SUSE-SU-2025:20207-1

Source
https://www.suse.com/support/update/announcement/2025/suse-su-202520207-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:20207-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2025:20207-1
Published
2025-04-29T11:07:45Z
Modified
2026-03-23T04:50:04.767104Z
Summary
Security update for expat
Details

This update for expat fixes the following issues:

Version update to 2.7.1:

  • Bug fixes:

    • Restore event pointer behavior from Expat 2.6.4 (that the fix to CVE-2024-8176 changed in 2.7.0); affected API functions are:

      • XML_GetCurrentByteCount
      • XML_GetCurrentByteIndex
      • XML_GetCurrentColumnNumber
      • XML_GetCurrentLineNumber
      • XML_GetInputContext
  • Other changes:
    • #976 #977 Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}" with Automake that were missing from 2.7.0 release tarballs
    • #983 #984 Fix printf format specifiers for 32bit Emscripten
    • #992 docs: Promote OpenSSF Best Practices self-certification
    • #978 tests/benchmark: Resolve mistaken double close
    • #986 Address compiler warnings
    • #990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do

  • Infrastructure:
    • #982 CI: Start running Perl XML::Parser integration tests
    • #987 CI: Enforce Clang Static Analyzer clean code
    • #991 CI: Re-enable warning clang-analyzer-valist.Uninitialized for clang-tidy
    • #981 CI: Cover compilation with musl
    • #983 #984 CI: Cover compilation with 32bit Emscripten
    • #976 #977 CI: Protect against fuzzer files missing from future release archives

Version update to 2.7.0 (CVE-2024-8176 [bsc#1239618])

  • Security fixes:

    • CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of recursion, for all three uses of entities:

      • general entities in character data ("<e>&g1;</e>")
      • general entities in attribute values ("<e k1='&g1;'/>")
      • parameter entities ("%p1;")

      Known impact is (reliable and easy) denial of service:

      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C

      (Base Score: 7.5, Temporal Score: 7.2)

      Please note that a layer of compression around XML can significantly reduce the minimum attack payload size.

  • Other changes:
    • Document changes since the previous release
    • Version info bumped from 11:0:10 (libexpat*.so.1.10.0) to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ for what these numbers do

Version update to 2.6.4:

  • Security fixes: [bsc#1232601][bsc#1232579]
    • CVE-2024-50602 -- Fix crash within function XML_ResumeParser from a NULL pointer dereference by disallowing function XML_StopParser to (stop or) suspend an unstarted parser. A new error code XML_ERROR_NOT_STARTED was introduced to properly communicate this situation. // CWE-476 CWE-754
  • Other changes:
    • Version info bumped from 10:3:9 (libexpat*.so.1.9.3) to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/ for what these numbers do

Update to 2.6.3:

  • Security fixes:

    • CVE-2024-45490, bsc#1229930 -- Calling function XML_ParseBuffer with len < 0 without noticing and then calling XML_GetBuffer will have XML_ParseBuffer fail to recognize the problem and XML_GetBuffer corrupt memory. With the fix, XML_ParseBuffer now complains with error XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse has been doing since Expat 2.2.1, and this is now documented. Impact is denial of service to potentially arbitrary code execution.
    • CVE-2024-45491, bsc#1229931 -- Internal function dtdCopy can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Impact is denial of service to potentially arbitrary code execution.
    • CVE-2024-45492, bsc#1229932 -- Internal function nextScaffoldPart can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Impact is denial of service to potentially arbitrary code execution.
  • Other changes:

    • Version info bumped from 10:2:9 (libexpat*.so.1.9.2) to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/ for what these numbers do

Update to 2.6.2:

  • CVE-2024-28757 -- Prevent billion laughs attacks with isolated use of external parsers (bsc#1221289)
  • Reject direct parameter entity recursion and avoid the related undefined behavior

Update to 2.6.1:

  • Expose billion laughs API with XML_DTD defined and XML_GE undefined, regression from 2.6.0
  • Make tests independent of CPU speed, and thus more robust

Update to 2.6.0:

  • Security fixes:
    • CVE-2023-52425 (bsc#1219559)
      Fix quadratic runtime issues with big tokens that can cause denial of service, in particular where dealing with compressed XML input. Applications that parsed a document in one go -- a single call to functions XML_Parse or XML_ParseBuffer -- were not affected. The smaller the chunks/buffers you used for parsing previously, the bigger the problem prior to the fix. Backporters should be careful not to omit parts of pull request #789 and to include earlier pull request #771, in order to not break the fix.
    • CVE-2023-52426 (bsc#1219561) Fix billion laughs attacks for users compiling without XML_DTD defined (which is not common). Users with XML_DTD defined have been protected since Expat >=2.4.0 (and that was CVE-2013-0340 back then).
  • Bug fixes:
    • Fix parse-size-dependent "invalid token" error for external entities that start with a byte order mark
    • Fix NULL pointer dereference in setContext via XML_ExternalEntityParserCreate for compilation with XML_DTD undefined
    • Protect against closing entities out of order
  • Other changes:
    • Improve support for arc4random/arc4random_buf
    • Improve buffer growth in XML_GetBuffer and XML_Parse
    • xmlwf: Support --help and --version
    • xmlwf: Support custom buffer size for XML_GetBuffer and read
    • xmlwf: Improve language and URL clickability in help output
    • examples: Add new example "element_declarations.c"
    • Be stricter about macro XML_CONTEXT_BYTES at build time
    • Make inclusion of expat_config.h consistent
    • Autotools: configure.ac: Support --disable-maintainer-mode
    • Autotools: Sync CMake templates with CMake 3.26
    • Autotools: Make installation of shipped man page doc/xmlwf.1 independent of docbook2man availability
    • Autotools|CMake: Add missing -DXML_STATIC to pkg-config file section "Cflags.private" in order to fix compilation against static libexpat using pkg-config on Windows
    • Autotools|CMake: Require a C99 compiler (a de-facto requirement already since Expat 2.2.2 of 2017)
    • Autotools|CMake: Fix PACKAGE_BUGREPORT variable
    • Autotools|CMake: Make test suite require a C++11 compiler
    • CMake: Require CMake >=3.5.0
    • CMake: Lowercase off_t and size_t to help a bug in Meson
    • CMake: Sort xmlwf sources alphabetically
    • CMake|Windows: Fix generation of DLL file version info
    • CMake: Build tests/benchmark/benchmark.c as well for a build with -DEXPAT_BUILD_TESTS=ON
    • docs: Document the importance of isFinal + adjust tests accordingly
    • docs: Improve use of "NULL" and "null"
    • docs: Be specific about version of XML (XML 1.0r4) and version of C (C99); (XML 1.0r5 will need a sponsor.)
    • docs: reference.html: Promote function XMLParseBuffer more
    • docs: reference.html: Add HTML anchors to XML* macros
    • docs: reference.html: Upgrade to OK.css 1.2.0
    • docs: Fix typos
    • docs|CI: Use HTTPS URLs instead of HTTP at various places
    • Address compiler warnings
    • Address clang-tidy warnings
    • Version info bumped from 9:10:8 (libexpat*.so.1.8.10) to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/ for what these numbers do
References

Affected packages

SUSE:Linux Micro 6.0 / expat

Package

Name
expat
Purl
pkg:rpm/suse/expat&distro=SUSE%20Linux%20Micro%206.0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
2.7.1-1.1

Ecosystem specific

{
    "binaries": [
        {
            "libexpat1": "2.7.1-1.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:20207-1.json"