1*0c65ac1dSAntonio Huete JimenezNOTE: We are looking for help with a few things: 2*0c65ac1dSAntonio Huete Jimenez https://github.com/libexpat/libexpat/labels/help%20wanted 3*0c65ac1dSAntonio Huete Jimenez If you can help, please get in touch. Thanks! 4*0c65ac1dSAntonio Huete Jimenez 5*0c65ac1dSAntonio Huete JimenezRelease 2.5.0 Tue October 25 2022 6*0c65ac1dSAntonio Huete Jimenez Security fixes: 7*0c65ac1dSAntonio Huete Jimenez #616 #649 #650 CVE-2022-43680 -- Fix heap use-after-free after overeager 8*0c65ac1dSAntonio Huete Jimenez destruction of a shared DTD in function 9*0c65ac1dSAntonio Huete Jimenez XML_ExternalEntityParserCreate in out-of-memory situations. 10*0c65ac1dSAntonio Huete Jimenez Expected impact is denial of service or potentially 11*0c65ac1dSAntonio Huete Jimenez arbitrary code execution. 12*0c65ac1dSAntonio Huete Jimenez 13*0c65ac1dSAntonio Huete Jimenez Bug fixes: 14*0c65ac1dSAntonio Huete Jimenez #612 #645 Fix curruption from undefined entities 15*0c65ac1dSAntonio Huete Jimenez #613 #654 Fix case when parsing was suspended while processing nested 16*0c65ac1dSAntonio Huete Jimenez entities 17*0c65ac1dSAntonio Huete Jimenez #616 #652 #653 Stop leaking opening tag bindings after a closing tag 18*0c65ac1dSAntonio Huete Jimenez mismatch error where a parser is reset through 19*0c65ac1dSAntonio Huete Jimenez XML_ParserReset and then reused to parse 20*0c65ac1dSAntonio Huete Jimenez #656 CMake: Fix generation of pkg-config file 21*0c65ac1dSAntonio Huete Jimenez #658 MinGW|CMake: Fix static library name 22*0c65ac1dSAntonio Huete Jimenez 23*0c65ac1dSAntonio Huete Jimenez Other changes: 24*0c65ac1dSAntonio Huete Jimenez #663 Protect header expat_config.h from multiple inclusion 25*0c65ac1dSAntonio Huete Jimenez #666 examples: Make use of XML_GetBuffer and be more 26*0c65ac1dSAntonio Huete Jimenez consistent across examples 27*0c65ac1dSAntonio Huete Jimenez #648 Address compiler warnings 28*0c65ac1dSAntonio Huete Jimenez #667 #668 Version info bumped from 
9:9:8 to 9:10:8; 29*0c65ac1dSAntonio Huete Jimenez see https://verbump.de/ for what these numbers do 30*0c65ac1dSAntonio Huete Jimenez 31*0c65ac1dSAntonio Huete Jimenez Special thanks to: 32*0c65ac1dSAntonio Huete Jimenez Jann Horn 33*0c65ac1dSAntonio Huete Jimenez Mark Brand 34*0c65ac1dSAntonio Huete Jimenez Osyotr 35*0c65ac1dSAntonio Huete Jimenez Rhodri James 36*0c65ac1dSAntonio Huete Jimenez and 37*0c65ac1dSAntonio Huete Jimenez Google Project Zero 38*0c65ac1dSAntonio Huete Jimenez 39*0c65ac1dSAntonio Huete JimenezRelease 2.4.9 Tue September 20 2022 40*0c65ac1dSAntonio Huete Jimenez Security fixes: 41*0c65ac1dSAntonio Huete Jimenez #629 #640 CVE-2022-40674 -- Heap use-after-free vulnerability in 42*0c65ac1dSAntonio Huete Jimenez function doContent. Expected impact is denial of service 43*0c65ac1dSAntonio Huete Jimenez or potentially arbitrary code execution. 44*0c65ac1dSAntonio Huete Jimenez 45*0c65ac1dSAntonio Huete Jimenez Bug fixes: 46*0c65ac1dSAntonio Huete Jimenez #634 MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0 47*0c65ac1dSAntonio Huete Jimenez #614 docs: Fix documentation on effect of switch XML_DTD on 48*0c65ac1dSAntonio Huete Jimenez symbol visibility in doc/reference.html 49*0c65ac1dSAntonio Huete Jimenez 50*0c65ac1dSAntonio Huete Jimenez Other changes: 51*0c65ac1dSAntonio Huete Jimenez #638 MinGW: Make fix-xmltest-log.sh drop more Wine bug output 52*0c65ac1dSAntonio Huete Jimenez #596 #625 Autotools: Sync CMake templates with CMake 3.22 53*0c65ac1dSAntonio Huete Jimenez #608 CMake: Migrate from use of CMAKE_*_POSTFIX to 54*0c65ac1dSAntonio Huete Jimenez dedicated variables EXPAT_*_POSTFIX to stop affecting 55*0c65ac1dSAntonio Huete Jimenez other projects 56*0c65ac1dSAntonio Huete Jimenez #597 #599 Windows|CMake: Add missing -DXML_STATIC to test runners 57*0c65ac1dSAntonio Huete Jimenez and fuzzers 58*0c65ac1dSAntonio Huete Jimenez #512 #621 Windows|CMake: Render .def file from a template to fix 59*0c65ac1dSAntonio Huete Jimenez linking 
with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON 60*0c65ac1dSAntonio Huete Jimenez #611 #621 MinGW|CMake: Apply MSVC .def file when linking 61*0c65ac1dSAntonio Huete Jimenez #622 #624 MinGW|CMake: Sync library name with GNU Autotools, 62*0c65ac1dSAntonio Huete Jimenez i.e. produce libexpat-1.dll rather than libexpat.dll 63*0c65ac1dSAntonio Huete Jimenez by default. Filename libexpat.dll.a is unaffected. 64*0c65ac1dSAntonio Huete Jimenez #632 MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in 65*0c65ac1dSAntonio Huete Jimenez toolchain file "cmake/mingw-toolchain.cmake" to avoid 66*0c65ac1dSAntonio Huete Jimenez error "windres: Command not found" on e.g. Ubuntu 20.04 67*0c65ac1dSAntonio Huete Jimenez #597 #627 CMake: Unify inconsistent use of set() and option() in 68*0c65ac1dSAntonio Huete Jimenez context of public build time options to take need for 69*0c65ac1dSAntonio Huete Jimenez set(.. FORCE) in projects using Expat by means of 70*0c65ac1dSAntonio Huete Jimenez add_subdirectory(..) 
off Expat's users' shoulders 71*0c65ac1dSAntonio Huete Jimenez #626 #641 Stop exporting API symbols when building a static library 72*0c65ac1dSAntonio Huete Jimenez #644 Resolve use of deprecated "fgrep" by "grep -F" 73*0c65ac1dSAntonio Huete Jimenez #620 CMake: Make documentation on variables a bit more consistent 74*0c65ac1dSAntonio Huete Jimenez #636 CMake: Drop leading whitespace from a #cmakedefine line in 75*0c65ac1dSAntonio Huete Jimenez file expat_config.h.cmake 76*0c65ac1dSAntonio Huete Jimenez #594 xmlwf: Fix harmless variable mix-up in function nsattcmp 77*0c65ac1dSAntonio Huete Jimenez #592 #593 #610 Address Cppcheck warnings 78*0c65ac1dSAntonio Huete Jimenez #643 Address Clang 15 compiler warnings 79*0c65ac1dSAntonio Huete Jimenez #642 #644 Version info bumped from 9:8:8 to 9:9:8; 80*0c65ac1dSAntonio Huete Jimenez see https://verbump.de/ for what these numbers do 81*0c65ac1dSAntonio Huete Jimenez 82*0c65ac1dSAntonio Huete Jimenez Infrastructure: 83*0c65ac1dSAntonio Huete Jimenez #597 #598 CI: Windows: Start covering MSVC 2022 84*0c65ac1dSAntonio Huete Jimenez #619 CI: macOS: Migrate off deprecated macOS 10.15 85*0c65ac1dSAntonio Huete Jimenez #632 CI: Linux: Make migration off deprecated Ubuntu 18.04 work 86*0c65ac1dSAntonio Huete Jimenez #643 CI: Upgrade Clang from 14 to 15 87*0c65ac1dSAntonio Huete Jimenez #637 apply-clang-format.sh: Add support for BSD find 88*0c65ac1dSAntonio Huete Jimenez #633 coverage.sh: Exclude MinGW headers 89*0c65ac1dSAntonio Huete Jimenez #635 coverage.sh: Fix name collision for -funsigned-char 90*0c65ac1dSAntonio Huete Jimenez 91*0c65ac1dSAntonio Huete Jimenez Special thanks to: 92*0c65ac1dSAntonio Huete Jimenez David Faure 93*0c65ac1dSAntonio Huete Jimenez Felix Wilhelm 94*0c65ac1dSAntonio Huete Jimenez Frank Bergmann 95*0c65ac1dSAntonio Huete Jimenez Rhodri James 96*0c65ac1dSAntonio Huete Jimenez Rosen Penev 97*0c65ac1dSAntonio Huete Jimenez Thijs Schreijer 98*0c65ac1dSAntonio Huete Jimenez Vincent Torri 
99*0c65ac1dSAntonio Huete Jimenez and 100*0c65ac1dSAntonio Huete Jimenez Google Project Zero 101*0c65ac1dSAntonio Huete Jimenez 102*0c65ac1dSAntonio Huete JimenezRelease 2.4.8 Mon March 28 2022 103*0c65ac1dSAntonio Huete Jimenez Other changes: 104*0c65ac1dSAntonio Huete Jimenez #587 pkg-config: Move "-lm" to section "Libs.private" 105*0c65ac1dSAntonio Huete Jimenez #587 CMake|MSVC: Fix pkg-config section "Libs" 106*0c65ac1dSAntonio Huete Jimenez #55 #582 CMake|macOS: Start using linker arguments 107*0c65ac1dSAntonio Huete Jimenez "-compatibility_version <version>" and 108*0c65ac1dSAntonio Huete Jimenez "-current_version <version>" in a way compatible with 109*0c65ac1dSAntonio Huete Jimenez GNU Libtool 110*0c65ac1dSAntonio Huete Jimenez #590 #591 Version info bumped from 9:7:8 to 9:8:8; 111*0c65ac1dSAntonio Huete Jimenez see https://verbump.de/ for what these numbers do 112*0c65ac1dSAntonio Huete Jimenez 113*0c65ac1dSAntonio Huete Jimenez Infrastructure: 114*0c65ac1dSAntonio Huete Jimenez #589 CI: Upgrade Clang from 13 to 14 115*0c65ac1dSAntonio Huete Jimenez 116*0c65ac1dSAntonio Huete Jimenez Special thanks to: 117*0c65ac1dSAntonio Huete Jimenez evpobr 118*0c65ac1dSAntonio Huete Jimenez Kai Pastor 119*0c65ac1dSAntonio Huete Jimenez Sam James 120*0c65ac1dSAntonio Huete Jimenez 121*0c65ac1dSAntonio Huete JimenezRelease 2.4.7 Fri March 4 2022 122*0c65ac1dSAntonio Huete Jimenez Bug fixes: 123*0c65ac1dSAntonio Huete Jimenez #572 #577 Relax fix to CVE-2022-25236 (introduced with release 2.4.5) 124*0c65ac1dSAntonio Huete Jimenez with regard to all valid URI characters (RFC 3986), 125*0c65ac1dSAntonio Huete Jimenez i.e. 
the following set (excluding whitespace): 126*0c65ac1dSAntonio Huete Jimenez ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz 127*0c65ac1dSAntonio Huete Jimenez 0123456789 % -._~ :/?#[]@ !$&'()*+,;= 128*0c65ac1dSAntonio Huete Jimenez 129*0c65ac1dSAntonio Huete Jimenez Other changes: 130*0c65ac1dSAntonio Huete Jimenez #555 #570 #581 CMake|Windows: Store Expat version in the DLL 131*0c65ac1dSAntonio Huete Jimenez #577 Document consequences of namespace separator choices not just 132*0c65ac1dSAntonio Huete Jimenez in doc/reference.html but also in header <expat.h> 133*0c65ac1dSAntonio Huete Jimenez #577 Document Expat's lack of validation of namespace URIs against 134*0c65ac1dSAntonio Huete Jimenez RFC 3986, and that the XML 1.0r4 specification doesn't 135*0c65ac1dSAntonio Huete Jimenez require Expat to validate namespace URIs, and that Expat 136*0c65ac1dSAntonio Huete Jimenez may do more in that regard in future releases. 137*0c65ac1dSAntonio Huete Jimenez If you find need for strict RFC 3986 URI validation on 138*0c65ac1dSAntonio Huete Jimenez application level today, https://uriparser.github.io/ may 139*0c65ac1dSAntonio Huete Jimenez be of interest. 140*0c65ac1dSAntonio Huete Jimenez #579 Fix documentation of XML_EndDoctypeDeclHandler in <expat.h> 141*0c65ac1dSAntonio Huete Jimenez #575 Document that a call to XML_FreeContentModel can be done at 142*0c65ac1dSAntonio Huete Jimenez a later time from outside the element declaration handler 143*0c65ac1dSAntonio Huete Jimenez #574 Make hardcoded namespace URIs easier to find in code 144*0c65ac1dSAntonio Huete Jimenez #573 Update documentation on use of XML_POOR_ENTOPY on Solaris 145*0c65ac1dSAntonio Huete Jimenez #569 #571 tests: Resolve use of macros NAN and INFINITY for GNU G++ 146*0c65ac1dSAntonio Huete Jimenez 4.8.2 on Solaris. 
