1 __ __ _ 2 ___\ \/ /_ __ __ _| |_ 3 / _ \\ /| '_ \ / _` | __| 4 | __// \| |_) | (_| | |_ 5 \___/_/\_\ .__/ \__,_|\__| 6 |_| XML parser 7 8!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 9!! <blink>Expat is UNDERSTAFFED and WITHOUT FUNDING.</blink> !! 10!! ~~~~~~~~~~~~ !! 11!! The following topics need *additional skilled C developers* to progress !! 12!! in a timely manner or at all (loosely ordered by descending priority): !! 13!! !! 14!! - teaming up on researching and fixing future security reports and !! 15!! ClusterFuzz findings with few-days-max response times in communication !! 16!! in order to (1) have a sound fix ready before the end of a 90 days !! 17!! grace period and (2) in a sustainable manner, !! 18!! - helping CPython Expat bindings with supporting Expat's amplification !! 19!! attack protection API (https://github.com/python/cpython/issues/90949): !! 20!! - XML_SetAllocTrackerActivationThreshold !! 21!! - XML_SetAllocTrackerMaximumAmplification !! 22!! - XML_SetBillionLaughsAttackProtectionActivationThreshold !! 23!! - XML_SetBillionLaughsAttackProtectionMaximumAmplification !! 24!! - helping Perl's XML::Parser Expat bindings with supporting Expat's !! 25!! security API (https://github.com/cpan-authors/XML-Parser/issues/102): !! 26!! - XML_SetAllocTrackerActivationThreshold !! 27!! - XML_SetAllocTrackerMaximumAmplification !! 28!! - XML_SetBillionLaughsAttackProtectionActivationThreshold !! 29!! - XML_SetBillionLaughsAttackProtectionMaximumAmplification !! 30!! - XML_SetReparseDeferralEnabled !! 31!! - implementing and auto-testing XML 1.0r5 support !! 32!! (needs discussion before pull requests), !! 33!! - smart ideas on fixing the Autotools CMake files generation issue !! 34!! without breaking CI (needs discussion before pull requests), !! 35!! - pushing migration from `int` to `size_t` further !! 36!! including edge-cases test coverage (needs discussion before anything). !! 37!! !! 38!! For details, please reach out via e-mail to sebastian@pipping.org so we !! 39!! can schedule a voice call on the topic, in English or German. !! 40!! !! 41!! THANK YOU! Sebastian Pipping -- Berlin, 2024-03-09 !! 42!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 43 44Release 2.7.2 Tue September 16 2025 45 Security fixes: 46 #1018 #1034 CVE-2025-59375 -- Disallow use of disproportional amounts of 47 dynamic memory from within an Expat parser (e.g. previously 48 a ~250 KiB sized document was able to cause allocation of 49 ~800 MiB from the heap, i.e. an "amplification" of factor 50 ~3,300); once a threshold (that defaults to 64 MiB) is 51 reached, a maximum amplification factor (that defaults to 52 100.0) is enforced, and violating documents are rejected 53 with an out-of-memory error. 54 There are two new API functions to fine-tune this new 55 behavior: 56 - XML_SetAllocTrackerActivationThreshold 57 - XML_SetAllocTrackerMaximumAmplification . 58 If you ever need to increase these defaults for non-attack 59 XML payload, please file a bug report with libexpat. 60 There is also a new environment variable 61 EXPAT_MALLOC_DEBUG=(0|1|2) to control the verbosity 62 of allocations debugging at runtime, disabled by default. 63 Known impact is (reliable and easy) denial of service: 64 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C 65 (Base Score: 7.5, Temporal Score: 7.2) 66 Please note that a layer of compression around XML can 67 significantly reduce the minimum attack payload size. 68 Distributors intending to backport (or cherry-pick) the 69 fix need to copy 99% of the related pull request, not just 70 the "lib: Implement tracking of dynamic memory allocations" 71 commit, to not end up with a state that literally does both 72 too much and too little at the same time. Appending ".diff" 73 to the pull request URL could be of help. 74 75 Other changes: 76 #1008 #1017 Autotools: Sync CMake templates with CMake 3.31 for macOS 77 #1007 CMake: Drop support for CMake <3.15 78 #1004 CMake: Fix off_t detection for -Werror 79 #1007 CMake|Windows: Fix -DEXPAT_MSVC_STATIC_CRT=ON 80 #1013 Windows: Drop support for Visual Studio <=16.0/2019 81 #1026 xmlwf: Mention supported environment variables in 82 --help output 83 #1024 xmlwf: Fix (internal) help generator 84 #1034 docs: Promote the contract to call function 85 XML_FreeContentModel when registering a custom 86 element declaration handler (via a call to function 87 XML_SetElementDeclHandler) 88 #1027 docs: Add missing <p>..</p> wrap 89 #994 docs: Drop AppVeyor badge 90 #1000 tests: Fix portable_strndup 91 #1036 Drop casts around malloc/free/realloc that C99 does not need 92 #1010 Replace empty for-loops with while loops 93 #1011 Add const with internal XmlInitUnknownEncodingNS 94 #14 #1037 Drop an OpenVMS support leftover 95 #999 #1001 Address more clang-tidy warnings 96 #1030 #1038 Version info bumped from 11:2:10 (libexpat*.so.1.10.2) 97 to 12:0:11 (libexpat*.so.1.11.0); see https://verbump.de/ 98 for what these numbers do 99 100 Infrastructure: 101 #1003 CI: Cover compilation on FreeBSD 102 #1009 #1035 CI: Upgrade Clang from 19 to 21 103 #1031 CI: Make calling Cppcheck without --suppress=objectIndex 104 and --suppress=unknownMacro possible 105 #1013 CI|Windows: Get off of deprecated image "windows-2019" 106 #1008 #1017 .. 107 #1023 #1025 CI: Adapt to breaking changes in GitHub Actions 108 109 Special thanks to: 110 Alexander Bluhm 111 Neil Pang 112 Theo Buehler 113 and 114 OSS-Fuzz / ClusterFuzz 115 Perl XML::Parser 116 117Release 2.7.1 Thu March 27 2025 118 Bug fixes: 119 #980 #989 Restore event pointer behavior from Expat 2.6.4 120 (that the fix to CVE-2024-8176 changed in 2.7.0); 121 affected API functions are: 122 - XML_GetCurrentByteCount 123 - XML_GetCurrentByteIndex 124 - XML_GetCurrentColumnNumber 125 - XML_GetCurrentLineNumber 126 - XML_GetInputContext 127 128 Other changes: 129 #976 #977 Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}" 130 with Automake that were missing from 2.7.0 release tarballs 131 #983 #984 Fix printf format specifiers for 32bit Emscripten 132 #992 docs: Promote OpenSSF Best Practices self-certification 133 #978 tests/benchmark: Resolve mistaken double close 134 #986 Address Frama-C warnings 135 #990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1) 136 to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ 137 for what these numbers do 138 139 Infrastructure: 140 #982 CI: Start running Perl XML::Parser integration tests 141 #987 CI: Enforce Clang Static Analyzer clean code 142 #991 CI: Re-enable warning clang-analyzer-valist.Uninitialized 143 for clang-tidy 144 #981 CI: Cover compilation with musl 145 #983 #984 CI: Cover compilation with 32bit Emscripten 146 #976 #977 CI: Protect against fuzzer files missing from future 147 release archives 148 149 Special thanks to: 150 Berkay Eren Ürün 151 Matthew Fernandez 152 and 153 Perl XML::Parser 154 155Release 2.7.0 Thu March 13 2025 156 Security fixes: 157 #893 #973 CVE-2024-8176 -- Fix crash from chaining a large number 158 of entities caused by stack overflow by resolving use of 159 recursion, for all three uses of entities: 160 - general entities in character data ("<e>&g1;</e>") 161 - general entities in attribute values ("<e k1='&g1;'/>") 162 - parameter entities ("%p1;") 163 Known impact is (reliable and easy) denial of service: 164 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C 165 (Base Score: 7.5, Temporal Score: 7.2) 166 Please note that a layer of compression around XML can 167 significantly reduce the minimum attack payload size. 168 169 Other changes: 170 #935 #937 Autotools: Make generated CMake files look for 171 libexpat.@SO_MAJOR@.dylib on macOS 172 #925 Autotools: Sync CMake templates with CMake 3.29 173 #945 #962 #966 CMake: Drop support for CMake <3.13 174 #942 CMake: Small fuzzing related improvements 175 #921 docs: Add missing documentation of error code 176 XML_ERROR_NOT_STARTED that was introduced with 2.6.4 177 #941 docs: Document need for C++11 compiler for use from C++ 178 #959 tests/benchmark: Fix a (harmless) TOCTTOU 179 #944 Windows: Fix installer target location of file xmlwf.xml 180 for CMake 181 #953 Windows: Address warning -Wunknown-warning-option 182 about -Wno-pedantic-ms-format from LLVM MinGW 183 #971 Address Cppcheck warnings 184 #969 #970 Mass-migrate links from http:// to https:// 185 #947 #958 .. 186 #974 #975 Document changes since the previous release 187 #974 #975 Version info bumped from 11:0:10 (libexpat*.so.1.10.0) 188 to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ 189 for what these numbers do 190 191 Infrastructure: 192 #926 tests: Increase robustness 193 #927 #932 .. 194 #930 #933 tests: Increase test coverage 195 #617 #950 .. 196 #951 #952 .. 197 #954 #955 .. Fuzzing: Add new fuzzer "xml_lpm_fuzzer" based on 198 #961 Google's libprotobuf-mutator ("LPM") 199 #957 Fuzzing|CI: Start producing fuzzing code coverage reports 200 #936 CI: Pass -q -q for LCOV >=2.1 in coverage.sh 201 #942 CI: Small fuzzing related improvements 202 #139 #203 .. 