diff options
author | arcadia-devtools <arcadia-devtools@yandex-team.ru> | 2022-02-21 13:09:08 +0300 |
---|---|---|
committer | arcadia-devtools <arcadia-devtools@yandex-team.ru> | 2022-02-21 13:09:08 +0300 |
commit | b99d6e954b74694820a0964402003eb9f14da4de (patch) | |
tree | 8814902312bae587822187234b721ef2d9675cf9 /contrib/libs/expat | |
parent | 96a6a371c53651ccfd7dfdc87fe354cf23de9b5c (diff) | |
download | ydb-b99d6e954b74694820a0964402003eb9f14da4de.tar.gz |
intermediate changes
ref:ff022ac951849edb1ef2cc274bf6c1c6863144a1
Diffstat (limited to 'contrib/libs/expat')
-rw-r--r-- | contrib/libs/expat/Changes | 1064 |
1 files changed, 1064 insertions, 0 deletions
diff --git a/contrib/libs/expat/Changes b/contrib/libs/expat/Changes new file mode 100644 index 0000000000..9c1b5c7bc2 --- /dev/null +++ b/contrib/libs/expat/Changes @@ -0,0 +1,1064 @@ +NOTE: We are looking for help with a few things: + https://github.com/libexpat/libexpat/labels/help%20wanted + If you can help, please get in touch. Thanks! + +Release 2.4.4 Sun January 30 2022 + Security fixes: + #550 CVE-2022-23852 -- Fix signed integer overflow + (undefined behavior) in function XML_GetBuffer + (that is also called by function XML_Parse internally) + for when XML_CONTEXT_BYTES is defined to >0 (which is both + common and default). + Impact is denial of service or more. + #551 CVE-2022-23990 -- Fix unsigned integer overflow in function + doProlog triggered by large content in element type + declarations when there is an element declaration handler + present (from a prior call to XML_SetElementDeclHandler). + Impact is denial of service or more. + + Bug fixes: + #544 #545 xmlwf: Fix a memory leak on output file opening error + + Other changes: + #546 Autotools: Fix broken CMake support under Cygwin + #554 Windows: Add missing files to the installer to fix + compilation with CMake from installed sources + #552 #554 Version info bumped from 9:3:8 to 9:4:8; + see https://verbump.de/ for what these numbers do + + Special thanks to: + Carlo Bramini + hwt0415 + Roland Illig + Samanta Navarro + and + Clang LeakSan and the Clang team + +Release 2.4.3 Sun January 16 2022 + Security fixes: + #531 #534 CVE-2021-45960 -- Fix issues with left shifts by >=29 places + resulting in + a) realloc acting as free + b) realloc allocating too few bytes + c) undefined behavior + depending on architecture and precise value + for XML documents with >=2^27+1 prefixed attributes + on a single XML tag a la + "<r xmlns:a='[..]' a:a123='[..]' [..] />" + where XML_ParserCreateNS is used to create the parser + (which needs argument "-n" when running xmlwf). + Impact is denial of service, or more. + #532 #538 CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow + on variable m_groupSize in function doProlog leading + to realloc acting as free. + Impact is denial of service or more. + #539 CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows + near memory allocation at multiple places. Mitre assigned + a dedicated CVE for each involved internal C function: + - CVE-2022-22822 for function addBinding + - CVE-2022-22823 for function build_model + - CVE-2022-22824 for function defineAttribute + - CVE-2022-22825 for function lookup + - CVE-2022-22826 for function nextScaffoldPart + - CVE-2022-22827 for function storeAtts + Impact is denial of service or more. + + Other changes: + #535 CMake: Make call to file(GENERATE [..]) work for CMake <3.19 + #541 Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin + and MSYS2 by not going through Wine on these platforms + #527 #528 Address compiler warnings + #533 #543 Version info bumped from 9:2:8 to 9:3:8; + see https://verbump.de/ for what these numbers do + + Infrastructure: + #536 CI: Check for realistic minimum CMake version + #529 #539 CI: Cover compilation with -m32 + #529 CI: Store coverage reports as artifacts for download + #528 CI: Upgrade Clang from 11 to 13 + + Special thanks to: + An anonymous whitehat + Christopher Degawa + J. Peter Mugaas + Tyson Smith + and + GCC Farm Project + Trend Micro Zero Day Initiative + +Release 2.4.2 Sun December 19 2021 + Other changes: + #509 #510 Link againgst libm for function "isnan" + #513 #514 Include expat_config.h as early as possible + #498 Autotools: Include files with release archives: + - buildconf.sh + - fuzz/*.c + #507 #519 Autotools: Sync CMake templates + #495 #524 CMake: MinGW: Fix pkg-config section "Libs" for + - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug) + - multi-config CMake generators (e.g. Ninja Multi-Config) + #502 #503 docs: Document that function XML_GetBuffer may return NULL + when asking for a buffer of 0 (zero) bytes size + #522 #523 docs: Fix return value docs for both + XML_SetBillionLaughsAttackProtection* functions + #525 #526 Version info bumped from 9:1:8 to 9:2:8; + see https://verbump.de/ for what these numbers do + + Special thanks to: + Dong-hee Na + Joergen Ibsen + Kai Pastor + +Release 2.4.1 Sun May 23 2021 + Bug fixes: + #488 #490 Autotools: Fix installed header expat_config.h for multilib + systems; regression introduced in 2.4.0 by pull request #486 + + Other changes: + #491 #492 Version info bumped from 9:0:8 to 9:1:8; + see https://verbump.de/ for what these numbers do + + Special thanks to: + Gentoo's QA check "multilib_check_headers" + +Release 2.4.0 Sun May 23 2021 + Security fixes: + #34 #466 #484 CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks + (denial-of-service; flavors