git: e3fd2734314d - releng/13.4 - contrib/expat: update libexpat from 2.6.0 to 2.7.1
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 10 Apr 2025 14:59:36 UTC
The branch releng/13.4 has been updated by philip:
URL: https://cgit.FreeBSD.org/src/commit/?id=e3fd2734314db25be464e0199e20b33fe6281972
commit e3fd2734314db25be464e0199e20b33fe6281972
Author: Philip Paeps <philip@FreeBSD.org>
AuthorDate: 2025-04-09 03:58:23 +0000
Commit: Philip Paeps <philip@FreeBSD.org>
CommitDate: 2025-04-10 14:39:15 +0000
contrib/expat: update libexpat from 2.6.0 to 2.7.1
Changes: https://github.com/libexpat/libexpat/blob/R_2_7_1/expat/Changes
Note that libbsdxml(3) is only intended to used by utilities in the
FreeBSD base system. None of the vulnerabilities addressed by expat
releases 2.6.1 - 2.7.1 is exploitable on FreeBSD as supported by the
security-officer@ team.
Approved by: so
Security: FreeBSD-EN-25:05.expat
Security: CVE-2024-8176
Security: CVE-2024-50602
Security: CVE-2024-45490, CVE-2024-45491, CVE-2024-45492
Security: CVE-2024-28757
(cherry picked from commit ffd294a1f4c23863c3e515d16dce31d5509bcb01)
(cherry picked from commit bab279022ba2bed4f216924b3b5fdfc60ced364c)
(cherry picked from commit ba23ab2168ffabc2c5e647a1a37ab9a8fb482bb8)
(cherry picked from commit eab7ed2ec2af6307842abcc94c11743a1058bd11)
(cherry picked from commit 908f215e80fa482aa953c39afa6bb516f561fc00)
(cherry picked from commit 3d46113d21963d4236506f7c8e9c476b1f4aa512)
(cherry picked from commit fe9278888fd4414abe2d922e469cf608005f4c65)
(cherry picked from commit 41b768ae1970ed484abaaea401453c3902df93c2)
(cherry picked from commit 03a1992591b0ae85b6b250255fe56e17f6d919c6)
(cherry picked from commit adc9e9e8dbddcf7d57bcdef0d9d0a0e7c08c15ba)
(cherry picked from commit 00c8538e87c61f1fd57ccd9e02a6d435b68d9a73)
(cherry picked from commit 5630672e6f6d58597a3d6f01928a7703f1cdd207)
---
contrib/expat/COPYING | 2 +-
contrib/expat/Changes | 286 ++++++++++-
contrib/expat/FREEBSD-Xlist | 1 -
contrib/expat/Makefile.am | 10 +-
contrib/expat/Makefile.in | 12 +-
contrib/expat/README.md | 75 ++-
contrib/expat/buildconf.sh | 24 +-
contrib/expat/configure.ac | 45 +-
contrib/expat/doc/Makefile.am | 21 +-
contrib/expat/doc/Makefile.in | 58 ++-
contrib/expat/doc/reference.html | 26 +-
contrib/expat/doc/xmlwf.1 | 2 +-
contrib/expat/doc/xmlwf.xml | 4 +-
contrib/expat/examples/Makefile.in | 2 +-
contrib/expat/examples/element_declarations.c | 9 +-
contrib/expat/expat_config.h.in | 3 -
contrib/expat/fix-xmltest-log.sh | 12 +-
contrib/expat/fuzz/xml_lpm_fuzzer.cpp | 464 ++++++++++++++++++
contrib/expat/fuzz/xml_lpm_fuzzer.proto | 58 +++
contrib/expat/fuzz/xml_parse_fuzzer.c | 2 +-
contrib/expat/fuzz/xml_parsebuffer_fuzzer.c | 2 +-
contrib/expat/lib/Makefile.am | 19 +-
contrib/expat/lib/Makefile.in | 79 ++-
contrib/expat/lib/expat.h | 13 +-
contrib/expat/lib/internal.h | 20 +-
contrib/expat/lib/siphash.h | 3 +-
contrib/expat/lib/xmlparse.c | 659 +++++++++++++++++++-------
contrib/expat/tests/Makefile.am | 11 +-
contrib/expat/tests/Makefile.in | 19 +-
contrib/expat/tests/README.md | 11 +
contrib/expat/tests/README.txt | 13 -
contrib/expat/tests/acc_tests.c | 64 ++-
contrib/expat/tests/alloc_tests.c | 27 ++
contrib/expat/tests/basic_tests.c | 556 ++++++++++++++++++----
