diff --git a/.expat.metadata b/.expat.metadata
index eb70785..2c088e1 100644
--- a/.expat.metadata
+++ b/.expat.metadata
@@ -1 +1 @@
-a2a0f172dd3346b520918331b7480d4d30557439 SOURCES/expat-2.2.10.tar.gz
+71bc4b192e54040b41d98e5a49aca5e18e27485b SOURCES/expat-2.4.9.tar.gz
diff --git a/.gitignore b/.gitignore
index b5e40bd..37fcacc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/expat-2.2.10.tar.gz
+SOURCES/expat-2.4.9.tar.gz
diff --git a/SOURCES/expat-2.2.10-Add-missing-validation-of-encoding.patch b/SOURCES/expat-2.2.10-Add-missing-validation-of-encoding.patch
deleted file mode 100644
index 2d526c2..0000000
--- a/SOURCES/expat-2.2.10-Add-missing-validation-of-encoding.patch
+++ /dev/null
@@ -1,281 +0,0 @@
-From ee2a5b50e7d1940ba8745715b62ceb9efd3a96da Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Tue, 8 Feb 2022 17:37:14 +0100
-Subject: [PATCH 1/5] lib: Drop unused macro UTF8_GET_NAMING
-
----
- expat/lib/xmltok.c | 5 -----
- 1 file changed, 5 deletions(-)
-
-diff --git a/lib/xmltok.c b/lib/xmltok.c
-index a72200e8..3bddf125 100644
---- a/lib/xmltok.c
-+++ b/lib/xmltok.c
-@@ -98,11 +98,6 @@
- + ((((byte)[1]) & 3) << 1) + ((((byte)[2]) >> 5) & 1)] \
- & (1u << (((byte)[2]) & 0x1F)))
-
--#define UTF8_GET_NAMING(pages, p, n) \
-- ((n) == 2 \
-- ? UTF8_GET_NAMING2(pages, (const unsigned char *)(p)) \
-- : ((n) == 3 ? UTF8_GET_NAMING3(pages, (const unsigned char *)(p)) : 0))
--
- /* Detection of invalid UTF-8 sequences is based on Table 3.1B
- of Unicode 3.2: http://www.unicode.org/unicode/reports/tr28/
- with the additional restriction of not allowing the Unicode
-
-From 3f0a0cb644438d4d8e3294cd0b1245d0edb0c6c6 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Tue, 8 Feb 2022 04:32:20 +0100
-Subject: [PATCH 2/5] lib: Add missing validation of encoding (CVE-2022-25235)
-
----
- expat/lib/xmltok_impl.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/lib/xmltok_impl.c b/lib/xmltok_impl.c
-index 0430591b..64a3b2c1 100644
---- a/lib/xmltok_impl.c
-+++ b/lib/xmltok_impl.c
-@@ -69,7 +69,7 @@
- case BT_LEAD##n: \
- if (end - ptr < n) \
- return XML_TOK_PARTIAL_CHAR; \
-- if (! IS_NAME_CHAR(enc, ptr, n)) { \
-+ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NAME_CHAR(enc, ptr, n)) { \
- *nextTokPtr = ptr; \
- return XML_TOK_INVALID; \
- } \
-@@ -98,7 +98,7 @@
- case BT_LEAD##n: \
- if (end - ptr < n) \
- return XML_TOK_PARTIAL_CHAR; \
-- if (! IS_NMSTRT_CHAR(enc, ptr, n)) { \
-+ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NMSTRT_CHAR(enc, ptr, n)) { \
- *nextTokPtr = ptr; \
- return XML_TOK_INVALID; \
- } \
-@@ -1142,6 +1142,10 @@ PREFIX(prologTok)(const ENCODING *enc, const char *ptr, const char *end,
- case BT_LEAD##n: \
- if (end - ptr < n) \
- return XML_TOK_PARTIAL_CHAR; \
-+ if (IS_INVALID_CHAR(enc, ptr, n)) { \
-+ *nextTokPtr = ptr; \
-+ return XML_TOK_INVALID; \
-+ } \
- if (IS_NMSTRT_CHAR(enc, ptr, n)) { \
- ptr += n; \
- tok = XML_TOK_NAME; \
-
-From c85a3025e7a1be086dc34e7559fbc543914d047f Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Wed, 9 Feb 2022 01:00:38 +0100
-Subject: [PATCH 3/5] lib: Add comments to BT_LEAD* cases where encoding has
- already been validated
-
----
- expat/lib/xmltok_impl.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/lib/xmltok_impl.c b/lib/xmltok_impl.c
-index 64a3b2c1..84ff35f9 100644
---- a/lib/xmltok_impl.c
-+++ b/lib/xmltok_impl.c
-@@ -1274,7 +1274,7 @@ PREFIX(attributeValueTok)(const ENCODING *enc, const char *ptr, const char *end,
- switch (BYTE_TYPE(enc, ptr)) {
- # define LEAD_CASE(n) \
- case BT_LEAD##n: \
-- ptr += n; \
-+ ptr += n; /* NOTE: The encoding has already been validated. */ \
- break;
- LEAD_CASE(2)
- LEAD_CASE(3)
-@@ -1343,7 +1343,7 @@ PREFIX(entityValueTok)(const ENCODING *enc, const char *ptr, const char *end,
- switch (BYTE_TYPE(enc, ptr)) {
- # define LEAD_CASE(n) \
- case BT_LEAD##n: \
-- ptr += n; \
-+ ptr += n; /* NOTE: The encoding has already been validated. */ \
- break;
- LEAD_CASE(2)
- LEAD_CASE(3)
-@@ -1522,7 +1522,7 @@ PREFIX(getAtts)(const ENCODING *enc, const char *ptr, int attsMax,
- state = inName; \
- }
- # define LEAD_CASE(n) \
-- case BT_LEAD##n: \
-+ case BT_LEAD##n: /* NOTE: The encoding has already been validated. */ \
- START_NAME ptr += (n - MINBPC(enc)); \
- break;
- LEAD_CASE(2)
-@@ -1734,7 +1734,7 @@ PREFIX(nameLength)(const ENCODING *enc, const char *ptr) {
- switch (BYTE_TYPE(enc, ptr)) {
- # define LEAD_CASE(n) \
- case BT_LEAD##n: \
-- ptr += n; \
-+ ptr += n; /* NOTE: The encoding has already been validated. */ \
- break;
- LEAD_CASE(2)
- LEAD_CASE(3)
-@@ -1779,7 +1779,7 @@ PREFIX(updatePosition)(const ENCODING *enc, const char *ptr, const char *end,
- switch (BYTE_TYPE(enc, ptr)) {
- # define LEAD_CASE(n) \
- case BT_LEAD##n: \
-- ptr += n; \
-+ ptr += n; /* NOTE: The encoding has already been validated. */ \
- pos->columnNumber++; \
- break;
- LEAD_CASE(2)
-
-From 6a5510bc6b7efe743356296724e0b38300f05379 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Tue, 8 Feb 2022 04:06:21 +0100
-Subject: [PATCH 4/5] tests: Cover missing validation of encoding
- (CVE-2022-25235)
-
----
- expat/tests/runtests.c | 109 +++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 109 insertions(+)
-
-diff --git a/tests/runtests.c b/tests/runtests.c
-index bc5344b1..9b155b82 100644
---- a/tests/runtests.c
-+++ b/tests/runtests.c
-@@ -5998,6 +5998,105 @@ START_TEST(test_utf8_in_cdata_section_2) {
- }
- END_TEST
-
-+START_TEST(test_utf8_in_start_tags) {
-+ struct test_case {
-+ bool goodName;
-+ bool goodNameStart;
-+ const char *tagName;
-+ };
-+
-+ // The idea with the tests below is this:
-+ // We want to cover 1-, 2- and 3-byte sequences, 4-byte sequences
-+ // go to isNever and are hence not a concern.
-+ //
-+ // We start with a character that is a valid name character
-+ // (or even name-start character, see XML 1.0r4 spec) and then we flip
-+ // single bits at places where (1) the result leaves the UTF-8 encoding space
-+ // and (2) we stay in the same n-byte sequence family.
-+ //
-+ // The flipped bits are highlighted in angle brackets in comments,
-+ // e.g. "[<1>011 1001]" means we had [0011 1001] but we now flipped
-+ // the most significant bit to 1 to leave UTF-8 encoding space.