147*0c65ac1dSAntonio Huete Jimenez #578 #580 Version info bumped from 9:6:8 to 9:7:8; 148*0c65ac1dSAntonio Huete Jimenez see https://verbump.de/ for what these numbers do 149*0c65ac1dSAntonio Huete Jimenez 150*0c65ac1dSAntonio Huete Jimenez Special thanks to: 151*0c65ac1dSAntonio Huete Jimenez Jeffrey Walton 152*0c65ac1dSAntonio Huete Jimenez Johnny Jazeix 153*0c65ac1dSAntonio Huete Jimenez Thijs Schreijer 154*0c65ac1dSAntonio Huete Jimenez 155*0c65ac1dSAntonio Huete JimenezRelease 2.4.6 Sun February 20 2022 156*0c65ac1dSAntonio Huete Jimenez Bug fixes: 157*0c65ac1dSAntonio Huete Jimenez #566 Fix a regression introduced by the fix for CVE-2022-25313 158*0c65ac1dSAntonio Huete Jimenez in release 2.4.5 that affects applications that (1) 159*0c65ac1dSAntonio Huete Jimenez call function XML_SetElementDeclHandler and (2) are 160*0c65ac1dSAntonio Huete Jimenez parsing XML that contains nested element declarations 161*0c65ac1dSAntonio Huete Jimenez (e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>"). 162*0c65ac1dSAntonio Huete Jimenez 163*0c65ac1dSAntonio Huete Jimenez Other changes: 164*0c65ac1dSAntonio Huete Jimenez #567 #568 Version info bumped from 9:5:8 to 9:6:8; 165*0c65ac1dSAntonio Huete Jimenez see https://verbump.de/ for what these numbers do 166*0c65ac1dSAntonio Huete Jimenez 167*0c65ac1dSAntonio Huete Jimenez Special thanks to: 168*0c65ac1dSAntonio Huete Jimenez Matt Sergeant 169*0c65ac1dSAntonio Huete Jimenez Samanta Navarro 170*0c65ac1dSAntonio Huete Jimenez Sergei Trofimovich 171*0c65ac1dSAntonio Huete Jimenez and 172*0c65ac1dSAntonio Huete Jimenez NixOS 173*0c65ac1dSAntonio Huete Jimenez Perl XML::Parser 174*0c65ac1dSAntonio Huete Jimenez 175*0c65ac1dSAntonio Huete JimenezRelease 2.4.5 Fri February 18 2022 176*0c65ac1dSAntonio Huete Jimenez Security fixes: 177*0c65ac1dSAntonio Huete Jimenez #562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8 178*0c65ac1dSAntonio Huete Jimenez sequences (e.g. 
from start tag names) to the XML 179*0c65ac1dSAntonio Huete Jimenez processing application on top of Expat can cause 180*0c65ac1dSAntonio Huete Jimenez arbitrary damage (e.g. code execution) depending 181*0c65ac1dSAntonio Huete Jimenez on how invalid UTF-8 is handled inside the XML 182*0c65ac1dSAntonio Huete Jimenez processor; validation was not their job but Expat's. 183*0c65ac1dSAntonio Huete Jimenez Exploits with code execution are known to exist. 184*0c65ac1dSAntonio Huete Jimenez #561 CVE-2022-25236 -- Passing (one or more) namespace separator 185*0c65ac1dSAntonio Huete Jimenez characters in "xmlns[:prefix]" attribute values 186*0c65ac1dSAntonio Huete Jimenez made Expat send malformed tag names to the XML 187*0c65ac1dSAntonio Huete Jimenez processor on top of Expat which can cause 188*0c65ac1dSAntonio Huete Jimenez arbitrary damage (e.g. code execution) depending 189*0c65ac1dSAntonio Huete Jimenez on such unexpectable cases are handled inside the XML 190*0c65ac1dSAntonio Huete Jimenez processor; validation was not their job but Expat's. 191*0c65ac1dSAntonio Huete Jimenez Exploits with code execution are known to exist. 192*0c65ac1dSAntonio Huete Jimenez #558 CVE-2022-25313 -- Fix stack exhaustion in doctype parsing 193*0c65ac1dSAntonio Huete Jimenez that could be triggered by e.g. a 2 megabytes 194*0c65ac1dSAntonio Huete Jimenez file with a large number of opening braces. 195*0c65ac1dSAntonio Huete Jimenez Expected impact is denial of service or potentially 196*0c65ac1dSAntonio Huete Jimenez arbitrary code execution. 197*0c65ac1dSAntonio Huete Jimenez #560 CVE-2022-25314 -- Fix integer overflow in function copyString; 198*0c65ac1dSAntonio Huete Jimenez only affects the encoding name parameter at parser creation 199*0c65ac1dSAntonio Huete Jimenez time which is often hardcoded (rather than user input), 200*0c65ac1dSAntonio Huete Jimenez takes a value in the gigabytes to trigger, and a 64-bit 201*0c65ac1dSAntonio Huete Jimenez machine. 
Expected impact is denial of service. 202*0c65ac1dSAntonio Huete Jimenez #559 CVE-2022-25315 -- Fix integer overflow in function storeRawNames; 203*0c65ac1dSAntonio Huete Jimenez needs input in the gigabytes and a 64-bit machine. 204*0c65ac1dSAntonio Huete Jimenez Expected impact is denial of service or potentially 205*0c65ac1dSAntonio Huete Jimenez arbitrary code execution. 206*0c65ac1dSAntonio Huete Jimenez 207*0c65ac1dSAntonio Huete Jimenez Other changes: 208*0c65ac1dSAntonio Huete Jimenez #557 #564 Version info bumped from 9:4:8 to 9:5:8; 209*0c65ac1dSAntonio Huete Jimenez see https://verbump.de/ for what these numbers do 210*0c65ac1dSAntonio Huete Jimenez 211*0c65ac1dSAntonio Huete Jimenez Special thanks to: 212*0c65ac1dSAntonio Huete Jimenez Ivan Fratric 213*0c65ac1dSAntonio Huete Jimenez Samanta Navarro 214*0c65ac1dSAntonio Huete Jimenez and 215*0c65ac1dSAntonio Huete Jimenez Google Project Zero 216*0c65ac1dSAntonio Huete Jimenez JetBrains 217*0c65ac1dSAntonio Huete Jimenez 218*0c65ac1dSAntonio Huete JimenezRelease 2.4.4 Sun January 30 2022 219*0c65ac1dSAntonio Huete Jimenez Security fixes: 220*0c65ac1dSAntonio Huete Jimenez #550 CVE-2022-23852 -- Fix signed integer overflow 221*0c65ac1dSAntonio Huete Jimenez (undefined behavior) in function XML_GetBuffer 222*0c65ac1dSAntonio Huete Jimenez (that is also called by function XML_Parse internally) 223*0c65ac1dSAntonio Huete Jimenez for when XML_CONTEXT_BYTES is defined to >0 (which is both 224*0c65ac1dSAntonio Huete Jimenez common and default). 225*0c65ac1dSAntonio Huete Jimenez Impact is denial of service or more. 226*0c65ac1dSAntonio Huete Jimenez #551 CVE-2022-23990 -- Fix unsigned integer overflow in function 227*0c65ac1dSAntonio Huete Jimenez doProlog triggered by large content in element type 228*0c65ac1dSAntonio Huete Jimenez declarations when there is an element declaration handler 229*0c65ac1dSAntonio Huete Jimenez present (from a prior call to XML_SetElementDeclHandler). 
230*0c65ac1dSAntonio Huete Jimenez Impact is denial of service or more. 231*0c65ac1dSAntonio Huete Jimenez 232*0c65ac1dSAntonio Huete Jimenez Bug fixes: 233*0c65ac1dSAntonio Huete Jimenez #544 #545 xmlwf: Fix a memory leak on output file opening error 234*0c65ac1dSAntonio Huete Jimenez 235*0c65ac1dSAntonio Huete Jimenez Other changes: 236*0c65ac1dSAntonio Huete Jimenez #546 Autotools: Fix broken CMake support under Cygwin 237*0c65ac1dSAntonio Huete Jimenez #554 Windows: Add missing files to the installer to fix 238*0c65ac1dSAntonio Huete Jimenez compilation with CMake from installed sources 239*0c65ac1dSAntonio Huete Jimenez #552 #554 Version info bumped from 9:3:8 to 9:4:8; 240*0c65ac1dSAntonio Huete Jimenez see https://verbump.de/ for what these numbers do 241*0c65ac1dSAntonio Huete Jimenez 242*0c65ac1dSAntonio Huete Jimenez Special thanks to: 243*0c65ac1dSAntonio Huete Jimenez Carlo Bramini 244*0c65ac1dSAntonio Huete Jimenez hwt0415 245*0c65ac1dSAntonio Huete Jimenez Roland Illig 246*0c65ac1dSAntonio Huete Jimenez Samanta Navarro 247*0c65ac1dSAntonio Huete Jimenez and 248*0c65ac1dSAntonio Huete Jimenez Clang LeakSan and the Clang team 249*0c65ac1dSAntonio Huete Jimenez 250*0c65ac1dSAntonio Huete JimenezRelease 2.4.3 Sun January 16 2022 251*0c65ac1dSAntonio Huete Jimenez Security fixes: 252*0c65ac1dSAntonio Huete Jimenez #531 #534 CVE-2021-45960 -- Fix issues with left shifts by >=29 places 253*0c65ac1dSAntonio Huete Jimenez resulting in 254*0c65ac1dSAntonio Huete Jimenez a) realloc acting as free 255*0c65ac1dSAntonio Huete Jimenez b) realloc allocating too few bytes 256*0c65ac1dSAntonio Huete Jimenez c) undefined behavior 257*0c65ac1dSAntonio Huete Jimenez depending on architecture and precise value 258*0c65ac1dSAntonio Huete Jimenez for XML documents with >=2^27+1 prefixed attributes 259*0c65ac1dSAntonio Huete Jimenez on a single XML tag a la 260*0c65ac1dSAntonio Huete Jimenez "<r xmlns:a='[..]' a:a123='[..]' [..] 
/>" 261*0c65ac1dSAntonio Huete Jimenez where XML_ParserCreateNS is used to create the parser 262*0c65ac1dSAntonio Huete Jimenez (which needs argument "-n" when running xmlwf). 263*0c65ac1dSAntonio Huete Jimenez Impact is denial of service, or more. 264*0c65ac1dSAntonio Huete Jimenez #532 #538 CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow 265*0c65ac1dSAntonio Huete Jimenez on variable m_groupSize in function doProlog leading 266*0c65ac1dSAntonio Huete Jimenez to realloc acting as free. 267*0c65ac1dSAntonio Huete Jimenez Impact is denial of service or more. 268*0c65ac1dSAntonio Huete Jimenez #539 CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows 269*0c65ac1dSAntonio Huete Jimenez near memory allocation at multiple places. Mitre assigned 270*0c65ac1dSAntonio Huete Jimenez a dedicated CVE for each involved internal C function: 271*0c65ac1dSAntonio Huete Jimenez - CVE-2022-22822 for function addBinding 272*0c65ac1dSAntonio Huete Jimenez - CVE-2022-22823 for function build_model 273*0c65ac1dSAntonio Huete Jimenez - CVE-2022-22824 for function defineAttribute 274*0c65ac1dSAntonio Huete Jimenez - CVE-2022-22825 for function lookup 275*0c65ac1dSAntonio Huete Jimenez - CVE-2022-22826 for function nextScaffoldPart 276*0c65ac1dSAntonio Huete Jimenez - CVE-2022-22827 for function storeAtts 277*0c65ac1dSAntonio Huete Jimenez Impact is denial of service or more. 
278*0c65ac1dSAntonio Huete Jimenez 279*0c65ac1dSAntonio Huete Jimenez Other changes: 280*0c65ac1dSAntonio Huete Jimenez #535 CMake: Make call to file(GENERATE [..]) work for CMake <3.19 281*0c65ac1dSAntonio Huete Jimenez #541 Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin 282*0c65ac1dSAntonio Huete Jimenez and MSYS2 by not going through Wine on these platforms 283*0c65ac1dSAntonio Huete Jimenez #527 #528 Address compiler warnings 284*0c65ac1dSAntonio Huete Jimenez #533 #543 Version info bumped from 9:2:8 to 9:3:8; 285*0c65ac1dSAntonio Huete Jimenez see https://verbump.de/ for what these numbers do 286*0c65ac1dSAntonio Huete Jimenez 287*0c65ac1dSAntonio Huete Jimenez Infrastructure: 288*0c65ac1dSAntonio Huete Jimenez #536 CI: Check for realistic minimum CMake version 289*0c65ac1dSAntonio Huete Jimenez #529 #539 CI: Cover compilation with -m32 290*0c65ac1dSAntonio Huete Jimenez #529 CI: Store coverage reports as artifacts for download 291*0c65ac1dSAntonio Huete Jimenez #528 CI: Upgrade Clang from 11 to 13 292*0c65ac1dSAntonio Huete Jimenez 293*0c65ac1dSAntonio Huete Jimenez Special thanks to: 294*0c65ac1dSAntonio Huete Jimenez An anonymous whitehat 295*0c65ac1dSAntonio Huete Jimenez Christopher Degawa 296*0c65ac1dSAntonio Huete Jimenez J. 
Peter Mugaas 297*0c65ac1dSAntonio Huete Jimenez Tyson Smith 298*0c65ac1dSAntonio Huete Jimenez and 299*0c65ac1dSAntonio Huete Jimenez GCC Farm Project 300*0c65ac1dSAntonio Huete Jimenez Trend Micro Zero Day Initiative 301*0c65ac1dSAntonio Huete Jimenez 302*0c65ac1dSAntonio Huete JimenezRelease 2.4.2 Sun December 19 2021 303*0c65ac1dSAntonio Huete Jimenez Other changes: 304*0c65ac1dSAntonio Huete Jimenez #509 #510 Link againgst libm for function "isnan" 305*0c65ac1dSAntonio Huete Jimenez #513 #514 Include expat_config.h as early as possible 306*0c65ac1dSAntonio Huete Jimenez #498 Autotools: Include files with release archives: 307*0c65ac1dSAntonio Huete Jimenez - buildconf.sh 308*0c65ac1dSAntonio Huete Jimenez - fuzz/*.c 309*0c65ac1dSAntonio Huete Jimenez #507 #519 Autotools: Sync CMake templates with CMake 3.20 310*0c65ac1dSAntonio Huete Jimenez #495 #524 CMake: MinGW: Fix pkg-config section "Libs" for 311*0c65ac1dSAntonio Huete Jimenez - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug) 312*0c65ac1dSAntonio Huete Jimenez - multi-config CMake generators (e.g. 