203 #791 #946 CI: Make GitHub Actions build using MSVC on Windows and 204 produce 32bit and 64bit Windows binaries 205 #956 CI: Get off of about-to-be-removed Ubuntu 20.04 206 #960 #964 CI: Start uploading to Coverity Scan for static analysis 207 #972 CI: Stop loading DTD from the internet to address flaky CI 208 #971 CI: Adapt to breaking changes in Cppcheck 209 210 Special thanks to: 211 Alexander Gieringer 212 Berkay Eren Ürün 213 Hanno Böck 214 Jann Horn 215 Mark Brand 216 Sebastian Andrzej Siewior 217 Snild Dolkow 218 Thomas Pröll 219 Tomas Korbar 220 valord577 221 and 222 Google Project Zero 223 Linutronix 224 Red Hat 225 Siemens 226 227Release 2.6.4 Wed November 6 2024 228 Security fixes: 229 #915 CVE-2024-50602 -- Fix crash within function XML_ResumeParser 230 from a NULL pointer dereference by disallowing function 231 XML_StopParser to (stop or) suspend an unstarted parser. 232 A new error code XML_ERROR_NOT_STARTED was introduced to 233 properly communicate this situation. // CWE-476 CWE-754 234 235 Other changes: 236 #903 CMake: Add alias target "expat::expat" 237 #905 docs: Document use via CMake >=3.18 with FetchContent 238 and SOURCE_SUBDIR and its consequences 239 #902 tests: Reduce use of global parser instance 240 #904 tests: Resolve duplicate handler 241 #317 #918 tests: Improve tests on doctype closing (ex CVE-2019-15903) 242 #914 Fix signedness of format strings 243 #915 For use from C++, expat.h started requiring C++11 due to 244 use of C99 features 245 #919 #920 Version info bumped from 10:3:9 (libexpat*.so.1.9.3) 246 to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/ 247 for what these numbers do 248 249 Infrastructure: 250 #907 CI: Upgrade Clang from 18 to 19 251 #913 CI: Drop macos-12 and add macos-15 252 #910 CI: Adapt to breaking changes in GitHub Actions 253 #898 Add missing entries to .gitignore 254 255 Special thanks to: 256 Hanno Böck 257 José Eduardo Gutiérrez Conejo 258 José Ricardo Cardona Quesada 259 260Release 2.6.3 Wed September 4 2024 261 Security fixes: 262 #887 #890 CVE-2024-45490 -- Calling function XML_ParseBuffer with 263 len < 0 without noticing and then calling XML_GetBuffer 264 will have XML_ParseBuffer fail to recognize the problem 265 and XML_GetBuffer corrupt memory. 266 With the fix, XML_ParseBuffer now complains with error 267 XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse 268 has been doing since Expat 2.2.1, and now documented. 269 Impact is denial of service to potentially artitrary code 270 execution. 271 #888 #891 CVE-2024-45491 -- Internal function dtdCopy can have an 272 integer overflow for nDefaultAtts on 32-bit platforms 273 (where UINT_MAX equals SIZE_MAX). 274 Impact is denial of service to potentially artitrary code 275 execution. 276 #889 #892 CVE-2024-45492 -- Internal function nextScaffoldPart can 277 have an integer overflow for m_groupSize on 32-bit 278 platforms (where UINT_MAX equals SIZE_MAX). 279 Impact is denial of service to potentially artitrary code 280 execution. 281 282 Other changes: 283 #851 #879 Autotools: Sync CMake templates with CMake 3.28 284 #853 Autotools: Always provide path to find(1) for portability 285 #861 Autotools: Ensure that the m4 directory always exists. 286 #870 Autotools: Simplify handling of SIZEOF_VOID_P 287 #869 Autotools: Support non-GNU sed 288 #856 Autotools|CMake: Fix main() to main(void) 289 #865 Autotools|CMake: Fix compile tests for HAVE_SYSCALL_GETRANDOM 290 #863 Autotools|CMake: Stop requiring dos2unix 291 #854 #855 CMake: Fix check for symbols size_t and off_t 292 #864 docs|tests: Convert README to Markdown and update 293 #741 Windows: Drop support for Visual Studio <=15.0/2017 294 #886 Drop needless XML_DTD guards around is_param access 295 #885 Fix typo in a code comment 296 #894 #896 Version info bumped from 10:2:9 (libexpat*.so.1.9.2) 297 to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/ 298 for what these numbers do 299 300 Infrastructure: 301 #880 Readme: Promote the call for help 302 #868 CI: Fix various issues 303 #849 CI: Allow triggering GitHub Actions workflows manually 304 #851 #872 .. 305 #873 #879 CI: Adapt to breaking changes in GitHub Actions 306 307 Special thanks to: 308 Alexander Bluhm 309 Berkay Eren Ürün 310 Dag-Erling Smørgrav 311 Ferenc Géczi 312 TaiYou 313 314Release 2.6.2 Wed March 13 2024 315 Security fixes: 316 #839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with 317 isolated use of external parsers. Please see the commit 318 message of commit 1d50b80cf31de87750103656f6eb693746854aa8 319 for details. 320 321 Bug fixes: 322 #839 #841 Reject direct parameter entity recursion 323 and avoid the related undefined behavior 324 325 Other changes: 326 #847 Autotools: Fix build for DOCBOOK_TO_MAN containing spaces 327 #837 Add missing #821 and #824 to 2.6.1 change log 328 #838 #843 Version info bumped from 10:1:9 (libexpat*.so.1.9.1) 329 to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/ 330 for what these numbers do 331 332 Special thanks to: 333 Philippe Antoine 334 Tomas Korbar 335 and 336 Clang UndefinedBehaviorSanitizer 337 OSS-Fuzz / ClusterFuzz 338 339Release 2.6.1 Thu February 29 2024 340 Bug fixes: 341 #817 Make tests independent of CPU speed, and thus more robust 342 #828 #836 Expose billion laughs API with XML_DTD defined and 343 XML_GE undefined, regression from 2.6.0 344 345 Other changes: 346 #829 Hide test-only code behind new internal macro 347 #833 Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P 348 #821 #824 Autotools: Fix "make clean" for case: 349 ./configure --without-docbook && make clean all 350 #819 Address compiler warnings 351 #832 #834 Version info bumped from 10:0:9 (libexpat*.so.1.9.0) 352 to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/ 353 for what these numbers do 354 355 Infrastructure: 356 #818 CI: Adapt to breaking changes in clang-format 357 358 Special thanks to: 359 David Hall 360 Snild Dolkow 361 362Release 2.6.0 Tue February 6 2024 363 Security fixes: 364 #789 #814 CVE-2023-52425 -- Fix quadratic runtime issues with big tokens 365 that can cause denial of service, in partial where 366 dealing with compressed XML input. Applications 367 that parsed a document in one go -- a single call to 368 functions XML_Parse or XML_ParseBuffer -- were not affected. 369 The smaller the chunks/buffers you use for parsing 370 previously, the bigger the problem prior to the fix. 371 Backporters should be careful to no omit parts of 372 pull request #789 and to include earlier pull request #771, 373 in order to not break the fix. 374 #777 CVE-2023-52426 -- Fix billion laughs attacks for users 375 compiling *without* XML_DTD defined (which is not common). 376 Users with XML_DTD defined have been protected since 377 Expat >=2.4.0 (and that was CVE-2013-0340 back then). 378 379 Bug fixes: 380 #753 Fix parse-size-dependent "invalid token" error for 381 external entities that start with a byte order mark 382 #780 Fix NULL pointer dereference in setContext via 383 XML_ExternalEntityParserCreate for compilation with 384 XML_DTD undefined 385 #812 #813 Protect against closing entities out of order 386 387 Other changes: 388 #723 Improve support for arc4random/arc4random_buf 389 #771 #788 Improve buffer growth in XML_GetBuffer and XML_Parse 390 #761 #770 xmlwf: Support --help and --version 391 #759 #770 xmlwf: Support custom buffer size for XML_GetBuffer and read 392 #744 xmlwf: Improve language and URL clickability in help output 393 #673 examples: Add new example "element_declarations.c" 394 #764 Be stricter about macro XML_CONTEXT_BYTES at build time 395 #765 Make inclusion to expat_config.h consistent 396 #726 #727 Autotools: configure.ac: Support --disable-maintainer-mode 397 #678 #705 .. 398 #706 #733 #792 Autotools: Sync CMake templates with CMake 3.26 399 #795 Autotools: Make installation of shipped man page doc/xmlwf.1 400 independent of docbook2man availability 401 #815 Autotools|CMake: Add missing -DXML_STATIC to pkg-config file 402 section "Cflags.private" in order to fix compilation 403 against static libexpat using pkg-config on Windows 404 #724 #751 Autotools|CMake: Require a C99 compiler 405 (a de-facto requirement already since Expat 2.2.2 of 2017) 406 #793 Autotools|CMake: Fix PACKAGE_BUGREPORT variable 407 #750 #786 Autotools|CMake: Make test suite require a C++11 compiler 408 #749 CMake: Require CMake >=3.5.0 409 #672 CMake: Lowercase off_t and size_t to help a bug in Meson 410 #746 CMake: Sort xmlwf sources alphabetically 411 #785 CMake|Windows: Fix generation of DLL file version info 412 #790 CMake: Build tests/benchmark/benchmark.c as well for 413 a build with -DEXPAT_BUILD_TESTS=ON 414 #745 #757 docs: Document the importance of isFinal + adjust tests 415 accordingly 416 #736 docs: Improve use of "NULL" and "null" 417 #713 docs: Be specific about version of XML (XML 1.0r4) 418 and version of C (C99); (XML 1.0r5 will need a sponsor.) 419 #762 docs: reference.html: Promote function XML_ParseBuffer more 420 #779 docs: reference.html: Add HTML anchors to XML_* macros 421 #760 docs: reference.html: Upgrade to OK.css 1.2.0 422 #763 #739 docs: Fix typos 423 #696 docs|CI: Use HTTPS URLs instead of HTTP at various places 424 #669 #670 .. 425 #692 #703 .. 426 #733 #772 Address compiler warnings 427 #798 #800 Address clang-tidy warnings 428 #775 #776 Version info bumped from 9:10:8 (libexpat*.so.1.8.10) 429 to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/ 430 for what these numbers do 431 432 Infrastructure: 433 #700 #701 docs: Document security policy in file SECURITY.md 434 #766 docs: Improve parse buffer variables in-code documentation 435 #674 #738 .. 