From nobody Thu Mar 10 05:16:15 2022 X-Original-To: desktop@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id EF85719FE5D2 for ; Thu, 10 Mar 2022 05:16:15 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KDcjW4vjKz3k9d for ; Thu, 10 Mar 2022 05:16:15 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 8832C1F10C for ; Thu, 10 Mar 2022 05:16:15 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org ([127.0.1.5]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 22A5GF7k036565 for ; Thu, 10 Mar 2022 05:16:15 GMT (envelope-from bugzilla-noreply@freebsd.org) Received: (from bugzilla@localhost) by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 22A5GFwt036564 for desktop@FreeBSD.org; Thu, 10 Mar 2022 05:16:15 GMT (envelope-from bugzilla-noreply@freebsd.org) X-Authentication-Warning: kenobi.freebsd.org: bugzilla set sender to bugzilla-noreply@freebsd.org using -f From: bugzilla-noreply@freebsd.org To: desktop@FreeBSD.org Subject: [Bug 262381] [exp-run] update texproc/expat2 to 2.4.7 Date: Thu, 10 Mar 2022 05:16:15 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Ports & Packages X-Bugzilla-Component: Individual Port(s) X-Bugzilla-Version: Latest X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Only Me X-Bugzilla-Who: commit-hook@FreeBSD.org X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: tcberner@freebsd.org X-Bugzilla-Flags: exp-run+ X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated List-Id: Using and improving FreeBSD on the desktop List-Archive: https://lists.freebsd.org/archives/freebsd-desktop List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-desktop@freebsd.org MIME-Version: 1.0 ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1646889375; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=rDhda2JKXKHebHhcLcAObivBobs2faPorkFe9L1SjA4=; b=MmMzSYElQIpVjcGKiOqQLPPDuklP2lFIi2k+HbQ4HRpgYrN95lFQ5BvwwSUxsbw+wpxhaV XW8KW56y5qj9InRqvfvfkfTUqnfkXbL1QLleQDHbw1vnmY+tu4waRVOHUtL9eydqZ275pk 2Gwpz83pl22oJWkFX6Ma6TzG6bVgpfz/kkZVNpHE1i3mhicg1BHW5z4p+Ul7JggcXbU9f3 Kbb/sqjs10h2I6NkL5gosf/hQm1yE7cOME/ZI6EPe8jA5SPhGuvCwRzd0U7cqONpfGNkGm hkpow/7z1yiNnM2sHp0sDCTqNYsqPiL8iCwxdJfi2qWfkEwR9Y0NSufvU8Qtgg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1646889375; a=rsa-sha256; cv=none; b=BUuNQ9g6MaUySGb1x/AGla02W2b0xUxneHclCFiyMNTmXwbFpgA0x8mVjh2ZJmfnMXDW05 RcIHPg+RzkQ/P8kYHMHgrw+3PZSOfEbHeLuajgf8hxJjvHAy26IJ4Ns/yhhR4nY/EtPNqj KhU3m7S/NnQUkOZvjQSdLpSurhbWjZnFMiAidSttRafGLBx+D9+2SIT0sVSCIbhB0HZFZM d+YQ7DB/b2MYZDe5I5IZ7mkTAREeR3RpsvWm5GiCFxOgsJBrzD89V4jWNyPgGIeJmVfhsl BYvBVuCAbKw6s7iqWHrC6nOvgQdbjgWLUjAt78LoWKQpQ+3lV+XU9jeijQe+PA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D262381 --- Comment #2 from commit-hook@FreeBSD.org --- A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/ports/commit/?id=3D5a4db4dfb5abda7978bcb9cb146cd6e= 74725e43e commit 5a4db4dfb5abda7978bcb9cb146cd6e74725e43e Author: Tobias C. Berner AuthorDate: 2022-03-06 15:17:40 +0000 Commit: Tobias C. Berner CommitDate: 2022-03-10 05:14:18 +0000 textproc/expat2: update to 2.4.7 From [1]: Release 2.4.7 Fri March 4 2022 Bug fixes: #572 #577 Relax fix to CVE-2022-25236 (introduced with release 2.4.5) with regard to all valid URI characters (RFC 3986), i.e. the following set (excluding whitespace): ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwx= yz 0123456789 % -._~ :/?#[]@ !