Ninja Multi-Config) 313*0c65ac1dSAntonio Huete Jimenez #502 #503 docs: Document that function XML_GetBuffer may return NULL 314*0c65ac1dSAntonio Huete Jimenez when asking for a buffer of 0 (zero) bytes size 315*0c65ac1dSAntonio Huete Jimenez #522 #523 docs: Fix return value docs for both 316*0c65ac1dSAntonio Huete Jimenez XML_SetBillionLaughsAttackProtection* functions 317*0c65ac1dSAntonio Huete Jimenez #525 #526 Version info bumped from 9:1:8 to 9:2:8; 318*0c65ac1dSAntonio Huete Jimenez see https://verbump.de/ for what these numbers do 319*0c65ac1dSAntonio Huete Jimenez 320*0c65ac1dSAntonio Huete Jimenez Special thanks to: 321*0c65ac1dSAntonio Huete Jimenez Dong-hee Na 322*0c65ac1dSAntonio Huete Jimenez Joergen Ibsen 323*0c65ac1dSAntonio Huete Jimenez Kai Pastor 324*0c65ac1dSAntonio Huete Jimenez 325*0c65ac1dSAntonio Huete JimenezRelease 2.4.1 Sun May 23 2021 326*0c65ac1dSAntonio Huete Jimenez Bug fixes: 327*0c65ac1dSAntonio Huete Jimenez #488 #490 Autotools: Fix installed header expat_config.h for multilib 328*0c65ac1dSAntonio Huete Jimenez systems; regression introduced in 2.4.0 by pull request #486 329*0c65ac1dSAntonio Huete Jimenez 330*0c65ac1dSAntonio Huete Jimenez Other changes: 331*0c65ac1dSAntonio Huete Jimenez #491 #492 Version info bumped from 9:0:8 to 9:1:8; 332*0c65ac1dSAntonio Huete Jimenez see https://verbump.de/ for what these numbers do 333*0c65ac1dSAntonio Huete Jimenez 334*0c65ac1dSAntonio Huete Jimenez Special thanks to: 335*0c65ac1dSAntonio Huete Jimenez Gentoo's QA check "multilib_check_headers" 336*0c65ac1dSAntonio Huete Jimenez 337*0c65ac1dSAntonio Huete JimenezRelease 2.4.0 Sun May 23 2021 338*0c65ac1dSAntonio Huete Jimenez Security fixes: 339*0c65ac1dSAntonio Huete Jimenez #34 #466 #484 CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks 340*0c65ac1dSAntonio Huete Jimenez (denial-of-service; flavors targeting CPU time or RAM or both, 341*0c65ac1dSAntonio Huete Jimenez leveraging general entities or parameter entities or both) 
342*0c65ac1dSAntonio Huete Jimenez by tracking and limiting the input amplification factor 343*0c65ac1dSAntonio Huete Jimenez (<amplification> := (<direct> + <indirect>) / <direct>). 344*0c65ac1dSAntonio Huete Jimenez By conservative default, amplification up to a factor of 100.0 345*0c65ac1dSAntonio Huete Jimenez is tolerated and rejection only starts after 8 MiB of output bytes 346*0c65ac1dSAntonio Huete Jimenez (=<direct> + <indirect>) have been processed. 347*0c65ac1dSAntonio Huete Jimenez The fix adds the following to the API: 348*0c65ac1dSAntonio Huete Jimenez - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to 349*0c65ac1dSAntonio Huete Jimenez signals this specific condition. 350*0c65ac1dSAntonio Huete Jimenez - Two new API functions .. 351*0c65ac1dSAntonio Huete Jimenez - XML_SetBillionLaughsAttackProtectionMaximumAmplification and 352*0c65ac1dSAntonio Huete Jimenez - XML_SetBillionLaughsAttackProtectionActivationThreshold 353*0c65ac1dSAntonio Huete Jimenez .. to further tighten billion laughs protection parameters 354*0c65ac1dSAntonio Huete Jimenez when desired. Please see file "doc/reference.html" for details. 355*0c65ac1dSAntonio Huete Jimenez If you ever need to increase the defaults for non-attack XML 356*0c65ac1dSAntonio Huete Jimenez payload, please file a bug report with libexpat. 357*0c65ac1dSAntonio Huete Jimenez - Two new XML_FEATURE_* constants .. 358*0c65ac1dSAntonio Huete Jimenez - that can be queried using the XML_GetFeatureList function, and 359*0c65ac1dSAntonio Huete Jimenez - that are shown in "xmlwf -v" output. 360*0c65ac1dSAntonio Huete Jimenez - Two new environment variable switches .. 361*0c65ac1dSAntonio Huete Jimenez - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and 362*0c65ac1dSAntonio Huete Jimenez - EXPAT_ENTITY_DEBUG=(0|1) 363*0c65ac1dSAntonio Huete Jimenez .. for runtime debugging of accounting and entity processing. 364*0c65ac1dSAntonio Huete Jimenez Specific behavior of these values may change in the future. 
365*0c65ac1dSAntonio Huete Jimenez - Two new command line arguments "-a FACTOR" and "-b BYTES" 366*0c65ac1dSAntonio Huete Jimenez for xmlwf to further tighten billion laughs protection 367*0c65ac1dSAntonio Huete Jimenez parameters when desired. 368*0c65ac1dSAntonio Huete Jimenez If you ever need to increase the defaults for non-attack XML 369*0c65ac1dSAntonio Huete Jimenez payload, please file a bug report with libexpat. 370*0c65ac1dSAntonio Huete Jimenez 371*0c65ac1dSAntonio Huete Jimenez Bug fixes: 372*0c65ac1dSAntonio Huete Jimenez #332 #470 For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake) 373*0c65ac1dSAntonio Huete Jimenez or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault 374*0c65ac1dSAntonio Huete Jimenez for UTF-16 payloads containing CDATA sections. 375*0c65ac1dSAntonio Huete Jimenez #485 #486 Autotools: Fix generated CMake files for non-64bit and 376*0c65ac1dSAntonio Huete Jimenez non-Linux platforms (e.g. macOS and MinGW in particular) 377*0c65ac1dSAntonio Huete Jimenez that were introduced with release 2.3.0 378*0c65ac1dSAntonio Huete Jimenez 379*0c65ac1dSAntonio Huete Jimenez Other changes: 380*0c65ac1dSAntonio Huete Jimenez #468 #469 xmlwf: Improve help output and the xmlwf man page 381*0c65ac1dSAntonio Huete Jimenez #463 xmlwf: Improve maintainability through some refactoring 382*0c65ac1dSAntonio Huete Jimenez #477 xmlwf: Fix man page DocBook validity 383*0c65ac1dSAntonio Huete Jimenez #456 Autotools: Sync CMake templates with CMake 3.18 384*0c65ac1dSAntonio Huete Jimenez #458 #459 CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR 385*0c65ac1dSAntonio Huete Jimenez and CMAKE_INSTALL_INCLUDEDIR 386*0c65ac1dSAntonio Huete Jimenez #471 #481 CMake: Add support for standard variable BUILD_SHARED_LIBS 387*0c65ac1dSAntonio Huete Jimenez #457 Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters 388*0c65ac1dSAntonio Huete Jimenez #467 Resolve macro HAVE_EXPAT_CONFIG_H 389*0c65ac1dSAntonio Huete Jimenez #472 Delete unused 
legacy helper file "conftools/PrintPath" 390*0c65ac1dSAntonio Huete Jimenez #473 #483 Improve attribution 391*0c65ac1dSAntonio Huete Jimenez #464 #465 #477 doc/reference.html: Fix XHTML validity 392*0c65ac1dSAntonio Huete Jimenez #475 #478 doc/reference.html: Replace the 90s look by OK.css 393*0c65ac1dSAntonio Huete Jimenez #479 Version info bumped from 8:0:7 to 9:0:8 394*0c65ac1dSAntonio Huete Jimenez due to addition of new symbols and error codes; 395*0c65ac1dSAntonio Huete Jimenez see https://verbump.de/ for what these numbers do 396*0c65ac1dSAntonio Huete Jimenez 397*0c65ac1dSAntonio Huete Jimenez Infrastructure: 398*0c65ac1dSAntonio Huete Jimenez #456 CI: Enable periodic runs 399*0c65ac1dSAntonio Huete Jimenez #457 CI: Start covering the list of exported symbols 400*0c65ac1dSAntonio Huete Jimenez #474 CI: Isolate coverage task 401*0c65ac1dSAntonio Huete Jimenez #476 #482 CI: Adapt to breaking changes in image "ubuntu-18.04" 402*0c65ac1dSAntonio Huete Jimenez #477 CI: Cover well-formedness and DocBook/XHTML validity 403*0c65ac1dSAntonio Huete Jimenez of doc/reference.html and doc/xmlwf.xml 404*0c65ac1dSAntonio Huete Jimenez 405*0c65ac1dSAntonio Huete Jimenez Special thanks to: 406*0c65ac1dSAntonio Huete Jimenez Dimitry Andric 407*0c65ac1dSAntonio Huete Jimenez Eero Helenius 408*0c65ac1dSAntonio Huete Jimenez Nick Wellnhofer 409*0c65ac1dSAntonio Huete Jimenez Rhodri James 410*0c65ac1dSAntonio Huete Jimenez Tomas Korbar 411*0c65ac1dSAntonio Huete Jimenez Yury Gribov 412*0c65ac1dSAntonio Huete Jimenez and 413*0c65ac1dSAntonio Huete Jimenez Clang LeakSan 414*0c65ac1dSAntonio Huete Jimenez JetBrains 415*0c65ac1dSAntonio Huete Jimenez OSS-Fuzz 416*0c65ac1dSAntonio Huete Jimenez 417*0c65ac1dSAntonio Huete JimenezRelease 2.3.0 Thu March 25 2021 418*0c65ac1dSAntonio Huete Jimenez Bug fixes: 419*0c65ac1dSAntonio Huete Jimenez #438 When calling XML_ParseBuffer without a prior successful call to 420*0c65ac1dSAntonio Huete Jimenez XML_GetBuffer as a user, no longer trigger 
undefined behavior 421*0c65ac1dSAntonio Huete Jimenez (by adding an integer to a NULL pointer) but rather return 422*0c65ac1dSAntonio Huete Jimenez XML_STATUS_ERROR and set the error code to (new) code 423*0c65ac1dSAntonio Huete Jimenez XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer) 424*0c65ac1dSAntonio Huete Jimenez of Clang 11 (but not Clang 9). 425*0c65ac1dSAntonio Huete Jimenez #444 xmlwf: Exit status 2 was used for both: 426*0c65ac1dSAntonio Huete Jimenez - malformed input files (documented) and 427*0c65ac1dSAntonio Huete Jimenez - invalid command-line arguments (undocumented). 428*0c65ac1dSAntonio Huete Jimenez The case of invalid command-line arguments now 429*0c65ac1dSAntonio Huete Jimenez has its own exit status 4, resolving the ambiguity. 430*0c65ac1dSAntonio Huete Jimenez 431*0c65ac1dSAntonio Huete Jimenez Other changes: 432*0c65ac1dSAntonio Huete Jimenez #439 xmlwf: Add argument -k to allow continuing after 433*0c65ac1dSAntonio Huete Jimenez non-fatal errors 434*0c65ac1dSAntonio Huete Jimenez #439 xmlwf: Add section about exit status to the -h help output 435*0c65ac1dSAntonio Huete Jimenez #422 #426 #447 Windows: Drop support for Visual Studio <=14.0/2015 436*0c65ac1dSAntonio Huete Jimenez #434 Windows: CMake: Detect unsupported Visual Studio at 437*0c65ac1dSAntonio Huete Jimenez configure time (rather than at compile time) 438*0c65ac1dSAntonio Huete Jimenez #382 #428 testrunner: Make verbose mode (argument "-v") report 439*0c65ac1dSAntonio Huete Jimenez about passed tests, and make default mode report about 440*0c65ac1dSAntonio Huete Jimenez failures, as well. 
441*0c65ac1dSAntonio Huete Jimenez #442 CMake: Call "enable_language(CXX)" prior to tinkering 442*0c65ac1dSAntonio Huete Jimenez with CMAKE_CXX_* variables 443*0c65ac1dSAntonio Huete Jimenez #448 Document use of libexpat from a CMake-based project 444*0c65ac1dSAntonio Huete Jimenez #451 Autotools: Install CMake files as generated by CMake 3.19.6 445*0c65ac1dSAntonio Huete Jimenez so that users with "find_package(expat [..] CONFIG [..])" 446*0c65ac1dSAntonio Huete Jimenez are served on distributions that are *not* using the CMake 447*0c65ac1dSAntonio Huete Jimenez build system inside for libexpat packaging 448*0c65ac1dSAntonio Huete Jimenez #436 #437 Autotools: Drop obsolescent macro AC_HEADER_STDC 449*0c65ac1dSAntonio Huete Jimenez #450 #452 Autotools: Resolve use of obsolete macro AC_CONFIG_HEADER 450*0c65ac1dSAntonio Huete Jimenez #441 Address compiler warnings 451*0c65ac1dSAntonio Huete Jimenez #443 Version info bumped from 7:12:6 to 8:0:7 452*0c65ac1dSAntonio Huete Jimenez due to addition of error code XML_ERROR_NO_BUFFER 453*0c65ac1dSAntonio Huete Jimenez (see https://verbump.de/ for what these numbers do) 454*0c65ac1dSAntonio Huete Jimenez 455*0c65ac1dSAntonio Huete Jimenez Infrastructure: 456*0c65ac1dSAntonio Huete Jimenez #435 #446 Replace Travis CI by GitHub Actions 457*0c65ac1dSAntonio Huete Jimenez 458*0c65ac1dSAntonio Huete Jimenez Special thanks to: 459*0c65ac1dSAntonio Huete Jimenez Alexander Richardson 460*0c65ac1dSAntonio Huete Jimenez Oleksandr Popovych 461*0c65ac1dSAntonio Huete Jimenez Thomas Beutlich 462*0c65ac1dSAntonio Huete Jimenez Tim Bray 463*0c65ac1dSAntonio Huete Jimenez and 464*0c65ac1dSAntonio Huete Jimenez Clang LeakSan, Clang 11 UBSan and the Clang team 465*0c65ac1dSAntonio Huete Jimenez 466*0c65ac1dSAntonio Huete JimenezRelease 2.2.10 Sat October 3 2020 467*0c65ac1dSAntonio Huete Jimenez Bug fixes: 468*0c65ac1dSAntonio Huete Jimenez #390 #395 #398 Fix undefined behavior during parsing caused by 469*0c65ac1dSAntonio Huete Jimenez 
                    pointer arithmetic with NULL pointers
       #404 #405  Fix reading uninitialized variable during parsing
            #406  xmlwf: Add missing check for malloc NULL return

