Bug 261285 (expat-2.4.3) - [exp-run] update textproc/expat2 to 2.4.3
Summary: [exp-run] update textproc/expat2 to 2.4.3
Status: Closed FIXED
Alias: expat-2.4.3
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Tobias C. Berner
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-01-17 19:02 UTC by Tobias C. Berner
Modified: 2022-01-31 09:34 UTC

See Also:
tcberner: merge-quarterly+
antoine: exp-run+


Attachments
v1 (2.55 KB, patch)
2022-01-17 19:02 UTC, Tobias C. Berner

Description Tobias C. Berner freebsd_committer freebsd_triage 2022-01-17 19:02:55 UTC
Created attachment 231090
v1

Hello,

desktop@ would like to ask for an exp-run to update expat2 to 2.4.3 (security release).

The patch is attached, and can also be found here:
https://people.freebsd.org/~tcberner/patches/0001-textproc-expat2-update-to-2.4.3.patch


Kind regards, Tobias
Comment 1 Xin LI freebsd_committer freebsd_triage 2022-01-18 08:52:27 UTC
For portmgr -- The two versions (2.4.2 and 2.4.3) are ABI and API compatible.

Code diff can be reviewed here: https://github.com/libexpat/libexpat/compare/R_2_4_2...R_2_4_3

I've replaced my own desktop's expat2 with an independently created and almost identical patch and didn't observe any issue (as expected).

Note that unlike the base system bundled expat2 (libbsdxml) which processes mostly trusted data (GEOM, libmt were from kernel; the exception was unbound-anchor, but that was signed data), vulnerabilities in port expat2 could be a greater threat.
Comment 2 Antoine Brodin freebsd_committer freebsd_triage 2022-01-20 18:20:34 UTC
Exp-run looks fine
Comment 3 Xin LI freebsd_committer freebsd_triage 2022-01-20 18:27:39 UTC
(In reply to Antoine Brodin from comment #2)
👍
Comment 4 commit-hook freebsd_committer freebsd_triage 2022-01-21 08:05:25 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=97d40c6bda0656833e3e16d9364a5dc1b9587200

commit 97d40c6bda0656833e3e16d9364a5dc1b9587200
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2022-01-17 18:59:30 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2022-01-21 08:04:08 +0000

    textproc/expat2: update to 2.4.3

    From [1]:

    libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one
    of the most widely used software libre XML parsers written in C,
    precisely C99. It is cross-platform and licensed under the MIT license.

    Expat 2.4.3 has been released earlier today. Besides two minor fixes to
    the build system, this release is about security fixes. There is a total
    of 8 CVEs fixed, all related to fixed-size integer math (integer
    overflow and invalid shifts) near memory allocation. Impact is denial of
    service, or more.

      *  CVE-2021-45960
      *  CVE-2021-46143
      *  CVE-2022-22822
      *  CVE-2022-22823
      *  CVE-2022-22824
      *  CVE-2022-22825
      *  CVE-2022-22826
      *  CVE-2022-22827

    For more details, please check out the change log [2].

    [1] https://blog.hartwork.org/posts/expat-2-4-3-released/
    [2] https://github.com/libexpat/libexpat/blob/R_2_4_3/expat/Changes

    Exp-run by:     antoine
    PR:             261285

 textproc/expat2/Makefile  | 2 +-
 textproc/expat2/distinfo  | 6 +++---
 textproc/expat2/pkg-plist | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
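The bug class the commit message describes (fixed-width integer arithmetic, including overflowing multiplies and out-of-range shifts, sitting right next to a memory allocation) is easiest to see in code. The following C is an added illustration written for this page; it is not expat's code, not its fix, and not part of the port. The helper names (naive_buffer_bytes, checked_mul_size, grow_size_checked, checked_shl) and the hostile element count in main are constructed for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative only (constructed for this page): a sizing helper in the style
 * of the bug class the commit message names.  The multiply silently wraps
 * on overflow, so the caller gets a buffer far smaller than count * elem_size
 * and later writes run past its end. */
size_t naive_buffer_bytes(size_t count, size_t elem_size)
{
    return count * elem_size; /* wraps modulo SIZE_MAX + 1 */
}

/* Overflow-checked multiply: false means "this size cannot be represented". */
bool checked_mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Overflow-checked add, same contract. */
bool checked_add_size(size_t a, size_t b, size_t *out)
{
    if (b > SIZE_MAX - a)
        return false;
    *out = a + b;
    return true;
}

/* Byte size for a buffer holding at least old_count + need_extra elements,
 * doubling when that fits for amortised growth.  Every intermediate step is
 * checked, so an attacker-chosen input length cannot wrap the result. */
bool grow_size_checked(size_t old_count, size_t need_extra, size_t elem_size,
                       size_t *new_bytes)
{
    size_t min_count, new_count;
    if (!checked_add_size(old_count, need_extra, &min_count))
        return false;
    new_count = min_count;
    if (old_count <= SIZE_MAX / 2 && old_count * 2 > min_count)
        new_count = old_count * 2; /* doubling only when it cannot overflow */
    return checked_mul_size(new_count, elem_size, new_bytes);
}

/* Allocation wrapper that refuses instead of allocating a wrapped size. */
void *alloc_array_checked(size_t count, size_t elem_size)
{
    size_t bytes;
    if (!checked_mul_size(count, elem_size, &bytes))
        return NULL; /* caller treats NULL like any other allocation failure */
    return malloc(bytes ? bytes : 1); /* sidestep implementation-defined malloc(0) */
}

/* Shifts: a left shift by the operand width or more is undefined behaviour in C,
 * and a shift that pushes set bits out silently loses magnitude.  Reject both. */
bool checked_shl(unsigned int value, unsigned int shift, unsigned int *out)
{
    if (shift >= (unsigned int)(sizeof value * CHAR_BIT))
        return false;
    if (value > (UINT_MAX >> shift))
        return false;
    *out = value << shift;
    return true;
}

int main(void)
{
    size_t count = SIZE_MAX / 2 + 1; /* constructed hostile element count */
    size_t bytes;
    unsigned int shifted;

    printf("naive: %zu bytes for %zu elements of 2 bytes\n",
           naive_buffer_bytes(count, 2), count);
    printf("checked multiply: %s\n",
           checked_mul_size(count, 2, &bytes) ? "ok" : "refused");
    printf("1 << 32: %s\n", checked_shl(1u, 32, &shifted) ? "ok" : "refused");
    return 0;
}
```

The naive helper returns 0 bytes for the hostile count, which is exactly the shape of a size-computation overflow feeding an allocator; the checked variants return false so the caller can fail the parse instead. Compile with `-Wall -Wextra` and, while testing, `-fsanitize=undefined` to catch any shift or signed-arithmetic slip the manual checks miss.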
Comment 5 commit-hook freebsd_committer freebsd_triage 2022-01-21 08:05:26 UTC
A commit in branch 2022Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=13b8735a3908eaceaf9053a78d0c0120bef83e7f

commit 13b8735a3908eaceaf9053a78d0c0120bef83e7f
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2022-01-17 18:59:30 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2022-01-21 08:04:50 +0000

    textproc/expat2: update to 2.4.3

    From [1]:

    libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one
    of the most widely used software libre XML parsers written in C,
    precisely C99. It is cross-platform and licensed under the MIT license.

    Expat 2.4.3 has been released earlier today. Besides two minor fixes to
    the build system, this release is about security fixes. There is a total
    of 8 CVEs fixed, all related to fixed-size integer math (integer
    overflow and invalid shifts) near memory allocation. Impact is denial of
    service, or more.

      *  CVE-2021-45960
      *  CVE-2021-46143
      *  CVE-2022-22822
      *  CVE-2022-22823
      *  CVE-2022-22824
      *  CVE-2022-22825
      *  CVE-2022-22826
      *  CVE-2022-22827

    For more details, please check out the change log [2].

    [1] https://blog.hartwork.org/posts/expat-2-4-3-released/
    [2] https://github.com/libexpat/libexpat/blob/R_2_4_3/expat/Changes

    Exp-run by:     antoine
    PR:             261285

    (cherry picked from commit 97d40c6bda0656833e3e16d9364a5dc1b9587200)

 textproc/expat2/Makefile  | 2 +-
 textproc/expat2/distinfo  | 6 +++---
 textproc/expat2/pkg-plist | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)