targeting CPU time or RAM or both, + leveraging general entities or parameter entities or both) + by tracking and limiting the input amplification factor + (<amplification> := (<direct> + <indirect>) / <direct>). + By conservative default, amplification up to a factor of 100.0 + is tolerated and rejection only starts after 8 MiB of output bytes + (=<direct> + <indirect>) have been processed. + The fix adds the following to the API: + - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to + signals this specific condition. + - Two new API functions .. + - XML_SetBillionLaughsAttackProtectionMaximumAmplification and + - XML_SetBillionLaughsAttackProtectionActivationThreshold + .. to further tighten billion laughs protection parameters + when desired. Please see file "doc/reference.html" for details. + If you ever need to increase the defaults for non-attack XML + payload, please file a bug report with libexpat. + - Two new XML_FEATURE_* constants .. + - that can be queried using the XML_GetFeatureList function, and + - that are shown in "xmlwf -v" output. + - Two new environment variable switches .. + - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and + - EXPAT_ENTITY_DEBUG=(0|1) + .. for runtime debugging of accounting and entity processing. + Specific behavior of these values may change in the future. + - Two new command line arguments "-a FACTOR" and "-b BYTES" + for xmlwf to further tighten billion laughs protection + parameters when desired. + If you ever need to increase the defaults for non-attack XML + payload, please file a bug report with libexpat. + + Bug fixes: + #332 #470 For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake) + or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault + for UTF-16 payloads containing CDATA sections. + #485 #486 Autotools: Fix generated CMake files for non-64bit and + non-Linux platforms (e.g. macOS and MinGW in particular) + that were introduced with release 2.3.0 + + Other changes: + #468 #469 xmlwf: Improve help output and the xmlwf man page + #463 xmlwf: Improve maintainability through some refactoring + #477 xmlwf: Fix man page DocBook validity + #458 #459 CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR + and CMAKE_INSTALL_INCLUDEDIR + #471 #481 CMake: Add support for standard variable BUILD_SHARED_LIBS + #457 Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters + #467 Resolve macro HAVE_EXPAT_CONFIG_H + #472 Delete unused legacy helper file "conftools/PrintPath" + #473 #483 Improve attribution + #464 #465 #477 doc/reference.html: Fix XHTML validity + #475 #478 doc/reference.html: Replace the 90s look by OK.css + #479 Version info bumped from 8:0:7 to 9:0:8 + due to addition of new symbols and error codes; + see https://verbump.de/ for what these numbers do + + Infrastructure: + #456 CI: Enable periodic runs + #457 CI: Start covering the list of exported symbols + #474 CI: Isolate coverage task + #476 #482 CI: Adapt to breaking changes in image "ubuntu-18.04" + #477 CI: Cover well-formedness and DocBook/XHTML validity + of doc/reference.html and doc/xmlwf.xml + + Special thanks to: + Dimitry Andric + Eero Helenius + Nick Wellnhofer + Rhodri James + Tomas Korbar + Yury Gribov + and + Clang LeakSan + JetBrains + OSS-Fuzz + +Release 2.3.0 Thu March 25 2021 + Bug fixes: + #438 When calling XML_ParseBuffer without a prior successful call to + XML_GetBuffer as a user, no longer trigger undefined behavior + (by adding an integer to a NULL pointer) but rather return + XML_STATUS_ERROR and set the error code to (new) code + XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer) + of Clang 11 (but not Clang 9). + #444 xmlwf: Exit status 2 was used for both: + - malformed input files (documented) and + - invalid command-line arguments (undocumented). + The case of invalid command-line arguments now + has its own exit status 4, resolving the ambiguity. + + Other changes: + #439 xmlwf: Add argument -k to allow continuing after + non-fatal errors + #439 xmlwf: Add section about exit status to the -h help output + #422 #426 #447 Windows: Drop support for Visual Studio <=14.0/2015 + #434 Windows: CMake: Detect unsupported Visual Studio at + configure time (rather than at compile time) + #382 #428 testrunner: Make verbose mode (argument "-v") report + about passed tests, and make default mode report about + failures, as well. + #442 CMake: Call "enable_language(CXX)" prior to tinkering + with CMAKE_CXX_* variables + #448 Document use of libexpat from a CMake-based project + #451 Autotools: Install CMake files as generated by CMake 3.19.6 + so that users with "find_package(expat [..] CONFIG [..])" + are served on distributions that are *not* using the CMake + build system inside for libexpat packaging + #436 #437 Autotools: Drop obsolescent macro AC_HEADER_STDC + #450 #452 Autotools: Resolve use of obsolete macro AC_CONFIG_HEADER + #441 Address compiler warnings + #443 Version info bumped from 7:12:6 to 8:0:7 + due to addition of error code XML_ERROR_NO_BUFFER + (see https://verbump.de/ for what these numbers do) + + Infrastructure: + #435 #446 Replace Travis CI by GitHub Actions + + Special thanks to: + Alexander Richardson + Oleksandr Popovych + Thomas Beutlich + Tim Bray + and + Clang LeakSan, Clang 11 UBSan and the Clang team + +Release 2.2.10 Sat October 3 2020 + Bug fixes: + #390 #395 #398 Fix undefined behavior during parsing caused by + pointer arithmetic with NULL pointers + #404 #405 Fix