SUSE-SU-2025:20311-1

Source
https://www.suse.com/support/update/announcement/2025/suse-su-202520311-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:20311-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/SUSE-SU-2025:20311-1
Upstream
Related
Published
2025-05-13T13:37:27Z
Modified
2026-03-12T02:06:13.136760Z
Summary
Security update for expat
Details

This update for expat fixes the following issues:

Version update to 2.7.1:

 Bug fixes:

   #980 #989  Restore event pointer behavior from Expat 2.6.4
                (that the fix to CVE-2024-8176 changed in 2.7.0);
                affected API functions are:
                - XML_GetCurrentByteCount
                - XML_GetCurrentByteIndex
                - XML_GetCurrentColumnNumber
                - XML_GetCurrentLineNumber
                - XML_GetInputContext

 Other changes:

   #976 #977  Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}"
                with Automake that were missing from 2.7.0 release tarballs
   #983 #984  Fix printf format specifiers for 32bit Emscripten
        #992  docs: Promote OpenSSF Best Practices self-certification
        #978  tests/benchmark: Resolve mistaken double close
        #986  Address compiler warnings
   #990 #993  Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
                to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
                for what these numbers do

 Infrastructure:

        #982  CI: Start running Perl XML::Parser integration tests
        #987  CI: Enforce Clang Static Analyzer clean code
        #991  CI: Re-enable warning clang-analyzer-valist.Uninitialized
                for clang-tidy
        #981  CI: Cover compilation with musl
   #983 #984  CI: Cover compilation with 32bit Emscripten
   #976 #977  CI: Protect against fuzzer files missing from future
                release archives

Version update to 2.7.0 (CVE-2024-8176 [bsc#1239618]):

  • Security fixes:

     #893 #973  CVE-2024-8176 -- Fix crash from chaining a large number
                  of entities caused by stack overflow by resolving use of
                  recursion, for all three uses of entities:
                  - general entities in character data ("<e>&g1;</e>")
                  - general entities in attribute values ("<e k1='&g1;'/>")
                  - parameter entities ("%p1;")
                  Known impact is (reliable and easy) denial of service:
                  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
                  (Base Score: 7.5, Temporal Score: 7.2)
                  Please note that a layer of compression around XML can
                  significantly reduce the minimum attack payload size.
    
  • Other changes:

     #935 #937  Autotools: Make generated CMake files look for
                  libexpat.@SO_MAJOR@.dylib on macOS
          #925  Autotools: Sync CMake templates with CMake 3.29
#945 #962 #966  CMake: Drop support for CMake <3.13
          #942  CMake: Small fuzzing related improvements
          #921  docs: Add missing documentation of error code
                  XML_ERROR_NOT_STARTED that was introduced with 2.6.4
          #941  docs: Document need for C++11 compiler for use from C++
          #959  tests/benchmark: Fix a (harmless) TOCTTOU
          #944  Windows: Fix installer target location of file xmlwf.xml
                  for CMake
          #953  Windows: Address warning -Wunknown-warning-option
                  about -Wno-pedantic-ms-format from LLVM MinGW
          #971  Address Cppcheck warnings
     #969 #970  Mass-migrate links from http:// to https://
     #947 #958 ..
     #974 #975  Document changes since the previous release
     #974 #975  Version info bumped from 11:0:10 (libexpat*.so.1.10.0)
                  to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/
                  for what these numbers do

  • no source changes, just adding jira reference: jsc#SLE-21253

Version update to 2.6.4

  • Security fixes: [bsc#1232601][bsc#1232579]

          #915  CVE-2024-50602 -- Fix crash within function XML_ResumeParser
                  from a NULL pointer dereference by disallowing function
                  XML_StopParser to (stop or) suspend an unstarted parser.
                  A new error code XML_ERROR_NOT_STARTED was introduced to
                  properly communicate this situation. // CWE-476 CWE-754

  • Other changes:

          #903  CMake: Add alias target "expat::expat"
          #905  docs: Document use via CMake >=3.18 with FetchContent
                  and SOURCE_SUBDIR and its consequences
          #902  tests: Reduce use of global parser instance
          #904  tests: Resolve duplicate handler
     #317 #918  tests: Improve tests on doctype closing (ex CVE-2019-15903)
          #914  Fix signedness of format strings
     #919 #920  Version info bumped from 10:3:9 (libexpat*.so.1.9.3)
                  to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/
                  for what these numbers do

Update to 2.6.3:

  • Security fixes:

    • CVE-2024-45490, bsc#1229930 -- Calling function XML_ParseBuffer with len < 0 without noticing and then calling XML_GetBuffer will have XML_ParseBuffer fail to recognize the problem and XML_GetBuffer corrupt memory. With the fix, XML_ParseBuffer now complains with error XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse has been doing since Expat 2.2.1, and now documented. Impact is denial of service to potentially arbitrary code execution.
    • CVE-2024-45491, bsc#1229931 -- Internal function dtdCopy can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Impact is denial of service to potentially arbitrary code execution.
    • CVE-2024-45492, bsc#1229932 -- Internal function nextScaffoldPart can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Impact is denial of service to potentially arbitrary code execution.