-+ struct test_case cases[] = {
-+ // 1-byte UTF-8: [0xxx xxxx]
-+ {true, true, "\x3A"}, // [0011 1010] = ASCII colon ':'
-+ {false, false, "\xBA"}, // [<1>011 1010]
-+ {true, false, "\x39"}, // [0011 1001] = ASCII nine '9'
-+ {false, false, "\xB9"}, // [<1>011 1001]
-+
-+ // 2-byte UTF-8: [110x xxxx] [10xx xxxx]
-+ {true, true, "\xDB\xA5"}, // [1101 1011] [1010 0101] =
-+ // Arabic small waw U+06E5
-+ {false, false, "\x9B\xA5"}, // [1<0>01 1011] [1010 0101]
-+ {false, false, "\xDB\x25"}, // [1101 1011] [<0>010 0101]
-+ {false, false, "\xDB\xE5"}, // [1101 1011] [1<1>10 0101]
-+ {true, false, "\xCC\x81"}, // [1100 1100] [1000 0001] =
-+ // combining char U+0301
-+ {false, false, "\x8C\x81"}, // [1<0>00 1100] [1000 0001]
-+ {false, false, "\xCC\x01"}, // [1100 1100] [<0>000 0001]
-+ {false, false, "\xCC\xC1"}, // [1100 1100] [1<1>00 0001]
-+
-+ // 3-byte UTF-8: [1110 xxxx] [10xx xxxx] [10xxxxxx]
-+ {true, true, "\xE0\xA4\x85"}, // [1110 0000] [1010 0100] [1000 0101] =
-+ // Devanagari Letter A U+0905
-+ {false, false, "\xA0\xA4\x85"}, // [1<0>10 0000] [1010 0100] [1000 0101]
-+ {false, false, "\xE0\x24\x85"}, // [1110 0000] [<0>010 0100] [1000 0101]
-+ {false, false, "\xE0\xE4\x85"}, // [1110 0000] [1<1>10 0100] [1000 0101]
-+ {false, false, "\xE0\xA4\x05"}, // [1110 0000] [1010 0100] [<0>000 0101]
-+ {false, false, "\xE0\xA4\xC5"}, // [1110 0000] [1010 0100] [1<1>00 0101]
-+ {true, false, "\xE0\xA4\x81"}, // [1110 0000] [1010 0100] [1000 0001] =
-+ // combining char U+0901
-+ {false, false, "\xA0\xA4\x81"}, // [1<0>10 0000] [1010 0100] [1000 0001]
-+ {false, false, "\xE0\x24\x81"}, // [1110 0000] [<0>010 0100] [1000 0001]
-+ {false, false, "\xE0\xE4\x81"}, // [1110 0000] [1<1>10 0100] [1000 0001]
-+ {false, false, "\xE0\xA4\x01"}, // [1110 0000] [1010 0100] [<0>000 0001]
-+ {false, false, "\xE0\xA4\xC1"}, // [1110 0000] [1010 0100] [1<1>00 0001]
-+ };
-+ const bool atNameStart[] = {true, false};
-+
-+ size_t i = 0;
-+ char doc[1024];
-+ size_t failCount = 0;
-+
-+ for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
-+ size_t j = 0;
-+ for (; j < sizeof(atNameStart) / sizeof(atNameStart[0]); j++) {
-+ const bool expectedSuccess
-+ = atNameStart[j] ? cases[i].goodNameStart : cases[i].goodName;
-+ sprintf(doc, "<%s%s><!--", atNameStart[j] ? "" : "a", cases[i].tagName);
-+ XML_Parser parser = XML_ParserCreate(NULL);
-+
-+ const enum XML_Status status
-+ = XML_Parse(parser, doc, (int)strlen(doc), /*isFinal=*/XML_FALSE);
-+
-+ bool success = true;
-+ if ((status == XML_STATUS_OK) != expectedSuccess) {
-+ success = false;
-+ }
-+ if ((status == XML_STATUS_ERROR)
-+ && (XML_GetErrorCode(parser) != XML_ERROR_INVALID_TOKEN)) {
-+ success = false;
-+ }
-+
-+ if (! success) {
-+ fprintf(
-+ stderr,
-+ "FAIL case %2u (%sat name start, %u-byte sequence, error code %d)\n",
-+ (unsigned)i + 1u, atNameStart[j] ? " " : "not ",
-+ (unsigned)strlen(cases[i].tagName), XML_GetErrorCode(parser));
-+ failCount++;
-+ }
-+
-+ XML_ParserFree(parser);
-+ }
-+ }
-+
-+ if (failCount > 0) {
-+ fail("UTF-8 regression detected");
-+ }
-+}
-+END_TEST
-+
- /* Test trailing spaces in elements are accepted */
- static void XMLCALL
- record_element_end_handler(void *userData, const XML_Char *name) {
-@@ -6175,6 +6274,14 @@ START_TEST(test_bad_doctype) {
- }
- END_TEST
-
-+START_TEST(test_bad_doctype_utf8) {
-+ const char *text = "<!DOCTYPE \xDB\x25"
-+ "doc><doc/>"; // [1101 1011] [<0>010 0101]
-+ expect_failure(text, XML_ERROR_INVALID_TOKEN,
-+ "Invalid UTF-8 in DOCTYPE not faulted");
-+}
-+END_TEST
-+
- START_TEST(test_bad_doctype_utf16) {
- const char text[] =
- /* <!DOCTYPE doc [ \x06f2 ]><doc/>
-@@ -11870,6 +11977,7 @@ make_suite(void) {
- tcase_add_test(tc_basic, test_ext_entity_utf8_non_bom);
- tcase_add_test(tc_basic, test_utf8_in_cdata_section);
- tcase_add_test(tc_basic, test_utf8_in_cdata_section_2);
-+ tcase_add_test(tc_basic, test_utf8_in_start_tags);
- tcase_add_test(tc_basic, test_trailing_spaces_in_elements);
- tcase_add_test(tc_basic, test_utf16_attribute);
- tcase_add_test(tc_basic, test_utf16_second_attr);
-@@ -11878,6 +11986,7 @@ make_suite(void) {
- tcase_add_test(tc_basic, test_bad_attr_desc_keyword);
- tcase_add_test(tc_basic, test_bad_attr_desc_keyword_utf16);
- tcase_add_test(tc_basic, test_bad_doctype);
-+ tcase_add_test(tc_basic, test_bad_doctype_utf8);
- tcase_add_test(tc_basic, test_bad_doctype_utf16);
- tcase_add_test(tc_basic, test_bad_doctype_plus);
- tcase_add_test(tc_basic, test_bad_doctype_star);
-
diff --git a/SOURCES/expat-2.2.10-Detect-and-prevent-integer-overflow-in-XML_GetBuffer.patch b/SOURCES/expat-2.2.10-Detect-and-prevent-integer-overflow-in-XML_GetBuffer.patch
deleted file mode 100644
index 58d9941..0000000
--- a/SOURCES/expat-2.2.10-Detect-and-prevent-integer-overflow-in-XML_GetBuffer.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index d54af683..5ce31402 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) {
- keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
- if (keep > XML_CONTEXT_BYTES)
- keep = XML_CONTEXT_BYTES;
-+ /* Detect and prevent integer overflow */
-+ if (keep > INT_MAX - neededSize) {
-+ parser->m_errorCode = XML_ERROR_NO_MEMORY;
-+ return NULL;
-+ }
- neededSize += keep;
- #endif /* defined XML_CONTEXT_BYTES */
- if (neededSize
-diff --git a/tests/runtests.c b/tests/runtests.c
-index e89e8220..579dad1a 100644
---- a/tests/runtests.c
-+++ b/tests/runtests.c
-@@ -3847,6 +3847,30 @@ START_TEST(test_get_buffer_2) {
- }
- END_TEST
-
-+/* Test for signed integer overflow CVE-2022-23852 */
-+#if defined(XML_CONTEXT_BYTES)
-+START_TEST(test_get_buffer_3_overflow) {
-+ XML_Parser parser = XML_ParserCreate(NULL);
-+ assert(parser != NULL);
-+
-+ const char *const text = "\n";
-+ const int expectedKeepValue = (int)strlen(text);
-+
-+ // After this call, variable "keep" in XML_GetBuffer will
-+ // have value expectedKeepValue
-+ if (XML_Parse(parser, text, (int)strlen(text), XML_FALSE /* isFinal */)
-+ == XML_STATUS_ERROR)
-+ xml_failure(parser);
-+
-+ assert(expectedKeepValue > 0);
-+ if (XML_GetBuffer(parser, INT_MAX - expectedKeepValue + 1) != NULL)
-+ fail("enlarging buffer not failed");
-+
-+ XML_ParserFree(parser);
-+}
-+END_TEST
-+#endif // defined(XML_CONTEXT_BYTES)
-+
- /* Test position information macros */
- START_TEST(test_byte_info_at_end) {
- const char *text = "<doc></doc>";
-@@ -11731,6 +11755,9 @@ make_suite(void) {
- tcase_add_test(tc_basic, test_empty_parse);
- tcase_add_test(tc_basic, test_get_buffer_1);
- tcase_add_test(tc_basic, test_get_buffer_2);
-+#if defined(XML_CONTEXT_BYTES)
-+ tcase_add_test(tc_basic, test_get_buffer_3_overflow);
-+#endif
- tcase_add_test(tc_basic, test_byte_info_at_end);
- tcase_add_test(tc_basic, test_byte_info_at_error);
- tcase_add_test(tc_basic, test_byte_info_at_cdata);
-
diff --git a/SOURCES/expat-2.2.10-Detect-and-prevent-troublesome-left-shifts.patch b/SOURCES/expat-2.2.10-Detect-and-prevent-troublesome-left-shifts.patch