        Other changes:
            #396  Windows: Drop support for Visual Studio <=8.0/2005
            #409  Windows: Add missing file "Changes" to the installer
                    to fix compilation with CMake from installed sources
            #403  xmlwf: Document exit codes in xmlwf manpage and
                    exit with code 3 (rather than code 1) for output errors
                    when used with "-d DIRECTORY"
       #356 #359  MinGW: Provide declaration of rand_s for mingwrt <5.3.0
       #383 #392  Autotools: Use -Werror while configure tests the compiler
                    for supported compile flags to avoid false positives
  #383 #393 #394  Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS,
                    e.g. ensure that they have the last word over flags added
                    while running ./configure
            #360  CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis
                    on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
            #360  CMake: Detect and deny unsupported build combinations
                    involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t)
            #360  CMake: Install pre-compiled shipped xmlwf.1 manpage in case
                    of -DEXPAT_BUILD_DOCS=OFF
  #375 #380 #419  CMake: Fix use of Expat by means of add_subdirectory
       #407 #408  CMake: Keep expat target name constant at "expat"
                    (i.e. refrain from using the target name to control
                    build artifact filenames)
            #385  CMake: Fix compilation with -DEXPAT_SHARED_LIBS=OFF for
                    Windows
                  CMake: Expose man page compilation as target "xmlwf-manpage"
       #413 #414  CMake: Introduce option EXPAT_BUILD_PKGCONFIG
                    to control generation of pkg-config file "expat.pc"
            #424  CMake: Add minimalistic support for building binary packages
                    with CMake target "package"; based on CPack
            #366  CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with
                    default OFF to build fuzzer code against OSS-Fuzz and
                    related environment variable LIB_FUZZING_ENGINE
            #354  Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF, each
       #354 #355 ..
       #356 #412  Address compiler warnings
       #368 #369  Address pngcheck warnings with doc/*.png images
            #425  Version info bumped from 7:11:6 to 7:12:6

