Opened 18 months ago

Closed 18 months ago

Last modified 18 months ago

#5146 closed enhancement (fixed)

expat-2.5.0

Reported by: Bruce Dubbs Owned by: lfs-book
Priority: high Milestone: 11.3
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

New minor version.

Change History (5)

comment:1 by Douglas R. Reno, 18 months ago

Priority: normalhigh

Yet another security fix in Expat. CVE-2022-43680

comment:2 by pierre, 18 months ago

expat-2.4.9.tar.xz is not accessible anymore on sourceforge.

comment:3 by Bruce Dubbs, 18 months ago

Release 2.5.0 Tue October 25 2022

Security fixes:

  • CVE-2022-43680 -- Fix heap use-after-free after overeager destruction of a shared DTD in function XML_ExternalEntityParserCreate in out-of-memory situations. Expected impact is denial of service or potentially arbitrary code execution.

Bug fixes:

  • Fix curruption from undefined entities
  • Fix case when parsing was suspended while processing nested entities
  • Stop leaking opening tag bindings after a closing tag mismatch error where a parser is reset through XML_ParserReset and then reused to parse
  • CMake: Fix generation of pkg-config file
  • MinGW|CMake: Fix static library name

Other changes:

  • Protect header expat_config.h from multiple inclusion
  • examples: Make use of XML_GetBuffer and be more consistent across examples
  • Address compiler warnings
  • Version info bumped from 9:9:8 to 9:10:8; see https://verbump.de/ for what these numbers do

comment:4 by Bruce Dubbs, 18 months ago

Resolution: fixed
Status: newclosed

Fixed at commit 3f4304998a76ef3bd6141cf7a32cb6740bf032a6.

comment:5 by Douglas R. Reno, 18 months ago

Filed SA-11.2-030

Note: See TracTickets for help on using tickets.