[bug#78337,core-packages-team,4/4] gnu: expat: Update to 2.7.1.
Commit Message
* gnu/packages/xml.scm (expat): Update to 2.7.1.
(expat/fixed): Remove it.
* gnu/packages/patches/expat-CVE-2024-45490.patch: Remove it.
* gnu/packages/patches/expat-CVE-2024-45491.patch: Remove it.
* gnu/packages/patches/expat-CVE-2024-45492.patch: Remove it.
* gnu/local.mk (dist_patch_DATA): Unregister them.
Change-Id: Ia0bc5da202afba0636032e4f4e10051778214944
---
gnu/local.mk | 3 --
.../patches/expat-CVE-2024-45490.patch | 34 -------------------
.../patches/expat-CVE-2024-45491.patch | 34 -------------------
.../patches/expat-CVE-2024-45492.patch | 33 ------------------
gnu/packages/xml.scm | 16 ++-------
5 files changed, 2 insertions(+), 118 deletions(-)
delete mode 100644 gnu/packages/patches/expat-CVE-2024-45490.patch
delete mode 100644 gnu/packages/patches/expat-CVE-2024-45491.patch
delete mode 100644 gnu/packages/patches/expat-CVE-2024-45492.patch
@@ -1258,9 +1258,6 @@ dist_patch_DATA = \
%D%/packages/patches/esmini-use-pkgconfig.patch \
%D%/packages/patches/esmtp-add-lesmtp.patch \
%D%/packages/patches/exercism-disable-self-update.patch \
- %D%/packages/patches/expat-CVE-2024-45490.patch \
- %D%/packages/patches/expat-CVE-2024-45491.patch \
- %D%/packages/patches/expat-CVE-2024-45492.patch \
%D%/packages/patches/extempore-unbundle-external-dependencies.patch \
%D%/packages/patches/extundelete-e2fsprogs-1.44.patch \
%D%/packages/patches/fail2ban-paths-guix-conf.patch \
deleted file mode 100644
@@ -1,34 +0,0 @@
-https://github.com/libexpat/libexpat/commit/5c1a31642e243f4870c0bd1f2afc7597976521bf.patch
-Fixed in 2.6.3.
-Takes only 1 of the 3 patches from
-https://github.com/libexpat/libexpat/pull/890 to take the fix and not the
-tests because that part doesn't apply cleanly.
-
-From 5c1a31642e243f4870c0bd1f2afc7597976521bf Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Mon, 19 Aug 2024 22:26:07 +0200
-Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer
-
-Reported by TaiYou
-
----
- expat/lib/xmlparse.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 91682c188..ba1038119 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -2038,6 +2038,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal) {
-
- if (parser == NULL)
- return XML_STATUS_ERROR;
-+
-+ if (len < 0) {
-+ parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
-+ return XML_STATUS_ERROR;
-+ }
-+
- switch (parser->m_parsingStatus.parsing) {
- case XML_SUSPENDED:
- parser->m_errorCode = XML_ERROR_SUSPENDED;
deleted file mode 100644
@@ -1,34 +0,0 @@
-https://github.com/libexpat/libexpat/commit/8e439a9947e9dc80a395c0c7456545d8d9d9e421.patch
-Fixed in 2.6.3.
-
-From 8e439a9947e9dc80a395c0c7456545d8d9d9e421 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Mon, 19 Aug 2024 22:34:13 +0200
-Subject: [PATCH] lib: Detect integer overflow in dtdCopy
-
-Reported by TaiYou
----
- expat/lib/xmlparse.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 91682c188..e2327bdcf 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -7016,6 +7016,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
- if (! newE)
- return 0;
- if (oldE->nDefaultAtts) {
-+ /* Detect and prevent integer overflow.
-+ * The preprocessor guard addresses the "always false" warning
-+ * from -Wtype-limits on platforms where
-+ * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
-+#if UINT_MAX >= SIZE_MAX
-+ if ((size_t)oldE->nDefaultAtts
-+ > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
-+ return 0;
-+ }
-+#endif
- newE->defaultAtts
- = ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
- if (! newE->defaultAtts) {
deleted file mode 100644
@@ -1,33 +0,0 @@
-https://github.com/libexpat/libexpat/commit/9bf0f2c16ee86f644dd1432507edff94c08dc232.patch
-Fixed in 2.6.3.
-
-From 9bf0f2c16ee86f644dd1432507edff94c08dc232 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebastian@pipping.org>
-Date: Mon, 19 Aug 2024 22:37:16 +0200
-Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart
-
-Reported by TaiYou
----
- expat/lib/xmlparse.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 91682c188..f737575ea 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -7558,6 +7558,15 @@ nextScaffoldPart(XML_Parser parser) {
- int next;
-
- if (! dtd->scaffIndex) {
-+ /* Detect and prevent integer overflow.
-+ * The preprocessor guard addresses the "always false" warning
-+ * from -Wtype-limits on platforms where
-+ * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
-+#if UINT_MAX >= SIZE_MAX
-+ if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
-+ return -1;
-+ }
-+#endif
- dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * sizeof(int));
- if (! dtd->scaffIndex)
- return -1;
@@ -127,8 +127,7 @@ (define-public libxmlb
(define-public expat
(package
(name "expat")
- (version "2.5.0")
- (replacement expat/fixed)
+ (version "2.7.1")
(source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
(origin
(method url-fetch)
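Review bot: Dropping `(replacement expat/fixed)` in this hunk removes the graft that carried the CVE-2024-45490, CVE-2024-45491 and CVE-2024-45492 fixes, and the commit log does not record why that is safe. The headers of the three deleted patches each say "Fixed in 2.6.3", so 2.7.1 should already contain them. Stating that in the log, for example `(expat/fixed): Remove it; its fixes are in upstream releases since 2.6.3.`, would let a later audit confirm the coverage without reopening the deleted files. The `expat` definition continues outside this hunk.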
@@ -140,7 +139,7 @@ (define-public expat
"/expat-" version ".tar.xz")))
(sha256
(base32
- "1gnwihpfz4x18rwd6cbrdggmfqjzwsdfh1gpmc0ph21c4gq2097g")))))
+ "0c3w446jrrnss3ccgx9z590lpwbpxiqdbxv2a0p036cg9da54i9m")))))
(build-system gnu-build-system)
(arguments
'(#:phases (modify-phases %standard-phases
@@ -164,17 +163,6 @@ (define-public expat
things the parser might find in the XML document (like start tags).")
(license license:expat)))
-(define-public expat/fixed
- (hidden-package
- (package
- (inherit expat)
- (replacement expat/fixed)
- (source (origin
- (inherit (package-source expat))
- (patches (search-patches "expat-CVE-2024-45490.patch"
- "expat-CVE-2024-45491.patch"
- "expat-CVE-2024-45492.patch")))))))
-
(define-public libebml
(package
(name "libebml")