$&'()*+,;=3D Other changes: #555 #570 #581 CMake|Windows: Store Expat version in the DLL #577 Document consequences of namespace separator choices = not just in doc/reference.html but also in header #577 Document Expat's lack of validation of namespace URIs against RFC 3986, and that the XML 1.0r4 specification does= n't require Expat to validate namespace URIs, and that Expat may do more in that regard in future releases. If you find need for strict RFC 3986 URI validation= on application level today, https://uriparser.github.i= o/ may be of interest. #579 Fix documentation of XML_EndDoctypeDeclHandler in #575 Document that a call to XML_FreeContentModel can be d= one at a later time from outside the element declaration handler #574 Make hardcoded namespace URIs easier to find in code #573 Update documentation on use of XML_POOR_ENTOPY on Sol= aris #569 #571 tests: Resolve use of macros NAN and INFINITY for GNU= G++ 4.8.2 on Solaris. #578 #580 Version info bumped from 9:6:8 to 9:7:8; see https://verbump.de/ for what these numbers do Special thanks to: Jeffrey Walton Johnny Jazeix Thijs Schreijer Release 2.4.6 Sun February 20 2022 Bug fixes: #566 Fix a regression introduced by the fix for CVE-2022-2= 5313 in release 2.4.5 that affects applications that (1) call function XML_SetElementDeclHandler and (2) are parsing XML that contains nested element declaratio= ns (e.g. ""). Other changes: #567 #568 Version info bumped from 9:5:8 to 9:6:8; see https://verbump.de/ for what these numbers do Special thanks to: Matt Sergeant Samanta Navarro Sergei Trofimovich and NixOS Perl XML::Parser Release 2.4.5 Fri February 18 2022 Security fixes: #562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF= -8 sequences (e.g. from start tag names) to the XML processing application on top of Expat can cause arbitrary damage (e.g. code execution) depending on how invalid UTF-8 is handled inside the XML processor; validation was not their job but Expat's. Exploits with code execution are known to exist. #561 CVE-2022-25236 -- Passing (one or more) namespace separator characters in "xmlns[:prefix]" attribute values made Expat send malformed tag names to the XML processor on top of Expat which can cause arbitrary damage (e.g. code execution) depending on such unexpectable cases are handled inside the X= ML processor; validation was not their job but Expat's. Exploits with code execution are known to exist. #558 CVE-2022-25313 -- Fix stack exhaustion in doctype par= sing that could be triggered by e.g. a 2 megabytes file with a large number of opening braces. Expected impact is denial of service or potentially arbitrary code execution. #560 CVE-2022-25314 -- Fix integer overflow in function copyString; only affects the encoding name parameter at parser creation time which is often hardcoded (rather than user inp= ut), takes a value in the gigabytes to trigger, and a 64= -bit machine. Expected impact is denial of service. #559 CVE-2022-25315 -- Fix integer overflow in function storeRawNames; needs input in the gigabytes and a 64-bit machine. Expected impact is denial of service or potentially arbitrary code execution. Other changes: #557 #564 Version info bumped from 9:4:8 to 9:5:8; see https://verbump.de/ for what these numbers do Special thanks to: Ivan Fratric Samanta Navarro and Google Project Zero JetBrains [1] Changelog: https://github.com/libexpat/libexpat/blob/R_2_4_7/expat/Changes Exp-run by: antoine PR: 262381 Security: CVE-2022-25235 Security: CVE-2022-25236 Security: CVE-2022-25313 Security: CVE-2022-25314 Security: CVE-2022-25315 textproc/expat2/Makefile | 2 +- textproc/expat2/distinfo | 6 +++--- textproc/expat2/pkg-plist | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) --=20 You are receiving this mail because: You are on the CC list for the bug.=