Expat XML parser

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! Expat is UNDERSTAFFED and WITHOUT FUNDING.                                !!
!!          ~~~~~~~~~~~~                                                     !!
!! The following topics need *additional skilled C developers* to progress   !!
!! in a timely manner or at all (loosely ordered by descending priority):    !!
!!                                                                           !!
!! - fixing a complex non-public security issue,                             !!
!! - teaming up on researching and fixing future security reports and        !!
!!   ClusterFuzz findings with few-days-max response times in communication  !!
!!   in order to (1) have a sound fix ready before the end of a 90 days      !!
!!   grace period and (2) in a sustainable manner,                           !!
!! - implementing and auto-testing XML 1.0r5 support                         !!
!!   (needs discussion before pull requests),                                !!
!! - smart ideas on fixing the Autotools CMake files generation issue        !!
!!   without breaking CI (needs discussion before pull requests),            !!
!! - the Windows binaries topic (needs requirements engineering first),      !!
!! - pushing migration from `int` to `size_t` further                        !!
!!   including edge-cases test coverage (needs discussion before anything).  !!
!!                                                                           !!
!! For details, please reach out via e-mail to sebastian@pipping.org so we   !!
!! can schedule a voice call on the topic, in English or German.             !!
!!                                                                           !!
!! THANK YOU!                        Sebastian Pipping -- Berlin, 2024-03-09 !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Release 2.6.4 Wed November 6 2024
        Security fixes:
            #915  CVE-2024-50602 -- Fix crash within function XML_ResumeParser
                    from a NULL pointer dereference by disallowing function
                    XML_StopParser to (stop or) suspend an unstarted parser.
                    A new error code XML_ERROR_NOT_STARTED was introduced to
                    properly communicate this situation.  // CWE-476 CWE-754

        Other changes:
            #903  CMake: Add alias target "expat::expat"
            #905  docs: Document use via CMake >=3.18 with FetchContent
                    and SOURCE_SUBDIR and its consequences
            #902  tests: Reduce use of global parser instance
            #904  tests: Resolve duplicate handler
            #317 #918  tests: Improve tests on doctype closing (ex CVE-2019-15903)
            #914  Fix signedness of format strings
            #919 #920  Version info bumped from 10:3:9 (libexpat*.so.1.9.3)
                    to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/
                    for what these numbers do

        Infrastructure:
            #907  CI: Upgrade Clang from 18 to 19
            #913  CI: Drop macos-12 and add macos-15
            #910  CI: Adapt to breaking changes in GitHub Actions
            #898  Add missing entries to .gitignore

        Special thanks to:
            Hanno Böck
            José Eduardo Gutiérrez Conejo
            José Ricardo Cardona Quesada

Release 2.6.3 Wed September 4 2024
        Security fixes:
            #887 #890  CVE-2024-45490 -- Calling function XML_ParseBuffer with
                    len < 0 without noticing and then calling XML_GetBuffer
                    will have XML_ParseBuffer fail to recognize the problem
                    and XML_GetBuffer corrupt memory.
                    With the fix, XML_ParseBuffer now complains with error
                    XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse
                    has been doing since Expat 2.2.1, and now documented.
                    Impact is denial of service to potentially arbitrary code
                    execution.
            #888 #891  CVE-2024-45491 -- Internal function dtdCopy can have an
                    integer overflow for nDefaultAtts on 32-bit platforms
                    (where UINT_MAX equals SIZE_MAX).
                    Impact is denial of service to potentially arbitrary code
                    execution.
            #889 #892  CVE-2024-45492 -- Internal function nextScaffoldPart can
                    have an integer overflow for m_groupSize on 32-bit
                    platforms (where UINT_MAX equals SIZE_MAX).
                    Impact is denial of service to potentially arbitrary code
                    execution.

        Other changes:
            #851 #879  Autotools: Sync CMake templates with CMake 3.28
            #853  Autotools: Always provide path to find(1) for portability
            #861  Autotools: Ensure that the m4 directory always exists.
            #870  Autotools: Simplify handling of SIZEOF_VOID_P
            #869  Autotools: Support non-GNU sed
            #856  Autotools|CMake: Fix main() to main(void)
            #865  Autotools|CMake: Fix compile tests for HAVE_SYSCALL_GETRANDOM
            #863  Autotools|CMake: Stop requiring dos2unix
            #854 #855  CMake: Fix check for symbols size_t and off_t
            #864  docs|tests: Convert README to Markdown and update
            #741  Windows: Drop support for Visual Studio <=15.0/2017
            #886  Drop needless XML_DTD guards around is_param access
            #885  Fix typo in a code comment
            #894 #896  Version info bumped from 10:2:9 (libexpat*.so.1.9.2)
                    to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/
                    for what these numbers do

        Infrastructure:
            #880  Readme: Promote the call for help
            #868  CI: Fix various issues
            #849  CI: Allow triggering GitHub Actions workflows manually
            #851 #872 ..
            #873 #879  CI: Adapt to breaking changes in GitHub Actions

        Special thanks to:
            Alexander Bluhm
            Berkay Eren Ürün
            Dag-Erling Smørgrav
            Ferenc Géczi
            TaiYou

Release 2.6.2 Wed March 13 2024
        Security fixes:
            #839 #842  CVE-2024-28757 -- Prevent billion laughs attacks with
                    isolated use of external parsers.  Please see the commit
                    message of commit 1d50b80cf31de87750103656f6eb693746854aa8
                    for details.

        Bug fixes:
            #839 #841  Reject direct parameter entity recursion
                    and avoid the related undefined behavior

        Other changes:
            #847  Autotools: Fix build for DOCBOOK_TO_MAN containing spaces
            #837  Add missing #821 and #824 to 2.6.1 change log
            #838 #843  Version info bumped from 10:1:9 (libexpat*.so.1.9.1)
                    to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/
                    for what these numbers do

        Special thanks to:
            Philippe Antoine
            Tomas Korbar
                 and
            Clang UndefinedBehaviorSanitizer
            OSS-Fuzz / ClusterFuzz

Release 2.6.1 Thu February 29 2024
        Bug fixes:
            #817  Make tests independent of CPU speed, and thus more robust
            #828 #836  Expose billion laughs API with XML_DTD defined and
                    XML_GE undefined, regression from 2.6.0

        Other changes:
            #829  Hide test-only code behind new internal macro
            #833  Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P
            #821 #824  Autotools: Fix "make clean" for case:
                    ./configure --without-docbook && make clean all
            #819  Address compiler warnings
            #832 #834  Version info bumped from 10:0:9 (libexpat*.so.1.9.0)
                    to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/
                    for what these numbers do

        Infrastructure:
            #818  CI: Adapt to breaking changes in clang-format

        Special thanks to:
            David Hall
            Snild Dolkow

Release 2.6.0 Tue February 6 2024
        Security fixes:
            #789 #814  CVE-2023-52425 -- Fix quadratic runtime issues with big tokens
                    that can cause denial of service, in particular when
                    dealing with compressed XML input.  Applications
                    that parsed a document in one go -- a single call to
                    functions XML_Parse or XML_ParseBuffer -- were not affected.
                    The smaller the chunks/buffers you use for parsing
                    previously, the bigger the problem prior to the fix.
                    Backporters should be careful to not omit parts of
                    pull request #789 and to include earlier pull request #771,
                    in order to not break the fix.
            #777  CVE-2023-52426 -- Fix billion laughs attacks for users
                    compiling *without* XML_DTD defined (which is not common).
                    Users with XML_DTD defined have been protected since
                    Expat >=2.4.0 (and that was CVE-2013-0340 back then).

        Bug fixes:
            #753  Fix parse-size-dependent "invalid token" error for
                    external entities that start with a byte order mark
            #780  Fix NULL pointer dereference in setContext via
                    XML_ExternalEntityParserCreate for compilation with
                    XML_DTD undefined
            #812 #813  Protect against closing entities out of order

        Other changes:
            #723  Improve support for arc4random/arc4random_buf
            #771 #788  Improve buffer growth in XML_GetBuffer and XML_Parse
            #761 #770  xmlwf: Support --help and --version
            #759 #770  xmlwf: Support custom buffer size for XML_GetBuffer and read
            #744  xmlwf: Improve language and URL clickability in help output
            #673  examples: Add new example "element_declarations.c"
            #764  Be stricter about macro XML_CONTEXT_BYTES at build time
            #765  Make inclusion to expat_config.h consistent
            #726 #727  Autotools: configure.ac: Support --disable-maintainer-mode
            #678 #705 ..
            #706 #733 #792  Autotools: Sync CMake templates with CMake 3.26
            #795  Autotools: Make installation of shipped man page doc/xmlwf.1
                    independent of docbook2man availability
            #815  Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
                    section "Cflags.private" in order to fix compilation
                    against static libexpat using pkg-config on Windows
            #724 #751  Autotools|CMake: Require a C99 compiler
                    (a de-facto requirement already since Expat 2.2.2 of 2017)
            #793  Autotools|CMake: Fix PACKAGE_BUGREPORT variable
            #750 #786  Autotools|CMake: Make test suite require a C++11 compiler
            #749  CMake: Require CMake >=3.5.0
            #672  CMake: Lowercase off_t and size_t to help a bug in Meson
            #746  CMake: Sort xmlwf sources alphabetically
            #785  CMake|Windows: Fix generation of DLL file version info
            #790  CMake: Build tests/benchmark/benchmark.c as well for
                    a build with -DEXPAT_BUILD_TESTS=ON
            #745 #757  docs: Document the importance of isFinal + adjust tests
                    accordingly
            #736  docs: Improve use of "NULL" and "null"
            #713  docs: Be specific about version of XML (XML 1.0r4)
                    and version of C (C99); (XML 1.0r5 will need a sponsor.)
            #762  docs: reference.html: Promote function XML_ParseBuffer more
            #779  docs: reference.html: Add HTML anchors to XML_* macros
            #760  docs: reference.html: Upgrade to OK.css 1.2.0
            #763 #739  docs: Fix typos
            #696  docs|CI: Use HTTPS URLs instead of HTTP at various places
            #669 #670 ..
            #692 #703 ..
            #733 #772  Address compiler warnings
            #798 #800  Address clang-tidy warnings
            #775 #776  Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
                    to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
                    for what these numbers do

        Infrastructure:
            #700 #701  docs: Document security policy in file SECURITY.md
            #766  docs: Improve parse buffer variables in-code documentation
            #674 #738 ..
            #740 #747 ..
            #748 #781 #782  Refactor coverage and conformance tests
            #714 #716  Refactor debug level variables to unsigned long
            #671  Improve handling of empty environment variable value
                    in function getDebugLevel (without visible user effect)
            #755 #774 ..
            #758 #783 ..
            #784 #787  tests: Improve test coverage with regard to parse chunk size
            #660 #797 #801  Fuzzing: Improve fuzzing coverage
            #367 #799  Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests
            #698 #721  CI: Resolve some Travis CI leftovers
            #669  CI: Be robust towards absence of Git tags
            #693 #694  CI: Set permissions to "contents: read" for security
            #709  CI: Pin all GitHub Actions to specific commits for security
            #739  CI: Reject spelling errors using codespell
            #798  CI: Enforce clang-tidy clean code
            #773 #808 ..
            #809 #810  CI: Upgrade Clang from 15 to 18
            #796  CI: Start using Clang's Control Flow Integrity sanitizer
            #675 #720 #722  CI: Adapt to breaking changes in GitHub Actions Ubuntu images
            #689  CI: Adapt to breaking changes in Clang/LLVM Debian packaging
            #763  CI: Adapt to breaking changes in codespell
            #803  CI: Adapt to breaking changes in Cppcheck

        Special thanks to:
            Ivan Galkin
            Joyce Brum
            Philippe Antoine
            Rhodri James
            Snild Dolkow
            spookyahell
            Steven Garske
                 and
            Clang AddressSanitizer
            Clang UndefinedBehaviorSanitizer
            codespell
            GCC Farm Project
            OSS-Fuzz
            Sony Mobile

Release 2.5.0 Tue October 25 2022
        Security fixes:
            #616 #649 #650  CVE-2022-43680 -- Fix heap use-after-free after overeager
                    destruction of a shared DTD in function
                    XML_ExternalEntityParserCreate in out-of-memory situations.
                    Expected impact is denial of service or potentially
                    arbitrary code execution.

        Bug fixes:
            #612 #645  Fix corruption from undefined entities
            #613 #654  Fix case when parsing was suspended while processing nested
                    entities
            #616 #652 #653  Stop leaking opening tag bindings after a closing tag
                    mismatch error where a parser is reset through
                    XML_ParserReset and then reused to parse
            #656  CMake: Fix generation of pkg-config file
            #658  MinGW|CMake: Fix static library name

        Other changes:
            #663  Protect header expat_config.h from multiple inclusion
            #666  examples: Make use of XML_GetBuffer and be more
                    consistent across examples
            #648  Address compiler warnings
            #667 #668  Version info bumped from 9:9:8 to 9:10:8;
                    see https://verbump.de/ for what these numbers do

        Special thanks to:
            Jann Horn
            Mark Brand
            Osyotr
            Rhodri James
                 and
            Google Project Zero

Release 2.4.9 Tue September 20 2022
        Security fixes:
            #629 #640  CVE-2022-40674 -- Heap use-after-free vulnerability in
                    function doContent. Expected impact is denial of service
                    or potentially arbitrary code execution.

        Bug fixes:
            #634  MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0
            #614  docs: Fix documentation on effect of switch XML_DTD on
                    symbol visibility in doc/reference.html

        Other changes:
            #638  MinGW: Make fix-xmltest-log.sh drop more Wine bug output
            #596 #625  Autotools: Sync CMake templates with CMake 3.22
            #608  CMake: Migrate from use of CMAKE_*_POSTFIX to
                    dedicated variables EXPAT_*_POSTFIX to stop affecting
                    other projects
            #597 #599  Windows|CMake: Add missing -DXML_STATIC to test runners
                    and fuzzers
            #512 #621  Windows|CMake: Render .def file from a template to fix
                    linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
            #611 #621  MinGW|CMake: Apply MSVC .def file when linking
            #622 #624  MinGW|CMake: Sync library name with GNU Autotools,
                    i.e. produce libexpat-1.dll rather than libexpat.dll
                    by default.  Filename libexpat.dll.a is unaffected.
            #632  MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in
                    toolchain file "cmake/mingw-toolchain.cmake" to avoid
                    error "windres: Command not found" on e.g. Ubuntu 20.04
            #597 #627  CMake: Unify inconsistent use of set() and option() in
                    context of public build time options to take need for
                    set(.. FORCE) in projects using Expat by means of
                    add_subdirectory(..)
                    off Expat's users' shoulders
            #626 #641  Stop exporting API symbols when building a static library
            #644  Resolve use of deprecated "fgrep" by "grep -F"
            #620  CMake: Make documentation on variables a bit more consistent
            #636  CMake: Drop leading whitespace from a #cmakedefine line in
                    file expat_config.h.cmake
            #594  xmlwf: Fix harmless variable mix-up in function nsattcmp
            #592 #593 #610  Address Cppcheck warnings
            #643  Address Clang 15 compiler warnings
            #642 #644  Version info bumped from 9:8:8 to 9:9:8;
                    see https://verbump.de/ for what these numbers do

        Infrastructure:
            #597 #598  CI: Windows: Start covering MSVC 2022
            #619  CI: macOS: Migrate off deprecated macOS 10.15
            #632  CI: Linux: Make migration off deprecated Ubuntu 18.04 work
            #643  CI: Upgrade Clang from 14 to 15
            #637  apply-clang-format.sh: Add support for BSD find
            #633  coverage.sh: Exclude MinGW headers
            #635  coverage.sh: Fix name collision for -funsigned-char

        Special thanks to:
            David Faure
            Felix Wilhelm
            Frank Bergmann
            Rhodri James
            Rosen Penev
            Thijs Schreijer
            Vincent Torri
                 and
            Google Project Zero

Release 2.4.8 Mon March 28 2022
        Other changes:
            #587  pkg-config: Move "-lm" to section "Libs.private"
            #587  CMake|MSVC: Fix pkg-config section "Libs"
            #55 #582  CMake|macOS: Start using linker arguments
                    "-compatibility_version " and
                    "-current_version " in a way compatible with
                    GNU Libtool
            #590 #591  Version info bumped from 9:7:8 to 9:8:8;
                    see https://verbump.de/ for what these numbers do

        Infrastructure:
            #589  CI: Upgrade Clang from 13 to 14

        Special thanks to:
            evpobr
            Kai Pastor
            Sam James

Release 2.4.7 Fri March 4 2022
        Bug fixes:
            #572 #577  Relax fix to CVE-2022-25236 (introduced with release 2.4.5)
                    with regard to all valid URI characters (RFC 3986),
                    i.e. the following set (excluding whitespace):
                      ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz
                      0123456789 % -._~ :/?#[]@ !$&'()*+,;=

        Other changes:
            #555 #570 #581  CMake|Windows: Store Expat version in the DLL
            #577  Document consequences of namespace separator choices not just
                    in doc/reference.html but also in header
            #577  Document Expat's lack of validation of namespace URIs against
                    RFC 3986, and that the XML 1.0r4 specification doesn't
                    require Expat to validate namespace URIs, and that Expat
                    may do more in that regard in future releases.
                    If you find need for strict RFC 3986 URI validation on
                    application level today, https://uriparser.github.io/ may
                    be of interest.
            #579  Fix documentation of XML_EndDoctypeDeclHandler in
            #575  Document that a call to XML_FreeContentModel can be done at
                    a later time from outside the element declaration handler
            #574  Make hardcoded namespace URIs easier to find in code
            #573  Update documentation on use of XML_POOR_ENTROPY on Solaris
            #569 #571  tests: Resolve use of macros NAN and INFINITY for GNU G++
                    4.8.2 on Solaris.
            #578 #580  Version info bumped from 9:6:8 to 9:7:8;
                    see https://verbump.de/ for what these numbers do

        Special thanks to:
            Jeffrey Walton
            Johnny Jazeix
            Thijs Schreijer

Release 2.4.6 Sun February 20 2022
        Bug fixes:
            #566  Fix a regression introduced by the fix for CVE-2022-25313
                    in release 2.4.5 that affects applications that (1)
                    call function XML_SetElementDeclHandler and (2) are
                    parsing XML that contains nested element declarations
                    (e.g. "").

        Other changes:
            #567 #568  Version info bumped from 9:5:8 to 9:6:8;
                    see https://verbump.de/ for what these numbers do

        Special thanks to:
            Matt Sergeant
            Samanta Navarro
            Sergei Trofimovich
                 and
            NixOS
            Perl XML::Parser

Release 2.4.5 Fri February 18 2022
        Security fixes:
            #562  CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
                    sequences (e.g. from start tag names) to the XML
                    processing application on top of Expat can cause
                    arbitrary damage (e.g. code execution) depending
                    on how invalid UTF-8 is handled inside the XML
                    processor; validation was not their job but Expat's.
                    Exploits with code execution are known to exist.
            #561  CVE-2022-25236 -- Passing (one or more) namespace separator
                    characters in "xmlns[:prefix]" attribute values
                    made Expat send malformed tag names to the XML
                    processor on top of Expat which can cause
                    arbitrary damage (e.g. code execution) depending
                    on how such unexpectable cases are handled inside the XML
                    processor; validation was not their job but Expat's.
                    Exploits with code execution are known to exist.
            #558  CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
                    that could be triggered by e.g. a 2 megabytes
                    file with a large number of opening braces.
                    Expected impact is denial of service or potentially
                    arbitrary code execution.
            #560  CVE-2022-25314 -- Fix integer overflow in function copyString;
                    only affects the encoding name parameter at parser creation
                    time which is often hardcoded (rather than user input),
                    takes a value in the gigabytes to trigger, and a 64-bit
                    machine.  Expected impact is denial of service.
            #559  CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
                    needs input in the gigabytes and a 64-bit machine.
                    Expected impact is denial of service or potentially
                    arbitrary code execution.

        Other changes:
            #557 #564  Version info bumped from 9:4:8 to 9:5:8;
                    see https://verbump.de/ for what these numbers do

        Special thanks to:
            Ivan Fratric
            Samanta Navarro
                 and
            Google Project Zero
            JetBrains

Release 2.4.4 Sun January 30 2022
        Security fixes:
            #550  CVE-2022-23852 -- Fix signed integer overflow
                    (undefined behavior) in function XML_GetBuffer
                    (that is also called by function XML_Parse internally)
                    for when XML_CONTEXT_BYTES is defined to >0 (which is both
                    common and default).
                    Impact is denial of service or more.
            #551  CVE-2022-23990 -- Fix unsigned integer overflow in function
                    doProlog triggered by large content in element type
                    declarations when there is an element declaration handler
                    present (from a prior call to XML_SetElementDeclHandler).
                    Impact is denial of service or more.

        Bug fixes:
            #544 #545  xmlwf: Fix a memory leak on output file opening error

        Other changes:
            #546  Autotools: Fix broken CMake support under Cygwin
            #554  Windows: Add missing files to the installer to fix
                    compilation with CMake from installed sources
            #552 #554  Version info bumped from 9:3:8 to 9:4:8;
                    see https://verbump.de/ for what these numbers do

        Special thanks to:
            Carlo Bramini
            hwt0415
            Roland Illig
            Samanta Navarro
                 and
            Clang LeakSan and the Clang team

Release 2.4.3 Sun January 16 2022
        Security fixes:
            #531 #534  CVE-2021-45960 -- Fix issues with left shifts by >=29 places
                    resulting in
                      a) realloc acting as free
                      b) realloc allocating too few bytes
                      c) undefined behavior
                    depending on architecture and precise value
                    for XML documents with >=2^27+1 prefixed attributes
                    on a single XML tag a la
                    ""
                    where XML_ParserCreateNS is used to create the parser
                    (which needs argument "-n" when running xmlwf).
                    Impact is denial of service, or more.
            #532 #538  CVE-2021-46143 (ZDI-CAN-16157) -- Fix integer overflow
                    on variable m_groupSize in function doProlog leading
                    to realloc acting as free.
                    Impact is denial of service or more.
            #539  CVE-2022-22822 to CVE-2022-22827 -- Prevent integer overflows
                    near memory allocation at multiple places.
                    Mitre assigned a dedicated CVE for each involved
                    internal C function:
                    - CVE-2022-22822 for function addBinding
                    - CVE-2022-22823 for function build_model
                    - CVE-2022-22824 for function defineAttribute
                    - CVE-2022-22825 for function lookup
                    - CVE-2022-22826 for function nextScaffoldPart
                    - CVE-2022-22827 for function storeAtts
                    Impact is denial of service or more.

        Other changes:
            #535  CMake: Make call to file(GENERATE [..]) work for CMake <3.19
            #541  Autotools|CMake: MinGW: Make run.sh(.in) work for Cygwin
                    and MSYS2 by not going through Wine on these platforms
            #527 #528  Address compiler warnings
            #533 #543  Version info bumped from 9:2:8 to 9:3:8;
                    see https://verbump.de/ for what these numbers do

        Infrastructure:
            #536  CI: Check for realistic minimum CMake version
            #529 #539  CI: Cover compilation with -m32
            #529  CI: Store coverage reports as artifacts for download
            #528  CI: Upgrade Clang from 11 to 13

        Special thanks to:
            An anonymous whitehat
            Christopher Degawa
            J. Peter Mugaas
            Tyson Smith
                 and
            GCC Farm Project
            Trend Micro Zero Day Initiative

Release 2.4.2 Sun December 19 2021
        Other changes:
            #509 #510  Link against libm for function "isnan"
            #513 #514  Include expat_config.h as early as possible
            #498  Autotools: Include files with release archives:
                    - buildconf.sh
                    - fuzz/*.c
            #507 #519  Autotools: Sync CMake templates with CMake 3.20
            #495 #524  CMake: MinGW: Fix pkg-config section "Libs" for
                    - non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug)
                    - multi-config CMake generators (e.g.
                      Ninja Multi-Config)
            #502 #503  docs: Document that function XML_GetBuffer may return NULL
                    when asking for a buffer of 0 (zero) bytes size
            #522 #523  docs: Fix return value docs for both
                    XML_SetBillionLaughsAttackProtection* functions
            #525 #526  Version info bumped from 9:1:8 to 9:2:8;
                    see https://verbump.de/ for what these numbers do

        Special thanks to:
            Donghee Na
            Joergen Ibsen
            Kai Pastor

Release 2.4.1 Sun May 23 2021
        Bug fixes:
            #488 #490  Autotools: Fix installed header expat_config.h for multilib
                    systems; regression introduced in 2.4.0 by pull request #486

        Other changes:
            #491 #492  Version info bumped from 9:0:8 to 9:1:8;
                    see https://verbump.de/ for what these numbers do

        Special thanks to:
            Gentoo's QA check "multilib_check_headers"

Release 2.4.0 Sun May 23 2021
        Security fixes:
            #34 #466 #484  CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
                    (denial-of-service; flavors targeting CPU time or RAM or both,
                    leveraging general entities or parameter entities or both)
                    by tracking and limiting the input amplification factor
                    ( := ( + ) / ).
                    By conservative default, amplification up to a factor of 100.0
                    is tolerated and rejection only starts after 8 MiB of output bytes
                    (= + ) have been processed.
                    The fix adds the following to the API:
                    - A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
                      signal this specific condition.
                    - Two new API functions ..
                      - XML_SetBillionLaughsAttackProtectionMaximumAmplification and
                      - XML_SetBillionLaughsAttackProtectionActivationThreshold
                      ..
                      to further tighten billion laughs protection parameters
                      when desired.  Please see file "doc/reference.html" for details.
                      If you ever need to increase the defaults for non-attack XML
                      payload, please file a bug report with libexpat.
                    - Two new XML_FEATURE_* constants ..
                      - that can be queried using the XML_GetFeatureList function, and
                      - that are shown in "xmlwf -v" output.
                    - Two new environment variable switches ..
                      - EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
                      - EXPAT_ENTITY_DEBUG=(0|1)
                      .. for runtime debugging of accounting and entity processing.
                      Specific behavior of these values may change in the future.
                    - Two new command line arguments "-a FACTOR" and "-b BYTES"
                      for xmlwf to further tighten billion laughs protection
                      parameters when desired.
                      If you ever need to increase the defaults for non-attack XML
                      payload, please file a bug report with libexpat.

        Bug fixes:
            #332 #470  For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake)
                    or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault
                    for UTF-16 payloads containing CDATA sections.
            #485 #486  Autotools: Fix generated CMake files for non-64bit and
                    non-Linux platforms (e.g.
                    macOS and MinGW in particular)
                    that were introduced with release 2.3.0

        Other changes:
            #468 #469  xmlwf: Improve help output and the xmlwf man page
            #463  xmlwf: Improve maintainability through some refactoring
            #477  xmlwf: Fix man page DocBook validity
            #456  Autotools: Sync CMake templates with CMake 3.18
            #458 #459  CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR
                    and CMAKE_INSTALL_INCLUDEDIR
            #471 #481  CMake: Add support for standard variable BUILD_SHARED_LIBS
            #457  Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters
            #467  Resolve macro HAVE_EXPAT_CONFIG_H
            #472  Delete unused legacy helper file "conftools/PrintPath"
            #473 #483  Improve attribution
            #464 #465 #477  doc/reference.html: Fix XHTML validity
            #475 #478  doc/reference.html: Replace the 90s look by OK.css
            #479  Version info bumped from 8:0:7 to 9:0:8
                    due to addition of new symbols and error codes;
                    see https://verbump.de/ for what these numbers do

        Infrastructure:
            #456  CI: Enable periodic runs
            #457  CI: Start covering the list of exported symbols
            #474  CI: Isolate coverage task
            #476 #482  CI: Adapt to breaking changes in image "ubuntu-18.04"
            #477  CI: Cover well-formedness and DocBook/XHTML validity
                    of doc/reference.html and doc/xmlwf.xml

        Special thanks to:
            Dimitry Andric
            Eero Helenius
            Nick Wellnhofer
            Rhodri James
            Tomas Korbar
            Yury Gribov
                 and
            Clang LeakSan
            JetBrains
            OSS-Fuzz

Release 2.3.0 Thu March 25 2021
        Bug fixes:
            #438  When calling XML_ParseBuffer without a prior successful call to
                    XML_GetBuffer as a user, no longer trigger
undefined behavior jpayne@68: (by adding an integer to a NULL pointer) but rather return jpayne@68: XML_STATUS_ERROR and set the error code to (new) code jpayne@68: XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer) jpayne@68: of Clang 11 (but not Clang 9). jpayne@68: #444 xmlwf: Exit status 2 was used for both: jpayne@68: - malformed input files (documented) and jpayne@68: - invalid command-line arguments (undocumented). jpayne@68: The case of invalid command-line arguments now jpayne@68: has its own exit status 4, resolving the ambiguity. jpayne@68: jpayne@68: Other changes: jpayne@68: #439 xmlwf: Add argument -k to allow continuing after jpayne@68: non-fatal errors jpayne@68: #439 xmlwf: Add section about exit status to the -h help output jpayne@68: #422 #426 #447 Windows: Drop support for Visual Studio <=14.0/2015 jpayne@68: #434 Windows: CMake: Detect unsupported Visual Studio at jpayne@68: configure time (rather than at compile time) jpayne@68: #382 #428 testrunner: Make verbose mode (argument "-v") report jpayne@68: about passed tests, and make default mode report about jpayne@68: failures, as well. jpayne@68: #442 CMake: Call "enable_language(CXX)" prior to tinkering jpayne@68: with CMAKE_CXX_* variables jpayne@68: #448 Document use of libexpat from a CMake-based project jpayne@68: #451 Autotools: Install CMake files as generated by CMake 3.19.6 jpayne@68: so that users with "find_package(expat [..] 
CONFIG [..])" jpayne@68: are served on distributions that are *not* using the CMake jpayne@68: build system inside for libexpat packaging jpayne@68: #436 #437 Autotools: Drop obsolescent macro AC_HEADER_STDC jpayne@68: #450 #452 Autotools: Resolve use of obsolete macro AC_CONFIG_HEADER jpayne@68: #441 Address compiler warnings jpayne@68: #443 Version info bumped from 7:12:6 to 8:0:7 jpayne@68: due to addition of error code XML_ERROR_NO_BUFFER jpayne@68: (see https://verbump.de/ for what these numbers do) jpayne@68: jpayne@68: Infrastructure: jpayne@68: #435 #446 Replace Travis CI by GitHub Actions jpayne@68: jpayne@68: Special thanks to: jpayne@68: Alexander Richardson jpayne@68: Oleksandr Popovych jpayne@68: Thomas Beutlich jpayne@68: Tim Bray jpayne@68: and jpayne@68: Clang LeakSan, Clang 11 UBSan and the Clang team jpayne@68: jpayne@68: Release 2.2.10 Sat October 3 2020 jpayne@68: Bug fixes: jpayne@68: #390 #395 #398 Fix undefined behavior during parsing caused by jpayne@68: pointer arithmetic with NULL pointers jpayne@68: #404 #405 Fix reading uninitialized variable during parsing jpayne@68: #406 xmlwf: Add missing check for malloc NULL return jpayne@68: jpayne@68: Other changes: jpayne@68: #396 Windows: Drop support for Visual Studio <=8.0/2005 jpayne@68: #409 Windows: Add missing file "Changes" to the installer jpayne@68: to fix compilation with CMake from installed sources jpayne@68: #403 xmlwf: Document exit codes in xmlwf manpage and jpayne@68: exit with code 3 (rather than code 1) for output errors jpayne@68: when used with "-d DIRECTORY" jpayne@68: #356 #359 MinGW: Provide declaration of rand_s for mingwrt <5.3.0 jpayne@68: #383 #392 Autotools: Use -Werror while configure tests the compiler jpayne@68: for supported compile flags to avoid false positives jpayne@68: #383 #393 #394 Autotools: Improve handling of user (C|CPP|CXX|LD)FLAGS, jpayne@68: e.g. 
ensure that they have the last word over flags added jpayne@68: while running ./configure jpayne@68: #360 CMake: Create libexpatw.{dll,so} and expatw.pc (with emphasis jpayne@68: on suffix "w") with -DEXPAT_CHAR_TYPE=(ushort|wchar_t) jpayne@68: #360 CMake: Detect and deny unsupported build combinations jpayne@68: involving -DEXPAT_CHAR_TYPE=(ushort|wchar_t) jpayne@68: #360 CMake: Install pre-compiled shipped xmlwf.1 manpage in case jpayne@68: of -DEXPAT_BUILD_DOCS=OFF jpayne@68: #375 #380 #419 CMake: Fix use of Expat by means of add_subdirectory jpayne@68: #407 #408 CMake: Keep expat target name constant at "expat" jpayne@68: (i.e. refrain from using the target name to control jpayne@68: build artifact filenames) jpayne@68: #385 CMake: Fix compilation with -DEXPAT_SHARED_LIBS=OFF for jpayne@68: Windows jpayne@68: CMake: Expose man page compilation as target "xmlwf-manpage" jpayne@68: #413 #414 CMake: Introduce option EXPAT_BUILD_PKGCONFIG jpayne@68: to control generation of pkg-config file "expat.pc" jpayne@68: #424 CMake: Add minimalistic support for building binary packages jpayne@68: with CMake target "package"; based on CPack jpayne@68: #366 CMake: Add option -DEXPAT_OSSFUZZ_BUILD=(ON|OFF) with jpayne@68: default OFF to build fuzzer code against OSS-Fuzz and jpayne@68: related environment variable LIB_FUZZING_ENGINE jpayne@68: #354 Fix testsuite for -DEXPAT_DTD=OFF and -DEXPAT_NS=OFF, each jpayne@68: #354 #355 .. 
       #356 #412  Address compiler warnings
       #368 #369  Address pngcheck warnings with doc/*.png images
            #425  Version info bumped from 7:11:6 to 7:12:6

        Special thanks to:
            asavah
            Ben Wagner
            Bhargava Shastry
            Frank Landgraf
            Jeffrey Walton
            Joe Orton
            Kleber Tarcísio
            Ma Lin
            Maciej Sroczyński
            Mohammed Khajapasha
            Vadim Zeitlin
                 and
            Cppcheck 2.0 and the Cppcheck team

Release 2.2.9 Wed September 25 2019
        Other changes:
                  examples: Drop executable bits from elements.c
            #349  Windows: Change the name of the Windows DLLs from expat*.dll
                    to libexpat*.dll once more (regression from 2.2.8, first
                    fixed in 1.95.3, issue #61 on SourceForge today,
                    was issue #432456 back then); needs a fix due
                    case-insensitive file systems on Windows and the fact that
                    Perl's XML::Parser::Expat compiles into Expat.dll.
            #347  Windows: Only define _CRT_RAND_S if not defined
                  Version info bumped from 7:10:6 to 7:11:6

        Special thanks to:
            Ben Wagner

Release 2.2.8 Fri September 13 2019
        Security fixes:
       #317 #318  CVE-2019-15903 -- Fix heap overflow triggered by
                    XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber),
                    and deny internal entities closing the doctype;
                    fixed in commit c20b758c332d9a13afbbb276d30db1d183a85d43

        Bug fixes:
            #240  Fix cases where XML_StopParser did not have any effect
                    when called from inside of an end element handler
            #341  xmlwf: Fix exit code for operation without "-d DIRECTORY";
                    previously, only "-d DIRECTORY" would give you a proper
                    exit code:
                      # xmlwf -d . <<<'' 2>/dev/null ; echo $?
                      2
                      # xmlwf <<<'' 2>/dev/null ; echo $?
                      0
                    Now both cases return exit code 2.

        Other changes:
       #299 #302  Windows: Replace LoadLibrary hack to access
                    unofficial API function SystemFunction036 (RtlGenRandom)
                    by using official API function rand_s (needs WinXP+)
            #325  Windows: Drop support for Visual Studio <=7.1/2003
                    and document supported compilers in README.md
            #286  Windows: Remove COM code from xmlwf; in case it turns
                    out needed later, there will be a dedicated repository
                    below https://github.com/libexpat/ for that code
            #322  Windows: Remove explicit MSVC solution and project files.
                    You can generate Visual Studio solution files through
                    CMake, e.g.: cmake -G"Visual Studio 15 2017" .
            #338  xmlwf: Make "xmlwf -h" help output more friendly
            #339  examples: Improve elements.c
       #244 #264  Autotools: Add argument --enable-xml-attr-info
       #239 #301  Autotools: Add arguments
                    --with-getrandom
                    --without-getrandom
                    --with-sys-getrandom
                    --without-sys-getrandom
       #312 #343  Autotools: Fix linking issues with "./configure LD=clang"
                  Autotools: Fix "make run-xmltest" for out-of-source builds
       #329 #336  CMake: Pull all options from Expat <=2.2.7 into namespace
                    prefix EXPAT_ with the exception of DOCBOOK_TO_MAN:
                    - BUILD_doc            -> EXPAT_BUILD_DOCS (plural)
                    - BUILD_examples       -> EXPAT_BUILD_EXAMPLES
                    - BUILD_shared         -> EXPAT_SHARED_LIBS
                    - BUILD_tests          -> EXPAT_BUILD_TESTS
                    - BUILD_tools          -> EXPAT_BUILD_TOOLS
                    - DOCBOOK_TO_MAN       -> DOCBOOK_TO_MAN (unchanged)
                    - INSTALL              -> EXPAT_ENABLE_INSTALL
                    - MSVC_USE_STATIC_CRT  -> EXPAT_MSVC_STATIC_CRT
                    - USE_libbsd           -> EXPAT_WITH_LIBBSD
                    - WARNINGS_AS_ERRORS   -> EXPAT_WARNINGS_AS_ERRORS
                    - XML_CONTEXT_BYTES    -> EXPAT_CONTEXT_BYTES
                    - XML_DEV_URANDOM      -> EXPAT_DEV_URANDOM
                    - XML_DTD              -> EXPAT_DTD
                    - XML_NS               -> EXPAT_NS
                    - XML_UNICODE          -> EXPAT_CHAR_TYPE=ushort (!)
                    - XML_UNICODE_WCHAR_T  -> EXPAT_CHAR_TYPE=wchar_t (!)
       #244 #264  CMake: Add argument -DEXPAT_ATTR_INFO=(ON|OFF),
                    default OFF
            #326  CMake: Add argument -DEXPAT_LARGE_SIZE=(ON|OFF),
                    default OFF
            #328  CMake: Add argument -DEXPAT_MIN_SIZE=(ON|OFF),
                    default OFF
       #239 #277  CMake: Add arguments
                    -DEXPAT_WITH_GETRANDOM=(ON|OFF|AUTO), default AUTO
                    -DEXPAT_WITH_SYS_GETRANDOM=(ON|OFF|AUTO), default AUTO
            #326  CMake: Install expat_config.h to include directory
            #326  CMake: Generate and install configuration files for
                    future find_package(expat [..] CONFIG [..])
                  CMake: Now produces a summary of applied configuration
                  CMake: Require C++ compiler only when tests are enabled
            #330  CMake: Fix compilation for 16bit character types,
                    i.e. ex -DXML_UNICODE=ON (and ex -DXML_UNICODE_WCHAR_T=ON)
            #265  CMake: Fix linking with MinGW
            #330  CMake: Add full support for MinGW; to enable, use
                    -DCMAKE_TOOLCHAIN_FILE=[expat]/cmake/mingw-toolchain.cmake
            #330  CMake: Port "make run-xmltest" from GNU Autotools to CMake
            #316  CMake: Windows: Make binary postfix match MSVC
                    Old: expat[d].lib
                    New: expat[w][d][MD|MT].lib
                  CMake: Migrate files from Windows to Unix line endings
            #308  CMake: Integrate OSS-Fuzz fuzzers, option
                    -DEXPAT_BUILD_FUZZERS=(ON|OFF), default OFF
             #14  Drop an OpenVMS support leftover
       #235 #268 ..
       #270 #310 ..
  #313 #331 #333  Address compiler warnings
       #282 #283 ..
       #284 #285  Address cppcheck warnings
       #294 #295  Address Clang Static Analyzer warnings
        #24 #293  Mass-apply clang-format 9 (and ensure conformance during CI)
                  Version info bumped from 7:9:6 to 7:10:6

        Special thanks to:
            David Loffredo
            Joonun Jang
            Kishore Kunche
            Marco Maggi
            Mitch Phillips
            Mohammed Khajapasha
            Rolf Ade
            xantares
            Zhongyuan Zhou

Release 2.2.7 Wed June 19 2019
        Security fixes:
       #186 #262  CVE-2018-20843 -- Fix extraction of namespace prefixes from
                    XML names; XML names with multiple colons could end up in
                    the wrong namespace, and take a high amount of RAM and CPU
                    resources while processing, opening the door to
                    use for denial-of-service attacks

        Other changes:
       #195 #197  Autotools/CMake: Utilize -fvisibility=hidden to stop
                    exporting non-API symbols
            #227  Autotools: Add --without-examples and --without-tests
            #228  Autotools: Modernize configure.ac
       #245 #246  Autotools: Fix check for -fvisibility=hidden for Clang
       #247 #248  Autotools: Fix compilation for lack of docbook2x-man
       #236 #258  Autotools: Produce .tar.{gz,lz,xz} release archives
            #212  CMake: Make libdir of pkgconfig expat.pc support multilib
       #158 #263  CMake: Build man page in PROJECT_BINARY_DIR not _SOURCE_DIR
            #219  Remove fallback to bcopy, assume that memmove(3) exists
            #257  Use portable "/usr/bin/env bash" shebang (e.g. for OpenBSD)
            #243  Windows: Fix syntax of .def module definition files
                  Version info bumped from 7:8:6 to 7:9:6

        Special thanks to:
            Benjamin Peterson
            Caolán McNamara
            Hanno Böck
            KangLin
            Kishore Kunche
            Marco Maggi
            Rhodri James
            Sebastian Dröge
            userwithuid
            Yury Gribov

Release 2.2.6 Sun August 12 2018
        Bug fixes:
       #170 #206  Avoid doing arithmetic with NULL pointers in XML_GetBuffer
       #204 #205  Fix 2.2.5 regression with suspend-resume while parsing
                    a document like ''

        Other changes:
       #165 #168  Autotools: Fix docbook-related configure syntax error
            #166  Autotools: Avoid grep option `-q` for Solaris
            #167  Autotools: Support
                    ./configure DOCBOOK_TO_MAN="xmlto man --skip-validation"
       #159 #167  Autotools: Support DOCBOOK_TO_MAN command which produces
                    xmlwf.1 rather than XMLWF.1; also covers case insensitive
                    file systems
            #181  Autotools: Drop -rpath option passed to libtool
            #188  Autotools: Detect and deny SGML docbook2man as ours is XML
            #188  Autotools/CMake: Support command db2x_docbook2man as well
            #174  CMake: Introduce option WARNINGS_AS_ERRORS, defaults to OFF
       #184 #185  CMake: Introduce option MSVC_USE_STATIC_CRT, defaults to OFF
       #207 #208  CMake: Introduce option XML_UNICODE and XML_UNICODE_WCHAR_T,
                    both defaulting to OFF
            #175  CMake: Prefer check_symbol_exists over check_function_exists
            #176  CMake: Create the same pkg-config file as with GNU Autotools
       #178 #179  CMake: Use GNUInstallDirs module to set proper defaults for
                    install directories
            #208  CMake: Utilize expat_config.h.cmake for XML_DEV_URANDOM
            #180  Windows: Fix compilation of test suite for Visual Studio 2008
  #131 #173 #202  Address compiler warnings
  #187 #190 #200  Fix miscellaneous typos
                  Version info bumped from 7:7:6 to 7:8:6

        Special thanks to:
            Anton Maklakov
            Benjamin Peterson
            Brad King
            Franek Korta
            Frank Rast
            Joe Orton
            luzpaz
            Pedro Vicente
            Rainer Jung
            Rhodri James
            Rolf Ade
            Rolf Eike Beer
            Thomas Beutlich
            Tomasz Kłoczko

Release 2.2.5 Tue October 31 2017
        Bug fixes:
              #8  If the parser runs out of memory, make sure its internal
                    state reflects the memory it actually has, not the memory
                    it wanted to have.
             #11  The default handler wasn't being called when it should for
                    a SYSTEM or PUBLIC doctype if an entity declaration handler
                    was registered.
       #137 #138  Fix a case of mistakenly reported parsing success where
                    XML_StopParser was called from an element handler
            #162  Function XML_ErrorString was returning NULL rather than
                    a message for code XML_ERROR_INVALID_ARGUMENT
                    introduced with release 2.2.1

        Other changes:
            #106  xmlwf: Add argument -N adding notation declarations
        #75 #106  Test suite: Resolve expected failure cases where xmlwf
                    output was incomplete
            #127  Windows: Fix test suite compilation
       #126 #127  Windows: Fix compilation for Visual Studio 2012
                  Windows: Upgrade shipped project files to Visual Studio 2017
        #33 #132  tests: Mass-fix compilation for XML_UNICODE_WCHAR_T
            #129  examples: Fix compilation for XML_UNICODE_WCHAR_T
            #130  benchmark: Fix compilation for XML_UNICODE_WCHAR_T
            #144  xmlwf: Fix compilation for XML_UNICODE_WCHAR_T; still needs
                    Windows or MinGW for 2-byte wchar_t
              #9  Address two Clang Static Analyzer false positives
             #59  Resolve troublesome macros hiding parser struct membership
                    and dereferencing that pointer
              #6  Resolve superfluous internal malloc/realloc switch
       #153 #155  Improve docbook2x-man detection
            #160  Undefine NDEBUG in the test suite (rather than rejecting it)
            #161  Address compiler warnings
                  Version info bumped from 7:6:6 to 7:7:6

        Special thanks to:
            Benbuck Nason
            Hans Wennborg
            José Gutiérrez de la Concha
            Pedro Monreal Gonzalez
            Rhodri James
            Rolf Ade
            Stephen Groat
                 and
            Core Infrastructure Initiative

Release 2.2.4 Sat August 19 2017
        Bug fixes:
            #115  Fix copying of partial characters for UTF-8 input

        Other changes:
            #109  Fix "make check" for non-x86 architectures that default
                    to unsigned type char (-128..127 rather than 0..255)
            #109  coverage.sh: Cover -funsigned-char
                  Autotools: Introduce --without-xmlwf argument
             #65  Autotools: Replace handwritten Makefile with GNU Automake
             #43  CMake: Auto-detect high quality entropy extractors, add new
                    option USE_libbsd=ON to use arc4random_buf of libbsd
             #74  CMake: Add -fno-strict-aliasing only where supported
            #114  CMake: Always honor manually set BUILD_* options
            #114  CMake: Compile man page if docbook2x-man is available, only
            #117  Include file tests/xmltest.log.expected in source tarball
                    (required for "make run-xmltest")
            #117  Include (existing) Visual Studio 2013 files in source tarball
                  Improve test suite error output
            #111  Fix some typos in documentation
                  Version info bumped from 7:5:6 to 7:6:6

        Special thanks to:
            Jakub Wilk
            Joe Orton
            Lin Tian
            Rolf Eike Beer

Release 2.2.3 Wed August 2 2017
        Security fixes:
             #82  CVE-2017-11742 -- Windows: Fix DLL hijacking vulnerability
                    using Steve Holme's LoadLibrary wrapper for/of cURL

        Bug fixes:
             #85  Fix a dangling pointer issue related to realloc

        Other changes:
                  Increase code coverage
             #91  Linux: Allow getrandom to fail if nonblocking pool has not
                    yet been initialized and read /dev/urandom then, instead.
                    This is in line with what recent Python does.
             #81  Pre-10.7/Lion macOS: Support entropy from arc4random
             #86  Check that a UTF-16 encoding in an XML declaration has the
                    right endianness
        #4 #5 #7  Recover correctly when some reallocations fail
                  Repair "./configure && make" for systems without any
                    provider of high quality entropy
                    and try reading /dev/urandom on those
                  Ensure that user-defined character encodings have converter
                    functions when they are needed
                  Fix mis-leading description of argument -c in xmlwf.1
                  Rely on macro HAVE_ARC4RANDOM_BUF (rather than __CloudABI__)
                    for CloudABI
            #100  Fix use of SIPHASH_MAIN in siphash.h
             #23  Test suite: Fix memory leaks
                  Version info bumped from 7:4:6 to 7:5:6

        Special thanks to:
            Chanho Park
            Joe Orton
            Pascal Cuoq
            Rhodri James
            Simon McVittie
            Vadim Zeitlin
            Viktor Szakats
                 and
            Core Infrastructure Initiative

Release 2.2.2 Wed July 12 2017
        Security fixes:
             #43  Protect against compilation without any source of high
                    quality entropy enabled, e.g. with CMake build system;
                    commit ff0207e6076e9828e536b8d9cd45c9c92069b895
             #60  Windows with _UNICODE:
                    Unintended use of LoadLibraryW with a non-wide string
                    resulted in failure to load advapi32.dll and degradation
                    in quality of used entropy when compiled with _UNICODE for
                    Windows; you can launch existing binaries with
                    EXPAT_ENTROPY_DEBUG=1 in the environment to inspect the
                    quality of entropy used during runtime; commits
                    * 95b95032f907ef1cd17ee7a9a1768010a825d61d
                    * 73a5a2e9c081f49f2d775cf7ced864158b68dc80
       [MOX-006]  Fix non-NULL parser parameter validation in XML_Parse;
                    resulted in NULL dereference, previously;
                    commit ac256dafdffc9622ab0dc2c62fcecb0dfcfa71fe

        Bug fixes:
             #69  Fix improper use of unsigned long long integer literals

        Other changes:
             #73  Start requiring a C99 compiler
             #49  Fix "==" Bashism in configure script
             #50  Fix too eager getrandom detection for Debian GNU/kFreeBSD
             #52    and macOS
             #51  Address lack of stdint.h in Visual Studio 2003 to 2008
             #58  Address compile warnings
             #68  Fix "./buildconf.sh && ./configure" for some versions
                    of Dash for /bin/sh
             #72  CMake: Ease use of Expat in context of a parent project
                    with multiple CMakeLists.txt files
             #72  CMake: Resolve mistaken executable permissions
             #76  Address compile warning with -DNDEBUG (not recommended!)
             #77  Address compile warning about macro redefinition

        Special thanks to:
            Alexander Bluhm
            Ben Boeckel
            Cătălin Răceanu
            Kerin Millar
            László Böszörményi
            S. P. Zeidler
            Segev Finer
            Václav Slavík
            Victor Stinner
            Viktor Szakats
                 and
            Radically Open Security

Release 2.2.1 Sat June 17 2017
        Security fixes:
                  CVE-2017-9233 -- External entity infinite loop DoS
                    Details: https://libexpat.github.io/doc/cve-2017-9233/
                    Commit c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f
       [MOX-002]  CVE-2016-9063 -- Detect integer overflow; commit
                    d4f735b88d9932bd5039df2335eefdd0723dbe20
                    (Fixed version of existing downstream patches!)
   (SF.net) #539  Fix regression from fix to CVE-2016-0718 cutting off
                    longer tag names; commits
                    * 896b6c1fd3b842f377d1b62135dccf0a579cf65d
                    * af507cef2c93cb8d40062a0abe43a4f4e9158fb2
             #16    * 0dbbf43fdb20f593ddf4fa1ff67288000dd4a7fd
             #25  More integer overflow detection (function poolGrow); commits
                    * 810b74e4703dcfdd8f404e3cb177d44684775143
                    * 44178553f3539ce69d34abee77a05e879a7982ac
       [MOX-002]  Detect overflow from len=INT_MAX call to XML_Parse; commits
                    * 4be2cb5afcc018d996f34bbbce6374b7befad47f
                    * 7e5b71b748491b6e459e5c9a1d090820f94544d8
   [MOX-005] #30  Use high quality entropy for hash initialization:
                    * arc4random_buf on BSD, systems with libbsd
                      (when configured with --with-libbsd), CloudABI
                    * RtlGenRandom on Windows XP / Server 2003 and later
                    * getrandom on Linux 3.17+
                    In a way, that's still part of CVE-2016-5300.
                    https://github.com/libexpat/libexpat/pull/30/commits
       [MOX-005]  For the low quality entropy extraction fallback code,
                    the parser instance address can no longer leak, commit
                    04ad658bd3079dd15cb60fc67087900f0ff4b083
       [MOX-003]  Prevent use of uninitialised variable; commit
       [MOX-004]    a4dc944f37b664a3ca7199c624a98ee37babdb4b
                  Add missing parameter validation to public API functions
                    and dedicated error code XML_ERROR_INVALID_ARGUMENT:
       [MOX-006]    * NULL checks; commits
                      * d37f74b2b7149a3a95a680c4c4cd2a451a51d60a (merge/many)
                      * 9ed727064b675b7180c98cb3d4f75efba6966681
                      * 6a747c837c50114dfa413994e07c0ba477be4534
                    * Negative length (XML_Parse); commit
       [MOX-002]      70db8d2538a10f4c022655d6895e4c3e78692e7f
   [MOX-001] #35  Change hash algorithm to William Ahern's version of SipHash
                    to go further with fixing CVE-2012-0876.
                    https://github.com/libexpat/libexpat/pull/39/commits

        Bug fixes:
             #32  Fix sharing of hash salt across parsers;
                    relevant where XML_ExternalEntityParserCreate is called
                    prior to XML_Parse, in particular (e.g. FBReader)
             #28  xmlwf: Auto-disable use of memory-mapping (and parsing
                    as a single chunk) for files larger than ~1 GB (2^30 bytes)
                    rather than failing with error "out of memory"
              #3  Fix double free after malloc failure in DTD code; commit
                    7ae9c3d3af433cd4defe95234eae7dc8ed15637f
             #17  Fix memory leak on parser error for unbound XML attribute
                    prefix with new namespaces defined in the same tag;
                    found by Google's OSS-Fuzz; commits
                    * 16f87daae5a16132e479e4f71862128c7a915c73
                    * b47dbc9745932c160893d433220e462bd605f8cd
                  xmlwf on Windows: Add missing calls to CloseHandle

        New features:
             #30  Introduced environment switch EXPAT_ENTROPY_DEBUG=1
                    for runtime debugging of entropy extraction

        Other changes:
                  Increase code coverage
             #33  Reject use of XML_UNICODE_WCHAR_T with sizeof(wchar_t) != 2;
                    XML_UNICODE_WCHAR_T was never meant to be used outside
                    of Windows; 4-byte wchar_t is common on Linux
   (SF.net) #538  Start using -fno-strict-aliasing
   (SF.net) #540  Support compilation against cloudlibc of CloudABI
                  Allow MinGW cross-compilation
   (SF.net) #534  CMake: Introduce option "BUILD_doc" (enabled by default)
                    to bypass compilation of the xmlwf.1 man page
    (SF.net) pr2  CMake: Introduce option "INSTALL" (enabled by default)
                    to bypass installation of expat files
                  CMake: Fix ninja support
                  Autotools: Add parameters --enable-xml-context [COUNT]
                    and --disable-xml-context; default of context of 1024
                    bytes enabled unchanged
             #14  Drop AmigaOS 4.x code and includes
             #14  Drop ancient build systems:
                    * Borland C++ Builder
                    * OpenVMS
                    * Open Watcom
                    * Visual Studio 6.0
                    * Pre-X Mac OS (MPW Makefile)
                    If you happen to rely on some of these, please get in
                    touch for joining with maintenance.
             #10  Move from WIN32 to _WIN32
             #13  Fix "make run-xmltest" order instability
                  Address compile warnings
                  Bump version info from 7:2:6 to 7:3:6
                  Add AUTHORS file

        Infrastructure:
              #1  Migrate from SourceForge to GitHub (except downloads):
                    https://github.com/libexpat/
              #1  Re-create http://libexpat.org/ project website
                  Start utilizing Travis CI

        Special thanks to:
            Andy Wang
            Don Lewis
            Ed Schouten
            Karl Waclawek
            Pascal Cuoq
            Rhodri James
            Sergei Nikulov
            Tobias Taschner
            Viktor Szakats
                 and
            Core Infrastructure Initiative
            Mozilla Foundation (MOSS Track 3: Secure Open Source)
            Radically Open Security

Release 2.2.0 Tue June 21 2016
        Security fixes:
            #537  CVE-2016-0718 -- Fix crash on malformed input
                  CVE-2016-4472 -- Improve insufficient fix to CVE-2015-1283 /
                    CVE-2015-2716 introduced with Expat 2.1.1
            #499  CVE-2016-5300 -- Use more entropy for hash initialization
                    than the original fix to CVE-2012-0876
            #519  CVE-2012-6702 -- Resolve troublesome internal call to srand
                    that was introduced with Expat 2.1.0
                    when addressing CVE-2012-0876 (issue #496)

        Bug fixes:
                  Fix uninitialized reads of size 1
                    (e.g. in little2_updatePosition)
                  Fix detection of UTF-8 character boundaries

        Other changes:
            #532  Fix compilation for Visual Studio 2010 (keyword "C99")
                  Autotools: Resolve use of "$<" to better support bmake
                  Autotools: Add QA script "qa.sh" (and make target "qa")
                  Autotools: Respect CXXFLAGS if given
                  Autotools: Fix "make run-xmltest"
                  Autotools: Have "make run-xmltest" check for expected output
             p90  CMake: Fix static build (BUILD_shared=OFF) on Windows
            #536  CMake: Add soversion, support -DNO_SONAME=yes to bypass
            #323  CMake: Add suffix "d" to differentiate debug from release
                  CMake: Define WIN32 with CMake on Windows
                  Annotate memory allocators for GCC
                  Address all currently known compile warnings
                  Make sure that API symbols remain visible despite
                    -fvisibility=hidden
                  Remove executable flag from source files
                  Resolve COMPILED_FROM_DSP in favor of WIN32

        Special thanks to:
            Björn Lindahl
            Christian Heimes
            Cristian Rodríguez
            Daniel Krügler
            Gustavo Grieco
            Karl Waclawek
            László Böszörményi
            Marco Grassi
            Pascal Cuoq
            Sergei Nikulov
            Thomas Beutlich
            Warren Young
            Yann Droneaud

Release 2.1.1 Sat March 12 2016
        Security fixes:
            #582: CVE-2015-1283 - Multiple integer overflows in XML_GetBuffer

        Bug fixes:
            #502: Fix potential null pointer dereference
            #520: Symbol XML_SetHashSalt was not exported
                  Output of "xmlwf -h" was incomplete

        Other changes:
            #503: Document behavior of calling XML_SetHashSalt with salt 0
                  Minor improvements to man page xmlwf(1)
                  Improvements to the experimental CMake build system
                  libtool now invoked with --verbose

Release 2.1.0 Sat March 24 2012
        - Security fixes:
          #2958794: CVE-2012-1148 - Memory leak in poolGrow.
          #2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
          #3496608: CVE-2012-0876 - Hash DOS attack.
          #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
          #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
        - Bug Fixes:
          #1742315: Harmful XML_ParserCreateNS suggestion.
          #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
          #1983953, 2517952, 2517962, 2649838:
                Build modifications using autoreconf instead of buildconf.sh.
          #2815947, #2884086: OBJEXT and EXEEXT support while building.
          #2517938: xmlwf should return non-zero exit status if not well-formed.
          #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
          #2855609: Dangling positionPtr after error.
          #2990652: CMake support.
          #3010819: UNEXPECTED_STATE with a trailing "%" in entity value.
          #3206497: Uninitialized memory returned from XML_Parse.
          #3287849: make check fails on mingw-w64.
        - Patches:
          #1749198: pkg-config support.
          #3010222: Fix for bug #3010819.
          #3312568: CMake support.
          #3446384: Report byte offsets for attr names and values.
        - New Features / API changes:
          Added new API member XML_SetHashSalt() that allows setting an initial
                value (salt) for hash calculations. This is part of the fix for
                bug #3496608 to randomize hash parameters.
          When compiled with XML_ATTR_INFO defined, adds new API member
                XML_GetAttributeInfo() that allows retrieving the byte
                offsets for attribute names and values (patch #3446384).
          Added CMake build system.
            See bug #2990652 and patch #3312568.
          Added run-benchmark target to Makefile.in - relies on testdata module
            present in the same relative location as in the repository.

Release 2.0.1 Tue June 5 2007
        - Fixed bugs #1515266, #1515600: The character data handler's calling
          of XML_StopParser() was not handled properly; if the parser was
          stopped and the handler set to NULL, the parser would segfault.
        - Fixed bug #1690883: Expat failed on EBCDIC systems as it assumed
          some character constants to be ASCII encoded.
        - Minor cleanups of the test harness.
        - Fixed xmlwf bug #1513566: "out of memory" error on file size zero.
        - Fixed outline.c bug #1543233: missing a final XML_ParserFree() call.
        - Fixes and improvements for Windows platform:
          bugs #1409451, #1476160, #1548182, #1602769, #1717322.
        - Build fixes for various platforms:
          HP-UX, Tru64, Solaris 9: patch #1437840, bug #1196180.
          All Unix: #1554618 (refreshed config.sub/config.guess).
          #1490371, #1613457: support both, DESTDIR and INSTALL_ROOT,
            without relying on GNU-Make specific features.
          #1647805: Patched configure.in to work better with Intel compiler.
        - Fixes to Makefile.in to have make check work correctly:
          bugs #1408143, #1535603, #1536684.
        - Added Open Watcom support: patch #1523242.

Release 2.0.0 Wed Jan 11 2006
        - We no longer use the "check" library for C unit testing; we
          always use the (partial) internal implementation of the API.
        - Report XML_NS setting via XML_GetFeatureList().
        - Fixed headers for use from C++.
        - XML_GetCurrentLineNumber() and XML_GetCurrentColumnNumber()
          now return unsigned integers.
        - Added XML_LARGE_SIZE switch to enable 64-bit integers for
          byte indexes and line/column numbers.
        - Updated to use libtool 1.5.22 (the most recent).
        - Added support for AmigaOS.
        - Some mostly minor bug fixes. SF issues include: #1006708,
          #1021776, #1023646, #1114960, #1156398, #1221160, #1271642.

Release 1.95.8 Fri Jul 23 2004
        - Major new feature: suspend/resume. Handlers can now request
          that a parse be suspended for later resumption or aborted
          altogether. See "Temporarily Stopping Parsing" in the
          documentation for more details.
        - Some mostly minor bug fixes, but compilation should no
          longer generate warnings on most platforms. SF issues
          include: #827319, #840173, #846309, #888329, #896188, #923913,
          #928113, #961698, #985192.

Release 1.95.7 Mon Oct 20 2003
        - Fixed enum XML_Status issue (reported on SourceForge many
          times), so compilers that are properly picky will be happy.
        - Introduced an XMLCALL macro to control the calling
          convention used by the Expat API; this macro should be used
          to annotate prototypes and definitions of callback
          implementations in code compiled with a calling convention
          other than the default convention for the host platform.
        - Improved ability to build without the configure-generated
          expat_config.h header. This is useful for applications
          which embed Expat rather than linking in the library.
        - Fixed a variety of bugs: see SF issues #458907, #609603,
          #676844, #679754, #692878, #692964, #695401, #699323, #699487,
          #820946.
        - Improved hash table lookups.
        - Added more regression tests and improved documentation.

Release 1.95.6 Tue Jan 28 2003
        - Added XML_FreeContentModel().
        - Added XML_MemMalloc(), XML_MemRealloc(), XML_MemFree().
        - Fixed a variety of bugs: see SF issues #615606, #616863,
          #618199, #653180, #673791.
        - Enhanced the regression test suite.
        - Man page improvements: includes SF issue #632146.

Release 1.95.5 Fri Sep 6 2002
        - Added XML_UseForeignDTD() for improved SAX2 support.
        - Added XML_GetFeatureList().
        - Defined XML_Bool type and the values XML_TRUE and XML_FALSE.
        - Use an incomplete struct instead of a void* for the parser
          (may not retain).
        - Fixed UTF-8 decoding bug that caused legal UTF-8 to be rejected.
        - Finally fixed bug where default handler would report DTD
          events that were already handled by another handler.
          Initial patch contributed by Darryl Miles.
        - Removed unnecessary DllMain() function that caused static
          linking into a DLL to be difficult.
        - Added VC++ projects for building static libraries.
        - Reduced line-length for all source code and headers to be
          no longer than 80 characters, to help with AS/400 support.
        - Reduced memory copying during parsing (SF patch #600964).
        - Fixed a variety of bugs: see SF issues #580793, #434664,
          #483514, #580503, #581069, #584041, #584183, #584832, #585537,
          #596555, #596678, #598352, #598944, #599715, #600479, #600971.

Release 1.95.4 Fri Jul 12 2002
        - Added support for VMS, contributed by Craig Berry. See
          vms/README.vms for more information.
        - Added Mac OS (classic) support, with a makefile for MPW,
          contributed by Thomas Wegner and Daryle Walker.
        - Added Borland C++ Builder 5 / BCC 5.5 support, contributed
          by Patrick McConnell (SF patch #538032).
        - Fixed a variety of bugs: see SF issues #441449, #563184,
          #564342, #566334, #566901, #569461, #570263, #575168, #579196.
        - Made skippedEntityHandler conform to SAX2 (see source comment)
        - Re-implemented WFC: Entity Declared from XML 1.0 spec and
          added a new error "entity declared in parameter entity":
          see SF bug report #569461 and SF patch #578161
        - Re-implemented section 5.1 from XML 1.0 spec:
          see SF bug report #570263 and SF patch #578161

Release 1.95.3 Mon Jun 3 2002
        - Added a project to the MSVC workspace to create a wchar_t
          version of the library; the DLLs are named libexpatw.dll.
        - Changed the name of the Windows DLLs from expat.dll to
          libexpat.dll; this fixes SF bug #432456.
        - Added the XML_ParserReset() API function.
        - Fixed XML_SetReturnNSTriplet() to work for element names.
        - Made the XML_UNICODE builds usable (thanks, Karl!).
        - Allow xmlwf to read from standard input.
        - Install a man page for xmlwf on Unix systems.
        - Fixed many bugs; see SF bug reports #231864, #461380, #464837,
          #466885, #469226, #477667, #484419, #487840, #494749, #496505,
          #547350. Other bugs which we can't test as easily may also
          have been fixed, especially in the area of build support.

Release 1.95.2 Fri Jul 27 2001
        - More changes to make MSVC happy with the build; add a single
          workspace to support both the library and xmlwf application.
        - Added a Windows installer for Windows users; includes
          xmlwf.exe.
        - Added compile-time constants that can be used to determine the
          Expat version
        - Removed a lot of GNU-specific dependencies to aid portability
          among the various Unix flavors.
        - Fix the UTF-8 BOM bug.
        - Cleaned up warning messages for several compilers.
        - Added the -Wall, -Wstrict-prototypes options for GCC.

Release 1.95.1 Sun Oct 22 15:11:36 EDT 2000
        - Changes to get expat to build under Microsoft compiler
        - Removed all aborts and instead return an UNEXPECTED_STATE error.
        - Fixed a bug where a stray '%' in an entity value would cause an
          abort.
        - Defined XML_SetEndNamespaceDeclHandler. Thanks to Darryl Miles for
          finding this oversight.
        - Changed default patterns in lib/Makefile.in to fit non-GNU makes
          Thanks to robin@unrated.net for reporting and providing an
          account to test on.
        - The reference had the wrong label for XML_SetStartNamespaceDecl.
          Reported by an anonymous user.

Release 1.95.0 Fri Sep 29 2000
        - XML_ParserCreate_MM
          Allows you to set a memory management suite to replace the
          standard malloc, realloc, and free.
        - XML_SetReturnNSTriplet
          If you turn this feature on when namespace processing is in
          effect, then qualified, prefixed element and attribute names
          are returned as "uri|name|prefix" where '|' is whatever
          separator character is used in namespace processing.
        - Merged in features from perl-expat
          o XML_SetElementDeclHandler
          o XML_SetAttlistDeclHandler
          o XML_SetXmlDeclHandler
          o XML_SetEntityDeclHandler
          o StartDoctypeDeclHandler takes 3 additional parameters:
            sysid, pubid, has_internal_subset
          o Many paired handler setters (like XML_SetElementHandler)
            now have corresponding individual handler setters
          o XML_GetInputContext for getting the input context of
            the current parse position.
        - Added reference material
        - Packaged into a distribution that builds a sharable library
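
The XML_SetReturnNSTriplet entry of release 1.95.0, as an added example (not code from the Expat sources): it uses Python's xml.parsers.expat binding, whose namespace_prefixes attribute switches triplet reporting on, to show the three name shapes a handler has to accept. The sample document, SEP, collect_names and split_name are made up for this example.

```python
import xml.parsers.expat

SEP = "|"  # namespace separator chosen for this example

# Constructed sample: a default namespace, one prefixed namespace, and an
# attribute that is in no namespace at all.
SAMPLE = (
    b'<root xmlns="urn:example:default" xmlns:a="urn:example:a">'
    b'<a:item a:id="1" plain="x"/>'
    b'</root>'
)


def collect_names(data, triplets):
    """Parse data and return [(element name, sorted attribute names), ...]."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=SEP)
    # pyexpat passes this attribute on to XML_SetReturnNSTriplet(); it has to
    # be set before parsing starts.
    parser.namespace_prefixes = triplets
    seen = []

    def start(name, attrs):
        seen.append((name, sorted(attrs)))

    parser.StartElementHandler = start
    parser.Parse(data, True)
    return seen


def split_name(name, sep=SEP):
    """Split a reported name into (uri, local, prefix); None where absent."""
    parts = name.split(sep)
    if len(parts) == 1:   # name in no namespace
        return (None, parts[0], None)
    if len(parts) == 2:   # namespaced without prefix, or triplets switched off
        return (parts[0], parts[1], None)
    if len(parts) == 3:   # "uri|name|prefix"
        return (parts[0], parts[1], parts[2])
    raise ValueError("unexpected name shape: %r" % name)


if __name__ == "__main__":
    for flag in (False, True):
        for name, attrs in collect_names(SAMPLE, flag):
            print(flag, split_name(name), [split_name(a) for a in attrs])
```

Names in the default namespace still arrive as two parts even with triplets on, so a handler that assumes exactly three parts will mis-handle them.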