deleted file mode 100644
index 1ad6374..0000000
--- a/SOURCES/expat-2.2.10-Detect-and-prevent-troublesome-left-shifts.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 0adcb34c49bee5b19bd29b16a578c510c23597ea Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Mon, 27 Dec 2021 20:15:02 +0100
-Subject: [PATCH] lib: Detect and prevent troublesome left shifts in function
- storeAtts (CVE-2021-45960)
-
----
- expat/lib/xmlparse.c | 31 +++++++++++++++++++++++++++++--
- 1 file changed, 29 insertions(+), 2 deletions(-)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index d730f41c3..b47c31b05 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -3414,7 +3414,13 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
- if (nPrefixes) {
- int j; /* hash table index */
- unsigned long version = parser->m_nsAttsVersion;
-- int nsAttsSize = (int)1 << parser->m_nsAttsPower;
-+
-+ /* Detect and prevent invalid shift */
-+ if (parser->m_nsAttsPower >= sizeof(unsigned int) * 8 /* bits per byte */) {
-+ return XML_ERROR_NO_MEMORY;
-+ }
-+
-+ unsigned int nsAttsSize = 1u << parser->m_nsAttsPower;
- unsigned char oldNsAttsPower = parser->m_nsAttsPower;
- /* size of hash table must be at least 2 * (# of prefixed attributes) */
- if ((nPrefixes << 1)
-@@ -3425,7 +3431,28 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
- ;
- if (parser->m_nsAttsPower < 3)
- parser->m_nsAttsPower = 3;
-- nsAttsSize = (int)1 << parser->m_nsAttsPower;
-+
-+ /* Detect and prevent invalid shift */
-+ if (parser->m_nsAttsPower >= sizeof(nsAttsSize) * 8 /* bits per byte */) {
-+ /* Restore actual size of memory in m_nsAtts */
-+ parser->m_nsAttsPower = oldNsAttsPower;
-+ return XML_ERROR_NO_MEMORY;
-+ }
-+
-+ nsAttsSize = 1u << parser->m_nsAttsPower;
-+
-+ /* Detect and prevent integer overflow.
-+ * The preprocessor guard addresses the "always false" warning
-+ * from -Wtype-limits on platforms where
-+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
-+#if UINT_MAX >= SIZE_MAX
-+ if (nsAttsSize > (size_t)(-1) / sizeof(NS_ATT)) {
-+ /* Restore actual size of memory in m_nsAtts */
-+ parser->m_nsAttsPower = oldNsAttsPower;
-+ return XML_ERROR_NO_MEMORY;
-+ }
-+#endif
-+
- temp = (NS_ATT *)REALLOC(parser, parser->m_nsAtts,
- nsAttsSize * sizeof(NS_ATT));
- if (! temp) {
diff --git a/SOURCES/expat-2.2.10-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch b/SOURCES/expat-2.2.10-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch
deleted file mode 100644
index 42c4bca..0000000
--- a/SOURCES/expat-2.2.10-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-commit 1502af12eebfd796b1d1dbcf547c3e17200904e2
-Author: Tomas Korbar <tkorbar@redhat.com>
-Date: Thu Sep 29 16:09:09 2022 +0200
-
- Fix CVE-2022-40674
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 8e84b5a..9051ab2 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -5555,9 +5555,14 @@ internalEntityProcessor(XML_Parser parser, const char *s, const char *end,
- {
- parser->m_processor = contentProcessor;
- /* see externalEntityContentProcessor vs contentProcessor */
-- return doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
-+ result = doContent(parser, parser->m_parentParser ? 1 : 0, parser->m_encoding,
- s, end, nextPtr,
- (XML_Bool)! parser->m_parsingStatus.finalBuffer);
-+ if (result == XML_ERROR_NONE) {
-+ if (! storeRawNames(parser))
-+ return XML_ERROR_NO_MEMORY;
-+ }
-+ return result;
- }
- }
-
-diff --git a/tests/runtests.c b/tests/runtests.c
-index 05f3083..c886f5a 100644
---- a/tests/runtests.c
-+++ b/tests/runtests.c
-@@ -5022,6 +5022,78 @@ START_TEST(test_resume_entity_with_syntax_error) {
- }
- END_TEST
-
-+void
-+suspending_comment_handler(void *userData, const XML_Char *data) {
-+ UNUSED_P(data);
-+ XML_Parser parser = (XML_Parser)userData;
-+ XML_StopParser(parser, XML_TRUE);
-+}
-+
-+START_TEST(test_suspend_resume_internal_entity_issue_629) {
-+ const char *const text
-+ = "<!DOCTYPE a [<!ENTITY e '<!--COMMENT-->a'>]><a>&e;<b>\n"
-+ "<"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-+ "/>"
-+ "</b></a>";
-+ const size_t firstChunkSizeBytes = 54;
-+
-+ XML_Parser parser = XML_ParserCreate(NULL);
-+ XML_SetUserData(parser, parser);
-+ XML_SetCommentHandler(parser, suspending_comment_handler);
-+
-+ if (XML_Parse(parser, text, (int)firstChunkSizeBytes, XML_FALSE)
-+ != XML_STATUS_SUSPENDED)
-+ xml_failure(parser);
-+ if (XML_ResumeParser(parser) != XML_STATUS_OK)
-+ xml_failure(parser);
-+ if (XML_Parse(parser, text + firstChunkSizeBytes,
-+ (int)(strlen(text) - firstChunkSizeBytes), XML_TRUE)
-+ != XML_STATUS_OK)
-+ xml_failure(parser);
-+ XML_ParserFree(parser);
-+}
-+END_TEST
-+
- /* Test suspending and resuming in a parameter entity substitution */
- static void XMLCALL
- element_decl_suspender(void *userData, const XML_Char *name,
-@@ -11629,6 +11701,8 @@ make_suite(void) {
- tcase_add_test(tc_basic, test_partial_char_in_epilog);
- tcase_add_test(tc_basic, test_hash_collision);
- tcase_add_test__ifdef_xml_dtd(tc_basic, test_suspend_resume_internal_entity);
-+ tcase_add_test__ifdef_xml_dtd(tc_basic,
-+ test_suspend_resume_internal_entity_issue_629);
- tcase_add_test__ifdef_xml_dtd(tc_basic, test_resume_entity_with_syntax_error);
- tcase_add_test__ifdef_xml_dtd(tc_basic, test_suspend_resume_parameter_entity);
- tcase_add_test(tc_basic, test_restart_on_error);
diff --git a/SOURCES/expat-2.2.10-Prevent-integer-overflow-in-copyString.patch b/SOURCES/expat-2.2.10-Prevent-integer-overflow-in-copyString.patch
deleted file mode 100644
index 9c9a640..0000000
--- a/SOURCES/expat-2.2.10-Prevent-integer-overflow-in-copyString.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 4b43e6132..a39377c23 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -7412,7 +7412,7 @@ getElementType(XML_Parser parser, const ENCODING *enc, const char *ptr,
-
- static XML_Char *
- copyString(const XML_Char *s, const XML_Memory_Handling_Suite *memsuite) {
-- int charsRequired = 0;
-+ size_t charsRequired = 0;
- XML_Char *result;
-
- /* First determine how long the string is */
-
diff --git a/SOURCES/expat-2.2.10-Prevent-integer-overflow-in-storeRawNames.patch b/SOURCES/expat-2.2.10-Prevent-integer-overflow-in-storeRawNames.patch
deleted file mode 100644
index 31e35fa..0000000
--- a/SOURCES/expat-2.2.10-Prevent-integer-overflow-in-storeRawNames.patch
+++ /dev/null
@@ -1,139 +0,0 @@
-From eb0362808b4f9f1e2345a0cf203b8cc196d776d9 Mon Sep 17 00:00:00 2001
-From: Samanta Navarro <ferivoz@riseup.net>
-Date: Tue, 15 Feb 2022 11:55:46 +0000
-Subject: [PATCH] Prevent integer overflow in storeRawNames
-
-It is possible to use an integer overflow in storeRawNames for out of
-boundary heap writes. Default configuration is affected. If compiled
-with XML_UNICODE then the attack does not work. Compiling with
--fsanitize=address confirms the following proof of concept.
