4 | ||||
-rw-r--r-- | lib/libexpat/lib/xmlparse.c | 26 | ||||
-rw-r--r-- | lib/libexpat/tests/runtests.c | 2 |
9 files changed, 56 insertions, 29 deletions
diff --git a/lib/libexpat/Changes b/lib/libexpat/Changes index b0ee42cd36c..a587e9ab7a0 100644 --- a/lib/libexpat/Changes +++ b/lib/libexpat/Changes @@ -2,6 +2,41 @@ NOTE: We are looking for help with a few things: https://github.com/libexpat/libexpat/labels/help%20wanted If you can help, please get in touch. Thanks! +Release 2.2.7 Wed June 19 2019 + Security fixes: + #186 #262 Fix extraction of namespace prefixes from XML names; + XML names with multiple colons could end up in the + wrong namespace, and take a high amount of RAM and CPU + resources while processing, opening the door to + use for denial-of-service attacks + + Other changes: + #195 #197 Autotools/CMake: Utilize -fvisibility=hidden to stop + exporting non-API symbols + #227 Autotools: Add --without-examples and --without-tests + #228 Autotools: Modernize configure.ac + #245 #246 Autotools: Fix check for -fvisibility=hidden for Clang + #247 #248 Autotools: Fix compilation for lack of docbook2x-man + #236 #258 Autotools: Produce .tar.{gz,lz,xz} release archives + #212 CMake: Make libdir of pkgconfig expat.pc support multilib + #158 #263 CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR + #219 Remove fallback to bcopy, assume that memmove(3) exists + #257 Use portable "/usr/bin/env bash" shebang (e.g. for OpenBSD) + #243 Windows: Fix syntax of .def module definition files + Version info bumped from 7:8:6 to 7:9:6 + + Special thanks to: + Benjamin Peterson + Caolán McNamara + Hanno Böck + KangLin + Kishore Kunche + Marco Maggi + Rhodri James + Sebastian Dröge + userwithuid + Yury Gribov + Release 2.2.6 Sun August 12 2018 Bug fixes: #170 #206 Avoid doing arithmetic with NULL pointers in XML_GetBuffer diff --git a/lib/libexpat/Makefile b/lib/libexpat/Makefile index a6e8a62e5a3..8bb75e7408c 100644 --- a/lib/libexpat/Makefile +++ b/lib/libexpat/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.14 2017/07/28 09:32:49 aoyama Exp $ +# $OpenBSD: Makefile,v 1.15 2019/06/29 00:33:59 bluhm Exp $ .PATH: ${.CURDIR}/lib @@ -8,7 +8,7 @@ LIB= expat SRCS= xmlparse.c xmltok.c xmlrole.c CFLAGS+=-I${.CURDIR} -DHAVE_EXPAT_CONFIG_H .if ${COMPILER_VERSION:L} != "gcc3" -CFLAGS+=-fvisibility=hidden +CFLAGS+=-fvisibility=hidden -DXML_ENABLE_VISIBILITY=1 .endif PC_FILES=expat.pc diff --git a/lib/libexpat/README.md b/lib/libexpat/README.md index 2c7e6ac4050..fd3911ebc68 100644 --- a/lib/libexpat/README.md +++ b/lib/libexpat/README.md @@ -1,8 +1,9 @@ [![Travis CI Build Status](https://travis-ci.org/libexpat/libexpat.svg?branch=master)](https://travis-ci.org/libexpat/libexpat) [![AppVeyor Build Status](https://ci.appveyor.com/api/projects/status/github/libexpat/libexpat?svg=true)](https://ci.appveyor.com/project/libexpat/libexpat) +[![Packaging status](https://repology.org/badge/tiny-repos/expat.svg)](https://repology.org/metapackage/expat/versions) -# Expat, Release 2.2.6 +# Expat, Release 2.2.7 This is Expat, a C library for parsing XML, started by [James Clark](https://en.wikipedia.org/wiki/James_Clark_(programmer)) in 1997. diff --git a/lib/libexpat/expat_config.h b/lib/libexpat/expat_config.h index 30b865c212f..ea1a6a0ec07 100644 --- a/lib/libexpat/expat_config.h +++ b/lib/libexpat/expat_config.h @@ -1,10 +1,9 @@ -/* $OpenBSD: expat_config.h,v 1.4 2017/08/04 16:24:03 bluhm Exp $ */ +/* $OpenBSD: expat_config.h,v 1.5 2019/06/29 00:33:59 bluhm Exp $ */ /* quick and dirty conf for OpenBSD */ #define HAVE_ARC4RANDOM 1 #define HAVE_ARC4RANDOM_BUF 1 -#define HAVE_MEMMOVE 1 #define XML_CONTEXT_BYTES 1024 #define XML_DTD 1 #define XML_NS 1 diff --git a/lib/libexpat/lib/expat.h b/lib/libexpat/lib/expat.h index 174c3fafda3..c050f1d918c 100644 --- a/lib/libexpat/lib/expat.h +++ b/lib/libexpat/lib/expat.h @@ -1076,7 +1076,7 @@ XML_GetFeatureList(void); */ #define XML_MAJOR_VERSION 2 #define XML_MINOR_VERSION 2 -#define XML_MICRO_VERSION 6 +#define XML_MICRO_VERSION 7 #ifdef __cplusplus } diff --git a/lib/libexpat/lib/expat_external.h b/lib/libexpat/lib/expat_external.h index 