Bug 266524 (expat-2.4.9) - [exp-run] update textproc/expat2 to 2.4.9
Summary: [exp-run] update textproc/expat2 to 2.4.9
Status: Closed FIXED
Alias: expat-2.4.9
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Tobias C. Berner
Reported: 2022-09-21 04:39 UTC by Tobias C. Berner
Modified: 2022-09-30 00:59 UTC (History)
koobs: merge-quarterly+
antoine: exp-run+


Attachments
v1 (4.82 KB, patch)
2022-09-21 04:39 UTC, Tobias C. Berner

Description Tobias C. Berner freebsd_committer freebsd_triage 2022-09-21 04:39:08 UTC
Created attachment 236716
v1

Hello


desktop@ would like to ask for an exp-run to update expat to 2.4.9.

The patch is attached, and can also be found here:

https://people.freebsd.org/~tcberner/patches/0001-textproc-expat2-update-to-2.4.9.patch


Kind regards, Tobias
Comment 1 Daniel Engberg freebsd_committer freebsd_triage 2022-09-24 11:31:42 UTC
Perhaps also add a VuXML entry due to CVE-2022-40674?
Comment 2 Antoine Brodin freebsd_committer freebsd_triage 2022-09-26 19:09:35 UTC
Exp-run looks fine
Comment 3 commit-hook freebsd_committer freebsd_triage 2022-09-27 04:07:59 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=9901fd092a8c8e43f24217ebea61a6f53ad245fb

commit 9901fd092a8c8e43f24217ebea61a6f53ad245fb
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2022-09-21 04:36:41 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2022-09-27 04:06:34 +0000

    textproc/expat2: update to 2.4.9

    Release 2.4.9 Tue September 20 2022
            Security fixes:
           #629 #640  CVE-2022-40674 -- Heap use-after-free vulnerability in
                        function doContent. Expected impact is denial of service
                        or potentially arbitrary code execution.

            Bug fixes:
                #634  MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0
                #614  docs: Fix documentation on effect of switch XML_DTD on
                        symbol visibility in doc/reference.html

            Other changes:
                #638  MinGW: Make fix-xmltest-log.sh drop more Wine bug output
           #596 #625  Autotools: Sync CMake templates with CMake 3.22
                #608  CMake: Migrate from use of CMAKE_*_POSTFIX to
                        dedicated variables EXPAT_*_POSTFIX to stop affecting
                        other projects
           #597 #599  Windows|CMake: Add missing -DXML_STATIC to test runners
                        and fuzzers
           #512 #621  Windows|CMake: Render .def file from a template to fix
                        linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
           #611 #621  MinGW|CMake: Apply MSVC .def file when linking
           #622 #624  MinGW|CMake: Sync library name with GNU Autotools,
                        i.e. produce libexpat-1.dll rather than libexpat.dll
                        by default.  Filename libexpat.dll.a is unaffected.
                #632  MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in
                        toolchain file "cmake/mingw-toolchain.cmake" to avoid
                        error "windres: Command not found" on e.g. Ubuntu 20.04
           #597 #627  CMake: Unify inconsistent use of set() and option() in
                        context of public build time options to take need for
                        set(.. FORCE) in projects using Expat by means of
                        add_subdirectory(..) off Expat's users' shoulders
           #626 #641  Stop exporting API symbols when building a static library
                #644  Resolve use of deprecated "fgrep" by "grep -F"
                #620  CMake: Make documentation on variables a bit more consistent
                #636  CMake: Drop leading whitespace from a #cmakedefine line in
                        file expat_config.h.cmake
                #594  xmlwf: Fix harmless variable mix-up in function nsattcmp
      #592 #593 #610  Address Cppcheck warnings
                #643  Address Clang 15 compiler warnings
           #642 #644  Version info bumped from 9:8:8 to 9:9:8;
                        see https://verbump.de/ for what these numbers do

            Infrastructure:
           #597 #598  CI: Windows: Start covering MSVC 2022
                #619  CI: macOS: Migrate off deprecated macOS 10.15
                #632  CI: Linux: Make migration off deprecated Ubuntu 18.04 work
                #643  CI: Upgrade Clang from 14 to 15
                #637  apply-clang-format.sh: Add support for BSD find
                #633  coverage.sh: Exclude MinGW headers
                #635  coverage.sh: Fix name collision for -funsigned-char