436 #740 #747 .. 437 #748 #781 #782 Refactor coverage and conformance tests 438 #714 #716 Refactor debug level variables to unsigned long 439 #671 Improve handling of empty environment variable value 440 in function getDebugLevel (without visible user effect) 441 #755 #774 .. 442 #758 #783 .. 443 #784 #787 tests: Improve test coverage with regard to parse chunk size 444 #660 #797 #801 Fuzzing: Improve fuzzing coverage 445 #367 #799 Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests 446 #698 #721 CI: Resolve some Travis CI leftovers 447 #669 CI: Be robust towards absence of Git tags 448 #693 #694 CI: Set permissions to "contents: read" for security 449 #709 CI: Pin all GitHub Actions to specific commits for security 450 #739 CI: Reject spelling errors using codespell 451 #798 CI: Enforce clang-tidy clean code 452 #773 #808 .. 453 #809 #810 CI: Upgrade Clang from 15 to 18 454 #796 CI: Start using Clang's Control Flow Integrity sanitizer 455 #675 #720 #722 CI: Adapt to breaking changes in GitHub Actions Ubuntu images 456 #689 CI: Adapt to breaking changes in Clang/LLVM Debian packaging 457 #763 CI: Adapt to breaking changes in codespell 458 #803 CI: Adapt to breaking changes in Cppcheck 459 460 Special thanks to: 461 Ivan Galkin 462 Joyce Brum 463 Philippe Antoine 464 Rhodri James 465 Snild Dolkow 466 spookyahell 467 Steven Garske 468 and 469 Clang AddressSanitizer 470 Clang UndefinedBehaviorSanitizer 471 codespell 472 GCC Farm Project 473 OSS-Fuzz 474 Sony Mobile 475 476Release 2.5.0 Tue October 25 2022 477 Security fixes: 478 #616 #649 #650 CVE-2022-43680 -- Fix heap use-after-free after overeager 479 destruction of a shared DTD in function 480 XML_ExternalEntityParserCreate in out-of-memory situations. 481 Expected impact is denial of service or potentially 482 arbitrary code execution. 483 484 Bug fixes: 485 #612 #645 Fix corruption from undefined entities 486 #613 #654 Fix case when parsing was suspended while processing nested 487 entities 488 #616 #652 #653 Stop leaking opening tag bindings after a closing tag 489 mismatch error where a parser is reset through 490 XML_ParserReset and then reused to parse 491 #656 CMake: Fix generation of pkg-config file 492 #658 MinGW|CMake: Fix static library name 493 494 Other changes: 495 #663 Protect header expat_config.h from multiple inclusion 496 #666 examples: Make use of XML_GetBuffer and be more 497 consistent across examples 498 #648 Address compiler warnings 499 #667 #668 Version info bumped from 9:9:8 to 9:10:8; 500 see https://verbump.de/ for what these numbers do 501 502 Special thanks to: 503 Jann Horn 504 Mark Brand 505 Osyotr 506 Rhodri James 507 and 508 Google Project Zero 509 510Release 2.4.9 Tue September 20 2022 511 Security fixes: 512 #629 #640 CVE-2022-40674 -- Heap use-after-free vulnerability in 513 function doContent. Expected impact is denial of service 514 or potentially arbitrary code execution. 515 516 Bug fixes: 517 #634 MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0 518 #614 docs: Fix documentation on effect of switch XML_DTD on 519 symbol visibility in doc/reference.html 520 521 Other changes: 522 #638 MinGW: Make fix-xmltest-log.sh drop more Wine bug output 523 #596 #625 Autotools: Sync CMake templates with CMake 3.22 524 #608 CMake: Migrate from use of CMAKE_*_POSTFIX to 525 dedicated variables EXPAT_*_POSTFIX to stop affecting 526 other projects 527 #597 #599 Windows|CMake: Add missing -DXML_STATIC to test runners 528 and fuzzers 529 #512 #621 Windows|CMake: Render .def file from a template to fix 530 linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON 531 #611 #621 MinGW|CMake: Apply MSVC .def file when linking 532 #622 #624 MinGW|CMake: Sync library name with GNU Autotools, 533 i.e. produce libexpat-1.dll rather than libexpat.dll 534 by default. Filename libexpat.dll.a is unaffected. 535 #632 MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in 536 toolchain file "cmake/mingw-toolchain.cmake" to avoid 537 error "windres: Command not found" on e.g. Ubuntu 20.04 538 #597 #627 CMake: Unify inconsistent use of set() and option() in 539 context of public build time options to take need for 540 set(.. FORCE) in projects using Expat by means of 541 add_subdirectory(..) off Expat's users' shoulders 542 #626 #641 Stop exporting API symbols when building a static library 543 #644 Resolve use of deprecated "fgrep" by "grep -F" 544 #620 CMake: Make documentation on variables a bit more consistent 545 #636 CMake: Drop leading whitespace from a #cmakedefine line in 546 file expat_config.h.cmake 547 #594 xmlwf: Fix harmless variable mix-up in function nsattcmp 548 #592 #593 #610 Address Cppcheck warnings 549 #643 Address Clang 15 compiler warnings 550 #642 #644 Version info bumped from 9:8:8 to 9:9:8; 551 see https://verbump.de/ for what these numbers do 552 553 Infrastructure: 554 #597 #598 CI: Windows: Start covering MSVC 2022 555 #619 CI: macOS: Migrate off deprecated macOS 10.15 556 #632 CI: Linux: Make migration off deprecated Ubuntu 18.04 work 557 #643 CI: Upgrade Clang from 14 to 15 558 #637 apply-clang-format.sh: Add support for BSD find 559 #633 coverage.sh: Exclude MinGW headers 560 #635 coverage.sh: Fix name collision for -funsigned-char 561 562 Special thanks to: 563 David Faure 564 Felix Wilhelm 565 Frank Bergmann 566 Rhodri James 567 Rosen Penev 568 Thijs Schreijer 569 Vincent Torri 570 and 571 Google Project Zero 572 573Release 2.4.8 Mon March 28 2022 574 Other changes: 575 #587 pkg-config: Move "-lm" to section "Libs.private" 576 #587 CMake|MSVC: Fix pkg-config section "Libs" 577 #55 #582 CMake|macOS: Start using linker arguments 578 "-compatibility_version <version>" and 579 "-current_version <version>" in a way compatible with 580 GNU Libtool 581 #590 #591 Version info bumped from 9:7:8 to 9:8:8; 582 see https://verbump.de/ for what these numbers do 583 584 Infrastructure: 585 #589 CI: Upgrade Clang from 13 to 14 586 587 Special thanks to: 588 evpobr 589 Kai Pastor 590 Sam James 591 592Release 2.4.7 Fri March 4 2022 593 Bug fixes: 594 #572 #577 Relax fix to CVE-2022-25236 (introduced with release 2.4.5) 595 with regard to all valid URI characters (RFC 3986), 596 i.e. the following set (excluding whitespace): 597 ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz 598 0123456789 % -._~ :/?#[]@ !$&'()*+,;= 599 600 Other changes: 601 #555 #570 #581 CMake|Windows: Store Expat version in the DLL 602 #577 Document consequences of namespace separator choices not just 603 in doc/reference.html but also in header <expat.h> 604 #577 Document Expat's lack of validation of namespace URIs against 605 RFC 3986, and that the XML 1.0r4 specification doesn't 606 require Expat to validate namespace URIs, and that Expat 607 may do more in that regard in future releases. 608 If you find need for strict RFC 3986 URI validation on 609 application level today, https://uriparser.github.io/ may 610 be of interest. 611 #579 Fix documentation of XML_EndDoctypeDeclHandler in <expat.h> 612 #575 Document that a call to XML_FreeContentModel can be done at 613 a later time from outside the element declaration handler 614 #574 Make hardcoded namespace URIs easier to find in code 615 #573 Update documentation on use of XML_POOR_ENTOPY on Solaris 616 #569 #571 tests: Resolve use of macros NAN and INFINITY for GNU G++ 617 4.8.2 on Solaris. 618 #578 #580 Version info bumped from 9:6:8 to 9:7:8; 619 see https://verbump.de/ for what these numbers do 620 621 Special thanks to: 622 Jeffrey Walton 623 Johnny Jazeix 624 Thijs Schreijer 625 626Release 2.4.6 Sun February 20 2022 627 Bug fixes: 628 #566 Fix a regression introduced by the fix for CVE-2022-25313 629 in release 2.4.5 that affects applications that (1) 630 call function XML_SetElementDeclHandler and (2) are 631 parsing XML that contains nested element declarations 632 (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>"). 633 634 Other changes: 635 #567 #568 Version info bumped from 9:5:8 to 9:6:8; 636 see https://verbump.de/ for what these numbers do 637 638 Special thanks to: 639 Matt Sergeant 640 Samanta Navarro 641 Sergei Trofimovich 642 and 643 NixOS 644 Perl XML::Parser 645 646Release 2.4.5 Fri February 18 2022 647 Security fixes: 648 #562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8 649 sequences (e.g. from start tag names) to the XML 650 processing application on top of Expat can cause 651 arbitrary damage (e.g. code execution) depending 652 on how invalid UTF-8 is handled inside the XML 653 processor; validation was not their job but Expat's. 654 Exploits with code execution are known to exist. 655 #561 CVE-2022-25236 -- Passing (one or more) namespace separator 656 characters in "xmlns[:prefix]" attribute values 657 made Expat send malformed tag names to the XML 658 processor on top of Expat which can cause 659 arbitrary damage (e.g. code execution) depending 660 on such unexpectable cases are handled inside the XML 661 processor; validation was not their job but Expat's. 662 Exploits with code execution are known to exist. 663 #558 CVE-2022-25313 -- Fix stack exhaustion in doctype parsing 664 that could be triggered by e.g. a 2 megabytes 665 file with a large number of opening braces. 666 Expected impact is denial of service or potentially 667 arbitrary code execution. 668 #560 CVE-2022-25314 -- Fix integer overflow in function copyString; 669 only affects the encoding name parameter at parser creation 670 time which is often hardcoded (rather than user input), 671 takes a value in the gigabytes to trigger, and a 64-bit 672 machine. Expected impact is denial of service. 673 #559 CVE-2022-25315 -- Fix integer overflow in function storeRawNames; 674 needs input in the gigabytes and a 64-bit machine. 675 Expected impact is denial of service or potentially 676 arbitrary code execution. 677 678 Other changes: 679 #557 #564 Version info bumped from 9:4:8 to 9:5:8; 680 see https://verbump.de/ for what these numbers do 681 682 Special thanks to: 683 Ivan Fratric 684 Samanta Navarro 685 and 686 Google Project Zero 687 JetBrains 688 689Release 2.4.4 Sun January 30 2022 690 Security fixes: 691 #550 CVE-2022-23852 -- Fix signed integer overflow 692 (undefined behavior) in function XML_GetBuffer 693 (that is also called by function XML_Parse internally) 694 for when XML_CONTEXT_BYTES is defined to >0 (which is both 695 common and default). 696 Impact is denial of service or more. 697 #551 CVE-2022-23990 -- Fix unsigned integer overflow in function 698 doProlog triggered by large content in element type 699 declarations when there is an element declaration handler 700 present (from a prior call to XML_SetElementDeclHandler). 701 Impact is denial of service or more. 702 703 Bug fixes: 704 #544 #545 xmlwf: Fix a memory leak on output file opening error 705 706 Other changes: 707 #546 Autotools: Fix broken CMake support under Cygwin 708 #554 Windows: Add missing files to the installer to fix 709 compilation with CMake from installed sources 710 #552 #554 Version info bumped from 9:3:8 to 9:4:8; 711 see https://verbump.de/ for what these numbers do 712 713 Special thanks to: 714 Carlo Bramini 715 hwt0415 716 Roland Illig 717 Samanta Navarro 718 and 719 Clang LeakSan and the Clang team 720 721Release 2.4.3 Sun January 16 2022 722 Security fixes: 723 #531 #534 CVE-2021-45960 -- Fix issues with left shifts by >=29 places 724 resulting in 725 a) realloc acting as free 726 b) realloc allocating too few bytes 727 c) undefined behavior 728 depending on architecture and precise value 729 for XML documents with >=2^27+1 prefixed attributes 730 on a single XML tag a la 731 "<r xmlns:a='[..]' a:a123='[..]' [..] />" 732 where XML_ParserCreateNS is used to create the parser 733 (which needs argument "-n" when running xmlwf). 734 Impact is denial of service, or more. 735 #532 #538 CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow 736 on variable m_groupSize in function doProlog leading 737 to realloc acting as free. 738 Impact is denial of service or more. 739 #539 CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows 740 near memory allocation at multiple places. Mitre assigned 741 a dedicated CVE for each involved internal C function: 742 - CVE-2022-22822 for function addBinding 743 - CVE-2022-22823 for function build_model 744 - CVE-2022-22824 for function defineAttribute 745 - CVE-2022-22825 for function lookup 746 - CVE-2022-22826 for function nextScaffoldPart 747 - CVE-2022-22827 for function storeAtts 748 Impact is denial of service or more. 749 750 Other changes: 751 #535 CMake: Make call to file(GENERATE [..]) work for CMake <3.19 752 #541 Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin 753 and MSYS2 by not going through Wine on these platforms 754 #527 #528 Address compiler warnings 755 #533 #543 Version info bumped from 9:2:8 to 9:3:8; 756 see https://verbump.de/ for what these numbers do 757 758 Infrastructure: 759 #536 CI: Check for realistic minimum CMake version 760 #529 #539 CI: Cover compilation with -m32 761 #529 CI: Store coverage reports as artifacts for download 762 #528 CI: Upgrade Clang from 11 to 13 763 764 Special thanks to: 765 An anonymous whitehat 766 Christopher Degawa 767 J. Peter Mugaas 768 Tyson Smith 769 and 770 GCC Farm Project 771 Trend Micro Zero Day Initiative 772 773Release 2.4.2 Sun December 19 2021 774 Other changes: 775 #509 #510 Link againgst libm for function "isnan" 776 #513 #514 Include expat_config.h as early as possible 777 #498 Autotools: Include files with release archives: 778 - buildconf.sh 779 - fuzz/*.c 780 #507 #519 Autotools: Sync CMake templates with CMake 3.20 781 #495 #524 CMake: MinGW: Fix pkg-config section "Libs" for 782 - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug) 783 - multi-config CMake generators (e.g. Ninja Multi-Config) 784 #502 #503 docs: Document that function XML_GetBuffer may return NULL 785 when asking for a buffer of 0 (zero) bytes size 786 #522 #523 docs: Fix return value docs for both 787 XML_SetBillionLaughsAttackProtection* functions 788 #525 #526 Version info bumped from 9:1:8 to 9:2:8; 789 see https://verbump.de/ for what these numbers do 790 791 Special thanks to: 792 Donghee Na 793 Joergen Ibsen 794 Kai Pastor 795 796Release 2.4.1 Sun May 23 2021 797 Bug fixes: 798 #488 #490 Autotools: Fix installed header expat_config.h for multilib 799 systems; regression introduced in 2.4.0 by pull request #486 800 801 Other changes: 802 #491 #492 Version info bumped from 9:0:8 to 9:1:8; 803 see https://verbump.de/ for what these numbers do 804 805 Special thanks to: 806 Gentoo's QA check "multilib_check_headers" 807 808Release 2.4.0 Sun May 23 2021 809 Security fixes: 810 #34 #466 #484 CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks 811 (denial-of-service; flavors targeting CPU time or RAM or both, 812 leveraging general entities or parameter entities or both) 813 by tracking and limiting the input amplification factor 814 (<amplification> := (<direct> + <indirect>) / <direct>). 815 By conservative default, amplification up to a factor of 100.0 816 is tolerated and rejection only starts after 8 MiB of output bytes 817 (=<direct> + <indirect>) have been processed. 818 The fix adds the following to the API: 819 - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to 820 signals this specific condition. 821 - Two new API functions .. 822 - XML_SetBillionLaughsAttackProtectionMaximumAmplification and 823 - XML_SetBillionLaughsAttackProtectionActivationThreshold 824 .. to further tighten billion laughs protection parameters 825 when desired. Please see file "doc/reference.html" for details. 826 If you ever need to increase the defaults for non-attack XML 827 payload, please file a bug report with libexpat. 828 - Two new XML_FEATURE_* constants .. 829 - that can be queried using the XML_GetFeatureList function, and 830 - that are shown in "xmlwf -v" output. 831 - Two new environment variable switches .. 832 - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and 833 - EXPAT_ENTITY_DEBUG=(0|1) 834 .. for runtime debugging of accounting and entity processing. 835 Specific behavior of these values may change in the future. 836 - Two new command line arguments "-a FACTOR" and "-b BYTES" 837 for xmlwf to further tighten billion laughs protection 838 parameters when desired. 839 If you ever need to increase the defaults for non-attack XML 840 payload, please file a bug report with libexpat. 841 842 Bug fixes: 843 #332 #470 For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake) 844 or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault 845 for UTF-16 payloads containing CDATA sections. 846 #485 #486 Autotools: Fix generated CMake files for non-64bit and 847 non-Linux platforms (e.g. macOS and MinGW in particular) 848 that were introduced with release 2.3.0 849 850 Other changes: 851 #468 #469 xmlwf: Improve help output and the xmlwf man page 852 #463 xmlwf: Improve maintainability through some refactoring 853 #477 xmlwf: Fix man page DocBook validity 854 #456 Autotools: Sync CMake templates with CMake 3.18 855 #458 #459 CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR 856 and CMAKE_INSTALL_INCLUDEDIR 857 #471 #481 CMake: Add support for standard variable BUILD_SHARED_LIBS 858 #457 Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters 859 #467 Resolve macro HAVE_EXPAT_CONFIG_H 860 #472 Delete unused legacy helper file "conftools/PrintPath" 861 #473 #483 Improve attribution 862 #464 #465 #477 doc/reference.html: Fix XHTML validity 863 #475 #478 doc/reference.html: Replace the 90s look by OK.css 864 #479 Version info bumped from 8:0:7 to 9:0:8 865 due to addition of new symbols and error codes; 866 see https://verbump.de/ for what these numbers do 867 868 Infrastructure: 869 #456 CI: Enable periodic runs 870 #457 CI: Start covering the list of exported symbols 871 #474 CI: Isolate coverage task 872 #476 #482 CI: Adapt to breaking changes in image "ubuntu-18.04" 873 #477 CI: Cover well-formedness and DocBook/XHTML validity 874 of doc/reference.html and doc/xmlwf.xml 875 876 Special thanks to: 877 Dimitry Andric 878 Eero Helenius 879 Nick Wellnhofer 880 Rhodri James 881 Tomas Korbar 882 Yury Gribov 883 and 884 Clang LeakSan 885 JetBrains 886 OSS-Fuzz 887 888Release 2.3.0 Thu March 25 2021 889 Bug fixes: 890 #438 When calling XML_ParseBuffer without a prior successful call to 891 XML_GetBuffer as a user, no longer trigger undefined behavior 892 (by adding an integer to a NULL pointer) but rather return 893 XML_STATUS_ERROR and set the error code to (new) code 894 XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer) 895 of Clang 11 (but not Clang 9). 