1 changed files with 91 additions and 61 deletions
--- a/SPECS/expat.spec
+++ b/SPECS/expat.spec
@ -1,11 +1,10 @@
-%global unversion 2_5_0
-
 Summary: An XML parser library
 Name: expat
-Version: %(echo %{unversion} | sed 's/_/./g')
-Release: 1%{?dist}
-Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
+Version: 2.5.0
+Release: 6%{?dist}
+Source: https://github.com/libexpat/libexpat/archive/R_2_5_0.tar.gz#/expat-%{version}.tar.gz
 URL: https://libexpat.github.io/
+VCS: git:https://github.com/libexpat/libexpat.git
 License: MIT
 BuildRequires: autoconf, libtool, xmlto, gcc-c++
 BuildRequires: make
@ -23,7 +22,7 @@ Patch4: expat-2.5.0-CVE-2024-45492.patch
 Patch5: expat-2.5.0-CVE-2024-50602.patch
 # https://issues.redhat.com/browse/RHEL-57489
 Patch6: expat-2.5.0-CVE-2024-8176.patch
-# https://issues.redhat.com/browse/RHEL-114618
+# https://issues.redhat.com/browse/RHEL-114643
 Patch7: expat-2.5.0-CVE-2025-59375.patch

 %description
@ -51,7 +50,7 @@ The expat-static package contains the static version of the expat library.
 Install it if you need to link statically with expat.

 %prep
-%setup -q -n libexpat-R_%{unversion}/expat
+%setup -q -n libexpat-R_2_5_0/expat
 pushd ..
 %patch0 -p1 -b .CVE-2023-52425
 %patch1 -p1 -b .CVE-2024-28757
@ -70,21 +69,21 @@ sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
 export CFLAGS="$RPM_OPT_FLAGS -fPIC"
 export DOCBOOK_TO_MAN="xmlto man --skip-validation"
 %configure
-make %{?_smp_mflags}
+%make_build

 %install
-make install DESTDIR=$RPM_BUILD_ROOT
+%make_install

 rm -f $RPM_BUILD_ROOT%{_libdir}/*.la

 %check
 bash -c "for i in {1..500000}; do printf AAAAAAAAAAAAAAAAAAAA >> achars.txt; done"
 for testfile in ../testdata/largefiles/aaaaaa_*; do
-        first_part="$(sed 's/\(.*\)ACHARS.*/\1/g' $testfile)"
-        second_part="$(sed 's/.*ACHARS\(.*\)/\1/g' $testfile)"
-        printf "$first_part" > "$testfile"
-        cat achars.txt >> "$testfile"
-        printf "$second_part" >> "$testfile"
+	first_part="$(sed 's/\(.*\)ACHARS.*/\1/g' $testfile)"
+	second_part="$(sed 's/.*ACHARS\(.*\)/\1/g' $testfile)"
+	printf "$first_part" > "$testfile"
+	cat achars.txt >> "$testfile"
+	printf "$second_part" >> "$testfile"
 done

 make check
@ -92,7 +91,6 @@ make check
 %ldconfig_scriptlets

 %files
-%{!?_licensedir:%global license %%doc}
 %doc AUTHORS Changes
 %license COPYING
 %{_bindir}/*
@ -110,61 +108,50 @@ make check
 %{_libdir}/lib*.a

 %changelog
-* Wed Nov 19 2025 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-1
- Rebase to version 2.5.0
+* Tue Dec 02 2025 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-6
 - Fix CVE-2025-59375
- Resolves: RHEL-114618
+- Resolves: RHEL-114643

-* Mon Apr 07 2025 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-17
+* Mon Mar 31 2025 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-5
 - Fix CVE-2024-8176
- Resolves: RHEL-57477
+- Resolves: RHEL-57489

-* Fri Nov 08 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-16
+* Thu Nov 07 2024 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-4
 - Fix CVE-2024-50602
- Resolves: RHEL-65062
+- Resolves: RHEL-65066

-* Wed Sep 11 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-15
- Rebuild for test reconfiguration
+* Wed Oct 09 2024 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-3
+- Fix CVE-2024-45490, CVE-2024-45491, CVE-2024-45492
+- Resolves: RHEL-56761
+- Resolves: RHEL-57520
+- Resolves: RHEL-57511

-* Wed Sep 11 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-14
- Fix multiple CVEs
- Fix CVE-2024-45492 integer overflow
- Fix CVE-2024-45491 Integer Overflow or Wraparound
- Fix CVE-2024-45490 Negative Length Parsing Vulnerability
- Resolves: RHEL-57505
- Resolves: RHEL-57493
- Resolves: RHEL-56751
+* Tue Feb 13 2024 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-2
+- Fix parsing of large tokens
+- Reject direct parameter entity recursion
+- Resolves: RHEL-29699
+- Resolves: RHEL-29696

