|
1 |
| -NOTE: We are looking for help with a few things: |
2 |
| - https://github.com/libexpat/libexpat/labels/help%20wanted |
3 |
| - If you can help, please get in touch. Thanks! |
| 1 | + __ __ _ |
| 2 | + ___\ \/ /_ __ __ _| |_ |
| 3 | + / _ \\ /| '_ \ / _` | __| |
| 4 | + | __// \| |_) | (_| | |_ |
| 5 | + \___/_/\_\ .__/ \__,_|\__| |
| 6 | + |_| XML parser |
| 7 | + |
| 8 | +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! |
| 9 | +!! <blink>Expat is UNDERSTAFFED and WITHOUT FUNDING.</blink> !! |
| 10 | +!! ~~~~~~~~~~~~ !! |
| 11 | +!! The following topics need *additional skilled C developers* to progress !! |
| 12 | +!! in a timely manner or at all (loosely ordered by descending priority): !! |
| 13 | +!! !! |
| 14 | +!! - teaming up on researching and fixing future security reports and !! |
| 15 | +!! ClusterFuzz findings with few-days-max response times in communication !! |
| 16 | +!! in order to (1) have a sound fix ready before the end of a 90 days !! |
| 17 | +!! grace period and (2) in a sustainable manner, !! |
| 18 | +!! - helping CPython Expat bindings with supporting Expat's billion laughs !! |
| 19 | +!! attack protection API (https://github.com/python/cpython/issues/90949): !! |
| 20 | +!! - XML_SetBillionLaughsAttackProtectionActivationThreshold !! |
| 21 | +!! - XML_SetBillionLaughsAttackProtectionMaximumAmplification !! |
| 22 | +!! - helping Perl's XML::Parser Expat bindings with supporting Expat's !! |
| 23 | +!! security API (https://github.com/cpan-authors/XML-Parser/issues/102): !! |
| 24 | +!! - XML_SetBillionLaughsAttackProtectionActivationThreshold !! |
| 25 | +!! - XML_SetBillionLaughsAttackProtectionMaximumAmplification !! |
| 26 | +!! - XML_SetReparseDeferralEnabled !! |
| 27 | +!! - implementing and auto-testing XML 1.0r5 support !! |
| 28 | +!! (needs discussion before pull requests), !! |
| 29 | +!! - smart ideas on fixing the Autotools CMake files generation issue !! |
| 30 | +!! without breaking CI (needs discussion before pull requests), !! |
| 31 | +!! - pushing migration from `int` to `size_t` further !! |
| 32 | +!! including edge-cases test coverage (needs discussion before anything). !! |
| 33 | +!! !! |
| 34 | +!! For details, please reach out via e-mail to [email protected] so we !! |
| 35 | +!! can schedule a voice call on the topic, in English or German. !! |
| 36 | +!! !! |
| 37 | +!! THANK YOU! Sebastian Pipping -- Berlin, 2024-03-09 !! |
| 38 | +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! |
| 39 | + |
| 40 | +Release 2.7.1 Thu March 27 2025 |
| 41 | + Bug fixes: |
| 42 | + #980 #989 Restore event pointer behavior from Expat 2.6.4 |
| 43 | + (that the fix to CVE-2024-8176 changed in 2.7.0); |
| 44 | + affected API functions are: |
| 45 | + - XML_GetCurrentByteCount |
| 46 | + - XML_GetCurrentByteIndex |
| 47 | + - XML_GetCurrentColumnNumber |
| 48 | + - XML_GetCurrentLineNumber |
| 49 | + - XML_GetInputContext |
| 50 | + |
| 51 | + Other changes: |
| 52 | + #976 #977 Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}" |
| 53 | + with Automake that were missing from 2.7.0 release tarballs |
| 54 | + #983 #984 Fix printf format specifiers for 32bit Emscripten |
| 55 | + #992 docs: Promote OpenSSF Best Practices self-certification |
| 56 | + #978 tests/benchmark: Resolve mistaken double close |
| 57 | + #986 Address compiler warnings |
| 58 | + #990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1) |
| 59 | + to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ |
| 60 | + for what these numbers do |
| 61 | + |
| 62 | + Infrastructure: |
| 63 | + #982 CI: Start running Perl XML::Parser integration tests |
| 64 | + #987 CI: Enforce Clang Static Analyzer clean code |
| 65 | + #991 CI: Re-enable warning clang-analyzer-valist.Uninitialized |
| 66 | + for clang-tidy |
| 67 | + #981 CI: Cover compilation with musl |
| 68 | + #983 #984 CI: Cover compilation with 32bit Emscripten |
| 69 | + #976 #977 CI: Protect against fuzzer files missing from future |
| 70 | + release archives |
| 71 | + |
| 72 | + Special thanks to: |
| 73 | + Berkay Eren Ürün |
| 74 | + Matthew Fernandez |
| 75 | + and |
| 76 | + Perl XML::Parser |
| 77 | + |
| 78 | +Release 2.7.0 Thu March 13 2025 |
| 79 | + Security fixes: |
| 80 | + #893 #973 CVE-2024-8176 -- Fix crash from chaining a large number |
| 81 | + of entities caused by stack overflow by resolving use of |
| 82 | + recursion, for all three uses of entities: |
| 83 | + - general entities in character data ("<e>&g1;</e>") |
| 84 | + - general entities in attribute values ("<e k1='&g1;'/>") |
| 85 | + - parameter entities ("%p1;") |
| 86 | + Known impact is (reliable and easy) denial of service: |
| 87 | + CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C |
| 88 | + (Base Score: 7.5, Temporal Score: 7.2) |
| 89 | + Please note that a layer of compression around XML can |
| 90 | + significantly reduce the minimum attack payload size. |
| 91 | + |
| 92 | + Other changes: |
| 93 | + #935 #937 Autotools: Make generated CMake files look for |
| 94 | + libexpat.@ [email protected] on macOS |
| 95 | + #925 Autotools: Sync CMake templates with CMake 3.29 |
| 96 | + #945 #962 #966 CMake: Drop support for CMake <3.13 |
| 97 | + #942 CMake: Small fuzzing related improvements |
| 98 | + #921 docs: Add missing documentation of error code |
| 99 | + XML_ERROR_NOT_STARTED that was introduced with 2.6.4 |
| 100 | + #941 docs: Document need for C++11 compiler for use from C++ |
| 101 | + #959 tests/benchmark: Fix a (harmless) TOCTTOU |
| 102 | + #944 Windows: Fix installer target location of file xmlwf.xml |
| 103 | + for CMake |
| 104 | + #953 Windows: Address warning -Wunknown-warning-option |
| 105 | + about -Wno-pedantic-ms-format from LLVM MinGW |
| 106 | + #971 Address Cppcheck warnings |
| 107 | + #969 #970 Mass-migrate links from http:// to https:// |
| 108 | + #947 #958 .. |
| 109 | + #974 #975 Document changes since the previous release |
| 110 | + #974 #975 Version info bumped from 11:0:10 (libexpat*.so.1.10.0) |
| 111 | + to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/ |
| 112 | + for what these numbers do |
| 113 | + |
| 114 | + Infrastructure: |
| 115 | + #926 tests: Increase robustness |
| 116 | + #927 #932 .. |
| 117 | + #930 #933 tests: Increase test coverage |
| 118 | + #617 #950 .. |
| 119 | + #951 #952 .. |
| 120 | + #954 #955 .. Fuzzing: Add new fuzzer "xml_lpm_fuzzer" based on |
| 121 | + #961 Google's libprotobuf-mutator ("LPM") |
| 122 | + #957 Fuzzing|CI: Start producing fuzzing code coverage reports |
| 123 | + #936 CI: Pass -q -q for LCOV >=2.1 in coverage.sh |
| 124 | + #942 CI: Small fuzzing related improvements |
| 125 | + #139 #203 .. |
| 126 | + #791 #946 CI: Make GitHub Actions build using MSVC on Windows and |
| 127 | + produce 32bit and 64bit Windows binaries |
| 128 | + #956 CI: Get off of about-to-be-removed Ubuntu 20.04 |
| 129 | + #960 #964 CI: Start uploading to Coverity Scan for static analysis |
| 130 | + #972 CI: Stop loading DTD from the internet to address flaky CI |
| 131 | + #971 CI: Adapt to breaking changes in Cppcheck |
| 132 | + |
| 133 | + Special thanks to: |
| 134 | + Alexander Gieringer |
| 135 | + Berkay Eren Ürün |
| 136 | + Hanno Böck |
| 137 | + Jann Horn |
| 138 | + Mark Brand |
| 139 | + Sebastian Andrzej Siewior |
| 140 | + Snild Dolkow |
| 141 | + Thomas Pröll |
| 142 | + Tomas Korbar |
| 143 | + valord577 |
| 144 | + and |
| 145 | + Google Project Zero |
| 146 | + Linutronix |
| 147 | + Red Hat |
| 148 | + Siemens |
| 149 | + |
| 150 | +Release 2.6.4 Wed November 6 2024 |
| 151 | + Security fixes: |
| 152 | + #915 CVE-2024-50602 -- Fix crash within function XML_ResumeParser |
| 153 | + from a NULL pointer dereference by disallowing function |
| 154 | + XML_StopParser to (stop or) suspend an unstarted parser. |
| 155 | + A new error code XML_ERROR_NOT_STARTED was introduced to |
| 156 | + properly communicate this situation. // CWE-476 CWE-754 |
| 157 | + |
| 158 | + Other changes: |
| 159 | + #903 CMake: Add alias target "expat::expat" |
| 160 | + #905 docs: Document use via CMake >=3.18 with FetchContent |
| 161 | + and SOURCE_SUBDIR and its consequences |
| 162 | + #902 tests: Reduce use of global parser instance |
| 163 | + #904 tests: Resolve duplicate handler |
| 164 | + #317 #918 tests: Improve tests on doctype closing (ex CVE-2019-15903) |
| 165 | + #914 Fix signedness of format strings |
| 166 | + #915 For use from C++, expat.h started requiring C++11 due to |
| 167 | + use of C99 features |
| 168 | + #919 #920 Version info bumped from 10:3:9 (libexpat*.so.1.9.3) |
| 169 | + to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/ |
| 170 | + for what these numbers do |
| 171 | + |
| 172 | + Infrastructure: |
| 173 | + #907 CI: Upgrade Clang from 18 to 19 |
| 174 | + #913 CI: Drop macos-12 and add macos-15 |
| 175 | + #910 CI: Adapt to breaking changes in GitHub Actions |
| 176 | + #898 Add missing entries to .gitignore |
| 177 | + |
| 178 | + Special thanks to: |
| 179 | + Hanno Böck |
| 180 | + José Eduardo Gutiérrez Conejo |
| 181 | + José Ricardo Cardona Quesada |
| 182 | + |
| 183 | +Release 2.6.3 Wed September 4 2024 |
| 184 | + Security fixes: |
| 185 | + #887 #890 CVE-2024-45490 -- Calling function XML_ParseBuffer with |
| 186 | + len < 0 without noticing and then calling XML_GetBuffer |
| 187 | + will have XML_ParseBuffer fail to recognize the problem |
| 188 | + and XML_GetBuffer corrupt memory. |
| 189 | + With the fix, XML_ParseBuffer now complains with error |
| 190 | + XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse |
| 191 | + has been doing since Expat 2.2.1, and now documented. |
| 192 | + Impact is denial of service to potentially artitrary code |
| 193 | + execution. |
| 194 | + #888 #891 CVE-2024-45491 -- Internal function dtdCopy can have an |
| 195 | + integer overflow for nDefaultAtts on 32-bit platforms |
| 196 | + (where UINT_MAX equals SIZE_MAX). |
| 197 | + Impact is denial of service to potentially artitrary code |
| 198 | + execution. |
| 199 | + #889 #892 CVE-2024-45492 -- Internal function nextScaffoldPart can |
| 200 | + have an integer overflow for m_groupSize on 32-bit |
| 201 | + platforms (where UINT_MAX equals SIZE_MAX). |
| 202 | + Impact is denial of service to potentially artitrary code |
| 203 | + execution. |
| 204 | + |
| 205 | + Other changes: |
| 206 | + #851 #879 Autotools: Sync CMake templates with CMake 3.28 |
| 207 | + #853 Autotools: Always provide path to find(1) for portability |
| 208 | + #861 Autotools: Ensure that the m4 directory always exists. |
| 209 | + #870 Autotools: Simplify handling of SIZEOF_VOID_P |
| 210 | + #869 Autotools: Support non-GNU sed |
| 211 | + #856 Autotools|CMake: Fix main() to main(void) |
| 212 | + #865 Autotools|CMake: Fix compile tests for HAVE_SYSCALL_GETRANDOM |
| 213 | + #863 Autotools|CMake: Stop requiring dos2unix |
| 214 | + #854 #855 CMake: Fix check for symbols size_t and off_t |
| 215 | + #864 docs|tests: Convert README to Markdown and update |
| 216 | + #741 Windows: Drop support for Visual Studio <=15.0/2017 |
| 217 | + #886 Drop needless XML_DTD guards around is_param access |
| 218 | + #885 Fix typo in a code comment |
| 219 | + #894 #896 Version info bumped from 10:2:9 (libexpat*.so.1.9.2) |
| 220 | + to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/ |
| 221 | + for what these numbers do |
| 222 | + |
| 223 | + Infrastructure: |
| 224 | + #880 Readme: Promote the call for help |
| 225 | + #868 CI: Fix various issues |
| 226 | + #849 CI: Allow triggering GitHub Actions workflows manually |
| 227 | + #851 #872 .. |
| 228 | + #873 #879 CI: Adapt to breaking changes in GitHub Actions |
| 229 | + |
| 230 | + Special thanks to: |
| 231 | + Alexander Bluhm |
| 232 | + Berkay Eren Ürün |
| 233 | + Dag-Erling Smørgrav |
| 234 | + Ferenc Géczi |
| 235 | + TaiYou |
| 236 | + |
| 237 | +Release 2.6.2 Wed March 13 2024 |
| 238 | + Security fixes: |
| 239 | + #839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with |
| 240 | + isolated use of external parsers. Please see the commit |
| 241 | + message of commit 1d50b80cf31de87750103656f6eb693746854aa8 |
| 242 | + for details. |
| 243 | + |
| 244 | + Bug fixes: |
| 245 | + #839 #841 Reject direct parameter entity recursion |
| 246 | + and avoid the related undefined behavior |
| 247 | + |
| 248 | + Other changes: |
| 249 | + #847 Autotools: Fix build for DOCBOOK_TO_MAN containing spaces |
| 250 | + #837 Add missing #821 and #824 to 2.6.1 change log |
| 251 | + #838 #843 Version info bumped from 10:1:9 (libexpat*.so.1.9.1) |
| 252 | + to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/ |
| 253 | + for what these numbers do |
| 254 | + |
| 255 | + Special thanks to: |
| 256 | + Philippe Antoine |
| 257 | + Tomas Korbar |
| 258 | + and |
| 259 | + Clang UndefinedBehaviorSanitizer |
| 260 | + OSS-Fuzz / ClusterFuzz |
| 261 | + |
| 262 | +Release 2.6.1 Thu February 29 2024 |
| 263 | + Bug fixes: |
| 264 | + #817 Make tests independent of CPU speed, and thus more robust |
| 265 | + #828 #836 Expose billion laughs API with XML_DTD defined and |
| 266 | + XML_GE undefined, regression from 2.6.0 |
| 267 | + |
| 268 | + Other changes: |
| 269 | + #829 Hide test-only code behind new internal macro |
| 270 | + #833 Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P |
| 271 | + #821 #824 Autotools: Fix "make clean" for case: |
| 272 | + ./configure --without-docbook && make clean all |
| 273 | + #819 Address compiler warnings |
| 274 | + #832 #834 Version info bumped from 10:0:9 (libexpat*.so.1.9.0) |
| 275 | + to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/ |
| 276 | + for what these numbers do |
| 277 | + |
| 278 | + Infrastructure: |
| 279 | + #818 CI: Adapt to breaking changes in clang-format |
| 280 | + |
| 281 | + Special thanks to: |
| 282 | + David Hall |
| 283 | + Snild Dolkow |
4 | 284 |
|
5 | 285 | Release 2.6.0 Tue February 6 2024
|
6 | 286 | Security fixes:
|
|
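Review bot: the three new CVE-2024-45490, CVE-2024-45491 and CVE-2024-45492 entries under "Release 2.6.3" each misspell "arbitrary" as "artitrary" in "Impact is denial of service to potentially artitrary code execution"; fix the spelling before this lands, since these sentences are the ones distributions copy into their advisories. Two further lines look mangled in this rendering: the 2.7.0 entry "#935 #937 Autotools: Make generated CMake files look for libexpat.@ [email protected] on macOS" shows an e-mail-like token where a substitution pattern is expected, and the banner's contact line "please reach out via e-mail to [email protected]" shows a placeholder rather than an address; verify that the committed text carries the intended pattern and the intended address rather than what is displayed here.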