rpms/expat
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c9s
rpms:c10s
rpms:c9
rpms:c8s
rpms:c9s-CVE-2025-59375
rpms:c10
rpms:c9-beta
rpms:c9s-plans-gating-update
rpms:c8-beta
rpms:imports/c10s/expat-2.7.3-1.el10
rpms:imports/c9/expat-2.5.0-5.el9_7.1
rpms:imports/c8/expat-2.5.0-1.el8_10
rpms:imports/c10/expat-2.7.1-1.el10_1.3
rpms:imports/c10/expat-2.7.1-1.el10_0.3
rpms:imports/c10s/expat-2.7.1-2.el10
rpms:imports/c10/expat-2.7.1-1.el10_0
rpms:imports/c9/expat-2.5.0-5.el9_6
rpms:imports/c8/expat-2.2.5-17.el8_10
rpms:imports/c9/expat-2.5.0-3.el9_5.3
rpms:imports/c10s/expat-2.7.1-1.el10
rpms:imports/c10s/expat-2.7.0-1.el10
rpms:imports/c9-beta/expat-2.5.0-4.el9
rpms:imports/c9/expat-2.5.0-3.el9_5.1
rpms:imports/c8/expat-2.2.5-16.el8_10
rpms:imports/c10s/expat-2.6.4-1.el10
rpms:imports/c10s/expat-2.6.2-2.el10
rpms:imports/c8/expat-2.2.5-15.el8_10
rpms:imports/c9/expat-2.5.0-2.el9_4.1
rpms:imports/c10s/expat-2.6.2-1.el10
rpms:imports/c8/expat-2.2.5-13.el8_10
rpms:imports/c9/expat-2.5.0-2.el9_4
rpms:imports/c8/expat-2.2.5-11.el8_9.1
rpms:imports/c8/expat-2.2.5-11.el8
rpms:imports/c9/expat-2.5.0-1.el9
rpms:imports/c9-beta/expat-2.5.0-1.el9
rpms:imports/c8-beta/expat-2.2.5-11.el8
rpms:imports/c9/expat-2.4.9-1.el9_1.1
rpms:imports/c8/expat-2.2.5-10.el8_7.1
rpms:imports/c8s/expat-2.2.5-11.el8
rpms:imports/c8s/expat-2.2.5-10.el8_7.1
rpms:imports/c9/expat-2.4.9-1.el9_1
rpms:imports/c8/expat-2.2.5-10.el8
rpms:imports/c8/expat-2.2.5-8.el8_6.3
rpms:imports/c8s/expat-2.2.5-10.el8
rpms:imports/c9/expat-2.2.10-12.el9_0.3
rpms:imports/c9-beta/expat-2.4.7-1.el9
rpms:imports/c8-beta/expat-2.2.5-9.el8
rpms:imports/c8/expat-2.2.5-8.el8_6.2
rpms:imports/c9/expat-2.2.10-12.el9_0.2
rpms:imports/c9/expat-2.2.10-12.el9_0
rpms:imports/c8/expat-2.2.5-8.el8
rpms:imports/c8s/expat-2.2.5-9.el8
rpms:imports/c9-beta/expat-2.2.10-12.el9_0
rpms:imports/c8-beta/expat-2.2.5-5.el8
rpms:imports/c8s/expat-2.2.5-8.el8
rpms:imports/c8/expat-2.2.5-4.el8_5.3
rpms:imports/c9-beta/expat-2.2.10-9.el9
rpms:imports/c8s/expat-2.2.5-5.el8
rpms:imports/c9-beta/expat-2.2.10-4.el9
rpms:imports/c8-beta/expat-2.2.5-4.el8
rpms:imports/c8-beta/expat-2.2.5-3.el8
rpms:imports/c8s/expat-2.2.5-4.el8
rpms:imports/c8/expat-2.2.5-4.el8
rpms:imports/c8/expat-2.2.5-3.el8
