From bb3aa7776e4dd14bc33753ca6cb03353115c41d3 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 10 2022 07:20:36 +0000 Subject: import expat-2.2.5-8.el8 --- diff --git a/SPECS/expat.spec b/SPECS/expat.spec index bd8232e..6fc6f49 100644 --- a/SPECS/expat.spec +++ b/SPECS/expat.spec @@ -3,7 +3,7 @@ Summary: An XML parser library Name: expat Version: %(echo %{unversion} | sed 's/_/./g') -Release: 4%{?dist}.3 +Release: 8%{?dist} Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz URL: https://libexpat.github.io/ License: MIT @@ -11,10 +11,10 @@ BuildRequires: autoconf, libtool, xmlto, gcc-c++ Patch0: expat-2.2.5-doc2man.patch Patch1: expat-2.2.5-CVE-2018-20843.patch Patch2: expat-2.2.5-CVE-2019-15903.patch -Patch3: expat-2.2.5-Detect-and-prevent-integer-overflow-in-XML_GetBuffer.patch -Patch4: expat-2.2.5-Detect-and-prevent-troublesome-left-shifts.patch -Patch5: expat-2.2.5-Prevent-integer-overflow-on-m_groupSize-in-function.patch -Patch6: expat-2.2.5-Prevent-more-integer-overflows.patch +Patch3: expat-2.2.5-Detect-and-prevent-integer-overflow-in-XML_GetBuffer.patch +Patch4: expat-2.2.5-Detect-and-prevent-troublesome-left-shifts.patch +Patch5: expat-2.2.5-Prevent-integer-overflow-on-m_groupSize-in-function.patch +Patch6: expat-2.2.5-Prevent-more-integer-overflows.patch Patch7: expat-2.2.5-Protect-against-malicious-namespace-declarations.patch Patch8: expat-2.2.5-Add-missing-validation-of-encoding.patch Patch9: expat-2.2.5-Prevent-integer-overflow-in-storeRawNames.patch @@ -93,17 +93,24 @@ make check %{_libdir}/lib*.a %changelog -* Tue Mar 15 2022 Tomas Korbar - 2.2.5-4.3 -- Improve fix for CVE-2022-25236 +* Mon Mar 14 2022 Tomas Korbar - 2.2.5-8 +- Improve patch for CVE-2022-25236 - Related: CVE-2022-25236 -* Mon Mar 07 2022 Tomas Korbar - 2.2.5-4.2 +* Fri Mar 04 2022 Tomas Korbar - 2.2.5-7 +- Fix patch for CVE-2022-25235 +- Resolves: CVE-2022-25235 + +* Thu Mar 03 2022 Tomas Korbar - 2.2.5-6 - Fix multiple CVEs +- CVE-2022-25236 expat: namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution +- CVE-2022-25235 expat: malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution +- CVE-2022-25315 expat: integer overflow in storeRawNames() - Resolves: CVE-2022-25236 - Resolves: CVE-2022-25235 - Resolves: CVE-2022-25315 -* Wed Feb 16 2022 Tomas Korbar - 2.2.5-4.1 +* Fri Feb 14 2022 Tomas Korbar - 2.2.5-5 - Fix multiple CVEs - CVE-2022-23852 expat: integer overflow in function XML_GetBuffer - CVE-2021-45960 expat: Large number of prefixed XML attributes on a single tag can crash libexpat