From 100bc7072ca63a9053b4e34b80d084896cfb143e Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Sat, 22 May 2021 15:29:58 +0200 Subject: [PATCH 01/10] README.md: Make CMake config mode example more clear --- expat/README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/expat/README.md b/expat/README.md index b56390eb..0d539881 100644 --- a/expat/README.md +++ b/expat/README.md @@ -45,7 +45,7 @@ This approach leverages CMake's own [module `FindEXPAT`](https://cmake.org/cmake Notice the *uppercase* `EXPAT` in the following example: ```cmake -cmake_minimum_required(VERSION 3.0) +cmake_minimum_required(VERSION 3.0) # or 3.10, see below project(hello VERSION 1.0.0) @@ -55,12 +55,12 @@ add_executable(hello hello.c ) -if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.10") - target_link_libraries(hello PUBLIC EXPAT::EXPAT) -else() - target_include_directories(hello PRIVATE ${EXPAT_INCLUDE_DIRS}) - target_link_libraries(hello PUBLIC ${EXPAT_LIBRARIES}) -endif() +# a) for CMake >=3.10 (see CMake's FindEXPAT docs) +target_link_libraries(hello PUBLIC EXPAT::EXPAT) + +# b) for CMake >=3.0 +target_include_directories(hello PRIVATE ${EXPAT_INCLUDE_DIRS}) +target_link_libraries(hello PUBLIC ${EXPAT_LIBRARIES}) ``` ### b) Config Mode From a7694ee392110674eddaf9eb819eb7dda12ce56f Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Sat, 22 May 2021 15:31:07 +0200 Subject: [PATCH 02/10] README.md: Document where generated CMake files need >=2.4.0 to work --- expat/README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/expat/README.md b/expat/README.md index 0d539881..44ec194a 100644 --- a/expat/README.md +++ b/expat/README.md 
@@ -69,7 +69,11 @@ This approach requires files from… - libexpat >=2.2.8 where packaging uses the CMake build system or -- libexpat >=2.3.0 where packaging uses the GNU Autotools build system. +- libexpat >=2.3.0 where packaging uses the GNU Autotools build system + on Linux +or +- libexpat >=2.4.0 where packaging uses the GNU Autotools build system + on macOS or MinGW. Notice the *lowercase* `expat` in the following example: From 39e081acc0edf211baf2dcfe6c85d2b5f821342c Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Sat, 22 May 2021 15:35:36 +0200 Subject: [PATCH 03/10] README.md: Fix a URL for some markdown interpreters --- expat/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/expat/README.md b/expat/README.md index 44ec194a..962d3c20 100644 --- a/expat/README.md +++ b/expat/README.md @@ -8,7 +8,7 @@ # Expat, Release 2.3.0 This is Expat, a C library for parsing XML, started by -[James Clark](https://en.wikipedia.org/wiki/James_Clark_(programmer)) in 1997. +[James Clark](https://en.wikipedia.org/wiki/James_Clark_%28programmer%29) in 1997. Expat is a stream-oriented XML parser. This means that you register handlers with the parser before starting the parse. These handlers are called when the parser discovers the associated structures in the From fb952cb1d69689865e2ea0f210e11f72ab2d5038 Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Sat, 22 May 2021 15:41:12 +0200 Subject: [PATCH 04/10] README.md: Mention Windows binaries zip download option --- expat/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/expat/README.md b/expat/README.md index 962d3c20..9f1f8410 100644 --- a/expat/README.md +++ b/expat/README.md 
@@ -22,7 +22,7 @@ Expat supports the following compilers: - Microsoft Visual Studio >=15.0/2017 (rolling `${today} minus 5 years`) Windows users can use the -[`expat-win32bin-*.*.*.exe` installer download](https://github.com/libexpat/libexpat/releases), +[`expat-win32bin-*.*.*.{exe,zip}` download](https://github.com/libexpat/libexpat/releases), which includes both pre-compiled libraries and executables, and source code for developers. From c57141d59751c71ff9559cdf64fefea9dc50f0df Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Fri, 21 May 2021 17:19:33 +0200 Subject: [PATCH 05/10] Changes: Combine notes on billion laughs attack protection --- expat/Changes | 39 ++++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/expat/Changes b/expat/Changes index 2870961f..342d9b23 100644 --- a/expat/Changes +++ b/expat/Changes 
@@ -12,8 +12,26 @@ Release X.X.X XXX XXXXX XX XXXX By conservative default, amplification up to a factor of 100.0 is tolerated and rejection only starts after 8 MiB of output bytes (= + ) have been processed. - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH signals - this condition. + The fix adds the following to the API: + - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to + signals this specific condition. + - Two new API functions .. + - XML_SetBillionLaughsAttackProtectionMaximumAmplification and + - XML_SetBillionLaughsAttackProtectionActivationThreshold + .. to further tighten billion laughs protection parameters + when desired. Please see file "doc/reference.html" for details. + If you ever need to increase the defaults for non-attack XML + payload, please file a bug report with libexpat. + - Two new environment variable switches .. + - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and + - EXPAT_ENTITY_DEBUG=(0|1) + .. for runtime debugging of accounting and entity processing. + Specific behavior of these values may change in the future. + - Two new command line arguments "-a FACTOR" and "-b BYTES" + for xmlwf to further tighten billion laughs protection + parameters when desired. + If you ever need to increase the defaults for non-attack XML + payload, please file a bug report with libexpat. Bug fixes: #332 #470 For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake) 
@@ -23,23 +41,6 @@ Release X.X.X XXX XXXXX XX XXXX non-Linux platforms (e.g. macOS and MinGW in particular) that were introduced with release 2.3.0 - New features: - #34 #466 #484 Add two new API functions to further tighten billion laughs - protection parameters when desired. - - XML_SetBillionLaughsAttackProtectionMaximumAmplification - - XML_SetBillionLaughsAttackProtectionActivationThreshold - Please see file "doc/reference.html" for more details. - If you ever need to increase the defaults for non-attack XML - payload, please file a bug report with libexpat. - #34 #466 #484 Introduce environment switches EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) - and EXPAT_ENTITY_DEBUG=(0|1) for runtime debugging of accounting - and entity processing; specific behavior of these values may - change in the future. - #34 #466 #484 xmlwf: Add arguments "-a FACTOR" and "-b BYTES" to further tighten - billion laughs protection parameters when desired. - If you ever need to increase the defaults for non-attack XML - payload, please file a bug report with libexpat. - Other changes: #457 Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters #458 #459 CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR From 731bdee05388c714c4a5d2eb4b2afc499e74727d Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Fri, 21 May 2021 17:25:59 +0200 Subject: [PATCH 06/10] Changes: Document new XML_FEATURE_ constants --- expat/Changes | 3 +++ 1 file changed, 3 insertions(+) diff --git a/expat/Changes b/expat/Changes index 342d9b23..0ba8a076 100644 --- a/expat/Changes +++ b/expat/Changes 
@@ -22,6 +22,9 @@ Release X.X.X XXX XXXXX XX XXXX when desired. Please see file "doc/reference.html" for details. If you ever need to increase the defaults for non-attack XML payload, please file a bug report with libexpat. + - Two new XML_FEATURE_* constants .. + - that can be queried using the XML_GetFeatureList function, and + - that are shown in "xmlwf -v" output. - Two new environment variable switches .. - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and - EXPAT_ENTITY_DEBUG=(0|1) From bc6495dfc0ce36277d36c231f794b10e5ed4e609 Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Tue, 11 May 2021 15:46:42 +0200 Subject: [PATCH 07/10] Changes: Extend section on upcoming release 2.4.0 --- expat/Changes | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/expat/Changes b/expat/Changes index 0ba8a076..07b2e1a3 100644 --- a/expat/Changes +++ b/expat/Changes 
@@ -45,15 +45,33 @@ Release X.X.X XXX XXXXX XX XXXX that were introduced with release 2.3.0 Other changes: - #457 Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters + #468 #469 xmlwf: Improve help output and the xmlwf man page + #463 xmlwf: Improve maintainability through some refactoring + #477 xmlwf: Fix man page DocBook validity #458 #459 CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR and CMAKE_INSTALL_INCLUDEDIR #471 #481 CMake: Add support for standard variable BUILD_SHARED_LIBS - #468 #469 xmlwf: Improve help output and the xmlwf man page + #457 Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters + #467 Resolve macro HAVE_EXPAT_CONFIG_H + #472 Delete unused legacy helper file "conftools/PrintPath" + #473 #483 Improve attribution + #464 #465 #477 doc/reference.html: Fix XHTML validity + #475 #478 doc/reference.html: Replace the 90s look by OK.css + + Infrastructure: + #456 CI: Enable periodic runs + #457 CI: Start covering the list of exported symbols + #474 CI: Isolate coverage task + #476 #482 CI: Adapt to breaking changes in image "ubuntu-18.04" + #477 CI: Cover well-formedness and DocBook/XHTML validity + of doc/reference.html and doc/xmlwf.xml Special thanks to: Dimitry Andric + Eero Helenius Nick Wellnhofer + Rhodri James + Tomas Korbar Yury Gribov and Clang LeakSan From b913a529ae090647c015d4212048b58ebae93aeb Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Tue, 11 May 2021 15:55:19 +0200 Subject: [PATCH 08/10] Bump version to 2.4.0 --- expat/CMake.README | 12 ++++++------ expat/CMakeLists.txt | 2 +- expat/Changes | 2 +- expat/README.md | 2 +- expat/doc/reference.html | 2 +- expat/lib/expat.h | 2 +- expat/lib/xmlparse.c | 2 +- expat/tests/runtests.c | 2 +- expat/win32/expat.iss | 2 +- 9 files changed, 14 insertions(+), 14 deletions(-) diff --git a/expat/CMake.README b/expat/CMake.README index a512a7b7..bd7c51c5 100644 --- a/expat/CMake.README +++ b/expat/CMake.README 
@@ -3,25 +3,25 @@ The cmake based buildsystem for expat works on Windows (cygwin, mingw, Visual Studio) and should work on all other platform cmake supports. -Assuming ~/expat-2.3.0 is the source directory of expat, add a subdirectory +Assuming ~/expat-2.4.0 is the source directory of expat, add a subdirectory build and change into that directory: -~/expat-2.3.0$ mkdir build && cd build -~/expat-2.3.0/build$ +~/expat-2.4.0$ mkdir build && cd build +~/expat-2.4.0/build$ From that directory, call cmake first, then call make, make test and make install in the usual way: -~/expat-2.3.0/build$ cmake .. +~/expat-2.4.0/build$ cmake .. -- The C compiler identification is GNU -- The CXX compiler identification is GNU .... -- Configuring done -- Generating done --- Build files have been written to: /home/patrick/expat-2.3.0/build +-- Build files have been written to: /home/patrick/expat-2.4.0/build If you want to specify the install location for your files, append -DCMAKE_INSTALL_PREFIX=/your/install/path to the cmake call. -~/expat-2.3.0/build$ make && make test && make install +~/expat-2.4.0/build$ make && make test && make install Scanning dependencies of target expat [ 5%] Building C object CMakeFiles/expat.dir/lib/xmlparse.c.o [ 11%] Building C object CMakeFiles/expat.dir/lib/xmlrole.c.o diff --git a/expat/CMakeLists.txt b/expat/CMakeLists.txt index bf48e6d1..c747f3e1 100644 --- a/expat/CMakeLists.txt +++ b/expat/CMakeLists.txt @@ -64,7 +64,7 @@ endif() project(expat VERSION - 2.3.0 + 2.4.0 LANGUAGES C ) diff --git a/expat/Changes b/expat/Changes index 07b2e1a3..c9d17276 100644 --- a/expat/Changes +++ b/expat/Changes 
@@ -2,7 +2,7 @@ NOTE: We are looking for help with a few things: https://github.com/libexpat/libexpat/labels/help%20wanted If you can help, please get in touch. Thanks! -Release X.X.X XXX XXXXX XX XXXX +Release 2.4.0 XXX XXXXX XX XXXX Security fixes: #34 #466 #484 CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks (denial-of-service; flavors targeting CPU time or RAM or both, diff --git a/expat/README.md b/expat/README.md index 9f1f8410..94e0bb14 100644 --- a/expat/README.md +++ b/expat/README.md @@ -5,7 +5,7 @@ [![Downloads GitHub](https://img.shields.io/github/downloads/libexpat/libexpat/total?label=Downloads%20GitHub)](https://github.com/libexpat/libexpat/releases) -# Expat, Release 2.3.0 +# Expat, Release 2.4.0 This is Expat, a C library for parsing XML, started by [James Clark](https://en.wikipedia.org/wiki/James_Clark_%28programmer%29) in 1997. diff --git a/expat/doc/reference.html b/expat/doc/reference.html index 8e77a10c..acedcf1c 100644 --- a/expat/doc/reference.html +++ b/expat/doc/reference.html @@ -48,7 +48,7 @@

The Expat XML Parser - Release 2.3.0 + Release 2.4.0

diff --git a/expat/lib/expat.h b/expat/lib/expat.h index 30a064ad..016c1c5f 100644 --- a/expat/lib/expat.h +++ b/expat/lib/expat.h @@ -1040,7 +1040,7 @@ XML_SetBillionLaughsAttackProtectionActivationThreshold( See http://semver.org. */ #define XML_MAJOR_VERSION 2 -#define XML_MINOR_VERSION 3 +#define XML_MINOR_VERSION 4 #define XML_MICRO_VERSION 0 #ifdef __cplusplus diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c index 6a59342c..214c93fd 100644 --- a/expat/lib/xmlparse.c +++ b/expat/lib/xmlparse.c @@ -1,4 +1,4 @@ -/* d667b5f8e56e24fdfaf5e38596d419d924a9fadceb987d81d5613ecb7ca51b0e (2.3.0+) +/* 40f0f9c2be99a31dd0c833cd7d5a1bbd825a95e241f6e6c689b69ce275aba9a9 (2.4.0+) __ __ _ ___\ \/ /_ __ __ _| |_ / _ \\ /| '_ \ / _` | __| diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c index e3944561..8cee7ee8 100644 --- a/expat/tests/runtests.c +++ b/expat/tests/runtests.c @@ -7351,7 +7351,7 @@ START_TEST(test_misc_version) { fail("Version mismatch"); #if ! defined(XML_UNICODE) || defined(XML_UNICODE_WCHAR_T) - if (xcstrcmp(version_text, XCS("expat_2.3.0"))) /* needs bump on releases */ + if (xcstrcmp(version_text, XCS("expat_2.4.0"))) /* needs bump on releases */ fail("XML_*_VERSION in expat.h out of sync?\n"); #else /* If we have XML_UNICODE defined but not XML_UNICODE_WCHAR_T diff --git a/expat/win32/expat.iss b/expat/win32/expat.iss index 2f25a501..4d37cd24 100644 --- a/expat/win32/expat.iss +++ b/expat/win32/expat.iss @@ -36,7 +36,7 @@ ; OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE ; USE OR OTHER DEALINGS IN THE SOFTWARE. -#define expatVer "2.3.0" +#define expatVer "2.4.0" [Setup] AppName=Expat From e083f03235c5e86a4a4f9b7e233db5cf47cd4b54 Mon Sep 17 00:00:00 2001 
From: Sebastian Pipping Date: Tue, 11 May 2021 16:00:52 +0200 Subject: [PATCH 09/10] Bump version info from 8:0:7 to 9:0:8 See https://verbump.de/ for what these numbers do --- expat/CMakeLists.txt | 4 ++-- expat/Changes | 3 +++ expat/configure.ac | 4 ++-- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/expat/CMakeLists.txt b/expat/CMakeLists.txt index c747f3e1..aa00c066 100644 --- a/expat/CMakeLists.txt +++ b/expat/CMakeLists.txt @@ -386,9 +386,9 @@ if(EXPAT_WITH_LIBBSD) target_link_libraries(expat ${LIB_BSD}) endif() -set(LIBCURRENT 8) # sync +set(LIBCURRENT 9) # sync set(LIBREVISION 0) # with -set(LIBAGE 7) # configure.ac! +set(LIBAGE 8) # configure.ac! math(EXPR LIBCURRENT_MINUS_AGE "${LIBCURRENT} - ${LIBAGE}") set_property(TARGET expat PROPERTY OUTPUT_NAME "${_EXPAT_OUTPUT_NAME}") diff --git a/expat/Changes b/expat/Changes index c9d17276..fe5bafba 100644 --- a/expat/Changes +++ b/expat/Changes @@ -57,6 +57,9 @@ Release 2.4.0 XXX XXXXX XX XXXX #473 #483 Improve attribution #464 #465 #477 doc/reference.html: Fix XHTML validity #475 #478 doc/reference.html: Replace the 90s look by OK.css + #479 Version info bumped from 8:0:7 to 9:0:8 + due to addition of new symbols and error codes; + see https://verbump.de/ for what these numbers do Infrastructure: #456 CI: Enable periodic runs diff --git a/expat/configure.ac b/expat/configure.ac index 84319d64..b038ee41 100644 --- a/expat/configure.ac +++ b/expat/configure.ac @@ -81,9 +81,9 @@ dnl dnl If the API changes incompatibly set LIBAGE back to 0 dnl -LIBCURRENT=8 # sync +LIBCURRENT=9 # sync LIBREVISION=0 # with -LIBAGE=7 # CMakeLists.txt! +LIBAGE=8 # CMakeLists.txt! AC_CONFIG_HEADERS([expat_config.h]) From ecdff1c906ecb041c0c05a27410211b1052f7ab1 Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Tue, 11 May 2021 16:03:19 +0200 Subject: [PATCH 10/10] Set expected release date for 2.4.0 --- expat/Changes | 2 +- expat/doc/xmlwf.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/expat/Changes b/expat/Changes index fe5bafba..6d926eb5 100644 --- a/expat/Changes +++ b/expat/Changes @@ -2,7 +2,7 @@ NOTE: We are looking for help with a few things: https://github.com/libexpat/libexpat/labels/help%20wanted If you can help, please get in touch. Thanks! -Release 2.4.0 XXX XXXXX XX XXXX +Release 2.4.0 Sun May 23 2021 Security fixes: #34 #466 #484 CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks (denial-of-service; flavors targeting CPU time or RAM or both, diff --git a/expat/doc/xmlwf.xml b/expat/doc/xmlwf.xml index 60a4ae00..fa1b3565 100644 --- a/expat/doc/xmlwf.xml +++ b/expat/doc/xmlwf.xml @@ -22,7 +22,7 @@ Scott"> Bronson"> - May 4, 2021"> + May 23, 2021"> 1"> bronson@rinspin.com">
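
Review bot: In [PATCH 01/10], the second README.md hunk (@@ -55,12 +55,12 @@) leaves both variants as live commands in one `cmake` block, so anyone copying the example verbatim runs `target_link_libraries(hello PUBLIC EXPAT::EXPAT)` and the `${EXPAT_INCLUDE_DIRS}` / `${EXPAT_LIBRARIES}` pair together, including on a CMake that the comment itself says is too old for variant a). The removed `if(${CMAKE_VERSION} VERSION_GREATER_EQUAL "3.10")` guard made the choice explicit; if it is dropped for readability, comment out one of the two variants or add a line saying to pick exactly one. The subject also says "config mode", while this hunk sits above the `### b) Config Mode` heading, in the FindEXPAT module section.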
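
Review bot: In [PATCH 05/10], the first Changes hunk (@@ -12,8 +12,26 @@) adds a bullet that reads "A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to signals this specific condition"; that should be "to signal". The sentence "If you ever need to increase the defaults for non-attack XML payload, please file a bug report with libexpat." now appears twice in the same list, under the API functions bullet and again under the xmlwf bullet; stating it once after the list would read better. Since this list is where users learn how the protection is tuned, it would also help to say which of `-a FACTOR` / `-b BYTES` corresponds to the 100.0 factor and which to the 8 MiB threshold mentioned just above.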
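
Review bot: In [PATCH 06/10], the added bullet "Two new XML_FEATURE_* constants .." in the Changes hunk (@@ -22,6 +22,9 @@) does not name the two constants, while the neighbouring bullets spell out the two new functions and the two environment variables in full. Please list the constant names here as well, so that someone grepping Changes for the identifier returned by XML_GetFeatureList or shown by "xmlwf -v" finds this entry.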
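
Review bot: In [PATCH 09/10], the Changes entry "#479 Version info bumped from 8:0:7 to 9:0:8" gives the reason (new symbols and error codes) but not the consequence for packagers: LIBCURRENT minus LIBAGE stays at 1 (8 - 7 before, 9 - 8 after), which is the value CMakeLists.txt computes as LIBCURRENT_MINUS_AGE. A short clause saying the change is backward compatible and that this difference is unchanged would save readers a trip to the linked page. The values are still duplicated in CMakeLists.txt and configure.ac and kept aligned only by the "# sync with" comments; both were updated consistently here, but a CI check comparing the two files would catch a future mismatch.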