-
-The problem can be exploited by abusing the m_buffer expansion logic.
-Even though the initial size of m_buffer is a power of two, eventually
-it can end up a little bit lower, thus allowing allocations very close
-to INT_MAX (since INT_MAX/2 can be surpassed). This means that tag
-names can be parsed which are almost INT_MAX in size.
-
-Unfortunately (from an attacker point of view) INT_MAX/2 is also a
-limitation in string pools. Having a tag name of INT_MAX/2 characters
-or more is not possible.
-
-Expat can convert between different encodings. UTF-16 documents which
-contain only ASCII representable characters are twice as large as their
-ASCII encoded counter-parts.
-
-The proof of concept works by taking these three considerations into
-account:
-
-1. Move the m_buffer size slightly below a power of two by having a
- short root node <a>. This allows the m_buffer to grow very close
- to INT_MAX.
-2. The string pooling forbids tag names longer than or equal to
- INT_MAX/2, so keep the attack tag name smaller than that.
-3. To be able to still overflow INT_MAX even though the name is
- limited at INT_MAX/2-1 (nul byte) we use UTF-16 encoding and a tag
- which only contains ASCII characters. UTF-16 always stores two
- bytes per character while the tag name is converted to using only
- one. Our attack node byte count must be a bit higher than
- 2/3 INT_MAX so the converted tag name is around INT_MAX/3 which
- in sum can overflow INT_MAX.
-
-Thanks to our small root node, m_buffer can handle 2/3 INT_MAX bytes
-without running into INT_MAX boundary check. The string pooling is
-able to store INT_MAX/3 as tag name because the amount is below
-INT_MAX/2 limitation. And creating the sum of both eventually overflows
-in storeRawNames.
-
-Proof of Concept:
-
-1. Compile expat with -fsanitize=address.
-
-2. Create Proof of Concept binary which iterates through input
- file 16 MB at once for better performance and easier integer
- calculations:
-
-```
-cat > poc.c << EOF
- #include <err.h>
- #include <expat.h>
- #include <stdlib.h>
- #include <stdio.h>
-
- #define CHUNK (16 * 1024 * 1024)
- int main(int argc, char *argv[]) {
- XML_Parser parser;
- FILE *fp;
- char *buf;
- int i;
-
- if (argc != 2)
- errx(1, "usage: poc file.xml");
- if ((parser = XML_ParserCreate(NULL)) == NULL)
- errx(1, "failed to create expat parser");
- if ((fp = fopen(argv[1], "r")) == NULL) {
- XML_ParserFree(parser);
- err(1, "failed to open file");
- }
- if ((buf = malloc(CHUNK)) == NULL) {
- fclose(fp);
- XML_ParserFree(parser);
- err(1, "failed to allocate buffer");
- }
- i = 0;
- while (fread(buf, CHUNK, 1, fp) == 1) {
- printf("iteration %d: XML_Parse returns %d\n", ++i,
- XML_Parse(parser, buf, CHUNK, XML_FALSE));
- }
- free(buf);
- fclose(fp);
- XML_ParserFree(parser);
- return 0;
- }
-EOF
-gcc -fsanitize=address -lexpat -o poc poc.c
-```
-
-3. Construct specially prepared UTF-16 XML file:
-
-```
-dd if=/dev/zero bs=1024 count=794624 | tr '\0' 'a' > poc-utf8.xml
-echo -n '<a><' | dd conv=notrunc of=poc-utf8.xml
-echo -n '><' | dd conv=notrunc of=poc-utf8.xml bs=1 seek=805306368
-iconv -f UTF-8 -t UTF-16LE poc-utf8.xml > poc-utf16.xml
-```
-
-4. Run proof of concept:
-
-```
-./poc poc-utf16.xml
-```
----
- expat/lib/xmlparse.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 4b43e613..f34d6ab5 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -2563,6 +2563,7 @@ storeRawNames(XML_Parser parser) {
- while (tag) {
- int bufSize;
- int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1);
-+ size_t rawNameLen;
- char *rawNameBuf = tag->buf + nameLen;
- /* Stop if already stored. Since m_tagStack is a stack, we can stop
- at the first entry that has already been copied; everything
-@@ -2574,7 +2575,11 @@ storeRawNames(XML_Parser parser) {
- /* For re-use purposes we need to ensure that the
- size of tag->buf is a multiple of sizeof(XML_Char).
- */
-- bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
-+ rawNameLen = ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
-+ /* Detect and prevent integer overflow. */
-+ if (rawNameLen > (size_t)INT_MAX - nameLen)
-+ return XML_FALSE;
-+ bufSize = nameLen + (int)rawNameLen;
- if (bufSize > tag->bufEnd - tag->buf) {
- char *temp = (char *)REALLOC(parser, tag->buf, bufSize);
- if (temp == NULL)
-
diff --git a/SOURCES/expat-2.2.10-Prevent-integer-overflow-on-m_groupSize-in-function.patch b/SOURCES/expat-2.2.10-Prevent-integer-overflow-on-m_groupSize-in-function.patch
deleted file mode 100644
index 17d192f..0000000
--- a/SOURCES/expat-2.2.10-Prevent-integer-overflow-on-m_groupSize-in-function.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 85ae9a2d7d0e9358f356b33977b842df8ebaec2b Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Sat, 25 Dec 2021 20:52:08 +0100
-Subject: [PATCH] lib: Prevent integer overflow on m_groupSize in function
- doProlog (CVE-2021-46143)
-
----
- expat/lib/xmlparse.c | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index b47c31b0..8f243126 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -5046,6 +5046,11 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
- if (parser->m_prologState.level >= parser->m_groupSize) {
- if (parser->m_groupSize) {
- {
-+ /* Detect and prevent integer overflow */
-+ if (parser->m_groupSize > (unsigned int)(-1) / 2u) {
-+ return XML_ERROR_NO_MEMORY;
-+ }
-+
- char *const new_connector = (char *)REALLOC(
- parser, parser->m_groupConnector, parser->m_groupSize *= 2);
- if (new_connector == NULL) {
-@@ -5056,6 +5061,16 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
- }
-
- if (dtd->scaffIndex) {
-+ /* Detect and prevent integer overflow.
-+ * The preprocessor guard addresses the "always false" warning
-+ * from -Wtype-limits on platforms where
-+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
-+#if UINT_MAX >= SIZE_MAX
-+ if (parser->m_groupSize > (size_t)(-1) / sizeof(int)) {
-+ return XML_ERROR_NO_MEMORY;
-+ }
-+#endif
-+
- int *const new_scaff_index = (int *)REALLOC(
- parser, dtd->scaffIndex, parser->m_groupSize * sizeof(int));
- if (new_scaff_index == NULL)
diff --git a/SOURCES/expat-2.2.10-Prevent-more-integer-overflows.patch b/SOURCES/expat-2.2.10-Prevent-more-integer-overflows.patch
deleted file mode 100644
index 63b5d2f..0000000
--- a/SOURCES/expat-2.2.10-Prevent-more-integer-overflows.patch
+++ /dev/null
@@ -1,250 +0,0 @@
-From 9f93e8036e842329863bf20395b8fb8f73834d9e Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Thu, 30 Dec 2021 22:46:03 +0100
-Subject: [PATCH] lib: Prevent integer overflow at multiple places
- (CVE-2022-22822 to CVE-2022-22827)
-
-The involved functions are:
-- addBinding (CVE-2022-22822)
-- build_model (CVE-2022-22823)
-- defineAttribute (CVE-2022-22824)
-- lookup (CVE-2022-22825)
-- nextScaffoldPart (CVE-2022-22826)
-- storeAtts (CVE-2022-22827)
----
- expat/lib/xmlparse.c | 153 ++++++++++++++++++++++++++++++++++++++++++-
- 1 file changed, 151 insertions(+), 2 deletions(-)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 8f243126..575e73ee 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -3261,13 +3261,38 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
-
- /* get the attributes from the tokenizer */
- n = XmlGetAttributes(enc, attStr, parser->m_attsSize, parser->m_atts);
-+
-+ /* Detect and prevent integer overflow */
-+ if (n > INT_MAX - nDefaultAtts) {
-+ return XML_ERROR_NO_MEMORY;
-+ }
-+
- if (n + nDefaultAtts > parser->m_attsSize) {
- int oldAttsSize = parser->m_attsSize;
- ATTRIBUTE *temp;
- #ifdef XML_ATTR_INFO
- XML_AttrInfo *temp2;
- #endif
-+
-+ /* Detect and prevent integer overflow */
-+ if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
-+ || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
-+ return XML_ERROR_NO_MEMORY;
-+ }
-+
- parser->m_attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
-+
-+ /* Detect and prevent integer overflow.
