                          __  __            _
                       ___\ \/ /_ __   __ _| |_
                      / _ \\  /| '_ \ / _` | __|
                     |  __//  \| |_) | (_| | |_
                      \___/_/\_\ .__/ \__,_|\__|
                               |_| XML parser

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! <blink>Expat is UNDERSTAFFED and WITHOUT FUNDING.</blink>                !!
!!                 ~~~~~~~~~~~~                                             !!
!! The following topics need *additional skilled C developers* to progress  !!
!! in a timely manner or at all (loosely ordered by descending priority):   !!
!!                                                                          !!
!! - <blink>fixing a complex non-public security issue</blink>,             !!
!! - teaming up on researching and fixing future security reports and       !!
!!   ClusterFuzz findings with few-days-max response times in communication !!
!!   in order to (1) have a sound fix ready before the end of a 90 days     !!
!!   grace period and (2) in a sustainable manner,                          !!
!! - implementing and auto-testing XML 1.0r5 support                        !!
!!   (needs discussion before pull requests),                               !!
!! - smart ideas on fixing the Autotools CMake files generation issue       !!
!!   without breaking CI (needs discussion before pull requests),           !!
!! - the Windows binaries topic (needs requirements engineering first),     !!
!! - pushing migration from `int` to `size_t` further                       !!
!!   including edge-cases test coverage (needs discussion before anything). !!
!!                                                                          !!
!! For details, please reach out via e-mail to sebastian@pipping.org so we  !!
!! can schedule a voice call on the topic, in English or German.            !!
!!                                                                          !!
!! THANK YOU!                       Sebastian Pipping -- Berlin, 2024-03-09 !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Release 2.6.3 Wed September 4 2024
        Security fixes:
            #887 #890  CVE-2024-45490 -- Calling function XML_ParseBuffer with
                         len < 0 without noticing and then calling XML_GetBuffer
                         will have XML_ParseBuffer fail to recognize the problem
                         and XML_GetBuffer corrupt memory.
                         With the fix, XML_ParseBuffer now complains with error
                         XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse
                         has been doing since Expat 2.2.1, and now documented.
                         Impact is denial of service to potentially arbitrary code
                         execution.
            #888 #891  CVE-2024-45491 -- Internal function dtdCopy can have an
                         integer overflow for nDefaultAtts on 32-bit platforms
                         (where UINT_MAX equals SIZE_MAX).
                         Impact is denial of service to potentially arbitrary code
                         execution.
            #889 #892  CVE-2024-45492 -- Internal function nextScaffoldPart can
                         have an integer overflow for m_groupSize on 32-bit
                         platforms (where UINT_MAX equals SIZE_MAX).
                         Impact is denial of service to potentially arbitrary code
                         execution.

        Other changes:
            #851 #879  Autotools: Sync CMake templates with CMake 3.28
            #853       Autotools: Always provide path to find(1) for portability
            #861       Autotools: Ensure that the m4 directory always exists.
            #870       Autotools: Simplify handling of SIZEOF_VOID_P
            #869       Autotools: Support non-GNU sed
            #856       Autotools|CMake: Fix main() to main(void)
            #865       Autotools|CMake: Fix compile tests for HAVE_SYSCALL_GETRANDOM
            #863       Autotools|CMake: Stop requiring dos2unix
            #854 #855  CMake: Fix check for symbols size_t and off_t
            #864       docs|tests: Convert README to Markdown and update
            #741       Windows: Drop support for Visual Studio <=15.0/2017
            #886       Drop needless XML_DTD guards around is_param access
            #885       Fix typo in a code comment
            #894 #896  Version info bumped from 10:2:9 (libexpat*.so.1.9.2)
                         to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/
                         for what these numbers do

        Infrastructure:
            #880       Readme: Promote the call for help
            #868       CI: Fix various issues
            #849       CI: Allow triggering GitHub Actions workflows manually
            #851 #872 ..
            #873 #879  CI: Adapt to breaking changes in GitHub Actions

        Special thanks to:
            Alexander Bluhm
            Berkay Eren Ürün
            Dag-Erling Smørgrav
            Ferenc Géczi
            TaiYou

Release 2.6.2 Wed March 13 2024
        Security fixes:
            #839 #842  CVE-2024-28757 -- Prevent billion laughs attacks with
                         isolated use of external parsers. Please see the commit
                         message of commit 1d50b80cf31de87750103656f6eb693746854aa8
                         for details.

        Bug fixes:
            #839 #841  Reject direct parameter entity recursion
                         and avoid the related undefined behavior

        Other changes:
            #847       Autotools: Fix build for DOCBOOK_TO_MAN containing spaces
            #837       Add missing #821 and #824 to 2.6.1 change log
            #838 #843  Version info bumped from 10:1:9 (libexpat*.so.1.9.1)
                         to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/
                         for what these numbers do

        Special thanks to:
            Philippe Antoine
            Tomas Korbar
            and
            Clang UndefinedBehaviorSanitizer
            OSS-Fuzz / ClusterFuzz

Release 2.6.1 Thu February 29 2024
        Bug fixes:
            #817       Make tests independent of CPU speed, and thus more robust
            #828 #836  Expose billion laughs API with XML_DTD defined and
                         XML_GE undefined, regression from 2.6.0

        Other changes:
            #829       Hide test-only code behind new internal macro
            #833       Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P
            #821 #824  Autotools: Fix "make clean" for case:
                         ./configure --without-docbook && make clean all
            #819       Address compiler warnings
            #832 #834  Version info bumped from 10:0:9 (libexpat*.so.1.9.0)
                         to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/
                         for what these numbers do

        Infrastructure:
            #818       CI: Adapt to breaking changes in clang-format

        Special thanks to:
            David Hall
            Snild Dolkow

Release 2.6.0 Tue February 6 2024
        Security fixes:
            #789 #814  CVE-2023-52425 -- Fix quadratic runtime issues with big tokens
                         that can cause denial of service, in particular when
                         dealing with compressed XML input. Applications
                         that parsed a document in one go -- a single call to
                         functions XML_Parse or XML_ParseBuffer -- were not affected.
                         The smaller the chunks/buffers you use for parsing
                         previously, the bigger the problem prior to the fix.
                         Backporters should be careful to not omit parts of
                         pull request #789 and to include earlier pull request #771,
                         in order to not break the fix.
            #777       CVE-2023-52426 -- Fix billion laughs attacks for users
                         compiling *without* XML_DTD defined (which is not common).
                         Users with XML_DTD defined have been protected since
                         Expat >=2.4.0 (and that was CVE-2013-0340 back then).

        Bug fixes:
            #753       Fix parse-size-dependent "invalid token" error for
                         external entities that start with a byte order mark
            #780       Fix NULL pointer dereference in setContext via
                         XML_ExternalEntityParserCreate for compilation with
                         XML_DTD undefined
            #812 #813  Protect against closing entities out of order

        Other changes:
            #723       Improve support for arc4random/arc4random_buf
            #771 #788  Improve buffer growth in XML_GetBuffer and XML_Parse
            #761 #770  xmlwf: Support --help and --version
            #759 #770  xmlwf: Support custom buffer size for XML_GetBuffer and read
            #744       xmlwf: Improve language and URL clickability in help output
            #673       examples: Add new example "element_declarations.c"
            #764       Be stricter about macro XML_CONTEXT_BYTES at build time
            #765       Make inclusion to expat_config.h consistent
            #726 #727  Autotools: configure.ac: Support --disable-maintainer-mode
            #678 #705 ..
            #706 #733 #792  Autotools: Sync CMake templates with CMake 3.26
            #795       Autotools: Make installation of shipped man page doc/xmlwf.1
                         independent of docbook2man availability
            #815       Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
                         section "Cflags.private" in order to fix compilation
                         against static libexpat using pkg-config on Windows
            #724 #751  Autotools|CMake: Require a C99 compiler
                         (a de-facto requirement already since Expat 2.2.2 of 2017)
            #793       Autotools|CMake: Fix PACKAGE_BUGREPORT variable
            #750 #786  Autotools|CMake: Make test suite require a C++11 compiler
            #749       CMake: Require CMake >=3.5.0
            #672       CMake: Lowercase off_t and size_t to help a bug in Meson
            #746       CMake: Sort xmlwf sources alphabetically
            #785       CMake|Windows: Fix generation of DLL file version info
            #790       CMake: Build tests/benchmark/benchmark.c as well for
                         a build with -DEXPAT_BUILD_TESTS=ON
            #745 #757  docs: Document the importance of isFinal + adjust tests
                         accordingly
            #736       docs: Improve use of "NULL" and "null"
            #713       docs: Be specific about version of XML (XML 1.0r4)
                         and version of C (C99); (XML 1.0r5 will need a sponsor.)
            #762       docs: reference.html: Promote function XML_ParseBuffer more
            #779       docs: reference.html: Add HTML anchors to XML_* macros
            #760       docs: reference.html: Upgrade to OK.css 1.2.0
            #763 #739  docs: Fix typos
            #696       docs|CI: Use HTTPS URLs instead of HTTP at various places
            #669 #670 ..
            #692 #703 ..
            #733 #772  Address compiler warnings
            #798 #800  Address clang-tidy warnings
            #775 #776  Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
                         to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
                         for what these numbers do

        Infrastructure:
            #700 #701  docs: Document security policy in file SECURITY.md
            #766       docs: Improve parse buffer variables in-code documentation
            #674 #738 ..
            #740 #747 ..
            #748 #781 #782  Refactor coverage and conformance tests
            #714 #716  Refactor debug level variables to unsigned long
            #671       Improve handling of empty environment variable value
                         in function getDebugLevel (without visible user effect)
            #755 #774 ..
            #758 #783 ..
            #784 #787  tests: Improve test coverage with regard to parse chunk size
            #660 #797 #801  Fuzzing: Improve fuzzing coverage
            #367 #799  Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests
            #698 #721  CI: Resolve some Travis CI leftovers
            #669       CI: Be robust towards absence of Git tags
            #693 #694  CI: Set permissions to "contents: read" for security
            #709       CI: Pin all GitHub Actions to specific commits for security
            #739       CI: Reject spelling errors using codespell
            #798       CI: Enforce clang-tidy clean code
            #773 #808 ..
            #809 #810  CI: Upgrade Clang from 15 to 18
            #796       CI: Start using Clang's Control Flow Integrity sanitizer
            #675 #720 #722  CI: Adapt to breaking changes in GitHub Actions Ubuntu images
            #689       CI: Adapt to breaking changes in Clang/LLVM Debian packaging
            #763       CI: Adapt to breaking changes in codespell
            #803       CI: Adapt to breaking changes in Cppcheck

        Special thanks to:
            Ivan Galkin
            Joyce Brum
            Philippe Antoine
            Rhodri James
            Snild Dolkow
            spookyahell
            Steven Garske
            and
            Clang AddressSanitizer
            Clang UndefinedBehaviorSanitizer
            codespell
            GCC Farm Project
            OSS-Fuzz
            Sony Mobile

Release 2.5.0 Tue October 25 2022
        Security fixes:
            #616 #649 #650  CVE-2022-43680 -- Fix heap use-after-free after overeager
                              destruction of a shared DTD in function
                              XML_ExternalEntityParserCreate in out-of-memory situations.
                              Expected impact is denial of service or potentially
                              arbitrary code execution.

        Bug fixes:
            #612 #645  Fix corruption from undefined entities
            #613 #654  Fix case when parsing was suspended while processing nested
                         entities
            #616 #652 #653  Stop leaking opening tag bindings after a closing tag
                              mismatch error where a parser is reset through
                              XML_ParserReset and then reused to parse
            #656       CMake: Fix generation of pkg-config file
            #658       MinGW|CMake: Fix static library name

        Other changes:
            #663       Protect header expat_config.h from multiple inclusion
            #666       examples: Make use of XML_GetBuffer and be more
                         consistent across examples
            #648       Address compiler warnings
            #667 #668  Version info bumped from 9:9:8 to 9:10:8;
                         see https://verbump.de/ for what these numbers do

        Special thanks to:
            Jann Horn
            Mark Brand
            Osyotr
            Rhodri James
            and
            Google Project Zero

Release 2.4.9 Tue September 20 2022
        Security fixes:
            #629 #640  CVE-2022-40674 -- Heap use-after-free vulnerability in
                         function doContent. Expected impact is denial of service
                         or potentially arbitrary code execution.

        Bug fixes:
            #634       MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0
            #614       docs: Fix documentation on effect of switch XML_DTD on
                         symbol visibility in doc/reference.html

        Other changes:
            #638       MinGW: Make fix-xmltest-log.sh drop more Wine bug output
            #596 #625  Autotools: Sync CMake templates with CMake 3.22
            #608       CMake: Migrate from use of CMAKE_*_POSTFIX to
                         dedicated variables EXPAT_*_POSTFIX to stop affecting
                         other projects
            #597 #599  Windows|CMake: Add missing -DXML_STATIC to test runners
                         and fuzzers
            #512 #621  Windows|CMake: Render .def file from a template to fix
                         linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
            #611 #621  MinGW|CMake: Apply MSVC .def file when linking
            #622 #624  MinGW|CMake: Sync library name with GNU Autotools,
                         i.e. produce libexpat-1.dll rather than libexpat.dll
                         by default.
                         Filename libexpat.dll.a is unaffected.
            #632       MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in
                         toolchain file "cmake/mingw-toolchain.cmake" to avoid
                         error "windres: Command not found" on e.g. Ubuntu 20.04
            #597 #627  CMake: Unify inconsistent use of set() and option() in
                         context of public build time options to take need for
                         set(.. FORCE) in projects using Expat by means of
                         add_subdirectory(..) off Expat's users' shoulders
            #626 #641  Stop exporting API symbols when building a static library
            #644       Resolve use of deprecated "fgrep" by "grep -F"
            #620       CMake: Make documentation on variables a bit more consistent
            #636       CMake: Drop leading whitespace from a #cmakedefine line in
                         file expat_config.h.cmake
            #594       xmlwf: Fix harmless variable mix-up in function nsattcmp
            #592 #593 #610  Address Cppcheck warnings
            #643       Address Clang 15 compiler warnings
            #642 #644  Version info bumped from 9:8:8 to 9:9:8;
                         see https://verbump.de/ for what these numbers do

        Infrastructure:
            #597 #598  CI: Windows: Start covering MSVC 2022
            #619       CI: macOS: Migrate off deprecated macOS 10.15
            #632       CI: Linux: Make migration off deprecated Ubuntu 18.04 work
            #643       CI: Upgrade Clang from 14 to 15
            #637       apply-clang-format.sh: Add support for BSD find
            #633       coverage.sh: Exclude MinGW headers
            #635       coverage.sh: Fix name collision for -funsigned-char

        Special thanks to:
            David Faure
            Felix Wilhelm
            Frank Bergmann
            Rhodri James
            Rosen Penev
            Thijs Schreijer
            Vincent Torri
            and
            Google Project Zero

Release 2.4.8 Mon March 28 2022
        Other changes:
            #587       pkg-config: Move "-lm" to section "Libs.private"
            #587       CMake|MSVC: Fix pkg-config section "Libs"
            #55 #582   CMake|macOS: Start using linker arguments
                         "-compatibility_version <version>" and
                         "-current_version <version>" in a way compatible with
                         GNU Libtool
            #590 #591  Version info bumped from 9:7:8 to 9:8:8;
                         see https://verbump.de/ for what these numbers do

        Infrastructure:
            #589       CI: Upgrade Clang from 13 to 14

        Special thanks to:
            evpobr
            Kai Pastor
            Sam James

Release 2.4.7 Fri March 4 2022
        Bug fixes:
            #572 #577  Relax fix to CVE-2022-25236 (introduced with release 2.4.5)
                         with regard to all valid URI characters (RFC 3986),
                         i.e. the following set (excluding whitespace):
                         ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz
                         0123456789 % -._~ :/?#[]@ !$&'()*+,;=

        Other changes:
            #555 #570 #581  CMake|Windows: Store Expat version in the DLL
            #577       Document consequences of namespace separator choices not just
                         in doc/reference.html but also in header <expat.h>
            #577       Document Expat's lack of validation of namespace URIs against
                         RFC 3986, and that the XML 1.0r4 specification doesn't
                         require Expat to validate namespace URIs, and that Expat
                         may do more in that regard in future releases.
                         If you find need for strict RFC 3986 URI validation on
                         application level today, https://uriparser.github.io/ may
                         be of interest.
            #579       Fix documentation of XML_EndDoctypeDeclHandler in <expat.h>
            #575       Document that a call to XML_FreeContentModel can be done at
                         a later time from outside the element declaration handler
            #574       Make hardcoded namespace URIs easier to find in code
            #573       Update documentation on use of XML_POOR_ENTROPY on Solaris
            #569 #571  tests: Resolve use of macros NAN and INFINITY for GNU G++
                         4.8.2 on Solaris.
            #578 #580  Version info bumped from 9:6:8 to 9:7:8;
                         see https://verbump.de/ for what these numbers do

        Special thanks to:
            Jeffrey Walton
            Johnny Jazeix
            Thijs Schreijer

Release 2.4.6 Sun February 20 2022
        Bug fixes:
            #566       Fix a regression introduced by the fix for CVE-2022-25313
                         in release 2.4.5 that affects applications that (1)
                         call function XML_SetElementDeclHandler and (2) are
                         parsing XML that contains nested element declarations
                         (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>").

        Other changes:
            #567 #568  Version info bumped from 9:5:8 to 9:6:8;
                         see https://verbump.de/ for what these numbers do

        Special thanks to:
            Matt Sergeant
            Samanta Navarro
            Sergei Trofimovich
            and
            NixOS
            Perl XML::Parser

Release 2.4.5 Fri February 18 2022
        Security fixes:
            #562       CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
                         sequences (e.g. from start tag names) to the XML
                         processing application on top of Expat can cause
                         arbitrary damage (e.g. code execution) depending
                         on how invalid UTF-8 is handled inside the XML
                         processor; validation was not their job but Expat's.
                         Exploits with code execution are known to exist.
            #561       CVE-2022-25236 -- Passing (one or more) namespace separator
                         characters in "xmlns[:prefix]" attribute values
                         made Expat send malformed tag names to the XML
                         processor on top of Expat which can cause
                         arbitrary damage (e.g. code execution) depending
                         on how such unexpected cases are handled inside the XML
                         processor; validation was not their job but Expat's.
                         Exploits with code execution are known to exist.
            #558       CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
                         that could be triggered by e.g. a 2 megabytes
                         file with a large number of opening braces.
                         Expected impact is denial of service or potentially
                         arbitrary code execution.
            #560       CVE-2022-25314 -- Fix integer overflow in function copyString;
                         only affects the encoding name parameter at parser creation
                         time which is often hardcoded (rather than user input),
                         takes a value in the gigabytes to trigger, and a 64-bit
                         machine. Expected impact is denial of service.
            #559       CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
                         needs input in the gigabytes and a 64-bit machine.
                         Expected impact is denial of service or potentially
                         arbitrary code execution.

        Other changes:
            #557 #564  Version info bumped from 9:4:8 to 9:5:8;
                         see https://verbump.de/ for what these numbers do

        Special thanks to:
            Ivan Fratric
            Samanta Navarro
            and
            Google Project Zero
            JetBrains

Release 2.4.4 Sun January 30 2022
        Security fixes:
            #550       CVE-2022-23852 -- Fix signed integer overflow
                         (undefined behavior) in function XML_GetBuffer
                         (that is also called by function XML_Parse internally)
                         for when XML_CONTEXT_BYTES is defined to >0 (which is both
                         common and default).
                         Impact is denial of service or more.
            #551       CVE-2022-23990 -- Fix unsigned integer overflow in function
                         doProlog triggered by large content in element type
                         declarations when there is an element declaration handler
                         present (from a prior call to XML_SetElementDeclHandler).
                         Impact is denial of service or more.

        Bug fixes:
            #544 #545  xmlwf: Fix a memory leak on output file opening error

        Other changes:
            #546       Autotools: Fix broken CMake support under Cygwin
            #554       Windows: Add missing files to the installer to fix
                         compilation with CMake from installed sources
            #552 #554  Version info bumped from 9:3:8 to 9:4:8;
                         see https://verbump.de/ for what these numbers do

        Special thanks to:
            Carlo Bramini
            hwt0415
            Roland Illig
            Samanta Navarro
            and
            Clang LeakSan and the Clang team

Release 2.4.3 Sun January 16 2022
        Security fixes:
            #531 #534  CVE-2021-45960 -- Fix issues with left shifts by >=29 places
                         resulting in
                         a) realloc acting as free
                         b) realloc allocating too few bytes
                         c) undefined behavior
                         depending on architecture and precise value
                         for XML documents with >=2^27+1 prefixed attributes
                         on a single XML tag a la
                         "<r xmlns:a='[..]' a:a123='[..]' [..] />"
                         where XML_ParserCreateNS is used to create the parser
                         (which needs argument "-n" when running xmlwf).
                         Impact is denial of service, or more.
            #532 #538  CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
                         on variable m_groupSize in function doProlog leading
                         to realloc acting as free.
                         Impact is denial of service or more.
            #539       CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
                         near memory allocation at multiple places. Mitre assigned
                         a dedicated CVE for each involved internal C function:
                         - CVE-2022-22822 for function addBinding
                         - CVE-2022-22823 for function build_model
                         - CVE-2022-22824 for function defineAttribute
                         - CVE-2022-22825 for function lookup
                         - CVE-2022-22826 for function nextScaffoldPart
                         - CVE-2022-22827 for function storeAtts
                         Impact is denial of service or more.
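The 2.4.4 and 2.4.3 security entries above describe one bug class several times over: a size computed by shift, addition or multiplication wraps before it reaches realloc(), so the allocator either hands back too few bytes or, when the size wraps to zero, frees the block and leaves the caller with a dangling pointer ("realloc acting as free"). The following is an added example written for this page; it is not code from the Expat sources, and the helper names (checked_mul_size, checked_add_size, checked_shl_size, checked_shl_u32, grow_array) are assumptions made here. It shows the defensive pattern the fixes rely on: validate every size computation before allocating, and treat a zero byte count as a failure rather than passing it on to realloc(). The uint32_t variant reproduces the wrap the change log attributes to 32-bit platforms even when the example is built on a 64-bit host.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Every check returns false and leaves *out untouched when the result would
 * not fit; callers then refuse the allocation instead of handing a wrapped
 * (possibly zero) size to malloc()/realloc().  Names are assumptions. */

static bool checked_mul_size(size_t a, size_t b, size_t *out) {
  if (a != 0 && b > SIZE_MAX / a)
    return false;
  *out = a * b;
  return true;
}

static bool checked_add_size(size_t a, size_t b, size_t *out) {
  if (b > SIZE_MAX - a)
    return false;
  *out = a + b;
  return true;
}

/* Left shift used for power-of-two table sizing.  A shift as wide as the type
 * is undefined behaviour; a narrower but still too large one silently wraps. */
static bool checked_shl_size(size_t value, unsigned shift, size_t *out) {
  if (shift >= sizeof(size_t) * CHAR_BIT)
    return false;
  if (value > (SIZE_MAX >> shift))
    return false;
  *out = value << shift;
  return true;
}

/* The same check in explicit 32-bit arithmetic, i.e. what size_t arithmetic
 * looks like on the platforms where UINT_MAX equals SIZE_MAX. */
static bool checked_shl_u32(uint32_t value, unsigned shift, uint32_t *out) {
  if (shift >= 32)
    return false;
  if (value > (UINT32_MAX >> shift))
    return false;
  *out = value << shift;
  return true;
}

/* Grow a heap array so it can hold `needed` elements of `elem_size` bytes.
 * Doubling is checked, and a byte count of 0 is rejected explicitly: passing
 * 0 to realloc() may free the block, leaving `ptr` dangling for the caller. */
static void *grow_array(void *ptr, size_t elem_size, size_t needed,
                        size_t *capacity) {
  size_t new_cap = *capacity ? *capacity : 16;
  size_t bytes;

  while (new_cap < needed) {
    if (!checked_mul_size(new_cap, 2, &new_cap))
      return NULL; /* more elements than size_t can count */
  }
  if (!checked_mul_size(new_cap, elem_size, &bytes) || bytes == 0)
    return NULL;

  void *grown = realloc(ptr, bytes);
  if (grown == NULL)
    return NULL; /* the original block is still valid; caller keeps `ptr` */
  *capacity = new_cap;
  return grown;
}

int main(void) {
  size_t cap = 0;
  int *ints = grow_array(NULL, sizeof(int), 20, &cap);
  printf("capacity after growing to 20 ints: %zu\n", cap);
  free(ints);

  uint32_t table_bytes;
  /* 8 entries of 2^29 bytes each does not fit a 32-bit size_t. */
  printf("8 << 29 in 32 bits: %s\n",
         checked_shl_u32(8, 29, &table_bytes) ? "ok" : "rejected");
  return 0;
}
```

Every caller that reaches for realloc() in a parser's table-growing paths is a candidate for this shape of check; the point of keeping the checks as small separate functions is that they can be reviewed once and reused at each allocation site, which is where the six per-function CVEs in the 2.4.3 entry were assigned.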

        Other changes:
            #535       CMake: Make call to file(GENERATE [..]) work for CMake <3.19
            #541       Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin
                         and MSYS2 by not going through Wine on these platforms
            #527 #528  Address compiler warnings
            #533 #543  Version info bumped from 9:2:8 to 9:3:8;
                         see https://verbump.de/ for what these numbers do

        Infrastructure:
            #536       CI: Check for realistic minimum CMake version
            #529 #539  CI: Cover compilation with -m32
            #529       CI: Store coverage reports as artifacts for download
            #528       CI: Upgrade Clang from 11 to 13

        Special thanks to:
            An anonymous whitehat
            Christopher Degawa
            J. Peter Mugaas
            Tyson Smith
            and
            GCC Farm Project
            Trend Micro Zero Day Initiative

Release 2.4.2 Sun December 19 2021
        Other changes:
            #509 #510  Link against libm for function "isnan"
            #513 #514  Include expat_config.h as early as possible
            #498       Autotools: Include files with release archives:
                         - buildconf.sh
                         - fuzz/*.c
            #507 #519  Autotools: Sync CMake templates with CMake 3.20
            #495 #524  CMake: MinGW: Fix pkg-config section "Libs" for
                         - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug)
                         - multi-config CMake generators (e.g.
                           Ninja Multi-Config)
            #502 #503  docs: Document that function XML_GetBuffer may return NULL
                         when asking for a buffer of 0 (zero) bytes size
            #522 #523  docs: Fix return value docs for both
                         XML_SetBillionLaughsAttackProtection* functions
            #525 #526  Version info bumped from 9:1:8 to 9:2:8;
                         see https://verbump.de/ for what these numbers do

        Special thanks to:
            Donghee Na
            Joergen Ibsen
            Kai Pastor

Release 2.4.1 Sun May 23 2021
        Bug fixes:
            #488 #490  Autotools: Fix installed header expat_config.h for multilib
                         systems; regression introduced in 2.4.0 by pull request #486

        Other changes:
            #491 #492  Version info bumped from 9:0:8 to 9:1:8;
                         see https://verbump.de/ for what these numbers do

        Special thanks to:
            Gentoo's QA check "multilib_check_headers"

Release 2.4.0 Sun May 23 2021
        Security fixes:
            #34 #466 #484  CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
                             (denial-of-service; flavors targeting CPU time or RAM or both,
                             leveraging general entities or parameter entities or both)
                             by tracking and limiting the input amplification factor
                             (<amplification> := (<direct> + <indirect>) / <direct>).
                             By conservative default, amplification up to a factor of 100.0
                             is tolerated and rejection only starts after 8 MiB of output bytes
                             (=<direct> + <indirect>) have been processed.
                             The fix adds the following to the API:
                             - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
                               signal this specific condition.
                             - Two new API functions ..
                               - XML_SetBillionLaughsAttackProtectionMaximumAmplification and
                               - XML_SetBillionLaughsAttackProtectionActivationThreshold
                               .. to further tighten billion laughs protection parameters
                               when desired. Please see file "doc/reference.html" for details.
                               If you ever need to increase the defaults for non-attack XML
                               payload, please file a bug report with libexpat.
                             - Two new XML_FEATURE_* constants ..
                               - that can be queried using the XML_GetFeatureList function, and
                               - that are shown in "xmlwf -v" output.
                             - Two new environment variable switches ..
                               - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
                               - EXPAT_ENTITY_DEBUG=(0|1)
                               .. for runtime debugging of accounting and entity processing.
                               Specific behavior of these values may change in the future.
                             - Two new command line arguments "-a FACTOR" and "-b BYTES"
                               for xmlwf to further tighten billion laughs protection
                               parameters when desired.
                               If you ever need to increase the defaults for non-attack XML
                               payload, please file a bug report with libexpat.

        Bug fixes:
            #332 #470  For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake)
                         or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault
                         for UTF-16 payloads containing CDATA sections.
            #485 #486  Autotools: Fix generated CMake files for non-64bit and
                         non-Linux platforms (e.g. macOS and MinGW in particular)
                         that were introduced with release 2.3.0

        Other changes:
            #468 #469  xmlwf: Improve help output and the xmlwf man page
            #463       xmlwf: Improve maintainability through some refactoring
            #477       xmlwf: Fix man page DocBook validity
            #456       Autotools: Sync CMake templates with CMake 3.18
            #458 #459  CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR
                         and CMAKE_INSTALL_INCLUDEDIR
            #471 #481  CMake: Add support for standard variable BUILD_SHARED_LIBS
            #457       Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters
            #467       Resolve macro HAVE_EXPAT_CONFIG_H
            #472       Delete unused legacy helper file "conftools/PrintPath"
            #473 #483  Improve attribution
            #464 #465 #477  doc/reference.html: Fix XHTML validity
            #475 #478  doc/reference.html: Replace the 90s look by OK.css
            #479       Version info bumped from 8:0:7 to 9:0:8
                         due to addition of new symbols and error codes;
                         see https://verbump.de/ for what these numbers do

        Infrastructure:
            #456       CI: Enable periodic runs
            #457       CI: Start covering the list of exported symbols
            #474       CI: Isolate coverage task
            #476 #482  CI: Adapt to breaking changes in image "ubuntu-18.04"
            #477       CI: Cover well-formedness and DocBook/XHTML validity
                         of doc/reference.html and doc/xmlwf.xml

        Special thanks to:
            Dimitry Andric
            Eero Helenius
            Nick Wellnhofer
            Rhodri James
            Tomas Korbar
            Yury Gribov
            and
            Clang LeakSan
            JetBrains
            OSS-Fuzz

Release 2.3.0 Thu March 25 2021
        Bug fixes:
            #438       When calling XML_ParseBuffer without a prior successful call to
                         XML_GetBuffer as a user, no longer trigger undefined behavior
                         (by adding an integer to a NULL pointer) but rather return
                         XML_STATUS_ERROR and set the error code to (new) code
                         XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer)
                         of Clang 11 (but not Clang 9).
            #444       xmlwf: Exit status 2 was used for both:
                         - malformed input files (documented) and
                         - invalid command-line arguments (undocumented).
                         The case of invalid command-line arguments now
                         has its own exit status 4, resolving the ambiguity.

        Other changes:
            #439       xmlwf: Add argument -k to allow continuing after
                         non-fatal errors
            #439       xmlwf: Add section about exit status to the -h help output
            #422 #426 #447  Windows: Drop support for Visual Studio <=14.0/2015
            #434       Windows: CMake: Detect unsupported Visual Studio at
                         configure time (rather than at compile time)
            #382 #428  testrunner: Make verbose mode (argument "-v") report
                         about passed tests, and make default mode report about
                         failures, as well.
            #442       CMake: Call "enable_language(CXX)" prior to tinkering
                         with CMAKE_CXX_* variables
            #448       Document use of libexpat from a CMake-based project
            #451       Autotools: Install CMake files as generated by CMake 3.19.6
                         so that users with "find_package(expat [..]
                         CONFIG [..])"
                         are served on distributions that are *not* using the CMake
                         build system inside for libexpat packaging
            #436 #437  Autotools: Drop obsolescent macro AC_HEADER_STDC
            #450 #452  Autotools: Resolve use of obsolete macro AC_CONFIG_HEADER
            #441       Address compiler warnings
            #443       Version info bumped from 7:12:6 to 8:0:7
                         due to addition of error code XML_ERROR_NO_BUFFER
                         (see https://verbump.de/ for what these numbers do)

        Infrastructure:
            #435 #446  Replace Travis CI by GitHub Actions

        Special thanks to:
            Alexander Richardson
            Oleksandr Popovych
            Thomas Beutlich
            Tim Bray
            and
            Clang LeakSan, Clang 11 UBSan and the Clang team

Release 2.2.10 Sat October 3 2020
        Bug fixes:
            #390 #395 #398  Fix undefined behavior during parsing caused by
                              pointer arithmetic with NULL pointers
            #404 #405  Fix reading uninitialized variable during parsing
            #406       xmlwf: Add missing check for malloc NULL return

        Other changes:
            #396       Windows: Drop support for Visual Studio <=8.0/2005
            #409       Windows: Add missing file "Changes" to the installer
                         to fix compilation with CMake from installed sources
            #403       xmlwf: Document exit codes in xmlwf manpage and
                         exit with code 3 (rather than code 1) for output errors
                         when used with "-d DIRECTORY"
            #356 #359  MinGW: Provide declaration of rand_s for mingwrt <5.3.0
            #383 #392  Autotools: Use -Werror while configure tests the compiler
                         for supported compile flags to avoid false positives
            #383 #393 #394  Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS,
                              e.g.
                              ensure that they have the last word over flags added
                              while running ./configure
            #360       CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis
                         on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
            #360       CMake: Detect and deny unsupported build combinations
                         involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
            #360       CMake: Install pre-compiled shipped xmlwf.1 manpage in case
                         of -DEXPAT_BUILD_DOCS=OFF
            #375 #380 #419  CMake: Fix use of Expat by means of add_subdirectory
            #407 #408  CMake: Keep expat target name constant at "expat"
                         (i.e. refrain from using the target name to control
                         build artifact filenames)
            #385       CMake: Fix compilation with -DEXPAT_SHARED_LIBS=OFF for
                         Windows
                       CMake: Expose man page compilation as target "xmlwf-manpage"
            #413 #414  CMake: Introduce option EXPAT_BUILD_PKGCONFIG
                         to control generation of pkg-config file "expat.pc"
            #424       CMake: Add minimalistic support for building binary packages
                         with CMake target "package"; based on CPack
            #366       CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with
                         default OFF to build fuzzer code against OSS-Fuzz and
                         related environment variable LIB_FUZZING_ENGINE
            #354       Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF, each
            #354 #355 ..
            #356 #412  Address compiler warnings
            #368 #369  Address pngcheck warnings with doc/*.png images
            #425       Version info bumped from 7:11:6 to 7:12:6

        Special thanks to:
            asavah
            Ben Wagner
            Bhargava Shastry
            Frank Landgraf
            Jeffrey Walton
            Joe Orton
            Kleber Tarcísio
            Ma Lin
            Maciej Sroczyński
            Mohammed Khajapasha
            Vadim Zeitlin
            and
            Cppcheck 2.0 and the Cppcheck team

Release 2.2.9 Wed September 25 2019
        Other changes:
                       examples: Drop executable bits from elements.c
            #349       Windows: Change the name of the Windows DLLs from expat*.dll
                         to libexpat*.dll once more (regression from 2.2.8, first
                         fixed in 1.95.3, issue #61 on SourceForge today,
                         was issue #432456 back then); needs a fix due to
                         case-insensitive file systems on Windows and the fact that
                         Perl's XML::Parser::Expat compiles into Expat.dll.
            #347       Windows: Only define _CRT_RAND_S if not defined
                       Version info bumped from 7:10:6 to 7:11:6

        Special thanks to:
            Ben Wagner

Release 2.2.8 Fri September 13 2019
        Security fixes:
            #317 #318  CVE-2019-15903 -- Fix heap overflow triggered by
                         XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber),
                         and deny internal entities closing the doctype;
                         fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43

        Bug fixes:
            #240       Fix cases where XML_StopParser did not have any effect
                         when called from inside of an end element handler
            #341       xmlwf: Fix exit code for operation without "-d DIRECTORY";
                         previously, only "-d DIRECTORY" would give you a proper
                         exit code:
                         # xmlwf -d . <<<'<not well-formed>' 2>/dev/null ; echo $?
                         2
                         # xmlwf <<<'<not well-formed>' 2>/dev/null ; echo $?
                         0
                         Now both cases return exit code 2.
804 805 Other changes: 806 #299 #302 Windows: Replace LoadLibrary hack to access 807 unofficial API function SystemFunction036 (RtlGenRandom) 808 by using official API function rand_s (needs WinXP+) 809 #325 Windows: Drop support for Visual Studio <=7.1/2003 810 and document supported compilers in README.md 811 #286 Windows: Remove COM code from xmlwf; in case it turns 812 out needed later, there will be a dedicated repository 813 below https://github.com/libexpat/ for that code 814 #322 Windows: Remove explicit MSVC solution and project files. 815 You can generate Visual Studio solution files through 816 CMake, e.g.: cmake -G"Visual Studio 15 2017" . 817 #338 xmlwf: Make "xmlwf -h" help output more friendly 818 #339 examples: Improve elements.c 819 #244 #264 Autotools: Add argument --enable-xml-attr-info 820 #239 #301 Autotools: Add arguments 821 --with-getrandom 822 --without-getrandom 823 --with-sys-getrandom 824 --without-sys-getrandom 825 #312 #343 Autotools: Fix linking issues with "./configure LD=clang" 826 Autotools: Fix "make run-xmltest" for out-of-source builds 827 #329 #336 CMake: Pull all options from Expat <=2.2.7 into namespace 828 prefix EXPAT_ with the exception of DOCBOOK_TO_MAN: 829 - BUILD_doc -> EXPAT_BUILD_DOCS (plural) 830 - BUILD_examples -> EXPAT_BUILD_EXAMPLES 831 - BUILD_shared -> EXPAT_SHARED_LIBS 832 - BUILD_tests -> EXPAT_BUILD_TESTS 833 - BUILD_tools -> EXPAT_BUILD_TOOLS 834 - DOCBOOK_TO_MAN -> DOCBOOK_TO_MAN (unchanged) 835 - INSTALL -> EXPAT_ENABLE_INSTALL 836 - MSVC_USE_STATIC_CRT -> EXPAT_MSVC_STATIC_CRT 837 - USE_libbsd -> EXPAT_WITH_LIBBSD 838 - WARNINGS_AS_ERRORS -> EXPAT_WARNINGS_AS_ERRORS 839 - XML_CONTEXT_BYTES -> EXPAT_CONTEXT_BYTES 840 - XML_DEV_URANDOM -> EXPAT_DEV_URANDOM 841 - XML_DTD -> EXPAT_DTD 842 - XML_NS -> EXPAT_NS 843 - XML_UNICODE -> EXPAT_CHAR_TYPE=ushort (!) 844 - XML_UNICODE_WCHAR_T -> EXPAT_CHAR_TYPE=wchar_t (!) 
845 #244 #264 CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF), 846 default OFF 847 #326 CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF), 848 default OFF 849 #328 CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF), 850 default OFF 851 #239 #277 CMake: Add arguments 852 -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO 853 -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO 854 #326 CMake: Install expat_config.h to include directory 855 #326 CMake: Generate and install configuration files for 856 future find_package(expat [..] CONFIG [..]) 857 CMake: Now produces a summary of applied configuration 858 CMake: Require C++ compiler only when tests are enabled 859 #330 CMake: Fix compilation for 16bit character types, 860 i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON) 861 #265 CMake: Fix linking with MinGW 862 #330 CMake: Add full support for MinGW; to enable, use 863 -DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake 864 #330 CMake: Port "make run-xmltest" from GNU Autotools to CMake 865 #316 CMake: Windows: Make binary postfix match MSVC 866 Old: expat[d].lib 867 New: expat[w][d][MD|MT].lib 868 CMake: Migrate files from Windows to Unix line endings 869 #308 CMake: Integrate OSS-Fuzz fuzzers, option 870 -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF 871 #14 Drop an OpenVMS support leftover 872 #235 #268 .. 873 #270 #310 .. 874 #313 #331 #333 Address compiler warnings 875 #282 #283 .. 
876 #284 #285 Address cppcheck warnings 877 #294 #295 Address Clang Static Analyzer warnings 878 #24 #293 Mass-apply clang-format 9 (and ensure conformance during CI) 879 Version info bumped from 7:9:6 to 7:10:6 880 881 Special thanks to: 882 David Loffredo 883 Joonun Jang 884 Kishore Kunche 885 Marco Maggi 886 Mitch Phillips 887 Mohammed Khajapasha 888 Rolf Ade 889 xantares 890 Zhongyuan Zhou 891 892Release 2.2.7 Wed June 19 2019 893 Security fixes: 894 #186 #262 CVE-2018-20843 -- Fix extraction of namespace prefixes from 895 XML names; XML names with multiple colons could end up in 896 the wrong namespace, and take a high amount of RAM and CPU 897 resources while processing, opening the door to 898 use for denial-of-service attacks 899 900 Other changes: 901 #195 #197 Autotools/CMake: Utilize -fvisibility=hidden to stop 902 exporting non-API symbols 903 #227 Autotools: Add --without-examples and --without-tests 904 #228 Autotools: Modernize configure.ac 905 #245 #246 Autotools: Fix check for -fvisibility=hidden for Clang 906 #247 #248 Autotools: Fix compilation for lack of docbook2x-man 907 #236 #258 Autotools: Produce .tar.{gz,lz,xz} release archives 908 #212 CMake: Make libdir of pkgconfig expat.pc support multilib 909 #158 #263 CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR 910 #219 Remove fallback to bcopy, assume that memmove(3) exists 911 #257 Use portable "/usr/bin/env bash" shebang (e.g. 
for OpenBSD) 912 #243 Windows: Fix syntax of .def module definition files 913 Version info bumped from 7:8:6 to 7:9:6 914 915 Special thanks to: 916 Benjamin Peterson 917 Caolán McNamara 918 Hanno Böck 919 KangLin 920 Kishore Kunche 921 Marco Maggi 922 Rhodri James 923 Sebastian Dröge 924 userwithuid 925 Yury Gribov 926 927Release 2.2.6 Sun August 12 2018 928 Bug fixes: 929 #170 #206 Avoid doing arithmetic with NULL pointers in XML_GetBuffer 930 #204 #205 Fix 2.2.5 regression with suspend-resume while parsing 931 a document like '<root/>' 932 933 Other changes: 934 #165 #168 Autotools: Fix docbook-related configure syntax error 935 #166 Autotools: Avoid grep option `-q` for Solaris 936 #167 Autotools: Support 937 ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation" 938 #159 #167 Autotools: Support DOCBOOK_TO_MAN command which produces 939 xmlwf.1 rather than XMLWF.1; also covers case insensitive 940 file systems 941 #181 Autotools: Drop -rpath option passed to libtool 942 #188 Autotools: Detect and deny SGML docbook2man as ours is XML 943 #188 Autotools/CMake: Support command db2x_docbook2man as well 944 #174 CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF 945 #184 #185 CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF 946 #207 #208 CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T, 947 both defaulting to OFF 948 #175 CMake: Prefer check_symbol_exists over check_function_exists 949 #176 CMake: Create the same pkg-config file as with GNU Autotools 950 #178 #179 CMake: Use GNUInstallDirs module to set proper defaults for 951 install directories 952 #208 CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM 953 #180 Windows: Fix compilation of test suite for Visual Studio 2008 954 #131 #173 #202 Address compiler warnings 955 #187 #190 #200 Fix miscellaneous typos 956 Version info bumped from 7:7:6 to 7:8:6 957 958 Special thanks to: 959 Anton Maklakov 960 Benjamin Peterson 961 Brad King 962 Franek Korta 963 Frank Rast 964 Joe 
Orton 965 luzpaz 966 Pedro Vicente 967 Rainer Jung 968 Rhodri James 969 Rolf Ade 970 Rolf Eike Beer 971 Thomas Beutlich 972 Tomasz Kłoczko 973 974Release 2.2.5 Tue October 31 2017 975 Bug fixes: 976 #8 If the parser runs out of memory, make sure its internal 977 state reflects the memory it actually has, not the memory 978 it wanted to have. 979 #11 The default handler wasn't being called when it should for 980 a SYSTEM or PUBLIC doctype if an entity declaration handler 981 was registered. 982 #137 #138 Fix a case of mistakenly reported parsing success where 983 XML_StopParser was called from an element handler 984 #162 Function XML_ErrorString was returning NULL rather than 985 a message for code XML_ERROR_INVALID_ARGUMENT 986 introduced with release 2.2.1 987 988 Other changes: 989 #106 xmlwf: Add argument -N adding notation declarations 990 #75 #106 Test suite: Resolve expected failure cases where xmlwf 991 output was incomplete 992 #127 Windows: Fix test suite compilation 993 #126 #127 Windows: Fix compilation for Visual Studio 2012 994 Windows: Upgrade shipped project files to Visual Studio 2017 995 #33 #132 tests: Mass-fix compilation for XML_UNICODE_WCHAR_T 996 #129 examples: Fix compilation for XML_UNICODE_WCHAR_T 997 #130 benchmark: Fix compilation for XML_UNICODE_WCHAR_T 998 #144 xmlwf: Fix compilation for XML_UNICODE_WCHAR_T; still needs 999 Windows or MinGW for 2-byte wchar_t 1000 #9 Address two Clang Static Analyzer false positives 1001 #59 Resolve troublesome macros hiding parser struct membership 1002 and dereferencing that pointer 1003 #6 Resolve superfluous internal malloc/realloc switch 1004 #153 #155 Improve docbook2x-man detection 1005 #160 Undefine NDEBUG in the test suite (rather than rejecting it) 1006 #161 Address compiler warnings 1007 Version info bumped from 7:6:6 to 7:7:6 1008 1009 Special thanks to: 1010 Benbuck Nason 1011 Hans Wennborg 1012 José Gutiérrez de la Concha 1013 Pedro Monreal Gonzalez 1014 Rhodri James 1015 Rolf Ade 1016 
Stephen Groat 1017 and 1018 Core Infrastructure Initiative 1019 1020Release 2.2.4 Sat August 19 2017 1021 Bug fixes: 1022 #115 Fix copying of partial characters for UTF-8 input 1023 1024 Other changes: 1025 #109 Fix "make check" for non-x86 architectures that default 1026 to unsigned type char (-128..127 rather than 0..255) 1027 #109 coverage.sh: Cover -funsigned-char 1028 Autotools: Introduce --without-xmlwf argument 1029 #65 Autotools: Replace handwritten Makefile with GNU Automake 1030 #43 CMake: Auto-detect high quality entropy extractors, add new 1031 option USE_libbsd=ON to use arc4random_buf of libbsd 1032 #74 CMake: Add -fno-strict-aliasing only where supported 1033 #114 CMake: Always honor manually set BUILD_* options 1034 #114 CMake: Compile man page if docbook2x-man is available, only 1035 #117 Include file tests/xmltest.log.expected in source tarball 1036 (required for "make run-xmltest") 1037 #117 Include (existing) Visual Studio 2013 files in source tarball 1038 Improve test suite error output 1039 #111 Fix some typos in documentation 1040 Version info bumped from 7:5:6 to 7:6:6 1041 1042 Special thanks to: 1043 Jakub Wilk 1044 Joe Orton 1045 Lin Tian 1046 Rolf Eike Beer 1047 1048Release 2.2.3 Wed August 2 2017 1049 Security fixes: 1050 #82 CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability 1051 using Steve Holme's LoadLibrary wrapper for/of cURL 1052 1053 Bug fixes: 1054 #85 Fix a dangling pointer issue related to realloc 1055 1056 Other changes: 1057 Increase code coverage 1058 #91 Linux: Allow getrandom to fail if nonblocking pool has not 1059 yet been initialized and read /dev/urandom then, instead. 1060 This is in line with what recent Python does. 
1061 #81 Pre-10.7/Lion macOS: Support entropy from arc4random 1062 #86 Check that a UTF-16 encoding in an XML declaration has the 1063 right endianness 1064 #4 #5 #7 Recover correctly when some reallocations fail 1065 Repair "./configure && make" for systems without any 1066 provider of high quality entropy 1067 and try reading /dev/urandom on those 1068 Ensure that user-defined character encodings have converter 1069 functions when they are needed 1070 Fix mis-leading description of argument -c in xmlwf.1 1071 Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__) 1072 for CloudABI 1073 #100 Fix use of SIPHASH_MAIN in siphash.h 1074 #23 Test suite: Fix memory leaks 1075 Version info bumped from 7:4:6 to 7:5:6 1076 1077 Special thanks to: 1078 Chanho Park 1079 Joe Orton 1080 Pascal Cuoq 1081 Rhodri James 1082 Simon McVittie 1083 Vadim Zeitlin 1084 Viktor Szakats 1085 and 1086 Core Infrastructure Initiative 1087 1088Release 2.2.2 Wed July 12 2017 1089 Security fixes: 1090 #43 Protect against compilation without any source of high 1091 quality entropy enabled, e.g. 
with CMake build system; 1092 commit ff0207e6076e9828e536b8d9cd45c9c92069b895 1093 #60 Windows with _UNICODE: 1094 Unintended use of LoadLibraryW with a non-wide string 1095 resulted in failure to load advapi32.dll and degradation 1096 in quality of used entropy when compiled with _UNICODE for 1097 Windows; you can launch existing binaries with 1098 EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the 1099 quality of entropy used during runtime; commits 1100 * 95b95032f907ef1cd17ee7a9a1768010a825d61d 1101 * 73a5a2e9c081f49f2d775cf7ced864158b68dc80 1102 [MOX-006] Fix non-NULL parser parameter validation in XML_Parse; 1103 resulted in NULL dereference, previously; 1104 commit ac256dafdffc9622ab0dc2c62fcecb0dfcfa71fe 1105 1106 Bug fixes: 1107 #69 Fix improper use of unsigned long long integer literals 1108 1109 Other changes: 1110 #73 Start requiring a C99 compiler 1111 #49 Fix "==" Bashism in configure script 1112 #50 Fix too eager getrandom detection for Debian GNU/kFreeBSD 1113 #52 and macOS 1114 #51 Address lack of stdint.h in Visual Studio 2003 to 2008 1115 #58 Address compile warnings 1116 #68 Fix "./buildconf.sh && ./configure" for some versions 1117 of Dash for /bin/sh 1118 #72 CMake: Ease use of Expat in context of a parent project 1119 with multiple CMakeLists.txt files 1120 #72 CMake: Resolve mistaken executable permissions 1121 #76 Address compile warning with -DNDEBUG (not recommended!) 1122 #77 Address compile warning about macro redefinition 1123 1124 Special thanks to: 1125 Alexander Bluhm 1126 Ben Boeckel 1127 Cătălin Răceanu 1128 Kerin Millar 1129 László Böszörményi 1130 S. P. 
Zeidler 1131 Segev Finer 1132 Václav Slavík 1133 Victor Stinner 1134 Viktor Szakats 1135 and 1136 Radically Open Security 1137 1138Release 2.2.1 Sat June 17 2017 1139 Security fixes: 1140 CVE-2017-9233 -- External entity infinite loop DoS 1141 Details: https://libexpat.github.io/doc/cve-2017-9233/ 1142 Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f 1143 [MOX-002] CVE-2016-9063 -- Detect integer overflow; commit 1144 d4f735b88d9932bd5039df2335eefdd0723dbe20 1145 (Fixed version of existing downstream patches!) 1146 (SF.net) #539 Fix regression from fix to CVE-2016-0718 cutting off 1147 longer tag names; commits 1148 * 896b6c1fd3b842f377d1b62135dccf0a579cf65d 1149 * af507cef2c93cb8d40062a0abe43a4f4e9158fb2 1150 #16 * 0dbbf43fdb20f593ddf4fa1ff67288000dd4a7fd 1151 #25 More integer overflow detection (function poolGrow); commits 1152 * 810b74e4703dcfdd8f404e3cb177d44684775143 1153 * 44178553f3539ce69d34abee77a05e879a7982ac 1154 [MOX-002] Detect overflow from len=INT_MAX call to XML_Parse; commits 1155 * 4be2cb5afcc018d996f34bbbce6374b7befad47f 1156 * 7e5b71b748491b6e459e5c9a1d090820f94544d8 1157 [MOX-005] #30 Use high quality entropy for hash initialization: 1158 * arc4random_buf on BSD, systems with libbsd 1159 (when configured with --with-libbsd), CloudABI 1160 * RtlGenRandom on Windows XP / Server 2003 and later 1161 * getrandom on Linux 3.17+ 1162 In a way, that's still part of CVE-2016-5300. 
1163 https://github.com/libexpat/libexpat/pull/30/commits 1164 [MOX-005] For the low quality entropy extraction fallback code, 1165 the parser instance address can no longer leak, commit 1166 04ad658bd3079dd15cb60fc67087900f0ff4b083 1167 [MOX-003] Prevent use of uninitialised variable; commit 1168 [MOX-004] a4dc944f37b664a3ca7199c624a98ee37babdb4b 1169 Add missing parameter validation to public API functions 1170 and dedicated error code XML_ERROR_INVALID_ARGUMENT: 1171 [MOX-006] * NULL checks; commits 1172 * d37f74b2b7149a3a95a680c4c4cd2a451a51d60a (merge/many) 1173 * 9ed727064b675b7180c98cb3d4f75efba6966681 1174 * 6a747c837c50114dfa413994e07c0ba477be4534 1175 * Negative length (XML_Parse); commit 1176 [MOX-002] 70db8d2538a10f4c022655d6895e4c3e78692e7f 1177 [MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash 1178 to go further with fixing CVE-2012-0876. 1179 https://github.com/libexpat/libexpat/pull/39/commits 1180 1181 Bug fixes: 1182 #32 Fix sharing of hash salt across parsers; 1183 relevant where XML_ExternalEntityParserCreate is called 1184 prior to XML_Parse, in particular (e.g. 
FBReader) 1185 #28 xmlwf: Auto-disable use of memory-mapping (and parsing 1186 as a single chunk) for files larger than ~1 GB (2^30 bytes) 1187 rather than failing with error "out of memory" 1188 #3 Fix double free after malloc failure in DTD code; commit 1189 7ae9c3d3af433cd4defe95234eae7dc8ed15637f 1190 #17 Fix memory leak on parser error for unbound XML attribute 1191 prefix with new namespaces defined in the same tag; 1192 found by Google's OSS-Fuzz; commits 1193 * 16f87daae5a16132e479e4f71862128c7a915c73 1194 * b47dbc9745932c160893d433220e462bd605f8cd 1195 xmlwf on Windows: Add missing calls to CloseHandle 1196 1197 New features: 1198 #30 Introduced environment switch EXPAT_ENTROPY_DEBUG=1 1199 for runtime debugging of entropy extraction 1200 1201 Other changes: 1202 Increase code coverage 1203 #33 Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2; 1204 XML_UNICODE_WCHAR_T was never meant to be used outside 1205 of Windows; 4-byte wchar_t is common on Linux 1206 (SF.net) #538 Start using -fno-strict-aliasing 1207 (SF.net) #540 Support compilation against cloudlibc of CloudABI 1208 Allow MinGW cross-compilation 1209 (SF.net) #534 CMake: Introduce option "BUILD_doc" (enabled by default) 1210 to bypass compilation of the xmlwf.1 man page 1211 (SF.net) pr2 CMake: Introduce option "INSTALL" (enabled by default) 1212 to bypass installation of expat files 1213 CMake: Fix ninja support 1214 Autotools: Add parameters --enable-xml-context [COUNT] 1215 and --disable-xml-context; default of context of 1024 1216 bytes enabled unchanged 1217 #14 Drop AmigaOS 4.x code and includes 1218 #14 Drop ancient build systems: 1219 * Borland C++ Builder 1220 * OpenVMS 1221 * Open Watcom 1222 * Visual Studio 6.0 1223 * Pre-X Mac OS (MPW Makefile) 1224 If you happen to rely on some of these, please get in 1225 touch for joining with maintenance. 
1226 #10 Move from WIN32 to _WIN32 1227 #13 Fix "make run-xmltest" order instability 1228 Address compile warnings 1229 Bump version info from 7:2:6 to 7:3:6 1230 Add AUTHORS file 1231 1232 Infrastructure: 1233 #1 Migrate from SourceForge to GitHub (except downloads): 1234 https://github.com/libexpat/ 1235 #1 Re-create http://libexpat.org/ project website 1236 Start utilizing Travis CI 1237 1238 Special thanks to: 1239 Andy Wang 1240 Don Lewis 1241 Ed Schouten 1242 Karl Waclawek 1243 Pascal Cuoq 1244 Rhodri James 1245 Sergei Nikulov 1246 Tobias Taschner 1247 Viktor Szakats 1248 and 1249 Core Infrastructure Initiative 1250 Mozilla Foundation (MOSS Track 3: Secure Open Source) 1251 Radically Open Security 1252 1253Release 2.2.0 Tue June 21 2016 1254 Security fixes: 1255 #537 CVE-2016-0718 -- Fix crash on malformed input 1256 CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 / 1257 CVE-2015-2716 introduced with Expat 2.1.1 1258 #499 CVE-2016-5300 -- Use more entropy for hash initialization 1259 than the original fix to CVE-2012-0876 1260 #519 CVE-2012-6702 -- Resolve troublesome internal call to srand 1261 that was introduced with Expat 2.1.0 1262 when addressing CVE-2012-0876 (issue #496) 1263 1264 Bug fixes: 1265 Fix uninitialized reads of size 1 1266 (e.g. 
in little2_updatePosition) 1267 Fix detection of UTF-8 character boundaries 1268 1269 Other changes: 1270 #532 Fix compilation for Visual Studio 2010 (keyword "C99") 1271 Autotools: Resolve use of "$<" to better support bmake 1272 Autotools: Add QA script "qa.sh" (and make target "qa") 1273 Autotools: Respect CXXFLAGS if given 1274 Autotools: Fix "make run-xmltest" 1275 Autotools: Have "make run-xmltest" check for expected output 1276 p90 CMake: Fix static build (BUILD_shared=OFF) on Windows 1277 #536 CMake: Add soversion, support -DNO_SONAME=yes to bypass 1278 #323 CMake: Add suffix "d" to differentiate debug from release 1279 CMake: Define WIN32 with CMake on Windows 1280 Annotate memory allocators for GCC 1281 Address all currently known compile warnings 1282 Make sure that API symbols remain visible despite 1283 -fvisibility=hidden 1284 Remove executable flag from source files 1285 Resolve COMPILED_FROM_DSP in favor of WIN32 1286 1287 Special thanks to: 1288 Björn Lindahl 1289 Christian Heimes 1290 Cristian Rodríguez 1291 Daniel Krügler 1292 Gustavo Grieco 1293 Karl Waclawek 1294 László Böszörményi 1295 Marco Grassi 1296 Pascal Cuoq 1297 Sergei Nikulov 1298 Thomas Beutlich 1299 Warren Young 1300 Yann Droneaud 1301 1302Release 2.1.1 Sat March 12 2016 1303 Security fixes: 1304 #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer 1305 1306 Bug fixes: 1307 #502: Fix potential null pointer dereference 1308 #520: Symbol XML_SetHashSalt was not exported 1309 Output of "xmlwf -h" was incomplete 1310 1311 Other changes: 1312 #503: Document behavior of calling XML_SetHashSalt with salt 0 1313 Minor improvements to man page xmlwf(1) 1314 Improvements to the experimental CMake build system 1315 libtool now invoked with --verbose 1316 1317Release 2.1.0 Sat March 24 2012 1318 - Security fixes: 1319 #2958794: CVE-2012-1148 - Memory leak in poolGrow. 1320 #2895533: CVE-2012-1147 - Resource leak in readfilemap.c. 1321 #3496608: CVE-2012-0876 - Hash DOS attack. 
1322 #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8(). 1323 #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences. 1324 - Bug Fixes: 1325 #1742315: Harmful XML_ParserCreateNS suggestion. 1326 #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3. 1327 #1983953, 2517952, 2517962, 2649838: 1328 Build modifications using autoreconf instead of buildconf.sh. 1329 #2815947, #2884086: OBJEXT and EXEEXT support while building. 1330 #2517938: xmlwf should return non-zero exit status if not well-formed. 1331 #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml. 1332 #2855609: Dangling positionPtr after error. 1333 #2990652: CMake support. 1334 #3010819: UNEXPECTED_STATE with a trailing "%" in entity value. 1335 #3206497: Uninitialized memory returned from XML_Parse. 1336 #3287849: make check fails on mingw-w64. 1337 - Patches: 1338 #1749198: pkg-config support. 1339 #3010222: Fix for bug #3010819. 1340 #3312568: CMake support. 1341 #3446384: Report byte offsets for attr names and values. 1342 - New Features / API changes: 1343 Added new API member XML_SetHashSalt() that allows setting an initial 1344 value (salt) for hash calculations. This is part of the fix for 1345 bug #3496608 to randomize hash parameters. 1346 When compiled with XML_ATTR_INFO defined, adds new API member 1347 XML_GetAttributeInfo() that allows retrieving the byte 1348 offsets for attribute names and values (patch #3446384). 1349 Added CMake build system. 1350 See bug #2990652 and patch #3312568. 1351 Added run-benchmark target to Makefile.in - relies on testdata module 1352 present in the same relative location as in the repository. 1353 1354Release 2.0.1 Tue June 5 2007 1355 - Fixed bugs #1515266, #1515600: The character data handler's calling 1356 of XML_StopParser() was not handled properly; if the parser was 1357 stopped and the handler set to NULL, the parser would segfault. 
1358 - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed 1359 some character constants to be ASCII encoded. 1360 - Minor cleanups of the test harness. 1361 - Fixed xmlwf bug #1513566: "out of memory" error on file size zero. 1362 - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call. 1363 - Fixes and improvements for Windows platform: 1364 bugs #1409451, #1476160, #1548182, #1602769, #1717322. 1365 - Build fixes for various platforms: 1366 HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180. 1367 All Unix: #1554618 (refreshed config.sub/config.guess). 1368 #1490371, #1613457: support both, DESTDIR and INSTALL_ROOT, 1369 without relying on GNU-Make specific features. 1370 #1647805: Patched configure.in to work better with Intel compiler. 1371 - Fixes to Makefile.in to have make check work correctly: 1372 bugs #1408143, #1535603, #1536684. 1373 - Added Open Watcom support: patch #1523242. 1374 1375Release 2.0.0 Wed Jan 11 2006 1376 - We no longer use the "check" library for C unit testing; we 1377 always use the (partial) internal implementation of the API. 1378 - Report XML_NS setting via XML_GetFeatureList(). 1379 - Fixed headers for use from C++. 1380 - XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber() 1381 now return unsigned integers. 1382 - Added XML_LARGE_SIZE switch to enable 64-bit integers for 1383 byte indexes and line/column numbers. 1384 - Updated to use libtool 1.5.22 (the most recent). 1385 - Added support for AmigaOS. 1386 - Some mostly minor bug fixes. SF issues include: #1006708, 1387 #1021776, #1023646, #1114960, #1156398, #1221160, #1271642. 1388 1389Release 1.95.8 Fri Jul 23 2004 1390 - Major new feature: suspend/resume. Handlers can now request 1391 that a parse be suspended for later resumption or aborted 1392 altogether. See "Temporarily Stopping Parsing" in the 1393 documentation for more details. 
1394 - Some mostly minor bug fixes, but compilation should no 1395 longer generate warnings on most platforms. SF issues 1396 include: #827319, #840173, #846309, #888329, #896188, #923913, 1397 #928113, #961698, #985192. 1398 1399Release 1.95.7 Mon Oct 20 2003 1400 - Fixed enum XML_Status issue (reported on SourceForge many 1401 times), so compilers that are properly picky will be happy. 1402 - Introduced an XMLCALL macro to control the calling 1403 convention used by the Expat API; this macro should be used 1404 to annotate prototypes and definitions of callback 1405 implementations in code compiled with a calling convention 1406 other than the default convention for the host platform. 1407 - Improved ability to build without the configure-generated 1408 expat_config.h header. This is useful for applications 1409 which embed Expat rather than linking in the library. 1410 - Fixed a variety of bugs: see SF issues #458907, #609603, 1411 #676844, #679754, #692878, #692964, #695401, #699323, #699487, 1412 #820946. 1413 - Improved hash table lookups. 1414 - Added more regression tests and improved documentation. 1415 1416Release 1.95.6 Tue Jan 28 2003 1417 - Added XML_FreeContentModel(). 1418 - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree(). 1419 - Fixed a variety of bugs: see SF issues #615606, #616863, 1420 #618199, #653180, #673791. 1421 - Enhanced the regression test suite. 1422 - Man page improvements: includes SF issue #632146. 1423 1424Release 1.95.5 Fri Sep 6 2002 1425 - Added XML_UseForeignDTD() for improved SAX2 support. 1426 - Added XML_GetFeatureList(). 1427 - Defined XML_Bool type and the values XML_TRUE and XML_FALSE. 1428 - Use an incomplete struct instead of a void* for the parser 1429 (may not retain). 1430 - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected. 1431 - Finally fixed bug where default handler would report DTD 1432 events that were already handled by another handler. 1433 Initial patch contributed by Darryl Miles. 
1434 - Removed unnecessary DllMain() function that caused static 1435 linking into a DLL to be difficult. 1436 - Added VC++ projects for building static libraries. 1437 - Reduced line-length for all source code and headers to be 1438 no longer than 80 characters, to help with AS/400 support. 1439 - Reduced memory copying during parsing (SF patch #600964). 1440 - Fixed a variety of bugs: see SF issues #580793, #434664, 1441 #483514, #580503, #581069, #584041, #584183, #584832, #585537, 1442 #596555, #596678, #598352, #598944, #599715, #600479, #600971. 1443 1444Release 1.95.4 Fri Jul 12 2002 1445 - Added support for VMS, contributed by Craig Berry. See 1446 vms/README.vms for more information. 1447 - Added Mac OS (classic) support, with a makefile for MPW, 1448 contributed by Thomas Wegner and Daryle Walker. 1449 - Added Borland C++ Builder 5 / BCC 5.5 support, contributed 1450 by Patrick McConnell (SF patch #538032). 1451 - Fixed a variety of bugs: see SF issues #441449, #563184, 1452 #564342, #566334, #566901, #569461, #570263, #575168, #579196. 1453 - Made skippedEntityHandler conform to SAX2 (see source comment) 1454 - Re-implemented WFC: Entity Declared from XML 1.0 spec and 1455 added a new error "entity declared in parameter entity": 1456 see SF bug report #569461 and SF patch #578161 1457 - Re-implemented section 5.1 from XML 1.0 spec: 1458 see SF bug report #570263 and SF patch #578161 1459 1460Release 1.95.3 Mon Jun 3 2002 1461 - Added a project to the MSVC workspace to create a wchar_t 1462 version of the library; the DLLs are named libexpatw.dll. 1463 - Changed the name of the Windows DLLs from expat.dll to 1464 libexpat.dll; this fixes SF bug #432456. 1465 - Added the XML_ParserReset() API function. 1466 - Fixed XML_SetReturnNSTriplet() to work for element names. 1467 - Made the XML_UNICODE builds usable (thanks, Karl!). 1468 - Allow xmlwf to read from standard input. 1469 - Install a man page for xmlwf on Unix systems. 
1470 - Fixed many bugs; see SF bug reports #231864, #461380, #464837, 1471 #466885, #469226, #477667, #484419, #487840, #494749, #496505, 1472 #547350. Other bugs which we can't test as easily may also 1473 have been fixed, especially in the area of build support. 1474 1475Release 1.95.2 Fri Jul 27 2001 1476 - More changes to make MSVC happy with the build; add a single 1477 workspace to support both the library and xmlwf application. 1478 - Added a Windows installer for Windows users; includes 1479 xmlwf.exe. 1480 - Added compile-time constants that can be used to determine the 1481 Expat version 1482 - Removed a lot of GNU-specific dependencies to aide portability 1483 among the various Unix flavors. 1484 - Fix the UTF-8 BOM bug. 1485 - Cleaned up warning messages for several compilers. 1486 - Added the -Wall, -Wstrict-prototypes options for GCC. 1487 1488Release 1.95.1 Sun Oct 22 15:11:36 EDT 2000 1489 - Changes to get expat to build under Microsoft compiler 1490 - Removed all aborts and instead return an UNEXPECTED_STATE error. 1491 - Fixed a bug where a stray '%' in an entity value would cause an 1492 abort. 1493 - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for 1494 finding this oversight. 1495 - Changed default patterns in lib/Makefile.in to fit non-GNU makes 1496 Thanks to robin@unrated.net for reporting and providing an 1497 account to test on. 1498 - The reference had the wrong label for XML_SetStartNamespaceDecl. 1499 Reported by an anonymous user. 1500 1501Release 1.95.0 Fri Sep 29 2000 1502 - XML_ParserCreate_MM 1503 Allows you to set a memory management suite to replace the 1504 standard malloc,realloc, and free. 1505 - XML_SetReturnNSTriplet 1506 If you turn this feature on when namespace processing is in 1507 effect, then qualified, prefixed element and attribute names 1508 are returned as "uri|name|prefix" where '|' is whatever 1509 separator character is used in namespace processing. 
1510 - Merged in features from perl-expat 1511 o XML_SetElementDeclHandler 1512 o XML_SetAttlistDeclHandler 1513 o XML_SetXmlDeclHandler 1514 o XML_SetEntityDeclHandler 1515 o StartDoctypeDeclHandler takes 3 additional parameters: 1516 sysid, pubid, has_internal_subset 1517 o Many paired handler setters (like XML_SetElementHandler) 1518 now have corresponding individual handler setters 1519 o XML_GetInputContext for getting the input context of 1520 the current parse position. 1521 - Added reference material 1522 - Packaged into a distribution that builds a sharable library 1523
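The namespace behaviour described in the 1.95.0 entry above (XML_SetReturnNSTriplet reporting "uri|name|prefix", and StartDoctypeDeclHandler receiving sysid, pubid and has_internal_subset) and the 2.2.7 rejection of XML names with more than one colon (CVE-2018-20843) can both be exercised from Python through the Expat copy bundled with CPython: xml.parsers.expat wraps libexpat, with namespace_separator standing in for XML_ParserCreateNS and the namespace_prefixes attribute for XML_SetReturnNSTriplet. The following is an added example, not code from the Expat project; both sample documents are constructed for it, and the specific names it returns follow from the triplet format documented above.

```python
"""Namespace reporting and name validation in Expat, driven through
xml.parsers.expat, the libexpat binding bundled with CPython.

Added example for the 1.95.0 (XML_SetReturnNSTriplet, extended
StartDoctypeDeclHandler) and 2.2.7 (CVE-2018-20843) changelog entries;
not code from the Expat project.  Both sample documents are constructed.
"""
from xml.parsers.expat import ExpatError, ParserCreate

# Constructed document: a doctype with both external identifiers and an
# internal subset, a default namespace, a prefixed namespace used on an
# element and an attribute, and an element that undeclares the default.
SAMPLE = (
    "<!DOCTYPE root PUBLIC '-//EXAMPLE//DTD Root//EN' 'root.dtd'"
    " [<!ENTITY greeting 'hello'>]>\n"
    "<root xmlns='urn:example:default' xmlns:p='urn:example:p' p:attr='1'>"
    "<p:child/><plain xmlns=''/></root>"
)

# Constructed document with two colons in one element name; with namespace
# processing enabled Expat rejects this as not well-formed (2.2.7 fix).
DOUBLE_COLON = "<a:b:c xmlns:a='urn:example:a'/>"


def parse_namespaces(xml_text):
    """Parse with namespace processing on and triplet reporting enabled.

    Returns a dict with the doctype tuple and the element/attribute names
    exactly as Expat hands them to the handlers: "uri|local|prefix" for
    prefixed names, "uri|local" for names in the default namespace, and
    the bare name for names outside any namespace.
    """
    # namespace_separator='|' corresponds to XML_ParserCreateNS(..., '|');
    # namespace_prefixes=True corresponds to XML_SetReturnNSTriplet(p, 1).
    parser = ParserCreate(namespace_separator="|")
    parser.namespace_prefixes = True
    seen = {"doctype": None, "elements": [], "attributes": []}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # The three extra parameters merged in from perl-expat (1.95.0).
        seen["doctype"] = (name, sysid, pubid, has_internal_subset)

    def start_element(name, attrs):
        seen["elements"].append(name)
        # xmlns and xmlns:* declarations are consumed by the parser and
        # are not reported as attributes; only p:attr survives here.
        seen["attributes"].extend(sorted(attrs))

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.Parse(xml_text, True)
    return seen


def rejects_double_colon(xml_text):
    """True if Expat refuses the document as not well-formed."""
    parser = ParserCreate(namespace_separator="|")
    try:
        parser.Parse(xml_text, True)
    except ExpatError:
        return True
    return False


if __name__ == "__main__":
    result = parse_namespaces(SAMPLE)
    print("doctype   :", result["doctype"])
    print("elements  :", result["elements"])
    print("attributes:", result["attributes"])
    print("double colon rejected:", rejects_double_colon(DOUBLE_COLON))
```

The element list shows all three shapes a name can take once triplets are enabled: root sits in the default namespace and has no prefix, so it comes back as "urn:example:default|root"; p:child carries a prefix and becomes "urn:example:p|child|p"; plain undeclares the default namespace and is reported bare. A consumer that splits on the separator must therefore accept two or three fields, not assume three.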