reading uninitialized variable during parsing + #406 xmlwf: Add missing check for malloc NULL return + + Other changes: + #396 Windows: Drop support for Visual Studio <=8.0/2005 + #409 Windows: Add missing file "Changes" to the installer + to fix compilation with CMake from installed sources + #403 xmlwf: Document exit codes in xmlwf manpage and + exit with code 3 (rather than code 1) for output errors + when used with "-d DIRECTORY" + #356 #359 MinGW: Provide declaration of rand_s for mingwrt <5.3.0 + #383 #392 Autotools: Use -Werror while configure tests the compiler + for supported compile flags to avoid false positives + #383 #393 #394 Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS, + e.g. ensure that they have the last word over flags added + while running ./configure + #360 CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis + on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t) + #360 CMake: Detect and deny unsupported build combinations + involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t) + #360 CMake: Install pre-compiled shipped xmlwf.1 manpage in case + of -DEXPAT_BUILD_DOCS=OFF + #375 #380 #419 CMake: Fix use of Expat by means of add_subdirectory + #407 #408 CMake: Keep expat target name constant at "expat" + (i.e. refrain from using the target name to control + build artifact filenames) + #385 CMake: Fix compilation with -DEXPAT_SHARED_LIBS=OFF for + Windows + CMake: Expose man page compilation as target "xmlwf-manpage" + #413 #414 CMake: Introduce option EXPAT_BUILD_PKGCONFIG + to control generation of pkg-config file "expat.pc" + #424 CMake: Add minimalistic support for building binary packages + with CMake target "package"; based on CPack + #366 CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with + default OFF to build fuzzer code against OSS-Fuzz and + related environment variable LIB_FUZZING_ENGINE + #354 Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF, each + #354 #355 .. + #356 #412 Address compiler warnings + #368 #369 Address pngcheck warnings with doc/*.png images + #425 Version info bumped from 7:11:6 to 7:12:6 + + Special thanks to: + asavah + Ben Wagner + Bhargava Shastry + Frank Landgraf + Jeffrey Walton + Joe Orton + Kleber Tarcísio + Ma Lin + Maciej Sroczyński + Mohammed Khajapasha + Vadim Zeitlin + and + Cppcheck 2.0 and the Cppcheck team + +Release 2.2.9 Wed September 25 2019 + Other changes: + examples: Drop executable bits from elements.c + #349 Windows: Change the name of the Windows DLLs from expat*.dll + to libexpat*.dll once more (regression from 2.2.8, first + fixed in 1.95.3, issue #61 on SourceForge today, + was issue #432456 back then); needs a fix due + case-insensitive file systems on Windows and the fact that + Perl's XML::Parser::Expat compiles into Expat.dll. + #347 Windows: Only define _CRT_RAND_S if not defined + Version info bumped from 7:10:6 to 7:11:6 + + Special thanks to: + Ben Wagner + +Release 2.2.8 Fri September 13 2019 + Security fixes: + #317 #318 CVE-2019-15903 -- Fix heap overflow triggered by + XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber), + and deny internal entities closing the doctype; + fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43 + + Bug fixes: + #240 Fix cases where XML_StopParser did not have any effect + when called from inside of an end element handler + #341 xmlwf: Fix exit code for operation without "-d DIRECTORY"; + previously, only "-d DIRECTORY" would give you a proper + exit code: + # xmlwf -d . <<<'<not well-formed>' 2>/dev/null ; echo $? + 2 + # xmlwf <<<'<not well-formed>' 2>/dev/null ; echo $? + 0 + Now both cases return exit code 2. + + Other changes: + #299 #302 Windows: Replace LoadLibrary hack to access + unofficial API function SystemFunction036 (RtlGenRandom) + by using official API function rand_s (needs WinXP+) + #325 Windows: Drop support for Visual Studio <=7.1/2003 + and document supported compilers in README.md + #286 Windows: Remove COM code from xmlwf; in case it turns + out needed later, there will be a dedicated repository + below https://github.com/libexpat/ for that code + #322 Windows: Remove explicit MSVC solution and project files. + You can generate Visual Studio solution files through + CMake, e.g.: cmake -G"Visual Studio 15 2017" . + #338 xmlwf: Make "xmlwf -h" help output more friendly + #339 examples: Improve elements.c + #244 #264 Autotools: Add argument --enable-xml-attr-info + #239 #301 Autotools: Add arguments + --with-getrandom + --without-getrandom + --with-sys-getrandom + --without-sys-getrandom + #312 #343 Autotools: Fix linking issues with "./configure LD=clang" + Autotools: Fix "make run-xmltest" for out-of-source builds + #329 #336 CMake: Pull all options from Expat <=2.2.7 into namespace + prefix EXPAT_ with the exception of DOCBOOK_TO_MAN: + - BUILD_doc -> EXPAT_BUILD_DOCS (plural) + - BUILD_examples -> EXPAT_BUILD_EXAMPLES + - BUILD_shared -> EXPAT_SHARED_LIBS + - BUILD_tests -> EXPAT_BUILD_TESTS + - BUILD_tools -> EXPAT_BUILD_TOOLS + - DOCBOOK_TO_MAN -> DOCBOOK_TO_MAN (unchanged) + - INSTALL -> EXPAT_ENABLE_INSTALL + - MSVC_USE_STATIC_CRT -> EXPAT_MSVC_STATIC_CRT + - USE_libbsd -> EXPAT_WITH_LIBBSD + - WARNINGS_AS_ERRORS -> EXPAT_WARNINGS_AS_ERRORS + - XML_CONTEXT_BYTES -> EXPAT_CONTEXT_BYTES + - XML_DEV_URANDOM -> EXPAT_DEV_URANDOM + - XML_DTD -> EXPAT_DTD + - XML_NS -> EXPAT_NS + - XML_UNICODE -> EXPAT_CHAR_TYPE=ushort (!) + - XML_UNICODE_WCHAR_T -> EXPAT_CHAR_TYPE=wchar_t (!) + #244 #264 CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF), + default OFF + #326 CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF), + default OFF + #328 CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF), + default OFF + #239 #277 CMake: Add arguments + -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO + -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO + #326 CMake: Install expat_config.h to include directory + #326 CMake: Generate and install configuration files for + future find_package(expat [..] CONFIG [..]) + CMake: Now produces a summary of applied configuration + CMake: Require C++ compiler only when tests are enabled + #330 CMake: Fix compilation for 16bit character types, + i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON) + #265 CMake: Fix linking with MinGW + #330 CMake: Add full support for MinGW; to enable, use + -DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake + #330 CMake: Port "make run-xmltest" from GNU Autotools to CMake + #316 CMake: Windows: Make binary postfix match MSVC + Old: expat[d].lib + New: expat[w][d][MD|MT].lib + CMake: Migrate files from Windows to Unix line endings + #308 CMake: Integrate OSS-Fuzz fuzzers, option + -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF + #14 Drop an OpenVMS support leftover + #235 #268 .. + #270 #310 .. + #313 #331 #333 Address compiler warnings + #282 #283 .. + #284 #285 Address cppcheck warnings + #294 #295 Address Clang Static Analyzer warnings + #24 #293 Mass-apply clang-format 9 (and ensure conformance during CI) + Version info bumped from 7:9:6 to 7:10:6 + + Special thanks to: + David Loffredo + Joonun Jang + Kishore Kunche + Marco Maggi + Mitch Phillips + Mohammed Khajapasha + Rolf Ade + xantares + Zhongyuan Zhou + +Release 2.2.7 Wed June 19 2019 + Security fixes: + #186 #262 CVE-2018-20843 -- Fix extraction of namespace prefixes from + XML names; XML names with multiple colons could end up in + the wrong namespace, and take a high amount of RAM and CPU + resources while processing, opening the door to + use for denial-of-service attacks + + Other changes: + #195 #197 Autotools/CMake: Utilize -fvisibility=hidden to stop + exporting non-API symbols + #227 Autotools: Add --without-examples and --without-tests + #228 Autotools: Modernize configure.ac + #245 #246 Autotools: Fix check for -fvisibility=hidden for Clang + #247 #248 Autotools: Fix compilation for lack of docbook2x-man + #236 #258 Autotools: Produce .tar.{gz,lz,xz} release archives + #212 CMake: Make libdir of pkgconfig expat.pc support multilib + #158 #263 CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR + #219 Remove fallback to bcopy, assume that memmove(3) exists + #257 Use portable "/usr/bin/env bash" shebang (e.g. for OpenBSD) + #243 Windows: Fix syntax of .def module definition files + Version info bumped from 7:8:6 to 7:9:6 + + Special thanks to: + Benjamin Peterson + Caolán McNamara + Hanno Böck + KangLin + Kishore Kunche + Marco Maggi + Rhodri James + Sebastian Dröge + userwithuid + Yury Gribov + +Release 2.2.6 Sun August 12 2018 + Bug fixes: + #170 #206 Avoid doing arithmetic with NULL pointers in XML_GetBuffer + #204 #205 Fix 2.2.5 regression with suspend-resume while parsing + a document like '<root/>' + + Other changes: + #165 #168 Autotools: Fix docbook-related configure syntax error + #166 Autotools: Avoid grep option `-q` for Solaris + #167 Autotools: Support + ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation" + #159 #167 Autotools: Support DOCBOOK_TO_MAN command which produces + xmlwf.1 rather than XMLWF.1; also covers case insensitive + file systems + #181 Autotools: Drop -rpath option passed to libtool + #188 Autotools: Detect and deny SGML docbook2man as ours is XML + #188 Autotools/CMake: Support command db2x_docbook2man as well + #174 CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF + #184 #185 CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF + #207 #208 CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T, + both defaulting to OFF + #175 CMake: Prefer check_symbol_exists over check_function_exists + #176 CMake: Create the same pkg-config file as with GNU Autotools + #178 #179 CMake: Use GNUInstallDirs module to set proper defaults for + install directories + #208 CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM + #180 Windows: Fix compilation of test suite for Visual Studio 2008 + #131 #173 #202 Address compiler warnings + #187 #190 #200 Fix miscellaneous typos + Version info bumped from 7:7:6 to 7:8:6 + + Special thanks to: + Anton Maklakov + Benjamin Peterson + Brad King + Franek Korta + Frank Rast + Joe Orton + luzpaz + Pedro Vicente + Rainer Jung + Rhodri James + Rolf Ade + Rolf Eike Beer + Thomas Beutlich + Tomasz Kłoczko + +Release 2.2.5 Tue October 31 2017 + Bug fixes: + #8 If the parser runs out of memory, make sure its internal + state reflects the memory it actually has, not the memory + it wanted to have. + #11 The default handler wasn't being called when it should for + a SYSTEM or PUBLIC doctype if an entity declaration handler + was registered. + #137 #138 Fix a case of mistakenly reported parsing success where + XML_StopParser was called from an element handler + #162 Function XML_ErrorString was returning NULL rather than + a message for code XML_ERROR_INVALID_ARGUMENT + introduced with release 2.2.1 + + Other changes: + #106 xmlwf: Add argument -N adding notation declarations + #75 #106 Test suite: Resolve expected failure cases where xmlwf + output was incomplete + #127 Windows: Fix test suite compilation + #126 #127 Windows: Fix compilation for Visual Studio 2012 + Windows: Upgrade shipped project files to Visual Studio 2017 + #33 #132 tests: Mass-fix compilation for XML_UNICODE_WCHAR_T + #129 examples: Fix compilation for XML_UNICODE_WCHAR_T + #130 benchmark: Fix compilation for XML_UNICODE_WCHAR_T + #144 xmlwf: Fix compilation for XML_UNICODE_WCHAR_T; still needs + Windows or MinGW for 2-byte wchar_t + #9 Address two Clang Static Analyzer false positives + #59 Resolve troublesome macros hiding parser struct membership + and dereferencing that pointer + #6 Resolve superfluous internal malloc/realloc switch + #153 #155 Improve docbook2x-man detection + #160 Undefine NDEBUG in the test suite (rather than rejecting it) + #161 Address compiler warnings + Version info bumped from 7:6:6 to 7:7:6 + + Special thanks to: + Benbuck Nason + Hans Wennborg + José Gutiérrez de la Concha + Pedro Monreal Gonzalez + Rhodri James + Rolf Ade + Stephen Groat + and + Core Infrastructure Initiative + +Release 2.2.4 Sat August 19 2017 + Bug fixes: + #115 Fix copying of partial characters for UTF-8 input + + Other changes: + #109 Fix "make check" for non-x86 architectures that default + to unsigned type char (-128..127 rather than 0..255) + #109 coverage.sh: Cover -funsigned-char + Autotools: Introduce --without-xmlwf argument + #65 Autotools: Replace handwritten Makefile with GNU Automake + #43 CMake: Auto-detect high quality entropy extractors, add new + option USE_libbsd=ON to use arc4random_buf of libbsd + #74 CMake: Add -fno-strict-aliasing only where supported + #114 CMake: Always honor manually set BUILD_* options + #114 CMake: Compile man page if docbook2x-man is available, only + #117 Include file tests/xmltest.log.expected in source tarball + (required for "make run-xmltest") + #117 Include (existing) Visual Studio 2013 files in source tarball + Improve test suite error output + #111 Fix some typos in documentation + Version info bumped from 7:5:6 to 7:6:6 + + Special thanks to: + Jakub Wilk + Joe Orton + Lin Tian + Rolf Eike Beer + +Release 2.2.3 Wed August 2 2017 + Security fixes: + #82 CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability + using Steve Holme's LoadLibrary wrapper for/of cURL + + Bug fixes: + #85 Fix a dangling pointer issue related to realloc + + Other changes: + Increase code coverage + #91 Linux: Allow getrandom to fail if nonblocking pool has not + yet been initialized and read /dev/urandom then, instead. + This is in line with what recent Python does. + #81 Pre-10.7/Lion macOS: Support entropy from arc4random + #86 Check that a UTF-16 encoding in an XML declaration has the + right endianness + #4 #5 #7 Recover correctly when some reallocations fail + Repair "./configure && make" for systems without any + provider of high quality entropy + and try reading /dev/urandom on those + Ensure that user-defined character encodings have converter + functions when they are needed + Fix mis-leading description of argument -c in xmlwf.1 + Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__) + for CloudABI + #100 Fix use of SIPHASH_MAIN in siphash.h + #23 Test suite: Fix memory leaks + Version info bumped from 7:4:6 to 7:5:6 + + Special thanks to: + Chanho Park + Joe Orton + Pascal Cuoq + Rhodri James + Simon McVittie + Vadim Zeitlin + Viktor Szakats + and + Core Infrastructure Initiative + +Release 2.2.2 Wed July 12 2017 + Security fixes: + #43 Protect against compilation without any source of high + quality entropy enabled, e.g. with CMake build system; + commit ff0207e6076e9828e536b8d9cd45c9c92069b895 + #60 Windows with _UNICODE: + Unintended use of LoadLibraryW with a non-wide string + resulted in failure to load advapi32.dll and degradation + in quality of used entropy when compiled with _UNICODE for + Windows; you can launch existing binaries with + EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the + quality of entropy used during runtime; commits + * 95b95032f907ef1cd17ee7a9a1768010a825d61d + * 73a5a2e9c081f49f2d775cf7ced864158b68dc80 + [MOX-006] Fix non-NULL parser parameter validation in XML_Parse; + resulted in NULL dereference, previously; + commit ac256dafdffc9622ab0dc2c62fcecb0dfcfa71fe + + Bug fixes: + #69 Fix improper use of unsigned long long integer literals + + Other changes: + #73 Start requiring a C99 compiler + #49 Fix "==" Bashism in configure script + #50 Fix too eager getrandom detection for Debian GNU/kFreeBSD + #52 and macOS + #51 Address lack of stdint.h in Visual Studio 2003 to 2008 + #58 Address compile warnings + #68 Fix "./buildconf.sh && ./configure" for some versions + of Dash for /bin/sh + #72 CMake: Ease use of Expat in context of a parent project + with multiple CMakeLists.txt files + #72 CMake: Resolve mistaken executable permissions + #76 Address compile warning with -DNDEBUG (not recommended!) + #77 Address compile warning about macro redefinition + + Special thanks to: + Alexander Bluhm + Ben Boeckel + Cătălin Răceanu + Kerin Millar + László Böszörményi + S. P. Zeidler + Segev Finer + Václav Slavík + Victor Stinner + Viktor Szakats + and + Radically Open Security + +Release 2.2.1 Sat June 17 2017 + Security fixes: + CVE-2017-9233 -- External entity infinite loop DoS + Details: https://libexpat.github.io/doc/cve-2017-9233/ + Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f + [MOX-002] CVE-2016-9063 -- Detect integer overflow; commit + d4f735b88d9932bd5039df2335eefdd0723dbe20 + (Fixed version of existing downstream patches!) + (SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off + longer tag names; commits + * 896b6c1fd3b842f377d1b62135dccf0a579cf65d + * af507cef2c93cb8d40062a0abe43a4f4e9158fb2 + #16 * 0dbbf43fdb20f593ddf4fa1ff67288000dd4a7fd + #25 More integer overflow detection (function poolGrow); commits + * 810b74e4703dcfdd8f404e3cb177d44684775143 + * 44178553f3539ce69d34abee77a05e879a7982ac + [MOX-002] Detect overflow from len=INT_MAX call to XML_Parse; commits + * 4be2cb5afcc018d996f34bbbce6374b7befad47f + * 7e5b71b748491b6e459e5c9a1d090820f94544d8 + [MOX-005] #30 Use high quality entropy for hash initialization: + * arc4random_buf on BSD, systems with libbsd + (when configured with --with-libbsd), CloudABI + * RtlGenRandom on Windows XP / Server 2003 and later + * getrandom on Linux 3.17+ + In a way, that's still part of CVE-2016-5300. + https://github.com/libexpat/libexpat/pull/30/commits + [MOX-005] For the low quality entropy extraction fallback code, + the parser instance address can no longer leak, commit + 04ad658bd3079dd15cb60fc67087900f0ff4b083 + [MOX-003] Prevent use of uninitialised variable; commit + [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b + Add missing parameter validation to public API functions + and dedicated error code XML_ERROR_INVALID_ARGUMENT: + [MOX-006] * NULL checks; commits + * d37f74b2b7149a3a95a680c4c4cd2a451a51d60a (merge/many) + * 9ed727064b675b7180c98cb3d4f75efba6966681 + * 6a747c837c50114dfa413994e07c0ba477be4534 + * Negative length (XML_Parse); commit + [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f + [MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash + to go further with fixing CVE-2012-0876. + https://github.com/libexpat/libexpat/pull/39/commits + + Bug fixes: + #32 Fix sharing of hash salt across parsers; + relevant where XML_ExternalEntityParserCreate is called + prior to XML_Parse, in particular (e.g. FBReader) + #28 xmlwf: Auto-disable use of memory-mapping (and parsing + as a single chunk) for files larger than ~1 GB (2^30 bytes) + rather than failing with error "out of memory" + #3 Fix double free after malloc failure in DTD code; commit + 7ae9c3d3af433cd4defe95234eae7dc8ed15637f + #17 Fix memory leak on parser error for unbound XML attribute + prefix with new namespaces defined in the same tag; + found by Google's OSS-Fuzz; commits + * 16f87daae5a16132e479e4f71862128c7a915c73 + * b47dbc9745932c160893d433220e462bd605f8cd + xmlwf on Windows: Add missing calls to CloseHandle + + New features: + #30 Introduced environment switch EXPAT_ENTROPY_DEBUG=1 + for runtime debugging of entropy extraction + + Other changes: + Increase code coverage + #33 Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2; + XML_UNICODE_WCHAR_T was never meant to be used outside + of Windows; 4-byte wchar_t is common on Linux + (SF.net) #538 Start using -fno-strict-aliasing + (SF.net) #540 Support compilation against cloudlibc of CloudABI + Allow MinGW cross-compilation + (SF.net) #534 CMake: Introduce option "BUILD_doc" (enabled by default) + to bypass compilation of the xmlwf.1 man page + (SF.net) pr2 CMake: Introduce option "INSTALL" (enabled by default) + to bypass installation of expat files + CMake: Fix ninja support + Autotools: Add parameters --enable-xml-context [COUNT] + and --disable-xml-context; default of context of 1024 + bytes enabled unchanged + #14 Drop AmigaOS 4.x code and includes + #14 Drop ancient build systems: + * Borland C++ Builder + * OpenVMS + * Open Watcom + * Visual Studio 6.0 + * Pre-X Mac OS (MPW Makefile) + If you happen to rely on some of these, please get in + touch for joining with maintenance. + #10 Move from WIN32 to _WIN32 + #13 Fix "make run-xmltest" order instability + Address compile warnings + Bump version info from 7:2:6 to 7:3:6 + Add AUTHORS file + + Infrastructure: + #1 Migrate from SourceForge to GitHub (except downloads): + https://github.com/libexpat/ + #1 Re-create http://libexpat.org/ project website + Start utilizing Travis CI + + Special thanks to: + Andy Wang + Don Lewis + Ed Schouten + Karl Waclawek + Pascal Cuoq + Rhodri James + Sergei Nikulov + Tobias Taschner + Viktor Szakats + and + Core Infrastructure Initiative + Mozilla Foundation (MOSS Track 3: Secure Open Source) + Radically Open Security + +Release 2.2.0 Tue June 21 2016 + Security fixes: + #537 CVE-2016-0718 -- Fix crash on malformed input + CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 / + CVE-2015-2716 introduced with Expat 2.1.1 + #499 CVE-2016-5300 -- Use more entropy for hash initialization + than the original fix to CVE-2012-0876 + #519 CVE-2012-6702 -- Resolve troublesome internal call to srand + that was introduced with Expat 2.1.0 + when addressing CVE-2012-0876 (issue #496) + + Bug fixes: + Fix uninitialized reads of size 1 + (e.g. in little2_updatePosition) + Fix detection of UTF-8 character boundaries + + Other changes: + #532 Fix compilation for Visual Studio 2010 (keyword "C99") + Autotools: Resolve use of "$<" to better support bmake + Autotools: Add QA script "qa.sh" (and make target "qa") + Autotools: Respect CXXFLAGS if given + Autotools: Fix "make run-xmltest" + Autotools: Have "make run-xmltest" check for expected output + p90 CMake: Fix static build (BUILD_shared=OFF) on Windows + #536 CMake: Add soversion, support -DNO_SONAME=yes to bypass + #323 CMake: Add suffix "d" to differentiate debug from release + CMake: Define WIN32 with CMake on Windows + Annotate memory allocators for GCC + Address all currently known compile warnings + Make sure that API symbols remain visible despite + -fvisibility=hidden + Remove executable flag from source files + Resolve COMPILED_FROM_DSP in favor of WIN32 + + Special thanks to: + Björn Lindahl + Christian Heimes + Cristian Rodríguez + Daniel Krügler + Gustavo Grieco + Karl Waclawek + László Böszörményi + Marco Grassi + Pascal Cuoq + Sergei Nikulov + Thomas Beutlich + Warren Young + Yann Droneaud + +Release 2.1.1 Sat March 12 2016 + Security fixes: + #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer + + Bug fixes: + #502: Fix potential null pointer dereference + #520: Symbol XML_SetHashSalt was not exported + Output of "xmlwf -h" was incomplete + + Other changes: + #503: Document behavior of calling XML_SetHashSalt with salt 0 + Minor improvements to man page xmlwf(1) + Improvements to the experimental CMake build system + libtool now invoked with --verbose + +Release 2.1.0 Sat March 24 2012 + - Security fixes: + #2958794: CVE-2012-1148 - Memory leak in poolGrow. + #2895533: CVE-2012-1147 - Resource leak in readfilemap.c. + #3496608: CVE-2012-0876 - Hash DOS attack. + #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8(). + #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences. + - Bug Fixes: + #1742315: Harmful XML_ParserCreateNS suggestion. + #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3. + #1983953, 2517952, 2517962, 2649838: + Build modifications using autoreconf instead of buildconf.sh. + #2815947, #2884086: OBJEXT and EXEEXT support while building. + #2517938: xmlwf should return non-zero exit status if not well-formed. + #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml. + #2855609: Dangling positionPtr after error. + #2990652: CMake support. + #3010819: UNEXPECTED_STATE with a trailing "%" in entity value. + #3206497: Uninitialized memory returned from XML_Parse. + #3287849: make check fails on mingw-w64. + - Patches: + #1749198: pkg-config support. + #3010222: Fix for bug #3010819. + #3312568: CMake support. + #3446384: Report byte offsets for attr names and values. + - New Features / API changes: + Added new API member XML_SetHashSalt() that allows setting an initial + value (salt) for hash calculations. This is part of the fix for + bug #3496608 to randomize hash parameters. + When compiled with XML_ATTR_INFO defined, adds new API member + XML_GetAttributeInfo() that allows retrieving the byte + offsets for attribute names and values (patch #3446384). + Added CMake build system. + See bug #2990652 and patch #3312568. + Added run-benchmark target to Makefile.in - relies on testdata module + present in the same relative location as in the repository. + +Release 2.0.1 Tue June 5 2007 + - Fixed bugs #1515266, #1515600: The character data handler's calling + of XML_StopParser() was not handled properly; if the parser was + stopped and the handler set to NULL, the parser would segfault. + - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed + some character constants to be ASCII encoded. + - Minor cleanups of the test harness. + - Fixed xmlwf bug #1513566: "out of memory" error on file size zero. + - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call. + - Fixes and improvements for Windows platform: + bugs #1409451, #1476160, #1548182, #1602769, #1717322. + - Build fixes for various platforms: + HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180. + All Unix: #1554618 (refreshed config.sub/config.guess). + #1490371, #1613457: support both, DESTDIR and INSTALL_ROOT, + without relying on GNU-Make specific features. + #1647805: Patched configure.in to work better with Intel compiler. + - Fixes to Makefile.in to have make check work correctly: + bugs #1408143, #1535603, #1536684. + - Added Open Watcom support: patch #1523242. + +Release 2.0.0 Wed Jan 11 2006 + - We no longer use the "check" library for C unit testing; we + always use the (partial) internal implementation of the API. + - Report XML_NS setting via XML_GetFeatureList(). + - Fixed headers for use from C++. + - XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber() + now return unsigned integers. + - Added XML_LARGE_SIZE switch to enable 64-bit integers for + byte indexes and line/column numbers. + - Updated to use libtool 1.5.22 (the most recent). + - Added support for AmigaOS. + - Some mostly minor bug fixes. SF issues include: #1006708, + #1021776, #1023646, #1114960, #1156398, #1221160, #1271642. + +Release 1.95.8 Fri Jul 23 2004 + - Major new feature: suspend/resume. Handlers can now request + that a parse be suspended for later resumption or aborted + altogether. See "Temporarily Stopping Parsing" in the + documentation for more details. + - Some mostly minor bug fixes, but compilation should no + longer generate warnings on most platforms. SF issues + include: #827319, #840173, #846309, #888329, #896188, #923913, + #928113, #961698, #985192. + +Release 1.95.7 Mon Oct 20 2003 + - Fixed enum XML_Status issue (reported on SourceForge many + times), so compilers that are properly picky will be happy. + - Introduced an XMLCALL macro to control the calling + convention used by the Expat API; this macro should be used + to annotate prototypes and definitions of callback + implementations in code compiled with a calling convention + other than the default convention