896 #444 xmlwf: Exit status 2 was used for both: 897 - malformed input files (documented) and 898 - invalid command-line arguments (undocumented). 899 The case of invalid command-line arguments now 900 has its own exit status 4, resolving the ambiguity. 901 902 Other changes: 903 #439 xmlwf: Add argument -k to allow continuing after 904 non-fatal errors 905 #439 xmlwf: Add section about exit status to the -h help output 906 #422 #426 #447 Windows: Drop support for Visual Studio <=14.0/2015 907 #434 Windows: CMake: Detect unsupported Visual Studio at 908 configure time (rather than at compile time) 909 #382 #428 testrunner: Make verbose mode (argument "-v") report 910 about passed tests, and make default mode report about 911 failures, as well. 912 #442 CMake: Call "enable_language(CXX)" prior to tinkering 913 with CMAKE_CXX_* variables 914 #448 Document use of libexpat from a CMake-based project 915 #451 Autotools: Install CMake files as generated by CMake 3.19.6 916 so that users with "find_package(expat [..] CONFIG [..])" 917 are served on distributions that are *not* using the CMake 918 build system inside for libexpat packaging 919 #436 #437 Autotools: Drop obsolescent macro AC_HEADER_STDC 920 #450 #452 Autotools: Resolve use of obsolete macro AC_CONFIG_HEADER 921 #441 Address compiler warnings 922 #443 Version info bumped from 7:12:6 to 8:0:7 923 due to addition of error code XML_ERROR_NO_BUFFER 924 (see https://verbump.de/ for what these numbers do) 925 926 Infrastructure: 927 #435 #446 Replace Travis CI by GitHub Actions 928 929 Special thanks to: 930 Alexander Richardson 931 Oleksandr Popovych 932 Thomas Beutlich 933 Tim Bray 934 and 935 Clang LeakSan, Clang 11 UBSan and the Clang team 936 937Release 2.2.10 Sat October 3 2020 938 Bug fixes: 939 #390 #395 #398 Fix undefined behavior during parsing caused by 940 pointer arithmetic with NULL pointers 941 #404 #405 Fix reading uninitialized variable during parsing 942 #406 xmlwf: Add missing check for malloc NULL return 943 944 Other changes: 945 #396 Windows: Drop support for Visual Studio <=8.0/2005 946 #409 Windows: Add missing file "Changes" to the installer 947 to fix compilation with CMake from installed sources 948 #403 xmlwf: Document exit codes in xmlwf manpage and 949 exit with code 3 (rather than code 1) for output errors 950 when used with "-d DIRECTORY" 951 #356 #359 MinGW: Provide declaration of rand_s for mingwrt <5.3.0 952 #383 #392 Autotools: Use -Werror while configure tests the compiler 953 for supported compile flags to avoid false positives 954 #383 #393 #394 Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS, 955 e.g. ensure that they have the last word over flags added 956 while running ./configure 957 #360 CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis 958 on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t) 959 #360 CMake: Detect and deny unsupported build combinations 960 involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t) 961 #360 CMake: Install pre-compiled shipped xmlwf.1 manpage in case 962 of -DEXPAT_BUILD_DOCS=OFF 963 #375 #380 #419 CMake: Fix use of Expat by means of add_subdirectory 964 #407 #408 CMake: Keep expat target name constant at "expat" 965 (i.e. refrain from using the target name to control 966 build artifact filenames) 967 #385 CMake: Fix compilation with -DEXPAT_SHARED_LIBS=OFF for 968 Windows 969 CMake: Expose man page compilation as target "xmlwf-manpage" 970 #413 #414 CMake: Introduce option EXPAT_BUILD_PKGCONFIG 971 to control generation of pkg-config file "expat.pc" 972 #424 CMake: Add minimalistic support for building binary packages 973 with CMake target "package"; based on CPack 974 #366 CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with 975 default OFF to build fuzzer code against OSS-Fuzz and 976 related environment variable LIB_FUZZING_ENGINE 977 #354 Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF, each 978 #354 #355 .. 979 #356 #412 Address compiler warnings 980 #368 #369 Address pngcheck warnings with doc/*.png images 981 #425 Version info bumped from 7:11:6 to 7:12:6 982 983 Special thanks to: 984 asavah 985 Ben Wagner 986 Bhargava Shastry 987 Frank Landgraf 988 Jeffrey Walton 989 Joe Orton 990 Kleber Tarcísio 991 Ma Lin 992 Maciej Sroczyński 993 Mohammed Khajapasha 994 Vadim Zeitlin 995 and 996 Cppcheck 2.0 and the Cppcheck team 997 998Release 2.2.9 Wed September 25 2019 999 Other changes: 1000 examples: Drop executable bits from elements.c 1001 #349 Windows: Change the name of the Windows DLLs from expat*.dll 1002 to libexpat*.dll once more (regression from 2.2.8, first 1003 fixed in 1.95.3, issue #61 on SourceForge today, 1004 was issue #432456 back then); needs a fix due 1005 case-insensitive file systems on Windows and the fact that 1006 Perl's XML::Parser::Expat compiles into Expat.dll. 1007 #347 Windows: Only define _CRT_RAND_S if not defined 1008 Version info bumped from 7:10:6 to 7:11:6 1009 1010 Special thanks to: 1011 Ben Wagner 1012 1013Release 2.2.8 Fri September 13 2019 1014 Security fixes: 1015 #317 #318 CVE-2019-15903 -- Fix heap overflow triggered by 1016 XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber), 1017 and deny internal entities closing the doctype; 1018 fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43 1019 1020 Bug fixes: 1021 #240 Fix cases where XML_StopParser did not have any effect 1022 when called from inside of an end element handler 1023 #341 xmlwf: Fix exit code for operation without "-d DIRECTORY"; 1024 previously, only "-d DIRECTORY" would give you a proper 1025 exit code: 1026 # xmlwf -d . <<<'<not well-formed>' 2>/dev/null ; echo $? 1027 2 1028 # xmlwf <<<'<not well-formed>' 2>/dev/null ; echo $? 1029 0 1030 Now both cases return exit code 2. 1031 1032 Other changes: 1033 #299 #302 Windows: Replace LoadLibrary hack to access 1034 unofficial API function SystemFunction036 (RtlGenRandom) 1035 by using official API function rand_s (needs WinXP+) 1036 #325 Windows: Drop support for Visual Studio <=7.1/2003 1037 and document supported compilers in README.md 1038 #286 Windows: Remove COM code from xmlwf; in case it turns 1039 out needed later, there will be a dedicated repository 1040 below https://github.com/libexpat/ for that code 1041 #322 Windows: Remove explicit MSVC solution and project files. 1042 You can generate Visual Studio solution files through 1043 CMake, e.g.: cmake -G"Visual Studio 15 2017" . 1044 #338 xmlwf: Make "xmlwf -h" help output more friendly 1045 #339 examples: Improve elements.c 1046 #244 #264 Autotools: Add argument --enable-xml-attr-info 1047 #239 #301 Autotools: Add arguments 1048 --with-getrandom 1049 --without-getrandom 1050 --with-sys-getrandom 1051 --without-sys-getrandom 1052 #312 #343 Autotools: Fix linking issues with "./configure LD=clang" 1053 Autotools: Fix "make run-xmltest" for out-of-source builds 1054 #329 #336 CMake: Pull all options from Expat <=2.2.7 into namespace 1055 prefix EXPAT_ with the exception of DOCBOOK_TO_MAN: 1056 - BUILD_doc -> EXPAT_BUILD_DOCS (plural) 1057 - BUILD_examples -> EXPAT_BUILD_EXAMPLES 1058 - BUILD_shared -> EXPAT_SHARED_LIBS 1059 - BUILD_tests -> EXPAT_BUILD_TESTS 1060 - BUILD_tools -> EXPAT_BUILD_TOOLS 1061 - DOCBOOK_TO_MAN -> DOCBOOK_TO_MAN (unchanged) 1062 - INSTALL -> EXPAT_ENABLE_INSTALL 1063 - MSVC_USE_STATIC_CRT -> EXPAT_MSVC_STATIC_CRT 1064 - USE_libbsd -> EXPAT_WITH_LIBBSD 1065 - WARNINGS_AS_ERRORS -> EXPAT_WARNINGS_AS_ERRORS 1066 - XML_CONTEXT_BYTES -> EXPAT_CONTEXT_BYTES 1067 - XML_DEV_URANDOM -> EXPAT_DEV_URANDOM 1068 - XML_DTD -> EXPAT_DTD 1069 - XML_NS -> EXPAT_NS 1070 - XML_UNICODE -> EXPAT_CHAR_TYPE=ushort (!) 1071 - XML_UNICODE_WCHAR_T -> EXPAT_CHAR_TYPE=wchar_t (!) 1072 #244 #264 CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF), 1073 default OFF 1074 #326 CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF), 1075 default OFF 1076 #328 CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF), 1077 default OFF 1078 #239 #277 CMake: Add arguments 1079 -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO 1080 -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO 1081 #326 CMake: Install expat_config.h to include directory 1082 #326 CMake: Generate and install configuration files for 1083 future find_package(expat [..] CONFIG [..]) 1084 CMake: Now produces a summary of applied configuration 1085 CMake: Require C++ compiler only when tests are enabled 1086 #330 CMake: Fix compilation for 16bit character types, 1087 i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON) 1088 #265 CMake: Fix linking with MinGW 1089 #330 CMake: Add full support for MinGW; to enable, use 1090 -DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake 1091 #330 CMake: Port "make run-xmltest" from GNU Autotools to CMake 1092 #316 CMake: Windows: Make binary postfix match MSVC 1093 Old: expat[d].lib 1094 New: expat[w][d][MD|MT].lib 1095 CMake: Migrate files from Windows to Unix line endings 1096 #308 CMake: Integrate OSS-Fuzz fuzzers, option 1097 -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF 1098 #14 Drop an OpenVMS support leftover 1099 #235 #268 .. 1100 #270 #310 .. 1101 #313 #331 #333 Address compiler warnings 1102 #282 #283 .. 