629483a91b2..875225d77e5 100644 --- a/lib/libexpat/lib/expat_external.h +++ b/lib/libexpat/lib/expat_external.h @@ -93,7 +93,11 @@ # endif #endif /* not defined XML_STATIC */ -#if !defined(XMLIMPORT) && defined(__GNUC__) && (__GNUC__ >= 4) +#ifndef XML_ENABLE_VISIBILITY +# define XML_ENABLE_VISIBILITY 0 +#endif + +#if !defined(XMLIMPORT) && XML_ENABLE_VISIBILITY # define XMLIMPORT __attribute__ ((visibility ("default"))) #endif diff --git a/lib/libexpat/lib/winconfig.h b/lib/libexpat/lib/winconfig.h index 17fea468900..28a043c6044 100644 --- a/lib/libexpat/lib/winconfig.h +++ b/lib/libexpat/lib/winconfig.h @@ -53,10 +53,6 @@ /* we will assume all Windows platforms are little endian */ #define BYTEORDER 1234 -/* Windows has memmove() available. */ -#define HAVE_MEMMOVE - - #endif /* !defined(HAVE_EXPAT_CONFIG_H) */ diff --git a/lib/libexpat/lib/xmlparse.c b/lib/libexpat/lib/xmlparse.c index 20a9e635003..4191824cd34 100644 --- a/lib/libexpat/lib/xmlparse.c +++ b/lib/libexpat/lib/xmlparse.c @@ -1,4 +1,4 @@ -/* 19ac4776051591216f1874e34ee99b6a43a3784c8bd7d70efeb9258dd22b906a (2.2.6+) +/* 69df5be70289a11fb834869ce4a91c23c1d9dd04baffcbd10e86742d149a080c (2.2.7+) __ __ _ ___\ \/ /_ __ __ _| |_ / _ \\ /| '_ \ / _` | __| @@ -116,15 +116,6 @@ typedef char ICHAR; /* Do safe (NULL-aware) pointer arithmetic */ #define EXPAT_SAFE_PTR_DIFF(p, q) (((p) && (q)) ? ((p) - (q)) : 0) -/* Handle the case where memmove() doesn't exist. */ -#ifndef HAVE_MEMMOVE -#ifdef HAVE_BCOPY -#define memmove(d,s,l) bcopy((s),(d),(l)) -#else -#error memmove does not exist on this platform, nor is a substitute available -#endif /* HAVE_BCOPY */ -#endif /* HAVE_MEMMOVE */ - #include "internal.h" #include "xmltok.h" #include "xmlrole.h" @@ -627,6 +618,7 @@ static const XML_Char implicitContext[] = { ASCII_s, ASCII_p, ASCII_a, ASCII_c, ASCII_e, '\0' }; + static unsigned long generate_hash_secret_salt(XML_Parser parser) { @@ -2771,7 +2763,7 @@ doContent(XML_Parser parser, enum XML_Error result; if (parser->m_startCdataSectionHandler) parser->m_startCdataSectionHandler(parser->m_handlerArg); -#if 0 +/* BEGIN disabled code */ /* Suppose you doing a transformation on a document that involves changing only the character data. You set up a defaultHandler and a characterDataHandler. The defaultHandler simply copies @@ -2784,9 +2776,9 @@ doContent(XML_Parser parser, However, now we have a start/endCdataSectionHandler, so it seems easier to let the user deal with this. */ - else if (parser->m_characterDataHandler) + else if (0 && parser->m_characterDataHandler) parser->m_characterDataHandler(parser->m_handlerArg, parser->m_dataBuf, 0); -#endif +/* END disabled code */ else if (parser->m_defaultHandler) reportDefault(parser, enc, s, next); result = doCdataSection(parser, enc, &next, end, nextPtr, haveMore); @@ -3483,11 +3475,11 @@ doCdataSection(XML_Parser parser, case XML_TOK_CDATA_SECT_CLOSE: if (parser->m_endCdataSectionHandler) parser->m_endCdataSectionHandler(parser->m_handlerArg); -#if 0 +/* BEGIN disabled code */ /* see comment under XML_TOK_CDATA_SECT_OPEN */ - else if (parser->m_characterDataHandler) + else if (0 && parser->m_characterDataHandler) parser->m_characterDataHandler(parser->m_handlerArg, parser->m_dataBuf, 0); -#endif +/* END disabled code */ else if (parser->m_defaultHandler) reportDefault(parser, enc, s, next); *startPtr = next; @@ -5832,7 +5824,7 @@ setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *elementType) else poolDiscard(&dtd->pool); elementType->prefix = prefix; - + break; } } return 1; diff --git a/lib/libexpat/tests/runtests.c b/lib/libexpat/tests/runtests.c index 4f4d2687f11..ccad50f4ea2 100644 --- a/lib/libexpat/tests/runtests.c +++ b/lib/libexpat/tests/runtests.c @@ -8062,7 +8062,7 @@ START_TEST(test_misc_version) fail("Version mismatch"); #if ! defined(XML_UNICODE) || defined(XML_UNICODE_WCHAR_T) - if (xcstrcmp(version_text, XCS("expat_2.2.6"))) /* needs bump on releases */ + if (xcstrcmp(version_text, XCS("expat_2.2.7"))) /* needs bump on releases */ fail("XML_*_VERSION in expat.h out of sync?\n"); #else /* If we have XML_UNICODE defined but not XML_UNICODE_WCHAR_T |