-+ * The preprocessor guard addresses the "always false" warning
-+ * from -Wtype-limits on platforms where
-+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
-+#if UINT_MAX >= SIZE_MAX
-+ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
-+ parser->m_attsSize = oldAttsSize;
-+ return XML_ERROR_NO_MEMORY;
-+ }
-+#endif
-+
- temp = (ATTRIBUTE *)REALLOC(parser, (void *)parser->m_atts,
- parser->m_attsSize * sizeof(ATTRIBUTE));
- if (temp == NULL) {
-@@ -3276,6 +3301,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
- }
- parser->m_atts = temp;
- #ifdef XML_ATTR_INFO
-+ /* Detect and prevent integer overflow.
-+ * The preprocessor guard addresses the "always false" warning
-+ * from -Wtype-limits on platforms where
-+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
-+# if UINT_MAX >= SIZE_MAX
-+ if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(XML_AttrInfo)) {
-+ parser->m_attsSize = oldAttsSize;
-+ return XML_ERROR_NO_MEMORY;
-+ }
-+# endif
-+
- temp2 = (XML_AttrInfo *)REALLOC(parser, (void *)parser->m_attInfo,
- parser->m_attsSize * sizeof(XML_AttrInfo));
- if (temp2 == NULL) {
-@@ -3610,9 +3646,31 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
- tagNamePtr->prefixLen = prefixLen;
- for (i = 0; localPart[i++];)
- ; /* i includes null terminator */
-+
-+ /* Detect and prevent integer overflow */
-+ if (binding->uriLen > INT_MAX - prefixLen
-+ || i > INT_MAX - (binding->uriLen + prefixLen)) {
-+ return XML_ERROR_NO_MEMORY;
-+ }
-+
- n = i + binding->uriLen + prefixLen;
- if (n > binding->uriAlloc) {
- TAG *p;
-+
-+ /* Detect and prevent integer overflow */
-+ if (n > INT_MAX - EXPAND_SPARE) {
-+ return XML_ERROR_NO_MEMORY;
-+ }
-+ /* Detect and prevent integer overflow.
-+ * The preprocessor guard addresses the "always false" warning
-+ * from -Wtype-limits on platforms where
-+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
-+#if UINT_MAX >= SIZE_MAX
-+ if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
-+ return XML_ERROR_NO_MEMORY;
-+ }
-+#endif
-+
- uri = (XML_Char *)MALLOC(parser, (n + EXPAND_SPARE) * sizeof(XML_Char));
- if (! uri)
- return XML_ERROR_NO_MEMORY;
-@@ -3708,6 +3766,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
- if (parser->m_freeBindingList) {
- b = parser->m_freeBindingList;
- if (len > b->uriAlloc) {
-+ /* Detect and prevent integer overflow */
-+ if (len > INT_MAX - EXPAND_SPARE) {
-+ return XML_ERROR_NO_MEMORY;
-+ }
-+
-+ /* Detect and prevent integer overflow.
-+ * The preprocessor guard addresses the "always false" warning
-+ * from -Wtype-limits on platforms where
-+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
-+#if UINT_MAX >= SIZE_MAX
-+ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
-+ return XML_ERROR_NO_MEMORY;
-+ }
-+#endif
-+
- XML_Char *temp = (XML_Char *)REALLOC(
- parser, b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE));
- if (temp == NULL)
-@@ -3720,6 +3793,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
- b = (BINDING *)MALLOC(parser, sizeof(BINDING));
- if (! b)
- return XML_ERROR_NO_MEMORY;
-+
-+ /* Detect and prevent integer overflow */
-+ if (len > INT_MAX - EXPAND_SPARE) {
-+ return XML_ERROR_NO_MEMORY;
-+ }
-+ /* Detect and prevent integer overflow.
-+ * The preprocessor guard addresses the "always false" warning
-+ * from -Wtype-limits on platforms where
-+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
-+#if UINT_MAX >= SIZE_MAX
-+ if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
-+ return XML_ERROR_NO_MEMORY;
-+ }
-+#endif
-+
- b->uri
- = (XML_Char *)MALLOC(parser, sizeof(XML_Char) * (len + EXPAND_SPARE));
- if (! b->uri) {
-@@ -6141,7 +6229,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
- }
- } else {
- DEFAULT_ATTRIBUTE *temp;
-+
-+ /* Detect and prevent integer overflow */
-+ if (type->allocDefaultAtts > INT_MAX / 2) {
-+ return 0;
-+ }
-+
- int count = type->allocDefaultAtts * 2;
-+
-+ /* Detect and prevent integer overflow.
-+ * The preprocessor guard addresses the "always false" warning
-+ * from -Wtype-limits on platforms where
-+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
-+#if UINT_MAX >= SIZE_MAX
-+ if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) {
-+ return 0;
-+ }
-+#endif
-+
- temp = (DEFAULT_ATTRIBUTE *)REALLOC(parser, type->defaultAtts,
- (count * sizeof(DEFAULT_ATTRIBUTE)));
- if (temp == NULL)
-@@ -6792,8 +6897,20 @@ lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize) {
- /* check for overflow (table is half full) */
- if (table->used >> (table->power - 1)) {
- unsigned char newPower = table->power + 1;
-+
-+ /* Detect and prevent invalid shift */
-+ if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) {
-+ return NULL;
-+ }
-+
- size_t newSize = (size_t)1 << newPower;
- unsigned long newMask = (unsigned long)newSize - 1;
-+
-+ /* Detect and prevent integer overflow */
-+ if (newSize > (size_t)(-1) / sizeof(NAMED *)) {
-+ return NULL;
-+ }
-+
- size_t tsize = newSize * sizeof(NAMED *);
- NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize);
- if (! newV)
-@@ -7143,6 +7260,20 @@ nextScaffoldPart(XML_Parser parser) {
- if (dtd->scaffCount >= dtd->scaffSize) {
- CONTENT_SCAFFOLD *temp;
- if (dtd->scaffold) {
-+ /* Detect and prevent integer overflow */
-+ if (dtd->scaffSize > UINT_MAX / 2u) {
-+ return -1;
-+ }
-+ /* Detect and prevent integer overflow.
-+ * The preprocessor guard addresses the "always false" warning
-+ * from -Wtype-limits on platforms where
-+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
-+#if UINT_MAX >= SIZE_MAX
-+ if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) {
-+ return -1;
-+ }
-+#endif
-+
- temp = (CONTENT_SCAFFOLD *)REALLOC(
- parser, dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD));
- if (temp == NULL)
-@@ -7212,8 +7343,26 @@ build_model(XML_Parser parser) {
- XML_Content *ret;
- XML_Content *cpos;
- XML_Char *str;
-- int allocsize = (dtd->scaffCount * sizeof(XML_Content)
-- + (dtd->contentStringLen * sizeof(XML_Char)));
-+
-+ /* Detect and prevent integer overflow.