...
pull from: rpms:c9-beta
Branches Tags
rpms:c9s
rpms:c10s
rpms:c9
rpms:c8
rpms:c8s
rpms:c9s-CVE-2025-59375
rpms:c10
rpms:c9-beta
rpms:c9s-plans-gating-update
rpms:c8-beta
rpms:imports/c10s/expat-2.7.3-1.el10
rpms:imports/c9/expat-2.5.0-5.el9_7.1
rpms:imports/c8/expat-2.5.0-1.el8_10
rpms:imports/c10/expat-2.7.1-1.el10_1.3
rpms:imports/c10/expat-2.7.1-1.el10_0.3
rpms:imports/c10s/expat-2.7.1-2.el10
rpms:imports/c10/expat-2.7.1-1.el10_0
rpms:imports/c9/expat-2.5.0-5.el9_6
rpms:imports/c8/expat-2.2.5-17.el8_10
rpms:imports/c9/expat-2.5.0-3.el9_5.3
rpms:imports/c10s/expat-2.7.1-1.el10
rpms:imports/c10s/expat-2.7.0-1.el10
rpms:imports/c9-beta/expat-2.5.0-4.el9
rpms:imports/c9/expat-2.5.0-3.el9_5.1
rpms:imports/c8/expat-2.2.5-16.el8_10
rpms:imports/c10s/expat-2.6.4-1.el10
rpms:imports/c10s/expat-2.6.2-2.el10
rpms:imports/c8/expat-2.2.5-15.el8_10
rpms:imports/c9/expat-2.5.0-2.el9_4.1
rpms:imports/c10s/expat-2.6.2-1.el10
rpms:imports/c8/expat-2.2.5-13.el8_10
rpms:imports/c9/expat-2.5.0-2.el9_4
rpms:imports/c8/expat-2.2.5-11.el8_9.1
rpms:imports/c8/expat-2.2.5-11.el8
rpms:imports/c9/expat-2.5.0-1.el9
rpms:imports/c9-beta/expat-2.5.0-1.el9
rpms:imports/c8-beta/expat-2.2.5-11.el8
rpms:imports/c9/expat-2.4.9-1.el9_1.1
rpms:imports/c8/expat-2.2.5-10.el8_7.1
rpms:imports/c8s/expat-2.2.5-11.el8
rpms:imports/c8s/expat-2.2.5-10.el8_7.1
rpms:imports/c9/expat-2.4.9-1.el9_1
rpms:imports/c8/expat-2.2.5-10.el8
rpms:imports/c8/expat-2.2.5-8.el8_6.3
rpms:imports/c8s/expat-2.2.5-10.el8
rpms:imports/c9/expat-2.2.10-12.el9_0.3
rpms:imports/c9-beta/expat-2.4.7-1.el9
rpms:imports/c8-beta/expat-2.2.5-9.el8
rpms:imports/c8/expat-2.2.5-8.el8_6.2
rpms:imports/c9/expat-2.2.10-12.el9_0.2
rpms:imports/c9/expat-2.2.10-12.el9_0
rpms:imports/c8/expat-2.2.5-8.el8
rpms:imports/c8s/expat-2.2.5-9.el8
rpms:imports/c9-beta/expat-2.2.10-12.el9_0
rpms:imports/c8-beta/expat-2.2.5-5.el8
rpms:imports/c8s/expat-2.2.5-8.el8
rpms:imports/c8/expat-2.2.5-4.el8_5.3
rpms:imports/c9-beta/expat-2.2.10-9.el9
rpms:imports/c8s/expat-2.2.5-5.el8
rpms:imports/c9-beta/expat-2.2.10-4.el9
rpms:imports/c8-beta/expat-2.2.5-4.el8
rpms:imports/c8-beta/expat-2.2.5-3.el8
rpms:imports/c8s/expat-2.2.5-4.el8
rpms:imports/c8/expat-2.2.5-4.el8
rpms:imports/c8/expat-2.2.5-3.el8

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

3 changed files with 82 additions and 3126 deletions
Show Stats Expand all files Collapse all files

1535
SOURCES/expat-2.5.0-CVE-2024-8176.patch
View File

File diff suppressed because it is too large Load Diff

1526
SOURCES/expat-2.5.0-CVE-2025-59375.patch
View File

File diff suppressed because it is too large Load Diff

147
SPECS/expat.spec
View File

@ -3,7 +3,7 @@
Summary: An XML parser library
Name: expat
Version: %(echo %{unversion} | sed 's/_/./g')
Release: 1%{?dist}
Release: 4%{?dist}
Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
URL: https://libexpat.github.io/
License: MIT
@ -21,10 +21,6 @@ Patch3: expat-2.5.0-CVE-2024-45491.patch
Patch4: expat-2.5.0-CVE-2024-45492.patch
# https://issues.redhat.com/browse/RHEL-65066
Patch5: expat-2.5.0-CVE-2024-50602.patch
# https://issues.redhat.com/browse/RHEL-57489
Patch6: expat-2.5.0-CVE-2024-8176.patch
# https://issues.redhat.com/browse/RHEL-114618
Patch7: expat-2.5.0-CVE-2025-59375.patch
%description
This is expat, the C library for parsing XML, written by James Clark. Expat
@ -59,8 +55,6 @@ pushd ..
%patch3 -p1 -b .CVE-2024-45491
%patch4 -p1 -b .CVE-2024-45492
%patch5 -p1 -b .CVE-2024-50602
%patch6 -p1 -b .CVE-2024-8176
%patch7 -p1 -b .CVE-2025-59375
popd
sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
@ -70,21 +64,21 @@ sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
export CFLAGS="$RPM_OPT_FLAGS -fPIC"
export DOCBOOK_TO_MAN="xmlto man --skip-validation"
%configure
make %{?_smp_mflags}
%make_build
%install
make install DESTDIR=$RPM_BUILD_ROOT
%make_install
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
%check
bash -c "for i in {1..500000}; do printf AAAAAAAAAAAAAAAAAAAA >> achars.txt; done"
for testfile in ../testdata/largefiles/aaaaaa_*; do
first_part="$(sed 's/\(.*\)ACHARS.*/\1/g' $testfile)"
second_part="$(sed 's/.*ACHARS\(.*\)/\1/g' $testfile)"
printf "$first_part" > "$testfile"
cat achars.txt >> "$testfile"
printf "$second_part" >> "$testfile"
first_part="$(sed 's/\(.*\)ACHARS.*/\1/g' $testfile)"
second_part="$(sed 's/.*ACHARS\(.*\)/\1/g' $testfile)"
printf "$first_part" > "$testfile"
cat achars.txt >> "$testfile"
printf "$second_part" >> "$testfile"
done
make check
@ -92,7 +86,6 @@ make check
%ldconfig_scriptlets
%files
%{!?_licensedir:%global license %%doc}
%doc AUTHORS Changes
%license COPYING
%{_bindir}/*
@ -110,61 +103,42 @@ make check
%{_libdir}/lib*.a
%changelog
* Wed Nov 19 2025 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-1
- Rebase to version 2.5.0
- Fix CVE-2025-59375
- Resolves: RHEL-114618
* Mon Apr 07 2025 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-17
- Fix CVE-2024-8176
- Resolves: RHEL-57477
* Fri Nov 08 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-16
* Thu Nov 07 2024 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-4
- Fix CVE-2024-50602
- Resolves: RHEL-65062
- Resolves: RHEL-65066
* Wed Sep 11 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-15
- Rebuild for test reconfiguration
* Wed Oct 09 2024 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-3
- Fix CVE-2024-45490, CVE-2024-45491, CVE-2024-45492
- Resolves: RHEL-56761
- Resolves: RHEL-57520
- Resolves: RHEL-57511
* Wed Sep 11 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-14
- Fix multiple CVEs
- Fix CVE-2024-45492 integer overflow
- Fix CVE-2024-45491 Integer Overflow or Wraparound
- Fix CVE-2024-45490 Negative Length Parsing Vulnerability
- Resolves: RHEL-57505
- Resolves: RHEL-57493
- Resolves: RHEL-56751
* Tue Feb 13 2024 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-2
- Fix parsing of large tokens
- Reject direct parameter entity recursion
- Resolves: RHEL-29699
- Resolves: RHEL-29696
* Tue Mar 26 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-13
- Fix wrongly exposed variables
- Resolves: RHEL-29321
* Thu Mar 21 2024 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-12
- CVE-2023-52425 expat: parsing large tokens can trigger a denial of service
- Resolves: RHEL-29321
* Mon Nov 14 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-11
- CVE-2022-43680 expat: use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate
* Thu Nov 10 2022 Tomas Korbar <tkorbar@redhat.com> - 2.5.0-1
- Rebase to version 2.5.0
- Resolves: CVE-2022-43680
* Fri Sep 30 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-10
- Ensure raw tagnames are safe exiting internalEntityParser
* Thu Sep 29 2022 Tomas Korbar <tkorbar@redhat.com> - 2.4.9-1
- Rebase to version 2.4.9
- Resolves: CVE-2022-40674
* Fri May 06 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-9
- Fix multiple CVEs
- Resolves: CVE-2022-25314
* Tue Apr 26 2022 Tomas Korbar <tkorbar@redhat.com> - 2.4.7-1
- Rebase to version 2.4.7
- Resolves: rhbz#2067201
- Resolves: CVE-2022-25313
- Resolves: CVE-2022-25314
- Resolves: CVE-2022-25236
* Mon Mar 14 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-8
- Improve patch for CVE-2022-25236
* Mon Mar 14 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-11
- Improve fix for CVE-2022-25236
- Related: CVE-2022-25236
* Fri Mar 04 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-7
- Fix patch for CVE-2022-25235
- Resolves: CVE-2022-25235
* Thu Mar 03 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-6
* Mon Feb 28 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-10
- Fix multiple CVEs
- CVE-2022-25236 expat: namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution
- CVE-2022-25235 expat: malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution
@ -173,20 +147,25 @@ make check
- Resolves: CVE-2022-25235
- Resolves: CVE-2022-25315
* Fri Feb 14 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-5
- Fix multiple CVEs
* Thu Feb 10 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-9
- CVE-2022-23852 expat: integer overflow in function XML_GetBuffer
- Resolves: CVE-2022-23852
* Thu Feb 10 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-8
- CVE-2021-45960 expat: Large number of prefixed XML attributes on a single tag can crash libexpat
- Resolves: CVE-2021-45960
* Wed Feb 09 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-7
- CVE-2021-46143 expat: Integer overflow in doProlog in xmlparse.c
- Resolves: CVE-2021-46143
* Wed Feb 09 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-6
- CVE-2022-22827 Integer overflow in storeAtts in xmlparse.c
- CVE-2022-22826 Integer overflow in nextScaffoldPart in xmlparse.c
- CVE-2022-22825 Integer overflow in lookup in xmlparse.c
- CVE-2022-22824 Integer overflow in defineAttribute in xmlparse.c
- CVE-2022-22823 Integer overflow in build_model in xmlparse.c
- CVE-2022-22822 Integer overflow in addBinding in xmlparse.c
- Resolves: CVE-2022-23852
- Resolves: CVE-2021-45960
- Resolves: CVE-2021-46143
- Resolves: CVE-2022-22827
- Resolves: CVE-2022-22826
- Resolves: CVE-2022-22825
@ -194,8 +173,46 @@ make check
- Resolves: CVE-2022-22823
- Resolves: CVE-2022-22822
* Fri Apr 24 2020 Joe Orton <jorton@redhat.com> - 2.2.5-4
- add security fixes for CVE-2018-20843, CVE-2019-15903
* Mon Feb 07 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-5
- CVE-2022-23990 expat: integer overflow in the doProlog function
- Resolve: rhbz#2050503
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.2.10-4
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.2.10-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Nov 13 2020 Joe Orton <jorton@redhat.com> - 2.2.10-1
- update to 2.2.10 (#1884940)
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Sep 16 2019 Joe Orton <jorton@redhat.com> - 2.2.8-1
- update to 2.2.8 (#1752167)
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Jun 27 2019 Joe Orton <jorton@redhat.com> - 2.2.7-1
- update to 2.2.7 (#1723724, #1722224)
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Aug 15 2018 Joe Orton <jorton@redhat.com> - 2.2.6-1
- update to 2.2.6
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.5-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild