                        __  __            _
                     ___\ \/ /_ __   __ _| |_
                    / _ \\  /| '_ \ / _` | __|
                   |  __//  \| |_) | (_| | |_
                    \___/_/\_\ .__/ \__,_|\__|
                             |_| XML parser

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! <blink>Expat is UNDERSTAFFED and WITHOUT FUNDING.</blink>                  !!
!!                 ~~~~~~~~~~~~                                               !!
!! The following topics need *additional skilled C developers* to progress    !!
!! in a timely manner or at all (loosely ordered by descending priority):     !!
!!                            _______________________                         !!
!! - teaming up on fixing the UNFIXED SECURITY ISSUES listed at:              !!
!!                            """""""""""""""""""""""                         !!
!!   https://github.com/libexpat/libexpat/issues/1160                         !!
!!                                                                            !!
!! - teaming up on researching and fixing future security reports and         !!
!!   ClusterFuzz findings with few-days-max response times in communication   !!
!!   in order to (1) have a sound fix ready before the end of a 90 days       !!
!!   grace period and (2) in a sustainable manner,                            !!
!!                                                                            !!
!! - implementing and auto-testing XML 1.0r5 support                          !!
!!   (needs discussion before pull requests),                                 !!
!!                                                                            !!
!! For details, please reach out via e-mail to sebastian@pipping.org so we    !!
!! can schedule a voice call on the topic, in English or German.              !!
!!                                                                            !!
!! THANK YOU!                         Sebastian Pipping -- Berlin, 2026-03-17 !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Release 2.8.1 Sun May 10 2026
        Security fixes:
            #1216  CVE-2026-45186 -- Fix quadratic runtime from attribute name
                     collision checks that allowed denial of service attacks
                     through moderately sized crafted XML input (CWE-407).
                     Please note that a layer of compression around XML can
                     significantly reduce the minimum attack payload size.

        Other changes:
      #1209 #1213  Drop more casts related to `void *` that C99 does not need
            #1213  xmlwf: Streamline use of `mmap`
      #1214 #1217  Version info bumped from 13:0:12 (libexpat*.so.1.12.0)
                     to 13:1:12 (libexpat*.so.1.12.1); see https://verbump.de/
                     for what these numbers do

        Infrastructure:
            #1210  CI: Cover compilation with Visual Studio 18 2026 on Windows
            #1215  CI: Cover compilation for ARM64 on Windows
            #1212  CI: Bump WASI SDK from 32 to 33

        Special thanks to:
            Berkay Eren Ürün
            Matthew Fernandez
            Nick Wellnhofer
            Tania Somanna

Release 2.8.0 Fri April 24 2026
        Security fixes:
        #47 #1183  CVE-2026-41080 -- The existing hash flooding protection
                     (based on SipHash) only used 4 to 8 bytes of entropy for
                     a salt, when 16 bytes of salt are supported by the
                     implementation of SipHash used by Expat. Now the full
                     16 bytes of entropy are used to improve protection against
                     hash flooding attacks.
                     Existing API function XML_SetHashSalt is now deprecated
                     because of its limitations, and its use should be
                     considered a vulnerability. Please either use the new API
                     function XML_SetHashSalt16Bytes (with known-high-quality
                     entropy input only!) instead, or leave the derivation of
                     a 16-byte hash salt from high quality entropy to Expat's
                     internal machinery (by *not* calling either of the two
                     XML_SetHashSalt* functions).

        Bug fixes:
            #1188  Avoid propagating /dev/urandom file descriptor to child
                     processes
            #1193  Fix interpretation of `errno` after randomization calls
            #1195  Avoid assuming uint8_t is a character type

        Other changes:
      #1180 #1199  Add support for `getentropy(3)` as a source of entropy;
                     this helps with protecting against hash flooding attacks,
                     in particular with WASI SDK (where none of the other
                     entropy sources supported by libexpat are available).
            #1200  Autotools: Add `--without-arc4random` and
                     `--without-arc4random-buf`
            #1200  Autotools: Make `./configure` output report on available
                     high quality entropy sources
            #1173  Autotools|macOS: Sync CMake templates with CMake 4.3.0
            #1201  Autotools|CMake: Improve checks for `arc4random` and
                     `arc4random_buf` e.g. with modern glibc
            #1201  CMake: Report on availability of functions `arc4random` and
                     `arc4random_buf`
            #1201  CMake: Mark entropy related build switches as advanced
         #1189 ..
      #1203 #1204  Extract new files from entropy extraction code
            #1194  Stop duplicating C tests 1:1 as C++ ("runtests_cxx")
            #1202  Fix a comment typo in expat_external.h
            #1187  Fix grammar in compile error message
            #1192  examples: Build warning-free with -Wwrite-strings
            #1171  tests: Address harmless warning from Coverity
      #1170 #1176  Sync file headers
      #1190 #1206  Version info bumped from 12:3:11 (libexpat*.so.1.11.3)
                     to 13:0:12 (libexpat*.so.1.12.0); see https://verbump.de/
                     for what these numbers do

        Infrastructure:
   #1166 #1167 ..
   #1172 #1175 ..
   #1178 #1179 ..
      #1185 #1205  CI: Make Perl XML::Parser integration tests run against
                     both version 2.47 and the latest release 2.58
            #1169  CI: Adapt to breaking changes regarding Inno Setup
            #1173  CI: Adapt to breaking changes regarding CMake
            #1174  CI: Include public corpus of fuzzer `xml_lpm_fuzzer` with
                     regression testing
      #1181 #1182  CI: Bump WASI SDK from 30 to 32

        Special thanks to:
            Jérôme Duval
            Matthew Fernandez

Release 2.7.5 Tue March 17 2026
        Security fixes:
            #1158  CVE-2026-32776 -- Fix NULL function pointer dereference for
                     empty external parameter entities; an application is only
                     vulnerable if it uses both functions
                     XML_ExternalEntityParserCreate and
                     XML_SetParamEntityParsing.
      #1161 #1162  CVE-2026-32777 -- Protect from XML_TOK_INSTANCE_START
                     infinite loop in function entityValueProcessor; an
                     application is only vulnerable if it uses both functions
                     XML_ExternalEntityParserCreate and
                     XML_SetParamEntityParsing.
            #1163  CVE-2026-32778 -- Fix NULL dereference in function setContext
                     on retry after an earlier out-of-memory condition; an
                     application is only vulnerable if it uses function
                     XML_ParserCreateNS or XML_ParserCreate_MM.
            #1160  Three more unfixed vulnerabilities left

        Other changes:
      #1146 #1147  Autotools: Fix condition for symbol versioning check, in
                     particular when compiling with slibtool (not libtool)
            #1156  Address Cppcheck >=2.20.0 warnings
            #1153  tests: Make test_buffer_can_grow_to_max work for MinGW on
                     Ubuntu 24.04
      #1157 #1159  Version info bumped from 12:2:11 (libexpat*.so.1.11.2)
                     to 12:3:11 (libexpat*.so.1.11.3); see https://verbump.de/
                     for what these numbers do

        Infrastructure:
            #1148  CI: Fix FreeBSD and Solaris CI
            #1149  CI: Bump to WASI SDK 30
            #1153  CI: Adapt to breaking changes with Ubuntu 22.04
            #1156  CI: Adapt to breaking changes in Cppcheck

        Special thanks to:
            Berkay Eren Ürün
            Christian Ng
            Fabio Scaccabarozzi
            Francesco Bertolaccini
            Mark Brand
            Rhodri James
             and
            AddressSanitizer
            Buttercup
            OSS-Fuzz / ClusterFuzz
            Trail of Bits

Release 2.7.4 Sat January 31 2026
        Security fixes:
            #1131  CVE-2026-24515 -- Function XML_ExternalEntityParserCreate
                     failed to copy the encoding handler data passed to
                     XML_SetUnknownEncodingHandler from the parent to the new
                     subparser. This can cause a NULL dereference (CWE-476) from
                     external entities that declare use of an unknown encoding.
                     The expected impact is denial of service. An application
                     is only vulnerable if it uses both functions
                     XML_ExternalEntityParserCreate and
                     XML_SetUnknownEncodingHandler.
            #1075  CVE-2026-25210 -- Add missing check for integer overflow
                     related to buffer size determination in function doContent

        Bug fixes:
            #1073  lib: Fix missing undoing of group size expansion in doProlog
                     failure cases
            #1107  xmlwf: Fix a memory leak
            #1104  WASI: Fix format specifiers for 32bit WASI SDK

        Other changes:
            #1105  lib: Fix strict aliasing
            #1106  lib: Leverage feature "flexible array member" of C99
            #1051  lib: Swap (size_t)(-1) for C99 equivalent SIZE_MAX
            #1109  lib|xmlwf: Return NULL instead of 0 for pointers
            #1068  lib|Windows: Clean up use of macro _MSC_EXTENSIONS with MSVC
            #1112  lib: Remove unused import
            #1110  xmlwf: Warn about XXE in --help output (and man page)
      #1102 #1103  WASI: Stop using getpid
      #1113 #1130  Autotools: Drop file expat.m4 that provided obsolete Autoconf
                     macro AM_WITH_EXPAT
            #1123  Autotools: Limit -Wno-pedantic-ms-format to MinGW
   #1129 #1134 ..
            #1087  Autotools|macOS: Sync CMake templates with CMake 4.0
      #1139 #1140  Autotools|CMake: Introduce off-by-default symbol versioning
                     The related build system flags are:
                     - For Autotools, configure with --enable-symbol-versioning
                     - For CMake, configure with -DEXPAT_SYMBOL_VERSIONING=ON
                     Please double-check for consequences before activating
                     this inside distro packaging. Bug reports welcome!
            #1117  Autotools|CMake: Remove libbsd support
            #1105  Autotools|CMake: Stop using -fno-strict-aliasing, and use
                     -Wstrict-aliasing=3 instead
            #1124  Autotools|CMake: Prefer command gsed (GNU sed) over sed
                     (e.g. for Solaris) inside fix-xmltest-log.sh
            #1067  CMake: Detect and warn about unusable check_c_compiler_flag
            #1137  CMake: Drop support for CMake <3.17
            #1138  CMake|Windows: Fix libexpat.def.cmake version comments

      #1086 #1110  docs: Add warning about external reference handlers and XXE
            #1066  docs: Be explicit that parent parsers need to outlive
                     subparsers
         #1089 ..
   #1090 #1091 ..
   #1092 #1093 ..
   #1094 #1098 ..
      #1115 #1116  docs: Misc non-content improvements to doc/reference.html
      #1132 #1133  Version info bumped from 12:1:11 (libexpat*.so.1.11.1)
                     to 12:2:11 (libexpat*.so.1.11.2); see https://verbump.de/
                     for what these numbers do

        Infrastructure:
      #1119 #1121  Document guidelines for contributing to Expat
            #1120  Introduce a pull request template
            #1074  CI: Stop using about-to-be-removed image "macos-13"
      #1083 #1088  CI: Mitigate random Wine crashes
            #1104  CI: Cover compilation with WASI SDK
            #1116  CI: Enforce clean doc XML formatting
         #1124 ..
      #1135 #1136  CI: Cover Solaris 11.4
            #1125  CI: Extend CI coverage of FreeBSD
      #1139 #1140  CI: Cover symbol versioning
            #1114  xmlwf: Reformat helpgen code (using Black 25.12.0)
            #1071  .gitignore: Add files CPackConfig.cmake and
                     CPackSourceConfig.cmake

        Special thanks to:
            Alfonso Gregory
            Bénédikt Tran
            Gordon Messmer
            Hanno Böck
            Jakub Kulík
            Matthew Fernandez
            Neil Pang
            Rosen Penev
             and
            Artiphishell Inc.

Release 2.7.3 Wed September 24 2025
        Security fixes:
      #1046 #1048  Fix alignment of internal allocations for some non-amd64
                     architectures (e.g. sparc32); fixes up on the fix to
                     CVE-2025-59375 from #1034 (of Expat 2.7.2 and related
                     backports)
            #1059  Fix a class of false positives where input should have been
                     rejected with error XML_ERROR_ASYNC_ENTITY; regression from
                     CVE-2024-8176 fix pull request #973 (of Expat 2.7.0 and
                     related backports). Please check the added unit tests for
                     example documents.

        Other changes:
            #1043  Prove and regression-proof absence of integer overflow
                     from function expat_realloc
            #1062  Remove "harmless" cast that truncated a size_t to unsigned
            #1049  Autotools: Remove "ln -s" discovery
            #1054  docs: Be consistent with use of floating point around
                     XML_SetAllocTrackerMaximumAmplification
            #1056  docs: Make it explicit that XML_GetCurrentColumnNumber
                     starts at 0
            #1057  docs: Better integrate the effect of the activation
                     thresholds
            #1058  docs: Fix an in-comment typo in expat.h
            #1045  docs: Fix a typo in README.md
            #1041  docs: Improve change log of release 2.7.2
            #1053  xmlwf: Resolve use of functions XML_GetErrorLineNumber
                     and XML_GetErrorColumnNumber
            #1032  Windows: Normalize .bat files to CRLF line endings
      #1060 #1061  Version info bumped from 12:0:11 (libexpat*.so.1.11.0)
                     to 12:1:11 (libexpat*.so.1.11.1); see https://verbump.de/
                     for what these numbers do

        Infrastructure:
      #1047 #1050  CI: Cleanup UndefinedBehaviorSanitizer fatality
            #1044  CI|Linux: Stop aborting at first job failure
            #1052  CI|FreeBSD: Upgrade to FreeBSD 15.0
            #1039  CI|FreeBSD: Do not install CMake meta-package

        Special thanks to:
            Bénédikt Tran
            Berkay Eren Ürün
            Daniel Engberg
            Hanno Böck
            Matthew Fernandez
            Rolf Eike Beer
            Sam James
            Tim Bray
             and
            Clang/GCC UndefinedBehaviorSanitizer
            OSS-Fuzz / ClusterFuzz
            Z3 Theorem Prover

Release 2.7.2 Tue September 16 2025
        Security fixes:
      #1018 #1034  CVE-2025-59375 -- Disallow use of disproportional amounts of
                     dynamic memory from within an Expat parser (e.g. previously
                     a ~250 KiB sized document was able to cause allocation of
                     ~800 MiB from the heap, i.e. an "amplification" of factor
                     ~3,300); once a threshold (that defaults to 64 MiB) is
                     reached, a maximum amplification factor (that defaults to
                     100.0) is enforced, and violating documents are rejected
                     with an out-of-memory error.
                     There are two new API functions to fine-tune this new
                     behavior:
                     - XML_SetAllocTrackerActivationThreshold
                     - XML_SetAllocTrackerMaximumAmplification
                     If you ever need to increase these defaults for non-attack
                     XML payload, please file a bug report with libexpat.
                     There is also a new environment variable
                     EXPAT_MALLOC_DEBUG=(0|1|2) to control the verbosity
                     of allocations debugging at runtime, disabled by default.
                     Known impact is (reliable and easy) denial of service:
                     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
                     (Base Score: 7.5, Temporal Score: 7.2)
                     Please note that a layer of compression around XML can
                     significantly reduce the minimum attack payload size.
                     Distributors intending to backport (or cherry-pick) the
                     fix need to copy 99% of the related pull request, not just
                     the "lib: Implement tracking of dynamic memory allocations"
                     commit, to not end up with a state that literally does both
                     too much and too little at the same time. Appending ".diff"
                     to the pull request URL could be of help.
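The threshold-plus-amplification rule from the CVE-2025-59375 entry above, as an added stand-alone C model: this is not Expat's code and calls no libexpat API. It keeps the two defaults the entry quotes (64 MiB activation threshold, maximum amplification 100.0), charges allocations against the document bytes fed so far, and fails a request the way an out-of-memory condition would once the budget is exceeded. The tracker type, its function names and the sample figures in main() are constructed for this example; the 250 KiB / 800 MiB case is the one the entry describes.

```c
/* Added example (not libexpat code): a stand-alone model of the allocation
 * tracker described in the 2.7.2 change log entry. It reproduces only the
 * decision rule from the entry: heap bytes are compared with the document
 * bytes fed so far; below the activation threshold (64 MiB) every
 * allocation passes, above it the ratio heap/input must stay within the
 * maximum amplification factor (100.0) or the request fails like an OOM. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define DEFAULT_ACTIVATION_THRESHOLD (64ULL * 1024 * 1024) /* 64 MiB */
#define DEFAULT_MAX_AMPLIFICATION    100.0                 /* heap/input */

typedef struct {
    unsigned long long bytes_input;          /* document bytes fed so far */
    unsigned long long bytes_allocated;      /* live heap charged to the parse */
    unsigned long long activation_threshold; /* below this: no enforcement */
    double max_amplification;                /* allowed heap / input ratio */
} alloc_tracker;

static void tracker_init(alloc_tracker *t) {
    t->bytes_input = 0;
    t->bytes_allocated = 0;
    t->activation_threshold = DEFAULT_ACTIVATION_THRESHOLD;
    t->max_amplification = DEFAULT_MAX_AMPLIFICATION;
}

/* Account for a chunk of input handed to the parser. */
static void tracker_add_input(alloc_tracker *t, unsigned long long n) {
    t->bytes_input += n;
}

/* Would an allocation of n more bytes still be within budget? */
static bool tracker_allows(const alloc_tracker *t, unsigned long long n) {
    unsigned long long total = t->bytes_allocated + n;
    if (total < t->bytes_allocated)
        return false;                 /* counter overflow: refuse outright */
    if (total <= t->activation_threshold)
        return true;                  /* small absolute usage is always fine */
    if (t->bytes_input == 0)
        return false;                 /* no input can justify a large heap */
    return (double)total / (double)t->bytes_input <= t->max_amplification;
}

/* malloc wrapper: NULL (i.e. "out of memory") when the budget is exceeded. */
static void *tracked_malloc(alloc_tracker *t, size_t n) {
    if (!tracker_allows(t, n))
        return NULL;
    void *p = malloc(n);
    if (p)
        t->bytes_allocated += n;
    return p;
}

static void tracked_free(alloc_tracker *t, void *p, size_t n) {
    free(p);
    t->bytes_allocated -= n;
}

/* Single-shot helper: after `input` document bytes, may `heap` bytes be
 * allocated in one go under the default limits? */
static bool would_allow(unsigned long long input, unsigned long long heap) {
    alloc_tracker t;
    tracker_init(&t);
    tracker_add_input(&t, input);
    return tracker_allows(&t, heap);
}

/* Allocate and release once through the wrapper; true if the accounting is
 * back at zero afterwards. */
static bool roundtrip_ok(void) {
    alloc_tracker t;
    tracker_init(&t);
    tracker_add_input(&t, 1024);
    void *p = tracked_malloc(&t, 4096);
    if (p == NULL)
        return false;
    tracked_free(&t, p, 4096);
    return t.bytes_allocated == 0;
}

int main(void) {
    /* Figures from the change log: ~250 KiB of input, ~800 MiB of heap. */
    printf("250 KiB -> 800 MiB: %s\n",
           would_allow(250ULL * 1024, 800ULL * 1024 * 1024) ? "allowed" : "rejected");
    /* Below the threshold the amplification factor is not consulted. */
    printf("1 KiB   -> 10 MiB:  %s\n",
           would_allow(1024, 10ULL * 1024 * 1024) ? "allowed" : "rejected");
    /* Above the threshold, factor 65 is still within 100. */
    printf("1 MiB   -> 65 MiB:  %s\n",
           would_allow(1024 * 1024, 65ULL * 1024 * 1024) ? "allowed" : "rejected");
    return roundtrip_ok() ? 0 : 1;
}
```

The real knobs are the two XML_SetAllocTracker* functions and EXPAT_MALLOC_DEBUG named in the entry; this model only makes the rejection rule visible, so a practitioner can reason about whether a legitimate workload could trip the defaults before filing the bug report the entry asks for.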
        Other changes:
      #1008 #1017  Autotools|macOS: Sync CMake templates with CMake 3.31
            #1007  CMake: Drop support for CMake <3.15
            #1004  CMake: Fix off_t detection for -Werror
            #1007  CMake|Windows: Fix -DEXPAT_MSVC_STATIC_CRT=ON
            #1013  Windows: Drop support for Visual Studio <=16.0/2019
            #1026  xmlwf: Mention supported environment variables in
                     --help output
            #1024  xmlwf: Fix (internal) help generator
            #1034  docs: Promote the contract to call function
                     XML_FreeContentModel when registering a custom
                     element declaration handler (via a call to function
                     XML_SetElementDeclHandler)
            #1027  docs: Add missing <p>..</p> wrap
             #994  docs: Drop AppVeyor badge
            #1000  tests: Fix portable_strndup
            #1036  Drop casts around malloc/free/realloc that C99 does not need
            #1010  Replace empty for loops with while loops
            #1011  Add const with internal XmlInitUnknownEncodingNS
        #14 #1037  Drop an OpenVMS support leftover
       #999 #1001  Address more clang-tidy warnings
      #1030 #1038  Version info bumped from 11:2:10 (libexpat*.so.1.10.2)
                     to 12:0:11 (libexpat*.so.1.11.0); see https://verbump.de/
                     for what these numbers do

        Infrastructure:
            #1003  CI: Cover compilation on FreeBSD
      #1009 #1035  CI: Upgrade Clang from 19 to 21
            #1031  CI: Make calling Cppcheck without --suppress=objectIndex
                     and --suppress=unknownMacro possible
            #1013  CI|Windows: Get off of deprecated image "windows-2019"
   #1008 #1017 ..
      #1023 #1025  CI: Adapt to breaking changes in GitHub Actions

        Special thanks to:
            Alexander Bluhm
            Neil Pang
            Theo Buehler
             and
            GNU Time
            OSS-Fuzz / ClusterFuzz
            Perl XML::Parser

Release 2.7.1 Thu March 27 2025
        Bug fixes:
        #980 #989  Restore event pointer behavior from Expat 2.6.4
                     (that the fix to CVE-2024-8176 changed in 2.7.0);
                     affected API functions are:
                     - XML_GetCurrentByteCount
                     - XML_GetCurrentByteIndex
                     - XML_GetCurrentColumnNumber
                     - XML_GetCurrentLineNumber
                     - XML_GetInputContext

        Other changes:
        #976 #977  Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}"
                     with Automake that were missing from 2.7.0 release tarballs
        #983 #984  Fix printf format specifiers for 32bit Emscripten
             #992  docs: Promote OpenSSF Best Practices self-certification
             #978  tests/benchmark: Resolve mistaken double close
             #986  Address Frama-C warnings
        #990 #993  Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
                     to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
                     for what these numbers do

        Infrastructure:
             #982  CI: Start running Perl XML::Parser integration tests
             #987  CI: Enforce Clang Static Analyzer clean code
             #991  CI: Re-enable warning clang-analyzer-valist.Uninitialized
                     for clang-tidy
             #981  CI: Cover compilation with musl
        #983 #984  CI: Cover compilation with 32bit Emscripten
        #976 #977  CI: Protect against fuzzer files missing from future
                     release archives

        Special thanks to:
            Berkay Eren Ürün
            Matthew Fernandez
             and
            Perl XML::Parser

Release 2.7.0 Thu March 13 2025
        Security fixes:
        #893 #973  CVE-2024-8176 -- Fix crash from chaining a large number
                     of entities caused by stack overflow by resolving use of
                     recursion, for all three uses of entities:
                     - general entities in character data ("<e>&g1;</e>")
                     - general entities in attribute values ("<e k1='&g1;'/>")
                     - parameter entities ("%p1;")
                     Known impact is (reliable and easy) denial of service:
                     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
                     (Base Score: 7.5, Temporal Score: 7.2)
                     Please note that a layer of compression around XML can
                     significantly reduce the minimum attack payload size.

        Other changes:
        #935 #937  Autotools: Make generated CMake files look for
                     libexpat.@SO_MAJOR@.dylib on macOS
             #925  Autotools: Sync CMake templates with CMake 3.29
   #945 #962 #966  CMake: Drop support for CMake <3.13
             #942  CMake: Small fuzzing related improvements
             #921  docs: Add missing documentation of error code
                     XML_ERROR_NOT_STARTED that was introduced with 2.6.4
             #941  docs: Document need for C++11 compiler for use from C++
             #959  tests/benchmark: Fix a (harmless) TOCTTOU
             #944  Windows: Fix installer target location of file xmlwf.xml
                     for CMake
             #953  Windows: Address warning -Wunknown-warning-option
                     about -Wno-pedantic-ms-format from LLVM MinGW
             #971  Address Cppcheck warnings
        #969 #970  Mass-migrate links from http:// to https://
     #947 #958 ..
        #974 #975  Document changes since the previous release
        #974 #975  Version info bumped from 11:0:10 (libexpat*.so.1.10.0)
                     to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/
                     for what these numbers do

        Infrastructure:
             #926  tests: Increase robustness
     #927 #932 ..
        #930 #933  tests: Increase test coverage
     #617 #950 ..
     #951 #952 ..
     #954 #955 ..  Fuzzing: Add new fuzzer "xml_lpm_fuzzer" based on
             #961    Google's libprotobuf-mutator ("LPM")
             #957  Fuzzing|CI: Start producing fuzzing code coverage reports
             #936  CI: Pass -q -q for LCOV >=2.1 in coverage.sh
             #942  CI: Small fuzzing related improvements
     #139 #203 ..
        #791 #946  CI: Make GitHub Actions build using MSVC on Windows and
                     produce 32bit and 64bit Windows binaries
             #956  CI: Get off of about-to-be-removed Ubuntu 20.04
        #960 #964  CI: Start uploading to Coverity Scan for static analysis
             #972  CI: Stop loading DTD from the internet to address flaky CI
             #971  CI: Adapt to breaking changes in Cppcheck

        Special thanks to:
            Alexander Gieringer
            Berkay Eren Ürün
            Hanno Böck
            Jann Horn
            Mark Brand
            Sebastian Andrzej Siewior
            Snild Dolkow
            Thomas Pröll
            Tomas Korbar
            valord577
             and
            Google Project Zero
            Linutronix
            Red Hat
            Siemens

Release 2.6.4 Wed November 6 2024
        Security fixes:
             #915  CVE-2024-50602 -- Fix crash within function XML_ResumeParser
                     from a NULL pointer dereference by disallowing function
                     XML_StopParser to (stop or) suspend an unstarted parser.
                     A new error code XML_ERROR_NOT_STARTED was introduced to
                     properly communicate this situation.  // CWE-476 CWE-754

        Other changes:
             #903  CMake: Add alias target "expat::expat"
             #905  docs: Document use via CMake >=3.18 with FetchContent
                     and SOURCE_SUBDIR and its consequences
             #902  tests: Reduce use of global parser instance
             #904  tests: Resolve duplicate handler
        #317 #918  tests: Improve tests on doctype closing (ex CVE-2019-15903)
             #914  Fix signedness of format strings
             #915  For use from C++, expat.h started requiring C++11 due to
                     use of C99 features
        #919 #920  Version info bumped from 10:3:9 (libexpat*.so.1.9.3)
                     to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/
                     for what these numbers do

        Infrastructure:
             #907  CI: Upgrade Clang from 18 to 19
             #913  CI: Drop macos-12 and add macos-15
             #910  CI: Adapt to breaking changes in GitHub Actions
             #898  Add missing entries to .gitignore

        Special thanks to:
            Hanno Böck
            José Eduardo Gutiérrez Conejo
            José Ricardo Cardona Quesada

Release 2.6.3 Wed September 4 2024
        Security fixes:
        #887 #890  CVE-2024-45490 -- Calling function XML_ParseBuffer with
                     len < 0 without noticing and then calling XML_GetBuffer
                     will have XML_ParseBuffer fail to recognize the problem
                     and XML_GetBuffer corrupt memory.
                     With the fix, XML_ParseBuffer now complains with error
                     XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse
                     has been doing since Expat 2.2.1, and now documented.
                     Impact is denial of service to potentially arbitrary code
                     execution.
        #888 #891  CVE-2024-45491 -- Internal function dtdCopy can have an
                     integer overflow for nDefaultAtts on 32-bit platforms
                     (where UINT_MAX equals SIZE_MAX).
                     Impact is denial of service to potentially arbitrary code
                     execution.
        #889 #892  CVE-2024-45492 -- Internal function nextScaffoldPart can
                     have an integer overflow for m_groupSize on 32-bit
                     platforms (where UINT_MAX equals SIZE_MAX).
                     Impact is denial of service to potentially arbitrary code
                     execution.

        Other changes:
        #851 #879  Autotools: Sync CMake templates with CMake 3.28
             #853  Autotools: Always provide path to find(1) for portability
             #861  Autotools: Ensure that the m4 directory always exists.
             #870  Autotools: Simplify handling of SIZEOF_VOID_P
             #869  Autotools: Support non-GNU sed
             #856  Autotools|CMake: Fix main() to main(void)
             #865  Autotools|CMake: Fix compile tests for HAVE_SYSCALL_GETRANDOM
             #863  Autotools|CMake: Stop requiring dos2unix
        #854 #855  CMake: Fix check for symbols size_t and off_t
             #864  docs|tests: Convert README to Markdown and update
             #741  Windows: Drop support for Visual Studio <=15.0/2017
             #886  Drop needless XML_DTD guards around is_param access
             #885  Fix typo in a code comment
        #894 #896  Version info bumped from 10:2:9 (libexpat*.so.1.9.2)
                     to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/
                     for what these numbers do

        Infrastructure:
             #880  Readme: Promote the call for help
             #868  CI: Fix various issues
             #849  CI: Allow triggering GitHub Actions workflows manually
     #851 #872 ..
        #873 #879  CI: Adapt to breaking changes in GitHub Actions

        Special thanks to:
            Alexander Bluhm
            Berkay Eren Ürün
            Dag-Erling Smørgrav
            Ferenc Géczi
            TaiYou

Release 2.6.2 Wed March 13 2024
        Security fixes:
        #839 #842  CVE-2024-28757 -- Prevent billion laughs attacks with
                     isolated use of external parsers. Please see the commit
                     message of commit 1d50b80cf31de87750103656f6eb693746854aa8
                     for details.
        Bug fixes:
        #839 #841  Reject direct parameter entity recursion
                     and avoid the related undefined behavior

        Other changes:
             #847  Autotools: Fix build for DOCBOOK_TO_MAN containing spaces
             #837  Add missing #821 and #824 to 2.6.1 change log
        #838 #843  Version info bumped from 10:1:9 (libexpat*.so.1.9.1)
                     to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/
                     for what these numbers do

        Special thanks to:
            Philippe Antoine
            Tomas Korbar
             and
            Clang UndefinedBehaviorSanitizer
            OSS-Fuzz / ClusterFuzz

Release 2.6.1 Thu February 29 2024
        Bug fixes:
             #817  Make tests independent of CPU speed, and thus more robust
        #828 #836  Expose billion laughs API with XML_DTD defined and
                     XML_GE undefined, regression from 2.6.0

        Other changes:
             #829  Hide test-only code behind new internal macro
             #833  Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P
        #821 #824  Autotools: Fix "make clean" for case:
                     ./configure --without-docbook && make clean all
             #819  Address compiler warnings
        #832 #834  Version info bumped from 10:0:9 (libexpat*.so.1.9.0)
                     to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/
                     for what these numbers do

        Infrastructure:
             #818  CI: Adapt to breaking changes in clang-format

        Special thanks to:
            David Hall
            Snild Dolkow

Release 2.6.0 Tue February 6 2024
        Security fixes:
        #789 #814  CVE-2023-52425 -- Fix quadratic runtime issues with big tokens
                     that can cause denial of service, in particular where
                     dealing with compressed XML input. Applications
                     that parsed a document in one go -- a single call to
                     functions XML_Parse or XML_ParseBuffer -- were not affected.
                     The smaller the chunks/buffers you use for parsing
                     previously, the bigger the problem prior to the fix.
                     Backporters should be careful not to omit parts of
                     pull request #789 and to include earlier pull request #771,
                     in order to not break the fix.
             #777  CVE-2023-52426 -- Fix billion laughs attacks for users
                     compiling *without* XML_DTD defined (which is not common).
                     Users with XML_DTD defined have been protected since
                     Expat >=2.4.0 (and that was CVE-2013-0340 back then).

        Bug fixes:
             #753  Fix parse-size-dependent "invalid token" error for
                     external entities that start with a byte order mark
             #780  Fix NULL pointer dereference in setContext via
                     XML_ExternalEntityParserCreate for compilation with
                     XML_DTD undefined
        #812 #813  Protect against closing entities out of order

        Other changes:
             #723  Improve support for arc4random/arc4random_buf
        #771 #788  Improve buffer growth in XML_GetBuffer and XML_Parse
        #761 #770  xmlwf: Support --help and --version
        #759 #770  xmlwf: Support custom buffer size for XML_GetBuffer and read
             #744  xmlwf: Improve language and URL clickability in help output
             #673  examples: Add new example "element_declarations.c"
             #764  Be stricter about macro XML_CONTEXT_BYTES at build time
             #765  Make inclusion to expat_config.h consistent
        #726 #727  Autotools: configure.ac: Support --disable-maintainer-mode
     #678 #705 ..
   #706 #733 #792  Autotools: Sync CMake templates with CMake 3.26
             #795  Autotools: Make installation of shipped man page doc/xmlwf.1
                     independent of docbook2man availability
             #815  Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
                     section "Cflags.private" in order to fix compilation
                     against static libexpat using pkg-config on Windows
        #724 #751  Autotools|CMake: Require a C99 compiler
                     (a de-facto requirement already since Expat 2.2.2 of 2017)
             #793  Autotools|CMake: Fix PACKAGE_BUGREPORT variable
        #750 #786  Autotools|CMake: Make test suite require a C++11 compiler
             #749  CMake: Require CMake >=3.5.0
             #672  CMake: Lowercase off_t and size_t to help a bug in Meson
             #746  CMake: Sort xmlwf sources alphabetically
             #785  CMake|Windows: Fix generation of DLL file version info
             #790  CMake: Build tests/benchmark/benchmark.c as well for
                     a build with -DEXPAT_BUILD_TESTS=ON
        #745 #757  docs: Document the importance of isFinal + adjust tests
                     accordingly
             #736  docs: Improve use of "NULL" and "null"
             #713  docs: Be specific about version of XML (XML 1.0r4)
                     and version of C (C99); (XML 1.0r5 will need a sponsor.)
             #762  docs: reference.html: Promote function XML_ParseBuffer more
             #779  docs: reference.html: Add HTML anchors to XML_* macros
             #760  docs: reference.html: Upgrade to OK.css 1.2.0
        #763 #739  docs: Fix typos
             #696  docs|CI: Use HTTPS URLs instead of HTTP at various places
     #669 #670 ..
     #692 #703 ..
        #733 #772  Address compiler warnings
        #798 #800  Address clang-tidy warnings
        #775 #776  Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
                     to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
                     for what these numbers do

        Infrastructure:
        #700 #701  docs: Document security policy in file SECURITY.md
             #766  docs: Improve parse buffer variables in-code documentation
     #674 #738 ..
     #740 #747 ..
   #748 #781 #782  Refactor coverage and conformance tests
        #714 #716  Refactor debug level variables to unsigned long
             #671  Improve handling of empty environment variable value
                     in function getDebugLevel (without visible user effect)
     #755 #774 ..
     #758 #783 ..
        #784 #787  tests: Improve test coverage with regard to parse chunk size
   #660 #797 #801  Fuzzing: Improve fuzzing coverage
        #367 #799  Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests
        #698 #721  CI: Resolve some Travis CI leftovers
             #669  CI: Be robust towards absence of Git tags
        #693 #694  CI: Set permissions to "contents: read" for security
             #709  CI: Pin all GitHub Actions to specific commits for security
             #739  CI: Reject spelling errors using codespell
             #798  CI: Enforce clang-tidy clean code
     #773 #808 ..
        #809 #810  CI: Upgrade Clang from 15 to 18
             #796  CI: Start using Clang's Control Flow Integrity sanitizer
   #675 #720 #722  CI: Adapt to breaking changes in GitHub Actions Ubuntu images
             #689  CI: Adapt to breaking changes in Clang/LLVM Debian packaging
             #763  CI: Adapt to breaking changes in codespell
             #803  CI: Adapt to breaking changes in Cppcheck

        Special thanks to:
            Ivan Galkin
            Joyce Brum
            Philippe Antoine
            Rhodri James
            Snild Dolkow
            spookyahell
            Steven Garske
             and
            Clang AddressSanitizer
            Clang UndefinedBehaviorSanitizer
            codespell
            GCC Farm Project
            OSS-Fuzz
            Sony Mobile

Release 2.5.0 Tue October 25 2022
        Security fixes:
   #616 #649 #650  CVE-2022-43680 -- Fix heap use-after-free after overeager
                     destruction of a shared DTD in function
                     XML_ExternalEntityParserCreate in out-of-memory situations.
                     Expected impact is denial of service or potentially
                     arbitrary code execution.
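The CVE-2023-52425 entry under release 2.6.0 above states that the cost grew with the number of chunks a document was delivered in, and that single-call parsing was unaffected. The following added C model, not Expat's code, shows why: a scanner that restarts from the token's first byte after every new chunk examines on the order of n^2/chunk bytes, while one that resumes where it stopped examines each byte once regardless of chunk size. The scanner functions and the constructed input (a run of name characters closed by '>') are this example's own; both scanners return the number of bytes examined so the two costs can be compared directly.

```c
/* Added example (not libexpat code): a model of the chunk-size-dependent
 * quadratic behaviour fixed in 2.6.0 (CVE-2023-52425). A single large token
 * arrives in chunks; the "before" scanner re-examines the whole buffered
 * token from its start after every chunk, the "after" scanner resumes where
 * it stopped. The input is constructed: n-1 name characters followed by
 * '>' as the token terminator. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build a constructed token of n bytes ending in '>' (caller frees). */
static char *make_token(size_t n) {
    if (n == 0)
        return NULL;
    char *buf = malloc(n);
    if (buf == NULL)
        return NULL;
    memset(buf, 'a', n - 1);
    buf[n - 1] = '>';
    return buf;
}

/* BEFORE: after each new chunk, rescan from the token's first byte.
 * Work is the sum of buffer sizes over all chunks: O(n^2 / chunk). */
static size_t scan_rescanning(const char *data, size_t total, size_t chunk) {
    size_t buffered = 0, examined = 0;
    while (buffered < total) {
        size_t add = total - buffered < chunk ? total - buffered : chunk;
        buffered += add;
        for (size_t i = 0; i < buffered; i++) {
            examined++;
            if (data[i] == '>')
                return examined;
        }
    }
    return examined;
}

/* AFTER: remember how far the token has been examined and resume there.
 * Every byte is looked at once: O(n) regardless of chunk size. */
static size_t scan_resuming(const char *data, size_t total, size_t chunk) {
    size_t buffered = 0, scanned = 0, examined = 0;
    while (buffered < total) {
        size_t add = total - buffered < chunk ? total - buffered : chunk;
        buffered += add;
        for (size_t i = scanned; i < buffered; i++) {
            examined++;
            if (data[i] == '>')
                return examined;
        }
        scanned = buffered;
    }
    return examined;
}

/* Bytes examined for an n-byte token delivered in chunk-byte pieces. */
static size_t rescanning_work(size_t n, size_t chunk) {
    char *tok = make_token(n);
    if (tok == NULL)
        return 0;
    size_t w = scan_rescanning(tok, n, chunk);
    free(tok);
    return w;
}

static size_t resuming_work(size_t n, size_t chunk) {
    char *tok = make_token(n);
    if (tok == NULL)
        return 0;
    size_t w = scan_resuming(tok, n, chunk);
    free(tok);
    return w;
}

int main(void) {
    size_t n = 1000;
    size_t chunks[] = { 1000, 100, 10, 1 }; /* one go down to byte-at-a-time */
    for (size_t k = 0; k < sizeof chunks / sizeof chunks[0]; k++)
        printf("n=%zu chunk=%-4zu rescanning=%-7zu resuming=%zu\n", n, chunks[k],
               rescanning_work(n, chunks[k]), resuming_work(n, chunks[k]));
    return 0;
}
```

With chunk == n both scanners examine exactly n bytes, which is the "parsed in one go" case the entry calls unaffected; at chunk == 1 the rescanning variant examines n(n+1)/2 bytes, which is why the entry warns that compressed input (cheap to make large) and small read buffers combined badly.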
        Bug fixes:
            #612 #645  Fix corruption from undefined entities
            #613 #654  Fix case when parsing was suspended while processing nested
                entities
            #616 #652 #653  Stop leaking opening tag bindings after a closing tag
                mismatch error where a parser is reset through
                XML_ParserReset and then reused to parse
            #656  CMake: Fix generation of pkg-config file
            #658  MinGW|CMake: Fix static library name

        Other changes:
            #663  Protect header expat_config.h from multiple inclusion
            #666  examples: Make use of XML_GetBuffer and be more
                consistent across examples
            #648  Address compiler warnings
            #667 #668  Version info bumped from 9:9:8 to 9:10:8;
                see https://verbump.de/ for what these numbers do

        Special thanks to:
            Jann Horn
            Mark Brand
            Osyotr
            Rhodri James
            and
            Google Project Zero

Release 2.4.9 Tue September 20 2022
        Security fixes:
            #629 #640  CVE-2022-40674 -- Heap use-after-free vulnerability in
                function doContent. Expected impact is denial of service
                or potentially arbitrary code execution.

        Bug fixes:
            #634  MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0
            #614  docs: Fix documentation on effect of switch XML_DTD on
                symbol visibility in doc/reference.html

        Other changes:
            #638  MinGW: Make fix-xmltest-log.sh drop more Wine bug output
            #596 #625  Autotools: Sync CMake templates with CMake 3.22
            #608  CMake: Migrate from use of CMAKE_*_POSTFIX to
                dedicated variables EXPAT_*_POSTFIX to stop affecting
                other projects
            #597 #599  Windows|CMake: Add missing -DXML_STATIC to test runners
                and fuzzers
            #512 #621  Windows|CMake: Render .def file from a template to fix
                linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
            #611 #621  MinGW|CMake: Apply MSVC .def file when linking
            #622 #624  MinGW|CMake: Sync library name with GNU Autotools,
                i.e. produce libexpat-1.dll rather than libexpat.dll
                by default. Filename libexpat.dll.a is unaffected.
            #632  MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in
                toolchain file "cmake/mingw-toolchain.cmake" to avoid
                error "windres: Command not found" on e.g. Ubuntu 20.04
            #597 #627  CMake: Unify inconsistent use of set() and option() in
                context of public build time options to take need for
                set(.. FORCE) in projects using Expat by means of
                add_subdirectory(..) off Expat's users' shoulders
            #626 #641  Stop exporting API symbols when building a static library
            #644  Resolve use of deprecated "fgrep" by "grep -F"
            #620  CMake: Make documentation on variables a bit more consistent
            #636  CMake: Drop leading whitespace from a #cmakedefine line in
                file expat_config.h.cmake
            #594  xmlwf: Fix harmless variable mix-up in function nsattcmp
            #592 #593 #610  Address Cppcheck warnings
            #643  Address Clang 15 compiler warnings
            #642 #644  Version info bumped from 9:8:8 to 9:9:8;
                see https://verbump.de/ for what these numbers do

        Infrastructure:
            #597 #598  CI: Windows: Start covering MSVC 2022
            #619  CI: macOS: Migrate off deprecated macOS 10.15
            #632  CI: Linux: Make migration off deprecated Ubuntu 18.04 work
            #643  CI: Upgrade Clang from 14 to 15
            #637  apply-clang-format.sh: Add support for BSD find
            #633  coverage.sh: Exclude MinGW headers
            #635  coverage.sh: Fix name collision for -funsigned-char

        Special thanks to:
            David Faure
            Felix Wilhelm
            Frank Bergmann
            Rhodri James
            Rosen Penev
            Thijs Schreijer
            Vincent Torri
            and
            Google Project Zero

Release 2.4.8 Mon March 28 2022
        Other changes:
            #587  pkg-config: Move "-lm" to section "Libs.private"
            #587  CMake|MSVC: Fix pkg-config section "Libs"
            #55 #582  CMake|macOS: Start using linker arguments
                "-compatibility_version <version>" and
                "-current_version <version>" in a way compatible with
                GNU Libtool
            #590 #591  Version info bumped from 9:7:8 to 9:8:8;
                see https://verbump.de/ for what these numbers do

        Infrastructure:
            #589  CI: Upgrade Clang from 13 to 14

        Special thanks to:
            evpobr
            Kai Pastor
            Sam James

Release 2.4.7 Fri March 4 2022
        Bug fixes:
            #572 #577  Relax fix to CVE-2022-25236 (introduced with release 2.4.5)
                with regard to all valid URI characters (RFC 3986),
                i.e. the following set (excluding whitespace):
                ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz
                0123456789 % -._~ :/?#[]@ !$&'()*+,;=

        Other changes:
            #555 #570 #581  CMake|Windows: Store Expat version in the DLL
            #577  Document consequences of namespace separator choices not just
                in doc/reference.html but also in header <expat.h>
            #577  Document Expat's lack of validation of namespace URIs against
                RFC 3986, and that the XML 1.0r4 specification doesn't
                require Expat to validate namespace URIs, and that Expat
                may do more in that regard in future releases.
                If you find need for strict RFC 3986 URI validation on
                application level today, https://uriparser.github.io/ may
                be of interest.
            #579  Fix documentation of XML_EndDoctypeDeclHandler in <expat.h>
            #575  Document that a call to XML_FreeContentModel can be done at
                a later time from outside the element declaration handler
            #574  Make hardcoded namespace URIs easier to find in code
            #573  Update documentation on use of XML_POOR_ENTROPY on Solaris
            #569 #571  tests: Resolve use of macros NAN and INFINITY for GNU G++
                4.8.2 on Solaris.
            #578 #580  Version info bumped from 9:6:8 to 9:7:8;
                see https://verbump.de/ for what these numbers do

        Special thanks to:
            Jeffrey Walton
            Johnny Jazeix
            Thijs Schreijer

Release 2.4.6 Sun February 20 2022
        Bug fixes:
            #566  Fix a regression introduced by the fix for CVE-2022-25313
                in release 2.4.5 that affects applications that (1)
                call function XML_SetElementDeclHandler and (2) are
                parsing XML that contains nested element declarations
                (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>").

        Other changes:
            #567 #568  Version info bumped from 9:5:8 to 9:6:8;
                see https://verbump.de/ for what these numbers do

        Special thanks to:
            Matt Sergeant
            Samanta Navarro
            Sergei Trofimovich
            and
            NixOS
            Perl XML::Parser

Release 2.4.5 Fri February 18 2022
        Security fixes:
            #562  CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
                sequences (e.g. from start tag names) to the XML
                processing application on top of Expat can cause
                arbitrary damage (e.g. code execution) depending
                on how invalid UTF-8 is handled inside the XML
                processor; validation was not their job but Expat's.
                Exploits with code execution are known to exist.
            #561  CVE-2022-25236 -- Passing (one or more) namespace separator
                characters in "xmlns[:prefix]" attribute values
                made Expat send malformed tag names to the XML
                processor on top of Expat which can cause
                arbitrary damage (e.g. code execution) depending
                on how such unexpected cases are handled inside the XML
                processor; validation was not their job but Expat's.
                Exploits with code execution are known to exist.
            #558  CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
                that could be triggered by e.g. a 2 megabytes
                file with a large number of opening braces.
                Expected impact is denial of service or potentially
                arbitrary code execution.
            #560  CVE-2022-25314 -- Fix integer overflow in function copyString;
                only affects the encoding name parameter at parser creation
                time which is often hardcoded (rather than user input),
                takes a value in the gigabytes to trigger, and a 64-bit
                machine. Expected impact is denial of service.
            #559  CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
                needs input in the gigabytes and a 64-bit machine.
                Expected impact is denial of service or potentially
                arbitrary code execution.

        Other changes:
            #557 #564  Version info bumped from 9:4:8 to 9:5:8;
                see https://verbump.de/ for what these numbers do

        Special thanks to:
            Ivan Fratric
            Samanta Navarro
            and
            Google Project Zero
            JetBrains

Release 2.4.4 Sun January 30 2022
        Security fixes:
            #550  CVE-2022-23852 -- Fix signed integer overflow
                (undefined behavior) in function XML_GetBuffer
                (that is also called by function XML_Parse internally)
                for when XML_CONTEXT_BYTES is defined to >0 (which is both
                common and default).
                Impact is denial of service or more.
            #551  CVE-2022-23990 -- Fix unsigned integer overflow in function
                doProlog triggered by large content in element type
                declarations when there is an element declaration handler
                present (from a prior call to XML_SetElementDeclHandler).
                Impact is denial of service or more.
        Bug fixes:
            #544 #545  xmlwf: Fix a memory leak on output file opening error

        Other changes:
            #546  Autotools: Fix broken CMake support under Cygwin
            #554  Windows: Add missing files to the installer to fix
                compilation with CMake from installed sources
            #552 #554  Version info bumped from 9:3:8 to 9:4:8;
                see https://verbump.de/ for what these numbers do

        Special thanks to:
            Carlo Bramini
            hwt0415
            Roland Illig
            Samanta Navarro
            and
            Clang LeakSan and the Clang team

Release 2.4.3 Sun January 16 2022
        Security fixes:
            #531 #534  CVE-2021-45960 -- Fix issues with left shifts by >=29 places
                resulting in
                  a) realloc acting as free
                  b) realloc allocating too few bytes
                  c) undefined behavior
                depending on architecture and precise value
                for XML documents with >=2^27+1 prefixed attributes
                on a single XML tag a la
                "<r xmlns:a='[..]' a:a123='[..]' [..] />"
                where XML_ParserCreateNS is used to create the parser
                (which needs argument "-n" when running xmlwf).
                Impact is denial of service, or more.
            #532 #538  CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
                on variable m_groupSize in function doProlog leading
                to realloc acting as free.
                Impact is denial of service or more.
            #539  CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
                near memory allocation at multiple places. Mitre assigned
                a dedicated CVE for each involved internal C function:
                - CVE-2022-22822 for function addBinding
                - CVE-2022-22823 for function build_model
                - CVE-2022-22824 for function defineAttribute
                - CVE-2022-22825 for function lookup
                - CVE-2022-22826 for function nextScaffoldPart
                - CVE-2022-22827 for function storeAtts
                Impact is denial of service or more.
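The 2.4.3 entries above, like the 2.4.4 XML_GetBuffer entry and the 2.4.5 copyString/storeRawNames entries, are size arithmetic that wrapped before it reached realloc or an int counter. Added example, not Expat's code: the checks below are the shape such fixes take, with mul_size_checked, pow2_bytes, realloc_array and add_len_checked as hypothetical names. A wrapped size of 0 makes realloc free the block, a small wrapped size hands back too few bytes, and a shift by the full width of the type is undefined, which are exactly the three outcomes the CVE-2021-45960 entry lists.

```c
/* Overflow-checked size arithmetic of the kind added in front of allocations
 * by the 2.4.3, 2.4.4 and 2.4.5 fixes.  Added example, not Expat's own code;
 * all function names are hypothetical. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* count * elem_size without wraparound; returns 0 on overflow. */
static int mul_size_checked(size_t count, size_t elem_size, size_t *out) {
  if (elem_size != 0 && count > SIZE_MAX / elem_size) return 0;
  *out = count * elem_size;
  return 1;
}

/* Power-of-two capacity growth as used for attribute and namespace tables.
 * Shifting an int by >= 31 is undefined and (1 << 29) * 8 wraps a 32-bit
 * size_t, so bound the shift first and compute in size_t. */
static int pow2_bytes(unsigned power, size_t elem_size, size_t *out) {
  if (power >= sizeof(size_t) * CHAR_BIT) return 0;
  return mul_size_checked((size_t)1 << power, elem_size, out);
}

/* realloc wrapper that refuses wrapped sizes.  A wrapped size of 0 would make
 * realloc() free the block ("realloc acting as free") and leave the caller
 * with a dangling pointer; a small wrapped size hands back too few bytes. */
static void *realloc_array(void *p, size_t count, size_t elem_size) {
  size_t bytes;
  if (!mul_size_checked(count, elem_size, &bytes) || bytes == 0) return NULL;
  return realloc(p, bytes);
}

/* Signed length bookkeeping like a buffer's "bytes held + bytes requested":
 * the sum must not overflow int.  Returns -1 on overflow or negative input. */
static int add_len_checked(int have, int want) {
  if (have < 0 || want < 0 || want > INT_MAX - have) return -1;
  return have + want;
}
```

On the failure branch the caller keeps its old buffer and reports an allocation error; it never retries with the wrapped value, which is what turned these arithmetic bugs into heap corruption.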
        Other changes:
            #535  CMake: Make call to file(GENERATE [..]) work for CMake <3.19
            #541  Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin
                and MSYS2 by not going through Wine on these platforms
            #527 #528  Address compiler warnings
            #533 #543  Version info bumped from 9:2:8 to 9:3:8;
                see https://verbump.de/ for what these numbers do

        Infrastructure:
            #536  CI: Check for realistic minimum CMake version
            #529 #539  CI: Cover compilation with -m32
            #529  CI: Store coverage reports as artifacts for download
            #528  CI: Upgrade Clang from 11 to 13

        Special thanks to:
            An anonymous whitehat
            Christopher Degawa
            J. Peter Mugaas
            Tyson Smith
            and
            GCC Farm Project
            Trend Micro Zero Day Initiative

Release 2.4.2 Sun December 19 2021
        Other changes:
            #509 #510  Link against libm for function "isnan"
            #513 #514  Include expat_config.h as early as possible
            #498  Autotools: Include files with release archives:
                - buildconf.sh
                - fuzz/*.c
            #507 #519  Autotools: Sync CMake templates with CMake 3.20
            #495 #524  CMake: MinGW: Fix pkg-config section "Libs" for
                - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug)
                - multi-config CMake generators (e.g. Ninja Multi-Config)
            #502 #503  docs: Document that function XML_GetBuffer may return NULL
                when asking for a buffer of 0 (zero) bytes size
            #522 #523  docs: Fix return value docs for both
                XML_SetBillionLaughsAttackProtection* functions
            #525 #526  Version info bumped from 9:1:8 to 9:2:8;
                see https://verbump.de/ for what these numbers do

        Special thanks to:
            Donghee Na
            Joergen Ibsen
            Kai Pastor

Release 2.4.1 Sun May 23 2021
        Bug fixes:
            #488 #490  Autotools: Fix installed header expat_config.h for multilib
                systems; regression introduced in 2.4.0 by pull request #486

        Other changes:
            #491 #492  Version info bumped from 9:0:8 to 9:1:8;
                see https://verbump.de/ for what these numbers do

        Special thanks to:
            Gentoo's QA check "multilib_check_headers"

Release 2.4.0 Sun May 23 2021
        Security fixes:
            #34 #466 #484  CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
                (denial-of-service; flavors targeting CPU time or RAM or both,
                leveraging general entities or parameter entities or both)
                by tracking and limiting the input amplification factor
                (<amplification> := (<direct> + <indirect>) / <direct>).
                By conservative default, amplification up to a factor of 100.0
                is tolerated and rejection only starts after 8 MiB of output bytes
                (=<direct> + <indirect>) have been processed.
                The fix adds the following to the API:
                - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
                  signal this specific condition.
                - Two new API functions ..
                  - XML_SetBillionLaughsAttackProtectionMaximumAmplification and
                  - XML_SetBillionLaughsAttackProtectionActivationThreshold
                  .. to further tighten billion laughs protection parameters
                  when desired. Please see file "doc/reference.html" for details.
                  If you ever need to increase the defaults for non-attack XML
                  payload, please file a bug report with libexpat.
                - Two new XML_FEATURE_* constants ..
                  - that can be queried using the XML_GetFeatureList function, and
                  - that are shown in "xmlwf -v" output.
                - Two new environment variable switches ..
                  - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
                  - EXPAT_ENTITY_DEBUG=(0|1)
                  .. for runtime debugging of accounting and entity processing.
                  Specific behavior of these values may change in the future.
                - Two new command line arguments "-a FACTOR" and "-b BYTES"
                  for xmlwf to further tighten billion laughs protection
                  parameters when desired.
                  If you ever need to increase the defaults for non-attack XML
                  payload, please file a bug report with libexpat.

        Bug fixes:
            #332 #470  For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake)
                or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault
                for UTF-16 payloads containing CDATA sections.
            #485 #486  Autotools: Fix generated CMake files for non-64bit and
                non-Linux platforms (e.g. macOS and MinGW in particular)
                that were introduced with release 2.3.0

        Other changes:
            #468 #469  xmlwf: Improve help output and the xmlwf man page
            #463  xmlwf: Improve maintainability through some refactoring
            #477  xmlwf: Fix man page DocBook validity
            #456  Autotools: Sync CMake templates with CMake 3.18
            #458 #459  CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR
                and CMAKE_INSTALL_INCLUDEDIR
            #471 #481  CMake: Add support for standard variable BUILD_SHARED_LIBS
            #457  Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters
            #467  Resolve macro HAVE_EXPAT_CONFIG_H
            #472  Delete unused legacy helper file "conftools/PrintPath"
            #473 #483  Improve attribution
            #464 #465 #477  doc/reference.html: Fix XHTML validity
            #475 #478  doc/reference.html: Replace the 90s look by OK.css
            #479  Version info bumped from 8:0:7 to 9:0:8
                due to addition of new symbols and error codes;
                see https://verbump.de/ for what these numbers do

        Infrastructure:
            #456  CI: Enable periodic runs
            #457  CI: Start covering the list of exported symbols
            #474  CI: Isolate coverage task
            #476 #482  CI: Adapt to breaking changes in image "ubuntu-18.04"
            #477  CI: Cover well-formedness and DocBook/XHTML validity
                of doc/reference.html and doc/xmlwf.xml

        Special thanks to:
            Dimitry Andric
            Eero Helenius
            Nick Wellnhofer
            Rhodri James
            Tomas Korbar
            Yury Gribov
            and
            Clang LeakSan
            JetBrains
            OSS-Fuzz

Release 2.3.0 Thu March 25 2021
        Bug fixes:
            #438  When calling XML_ParseBuffer without a prior successful call to
                XML_GetBuffer as a user, no longer trigger undefined behavior
                (by adding an integer to a NULL pointer) but rather return
                XML_STATUS_ERROR and set the error code to (new) code
                XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer)
                of Clang 11 (but not Clang 9).
            #444  xmlwf: Exit status 2 was used for both:
                - malformed input files (documented) and
                - invalid command-line arguments (undocumented).
                The case of invalid command-line arguments now
                has its own exit status 4, resolving the ambiguity.

        Other changes:
            #439  xmlwf: Add argument -k to allow continuing after
                non-fatal errors
            #439  xmlwf: Add section about exit status to the -h help output
            #422 #426 #447  Windows: Drop support for Visual Studio <=14.0/2015
            #434  Windows: CMake: Detect unsupported Visual Studio at
                configure time (rather than at compile time)
            #382 #428  testrunner: Make verbose mode (argument "-v") report
                about passed tests, and make default mode report about
                failures, as well.
            #442  CMake: Call "enable_language(CXX)" prior to tinkering
                with CMAKE_CXX_* variables
            #448  Document use of libexpat from a CMake-based project
            #451  Autotools: Install CMake files as generated by CMake 3.19.6
                so that users with "find_package(expat [..] CONFIG [..])"
                are served on distributions that are *not* using the CMake
                build system inside for libexpat packaging
            #436 #437  Autotools: Drop obsolescent macro AC_HEADER_STDC
            #450 #452  Autotools: Resolve use of obsolete macro AC_CONFIG_HEADER
            #441  Address compiler warnings
            #443  Version info bumped from 7:12:6 to 8:0:7
                due to addition of error code XML_ERROR_NO_BUFFER
                (see https://verbump.de/ for what these numbers do)

        Infrastructure:
            #435 #446  Replace Travis CI by GitHub Actions

        Special thanks to:
            Alexander Richardson
            Oleksandr Popovych
            Thomas Beutlich
            Tim Bray
            and
            Clang LeakSan, Clang 11 UBSan and the Clang team

Release 2.2.10 Sat October 3 2020
        Bug fixes:
            #390 #395 #398  Fix undefined behavior during parsing caused by
                pointer arithmetic with NULL pointers
            #404 #405  Fix reading uninitialized variable during parsing
            #406  xmlwf: Add missing check for malloc NULL return

        Other changes:
            #396  Windows: Drop support for Visual Studio <=8.0/2005
            #409  Windows: Add missing file "Changes" to the installer
                to fix compilation with CMake from installed sources
            #403  xmlwf: Document exit codes in xmlwf manpage and
                exit with code 3 (rather than code 1) for output errors
                when used with "-d DIRECTORY"
            #356 #359  MinGW: Provide declaration of rand_s for mingwrt <5.3.0
            #383 #392  Autotools: Use -Werror while configure tests the compiler
                for supported compile flags to avoid false positives
            #383 #393 #394  Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS,
                e.g. ensure that they have the last word over flags added
                while running ./configure
            #360  CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis
                on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
            #360  CMake: Detect and deny unsupported build combinations
                involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
            #360  CMake: Install pre-compiled shipped xmlwf.1 manpage in case
                of -DEXPAT_BUILD_DOCS=OFF
            #375 #380 #419  CMake: Fix use of Expat by means of add_subdirectory
            #407 #408  CMake: Keep expat target name constant at "expat"
                (i.e. refrain from using the target name to control
                build artifact filenames)
            #385  CMake: Fix compilation with -DEXPAT_SHARED_LIBS=OFF for
                Windows
                  CMake: Expose man page compilation as target "xmlwf-manpage"
            #413 #414  CMake: Introduce option EXPAT_BUILD_PKGCONFIG
                to control generation of pkg-config file "expat.pc"
            #424  CMake: Add minimalistic support for building binary packages
                with CMake target "package"; based on CPack
            #366  CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with
                default OFF to build fuzzer code against OSS-Fuzz and
                related environment variable LIB_FUZZING_ENGINE
            #354  Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF, each
            #354 #355 ..
            #356 #412  Address compiler warnings
            #368 #369  Address pngcheck warnings with doc/*.png images
            #425  Version info bumped from 7:11:6 to 7:12:6

        Special thanks to:
            asavah
            Ben Wagner
            Bhargava Shastry
            Frank Landgraf
            Jeffrey Walton
            Joe Orton
            Kleber Tarcísio
            Ma Lin
            Maciej Sroczyński
            Mohammed Khajapasha
            Vadim Zeitlin
            and
            Cppcheck 2.0 and the Cppcheck team

Release 2.2.9 Wed September 25 2019
        Other changes:
                  examples: Drop executable bits from elements.c
            #349  Windows: Change the name of the Windows DLLs from expat*.dll
                to libexpat*.dll once more (regression from 2.2.8, first
                fixed in 1.95.3, issue #61 on SourceForge today,
                was issue #432456 back then); needs a fix due to
                case-insensitive file systems on Windows and the fact that
                Perl's XML::Parser::Expat compiles into Expat.dll.
            #347  Windows: Only define _CRT_RAND_S if not defined
                  Version info bumped from 7:10:6 to 7:11:6

        Special thanks to:
            Ben Wagner

Release 2.2.8 Fri September 13 2019
        Security fixes:
            #317 #318  CVE-2019-15903 -- Fix heap overflow triggered by
                XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber),
                and deny internal entities closing the doctype;
                fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43

        Bug fixes:
            #240  Fix cases where XML_StopParser did not have any effect
                when called from inside of an end element handler
            #341  xmlwf: Fix exit code for operation without "-d DIRECTORY";
                previously, only "-d DIRECTORY" would give you a proper
                exit code:
                  # xmlwf -d . <<<'<not well-formed>' 2>/dev/null ; echo $?
                  2
                  # xmlwf <<<'<not well-formed>' 2>/dev/null ; echo $?
                  0
                Now both cases return exit code 2.
        Other changes:
            #299 #302  Windows: Replace LoadLibrary hack to access
                unofficial API function SystemFunction036 (RtlGenRandom)
                by using official API function rand_s (needs WinXP+)
            #325  Windows: Drop support for Visual Studio <=7.1/2003
                and document supported compilers in README.md
            #286  Windows: Remove COM code from xmlwf; in case it turns
                out needed later, there will be a dedicated repository
                below https://github.com/libexpat/ for that code
            #322  Windows: Remove explicit MSVC solution and project files.
                You can generate Visual Studio solution files through
                CMake, e.g.: cmake -G"Visual Studio 15 2017" .
            #338  xmlwf: Make "xmlwf -h" help output more friendly
            #339  examples: Improve elements.c
            #244 #264  Autotools: Add argument --enable-xml-attr-info
            #239 #301  Autotools: Add arguments
                  --with-getrandom
                  --without-getrandom
                  --with-sys-getrandom
                  --without-sys-getrandom
            #312 #343  Autotools: Fix linking issues with "./configure LD=clang"
                  Autotools: Fix "make run-xmltest" for out-of-source builds
            #329 #336  CMake: Pull all options from Expat <=2.2.7 into namespace
                prefix EXPAT_ with the exception of DOCBOOK_TO_MAN:
                - BUILD_doc -> EXPAT_BUILD_DOCS (plural)
                - BUILD_examples -> EXPAT_BUILD_EXAMPLES
                - BUILD_shared -> EXPAT_SHARED_LIBS
                - BUILD_tests -> EXPAT_BUILD_TESTS
                - BUILD_tools -> EXPAT_BUILD_TOOLS
                - DOCBOOK_TO_MAN -> DOCBOOK_TO_MAN (unchanged)
                - INSTALL -> EXPAT_ENABLE_INSTALL
                - MSVC_USE_STATIC_CRT -> EXPAT_MSVC_STATIC_CRT
                - USE_libbsd -> EXPAT_WITH_LIBBSD
                - WARNINGS_AS_ERRORS -> EXPAT_WARNINGS_AS_ERRORS
                - XML_CONTEXT_BYTES -> EXPAT_CONTEXT_BYTES
                - XML_DEV_URANDOM -> EXPAT_DEV_URANDOM
                - XML_DTD -> EXPAT_DTD
                - XML_NS -> EXPAT_NS
                - XML_UNICODE -> EXPAT_CHAR_TYPE=ushort (!)
                - XML_UNICODE_WCHAR_T -> EXPAT_CHAR_TYPE=wchar_t (!)
            #244 #264  CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF),
                default OFF
            #326  CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF),
                default OFF
            #328  CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF),
                default OFF
            #239 #277  CMake: Add arguments
                  -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO
                  -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO
            #326  CMake: Install expat_config.h to include directory
            #326  CMake: Generate and install configuration files for
                future find_package(expat [..] CONFIG [..])
                  CMake: Now produces a summary of applied configuration
                  CMake: Require C++ compiler only when tests are enabled
            #330  CMake: Fix compilation for 16bit character types,
                i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
            #265  CMake: Fix linking with MinGW
            #330  CMake: Add full support for MinGW; to enable, use
                -DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake
            #330  CMake: Port "make run-xmltest" from GNU Autotools to CMake
            #316  CMake: Windows: Make binary postfix match MSVC
                  Old: expat[d].lib
                  New: expat[w][d][MD|MT].lib
                  CMake: Migrate files from Windows to Unix line endings
            #308  CMake: Integrate OSS-Fuzz fuzzers, option
                -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF
            #14  Drop an OpenVMS support leftover
            #235 #268 ..
            #270 #310 ..
            #313 #331 #333  Address compiler warnings
            #282 #283 ..
            #284 #285  Address cppcheck warnings
            #294 #295  Address Clang Static Analyzer warnings
            #24 #293  Mass-apply clang-format 9 (and ensure conformance during CI)
                  Version info bumped from 7:9:6 to 7:10:6

        Special thanks to:
            David Loffredo
            Joonun Jang
            Kishore Kunche
            Marco Maggi
            Mitch Phillips
            Mohammed Khajapasha
            Rolf Ade
            xantares
            Zhongyuan Zhou

Release 2.2.7 Wed June 19 2019
        Security fixes:
            #186 #262  CVE-2018-20843 -- Fix extraction of namespace prefixes from
                XML names; XML names with multiple colons could end up in
                the wrong namespace, and take a high amount of RAM and CPU
                resources while processing, opening the door to
                use for denial-of-service attacks

        Other changes:
            #195 #197  Autotools/CMake: Utilize -fvisibility=hidden to stop
                exporting non-API symbols
            #227  Autotools: Add --without-examples and --without-tests
            #228  Autotools: Modernize configure.ac
            #245 #246  Autotools: Fix check for -fvisibility=hidden for Clang
            #247 #248  Autotools: Fix compilation for lack of docbook2x-man
            #236 #258  Autotools: Produce .tar.{gz,lz,xz} release archives
            #212  CMake: Make libdir of pkgconfig expat.pc support multilib
            #158 #263  CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR
            #219  Remove fallback to bcopy, assume that memmove(3) exists
            #257  Use portable "/usr/bin/env bash" shebang (e.g. for OpenBSD)
            #243  Windows: Fix syntax of .def module definition files
                  Version info bumped from 7:8:6 to 7:9:6

        Special thanks to:
            Benjamin Peterson
            Caolán McNamara
            Hanno Böck
            KangLin
            Kishore Kunche
            Marco Maggi
            Rhodri James
            Sebastian Dröge
            userwithuid
            Yury Gribov

Release 2.2.6 Sun August 12 2018
        Bug fixes:
            #170 #206  Avoid doing arithmetic with NULL pointers in XML_GetBuffer
            #204 #205  Fix 2.2.5 regression with suspend-resume while parsing
                a document like '<root/>'

        Other changes:
            #165 #168  Autotools: Fix docbook-related configure syntax error
            #166  Autotools: Avoid grep option `-q` for Solaris
            #167  Autotools: Support
                ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation"
            #159 #167  Autotools: Support DOCBOOK_TO_MAN command which produces
                xmlwf.1 rather than XMLWF.1; also covers case insensitive
                file systems
            #181  Autotools: Drop -rpath option passed to libtool
            #188  Autotools: Detect and deny SGML docbook2man as ours is XML
            #188  Autotools/CMake: Support command db2x_docbook2man as well
            #174  CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF
            #184 #185  CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF
            #207 #208  CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T,
                both defaulting to OFF
            #175  CMake: Prefer check_symbol_exists over check_function_exists
            #176  CMake: Create the same pkg-config file as with GNU Autotools
            #178 #179  CMake: Use GNUInstallDirs module to set proper defaults for
                install directories
            #208  CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM
            #180  Windows: Fix compilation of test suite for Visual Studio 2008
            #131 #173 #202  Address compiler warnings
            #187 #190 #200  Fix miscellaneous typos
                  Version info bumped from 7:7:6 to 7:8:6

        Special thanks to:
            Anton Maklakov
            Benjamin Peterson
            Brad King
            Franek Korta
            Frank Rast
            Joe Orton
            luzpaz
            Pedro Vicente
            Rainer Jung
            Rhodri James
            Rolf Ade
            Rolf Eike Beer
            Thomas Beutlich
            Tomasz Kłoczko

Release 2.2.5 Tue October 31 2017
        Bug fixes:
            #8  If the parser runs out of memory, make sure its internal
                state reflects the memory it actually has, not the memory
                it wanted to have.
            #11  The default handler wasn't being called when it should for
                a SYSTEM or PUBLIC doctype if an entity declaration handler
                was registered.
            #137 #138  Fix a case of mistakenly reported parsing success where
                XML_StopParser was called from an element handler
            #162  Function XML_ErrorString was returning NULL rather than
                a message for code XML_ERROR_INVALID_ARGUMENT
                introduced with release 2.2.1

        Other changes:
            #106  xmlwf: Add argument -N adding notation declarations
            #75 #106  Test suite: Resolve expected failure cases where xmlwf
                output was incomplete
            #127  Windows: Fix test suite compilation
            #126 #127  Windows: Fix compilation for Visual Studio 2012
                  Windows: Upgrade shipped project files to Visual Studio 2017
            #33 #132  tests: Mass-fix compilation for XML_UNICODE_WCHAR_T
            #129  examples: Fix compilation for XML_UNICODE_WCHAR_T
            #130  benchmark: Fix compilation for XML_UNICODE_WCHAR_T
            #144  xmlwf: Fix compilation for XML_UNICODE_WCHAR_T; still needs
                Windows or MinGW for 2-byte wchar_t
            #9  Address two Clang Static Analyzer false positives
            #59  Resolve troublesome macros hiding parser struct membership
                and dereferencing that pointer
            #6  Resolve superfluous internal malloc/realloc switch
            #153 #155  Improve docbook2x-man detection
            #160  Undefine NDEBUG in the test suite (rather than rejecting it)
            #161  Address compiler warnings
                  Version info bumped from 7:6:6 to 7:7:6

        Special thanks to:
            Benbuck Nason
            Hans Wennborg
            José Gutiérrez de la Concha
            Pedro Monreal Gonzalez
            Rhodri James
            Rolf Ade
            Stephen Groat
            and
            Core Infrastructure Initiative

Release 2.2.4 Sat August 19 2017
        Bug fixes:
            #115  Fix copying of partial characters for UTF-8 input

        Other changes:
            #109  Fix "make check" for non-x86 architectures that default
                to unsigned type char (0..255 rather than -128..127)
            #109  coverage.sh: Cover -funsigned-char
                  Autotools: Introduce --without-xmlwf argument
            #65  Autotools: Replace handwritten Makefile with GNU Automake
            #43  CMake: Auto-detect high quality entropy extractors, add new
                option USE_libbsd=ON to use arc4random_buf of libbsd
            #74  CMake: Add -fno-strict-aliasing only where supported
            #114  CMake: Always honor manually set BUILD_* options
            #114  CMake: Compile man page if docbook2x-man is available, only
            #117  Include file tests/xmltest.log.expected in source tarball
                (required for "make run-xmltest")
            #117  Include (existing) Visual Studio 2013 files in source tarball
                  Improve test suite error output
            #111  Fix some typos in documentation
                  Version info bumped from 7:5:6 to 7:6:6

        Special thanks to:
            Jakub Wilk
            Joe Orton
            Lin Tian
            Rolf Eike Beer

Release 2.2.3 Wed August 2 2017
        Security fixes:
            #82  CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability
                using Steve Holme's LoadLibrary wrapper for/of cURL

        Bug fixes:
            #85  Fix a dangling pointer issue related to realloc

        Other changes:
                  Increase code coverage
            #91  Linux: Allow getrandom to fail if nonblocking pool has not
                yet been initialized and read /dev/urandom then, instead.
                This is in line with what recent Python does.
             #81  Pre-10.7/Lion macOS: Support entropy from arc4random
             #86  Check that a UTF-16 encoding in an XML declaration has the
                  right endianness
       #4 #5 #7  Recover correctly when some reallocations fail
                  Repair "./configure && make" for systems without any
                  provider of high quality entropy
                  and try reading /dev/urandom on those
                  Ensure that user-defined character encodings have converter
                  functions when they are needed
                  Fix misleading description of argument -c in xmlwf.1
                  Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__)
                  for CloudABI
            #100  Fix use of SIPHASH_MAIN in siphash.h
             #23  Test suite: Fix memory leaks
                  Version info bumped from 7:4:6 to 7:5:6

        Special thanks to:
            Chanho Park
            Joe Orton
            Pascal Cuoq
            Rhodri James
            Simon McVittie
            Vadim Zeitlin
            Viktor Szakats
          and
            Core Infrastructure Initiative

Release 2.2.2 Wed July 12 2017
        Security fixes:
             #43  Protect against compilation without any source of high
                  quality entropy enabled, e.g. with CMake build system;
                  commit ff0207e6076e9828e536b8d9cd45c9c92069b895
             #60  Windows with _UNICODE:
                  Unintended use of LoadLibraryW with a non-wide string
                  resulted in failure to load advapi32.dll and degradation
                  in quality of used entropy when compiled with _UNICODE for
                  Windows; you can launch existing binaries with
                  EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the
                  quality of entropy used during runtime; commits
                  * 95b95032f907ef1cd17ee7a9a1768010a825d61d
                  * 73a5a2e9c081f49f2d775cf7ced864158b68dc80
       [MOX-006]  Fix non-NULL parser parameter validation in XML_Parse;
                  resulted in NULL dereference, previously;
                  commit ac256dafdffc9622ab0dc2c62fcecb0dfcfa71fe

        Bug fixes:
             #69  Fix improper use of unsigned long long integer literals

        Other changes:
             #73  Start requiring a C99 compiler
             #49  Fix "==" Bashism in configure script
             #50  Fix too eager getrandom detection for Debian GNU/kFreeBSD
             #52  and macOS
             #51  Address lack of stdint.h in Visual Studio 2003 to 2008
             #58  Address compile warnings
             #68  Fix "./buildconf.sh && ./configure" for some versions
                  of Dash for /bin/sh
             #72  CMake: Ease use of Expat in context of a parent project
                  with multiple CMakeLists.txt files
             #72  CMake: Resolve mistaken executable permissions
             #76  Address compile warning with -DNDEBUG (not recommended!)
             #77  Address compile warning about macro redefinition

        Special thanks to:
            Alexander Bluhm
            Ben Boeckel
            Cătălin Răceanu
            Kerin Millar
            László Böszörményi
            S. P. Zeidler
            Segev Finer
            Václav Slavík
            Victor Stinner
            Viktor Szakats
          and
            Radically Open Security

Release 2.2.1 Sat June 17 2017
        Security fixes:
                  CVE-2017-9233 -- External entity infinite loop DoS
                    Details: https://libexpat.github.io/doc/cve-2017-9233/
                    Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
       [MOX-002]  CVE-2016-9063 -- Detect integer overflow; commit
                  d4f735b88d9932bd5039df2335eefdd0723dbe20
                  (Fixed version of existing downstream patches!)
  (SF.net) #539   Fix regression from fix to CVE-2016-0718 cutting off
                  longer tag names; commits
                  * 896b6c1fd3b842f377d1b62135dccf0a579cf65d
                  * af507cef2c93cb8d40062a0abe43a4f4e9158fb2
             #16  * 0dbbf43fdb20f593ddf4fa1ff67288000dd4a7fd
             #25  More integer overflow detection (function poolGrow); commits
                  * 810b74e4703dcfdd8f404e3cb177d44684775143
                  * 44178553f3539ce69d34abee77a05e879a7982ac
       [MOX-002]  Detect overflow from len=INT_MAX call to XML_Parse; commits
                  * 4be2cb5afcc018d996f34bbbce6374b7befad47f
                  * 7e5b71b748491b6e459e5c9a1d090820f94544d8
   [MOX-005] #30  Use high quality entropy for hash initialization:
                  * arc4random_buf on BSD, systems with libbsd
                    (when configured with --with-libbsd), CloudABI
                  * RtlGenRandom on Windows XP / Server 2003 and later
                  * getrandom on Linux 3.17+
                  In a way, that's still part of CVE-2016-5300.
                  https://github.com/libexpat/libexpat/pull/30/commits
       [MOX-005]  For the low quality entropy extraction fallback code,
                  the parser instance address can no longer leak, commit
                  04ad658bd3079dd15cb60fc67087900f0ff4b083
       [MOX-003]  Prevent use of uninitialised variable; commit
       [MOX-004]  a4dc944f37b664a3ca7199c624a98ee37babdb4b
                  Add missing parameter validation to public API functions
                  and dedicated error code XML_ERROR_INVALID_ARGUMENT:
       [MOX-006]  * NULL checks; commits
                    * d37f74b2b7149a3a95a680c4c4cd2a451a51d60a (merge/many)
                    * 9ed727064b675b7180c98cb3d4f75efba6966681
                    * 6a747c837c50114dfa413994e07c0ba477be4534
                  * Negative length (XML_Parse); commit
       [MOX-002]    70db8d2538a10f4c022655d6895e4c3e78692e7f
   [MOX-001] #35  Change hash algorithm to William Ahern's version of SipHash
                  to go further with fixing CVE-2012-0876.
                  https://github.com/libexpat/libexpat/pull/39/commits

        Bug fixes:
             #32  Fix sharing of hash salt across parsers;
                  relevant where XML_ExternalEntityParserCreate is called
                  prior to XML_Parse, in particular (e.g. FBReader)
             #28  xmlwf: Auto-disable use of memory-mapping (and parsing
                  as a single chunk) for files larger than ~1 GB (2^30 bytes)
                  rather than failing with error "out of memory"
              #3  Fix double free after malloc failure in DTD code; commit
                  7ae9c3d3af433cd4defe95234eae7dc8ed15637f
             #17  Fix memory leak on parser error for unbound XML attribute
                  prefix with new namespaces defined in the same tag;
                  found by Google's OSS-Fuzz; commits
                  * 16f87daae5a16132e479e4f71862128c7a915c73
                  * b47dbc9745932c160893d433220e462bd605f8cd
                  xmlwf on Windows: Add missing calls to CloseHandle

        New features:
             #30  Introduced environment switch EXPAT_ENTROPY_DEBUG=1
                  for runtime debugging of entropy extraction

        Other changes:
                  Increase code coverage
             #33  Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2;
                  XML_UNICODE_WCHAR_T was never meant to be used outside
                  of Windows; 4-byte wchar_t is common on Linux
  (SF.net) #538   Start using -fno-strict-aliasing
  (SF.net) #540   Support compilation against cloudlibc of CloudABI
                  Allow MinGW cross-compilation
  (SF.net) #534   CMake: Introduce option "BUILD_doc" (enabled by default)
                  to bypass compilation of the xmlwf.1 man page
  (SF.net) pr2    CMake: Introduce option "INSTALL" (enabled by default)
                  to bypass installation of expat files
                  CMake: Fix ninja support
                  Autotools: Add parameters --enable-xml-context [COUNT]
                  and --disable-xml-context; default of context of 1024
                  bytes enabled unchanged
             #14  Drop AmigaOS 4.x code and includes
             #14  Drop ancient build systems:
                  * Borland C++ Builder
                  * OpenVMS
                  * Open Watcom
                  * Visual Studio 6.0
                  * Pre-X Mac OS (MPW Makefile)
                  If you happen to rely on some of these, please get in
                  touch for joining with maintenance.
             #10  Move from WIN32 to _WIN32
             #13  Fix "make run-xmltest" order instability
                  Address compile warnings
                  Bump version info from 7:2:6 to 7:3:6
                  Add AUTHORS file

        Infrastructure:
              #1  Migrate from SourceForge to GitHub (except downloads):
                  https://github.com/libexpat/
              #1  Re-create http://libexpat.org/ project website
                  Start utilizing Travis CI

        Special thanks to:
            Andy Wang
            Don Lewis
            Ed Schouten
            Karl Waclawek
            Pascal Cuoq
            Rhodri James
            Sergei Nikulov
            Tobias Taschner
            Viktor Szakats
          and
            Core Infrastructure Initiative
            Mozilla Foundation (MOSS Track 3: Secure Open Source)
            Radically Open Security

Release 2.2.0 Tue June 21 2016
        Security fixes:
            #537  CVE-2016-0718 -- Fix crash on malformed input
                  CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
                  CVE-2015-2716 introduced with Expat 2.1.1
            #499  CVE-2016-5300 -- Use more entropy for hash initialization
                  than the original fix to CVE-2012-0876
            #519  CVE-2012-6702 -- Resolve troublesome internal call to srand
                  that was introduced with Expat 2.1.0
                  when addressing CVE-2012-0876 (issue #496)

        Bug fixes:
                  Fix uninitialized reads of size 1
                  (e.g. in little2_updatePosition)
                  Fix detection of UTF-8 character boundaries

        Other changes:
            #532  Fix compilation for Visual Studio 2010 (keyword "C99")
                  Autotools: Resolve use of "$<" to better support bmake
                  Autotools: Add QA script "qa.sh" (and make target "qa")
                  Autotools: Respect CXXFLAGS if given
                  Autotools: Fix "make run-xmltest"
                  Autotools: Have "make run-xmltest" check for expected output
             p90  CMake: Fix static build (BUILD_shared=OFF) on Windows
            #536  CMake: Add soversion, support -DNO_SONAME=yes to bypass
            #323  CMake: Add suffix "d" to differentiate debug from release
                  CMake: Define WIN32 with CMake on Windows
                  Annotate memory allocators for GCC
                  Address all currently known compile warnings
                  Make sure that API symbols remain visible despite
                  -fvisibility=hidden
                  Remove executable flag from source files
                  Resolve COMPILED_FROM_DSP in favor of WIN32

        Special thanks to:
            Björn Lindahl
            Christian Heimes
            Cristian Rodríguez
            Daniel Krügler
            Gustavo Grieco
            Karl Waclawek
            László Böszörményi
            Marco Grassi
            Pascal Cuoq
            Sergei Nikulov
            Thomas Beutlich
            Warren Young
            Yann Droneaud

Release 2.1.1 Sat March 12 2016
        Security fixes:
            #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer

        Bug fixes:
            #502: Fix potential null pointer dereference
            #520: Symbol XML_SetHashSalt was not exported
                  Output of "xmlwf -h" was incomplete

        Other changes:
            #503: Document behavior of calling XML_SetHashSalt with salt 0
                  Minor improvements to man page xmlwf(1)
                  Improvements to the experimental CMake build system
                  libtool now invoked with --verbose

Release 2.1.0 Sat March 24 2012
        - Security fixes:
          #2958794: CVE-2012-1148 - Memory leak in poolGrow.
          #2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
          #3496608: CVE-2012-0876 - Hash DOS attack.
          #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
          #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
        - Bug Fixes:
          #1742315: Harmful XML_ParserCreateNS suggestion.
          #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
          #1983953, 2517952, 2517962, 2649838:
                    Build modifications using autoreconf instead of buildconf.sh.
          #2815947, #2884086: OBJEXT and EXEEXT support while building.
          #2517938: xmlwf should return non-zero exit status if not well-formed.
          #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
          #2855609: Dangling positionPtr after error.
          #2990652: CMake support.
          #3010819: UNEXPECTED_STATE with a trailing "%" in entity value.
          #3206497: Uninitialized memory returned from XML_Parse.
          #3287849: make check fails on mingw-w64.
        - Patches:
          #1749198: pkg-config support.
          #3010222: Fix for bug #3010819.
          #3312568: CMake support.
          #3446384: Report byte offsets for attr names and values.
        - New Features / API changes:
          Added new API member XML_SetHashSalt() that allows setting an initial
          value (salt) for hash calculations. This is part of the fix for
          bug #3496608 to randomize hash parameters.
          When compiled with XML_ATTR_INFO defined, adds new API member
          XML_GetAttributeInfo() that allows retrieving the byte
          offsets for attribute names and values (patch #3446384).
          Added CMake build system.
          See bug #2990652 and patch #3312568.
          Added run-benchmark target to Makefile.in - relies on testdata module
          present in the same relative location as in the repository.

Release 2.0.1 Tue June 5 2007
        - Fixed bugs #1515266, #1515600: The character data handler's calling
          of XML_StopParser() was not handled properly; if the parser was
          stopped and the handler set to NULL, the parser would segfault.
        - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed
          some character constants to be ASCII encoded.
        - Minor cleanups of the test harness.
        - Fixed xmlwf bug #1513566: "out of memory" error on file size zero.
        - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call.
        - Fixes and improvements for Windows platform:
          bugs #1409451, #1476160, #1548182, #1602769, #1717322.
        - Build fixes for various platforms:
          HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180.
          All Unix: #1554618 (refreshed config.sub/config.guess).
          #1490371, #1613457: support both DESTDIR and INSTALL_ROOT,
          without relying on GNU-Make specific features.
          #1647805: Patched configure.in to work better with Intel compiler.
        - Fixes to Makefile.in to have make check work correctly:
          bugs #1408143, #1535603, #1536684.
        - Added Open Watcom support: patch #1523242.

Release 2.0.0 Wed Jan 11 2006
        - We no longer use the "check" library for C unit testing; we
          always use the (partial) internal implementation of the API.
        - Report XML_NS setting via XML_GetFeatureList().
        - Fixed headers for use from C++.
        - XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber()
          now return unsigned integers.
        - Added XML_LARGE_SIZE switch to enable 64-bit integers for
          byte indexes and line/column numbers.
        - Updated to use libtool 1.5.22 (the most recent).
        - Added support for AmigaOS.
        - Some mostly minor bug fixes. SF issues include: #1006708,
          #1021776, #1023646, #1114960, #1156398, #1221160, #1271642.

Release 1.95.8 Fri Jul 23 2004
        - Major new feature: suspend/resume. Handlers can now request
          that a parse be suspended for later resumption or aborted
          altogether. See "Temporarily Stopping Parsing" in the
          documentation for more details.
        - Some mostly minor bug fixes, but compilation should no
          longer generate warnings on most platforms. SF issues
          include: #827319, #840173, #846309, #888329, #896188, #923913,
          #928113, #961698, #985192.

Release 1.95.7 Mon Oct 20 2003
        - Fixed enum XML_Status issue (reported on SourceForge many
          times), so compilers that are properly picky will be happy.
        - Introduced an XMLCALL macro to control the calling
          convention used by the Expat API; this macro should be used
          to annotate prototypes and definitions of callback
          implementations in code compiled with a calling convention
          other than the default convention for the host platform.
        - Improved ability to build without the configure-generated
          expat_config.h header. This is useful for applications
          which embed Expat rather than linking in the library.
        - Fixed a variety of bugs: see SF issues #458907, #609603,
          #676844, #679754, #692878, #692964, #695401, #699323, #699487,
          #820946.
        - Improved hash table lookups.
        - Added more regression tests and improved documentation.

Release 1.95.6 Tue Jan 28 2003
        - Added XML_FreeContentModel().
        - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree().
        - Fixed a variety of bugs: see SF issues #615606, #616863,
          #618199, #653180, #673791.
        - Enhanced the regression test suite.
        - Man page improvements: includes SF issue #632146.

Release 1.95.5 Fri Sep 6 2002
        - Added XML_UseForeignDTD() for improved SAX2 support.
        - Added XML_GetFeatureList().
        - Defined XML_Bool type and the values XML_TRUE and XML_FALSE.
        - Use an incomplete struct instead of a void* for the parser
          (may not retain).
        - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected.
        - Finally fixed bug where default handler would report DTD
          events that were already handled by another handler.
          Initial patch contributed by Darryl Miles.
        - Removed unnecessary DllMain() function that caused static
          linking into a DLL to be difficult.
        - Added VC++ projects for building static libraries.
        - Reduced line-length for all source code and headers to be
          no longer than 80 characters, to help with AS/400 support.
        - Reduced memory copying during parsing (SF patch #600964).
        - Fixed a variety of bugs: see SF issues #580793, #434664,
          #483514, #580503, #581069, #584041, #584183, #584832, #585537,
          #596555, #596678, #598352, #598944, #599715, #600479, #600971.

Release 1.95.4 Fri Jul 12 2002
        - Added support for VMS, contributed by Craig Berry. See
          vms/README.vms for more information.
        - Added Mac OS (classic) support, with a makefile for MPW,
          contributed by Thomas Wegner and Daryle Walker.
        - Added Borland C++ Builder 5 / BCC 5.5 support, contributed
          by Patrick McConnell (SF patch #538032).
        - Fixed a variety of bugs: see SF issues #441449, #563184,
          #564342, #566334, #566901, #569461, #570263, #575168, #579196.
        - Made skippedEntityHandler conform to SAX2 (see source comment)
        - Re-implemented WFC: Entity Declared from XML 1.0 spec and
          added a new error "entity declared in parameter entity":
          see SF bug report #569461 and SF patch #578161
        - Re-implemented section 5.1 from XML 1.0 spec:
          see SF bug report #570263 and SF patch #578161

Release 1.95.3 Mon Jun 3 2002
        - Added a project to the MSVC workspace to create a wchar_t
          version of the library; the DLLs are named libexpatw.dll.
        - Changed the name of the Windows DLLs from expat.dll to
          libexpat.dll; this fixes SF bug #432456.
        - Added the XML_ParserReset() API function.
        - Fixed XML_SetReturnNSTriplet() to work for element names.
        - Made the XML_UNICODE builds usable (thanks, Karl!).
        - Allow xmlwf to read from standard input.
        - Install a man page for xmlwf on Unix systems.
        - Fixed many bugs; see SF bug reports #231864, #461380, #464837,
          #466885, #469226, #477667, #484419, #487840, #494749, #496505,
          #547350. Other bugs which we can't test as easily may also
          have been fixed, especially in the area of build support.

Release 1.95.2 Fri Jul 27 2001
        - More changes to make MSVC happy with the build; add a single
          workspace to support both the library and xmlwf application.
        - Added a Windows installer for Windows users; includes
          xmlwf.exe.
        - Added compile-time constants that can be used to determine the
          Expat version
        - Removed a lot of GNU-specific dependencies to aid portability
          among the various Unix flavors.
        - Fix the UTF-8 BOM bug.
        - Cleaned up warning messages for several compilers.
        - Added the -Wall, -Wstrict-prototypes options for GCC.

Release 1.95.1 Sun Oct 22 15:11:36 EDT 2000
        - Changes to get expat to build under Microsoft compiler
        - Removed all aborts and instead return an UNEXPECTED_STATE error.
        - Fixed a bug where a stray '%' in an entity value would cause an
          abort.
        - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for
          finding this oversight.
        - Changed default patterns in lib/Makefile.in to fit non-GNU makes.
          Thanks to robin@unrated.net for reporting and providing an
          account to test on.
        - The reference had the wrong label for XML_SetStartNamespaceDecl.
          Reported by an anonymous user.

Release 1.95.0 Fri Sep 29 2000
        - XML_ParserCreate_MM
          Allows you to set a memory management suite to replace the
          standard malloc, realloc, and free.
        - XML_SetReturnNSTriplet
          If you turn this feature on when namespace processing is in
          effect, then qualified, prefixed element and attribute names
          are returned as "uri|name|prefix" where '|' is whatever
          separator character is used in namespace processing.
        - Merged in features from perl-expat
          o XML_SetElementDeclHandler
          o XML_SetAttlistDeclHandler
          o XML_SetXmlDeclHandler
          o XML_SetEntityDeclHandler
          o StartDoctypeDeclHandler takes 3 additional parameters:
            sysid, pubid, has_internal_subset
          o Many paired handler setters (like XML_SetElementHandler)
            now have corresponding individual handler setters
          o XML_GetInputContext for getting the input context of
            the current parse position.
        - Added reference material
        - Packaged into a distribution that builds a sharable library
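Added example (not code from the Expat "Changes" file or from the libexpat project): two of the behaviours described in the release notes above, shown on the real libexpat through Python's bundled binding xml.parsers.expat (pyexpat). The first is the "uri|name|prefix" triplet form that XML_SetReturnNSTriplet (Release 1.95.0) produces when namespace processing is on; pyexpat exposes that switch as the parser attribute namespace_prefixes and lets the caller pick the separator character at parser creation. The second is the external entity reference handling behind CVE-2017-9233 (Release 2.2.1): Expat never opens a SYSTEM identifier itself, it only invokes the application's handler, and a handler that returns a false value turns the reference into a hard parse error (XML_ERROR_EXTERNAL_ENTITY_HANDLING). The two sample documents, the urn:example:a namespace and the nonexistent file path are constructed for this demonstration.

```python
"""Added example (not part of the Expat Changes file or of libexpat itself).

Drives libexpat through Python's bundled binding xml.parsers.expat to show:
 * Release 1.95.0 / XML_SetReturnNSTriplet: prefixed names come back as
   uri<sep>name<sep>prefix (pyexpat attribute: namespace_prefixes).
 * Release 2.2.1 / CVE-2017-9233: Expat does not fetch external entities;
   refusing them in the handler makes the reference a hard parse error.
Both sample documents are constructed for the demonstration.
"""
from xml.parsers.expat import ExpatError, ParserCreate, errors

# Constructed sample: one prefixed element carrying one prefixed attribute.
NS_DOC = b'<r xmlns:a="urn:example:a"><a:item a:kind="x"/></r>'

# Constructed sample: an internal subset declaring an external entity that is
# then referenced in content.  The path is deliberately nonexistent and is never
# opened: the handler refuses before any I/O could happen.
XXE_DOC = (b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///nonexistent/secret">]>'
           b'<r>&ext;</r>')


def parse_with_triplets(data, sep="|"):
    """Parse `data` with namespace processing and return (element_names,
    attribute_names) exactly as the start-element handler received them:
    namespaced, prefixed names arrive as uri<sep>localname<sep>prefix."""
    parser = ParserCreate(namespace_separator=sep)
    parser.namespace_prefixes = True      # same as XML_SetReturnNSTriplet(p, 1)
    elements, attributes = [], []

    def start_element(name, attrs):
        elements.append(name)
        attributes.extend(attrs)          # attrs is a dict keyed by name

    parser.StartElementHandler = start_element
    parser.Parse(data, True)
    return elements, attributes


def parse_refusing_external_entities(data):
    """Parse `data` while rejecting every external entity reference.

    Returns "ok" when the document referenced no external entity, otherwise the
    Expat error message that stopped the parse.  Because the entity content is
    never handed to a sub-parser (XML_ExternalEntityParserCreate is never
    called), no file or network fetch happens and the external-entity parsing
    path that CVE-2017-9233 affected is not entered.  Without any handler set,
    Expat skips the reference silently, which hides the attempt; the handler
    makes it visible and fatal.
    """
    parser = ParserCreate()
    refused = []

    def external_entity_ref(context, base, system_id, public_id):
        refused.append(system_id)         # keep the identifier for logging
        return 0                          # false: Expat aborts the parse here

    parser.ExternalEntityRefHandler = external_entity_ref
    try:
        parser.Parse(data, True)
    except ExpatError as exc:
        return errors.messages[exc.code]  # code -> message, as Expat names it
    return "ok"


if __name__ == "__main__":
    print(parse_with_triplets(NS_DOC))
    print(parse_refusing_external_entities(XXE_DOC))
    print(parse_refusing_external_entities(b"<r>no entities here</r>"))
```

Running the file shows the root element reported plainly as "r" (it carries no namespace), the prefixed element as "urn:example:a|item|a" and its attribute as "urn:example:a|kind|a", while the xmlns:a declaration itself is consumed by namespace processing and never reported as an attribute. For the second document the handler is invoked with the SYSTEM identifier, returns false, and the parse ends with the Expat message "error in processing external entity reference"; the document without entities parses to "ok".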