for the host platform. + - Improved ability to build without the configure-generated + expat_config.h header. This is useful for applications + which embed Expat rather than linking in the library. + - Fixed a variety of bugs: see SF issues #458907, #609603, + #676844, #679754, #692878, #692964, #695401, #699323, #699487, + #820946. + - Improved hash table lookups. + - Added more regression tests and improved documentation. + +Release 1.95.6 Tue Jan 28 2003 + - Added XML_FreeContentModel(). + - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree(). + - Fixed a variety of bugs: see SF issues #615606, #616863, + #618199, #653180, #673791. + - Enhanced the regression test suite. + - Man page improvements: includes SF issue #632146. + +Release 1.95.5 Fri Sep 6 2002 + - Added XML_UseForeignDTD() for improved SAX2 support. + - Added XML_GetFeatureList(). + - Defined XML_Bool type and the values XML_TRUE and XML_FALSE. + - Use an incomplete struct instead of a void* for the parser + (may not retain). + - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected. + - Finally fixed bug where default handler would report DTD + events that were already handled by another handler. + Initial patch contributed by Darryl Miles. + - Removed unnecessary DllMain() function that caused static + linking into a DLL to be difficult. + - Added VC++ projects for building static libraries. + - Reduced line-length for all source code and headers to be + no longer than 80 characters, to help with AS/400 support. + - Reduced memory copying during parsing (SF patch #600964). + - Fixed a variety of bugs: see SF issues #580793, #434664, + #483514, #580503, #581069, #584041, #584183, #584832, #585537, + #596555, #596678, #598352, #598944, #599715, #600479, #600971. + +Release 1.95.4 Fri Jul 12 2002 + - Added support for VMS, contributed by Craig Berry. See + vms/README.vms for more information. + - Added Mac OS (classic) support, with a makefile for MPW, + contributed by Thomas Wegner and Daryle Walker. + - Added Borland C++ Builder 5 / BCC 5.5 support, contributed + by Patrick McConnell (SF patch #538032). + - Fixed a variety of bugs: see SF issues #441449, #563184, + #564342, #566334, #566901, #569461, #570263, #575168, #579196. + - Made skippedEntityHandler conform to SAX2 (see source comment) + - Re-implemented WFC: Entity Declared from XML 1.0 spec and + added a new error "entity declared in parameter entity": + see SF bug report #569461 and SF patch #578161 + - Re-implemented section 5.1 from XML 1.0 spec: + see SF bug report #570263 and SF patch #578161 + +Release 1.95.3 Mon Jun 3 2002 + - Added a project to the MSVC workspace to create a wchar_t + version of the library; the DLLs are named libexpatw.dll. + - Changed the name of the Windows DLLs from expat.dll to + libexpat.dll; this fixes SF bug #432456. + - Added the XML_ParserReset() API function. + - Fixed XML_SetReturnNSTriplet() to work for element names. + - Made the XML_UNICODE builds usable (thanks, Karl!). + - Allow xmlwf to read from standard input. + - Install a man page for xmlwf on Unix systems. + - Fixed many bugs; see SF bug reports #231864, #461380, #464837, + #466885, #469226, #477667, #484419, #487840, #494749, #496505, + #547350. Other bugs which we can't test as easily may also + have been fixed, especially in the area of build support. + +Release 1.95.2 Fri Jul 27 2001 + - More changes to make MSVC happy with the build; add a single + workspace to support both the library and xmlwf application. + - Added a Windows installer for Windows users; includes + xmlwf.exe. + - Added compile-time constants that can be used to determine the + Expat version + - Removed a lot of GNU-specific dependencies to aide portability + among the various Unix flavors. + - Fix the UTF-8 BOM bug. + - Cleaned up warning messages for several compilers. + - Added the -Wall, -Wstrict-prototypes options for GCC. + +Release 1.95.1 Sun Oct 22 15:11:36 EDT 2000 + - Changes to get expat to build under Microsoft compiler + - Removed all aborts and instead return an UNEXPECTED_STATE error. + - Fixed a bug where a stray '%' in an entity value would cause an + abort. + - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for + finding this oversight. + - Changed default patterns in lib/Makefile.in to fit non-GNU makes + Thanks to robin@unrated.net for reporting and providing an + account to test on. + - The reference had the wrong label for XML_SetStartNamespaceDecl. + Reported by an anonymous user. + +Release 1.95.0 Fri Sep 29 2000 + - XML_ParserCreate_MM + Allows you to set a memory management suite to replace the + standard malloc,realloc, and free. + - XML_SetReturnNSTriplet + If you turn this feature on when namespace processing is in + effect, then qualified, prefixed element and attribute names + are returned as "uri|name|prefix" where '|' is whatever + separator character is used in namespace processing. + - Merged in features from perl-expat + o XML_SetElementDeclHandler + o XML_SetAttlistDeclHandler + o XML_SetXmlDeclHandler + o XML_SetEntityDeclHandler + o StartDoctypeDeclHandler takes 3 additional parameters: + sysid, pubid, has_internal_subset + o Many paired handler setters (like XML_SetElementHandler) + now have corresponding individual handler setters + o XML_GetInputContext for getting the input context of + the current parse position. + - Added reference material + - Packaged into a distribution that builds a sharable library |