        Special thanks to:
            asavah
            Ben Wagner
            Bhargava Shastry
            Frank Landgraf
            Jeffrey Walton
            Joe Orton
            Kleber Tarcísio
            Ma Lin
            Maciej Sroczyński
            Mohammed Khajapasha
            Vadim Zeitlin
                 and
            Cppcheck 2.0 and the Cppcheck team

Release 2.2.9 Wed September 25 2019
        Other changes:
                  examples: Drop executable bits from elements.c
            #349  Windows: Change the name of the Windows DLLs from expat*.dll
                    to libexpat*.dll once more (regression from 2.2.8, first
                    fixed in 1.95.3, issue #61 on SourceForge today,
                    was issue #432456 back then); needs a fix due
                    case-insensitive file systems on Windows and the fact that
                    Perl's XML::Parser::Expat compiles into Expat.dll.
            #347  Windows: Only define _CRT_RAND_S if not defined
                  Version info bumped from 7:10:6 to 7:11:6

        Special thanks to:
            Ben Wagner

Release 2.2.8 Fri September 13 2019
        Security fixes:
       #317 #318  CVE-2019-15903 -- Fix heap overflow triggered by
                    XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber),
                    and deny internal entities closing the doctype;
                    fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43

        Bug fixes:
            #240  Fix cases where XML_StopParser did not have any effect
                    when called from inside of an end element handler
            #341  xmlwf: Fix exit code for operation without "-d DIRECTORY";
                    previously, only "-d DIRECTORY" would give you a proper
                    exit code:
                      # xmlwf -d . <<<'<not well-formed>' 2>/dev/null ; echo $?
                      2
                      # xmlwf <<<'<not well-formed>' 2>/dev/null ; echo $?
                      0
                    Now both cases return exit code 2.