-+ * The preprocessor guard addresses the "always false" warning
-+ * from -Wtype-limits on platforms where
-+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
-+#if UINT_MAX >= SIZE_MAX
-+ if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) {
-+ return NULL;
-+ }
-+ if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) {
-+ return NULL;
-+ }
-+#endif
-+ if (dtd->scaffCount * sizeof(XML_Content)
-+ > (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) {
-+ return NULL;
-+ }
-+
-+ const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content)
-+ + (dtd->contentStringLen * sizeof(XML_Char)));
-
- ret = (XML_Content *)MALLOC(parser, allocsize);
- if (! ret)
diff --git a/SOURCES/expat-2.2.10-Prevent-stack-exhaustion-in-build_model.patch b/SOURCES/expat-2.2.10-Prevent-stack-exhaustion-in-build_model.patch
deleted file mode 100644
index cfa7c1b..0000000
--- a/SOURCES/expat-2.2.10-Prevent-stack-exhaustion-in-build_model.patch
+++ /dev/null
@@ -1,255 +0,0 @@
-commit 37b45d8ff0f92a7ea0491dd61a0bceb951af332e
-Author: Tomas Korbar <tkorbar@redhat.com>
-Date: Tue May 3 09:57:53 2022 +0200
-
- Fix CVE-2022-25313
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 0948906..8e84b5a 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -7138,44 +7138,15 @@ nextScaffoldPart(XML_Parser parser) {
- return next;
- }
-
--static void
--build_node(XML_Parser parser, int src_node, XML_Content *dest,
-- XML_Content **contpos, XML_Char **strpos) {
-- DTD *const dtd = parser->m_dtd; /* save one level of indirection */
-- dest->type = dtd->scaffold[src_node].type;
-- dest->quant = dtd->scaffold[src_node].quant;
-- if (dest->type == XML_CTYPE_NAME) {
-- const XML_Char *src;
-- dest->name = *strpos;
-- src = dtd->scaffold[src_node].name;
-- for (;;) {
-- *(*strpos)++ = *src;
-- if (! *src)
-- break;
-- src++;
-- }
-- dest->numchildren = 0;
-- dest->children = NULL;
-- } else {
-- unsigned int i;
-- int cn;
-- dest->numchildren = dtd->scaffold[src_node].childcnt;
-- dest->children = *contpos;
-- *contpos += dest->numchildren;
-- for (i = 0, cn = dtd->scaffold[src_node].firstchild; i < dest->numchildren;
-- i++, cn = dtd->scaffold[cn].nextsib) {
-- build_node(parser, cn, &(dest->children[i]), contpos, strpos);
-- }
-- dest->name = NULL;
-- }
--}
--
- static XML_Content *
- build_model(XML_Parser parser) {
-+ /* Function build_model transforms the existing parser->m_dtd->scaffold
-+ * array of CONTENT_SCAFFOLD tree nodes into a new array of
-+ * XML_Content tree nodes followed by a gapless list of zero-terminated
-+ * strings. */
- DTD *const dtd = parser->m_dtd; /* save one level of indirection */
- XML_Content *ret;
-- XML_Content *cpos;
-- XML_Char *str;
-+ XML_Char *str; /* the current string writing location */
-
- /* Detect and prevent integer overflow.
- * The preprocessor guard addresses the "always false" warning
-@@ -7201,10 +7172,96 @@ build_model(XML_Parser parser) {
- if (! ret)
- return NULL;
-
-- str = (XML_Char *)(&ret[dtd->scaffCount]);
-- cpos = &ret[1];
-+ /* What follows is an iterative implementation (of what was previously done
-+ * recursively in a dedicated function called "build_node". The old recursive
-+ * build_node could be forced into stack exhaustion from input as small as a
-+ * few megabyte, and so that was a security issue. Hence, a function call
-+ * stack is avoided now by resolving recursion.)
-+ *
-+ * The iterative approach works as follows:
-+ *
-+ * - We have two writing pointers, both walking up the result array; one does
-+ * the work, the other creates "jobs" for its colleague to do, and leads
-+ * the way:
-+ *
-+ * - The faster one, pointer jobDest, always leads and writes "what job
-+ * to do" by the other, once they reach that place in the
-+ * array: leader "jobDest" stores the source node array index (relative
-+ * to array dtd->scaffold) in field "numchildren".
-+ *
-+ * - The slower one, pointer dest, looks at the value stored in the
-+ * "numchildren" field (which actually holds a source node array index
-+ * at that time) and puts the real data from dtd->scaffold in.
-+ *
-+ * - Before the loop starts, jobDest writes source array index 0
-+ * (where the root node is located) so that dest will have something to do
-+ * when it starts operation.
-+ *
-+ * - Whenever nodes with children are encountered, jobDest appends
-+ * them as new jobs, in order. As a result, tree node siblings are
-+ * adjacent in the resulting array, for example:
-+ *
-+ * [0] root, has two children
-+ * [1] first child of 0, has three children
-+ * [3] first child of 1, does not have children
-+ * [4] second child of 1, does not have children
-+ * [5] third child of 1, does not have children
-+ * [2] second child of 0, does not have children
-+ *
-+ * Or (the same data) presented in flat array view:
-+ *
-+ * [0] root, has two children
-+ *
-+ * [1] first child of 0, has three children
-+ * [2] second child of 0, does not have children
-+ *
-+ * [3] first child of 1, does not have children
-+ * [4] second child of 1, does not have children
-+ * [5] third child of 1, does not have children
-+ *
-+ * - The algorithm repeats until all target array indices have been processed.
-+ */
-+ XML_Content *dest = ret; /* tree node writing location, moves upwards */
-+ XML_Content *const destLimit = &ret[dtd->scaffCount];
-+ XML_Content *jobDest = ret; /* next free writing location in target array */
-+ str = (XML_Char *)&ret[dtd->scaffCount];
-+
-+ /* Add the starting job, the root node (index 0) of the source tree */
-+ (jobDest++)->numchildren = 0;
-+
-+ for (; dest < destLimit; dest++) {
-+ /* Retrieve source tree array index from job storage */
-+ const int src_node = (int)dest->numchildren;
-+
-+ /* Convert item */
-+ dest->type = dtd->scaffold[src_node].type;
-+ dest->quant = dtd->scaffold[src_node].quant;
-+ if (dest->type == XML_CTYPE_NAME) {
-+ const XML_Char *src;
-+ dest->name = str;
-+ src = dtd->scaffold[src_node].name;
-+ for (;;) {
-+ *str++ = *src;
-+ if (! *src)
-+ break;
-+ src++;
-+ }
-+ dest->numchildren = 0;
-+ dest->children = NULL;
-+ } else {
-+ unsigned int i;
-+ int cn;
-+ dest->name = NULL;
-+ dest->numchildren = dtd->scaffold[src_node].childcnt;
-+ dest->children = jobDest;
-+
-+ /* Append scaffold indices of children to array */
-+ for (i = 0, cn = dtd->scaffold[src_node].firstchild;
-+ i < dest->numchildren; i++, cn = dtd->scaffold[cn].nextsib)
-+ (jobDest++)->numchildren = (unsigned int)cn;
-+ }
-+ }
-
-- build_node(parser, 0, ret, &cpos, &str);
- return ret;
- }
-
-diff --git a/tests/runtests.c b/tests/runtests.c
-index 7293d46..05f3083 100644
---- a/tests/runtests.c
-+++ b/tests/runtests.c
-@@ -2677,6 +2677,82 @@ START_TEST(test_dtd_elements) {
- }
- END_TEST
-
-+static void XMLCALL
-+element_decl_check_model(void *userData, const XML_Char *name,
-+ XML_Content *model) {
-+ UNUSED_P(userData);
-+ uint32_t errorFlags = 0;
-+
-+ /* Expected model array structure is this:
-+ * [0] (type 6, quant 0)
-+ * [1] (type 5, quant 0)
-+ * [3] (type 4, quant 0, name "bar")
-+ * [4] (type 4, quant 0, name "foo")
-+ * [5] (type 4, quant 3, name "xyz")
-+ * [2] (type 4, quant 2, name "zebra")
-+ */
-+ errorFlags |= ((xcstrcmp(name, XCS("junk")) == 0) ? 0 : (1u << 0));
-+ errorFlags |= ((model != NULL) ? 0 : (1u << 1));
-+
-+ errorFlags |= ((model[0].type == XML_CTYPE_SEQ) ? 0 : (1u << 2));
-+ errorFlags |= ((model[0].quant == XML_CQUANT_NONE) ? 0 : (1u << 3));
-+ errorFlags |= ((model[0].numchildren == 2) ? 0 : (1u << 4));
-+ errorFlags |= ((model[0].children == &model[1]) ? 0 : (1u << 5));
-+ errorFlags |= ((model[0].name == NULL) ? 0 : (1u << 6));
