Created attachment 231090: v1

Moin moin

desktop@ would like to ask for an exp-run to update expat2 to 2.4.3 (security release).

The patch is attached, and can also be found here:
https://people.freebsd.org/~tcberner/patches/0001-textproc-expat2-update-to-2.4.3.patch

mfg Tobias
For portmgr -- The two versions (2.4.2 and 2.4.3) are ABI and API compatible. Code diff can be reviewed here:
https://github.com/libexpat/libexpat/compare/R_2_4_2...R_2_4_3

I've replaced my own desktop's expat2 with an independently created and almost identical patch and didn't observe any issue (as expected).

Note that unlike the base system bundled expat2 (libbsdxml), which processes mostly trusted data (GEOM, libmt were from kernel; the exception was unbound-anchor, but that was signed data), vulnerabilities in port expat2 could be a greater threat.
Exp-run looks fine
(In reply to Antoine Brodin from comment #2) 👍
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=97d40c6bda0656833e3e16d9364a5dc1b9587200

commit 97d40c6bda0656833e3e16d9364a5dc1b9587200
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2022-01-17 18:59:30 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2022-01-21 08:04:08 +0000

    textproc/expat2: update to 2.4.3

    From [1]:

    libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.

    Expat 2.4.3 has been released earlier today. Besides two minor fixes to the build system, this release is about security fixes. There is a total of 8 CVEs fixed, all related to fixed-size integer math (integer overflow and invalid shifts) near memory allocation. Impact is denial of service, or more.

    * CVE-2021-45960
    * CVE-2021-46143
    * CVE-2022-22822
    * CVE-2022-22823
    * CVE-2022-22824
    * CVE-2022-22825
    * CVE-2022-22826
    * CVE-2022-22827

    For more details, please check out the change log [2].

    [1] https://blog.hartwork.org/posts/expat-2-4-3-released/
    [2] https://github.com/libexpat/libexpat/blob/R_2_4_3/expat/Changes

    Exp-run by:     antoine
    PR:             261285

 textproc/expat2/Makefile  | 2 +-
 textproc/expat2/distinfo  | 6 +++---
 textproc/expat2/pkg-plist | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
A commit in branch 2022Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=13b8735a3908eaceaf9053a78d0c0120bef83e7f

commit 13b8735a3908eaceaf9053a78d0c0120bef83e7f
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2022-01-17 18:59:30 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2022-01-21 08:04:50 +0000

    textproc/expat2: update to 2.4.3

    From [1]:

    libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.

    Expat 2.4.3 has been released earlier today. Besides two minor fixes to the build system, this release is about security fixes. There is a total of 8 CVEs fixed, all related to fixed-size integer math (integer overflow and invalid shifts) near memory allocation. Impact is denial of service, or more.

    * CVE-2021-45960
    * CVE-2021-46143
    * CVE-2022-22822
    * CVE-2022-22823
    * CVE-2022-22824
    * CVE-2022-22825
    * CVE-2022-22826
    * CVE-2022-22827

    For more details, please check out the change log [2].

    [1] https://blog.hartwork.org/posts/expat-2-4-3-released/
    [2] https://github.com/libexpat/libexpat/blob/R_2_4_3/expat/Changes

    Exp-run by:     antoine
    PR:             261285

    (cherry picked from commit 97d40c6bda0656833e3e16d9364a5dc1b9587200)

 textproc/expat2/Makefile  | 2 +-
 textproc/expat2/distinfo  | 6 +++---
 textproc/expat2/pkg-plist | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)