            Special thanks to:
                David Faure
                Felix Wilhelm
                Frank Bergmann
                Rhodri James
                Rosen Penev
                Thijs Schreijer
                Vincent Torri
                     and
                Google Project Zero

    Exp-run by:     antoine
    PR:             266524

 textproc/expat2/Makefile  | 2 +-
 textproc/expat2/distinfo  | 6 +++---
 textproc/expat2/pkg-plist | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
Comment 4 commit-hook freebsd_committer freebsd_triage 2022-09-27 04:09:00 UTC
A commit in branch 2022Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=abe4eae5c809b82028300031577720e51790b3dd

commit abe4eae5c809b82028300031577720e51790b3dd
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2022-09-21 04:36:41 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2022-09-27 04:07:51 +0000

    textproc/expat2: update to 2.4.9

    Release 2.4.9 Tue September 20 2022
            Security fixes:
           #629 #640  CVE-2022-40674 -- Heap use-after-free vulnerability in
                        function doContent. Expected impact is denial of service
                        or potentially arbitrary code execution.

            Bug fixes:
                #634  MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0
                #614  docs: Fix documentation on effect of switch XML_DTD on
                        symbol visibility in doc/reference.html

            Other changes:
                #638  MinGW: Make fix-xmltest-log.sh drop more Wine bug output
           #596 #625  Autotools: Sync CMake templates with CMake 3.22
                #608  CMake: Migrate from use of CMAKE_*_POSTFIX to
                        dedicated variables EXPAT_*_POSTFIX to stop affecting
                        other projects
           #597 #599  Windows|CMake: Add missing -DXML_STATIC to test runners
                        and fuzzers
           #512 #621  Windows|CMake: Render .def file from a template to fix
                        linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
           #611 #621  MinGW|CMake: Apply MSVC .def file when linking
           #622 #624  MinGW|CMake: Sync library name with GNU Autotools,
                        i.e. produce libexpat-1.dll rather than libexpat.dll
                        by default.  Filename libexpat.dll.a is unaffected.
                #632  MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in
                        toolchain file "cmake/mingw-toolchain.cmake" to avoid
                        error "windres: Command not found" on e.g. Ubuntu 20.04
           #597 #627  CMake: Unify inconsistent use of set() and option() in
                        context of public build time options to take need for
                        set(.. FORCE) in projects using Expat by means of
                        add_subdirectory(..) off Expat's users' shoulders
           #626 #641  Stop exporting API symbols when building a static library
                #644  Resolve use of deprecated "fgrep" by "grep -F"
                #620  CMake: Make documentation on variables a bit more consistent
                #636  CMake: Drop leading whitespace from a #cmakedefine line in
                        file expat_config.h.cmake
                #594  xmlwf: Fix harmless variable mix-up in function nsattcmp
      #592 #593 #610  Address Cppcheck warnings
                #643  Address Clang 15 compiler warnings
           #642 #644  Version info bumped from 9:8:8 to 9:9:8;
                        see https://verbump.de/ for what these numbers do

            Infrastructure:
           #597 #598  CI: Windows: Start covering MSVC 2022
                #619  CI: macOS: Migrate off deprecated macOS 10.15
                #632  CI: Linux: Make migration off deprecated Ubuntu 18.04 work
                #643  CI: Upgrade Clang from 14 to 15
                #637  apply-clang-format.sh: Add support for BSD find
                #633  coverage.sh: Exclude MinGW headers
                #635  coverage.sh: Fix name collision for -funsigned-char

            Special thanks to:
                David Faure
                Felix Wilhelm
                Frank Bergmann
                Rhodri James
                Rosen Penev
                Thijs Schreijer
                Vincent Torri
                     and
                Google Project Zero

    Exp-run by:     antoine
    PR:             266524

    (cherry picked from commit 9901fd092a8c8e43f24217ebea61a6f53ad245fb)

 textproc/expat2/Makefile  | 2 +-
 textproc/expat2/distinfo  | 6 +++---
 textproc/expat2/pkg-plist | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
Comment 5 Tobias C. Berner freebsd_committer freebsd_triage 2022-09-27 04:19:17 UTC
Thanks for the exp-run.
Committed, and vuxml added.


Kind regards, Tobias
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2022-09-30 00:59:33 UTC
Merge to quarterly in ports abe4eae5c809