-+
-+ errorFlags |= ((model[1].type == XML_CTYPE_CHOICE) ? 0 : (1u << 7));
-+ errorFlags |= ((model[1].quant == XML_CQUANT_NONE) ? 0 : (1u << 8));
-+ errorFlags |= ((model[1].numchildren == 3) ? 0 : (1u << 9));
-+ errorFlags |= ((model[1].children == &model[3]) ? 0 : (1u << 10));
-+ errorFlags |= ((model[1].name == NULL) ? 0 : (1u << 11));
-+
-+ errorFlags |= ((model[2].type == XML_CTYPE_NAME) ? 0 : (1u << 12));
-+ errorFlags |= ((model[2].quant == XML_CQUANT_REP) ? 0 : (1u << 13));
-+ errorFlags |= ((model[2].numchildren == 0) ? 0 : (1u << 14));
-+ errorFlags |= ((model[2].children == NULL) ? 0 : (1u << 15));
-+ errorFlags |= ((xcstrcmp(model[2].name, XCS("zebra")) == 0) ? 0 : (1u << 16));
-+
-+ errorFlags |= ((model[3].type == XML_CTYPE_NAME) ? 0 : (1u << 17));
-+ errorFlags |= ((model[3].quant == XML_CQUANT_NONE) ? 0 : (1u << 18));
-+ errorFlags |= ((model[3].numchildren == 0) ? 0 : (1u << 19));
-+ errorFlags |= ((model[3].children == NULL) ? 0 : (1u << 20));
-+ errorFlags |= ((xcstrcmp(model[3].name, XCS("bar")) == 0) ? 0 : (1u << 21));
-+
-+ errorFlags |= ((model[4].type == XML_CTYPE_NAME) ? 0 : (1u << 22));
-+ errorFlags |= ((model[4].quant == XML_CQUANT_NONE) ? 0 : (1u << 23));
-+ errorFlags |= ((model[4].numchildren == 0) ? 0 : (1u << 24));
-+ errorFlags |= ((model[4].children == NULL) ? 0 : (1u << 25));
-+ errorFlags |= ((xcstrcmp(model[4].name, XCS("foo")) == 0) ? 0 : (1u << 26));
-+
-+ errorFlags |= ((model[5].type == XML_CTYPE_NAME) ? 0 : (1u << 27));
-+ errorFlags |= ((model[5].quant == XML_CQUANT_PLUS) ? 0 : (1u << 28));
-+ errorFlags |= ((model[5].numchildren == 0) ? 0 : (1u << 29));
-+ errorFlags |= ((model[5].children == NULL) ? 0 : (1u << 30));
-+ errorFlags |= ((xcstrcmp(model[5].name, XCS("xyz")) == 0) ? 0 : (1u << 31));
-+
-+ XML_SetUserData(g_parser, (void *)(uintptr_t)errorFlags);
-+ XML_FreeContentModel(g_parser, model);
-+}
-+
-+START_TEST(test_dtd_elements_nesting) {
-+ // Payload inspired by a test in Perl's XML::Parser
-+ const char *text = "<!DOCTYPE foo [\n"
-+ "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>\n"
-+ "]>\n"
-+ "<foo/>";
-+
-+ XML_SetUserData(g_parser, (void *)(uintptr_t)-1);
-+
-+ XML_SetElementDeclHandler(g_parser, element_decl_check_model);
-+ if (XML_Parse(g_parser, text, (int)strlen(text), XML_TRUE)
-+ == XML_STATUS_ERROR)
-+ xml_failure(g_parser);
-+
-+ if ((uint32_t)(uintptr_t)XML_GetUserData(g_parser) != 0)
-+ fail("Element declaration model regression detected");
-+}
-+END_TEST
-+
- /* Test foreign DTD handling */
- START_TEST(test_set_foreign_dtd) {
- const char *text1 = "<?xml version='1.0' encoding='us-ascii'?>\n";
-@@ -11487,6 +11563,7 @@ make_suite(void) {
- tcase_add_test(tc_basic, test_memory_allocation);
- tcase_add_test(tc_basic, test_default_current);
- tcase_add_test(tc_basic, test_dtd_elements);
-+ tcase_add_test(tc_basic, test_dtd_elements_nesting);
- tcase_add_test__ifdef_xml_dtd(tc_basic, test_set_foreign_dtd);
- tcase_add_test__ifdef_xml_dtd(tc_basic, test_foreign_dtd_not_standalone);
- tcase_add_test__ifdef_xml_dtd(tc_basic, test_invalid_foreign_dtd);
diff --git a/SOURCES/expat-2.2.10-Protect-against-malicious-namespace-declarations.patch b/SOURCES/expat-2.2.10-Protect-against-malicious-namespace-declarations.patch
deleted file mode 100644
index 9f68836..0000000
--- a/SOURCES/expat-2.2.10-Protect-against-malicious-namespace-declarations.patch
+++ /dev/null
@@ -1,228 +0,0 @@
-commit 5c47ae80738d0985babf06a023b3845169682064
-Author: Tomas Korbar <tkorbar@redhat.com>
-Date: Mon Mar 14 10:22:37 2022 +0100
-
- Protect against malicious namespace declarations
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 5c3f573..901abbf 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -638,8 +638,7 @@ XML_ParserCreate(const XML_Char *encodingName) {
-
- XML_Parser XMLCALL
- XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) {
-- XML_Char tmp[2];
-- *tmp = nsSep;
-+ XML_Char tmp[2] = {nsSep, 0};
- return XML_ParserCreate_MM(encodingName, NULL, tmp);
- }
-
-@@ -1253,8 +1252,7 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser, const XML_Char *context,
- would be otherwise.
- */
- if (parser->m_ns) {
-- XML_Char tmp[2];
-- *tmp = parser->m_namespaceSeparator;
-+ XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
- parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
- } else {
- parser = parserCreate(encodingName, &parser->m_mem, NULL, newDtd);
-@@ -3526,6 +3524,117 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
- return XML_ERROR_NONE;
- }
-
-+static XML_Bool
-+is_rfc3986_uri_char(XML_Char candidate) {
-+ // For the RFC 3986 ANBF grammar see
-+ // https://datatracker.ietf.org/doc/html/rfc3986#appendix-A
-+
-+ switch (candidate) {
-+ // From rule "ALPHA" (uppercase half)
-+ case 'A':
-+ case 'B':
-+ case 'C':
-+ case 'D':
-+ case 'E':
-+ case 'F':
-+ case 'G':
-+ case 'H':
-+ case 'I':
-+ case 'J':
-+ case 'K':
-+ case 'L':
-+ case 'M':
-+ case 'N':
-+ case 'O':
-+ case 'P':
-+ case 'Q':
-+ case 'R':
-+ case 'S':
-+ case 'T':
-+ case 'U':
-+ case 'V':
-+ case 'W':
-+ case 'X':
-+ case 'Y':
-+ case 'Z':
-+
-+ // From rule "ALPHA" (lowercase half)
-+ case 'a':
-+ case 'b':
-+ case 'c':
-+ case 'd':
-+ case 'e':
-+ case 'f':
-+ case 'g':
-+ case 'h':
-+ case 'i':
-+ case 'j':
-+ case 'k':
-+ case 'l':
-+ case 'm':
-+ case 'n':
-+ case 'o':
-+ case 'p':
-+ case 'q':
-+ case 'r':
-+ case 's':
-+ case 't':
-+ case 'u':
-+ case 'v':
-+ case 'w':
-+ case 'x':
-+ case 'y':
-+ case 'z':
-+
-+ // From rule "DIGIT"
-+ case '0':
-+ case '1':
-+ case '2':
-+ case '3':
-+ case '4':
-+ case '5':
-+ case '6':
-+ case '7':
-+ case '8':
-+ case '9':
-+
-+ // From rule "pct-encoded"
-+ case '%':
-+
-+ // From rule "unreserved"
-+ case '-':
-+ case '.':
-+ case '_':
-+ case '~':
-+
-+ // From rule "gen-delims"
-+ case ':':
-+ case '/':
-+ case '?':
-+ case '#':
-+ case '[':
-+ case ']':
-+ case '@':
-+
-+ // From rule "sub-delims"
-+ case '!':
-+ case '$':
-+ case '&':
-+ case '\'':
-+ case '(':
-+ case ')':
-+ case '*':
-+ case '+':
-+ case ',':
-+ case ';':
-+ case '=':
-+ return XML_TRUE;
-+
-+ default:
-+ return XML_FALSE;
-+ }
-+}
-+
- /* addBinding() overwrites the value of prefix->binding without checking.
- Therefore one must keep track of the old value outside of addBinding().
- */
-@@ -3581,6 +3690,29 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
- if (! mustBeXML && isXMLNS
- && (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
- isXMLNS = XML_FALSE;
-+
-+ // NOTE: While Expat does not validate namespace URIs against RFC 3986
-+ // today (and is not REQUIRED to do so with regard to the XML 1.0
-+ // namespaces specification) we have to at least make sure, that
-+ // the application on top of Expat (that is likely splitting expanded
-+ // element names ("qualified names") of form
-+ // "[uri sep] local [sep prefix] '\0'" back into 1, 2 or 3 pieces
-+ // in its element handler code) cannot be confused by an attacker
-+ // putting additional namespace separator characters into namespace
-+ // declarations. That would be ambiguous and not to be expected.
-+ //
-+ // While the HTML API docs of function XML_ParserCreateNS have been
-+ // advising against use of a namespace separator character that can
-+ // appear in a URI for >20 years now, some widespread applications
-+ // are using URI characters (':' (colon) in particular) for a
-+ // namespace separator, in practice. To keep these applications
-+ // functional, we only reject namespaces URIs containing the
-+ // application-chosen namespace separator if the chosen separator
-+ // is a non-URI character with regard to RFC 3986.
-+ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)
-+ && ! is_rfc3986_uri_char(uri[len])) {
-+ return XML_ERROR_SYNTAX;
-+ }
- }
- isXML = isXML && len == xmlLen;
- isXMLNS = isXMLNS && len == xmlnsLen;
-diff --git a/tests/runtests.c b/tests/runtests.c
-index f03e008..40172d2 100644
---- a/tests/runtests.c
-+++ b/tests/runtests.c
-@@ -7233,6 +7233,37 @@ START_TEST(test_ns_double_colon_doctype) {
- }
- END_TEST
-
-+START_TEST(test_ns_separator_in_uri) {
-+ struct test_case {
-+ enum XML_Status expectedStatus;
-+ const char *doc;
-+ XML_Char namesep;
-+ };
-+ struct test_case cases[] = {
-+ {XML_STATUS_OK, "<doc xmlns='one_two' />", XCS('\n')},
-+ {XML_STATUS_ERROR, "<doc xmlns='one
two' />", XCS('\n')},
-+ {XML_STATUS_OK, "<doc xmlns='one:two' />", XCS(':')},
-+ };
-+
-+ size_t i = 0;
-+ size_t failCount = 0;
-+ for (; i < sizeof(cases) / sizeof(cases[0]); i++) {
-+ XML_Parser parser = XML_ParserCreateNS(NULL, cases[i].namesep);
-+ XML_SetElementHandler(parser, dummy_start_element, dummy_end_element);
-+ if (XML_Parse(parser, cases[i].doc, (int)strlen(cases[i].doc),
-+ /*isFinal*/ XML_TRUE)
-+ != cases[i].expectedStatus) {
-+ failCount++;
-+ }
-+ XML_ParserFree(parser);
-+ }
-+
-+ if (failCount) {
-+ fail("Namespace separator handling is broken");
-+ }
-+}
-+END_TEST
-+
- /* Control variable; the number of times duff_allocator() will successfully
- * allocate */
- #define ALLOC_ALWAYS_SUCCEED (-1)
-@@ -11527,6 +11558,7 @@ make_suite(void) {
- tcase_add_test(tc_namespace, test_ns_utf16_doctype);
- tcase_add_test(tc_namespace, test_ns_invalid_doctype);
- tcase_add_test(tc_namespace, test_ns_double_colon_doctype);
-+ tcase_add_test(tc_namespace, test_ns_separator_in_uri);
-
- suite_add_tcase(s, tc_misc);
- tcase_add_checked_fixture(tc_misc, NULL, basic_teardown);
diff --git a/SOURCES/expat-2.2.10-prevent-integer-overflow-in-doProlog.patch b/SOURCES/expat-2.2.10-prevent-integer-overflow-in-doProlog.patch
deleted file mode 100644
index af9c73c..0000000
--- a/SOURCES/expat-2.2.10-prevent-integer-overflow-in-doProlog.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From ede41d1e186ed2aba88a06e84cac839b770af3a1 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Wed, 26 Jan 2022 02:36:43 +0100
-Subject: [PATCH 1/2] lib: Prevent integer overflow in doProlog
- (CVE-2022-23990)
-
-The change from "int nameLen" to "size_t nameLen"
-addresses the overflow on "nameLen++" in code
-"for (; name[nameLen++];)" right above the second
-change in the patch.
----
- expat/lib/xmlparse.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 5ce31402..d1d17005 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -5372,7 +5372,7 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
- if (dtd->in_eldecl) {
- ELEMENT_TYPE *el;
- const XML_Char *name;
-- int nameLen;
-+ size_t nameLen;
- const char *nxt
- = (quant == XML_CQUANT_NONE ? next : next - enc->minBytesPerChar);
- int myindex = nextScaffoldPart(parser);
-@@ -5388,7 +5388,13 @@ doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end,
- nameLen = 0;
- for (; name[nameLen++];)
- ;
-- dtd->contentStringLen += nameLen;
-+
-+ /* Detect and prevent integer overflow */
-+ if (nameLen > UINT_MAX - dtd->contentStringLen) {
-+ return XML_ERROR_NO_MEMORY;
-+ }
-+
-+ dtd->contentStringLen += (unsigned)nameLen;
- if (parser->m_elementDeclHandler)
- handleDefault = XML_FALSE;
- }
diff --git a/SPECS/expat.spec b/SPECS/expat.spec
index 7508f94..cc03718 100644
--- a/SPECS/expat.spec
+++ b/SPECS/expat.spec
@@ -1,25 +1,14 @@
-%global unversion 2_2_10
+%global unversion 2_4_9
Summary: An XML parser library
Name: expat
Version: %(echo %{unversion} | sed 's/_/./g')
-Release: 12%{?dist}.3
+Release: 1%{?dist}
Source: https://github.com/libexpat/libexpat/archive/R_%{unversion}.tar.gz#/expat-%{version}.tar.gz
URL: https://libexpat.github.io/
License: MIT
BuildRequires: autoconf, libtool, xmlto, gcc-c++
BuildRequires: make
-Patch0: expat-2.2.10-prevent-integer-overflow-in-doProlog.patch
-Patch1: expat-2.2.10-Prevent-more-integer-overflows.patch
-Patch2: expat-2.2.10-Prevent-integer-overflow-on-m_groupSize-in-function.patch
-Patch3: expat-2.2.10-Detect-and-prevent-troublesome-left-shifts.patch
-Patch4: expat-2.2.10-Detect-and-prevent-integer-overflow-in-XML_GetBuffer.patch
-Patch5: expat-2.2.10-Protect-against-malicious-namespace-declarations.patch
-Patch6: expat-2.2.10-Add-missing-validation-of-encoding.patch
-Patch7: expat-2.2.10-Prevent-integer-overflow-in-storeRawNames.patch
-Patch8: expat-2.2.10-Prevent-integer-overflow-in-copyString.patch
-Patch9: expat-2.2.10-Prevent-stack-exhaustion-in-build_model.patch
-Patch10: expat-2.2.10-Ensure-raw-tagnames-are-safe-exiting-internalEntityParser.patch
%description
This is expat, the C library for parsing XML, written by James Clark. Expat
@@ -47,17 +36,6 @@ Install it if you need to link statically with expat.
%prep
%setup -q -n libexpat-R_%{unversion}/expat
-%patch0 -p1 -b .CVE-2022-23990
-%patch1 -p1 -b .CVE-2022-22822-CVE-2022-22827
-%patch2 -p1 -b .CVE-2021-46143
-%patch3 -p1 -b .CVE-2021-45960
-%patch4 -p1 -b .CVE-2022-23852
-%patch5 -p1 -b .CVE-2022-25236
-%patch6 -p1 -b .CVE-2022-25235
-%patch7 -p1 -b .CVE-2022-25315
-%patch8 -p1 -b .CVE-2022-25314
-%patch9 -p1 -b .CVE-2022-25313
-%patch10 -p1 -b .CVE-2022-40674
sed -i 's/install-data-hook/do-nothing-please/' lib/Makefile.am
./buildconf.sh
@@ -86,31 +64,26 @@ make check
%{_mandir}/*/*
%files devel
-%doc doc/reference.html doc/*.png doc/*.css examples/*.c
+%doc doc/reference.html doc/*.css examples/*.c
%{_libdir}/lib*.so
%{_libdir}/pkgconfig/*.pc
%{_includedir}/*.h
+%{_libdir}/cmake/expat-%{version}
%files static
%{_libdir}/lib*.a
%changelog
-* Thu Sep 29 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-12.3
-- Ensure raw tagnames are safe exiting internalEntityParser
+* Thu Sep 29 2022 Tomas Korbar <tkorbar@redhat.com> - 2.4.9-1
+- Rebase to version 2.4.9
- Resolves: CVE-2022-40674
-* Tue May 03 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-12.2
-- Improve fix for CVE-2022-25313
-- Related: CVE-2022-25313
-
-* Tue Apr 26 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-12.1
-- Fix multiple CVEs
-- Resolves: CVE-2022-25314
+* Tue Apr 26 2022 Tomas Korbar <tkorbar@redhat.com> - 2.4.7-1
+- Rebase to version 2.4.7
+- Resolves: rhbz#2067201
- Resolves: CVE-2022-25313
-
-* Wed Mar 16 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-12
-- Build fix for CVE-2022-25236 in rhel-9.0.0
-- Related: CVE-2022-25236
+- Resolves: CVE-2022-25314
+- Resolves: CVE-2022-25236
* Mon Mar 14 2022 Tomas Korbar <tkorbar@redhat.com> - 2.2.10-11
- Improve fix for CVE-2022-25236