From 7959225d05d964ad08036eb77789e7aacef38000 Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Fri, 14 Mar 2025 23:02:07 +0100 Subject: [PATCH 1/4] Makefile.am: Add missing files for xml_lpm_fuzzer --- expat/Makefile.am | 2 ++ 1 file changed, 2 insertions(+) diff --git a/expat/Makefile.am b/expat/Makefile.am index 7d8e17c2..733baf98 100644 --- a/expat/Makefile.am +++ b/expat/Makefile.am @@ -96,6 +96,8 @@ EXTRA_DIST = \ conftools/expat.m4 \ conftools/get-version.sh \ \ + fuzz/xml_lpm_fuzzer.cpp \ + fuzz/xml_lpm_fuzzer.proto \ fuzz/xml_parsebuffer_fuzzer.c \ fuzz/xml_parse_fuzzer.c \ \ From 1c24499c1b5067fb468c447ed7d57651553ce000 Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Fri, 14 Mar 2025 22:55:56 +0100 Subject: [PATCH 2/4] fuzzing.yml: Ensure that "make dist" includes all files for fuzzing --- .github/workflows/fuzzing.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/.github/workflows/fuzzing.yml b/.github/workflows/fuzzing.yml index 278cf21f..16bac218 100644 --- a/.github/workflows/fuzzing.yml +++ b/.github/workflows/fuzzing.yml @@ -71,9 +71,26 @@ jobs: run: |- set -x sudo apt-get install --yes --no-install-recommends -V \ + autoconf \ + automake \ + docbook2x \ + libtool \ libprotobuf-dev \ + lzip \ protobuf-compiler + - name: Turn Git clone into Autotools "make dist" release tarball + run: |- + set -x + pushd expat/ + ./buildconf.sh + ./configure + make dist + popd + tar xf expat/expat-*.tar.xz + rm -R expat/ + mv expat-* expat + - name: Build Expat fuzzers run: | set -x -o pipefail From 991a5de397da31dd35cb8467e0928895f7163e6c Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Fri, 14 Mar 2025 23:13:19 +0100 Subject: [PATCH 3/4] fuzzing.yml: Re-group artifact naming This grouping better suits a human interested in one particular fuzzer. --- .github/workflows/fuzzing.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/fuzzing.yml b/.github/workflows/fuzzing.yml index 16bac218..8c7cef52 100644 --- a/.github/workflows/fuzzing.yml +++ b/.github/workflows/fuzzing.yml @@ -148,7 +148,7 @@ jobs: - name: Store fuzzing logs of last batch uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 with: - name: expat_fuzzing_logs_last_${{ matrix.fuzzer }}_${{ github.sha }} + name: ${{ matrix.fuzzer }}_${{ github.sha }}_logs_last path: expat/build/fuzz-*.log if-no-files-found: error @@ -168,6 +168,6 @@ jobs: - name: Store coverage report uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 with: - name: expat_fuzzing_coverage_${{ matrix.fuzzer }}_${{ github.sha }} + name: ${{ matrix.fuzzer }}_${{ github.sha }}_coverage path: expat/build/coverage/ if-no-files-found: error From fec0d8cdabe87f5ad4a2721cc54964e3ba4ce32c Mon Sep 17 00:00:00 2001 From: Sebastian Pipping Date: Fri, 14 Mar 2025 23:03:51 +0100 Subject: [PATCH 4/4] Changes: Document #977 --- expat/Changes | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/expat/Changes b/expat/Changes index 1f5ba0a0..f2db2e21 100644 --- a/expat/Changes +++ b/expat/Changes @@ -37,6 +37,15 @@ !! THANK YOU! Sebastian Pipping -- Berlin, 2024-03-09 !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +Release 2.7.1 ??? ????? ?? ???? + Other changes: + #976 #977 Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}" + with Automake that were missing from 2.7.0 release tarballs + + Infrastructure: + #976 #977 CI: Protect against fuzzer files missing from future + release archives + Release 2.7.0 Thu March 13 2025 Security fixes: #893 #973 CVE-2024-8176 -- Fix crash from chaining a large number