1103 #284 #285 Address cppcheck warnings 1104 #294 #295 Address Clang Static Analyzer warnings 1105 #24 #293 Mass-apply clang-format 9 (and ensure conformance during CI) 1106 Version info bumped from 7:9:6 to 7:10:6 1107 1108 Special thanks to: 1109 David Loffredo 1110 Joonun Jang 1111 Kishore Kunche 1112 Marco Maggi 1113 Mitch Phillips 1114 Mohammed Khajapasha 1115 Rolf Ade 1116 xantares 1117 Zhongyuan Zhou 1118 1119Release 2.2.7 Wed June 19 2019 1120 Security fixes: 1121 #186 #262 CVE-2018-20843 -- Fix extraction of namespace prefixes from 1122 XML names; XML names with multiple colons could end up in 1123 the wrong namespace, and take a high amount of RAM and CPU 1124 resources while processing, opening the door to 1125 use for denial-of-service attacks 1126 1127 Other changes: 1128 #195 #197 Autotools/CMake: Utilize -fvisibility=hidden to stop 1129 exporting non-API symbols 1130 #227 Autotools: Add --without-examples and --without-tests 1131 #228 Autotools: Modernize configure.ac 1132 #245 #246 Autotools: Fix check for -fvisibility=hidden for Clang 1133 #247 #248 Autotools: Fix compilation for lack of docbook2x-man 1134 #236 #258 Autotools: Produce .tar.{gz,lz,xz} release archives 1135 #212 CMake: Make libdir of pkgconfig expat.pc support multilib 1136 #158 #263 CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR 1137 #219 Remove fallback to bcopy, assume that memmove(3) exists 1138 #257 Use portable "/usr/bin/env bash" shebang (e.g. for OpenBSD) 1139 #243 Windows: Fix syntax of .def module definition files 1140 Version info bumped from 7:8:6 to 7:9:6 1141 1142 Special thanks to: 1143 Benjamin Peterson 1144 Caolán McNamara 1145 Hanno Böck 1146 KangLin 1147 Kishore Kunche 1148 Marco Maggi 1149 Rhodri James 1150 Sebastian Dröge 1151 userwithuid 1152 Yury Gribov 1153 1154Release 2.2.6 Sun August 12 2018 1155 Bug fixes: 1156 #170 #206 Avoid doing arithmetic with NULL pointers in XML_GetBuffer 1157 #204 #205 Fix 2.2.5 regression with suspend-resume while parsing 1158 a document like '<root/>' 1159 1160 Other changes: 1161 #165 #168 Autotools: Fix docbook-related configure syntax error 1162 #166 Autotools: Avoid grep option `-q` for Solaris 1163 #167 Autotools: Support 1164 ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation" 1165 #159 #167 Autotools: Support DOCBOOK_TO_MAN command which produces 1166 xmlwf.1 rather than XMLWF.1; also covers case insensitive 1167 file systems 1168 #181 Autotools: Drop -rpath option passed to libtool 1169 #188 Autotools: Detect and deny SGML docbook2man as ours is XML 1170 #188 Autotools/CMake: Support command db2x_docbook2man as well 1171 #174 CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF 1172 #184 #185 CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF 1173 #207 #208 CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T, 1174 both defaulting to OFF 1175 #175 CMake: Prefer check_symbol_exists over check_function_exists 1176 #176 CMake: Create the same pkg-config file as with GNU Autotools 1177 #178 #179 CMake: Use GNUInstallDirs module to set proper defaults for 1178 install directories 1179 #208 CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM 1180 #180 Windows: Fix compilation of test suite for Visual Studio 2008 1181 #131 #173 #202 Address compiler warnings 1182 #187 #190 #200 Fix miscellaneous typos 1183 Version info bumped from 7:7:6 to 7:8:6 1184 1185 Special thanks to: 1186 Anton Maklakov 1187 Benjamin Peterson 1188 Brad King 1189 Franek Korta 1190 Frank Rast 1191 Joe Orton 1192 luzpaz 1193 Pedro Vicente 1194 Rainer Jung 1195 Rhodri James 1196 Rolf Ade 1197 Rolf Eike Beer 1198 Thomas Beutlich 1199 Tomasz Kłoczko 1200 1201Release 2.2.5 Tue October 31 2017 1202 Bug fixes: 1203 #8 If the parser runs out of memory, make sure its internal 1204 state reflects the memory it actually has, not the memory 1205 it wanted to have. 1206 #11 The default handler wasn't being called when it should for 1207 a SYSTEM or PUBLIC doctype if an entity declaration handler 1208 was registered. 1209 #137 #138 Fix a case of mistakenly reported parsing success where 1210 XML_StopParser was called from an element handler 1211 #162 Function XML_ErrorString was returning NULL rather than 1212 a message for code XML_ERROR_INVALID_ARGUMENT 1213 introduced with release 2.2.1 1214 1215 Other changes: 1216 #106 xmlwf: Add argument -N adding notation declarations 1217 #75 #106 Test suite: Resolve expected failure cases where xmlwf 1218 output was incomplete 1219 #127 Windows: Fix test suite compilation 1220 #126 #127 Windows: Fix compilation for Visual Studio 2012 1221 Windows: Upgrade shipped project files to Visual Studio 2017 1222 #33 #132 tests: Mass-fix compilation for XML_UNICODE_WCHAR_T 1223 #129 examples: Fix compilation for XML_UNICODE_WCHAR_T 1224 #130 benchmark: Fix compilation for XML_UNICODE_WCHAR_T 1225 #144 xmlwf: Fix compilation for XML_UNICODE_WCHAR_T; still needs 1226 Windows or MinGW for 2-byte wchar_t 1227 #9 Address two Clang Static Analyzer false positives 1228 #59 Resolve troublesome macros hiding parser struct membership 1229 and dereferencing that pointer 1230 #6 Resolve superfluous internal malloc/realloc switch 1231 #153 #155 Improve docbook2x-man detection 1232 #160 Undefine NDEBUG in the test suite (rather than rejecting it) 1233 #161 Address compiler warnings 1234 Version info bumped from 7:6:6 to 7:7:6 1235 1236 Special thanks to: 1237 Benbuck Nason 1238 Hans Wennborg 1239 José Gutiérrez de la Concha 1240 Pedro Monreal Gonzalez 1241 Rhodri James 1242 Rolf Ade 1243 Stephen Groat 1244 and 1245 Core Infrastructure Initiative 1246 1247Release 2.2.4 Sat August 19 2017 1248 Bug fixes: 1249 #115 Fix copying of partial characters for UTF-8 input 1250 1251 Other changes: 1252 #109 Fix "make check" for non-x86 architectures that default 1253 to unsigned type char (-128..127 rather than 0..255) 1254 #109 coverage.sh: Cover -funsigned-char 1255 Autotools: Introduce --without-xmlwf argument 1256 #65 Autotools: Replace handwritten Makefile with GNU Automake 1257 #43 CMake: Auto-detect high quality entropy extractors, add new 1258 option USE_libbsd=ON to use arc4random_buf of libbsd 1259 #74 CMake: Add -fno-strict-aliasing only where supported 1260 #114 CMake: Always honor manually set BUILD_* options 1261 #114 CMake: Compile man page if docbook2x-man is available, only 1262 #117 Include file tests/xmltest.log.expected in source tarball 1263 (required for "make run-xmltest") 1264 #117 Include (existing) Visual Studio 2013 files in source tarball 1265 Improve test suite error output 1266 #111 Fix some typos in documentation 1267 Version info bumped from 7:5:6 to 7:6:6 1268 1269 Special thanks to: 1270 Jakub Wilk 1271 Joe Orton 1272 Lin Tian 1273 Rolf Eike Beer 1274 1275Release 2.2.3 Wed August 2 2017 1276 Security fixes: 1277 #82 CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability 1278 using Steve Holme's LoadLibrary wrapper for/of cURL 1279 1280 Bug fixes: 1281 #85 Fix a dangling pointer issue related to realloc 1282 1283 Other changes: 1284 Increase code coverage 1285 #91 Linux: Allow getrandom to fail if nonblocking pool has not 1286 yet been initialized and read /dev/urandom then, instead. 1287 This is in line with what recent Python does. 1288 #81 Pre-10.7/Lion macOS: Support entropy from arc4random 1289 #86 Check that a UTF-16 encoding in an XML declaration has the 1290 right endianness 1291 #4 #5 #7 Recover correctly when some reallocations fail 1292 Repair "./configure && make" for systems without any 1293 provider of high quality entropy 1294 and try reading /dev/urandom on those 1295 Ensure that user-defined character encodings have converter 1296 functions when they are needed 1297 Fix mis-leading description of argument -c in xmlwf.1 1298 Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__) 1299 for CloudABI 1300 #100 Fix use of SIPHASH_MAIN in siphash.h 1301 #23 Test suite: Fix memory leaks 1302 Version info bumped from 7:4:6 to 7:5:6 1303 1304 Special thanks to: 1305 Chanho Park 1306 Joe Orton 1307 Pascal Cuoq 1308 Rhodri James 1309 Simon McVittie 1310 Vadim Zeitlin 1311 Viktor Szakats 1312 and 1313 Core Infrastructure Initiative 1314 1315Release 2.2.2 Wed July 12 2017 1316 Security fixes: 1317 #43 Protect against compilation without any source of high 1318 quality entropy enabled, e.g. with CMake build system; 1319 commit ff0207e6076e9828e536b8d9cd45c9c92069b895 1320 #60 Windows with _UNICODE: 1321 Unintended use of LoadLibraryW with a non-wide string 1322 resulted in failure to load advapi32.dll and degradation 1323 in quality of used entropy when compiled with _UNICODE for 1324 Windows; you can launch existing binaries with 1325 EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the 1326 quality of entropy used during runtime; commits 1327 * 95b95032f907ef1cd17ee7a9a1768010a825d61d 1328 * 73a5a2e9c081f49f2d775cf7ced864158b68dc80 1329 [MOX-006] Fix non-NULL parser parameter validation in XML_Parse; 1330 resulted in NULL dereference, previously; 1331 commit ac256dafdffc9622ab0dc2c62fcecb0dfcfa71fe 1332 1333 Bug fixes: 1334 #69 Fix improper use of unsigned long long integer literals 1335 1336 Other changes: 1337 #73 Start requiring a C99 compiler 1338 #49 Fix "==" Bashism in configure script 1339 #50 Fix too eager getrandom detection for Debian GNU/kFreeBSD 1340 #52 and macOS 1341 #51 Address lack of stdint.h in Visual Studio 2003 to 2008 1342 #58 Address compile warnings 1343 #68 Fix "./buildconf.sh && ./configure" for some versions 1344 of Dash for /bin/sh 1345 #72 CMake: Ease use of Expat in context of a parent project 1346 with multiple CMakeLists.txt files 1347 #72 CMake: Resolve mistaken executable permissions 1348 #76 Address compile warning with -DNDEBUG (not recommended!) 