Update to 2.6.2:

  • CVE-2024-28757 -- Prevent billion laughs attacks with isolated use of external parsers (bsc#1221289)
  • Reject direct parameter entity recursion and avoid the related undefined behavior

Update to 2.6.1:

  • Expose billion laughs API with XML_DTD defined and XML_GE undefined, regression from 2.6.0
  • Make tests independent of CPU speed, and thus more robust

Update to 2.6.0:

  • Security fixes:
    • CVE-2023-52425 (bsc#1219559)
      -- Fix quadratic runtime issues with big tokens that can cause denial of service, in particular when dealing with compressed XML input. Applications that parsed a document in one go -- a single call to functions XML_Parse or XML_ParseBuffer -- were not affected. The smaller the chunks/buffers you use for parsing previously, the bigger the problem prior to the fix. Backporters should be careful to not omit parts of pull request #789 and to include earlier pull request #771, in order to not break the fix.
    • CVE-2023-52426 (bsc#1219561) -- Fix billion laughs attacks for users compiling without XML_DTD defined (which is not common). Users with XML_DTD defined have been protected since Expat >=2.4.0 (and that was CVE-2013-0340 back then).
  • Bug fixes:
    • Fix parse-size-dependent "invalid token" error for external entities that start with a byte order mark
    • Fix NULL pointer dereference in setContext via XML_ExternalEntityParserCreate for compilation with XML_DTD undefined
    • Protect against closing entities out of order
  • Other changes:
    • Improve support for arc4random/arc4random_buf
    • Improve buffer growth in XML_GetBuffer and XML_Parse
    • xmlwf: Support --help and --version
    • xmlwf: Support custom buffer size for XML_GetBuffer and read
    • xmlwf: Improve language and URL clickability in help output
    • examples: Add new example "elementdeclarations.c"
    • Be stricter about macro XML_CONTEXT_BYTES at build time
    • Make inclusion to expat_config.h consistent
    • Autotools: configure.ac: Support --disable-maintainer-mode
    • Autotools: Sync CMake templates with CMake 3.26
    • Autotools: Make installation of shipped man page doc/xmlwf.1 independent of docbook2man availability
    • Autotools|CMake: Add missing -DXML_STATIC to pkg-config file section "Cflags.private" in order to fix compilation against static libexpat using pkg-config on Windows
    • Autotools|CMake: Require a C99 compiler (a de-facto requirement already since Expat 2.2.2 of 2017)
    • Autotools|CMake: Fix PACKAGE_BUGREPORT variable
    • Autotools|CMake: Make test suite require a C++11 compiler
    • CMake: Require CMake >=3.5.0
    • CMake: Lowercase off_t and size_t to help a bug in Meson
    • CMake: Sort xmlwf sources alphabetically
    • CMake|Windows: Fix generation of DLL file version info
    • CMake: Build tests/benchmark/benchmark.c as well for a build with -DEXPAT_BUILD_TESTS=ON
    • docs: Document the importance of isFinal + adjust tests accordingly
    • docs: Improve use of "NULL" and "null"
    • docs: Be specific about version of XML (XML 1.0r4) and version of C (C99); (XML 1.0r5 will need a sponsor.)
    • docs: reference.html: Promote function XML_ParseBuffer more
    • docs: reference.html: Add HTML anchors to XML_* macros
    • docs: reference.html: Upgrade to OK.css 1.2.0
    • docs: Fix typos
    • docs|CI: Use HTTPS URLs instead of HTTP at various places
    • Address compiler warnings
    • Address clang-tidy warnings
    • Version info bumped from 9:10:8 (libexpat*.so.1.8.10) to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/ for what these numbers do
References

Affected packages

SUSE:Linux Micro 6.1 / expat

Package

Name
expat
Purl
pkg:rpm/suse/expat&distro=SUSE%20Linux%20Micro%206.1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Unknown introduced version / All previous versions are affected
Fixed
2.7.1-slfo.1.1_1.1

Ecosystem specific

{
    "binaries": [
        {
            "libexpat1": "2.7.1-slfo.1.1_1.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:20311-1.json"