        Other changes:
       #299 #302  Windows: Replace LoadLibrary hack to access
                    unofficial API function SystemFunction036 (RtlGenRandom)
                    by using official API function rand_s (needs WinXP+)
            #325  Windows: Drop support for Visual Studio <=7.1/2003
                    and document supported compilers in README.md
            #286  Windows: Remove COM code from xmlwf; in case it turns
                    out needed later, there will be a dedicated repository
                    below https://github.com/libexpat/ for that code
            #322  Windows: Remove explicit MSVC solution and project files.
                    You can generate Visual Studio solution files through
                    CMake, e.g.: cmake -G"Visual Studio 15 2017" .
            #338  xmlwf: Make "xmlwf -h" help output more friendly
            #339  examples: Improve elements.c
       #244 #264  Autotools: Add argument --enable-xml-attr-info
       #239 #301  Autotools: Add arguments
                    --with-getrandom
                    --without-getrandom
                    --with-sys-getrandom
                    --without-sys-getrandom
       #312 #343  Autotools: Fix linking issues with "./configure LD=clang"
                  Autotools: Fix "make run-xmltest" for out-of-source builds
       #329 #336  CMake: Pull all options from Expat <=2.2.7 into namespace
                    prefix EXPAT_ with the exception of DOCBOOK_TO_MAN:
                    - BUILD_doc            -> EXPAT_BUILD_DOCS (plural)
                    - BUILD_examples       -> EXPAT_BUILD_EXAMPLES
                    - BUILD_shared         -> EXPAT_SHARED_LIBS
                    - BUILD_tests          -> EXPAT_BUILD_TESTS
                    - BUILD_tools          -> EXPAT_BUILD_TOOLS
                    - DOCBOOK_TO_MAN       -> DOCBOOK_TO_MAN (unchanged)
                    - INSTALL              -> EXPAT_ENABLE_INSTALL
                    - MSVC_USE_STATIC_CRT  -> EXPAT_MSVC_STATIC_CRT
                    - USE_libbsd           -> EXPAT_WITH_LIBBSD
                    - WARNINGS_AS_ERRORS   -> EXPAT_WARNINGS_AS_ERRORS
                    - XML_CONTEXT_BYTES    -> EXPAT_CONTEXT_BYTES
                    - XML_DEV_URANDOM      -> EXPAT_DEV_URANDOM
                    - XML_DTD              -> EXPAT_DTD
                    - XML_NS               -> EXPAT_NS
                    - XML_UNICODE          -> EXPAT_CHAR_TYPE=ushort (!)
                    - XML_UNICODE_WCHAR_T  -> EXPAT_CHAR_TYPE=wchar_t (!)
       #244 #264  CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF),
                    default OFF
            #326  CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF),
                    default OFF
            #328  CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF),
                    default OFF
       #239 #277  CMake: Add arguments
                    -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO
                    -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO
            #326  CMake: Install expat_config.h to include directory
            #326  CMake: Generate and install configuration files for
                    future find_package(expat [..] CONFIG [..])
                  CMake: Now produces a summary of applied configuration
                  CMake: Require C++ compiler only when tests are enabled
            #330  CMake: Fix compilation for 16bit character types,
                    i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
            #265  CMake: Fix linking with MinGW
            #330  CMake: Add full support for MinGW; to enable, use
                    -DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake
            #330  CMake: Port "make run-xmltest" from GNU Autotools to CMake
            #316  CMake: Windows: Make binary postfix match MSVC
                    Old: expat[d].lib
                    New: expat[w][d][MD|MT].lib
                  CMake: Migrate files from Windows to Unix line endings
            #308  CMake: Integrate OSS-Fuzz fuzzers, option
                    -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF
             #14  Drop an OpenVMS support leftover
       #235 #268 ..
       #270 #310 ..
  #313 #331 #333  Address compiler warnings
       #282 #283 ..
       #284 #285  Address cppcheck warnings
       #294 #295  Address Clang Static Analyzer warnings
        #24 #293  Mass-apply clang-format 9 (and ensure conformance during CI)
                  Version info bumped from 7:9:6 to 7:10:6

        Special thanks to:
            David Loffredo
            Joonun Jang
            Kishore Kunche
            Marco Maggi
            Mitch Phillips
            Mohammed Khajapasha
            Rolf Ade
            xantares
            Zhongyuan Zhou

Release 2.2.7 Wed June 19 2019
        Security fixes:
       #186 #262  CVE-2018-20843 -- Fix extraction of namespace prefixes from
                    XML names; XML names with multiple colons could end up in
                    the wrong namespace, and take a high amount of RAM and CPU
                    resources while processing, opening the door to
                    use for denial-of-service attacks

        Other changes:
       #195 #197  Autotools/CMake: Utilize -fvisibility=hidden to stop
                    exporting non-API symbols
            #227  Autotools: Add --without-examples and --without-tests
            #228  Autotools: Modernize configure.ac
       #245 #246  Autotools: Fix check for -fvisibility=hidden for Clang
       #247 #248  Autotools: Fix compilation for lack of docbook2x-man
       #236 #258  Autotools: Produce .tar.{gz,lz,xz} release archives
            #212  CMake: Make libdir of pkgconfig expat.pc support multilib
       #158 #263  CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR
            #219  Remove fallback to bcopy, assume that memmove(3) exists
            #257  Use portable "/usr/bin/env bash" shebang (e.g. for OpenBSD)
            #243  Windows: Fix syntax of .def module definition files
                  Version info bumped from 7:8:6 to 7:9:6

        Special thanks to:
            Benjamin Peterson
            Caolán McNamara
            Hanno Böck
            KangLin
            Kishore Kunche
            Marco Maggi
            Rhodri James
            Sebastian Dröge
            userwithuid
            Yury Gribov

Release 2.2.6 Sun August 12 2018
        Bug fixes:
       #170 #206  Avoid doing arithmetic with NULL pointers in XML_GetBuffer
       #204 #205  Fix 2.2.5 regression with suspend-resume while parsing
                    a document like '<root/>'

        Other changes:
       #165 #168  Autotools: Fix docbook-related configure syntax error
            #166  Autotools: Avoid grep option `-q` for Solaris
            #167  Autotools: Support
                    ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation"
       #159 #167  Autotools: Support DOCBOOK_TO_MAN command which produces
                    xmlwf.1 rather than XMLWF.1; also covers case insensitive
                    file systems
            #181  Autotools: Drop -rpath option passed to libtool
            #188  Autotools: Detect and deny SGML docbook2man as ours is XML
            #188  Autotools/CMake: Support command db2x_docbook2man as well
            #174  CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF
       #184 #185  CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF
       #207 #208  CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T,
                    both defaulting to OFF
            #175  CMake: Prefer check_symbol_exists over check_function_exists
            #176  CMake: Create the same pkg-config file as with GNU Autotools
       #178 #179  CMake: Use GNUInstallDirs module to set proper defaults for
                    install directories
            #208  CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM
            #180  Windows: Fix compilation of test suite for Visual Studio 2008
  #131 #173 #202  Address compiler warnings
  #187 #190 #200  Fix miscellaneous typos
                  Version info bumped from 7:7:6 to 7:8:6

        Special thanks to:
            Anton Maklakov
            Benjamin Peterson
            Brad King
            Franek Korta
            Frank Rast
            Joe Orton
            luzpaz
            Pedro Vicente
            Rainer Jung
            Rhodri James
            Rolf Ade
            Rolf Eike Beer
            Thomas Beutlich
            Tomasz Kłoczko

Release 2.2.5 Tue October 31 2017
        Bug fixes:
              #8  If the parser runs out of memory, make sure its internal
                    state reflects the memory it actually has, not the memory
                    it wanted to have.
             #11  The default handler wasn't being called when it should for
                    a SYSTEM or PUBLIC doctype if an entity declaration handler
                    was registered.
       #137 #138  Fix a case of mistakenly reported parsing success where
                    XML_StopParser was called from an element handler
            #162  Function XML_ErrorString was returning NULL rather than
                    a message for code XML_ERROR_INVALID_ARGUMENT
                    introduced with release 2.2.1

        Other changes:
            #106  xmlwf: Add argument -N adding notation declarations
        #75 #106  Test suite: Resolve expected failure cases where xmlwf
                    output was incomplete
            #127  Windows: Fix test suite compilation
       #126 #127  Windows: Fix compilation for Visual Studio 2012
                  Windows: Upgrade shipped project files to Visual Studio 2017
        #33 #132  tests: Mass-fix compilation for XML_UNICODE_WCHAR_T
            #129  examples: Fix compilation for XML_UNICODE_WCHAR_T
            #130  benchmark: Fix compilation for XML_UNICODE_WCHAR_T
            #144  xmlwf: Fix compilation for XML_UNICODE_WCHAR_T; still needs
                    Windows or MinGW for 2-byte wchar_t
              #9  Address two Clang Static Analyzer false positives
             #59  Resolve troublesome macros hiding parser struct membership
                    and dereferencing that pointer
              #6  Resolve superfluous internal malloc/realloc switch
       #153 #155  Improve docbook2x-man detection
            #160  Undefine NDEBUG in the test suite (rather than rejecting it)
            #161  Address compiler warnings
                  Version info bumped from 7:6:6 to 7:7:6

        Special thanks to:
            Benbuck Nason
            Hans Wennborg
            José Gutiérrez de la Concha
            Pedro Monreal Gonzalez
            Rhodri James
            Rolf Ade
            Stephen Groat
                 and
            Core Infrastructure Initiative

Release 2.2.4 Sat August 19 2017
        Bug fixes:
            #115  Fix copying of partial characters for UTF-8 input

        Other changes:
            #109  Fix "make check" for non-x86 architectures that default
                    to unsigned type char (-128..127 rather than 0..255)
            #109  coverage.sh: Cover -funsigned-char
                  Autotools: Introduce --without-xmlwf argument
             #65  Autotools: Replace handwritten Makefile with GNU Automake
             #43  CMake: Auto-detect high quality entropy extractors, add new
                    option USE_libbsd=ON to use arc4random_buf of libbsd
             #74  CMake: Add -fno-strict-aliasing only where supported
            #114  CMake: Always honor manually set BUILD_* options
            #114  CMake: Compile man page if docbook2x-man is available, only
            #117  Include file tests/xmltest.log.expected in source tarball
                    (required for "make run-xmltest")
            #117  Include (existing) Visual Studio 2013 files in source tarball
                  Improve test suite error output
            #111  Fix some typos in documentation
                  Version info bumped from 7:5:6 to 7:6:6

        Special thanks to:
            Jakub Wilk
            Joe Orton
            Lin Tian
            Rolf Eike Beer

Release 2.2.3 Wed August 2 2017
        Security fixes:
             #82  CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability
                    using Steve Holme's LoadLibrary wrapper for/of cURL

        Bug fixes:
             #85  Fix a dangling pointer issue related to realloc

        Other changes:
                  Increase code coverage
             #91  Linux: Allow getrandom to fail if nonblocking pool has not
                    yet been initialized and read /dev/urandom then, instead.
                    This is in line with what recent Python does.
             #81  Pre-10.7/Lion macOS: Support entropy from arc4random
             #86  Check that a UTF-16 encoding in an XML declaration has the
                    right endianness
        #4 #5 #7  Recover correctly when some reallocations fail
                  Repair "./configure && make" for systems without any
                    provider of high quality entropy
                    and try reading /dev/urandom on those
                  Ensure that user-defined character encodings have converter
                    functions when they are needed
                  Fix mis-leading description of argument -c in xmlwf.1
                  Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__)
                    for CloudABI
            #100  Fix use of SIPHASH_MAIN in siphash.h
             #23  Test suite: Fix memory leaks
                  Version info bumped from 7:4:6 to 7:5:6