1349 #77 Address compile warning about macro redefinition 1350 1351 Special thanks to: 1352 Alexander Bluhm 1353 Ben Boeckel 1354 Cătălin Răceanu 1355 Kerin Millar 1356 László Böszörményi 1357 S. P. Zeidler 1358 Segev Finer 1359 Václav Slavík 1360 Victor Stinner 1361 Viktor Szakats 1362 and 1363 Radically Open Security 1364 1365Release 2.2.1 Sat June 17 2017 1366 Security fixes: 1367 CVE-2017-9233 -- External entity infinite loop DoS 1368 Details: https://libexpat.github.io/doc/cve-2017-9233/ 1369 Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f 1370 [MOX-002] CVE-2016-9063 -- Detect integer overflow; commit 1371 d4f735b88d9932bd5039df2335eefdd0723dbe20 1372 (Fixed version of existing downstream patches!) 1373 (SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off 1374 longer tag names; commits 1375 * 896b6c1fd3b842f377d1b62135dccf0a579cf65d 1376 * af507cef2c93cb8d40062a0abe43a4f4e9158fb2 1377 #16 * 0dbbf43fdb20f593ddf4fa1ff67288000dd4a7fd 1378 #25 More integer overflow detection (function poolGrow); commits 1379 * 810b74e4703dcfdd8f404e3cb177d44684775143 1380 * 44178553f3539ce69d34abee77a05e879a7982ac 1381 [MOX-002] Detect overflow from len=INT_MAX call to XML_Parse; commits 1382 * 4be2cb5afcc018d996f34bbbce6374b7befad47f 1383 * 7e5b71b748491b6e459e5c9a1d090820f94544d8 1384 [MOX-005] #30 Use high quality entropy for hash initialization: 1385 * arc4random_buf on BSD, systems with libbsd 1386 (when configured with --with-libbsd), CloudABI 1387 * RtlGenRandom on Windows XP / Server 2003 and later 1388 * getrandom on Linux 3.17+ 1389 In a way, that's still part of CVE-2016-5300. 1390 https://github.com/libexpat/libexpat/pull/30/commits 1391 [MOX-005] For the low quality entropy extraction fallback code, 1392 the parser instance address can no longer leak, commit 1393 04ad658bd3079dd15cb60fc67087900f0ff4b083 1394 [MOX-003] Prevent use of uninitialised variable; commit 1395 [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b 1396 Add missing parameter validation to public API functions 1397 and dedicated error code XML_ERROR_INVALID_ARGUMENT: 1398 [MOX-006] * NULL checks; commits 1399 * d37f74b2b7149a3a95a680c4c4cd2a451a51d60a (merge/many) 1400 * 9ed727064b675b7180c98cb3d4f75efba6966681 1401 * 6a747c837c50114dfa413994e07c0ba477be4534 1402 * Negative length (XML_Parse); commit 1403 [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f 1404 [MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash 1405 to go further with fixing CVE-2012-0876. 1406 https://github.com/libexpat/libexpat/pull/39/commits 1407 1408 Bug fixes: 1409 #32 Fix sharing of hash salt across parsers; 1410 relevant where XML_ExternalEntityParserCreate is called 1411 prior to XML_Parse, in particular (e.g. FBReader) 1412 #28 xmlwf: Auto-disable use of memory-mapping (and parsing 1413 as a single chunk) for files larger than ~1 GB (2^30 bytes) 1414 rather than failing with error "out of memory" 1415 #3 Fix double free after malloc failure in DTD code; commit 1416 7ae9c3d3af433cd4defe95234eae7dc8ed15637f 1417 #17 Fix memory leak on parser error for unbound XML attribute 1418 prefix with new namespaces defined in the same tag; 1419 found by Google's OSS-Fuzz; commits 1420 * 16f87daae5a16132e479e4f71862128c7a915c73 1421 * b47dbc9745932c160893d433220e462bd605f8cd 1422 xmlwf on Windows: Add missing calls to CloseHandle 1423 1424 New features: 1425 #30 Introduced environment switch EXPAT_ENTROPY_DEBUG=1 1426 for runtime debugging of entropy extraction 1427 1428 Other changes: 1429 Increase code coverage 1430 #33 Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2; 1431 XML_UNICODE_WCHAR_T was never meant to be used outside 1432 of Windows; 4-byte wchar_t is common on Linux 1433 (SF.net) #538 Start using -fno-strict-aliasing 1434 (SF.net) #540 Support compilation against cloudlibc of CloudABI 1435 Allow MinGW cross-compilation 1436 (SF.net) #534 CMake: Introduce option "BUILD_doc" (enabled by default) 1437 to bypass compilation of the xmlwf.1 man page 1438 (SF.net) pr2 CMake: Introduce option "INSTALL" (enabled by default) 1439 to bypass installation of expat files 1440 CMake: Fix ninja support 1441 Autotools: Add parameters --enable-xml-context [COUNT] 1442 and --disable-xml-context; default of context of 1024 1443 bytes enabled unchanged 1444 #14 Drop AmigaOS 4.x code and includes 1445 #14 Drop ancient build systems: 1446 * Borland C++ Builder 1447 * OpenVMS 1448 * Open Watcom 1449 * Visual Studio 6.0 1450 * Pre-X Mac OS (MPW Makefile) 1451 If you happen to rely on some of these, please get in 1452 touch for joining with maintenance. 1453 #10 Move from WIN32 to _WIN32 1454 #13 Fix "make run-xmltest" order instability 1455 Address compile warnings 1456 Bump version info from 7:2:6 to 7:3:6 1457 Add AUTHORS file 1458 1459 Infrastructure: 1460 #1 Migrate from SourceForge to GitHub (except downloads): 1461 https://github.com/libexpat/ 1462 #1 Re-create http://libexpat.org/ project website 1463 Start utilizing Travis CI 1464 1465 Special thanks to: 1466 Andy Wang 1467 Don Lewis 1468 Ed Schouten 1469 Karl Waclawek 1470 Pascal Cuoq 1471 Rhodri James 1472 Sergei Nikulov 1473 Tobias Taschner 1474 Viktor Szakats 1475 and 1476 Core Infrastructure Initiative 1477 Mozilla Foundation (MOSS Track 3: Secure Open Source) 1478 Radically Open Security 1479 1480Release 2.2.0 Tue June 21 2016 1481 Security fixes: 1482 #537 CVE-2016-0718 -- Fix crash on malformed input 1483 CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 / 1484 CVE-2015-2716 introduced with Expat 2.1.1 1485 #499 CVE-2016-5300 -- Use more entropy for hash initialization 1486 than the original fix to CVE-2012-0876 1487 #519 CVE-2012-6702 -- Resolve troublesome internal call to srand 1488 that was introduced with Expat 2.1.0 1489 when addressing CVE-2012-0876 (issue #496) 1490 1491 Bug fixes: 1492 Fix uninitialized reads of size 1 1493 (e.g. in little2_updatePosition) 1494 Fix detection of UTF-8 character boundaries 1495 1496 Other changes: 1497 #532 Fix compilation for Visual Studio 2010 (keyword "C99") 1498 Autotools: Resolve use of "$<" to better support bmake 1499 Autotools: Add QA script "qa.sh" (and make target "qa") 1500 Autotools: Respect CXXFLAGS if given 1501 Autotools: Fix "make run-xmltest" 1502 Autotools: Have "make run-xmltest" check for expected output 1503 p90 CMake: Fix static build (BUILD_shared=OFF) on Windows 1504 #536 CMake: Add soversion, support -DNO_SONAME=yes to bypass 1505 #323 CMake: Add suffix "d" to differentiate debug from release 1506 CMake: Define WIN32 with CMake on Windows 1507 Annotate memory allocators for GCC 1508 Address all currently known compile warnings 1509 Make sure that API symbols remain visible despite 1510 -fvisibility=hidden 1511 Remove executable flag from source files 1512 Resolve COMPILED_FROM_DSP in favor of WIN32 1513 1514 Special thanks to: 1515 Björn Lindahl 1516 Christian Heimes 1517 Cristian Rodríguez 1518 Daniel Krügler 1519 Gustavo Grieco 1520 Karl Waclawek 1521 László Böszörményi 1522 Marco Grassi 1523 Pascal Cuoq 1524 Sergei Nikulov 1525 Thomas Beutlich 1526 Warren Young 1527 Yann Droneaud 1528 1529Release 2.1.1 Sat March 12 2016 1530 Security fixes: 1531 #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer 1532 1533 Bug fixes: 1534 #502: Fix potential null pointer dereference 1535 #520: Symbol XML_SetHashSalt was not exported 1536 Output of "xmlwf -h" was incomplete 1537 1538 Other changes: 1539 #503: Document behavior of calling XML_SetHashSalt with salt 0 1540 Minor improvements to man page xmlwf(1) 1541 Improvements to the experimental CMake build system 1542 libtool now invoked with --verbose 1543 1544Release 2.1.0 Sat March 24 2012 1545 - Security fixes: 1546 #2958794: CVE-2012-1148 - Memory leak in poolGrow. 1547 #2895533: CVE-2012-1147 - Resource leak in readfilemap.c. 1548 #3496608: CVE-2012-0876 - Hash DOS attack. 1549 #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8(). 1550 #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences. 1551 - Bug Fixes: 1552 #1742315: Harmful XML_ParserCreateNS suggestion. 1553 #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3. 1554 #1983953, 2517952, 2517962, 2649838: 1555 Build modifications using autoreconf instead of buildconf.sh. 1556 #2815947, #2884086: OBJEXT and EXEEXT support while building. 1557 #2517938: xmlwf should return non-zero exit status if not well-formed. 1558 #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml. 1559 #2855609: Dangling positionPtr after error. 1560 #2990652: CMake support. 1561 #3010819: UNEXPECTED_STATE with a trailing "%" in entity value. 1562 #3206497: Uninitialized memory returned from XML_Parse. 1563 #3287849: make check fails on mingw-w64. 1564 - Patches: 1565 #1749198: pkg-config support. 1566 #3010222: Fix for bug #3010819. 1567 #3312568: CMake support. 