Opened 3 weeks ago
Closed 11 days ago
#5964 closed enhancement (fixed)
expat-2.8.2
| Reported by: | Bruce Dubbs | Owned by: | SecurityAdvisory |
|---|---|---|---|
| Priority: | high | Milestone: | 13.1 |
| Component: | Book | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New point version.
Change History (4)
comment:1 by , 3 weeks ago
| Priority: | normal → high |
|---|
comment:2 by , 3 weeks ago
Release 2.8.2 Thu June 25 2026
Security fixes:
#1246 CVE-2026-50219 -- Disallow calls to functions
`XML_GetBuffer`, `XML_Parse`, `XML_ParseBuffer`,
`XML_ParserFree`, `XML_ParserReset` to guard e.g.
Expat bindings from memory corruption;
this CPython issue is related:
https://github.com/python/cpython/issues/146169
#1267 CVE-2026-56131 -- Protect XML_ResumeParser from being called
from a handler, plugging a hole in the fix
to CVE-2026-50219
#1272 CVE-2026-56132 -- Fix out-of-bound scaffolding index store
in `doProlog`
#1229 #1232 CVE-2026-56403 -- Integer overflow in `storeAtts`
#1249 CVE-2026-56404 -- Integer overflow in `addBinding`
#1251 CVE-2026-56405 -- Integer overflow in `getAttributeId`
#1255 CVE-2026-56406 -- Integer overflow in `XML_ParseBuffer`
#1262 CVE-2026-56407 -- Integer overflow in `textLen` handling
#565 CVE-2026-56408 -- Integer overflow in `copyString`
(commit 16e2efd867ea8567ffa012210b52ef5918e20817)
#1259 CVE-2026-56409 -- xmlwf: Integer overflow in output path join
#1252 CVE-2026-56410 -- xmlwf: Integer overflow in
`resolveSystemId`
#1263 CVE-2026-56411 -- xmlwf: Integer overflow in notation list
allocation
#1278 CVE-2026-56412 -- Guard XML_TOK_DATA_CHARS handler calls in
`doCdataSection`, plugging a hole in the fix to
CVE-2026-50219
Bug fixes:
#1260 xmlwf: Escape names and base URI in meta output
#1266 xmlwf: Pick a safe quote for notation system and public IDs
Other changes:
#1257 CMake|Autotools: Stop using /dev/urandom by default
#1244 #1254 CMake: Fix guard for Unix sources of entropy
#1183 #1270 CMake|Windows: Add missing export for symbol
`XML_SetHashSalt16Bytes`
#1236 CMake: Mark option EXPAT_OSSFUZZ_BUILD as advanced
#1283 Limit output indentation for EXPAT_ENTITY_DEBUG=1 and
allow unlimited indentation via EXPAT_ENTITY_DEBUG=2
#565 Replace some loops by use of `memcpy`, `strlen`, `wcslen`
#1220 lib: Use a size_t for group sizes
#1221 lib: Fix too-conservative integer overflow check when
appending raw name
#1222 lib: Simplify attribute allocation/management logic
#1224 Update fallthrough annotations to satisfy Clang and GCC
#1226 lib: Remove unnecessary void * casts in random code
#1228 lib: Reduce scope of locals in storeAtts
#1230 lib: Count attributes with size_t variables
#1238 Minor get-buffer improvements
#1239 #1240 lib|tests: Include header expat_config.h first
#1241 lib: Shrink size of XML_GetBuffer
#1242 lib: Remove a legacy comment
#1243 lib: XML_ParserReset: Extract repeated linked-list move logic
#1243 lib: Unify entity free lists
#1247 lib: Fix use of '0' as boolean literal
#1248 lib: Make XML_Index overflow check more intuitive
#1256 lib: Use size_t for counting string/URI lengths
#1258 lib: XML_GetInputContext: Remove use of 0 for NULL
#1261 Comment typo fixes
#1275 Teach Memory Sanitizer semantics of randomization functions
#1276 #1281 Version info bumped from 13:1:12 (libexpat*.so.1.12.1)
to 13:2:12 (libexpat*.so.1.12.2); see https://verbump.de/
for what these numbers do
Infrastructure:
#1231 perl-integration.yml: Bump to XML::Parser 2.59
#1237 emscripten.yml: Bump from Ubuntu 22.04 to 24.04
#1183 #1271 windows-build.yml: Cover completeness of file
libexpat.def.cmake
#1274 linux.yml: Make llvm-symbolizer available in CI
comment:3 by , 2 weeks ago
| Owner: | changed from to |
|---|
Fixed at commit 4a56fb5d78.
Leaving open for security advisories.
comment:4 by , 11 days ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Advisory sa-13.0-138 has been issued.
Note:
See TracTickets
for help on using tickets.

The Changes file mentions about a dozen of vulnerabilities.