[Bug 262381] [exp-run] update texproc/expat2 to 2.4.7

From: <bugzilla-noreply_at_freebsd.org>
Date: Thu, 10 Mar 2022 05:16:15 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262381

--- Comment #2 from commit-hook@FreeBSD.org ---
A commit in branch main references this bug:

URL:
https://cgit.FreeBSD.org/ports/commit/?id=5a4db4dfb5abda7978bcb9cb146cd6e74725e43e

commit 5a4db4dfb5abda7978bcb9cb146cd6e74725e43e
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2022-03-06 15:17:40 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2022-03-10 05:14:18 +0000

    textproc/expat2: update to 2.4.7

    From [1]:

    Release 2.4.7 Fri March 4 2022
            Bug fixes:
           #572 #577  Relax fix to CVE-2022-25236 (introduced with release
2.4.5)
                        with regard to all valid URI characters (RFC 3986),
                        i.e. the following set (excluding whitespace):
                        ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz
                        0123456789 % -._~ :/?#[]@ !$&'()*+,;=

            Other changes:
      #555 #570 #581  CMake|Windows: Store Expat version in the DLL
                #577  Document consequences of namespace separator choices not
just
                        in doc/reference.html but also in header <expat.h>
                #577  Document Expat's lack of validation of namespace URIs
against
                        RFC 3986, and that the XML 1.0r4 specification doesn't
                        require Expat to validate namespace URIs, and that
Expat
                        may do more in that regard in future releases.
                        If you find need for strict RFC 3986 URI validation on
                        application level today, https://uriparser.github.io/
may
                        be of interest.
                #579  Fix documentation of XML_EndDoctypeDeclHandler in
<expat.h>
                #575  Document that a call to XML_FreeContentModel can be done
at
                        a later time from outside the element declaration
handler
                #574  Make hardcoded namespace URIs easier to find in code
                #573  Update documentation on use of XML_POOR_ENTOPY on Solaris
           #569 #571  tests: Resolve use of macros NAN and INFINITY for GNU G++
                        4.8.2 on Solaris.
           #578 #580  Version info bumped from 9:6:8 to 9:7:8;
                        see https://verbump.de/ for what these numbers do

            Special thanks to:
                Jeffrey Walton
                Johnny Jazeix
                Thijs Schreijer

    Release 2.4.6 Sun February 20 2022
            Bug fixes:
                #566  Fix a regression introduced by the fix for CVE-2022-25313
                        in release 2.4.5 that affects applications that (1)
                        call function XML_SetElementDeclHandler and (2) are
                        parsing XML that contains nested element declarations
                        (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>").

            Other changes:
           #567 #568  Version info bumped from 9:5:8 to 9:6:8;
                        see https://verbump.de/ for what these numbers do

            Special thanks to:
                Matt Sergeant
                Samanta Navarro
                Sergei Trofimovich
                     and
                NixOS
                Perl XML::Parser

    Release 2.4.5 Fri February 18 2022
            Security fixes:
                #562  CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
                        sequences (e.g. from start tag names) to the XML
                        processing application on top of Expat can cause
                        arbitrary damage (e.g. code execution) depending
                        on how invalid UTF-8 is handled inside the XML
                        processor; validation was not their job but Expat's.
                        Exploits with code execution are known to exist.
                #561  CVE-2022-25236 -- Passing (one or more) namespace
separator
                        characters in "xmlns[:prefix]" attribute values
                        made Expat send malformed tag names to the XML
                        processor on top of Expat which can cause
                        arbitrary damage (e.g. code execution) depending
                        on such unexpectable cases are handled inside the XML
                        processor; validation was not their job but Expat's.
                        Exploits with code execution are known to exist.
                #558  CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
                        that could be triggered by e.g. a 2 megabytes
                        file with a large number of opening braces.
                        Expected impact is denial of service or potentially
                        arbitrary code execution.
                #560  CVE-2022-25314 -- Fix integer overflow in function
copyString;
                        only affects the encoding name parameter at parser
creation
                        time which is often hardcoded (rather than user input),
                        takes a value in the gigabytes to trigger, and a 64-bit
                        machine.  Expected impact is denial of service.
                #559  CVE-2022-25315 -- Fix integer overflow in function
storeRawNames;
                        needs input in the gigabytes and a 64-bit machine.
                        Expected impact is denial of service or potentially
                        arbitrary code execution.

            Other changes:
           #557 #564  Version info bumped from 9:4:8 to 9:5:8;
                        see https://verbump.de/ for what these numbers do

            Special thanks to:
                Ivan Fratric
                Samanta Navarro
                     and
                Google Project Zero
                JetBrains

    [1] Changelog:
            https://github.com/libexpat/libexpat/blob/R_2_4_7/expat/Changes

    Exp-run by:     antoine
    PR:             262381

    Security: CVE-2022-25235
    Security: CVE-2022-25236
    Security: CVE-2022-25313
    Security: CVE-2022-25314
    Security: CVE-2022-25315

 textproc/expat2/Makefile  | 2 +-
 textproc/expat2/distinfo  | 6 +++---
 textproc/expat2/pkg-plist | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.