        Special thanks to:
            Chanho Park
            Joe Orton
            Pascal Cuoq
            Rhodri James
            Simon McVittie
            Vadim Zeitlin
            Viktor Szakats
                 and
            Core Infrastructure Initiative

Release 2.2.2 Wed July 12 2017
        Security fixes:
             #43  Protect against compilation without any source of high
                    quality entropy enabled, e.g. with CMake build system;
                    commit ff0207e6076e9828e536b8d9cd45c9c92069b895
             #60  Windows with _UNICODE:
                    Unintended use of LoadLibraryW with a non-wide string
                    resulted in failure to load advapi32.dll and degradation
                    in quality of used entropy when compiled with _UNICODE for
                    Windows; you can launch existing binaries with
                    EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the
                    quality of entropy used during runtime; commits
                    * 95b95032f907ef1cd17ee7a9a1768010a825d61d
                    * 73a5a2e9c081f49f2d775cf7ced864158b68dc80
       [MOX-006]  Fix non-NULL parser parameter validation in XML_Parse;
                    resulted in NULL dereference, previously;
                    commit ac256dafdffc9622ab0dc2c62fcecb0dfcfa71fe

        Bug fixes:
             #69  Fix improper use of unsigned long long integer literals

        Other changes:
             #73  Start requiring a C99 compiler
             #49  Fix "==" Bashism in configure script
             #50  Fix too eager getrandom detection for Debian GNU/kFreeBSD
             #52    and macOS
             #51  Address lack of stdint.h in Visual Studio 2003 to 2008
             #58  Address compile warnings
             #68  Fix "./buildconf.sh && ./configure" for some versions
                    of Dash for /bin/sh
             #72  CMake: Ease use of Expat in context of a parent project
                    with multiple CMakeLists.txt files
             #72  CMake: Resolve mistaken executable permissions
             #76  Address compile warning with -DNDEBUG (not recommended!)
             #77  Address compile warning about macro redefinition

        Special thanks to:
            Alexander Bluhm
            Ben Boeckel
            Cătălin Răceanu
            Kerin Millar
            László Böszörményi
            S. P. Zeidler
            Segev Finer
            Václav Slavík
            Victor Stinner
            Viktor Szakats
                 and
            Radically Open Security

Release 2.2.1 Sat June 17 2017
        Security fixes:
                  CVE-2017-9233 -- External entity infinite loop DoS
                    Details: https://libexpat.github.io/doc/cve-2017-9233/
                    Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
       [MOX-002]  CVE-2016-9063 -- Detect integer overflow; commit
                    d4f735b88d9932bd5039df2335eefdd0723dbe20
                    (Fixed version of existing downstream patches!)
   (SF.net) #539  Fix regression from fix to CVE-2016-0718 cutting off
                    longer tag names; commits
                    * 896b6c1fd3b842f377d1b62135dccf0a579cf65d
                    * af507cef2c93cb8d40062a0abe43a4f4e9158fb2
             #16    * 0dbbf43fdb20f593ddf4fa1ff67288000dd4a7fd
             #25  More integer overflow detection (function poolGrow); commits
                    * 810b74e4703dcfdd8f404e3cb177d44684775143
                    * 44178553f3539ce69d34abee77a05e879a7982ac
       [MOX-002]  Detect overflow from len=INT_MAX call to XML_Parse; commits
                    * 4be2cb5afcc018d996f34bbbce6374b7befad47f
                    * 7e5b71b748491b6e459e5c9a1d090820f94544d8
   [MOX-005] #30  Use high quality entropy for hash initialization:
                    * arc4random_buf on BSD, systems with libbsd
                      (when configured with --with-libbsd), CloudABI
                    * RtlGenRandom on Windows XP / Server 2003 and later
                    * getrandom on Linux 3.17+
                    In a way, that's still part of CVE-2016-5300.
                    https://github.com/libexpat/libexpat/pull/30/commits
    [MOX-005]     For the low quality entropy extraction fallback code,
                    the parser instance address can no longer leak, commit
                    04ad658bd3079dd15cb60fc67087900f0ff4b083
    [MOX-003]     Prevent use of uninitialised variable; commit
    [MOX-004]       a4dc944f37b664a3ca7199c624a98ee37babdb4b
                  Add missing parameter validation to public API functions
                    and dedicated error code XML_ERROR_INVALID_ARGUMENT:
    [MOX-006]       * NULL checks; commits
                      * d37f74b2b7149a3a95a680c4c4cd2a451a51d60a (merge/many)
                      * 9ed727064b675b7180c98cb3d4f75efba6966681
                      * 6a747c837c50114dfa413994e07c0ba477be4534
                    * Negative length (XML_Parse); commit
    [MOX-002]         70db8d2538a10f4c022655d6895e4c3e78692e7f
    [MOX-001] #35 Change hash algorithm to William Ahern's version of SipHash
                    to go further with fixing CVE-2012-0876.
                    https://github.com/libexpat/libexpat/pull/39/commits

        Bug fixes:
              #32 Fix sharing of hash salt across parsers;
                    relevant where XML_ExternalEntityParserCreate is called
                    prior to XML_Parse, in particular (e.g. FBReader)
              #28 xmlwf: Auto-disable use of memory-mapping (and parsing
                    as a single chunk) for files larger than ~1 GB (2^30 bytes)
                    rather than failing with error "out of memory"
               #3 Fix double free after malloc failure in DTD code; commit
                    7ae9c3d3af433cd4defe95234eae7dc8ed15637f
              #17 Fix memory leak on parser error for unbound XML attribute
                    prefix with new namespaces defined in the same tag;
                    found by Google's OSS-Fuzz; commits
                    * 16f87daae5a16132e479e4f71862128c7a915c73
                    * b47dbc9745932c160893d433220e462bd605f8cd
                  xmlwf on Windows: Add missing calls to CloseHandle

        New features:
              #30 Introduced environment switch EXPAT_ENTROPY_DEBUG=1
                    for runtime debugging of entropy extraction

        Other changes:
                  Increase code coverage
              #33 Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2;
                    XML_UNICODE_WCHAR_T was never meant to be used outside
                    of Windows; 4-byte wchar_t is common on Linux
    (SF.net) #538 Start using -fno-strict-aliasing
    (SF.net) #540 Support compilation against cloudlibc of CloudABI
                  Allow MinGW cross-compilation
    (SF.net) #534 CMake: Introduce option "BUILD_doc" (enabled by default)
                    to bypass compilation of the xmlwf.1 man page
     (SF.net) pr2 CMake: Introduce option "INSTALL" (enabled by default)
                    to bypass installation of expat files
                  CMake: Fix ninja support
                  Autotools: Add parameters --enable-xml-context [COUNT]
                    and --disable-xml-context; default of context of 1024
                    bytes enabled unchanged
              #14 Drop AmigaOS 4.x code and includes
              #14 Drop ancient build systems:
                    * Borland C++ Builder
                    * OpenVMS
                    * Open Watcom
                    * Visual Studio 6.0
                    * Pre-X Mac OS (MPW Makefile)
                    If you happen to rely on some of these, please get in
                    touch for joining with maintenance.
              #10 Move from WIN32 to _WIN32
              #13 Fix "make run-xmltest" order instability
                  Address compile warnings
                  Bump version info from 7:2:6 to 7:3:6
                  Add AUTHORS file

        Infrastructure:
               #1 Migrate from SourceForge to GitHub (except downloads):
                    https://github.com/libexpat/
               #1 Re-create http://libexpat.org/ project website
                  Start utilizing Travis CI

        Special thanks to:
            Andy Wang
            Don Lewis
            Ed Schouten
            Karl Waclawek
            Pascal Cuoq
            Rhodri James
            Sergei Nikulov
            Tobias Taschner
            Viktor Szakats
                 and
            Core Infrastructure Initiative
            Mozilla Foundation (MOSS Track 3: Secure Open Source)
            Radically Open Security

Release 2.2.0 Tue June 21 2016
        Security fixes:
             #537 CVE-2016-0718 -- Fix crash on malformed input
                  CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
                    CVE-2015-2716 introduced with Expat 2.1.1
             #499 CVE-2016-5300 -- Use more entropy for hash initialization
                    than the original fix to CVE-2012-0876
             #519 CVE-2012-6702 -- Resolve troublesome internal call to srand
                    that was introduced with Expat 2.1.0
                    when addressing CVE-2012-0876 (issue #496)

        Bug fixes:
                  Fix uninitialized reads of size 1
                    (e.g. in little2_updatePosition)
                  Fix detection of UTF-8 character boundaries

        Other changes:
             #532 Fix compilation for Visual Studio 2010 (keyword "C99")
                  Autotools: Resolve use of "$<" to better support bmake
                  Autotools: Add QA script "qa.sh" (and make target "qa")
                  Autotools: Respect CXXFLAGS if given
                  Autotools: Fix "make run-xmltest"
                  Autotools: Have "make run-xmltest" check for expected output
              p90 CMake: Fix static build (BUILD_shared=OFF) on Windows
             #536 CMake: Add soversion, support -DNO_SONAME=yes to bypass
             #323 CMake: Add suffix "d" to differentiate debug from release
                  CMake: Define WIN32 with CMake on Windows
                  Annotate memory allocators for GCC
                  Address all currently known compile warnings
                  Make sure that API symbols remain visible despite
                    -fvisibility=hidden
                  Remove executable flag from source files
                  Resolve COMPILED_FROM_DSP in favor of WIN32

        Special thanks to:
            Björn Lindahl
            Christian Heimes
            Cristian Rodríguez
            Daniel Krügler
            Gustavo Grieco
            Karl Waclawek
            László Böszörményi
            Marco Grassi
            Pascal Cuoq
            Sergei Nikulov
            Thomas Beutlich
            Warren Young
            Yann Droneaud

Release 2.1.1 Sat March 12 2016
        Security fixes:
            #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer

        Bug fixes:
            #502: Fix potential null pointer dereference
            #520: Symbol XML_SetHashSalt was not exported
            Output of "xmlwf -h" was incomplete

        Other changes:
            #503: Document behavior of calling XML_SetHashSalt with salt 0
            Minor improvements to man page xmlwf(1)
            Improvements to the experimental CMake build system
            libtool now invoked with --verbose

Release 2.1.0 Sat March 24 2012
        - Security fixes:
          #2958794: CVE-2012-1148 - Memory leak in poolGrow.
          #2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
          #3496608: CVE-2012-0876 - Hash DOS attack.
          #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
          #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
        - Bug Fixes:
          #1742315: Harmful XML_ParserCreateNS suggestion.
          #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
          #1983953, 2517952, 2517962, 2649838:
                Build modifications using autoreconf instead of buildconf.sh.
          #2815947, #2884086: OBJEXT and EXEEXT support while building.
          #2517938: xmlwf should return non-zero exit status if not well-formed.
          #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
          #2855609: Dangling positionPtr after error.
          #2990652: CMake support.
          #3010819: UNEXPECTED_STATE with a trailing "%" in entity value.
          #3206497: Uninitialized memory returned from XML_Parse.
          #3287849: make check fails on mingw-w64.
        - Patches:
          #1749198: pkg-config support.
          #3010222: Fix for bug #3010819.
          #3312568: CMake support.
          #3446384: Report byte offsets for attr names and values.
        - New Features / API changes:
          Added new API member XML_SetHashSalt() that allows setting an initial
                value (salt) for hash calculations. This is part of the fix for
                bug #3496608 to randomize hash parameters.
          When compiled with XML_ATTR_INFO defined, adds new API member
                XML_GetAttributeInfo() that allows retrieving the byte
                offsets for attribute names and values (patch #3446384).
          Added CMake build system.
                See bug #2990652 and patch #3312568.
          Added run-benchmark target to Makefile.in - relies on testdata module
                present in the same relative location as in the repository.

Release 2.0.1 Tue June 5 2007
        - Fixed bugs #1515266, #1515600: The character data handler's calling
          of XML_StopParser() was not handled properly; if the parser was
          stopped and the handler set to NULL, the parser would segfault.
        - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed
          some character constants to be ASCII encoded.
        - Minor cleanups of the test harness.
        - Fixed xmlwf bug #1513566: "out of memory" error on file size zero.
        - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call.
        - Fixes and improvements for Windows platform:
          bugs #1409451, #1476160, #1548182, #1602769, #1717322.
        - Build fixes for various platforms:
          HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180.
          All Unix: #1554618 (refreshed config.sub/config.guess).
          #1490371, #1613457: support both, DESTDIR and INSTALL_ROOT,
          without relying on GNU-Make specific features.
          #1647805: Patched configure.in to work better with Intel compiler.
        - Fixes to Makefile.in to have make check work correctly:
          bugs #1408143, #1535603, #1536684.
        - Added Open Watcom support: patch #1523242.

Release 2.0.0 Wed Jan 11 2006
        - We no longer use the "check" library for C unit testing; we
          always use the (partial) internal implementation of the API.
        - Report XML_NS setting via XML_GetFeatureList().
        - Fixed headers for use from C++.
        - XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber()
          now return unsigned integers.
        - Added XML_LARGE_SIZE switch to enable 64-bit integers for
          byte indexes and line/column numbers.
        - Updated to use libtool 1.5.22 (the most recent).
        - Added support for AmigaOS.
        - Some mostly minor bug fixes. SF issues include: #1006708,
          #1021776, #1023646, #1114960, #1156398, #1221160, #1271642.

Release 1.95.8 Fri Jul 23 2004
        - Major new feature: suspend/resume.  Handlers can now request
          that a parse be suspended for later resumption or aborted
          altogether.  See "Temporarily Stopping Parsing" in the
          documentation for more details.
        - Some mostly minor bug fixes, but compilation should no
          longer generate warnings on most platforms.  SF issues
          include: #827319, #840173, #846309, #888329, #896188, #923913,
          #928113, #961698, #985192.

Release 1.95.7 Mon Oct 20 2003
        - Fixed enum XML_Status issue (reported on SourceForge many
          times), so compilers that are properly picky will be happy.
        - Introduced an XMLCALL macro to control the calling
          convention used by the Expat API; this macro should be used
          to annotate prototypes and definitions of callback
          implementations in code compiled with a calling convention
          other than the default convention for the host platform.
        - Improved ability to build without the configure-generated
          expat_config.h header.  This is useful for applications
          which embed Expat rather than linking in the library.
        - Fixed a variety of bugs: see SF issues #458907, #609603,
          #676844, #679754, #692878, #692964, #695401, #699323, #699487,
          #820946.
        - Improved hash table lookups.
        - Added more regression tests and improved documentation.

Release 1.95.6 Tue Jan 28 2003
        - Added XML_FreeContentModel().
        - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree().
        - Fixed a variety of bugs: see SF issues #615606, #616863,
          #618199, #653180, #673791.
        - Enhanced the regression test suite.
        - Man page improvements: includes SF issue #632146.

Release 1.95.5 Fri Sep 6 2002
        - Added XML_UseForeignDTD() for improved SAX2 support.
        - Added XML_GetFeatureList().
        - Defined XML_Bool type and the values XML_TRUE and XML_FALSE.
        - Use an incomplete struct instead of a void* for the parser
          (may not retain).
        - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected.
        - Finally fixed bug where default handler would report DTD
          events that were already handled by another handler.
          Initial patch contributed by Darryl Miles.
        - Removed unnecessary DllMain() function that caused static
          linking into a DLL to be difficult.
        - Added VC++ projects for building static libraries.
        - Reduced line-length for all source code and headers to be
          no longer than 80 characters, to help with AS/400 support.
        - Reduced memory copying during parsing (SF patch #600964).
        - Fixed a variety of bugs: see SF issues #580793, #434664,
          #483514, #580503, #581069, #584041, #584183, #584832, #585537,
          #596555, #596678, #598352, #598944, #599715, #600479, #600971.

Release 1.95.4 Fri Jul 12 2002
        - Added support for VMS, contributed by Craig Berry.  See
          vms/README.vms for more information.
        - Added Mac OS (classic) support, with a makefile for MPW,
          contributed by Thomas Wegner and Daryle Walker.
        - Added Borland C++ Builder 5 / BCC 5.5 support, contributed
          by Patrick McConnell (SF patch #538032).
        - Fixed a variety of bugs: see SF issues #441449, #563184,
          #564342, #566334, #566901, #569461, #570263, #575168, #579196.
        - Made skippedEntityHandler conform to SAX2 (see source comment)
        - Re-implemented WFC: Entity Declared from XML 1.0 spec and
          added a new error "entity declared in parameter entity":
          see SF bug report #569461 and SF patch #578161
        - Re-implemented section 5.1 from XML 1.0 spec:
          see SF bug report #570263 and SF patch #578161

Release 1.95.3 Mon Jun 3 2002
        - Added a project to the MSVC workspace to create a wchar_t
          version of the library; the DLLs are named libexpatw.dll.
        - Changed the name of the Windows DLLs from expat.dll to
          libexpat.dll; this fixes SF bug #432456.
        - Added the XML_ParserReset() API function.
        - Fixed XML_SetReturnNSTriplet() to work for element names.
        - Made the XML_UNICODE builds usable (thanks, Karl!).
        - Allow xmlwf to read from standard input.
        - Install a man page for xmlwf on Unix systems.
        - Fixed many bugs; see SF bug reports #231864, #461380, #464837,
          #466885, #469226, #477667, #484419, #487840, #494749, #496505,
          #547350.  Other bugs which we can't test as easily may also
          have been fixed, especially in the area of build support.

Release 1.95.2 Fri Jul 27 2001
        - More changes to make MSVC happy with the build; add a single
          workspace to support both the library and xmlwf application.
        - Added a Windows installer for Windows users; includes
          xmlwf.exe.
        - Added compile-time constants that can be used to determine the
          Expat version
        - Removed a lot of GNU-specific dependencies to aid portability
          among the various Unix flavors.
        - Fix the UTF-8 BOM bug.
        - Cleaned up warning messages for several compilers.
        - Added the -Wall, -Wstrict-prototypes options for GCC.

Release 1.95.1 Sun Oct 22 15:11:36 EDT 2000
        - Changes to get expat to build under Microsoft compiler
        - Removed all aborts and instead return an UNEXPECTED_STATE error.
        - Fixed a bug where a stray '%' in an entity value would cause an
          abort.
        - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for
          finding this oversight.
        - Changed default patterns in lib/Makefile.in to fit non-GNU makes
          Thanks to robin@unrated.net for reporting and providing an
          account to test on.
        - The reference had the wrong label for XML_SetStartNamespaceDecl.
          Reported by an anonymous user.

Release 1.95.0 Fri Sep 29 2000
        - XML_ParserCreate_MM
                Allows you to set a memory management suite to replace the
                standard malloc, realloc, and free.
        - XML_SetReturnNSTriplet
                If you turn this feature on when namespace processing is in
                effect, then qualified, prefixed element and attribute names
                are returned as "uri|name|prefix" where '|' is whatever
                separator character is used in namespace processing.
        - Merged in features from perl-expat
                o XML_SetElementDeclHandler
                o XML_SetAttlistDeclHandler
                o XML_SetXmlDeclHandler
                o XML_SetEntityDeclHandler
                o StartDoctypeDeclHandler takes 3 additional parameters:
                        sysid, pubid, has_internal_subset
                o Many paired handler setters (like XML_SetElementHandler)
                  now have corresponding individual handler setters
                o XML_GetInputContext for getting the input context of
                  the current parse position.
        - Added reference material
        - Packaged into a distribution that builds a sharable library