contrib/expat/tests/benchmark/Makefile.in | 2 +-
contrib/expat/tests/benchmark/benchmark.c | 57 ++-
contrib/expat/tests/common.c | 64 +--
contrib/expat/tests/common.h | 13 +-
contrib/expat/tests/handlers.c | 59 ++-
contrib/expat/tests/handlers.h | 24 +-
contrib/expat/tests/minicheck.h | 6 +-
contrib/expat/tests/misc_tests.c | 282 +++++++++--
contrib/expat/tests/xmltest.sh | 5 +-
contrib/expat/xmlwf/Makefile.in | 2 +-
contrib/expat/xmlwf/readfilemap.c | 3 +-
contrib/expat/xmlwf/xmlfile.c | 4 +-
lib/libexpat/Makefile | 1 -
lib/libexpat/expat_config.h | 9 +-
lib/libexpat/libbsdxml.3 | 4 +-
49 files changed, 2557 insertions(+), 590 deletions(-)
diff --git a/contrib/expat/COPYING b/contrib/expat/COPYING
index ce9e5939291e..c6d184a8aae8 100644
--- a/contrib/expat/COPYING
+++ b/contrib/expat/COPYING
@@ -1,5 +1,5 @@
Copyright (c) 1998-2000 Thai Open Source Software Center Ltd and Clark Cooper
-Copyright (c) 2001-2022 Expat maintainers
+Copyright (c) 2001-2025 Expat maintainers
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
diff --git a/contrib/expat/Changes b/contrib/expat/Changes
index a7d4caf9ac81..9d6c64b6a460 100644
--- a/contrib/expat/Changes
+++ b/contrib/expat/Changes
@@ -1,6 +1,286 @@
-NOTE: We are looking for help with a few things:
- https://github.com/libexpat/libexpat/labels/help%20wanted
- If you can help, please get in touch. Thanks!
+ __ __ _
+ ___\ \/ /_ __ __ _| |_
+ / _ \\ /| '_ \ / _` | __|
+ | __// \| |_) | (_| | |_
+ \___/_/\_\ .__/ \__,_|\__|
+ |_| XML parser
+
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! <blink>Expat is UNDERSTAFFED and WITHOUT FUNDING.</blink> !!
+!! ~~~~~~~~~~~~ !!
+!! The following topics need *additional skilled C developers* to progress !!
+!! in a timely manner or at all (loosely ordered by descending priority): !!
+!! !!
+!! - teaming up on researching and fixing future security reports and !!
+!! ClusterFuzz findings with few-days-max response times in communication !!
+!! in order to (1) have a sound fix ready before the end of a 90 days !!
+!! grace period and (2) in a sustainable manner, !!
+!! - helping CPython Expat bindings with supporting Expat's billion laughs !!
+!! attack protection API (https://github.com/python/cpython/issues/90949): !!
+!! - XML_SetBillionLaughsAttackProtectionActivationThreshold !!
+!! - XML_SetBillionLaughsAttackProtectionMaximumAmplification !!
+!! - helping Perl's XML::Parser Expat bindings with supporting Expat's !!
+!! security API (https://github.com/cpan-authors/XML-Parser/issues/102): !!
+!! - XML_SetBillionLaughsAttackProtectionActivationThreshold !!
+!! - XML_SetBillionLaughsAttackProtectionMaximumAmplification !!
+!! - XML_SetReparseDeferralEnabled !!
+!! - implementing and auto-testing XML 1.0r5 support !!
+!! (needs discussion before pull requests), !!
+!! - smart ideas on fixing the Autotools CMake files generation issue !!
+!! without breaking CI (needs discussion before pull requests), !!
+!! - pushing migration from `int` to `size_t` further !!
+!! including edge-cases test coverage (needs discussion before anything). !!
+!! !!
+!! For details, please reach out via e-mail to sebastian@pipping.org so we !!
+!! can schedule a voice call on the topic, in English or German. !!
+!! !!
