Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#5117 closed enhancement (fixed)

expat-2.4.9

Reported by: Bruce Dubbs Owned by: lfs-book
Priority: highest Milestone: 11.3
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (4)

comment:1 by Xi Ruoyao, 2 years ago

Priority: normalhighest

Contains CVE-2022-40674 fix. The vulnerability is rated "9.8 critical" so make it "highest" for now.

comment:2 by Bruce Dubbs, 2 years ago

Release 2.4.9 Tue September 20 2022

Security fixes:

  • CVE-2022-40674 -- Heap use-after-free vulnerability in

function doContent. Expected impact is denial of service or potentially arbitrary code execution.

Bug fixes:

  • MinGW: Fix mis-compilation for -DUSE_MINGW_ANSI_STDIO=0
  • docs: Fix documentation on effect of switch XML_DTD on symbol visibility in doc/reference.html

Other changes:

  • MinGW: Make fix-xmltest-log.sh drop more Wine bug output
  • Autotools: Sync CMake templates with CMake 3.22
  • CMake: Migrate from use of CMAKE_*_POSTFIX to dedicated variables EXPAT_*_POSTFIX to stop affecting other projects
  • Windows|CMake: Add missing -DXML_STATIC to test runners and fuzzers
  • Windows|CMake: Render .def file from a template to fix linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
  • MinGW|CMake: Apply MSVC .def file when linking
  • MinGW|CMake: Sync library name with GNU Autotools, i.e. produce libexpat-1.dll rather than libexpat.dll by default. Filename libexpat.dll.a is unaffected.
  • MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in toolchain file "cmake/mingw-toolchain.cmake" to avoid error "windres: Command not found" on e.g. Ubuntu 20.04
  • CMake: Unify inconsistent use of set() and option() in context of public build time options to take need for set(.. FORCE) in projects using Expat by means of add_subdirectory(..) off Expat's users' shoulders
  • Stop exporting API symbols when building a static library
  • Resolve use of deprecated "fgrep" by "grep -F"
  • CMake: Make documentation on variables a bit more consistent
  • CMake: Drop leading whitespace from a #cmakedefine line in file expat_config.h.cmake
  • xmlwf: Fix harmless variable mix-up in function nsattcmp
  • Address Cppcheck warnings
  • Address Clang 15 compiler warnings
  • Version info bumped from 9:8:8 to 9:9:8; see https://verbump.de/ for what these numbers do

Infrastructure:

  • CI: Windows: Start covering MSVC 2022
  • CI: macOS: Migrate off deprecated macOS 10.15
  • CI: Linux: Make migration off deprecated Ubuntu 18.04 work
  • CI: Upgrade Clang from 14 to 15
  • apply-clang-format.sh: Add support for BSD find
  • coverage.sh: Exclude MinGW headers
  • coverage.sh: Fix name collision for -funsigned-char

comment:3 by Bruce Dubbs, 2 years ago

Resolution: fixed
Status: newclosed

Fixed at commit 47a8542090bafe61e6fab0d5509e217349caf793

comment:4 by Douglas R. Reno, 2 years ago

SA-11.2-009 issued.

Note: See TracTickets for help on using tickets.