-* Tue Mar 26 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-13
- Fix wrongly exposed variables
- Resolves: RHEL-29321
-
-* Thu Mar 21 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-12
- CVE-2023-52425 expat: parsing large tokens can trigger a denial of service
- Resolves: RHEL-29321
-
-* Mon Nov 14 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-11
- CVE-2022-43680 expat: use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate
+* Thu Nov 10 2022 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-1
+- Rebase to version 2.5.0
 - Resolves: CVE-2022-43680

-* Fri Sep 30 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-10
- Ensure raw tagnames are safe exiting internalEntityParser
+* Thu Sep 29 2022 Tomas Korbar <tkorbar@redhat.com> - 2.4.9-1
+- Rebase to version 2.4.9
 - Resolves: CVE-2022-40674

-* Fri May 06 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-9
- Fix multiple CVEs
- Resolves: CVE-2022-25314
+* Tue Apr 26 2022 Tomas Korbar <tkorbar@redhat.com> -  2.4.7-1
+- Rebase to version 2.4.7
+- Resolves: rhbz#2067201
 - Resolves: CVE-2022-25313
+- Resolves: CVE-2022-25314
+- Resolves: CVE-2022-25236

-* Mon Mar 14 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-8
- Improve patch for CVE-2022-25236
+* Mon Mar 14 2022 Tomas Korbar <tkorbar@redhat.com> -  2.2.10-11
+- Improve fix for CVE-2022-25236
 - Related: CVE-2022-25236

-* Fri Mar 04 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-7
- Fix patch for CVE-2022-25235
- Resolves: CVE-2022-25235
-
-* Thu Mar 03 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-6
+* Mon Feb 28 2022 Tomas Korbar <tkorbar@redhat.com> -  2.2.10-10
 - Fix multiple CVEs
 - CVE-2022-25236 expat: namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution
 - CVE-2022-25235 expat: malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution
@ -173,20 +160,25 @@ make check
 - Resolves: CVE-2022-25235
 - Resolves: CVE-2022-25315

-* Fri Feb 14 2022 Tomas Korbar <tkorbar@redhat.com> -  2.2.5-5
- Fix multiple CVEs
+* Thu Feb 10 2022 Tomas Korbar <tkorbar@redhat.com> -  2.2.10-9
 - CVE-2022-23852 expat: integer overflow in function XML_GetBuffer
+- Resolves: CVE-2022-23852
+
+* Thu Feb 10 2022 Tomas Korbar <tkorbar@redhat.com> -  2.2.10-8
 - CVE-2021-45960 expat: Large number of prefixed XML attributes on a single tag can crash libexpat
+- Resolves: CVE-2021-45960
+
+* Wed Feb 09 2022 Tomas Korbar <tkorbar@redhat.com> -  2.2.10-7
 - CVE-2021-46143 expat: Integer overflow in doProlog in xmlparse.c
+- Resolves: CVE-2021-46143
+
+* Wed Feb 09 2022 Tomas Korbar <tkorbar@redhat.com> -  2.2.10-6
 - CVE-2022-22827 Integer overflow in storeAtts in xmlparse.c
 - CVE-2022-22826 Integer overflow in nextScaffoldPart in xmlparse.c
 - CVE-2022-22825 Integer overflow in lookup in xmlparse.c
 - CVE-2022-22824 Integer overflow in defineAttribute in xmlparse.c
 - CVE-2022-22823 Integer overflow in build_model in xmlparse.c
 - CVE-2022-22822 Integer overflow in addBinding in xmlparse.c
- Resolves: CVE-2022-23852
- Resolves: CVE-2021-45960
- Resolves: CVE-2021-46143
 - Resolves: CVE-2022-22827
 - Resolves: CVE-2022-22826
 - Resolves: CVE-2022-22825
@ -194,8 +186,46 @@ make check
 - Resolves: CVE-2022-22823
 - Resolves: CVE-2022-22822

-* Fri Apr 24 2020 Joe Orton <jorton@redhat.com> - 2.2.5-4
- add security fixes for CVE-2018-20843, CVE-2019-15903
+* Mon Feb 07 2022 Tomas Korbar <tkorbar@redhat.com> -  2.2.10-5
+- CVE-2022-23990 expat: integer overflow in the doProlog function
+- Resolve: rhbz#2050503
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.2.10-4
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.2.10-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Nov 13 2020 Joe Orton <jorton@redhat.com> - 2.2.10-1
+- update to 2.2.10 (#1884940)
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Sep 16 2019 Joe Orton <jorton@redhat.com> - 2.2.8-1
+- update to 2.2.8 (#1752167)
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jun 27 2019 Joe Orton <jorton@redhat.com> - 2.2.7-1
+- update to 2.2.7 (#1723724, #1722224)
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Aug 15 2018 Joe Orton <jorton@redhat.com> - 2.2.6-1
+- update to 2.2.6
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.5-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild