bfa566
%global unversion 2_2_5
bfa566
bfa566
Summary: An XML parser library
bfa566
Name: expat
bfa566
Version: %(echo %{unversion} | sed 's/_/./g')
d7717d
Release: 11%{?dist}
bfa566
Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
bfa566
URL: https://libexpat.github.io/
bfa566
License: MIT
bfa566
BuildRequires: autoconf, libtool, xmlto, gcc-c++
bfa566
Patch0: expat-2.2.5-doc2man.patch
f31154
Patch1: expat-2.2.5-CVE-2018-20843.patch
f31154
Patch2: expat-2.2.5-CVE-2019-15903.patch
bb3aa7
Patch3:	expat-2.2.5-Detect-and-prevent-integer-overflow-in-XML_GetBuffer.patch
bb3aa7
Patch4:	expat-2.2.5-Detect-and-prevent-troublesome-left-shifts.patch
bb3aa7
Patch5:	expat-2.2.5-Prevent-integer-overflow-on-m_groupSize-in-function.patch
bb3aa7
Patch6:	expat-2.2.5-Prevent-more-integer-overflows.patch
8ad338
Patch7: expat-2.2.5-Protect-against-malicious-namespace-declarations.patch
8ad338
Patch8: expat-2.2.5-Add-missing-validation-of-encoding.patch
8ad338
Patch9: expat-2.2.5-Prevent-integer-overflow-in-storeRawNames.patch
1581cb
Patch10: expat-2.2.5-Prevent-integer-overflow-in-copyString.patch
1581cb
Patch11: expat-2.2.5-Prevent-stack-exhaustion-in-build_model.patch
8353ed
Patch12: expat-2.2.5-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch
81c2b5
Patch13: expat-2.2.5-CVE-2022-43680.patch
bfa566
bfa566
%description
bfa566
This is expat, the C library for parsing XML, written by James Clark. Expat
bfa566
is a stream oriented XML parser. This means that you register handlers with
bfa566
the parser prior to starting the parse. These handlers are called when the
bfa566
parser discovers the associated structures in the document being parsed. A
bfa566
start tag is an example of the kind of structures for which you may
bfa566
register handlers.
bfa566
bfa566
%package devel
bfa566
Summary: Libraries and header files to develop applications using expat
bfa566
Requires: expat%{?_isa} = %{version}-%{release}
bfa566
bfa566
%description devel
bfa566
The expat-devel package contains the libraries, include files and documentation
bfa566
to develop XML applications with expat.
bfa566
bfa566
%package static
bfa566
Summary: expat XML parser static library
bfa566
Requires: expat-devel%{?_isa} = %{version}-%{release}
bfa566
bfa566
%description static
bfa566
The expat-static package contains the static version of the expat library.
bfa566
Install it if you need to link statically with expat.
bfa566
bfa566
%prep
bfa566
%setup -q -n libexpat-R_%{unversion}/expat
bfa566
%patch0 -p2 -b .doc2man
f31154
%patch1 -p2 -b .cve20843
f31154
%patch2 -p2 -b .cve15903
8ad338
%patch3 -p1 -b .CVE-2022-23852
8ad338
%patch4 -p1 -b .CVE-2021-45960
8ad338
%patch5 -p1 -b .CVE-2021-46143
8ad338
%patch6 -p1 -b .CVE-2022-22822-CVE-2022-22827
8ad338
%patch7 -p1 -b .CVE-2022-25236
8ad338
%patch8 -p1 -b .CVE-2022-25235
8ad338
%patch9 -p1 -b .CVE-2022-25315
1581cb
%patch10 -p1 -b .CVE-2022-25314
1581cb
%patch11 -p1 -b .CVE-2022-25313
8353ed
%patch12 -p1 -b .CVE-2022-40674
81c2b5
%patch13 -p1 -b .CVE-2022-43680
f31154
bfa566
sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
bfa566
./buildconf.sh
bfa566
bfa566
%build
bfa566
export CFLAGS="$RPM_OPT_FLAGS -fPIC"
bfa566
export DOCBOOK_TO_MAN="xmlto man --skip-validation"
bfa566
%configure
bfa566
make %{?_smp_mflags}
bfa566
bfa566
%install
bfa566
make install DESTDIR=$RPM_BUILD_ROOT
bfa566
bfa566
rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
bfa566
bfa566
%check
bfa566
make check
bfa566
bfa566
%ldconfig_scriptlets
bfa566
bfa566
%files
bfa566
%{!?_licensedir:%global license %%doc}
bfa566
%doc AUTHORS Changes
bfa566
%license COPYING
bfa566
%{_bindir}/*
bfa566
%{_libdir}/lib*.so.*
bfa566
%{_mandir}/*/*
bfa566
bfa566
%files devel
bfa566
%doc doc/reference.html doc/*.png doc/*.css examples/*.c
bfa566
%{_libdir}/lib*.so
bfa566
%{_libdir}/pkgconfig/*.pc
bfa566
%{_includedir}/*.h
bfa566
bfa566
%files static
bfa566
%{_libdir}/lib*.a
bfa566
bfa566
%changelog
d7717d
* Mon Nov 14 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-11
81c2b5
- CVE-2022-43680 expat: use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate
81c2b5
- Resolves: CVE-2022-43680
81c2b5
c1b657
* Fri Sep 30 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-10
8353ed
- Ensure raw tagnames are safe exiting internalEntityParser
8353ed
- Resolves: CVE-2022-40674
8353ed
c1b657
* Fri May 06 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-9
1581cb
- Fix multiple CVEs
1581cb
- Resolves: CVE-2022-25314
1581cb
- Resolves: CVE-2022-25313
1581cb
bb3aa7
* Mon Mar 14 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-8
bb3aa7
- Improve patch for CVE-2022-25236
8ad338
- Related: CVE-2022-25236
8ad338
bb3aa7
* Fri Mar 04 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-7
bb3aa7
- Fix patch for CVE-2022-25235
bb3aa7
- Resolves: CVE-2022-25235
bb3aa7
bb3aa7
* Thu Mar 03 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.5-6
8ad338
- Fix multiple CVEs
bb3aa7
- CVE-2022-25236 expat: namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution
bb3aa7
- CVE-2022-25235 expat: malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution
bb3aa7
- CVE-2022-25315 expat: integer overflow in storeRawNames()
8ad338
- Resolves: CVE-2022-25236
8ad338
- Resolves: CVE-2022-25235
8ad338
- Resolves: CVE-2022-25315
8ad338
bb3aa7
* Fri Feb 14 2022 Tomas Korbar <tkorbar@redhat.com> -  2.2.5-5
8ad338
- Fix multiple CVEs
8ad338
- CVE-2022-23852 expat: integer overflow in function XML_GetBuffer
8ad338
- CVE-2021-45960 expat: Large number of prefixed XML attributes on a single tag can crash libexpat
8ad338
- CVE-2021-46143 expat: Integer overflow in doProlog in xmlparse.c
8ad338
- CVE-2022-22827 Integer overflow in storeAtts in xmlparse.c
8ad338
- CVE-2022-22826 Integer overflow in nextScaffoldPart in xmlparse.c
8ad338
- CVE-2022-22825 Integer overflow in lookup in xmlparse.c
8ad338
- CVE-2022-22824 Integer overflow in defineAttribute in xmlparse.c
8ad338
- CVE-2022-22823 Integer overflow in build_model in xmlparse.c
8ad338
- CVE-2022-22822 Integer overflow in addBinding in xmlparse.c
8ad338
- Resolves: CVE-2022-23852
8ad338
- Resolves: CVE-2021-45960
8ad338
- Resolves: CVE-2021-46143
8ad338
- Resolves: CVE-2022-22827
8ad338
- Resolves: CVE-2022-22826
8ad338
- Resolves: CVE-2022-22825
8ad338
- Resolves: CVE-2022-22824
8ad338
- Resolves: CVE-2022-22823
8ad338
- Resolves: CVE-2022-22822
8ad338
f31154
* Fri Apr 24 2020 Joe Orton <jorton@redhat.com> - 2.2.5-4
f31154
- add security fixes for CVE-2018-20843, CVE-2019-15903
f31154
bfa566
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.5-3
bfa566
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
bfa566
bfa566
* Sat Feb 03 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.2.5-2
bfa566
- Switch to %%ldconfig_scriptlets
bfa566
bfa566
* Thu Nov  2 2017 Joe Orton <jorton@redhat.com> - 2.2.5-1
bfa566
- update to 2.2.5 (#1508667)
bfa566
bfa566
* Mon Aug 21 2017 Joe Orton <jorton@redhat.com> - 2.2.4-1
bfa566
- update to 2.2.4 (#1483359)
bfa566
bfa566
* Fri Aug  4 2017 Joe Orton <jorton@redhat.com> - 2.2.3-1
bfa566
- fix tests with unsigned char (upstream PR 109)
bfa566
- update to 2.2.3 (#1473266)
bfa566
bfa566
* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.2-4
bfa566
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
bfa566
bfa566
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.2-3
bfa566
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
bfa566
bfa566
* Fri Jul 14 2017 Joe Orton <jorton@redhat.com> - 2.2.2-2
bfa566
- update to 2.2.2 (#1470891)
bfa566
bfa566
* Fri Jul  7 2017 Joe Orton <jorton@redhat.com> - 2.2.1-2
bfa566
- trim unnecessary doc, examples content
bfa566
bfa566
* Mon Jun 19 2017 Joe Orton <jorton@redhat.com> - 2.2.1-1
bfa566
- update to 2.2.1 (#1462474)
bfa566
bfa566
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.0-2
bfa566
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
bfa566
bfa566
* Tue Jun 21 2016 Joe Orton <jorton@redhat.com> - 2.2.0-1
bfa566
- update to 2.2.0 (#1247348)
bfa566
bfa566
* Thu Jun 16 2016 Joe Orton <jorton@redhat.com> - 2.1.1-2
bfa566
- add security fixes for CVE-2016-0718, CVE-2012-6702, CVE-2016-5300,
bfa566
  CVE-2016-4472
bfa566
bfa566
* Mon Apr 18 2016 David Tardon <dtardon@redhat.com> - 2.1.1-1
bfa566
- new upstream release
bfa566
bfa566
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.0-13
bfa566
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
bfa566
bfa566
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.0-12
bfa566
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
bfa566
bfa566
* Sat Feb 21 2015 Till Maas <opensource@till.name> - 2.1.0-11
bfa566
- Rebuilt for Fedora 23 Change
bfa566
  https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
bfa566
bfa566
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.0-10
bfa566
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
bfa566
bfa566
* Sat Jul 12 2014 Tom Callaway <spot@fedoraproject.org> - 2.1.0-9
bfa566
- fix license handling
bfa566
bfa566
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.0-8
bfa566
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
bfa566
bfa566
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.0-7
bfa566
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
bfa566
bfa566
* Mon Jun 17 2013 Joe Orton <jorton@redhat.com> - 2.1.0-6
bfa566
- fix "xmlwf -h" output (#948534)
bfa566
bfa566
* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.0-5
bfa566
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
bfa566
bfa566
* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.0-4
bfa566
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
bfa566
bfa566
* Fri Apr 13 2012 Joe Orton <jorton@redhat.com> - 2.1.0-3
bfa566
- add -static subpackage (#722647)
bfa566
bfa566
* Fri Mar 30 2012 Joe Orton <jorton@redhat.com> - 2.1.0-1
bfa566
- ship .pc file, move library back to libdir (#808399)
bfa566
bfa566
* Mon Mar 26 2012 Joe Orton <jorton@redhat.com> - 2.1.0-1
bfa566
- update to 2.1.0 (#806602)
bfa566
bfa566
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.1-12
bfa566
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
bfa566
bfa566
* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.1-11
bfa566
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
bfa566
bfa566
* Mon Feb  8 2010 Joe Orton <jorton@redhat.com> - 2.0.1-10
bfa566
- revised fix for CVE-2009-3560 regression (#544996)
bfa566
bfa566
* Sun Jan 31 2010 Joe Orton <jorton@redhat.com> - 2.0.1-9
bfa566
- drop static libraries (#556046)
bfa566
- add fix for regression in CVE-2009-3560 patch (#544996)
bfa566
bfa566
* Tue Dec  1 2009 Joe Orton <jorton@redhat.com> - 2.0.1-8
bfa566
- add security fix for CVE-2009-3560 (#533174)
bfa566
- add security fix for CVE-2009-3720 (#531697)
bfa566
- run the test suite
bfa566
bfa566
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.1-7
bfa566
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
bfa566
bfa566
* Tue Feb 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.1-6
bfa566
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
bfa566
bfa566
* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 2.0.1-5
bfa566
- Autorebuild for GCC 4.3
bfa566
bfa566
* Wed Jan 23 2008 Joe Orton <jorton@redhat.com> 2.0.1-4
bfa566
- chmod 644 even more documentation (#429806)
bfa566
bfa566
* Tue Jan  8 2008 Joe Orton <jorton@redhat.com> 2.0.1-3
bfa566
- chmod 644 the documentation (#427950)
bfa566
bfa566
* Wed Aug 22 2007 Joe Orton <jorton@redhat.com> 2.0.1-2
bfa566
- rebuild
bfa566
bfa566
* Wed Aug  8 2007 Joe Orton <jorton@redhat.com> 2.0.1-1
bfa566
- update to 2.0.1
bfa566
- fix the License tag
bfa566
- drop the .la file
bfa566
bfa566
* Sun Feb  4 2007 Joe Orton <jorton@redhat.com> 1.95.8-10
bfa566
- remove trailing dot in Summary (#225742)
bfa566
- use preferred BuildRoot per packaging guidelines (#225742)
bfa566
bfa566
* Tue Jan 30 2007 Joe Orton <jorton@redhat.com> 1.95.8-9
bfa566
- regenerate configure/libtool correctly (#199361)
bfa566
- strip DSP files from examples (#186889)
bfa566
- fix expat.h compilation with g++ -pedantic (#190244)
bfa566
bfa566
* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1.95.8-8.2.1
bfa566
- rebuild
bfa566
bfa566
* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.95.8-8.2
bfa566
- bump again for double-long bug on ppc(64)
bfa566
bfa566
* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 1.95.8-8.1
bfa566
- rebuilt for new gcc4.1 snapshot and glibc changes
bfa566
bfa566
* Tue Jan 31 2006 Joe Orton <jorton@redhat.com> 1.95.8-8
bfa566
- restore .la file for apr-util
bfa566
bfa566
* Mon Jan 30 2006 Joe Orton <jorton@redhat.com> 1.95.8-7
bfa566
- move library to /lib (#178743)
bfa566
- omit .la file (#170031)
bfa566
bfa566
* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
bfa566
- rebuilt
bfa566
bfa566
* Tue Mar  8 2005 Joe Orton <jorton@redhat.com> 1.95.8-6
bfa566
- rebuild
bfa566
bfa566
* Thu Nov 25 2004 Ivana Varekova <varekova@redhat.com> 1.95.8
bfa566
- update to 1.95.8
bfa566
bfa566
* Wed Jun 16 2004 Jeff Johnson <jbj@jbj.org> 1.95.7-4
bfa566
- add -fPIC (#125586).
bfa566
bfa566
* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
bfa566
- rebuilt
bfa566
bfa566
* Fri Jun 11 2004 Jeff Johnson <jbj@jbj.org> 1.95.7-2
bfa566
- fix: malloc failure from dbus test suite (#124747).
bfa566
bfa566
* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
bfa566
- rebuilt
bfa566
bfa566
* Sun Feb 22 2004 Joe Orton <jorton@redhat.com> 1.95.7-1
bfa566
- update to 1.95.7, include COPYING file in main package
bfa566
bfa566
* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
bfa566
- rebuilt
bfa566
bfa566
* Wed Sep 17 2003 Matt Wilson <msw@redhat.com> 1.95.5-6
bfa566
- rebuild again for #91211
bfa566
bfa566
* Tue Sep 16 2003 Matt Wilson <msw@redhat.com> 1.95.5-5
bfa566
- rebuild to fix gzip'ed file md5sums (#91211)
bfa566
bfa566
* Tue Jun 17 2003 Jeff Johnson <jbj@redhat.com> 1.95.5-4
bfa566
- rebuilt because of crt breakage on ppc64.
bfa566
bfa566
* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
bfa566
- rebuilt
bfa566
bfa566
* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
bfa566
- rebuilt
bfa566
bfa566
* Mon Nov 11 2002 Jeff Johnson <jbj@redhat.com> 1.95.5-1
bfa566
- update to 1.95.5.
bfa566
bfa566
* Mon Aug 19 2002 Trond Eivind Glomsrød <teg@redhat.com> 1,95.4-1
bfa566
- 1.95.4. 1.95.3 was withdrawn by the expat developers.
bfa566
bfa566
* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
bfa566
- automated rebuild
bfa566
bfa566
* Thu Jun  6 2002 Trond Eivind Glomsrød <teg@redhat.com> 1,95.3-1
bfa566
- 1.95.3
bfa566
bfa566
* Thu May 23 2002 Tim Powers <timp@redhat.com>
bfa566
- automated rebuild
bfa566
bfa566
* Fri Mar 22 2002 Trond Eivind Glomsrød <teg@redhat.com>
bfa566
- Change a prereq in -devel on main package to a req
bfa566
- License from MIT/X11 to BSD
bfa566
bfa566
* Mon Mar 11 2002 Trond Eivind Glomsrød <teg@redhat.com>
bfa566
- 1.95.2
bfa566
bfa566
* Sun Jun 24 2001 Elliot Lee <sopwith@redhat.com>
bfa566
- Bump release + rebuild.
bfa566
bfa566
* Tue Oct 24 2000 Jeff Johnson <jbj@redhat.com>
bfa566
- update to 1.95.1
bfa566
bfa566
* Sun Oct  8 2000 Jeff Johnson <jbj@redhat.com>
bfa566
- Create.