SUSE-SU-2025:03239-1

Source
https://www.suse.com/support/update/announcement/2025/suse-su-202503239-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:03239-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/SUSE-SU-2025:03239-1
Upstream
Related
Published
2025-09-16T17:04:04Z
Modified
2025-09-18T20:17:19.664590Z
Summary
Security update for expat
Details

This update for expat fixes the following issues:

expat was updated to version 2.7.1:

  • Bug fixes:

    • Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:

      - XML_GetCurrentByteCount
      - XML_GetCurrentByteIndex
      - XML_GetCurrentColumnNumber
      - XML_GetCurrentLineNumber
      - XML_GetInputContext

  • Other changes:

    • Fix printf format specifiers for 32bit Emscripten
    • docs: Promote OpenSSF Best Practices self-certification
    • tests/benchmark: Resolve mistaken double close
    • Address compiler warnings
    • Version info bumped from 11:1:10 (libexpat.so.1.10.1) to 11:2:10 (libexpat.so.1.10.2); see https://verbump.de/ for what these numbers do

Version update to 2.7.0 (CVE-2024-8176, bsc#1239618, jsc#PED-12507)

  • Security fixes:

    • CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:

      - general entities in character data ('<e>&g1;</e>')
      - general entities in attribute values ('<e k1='&g1;'/>')
      - parameter entities ('%p1;')

      Known impact is (reliable and easy) denial of service: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C (Base Score: 7.5, Temporal Score: 7.2). Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.

  • Other changes:

    • docs: Add missing documentation of error code XML_ERROR_NOT_STARTED that was introduced with 2.6.4
    • docs: Document need for C++11 compiler for use from C++
    • Address Cppcheck warnings
    • Mass-migrate links from http:// to https://
    • Document changes since the previous release
    • Version info bumped from 11:0:10 (libexpat.so.1.10.0) to 11:1:10 (libexpat.so.1.10.1); see https://verbump.de/ for what these numbers do
References

Affected packages

SUSE:Linux Enterprise Module for Basesystem 15 SP7 / expat

Package

Name
expat
Purl
pkg:rpm/suse/expat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.7.1-150700.3.3.1

Ecosystem specific

{
    "binaries": [
        {
            "expat": "2.7.1-150700.3.3.1",
            "libexpat1": "2.7.1-150700.3.3.1",
            "libexpat1-32bit": "2.7.1-150700.3.3.1",
            "libexpat-devel": "2.7.1-150700.3.3.1"
        }
    ]
}