1568 #3446384: Report byte offsets for attr names and values. 1569 - New Features / API changes: 1570 Added new API member XML_SetHashSalt() that allows setting an initial 1571 value (salt) for hash calculations. This is part of the fix for 1572 bug #3496608 to randomize hash parameters. 1573 When compiled with XML_ATTR_INFO defined, adds new API member 1574 XML_GetAttributeInfo() that allows retrieving the byte 1575 offsets for attribute names and values (patch #3446384). 1576 Added CMake build system. 1577 See bug #2990652 and patch #3312568. 1578 Added run-benchmark target to Makefile.in - relies on testdata module 1579 present in the same relative location as in the repository. 1580 1581Release 2.0.1 Tue June 5 2007 1582 - Fixed bugs #1515266, #1515600: The character data handler's calling 1583 of XML_StopParser() was not handled properly; if the parser was 1584 stopped and the handler set to NULL, the parser would segfault. 1585 - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed 1586 some character constants to be ASCII encoded. 1587 - Minor cleanups of the test harness. 1588 - Fixed xmlwf bug #1513566: "out of memory" error on file size zero. 1589 - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call. 1590 - Fixes and improvements for Windows platform: 1591 bugs #1409451, #1476160, #1548182, #1602769, #1717322. 1592 - Build fixes for various platforms: 1593 HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180. 1594 All Unix: #1554618 (refreshed config.sub/config.guess). 1595 #1490371, #1613457: support both, DESTDIR and INSTALL_ROOT, 1596 without relying on GNU-Make specific features. 1597 #1647805: Patched configure.in to work better with Intel compiler. 1598 - Fixes to Makefile.in to have make check work correctly: 1599 bugs #1408143, #1535603, #1536684. 1600 - Added Open Watcom support: patch #1523242. 1601 1602Release 2.0.0 Wed Jan 11 2006 1603 - We no longer use the "check" library for C unit testing; we 1604 always use the (partial) internal implementation of the API. 1605 - Report XML_NS setting via XML_GetFeatureList(). 1606 - Fixed headers for use from C++. 1607 - XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber() 1608 now return unsigned integers. 1609 - Added XML_LARGE_SIZE switch to enable 64-bit integers for 1610 byte indexes and line/column numbers. 1611 - Updated to use libtool 1.5.22 (the most recent). 1612 - Added support for AmigaOS. 1613 - Some mostly minor bug fixes. SF issues include: #1006708, 1614 #1021776, #1023646, #1114960, #1156398, #1221160, #1271642. 1615 1616Release 1.95.8 Fri Jul 23 2004 1617 - Major new feature: suspend/resume. Handlers can now request 1618 that a parse be suspended for later resumption or aborted 1619 altogether. See "Temporarily Stopping Parsing" in the 1620 documentation for more details. 1621 - Some mostly minor bug fixes, but compilation should no 1622 longer generate warnings on most platforms. SF issues 1623 include: #827319, #840173, #846309, #888329, #896188, #923913, 1624 #928113, #961698, #985192. 1625 1626Release 1.95.7 Mon Oct 20 2003 1627 - Fixed enum XML_Status issue (reported on SourceForge many 1628 times), so compilers that are properly picky will be happy. 1629 - Introduced an XMLCALL macro to control the calling 1630 convention used by the Expat API; this macro should be used 1631 to annotate prototypes and definitions of callback 1632 implementations in code compiled with a calling convention 1633 other than the default convention for the host platform. 1634 - Improved ability to build without the configure-generated 1635 expat_config.h header. This is useful for applications 1636 which embed Expat rather than linking in the library. 1637 - Fixed a variety of bugs: see SF issues #458907, #609603, 1638 #676844, #679754, #692878, #692964, #695401, #699323, #699487, 1639 #820946. 1640 - Improved hash table lookups. 1641 - Added more regression tests and improved documentation. 1642 1643Release 1.95.6 Tue Jan 28 2003 1644 - Added XML_FreeContentModel(). 1645 - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree(). 1646 - Fixed a variety of bugs: see SF issues #615606, #616863, 1647 #618199, #653180, #673791. 1648 - Enhanced the regression test suite. 1649 - Man page improvements: includes SF issue #632146. 1650 1651Release 1.95.5 Fri Sep 6 2002 1652 - Added XML_UseForeignDTD() for improved SAX2 support. 1653 - Added XML_GetFeatureList(). 1654 - Defined XML_Bool type and the values XML_TRUE and XML_FALSE. 1655 - Use an incomplete struct instead of a void* for the parser 1656 (may not retain). 1657 - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected. 1658 - Finally fixed bug where default handler would report DTD 1659 events that were already handled by another handler. 1660 Initial patch contributed by Darryl Miles. 1661 - Removed unnecessary DllMain() function that caused static 1662 linking into a DLL to be difficult. 1663 - Added VC++ projects for building static libraries. 1664 - Reduced line-length for all source code and headers to be 1665 no longer than 80 characters, to help with AS/400 support. 1666 - Reduced memory copying during parsing (SF patch #600964). 1667 - Fixed a variety of bugs: see SF issues #580793, #434664, 1668 #483514, #580503, #581069, #584041, #584183, #584832, #585537, 1669 #596555, #596678, #598352, #598944, #599715, #600479, #600971. 1670 1671Release 1.95.4 Fri Jul 12 2002 1672 - Added support for VMS, contributed by Craig Berry. See 1673 vms/README.vms for more information. 1674 - Added Mac OS (classic) support, with a makefile for MPW, 1675 contributed by Thomas Wegner and Daryle Walker. 1676 - Added Borland C++ Builder 5 / BCC 5.5 support, contributed 1677 by Patrick McConnell (SF patch #538032). 1678 - Fixed a variety of bugs: see SF issues #441449, #563184, 1679 #564342, #566334, #566901, #569461, #570263, #575168, #579196. 1680 - Made skippedEntityHandler conform to SAX2 (see source comment) 1681 - Re-implemented WFC: Entity Declared from XML 1.0 spec and 1682 added a new error "entity declared in parameter entity": 1683 see SF bug report #569461 and SF patch #578161 1684 - Re-implemented section 5.1 from XML 1.0 spec: 1685 see SF bug report #570263 and SF patch #578161 1686 1687Release 1.95.3 Mon Jun 3 2002 1688 - Added a project to the MSVC workspace to create a wchar_t 1689 version of the library; the DLLs are named libexpatw.dll. 1690 - Changed the name of the Windows DLLs from expat.dll to 1691 libexpat.dll; this fixes SF bug #432456. 1692 - Added the XML_ParserReset() API function. 1693 - Fixed XML_SetReturnNSTriplet() to work for element names. 1694 - Made the XML_UNICODE builds usable (thanks, Karl!). 1695 - Allow xmlwf to read from standard input. 1696 - Install a man page for xmlwf on Unix systems. 1697 - Fixed many bugs; see SF bug reports #231864, #461380, #464837, 1698 #466885, #469226, #477667, #484419, #487840, #494749, #496505, 1699 #547350. Other bugs which we can't test as easily may also 1700 have been fixed, especially in the area of build support. 1701 1702Release 1.95.2 Fri Jul 27 2001 1703 - More changes to make MSVC happy with the build; add a single 1704 workspace to support both the library and xmlwf application. 1705 - Added a Windows installer for Windows users; includes 1706 xmlwf.exe. 1707 - Added compile-time constants that can be used to determine the 1708 Expat version 1709 - Removed a lot of GNU-specific dependencies to aide portability 1710 among the various Unix flavors. 1711 - Fix the UTF-8 BOM bug. 1712 - Cleaned up warning messages for several compilers. 1713 - Added the -Wall, -Wstrict-prototypes options for GCC. 1714 1715Release 1.95.1 Sun Oct 22 15:11:36 EDT 2000 1716 - Changes to get expat to build under Microsoft compiler 1717 - Removed all aborts and instead return an UNEXPECTED_STATE error. 1718 - Fixed a bug where a stray '%' in an entity value would cause an 1719 abort. 1720 - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for 1721 finding this oversight. 1722 - Changed default patterns in lib/Makefile.in to fit non-GNU makes 1723 Thanks to robin@unrated.net for reporting and providing an 1724 account to test on. 1725 - The reference had the wrong label for XML_SetStartNamespaceDecl. 1726 Reported by an anonymous user. 1727 1728Release 1.95.0 Fri Sep 29 2000 1729 - XML_ParserCreate_MM 1730 Allows you to set a memory management suite to replace the 1731 standard malloc,realloc, and free. 1732 - XML_SetReturnNSTriplet 1733 If you turn this feature on when namespace processing is in 1734 effect, then qualified, prefixed element and attribute names 1735 are returned as "uri|name|prefix" where '|' is whatever 1736 separator character is used in namespace processing. 1737 - Merged in features from perl-expat 1738 o XML_SetElementDeclHandler 1739 o XML_SetAttlistDeclHandler 1740 o XML_SetXmlDeclHandler 1741 o XML_SetEntityDeclHandler 1742 o StartDoctypeDeclHandler takes 3 additional parameters: 1743 sysid, pubid, has_internal_subset 1744 o Many paired handler setters (like XML_SetElementHandler) 1745 now have corresponding individual handler setters 1746 o XML_GetInputContext for getting the input context of 1747 the current parse position. 1748 - Added reference material 1749 - Packaged into a distribution that builds a sharable library 1750