+!! THANK YOU! Sebastian Pipping -- Berlin, 2024-03-09 !!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+Release 2.7.1 Thu March 27 2025
+ Bug fixes:
+ #980 #989 Restore event pointer behavior from Expat 2.6.4
+ (that the fix to CVE-2024-8176 changed in 2.7.0);
+ affected API functions are:
+ - XML_GetCurrentByteCount
+ - XML_GetCurrentByteIndex
+ - XML_GetCurrentColumnNumber
+ - XML_GetCurrentLineNumber
+ - XML_GetInputContext
+
+ Other changes:
+ #976 #977 Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}"
+ with Automake that were missing from 2.7.0 release tarballs
+ #983 #984 Fix printf format specifiers for 32bit Emscripten
+ #992 docs: Promote OpenSSF Best Practices self-certification
+ #978 tests/benchmark: Resolve mistaken double close
+ #986 Address compiler warnings
+ #990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
+ to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
+ for what these numbers do
+
+ Infrastructure:
+ #982 CI: Start running Perl XML::Parser integration tests
+ #987 CI: Enforce Clang Static Analyzer clean code
+ #991 CI: Re-enable warning clang-analyzer-valist.Uninitialized
+ for clang-tidy
+ #981 CI: Cover compilation with musl
+ #983 #984 CI: Cover compilation with 32bit Emscripten
+ #976 #977 CI: Protect against fuzzer files missing from future
+ release archives
+
+ Special thanks to:
+ Berkay Eren Ürün
+ Matthew Fernandez
+ and
+ Perl XML::Parser
+
+Release 2.7.0 Thu March 13 2025
+ Security fixes:
+ #893 #973 CVE-2024-8176 -- Fix crash from chaining a large number
+ of entities caused by stack overflow by resolving use of
+ recursion, for all three uses of entities:
+ - general entities in character data ("<e>&g1;</e>")
+ - general entities in attribute values ("<e k1='&g1;'/>")
+ - parameter entities ("%p1;")
+ Known impact is (reliable and easy) denial of service:
+ CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
+ (Base Score: 7.5, Temporal Score: 7.2)
+ Please note that a layer of compression around XML can
+ significantly reduce the minimum attack payload size.
+
+ Other changes:
+ #935 #937 Autotools: Make generated CMake files look for
+ libexpat.@SO_MAJOR@.dylib on macOS
+ #925 Autotools: Sync CMake templates with CMake 3.29
+ #945 #962 #966 CMake: Drop support for CMake <3.13
+ #942 CMake: Small fuzzing related improvements
+ #921 docs: Add missing documentation of error code
+ XML_ERROR_NOT_STARTED that was introduced with 2.6.4
+ #941 docs: Document need for C++11 compiler for use from C++
+ #959 tests/benchmark: Fix a (harmless) TOCTTOU
+ #944 Windows: Fix installer target location of file xmlwf.xml
+ for CMake
+ #953 Windows: Address warning -Wunknown-warning-option
+ about -Wno-pedantic-ms-format from LLVM MinGW
+ #971 Address Cppcheck warnings
+ #969 #970 Mass-migrate links from http:// to https://
+ #947 #958 ..
+ #974 #975 Document changes since the previous release
+ #974 #975 Version info bumped from 11:0:10 (libexpat*.so.1.10.0)
+ to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/
+ for what these numbers do
+
+ Infrastructure:
+ #926 tests: Increase robustness
+ #927 #932 ..
+ #930 #933 tests: Increase test coverage
+ #617 #950 ..
+ #951 #952 ..
+ #954 #955 .. Fuzzing: Add new fuzzer "xml_lpm_fuzzer" based on
+ #961 Google's libprotobuf-mutator ("LPM")
+ #957 Fuzzing|CI: Start producing fuzzing code coverage reports
+ #936 CI: Pass -q -q for LCOV >=2.1 in coverage.sh
+ #942 CI: Small fuzzing related improvements
+ #139 #203 ..
+ #791 #946 CI: Make GitHub Actions build using MSVC on Windows and
+ produce 32bit and 64bit Windows binaries
+ #956 CI: Get off of about-to-be-removed Ubuntu 20.04
+ #960 #964 CI: Start uploading to Coverity Scan for static analysis
+ #972 CI: Stop loading DTD from the internet to address flaky CI
+ #971 CI: Adapt to breaking changes in Cppcheck
+
+ Special thanks to:
+ Alexander Gieringer
+ Berkay Eren Ürün
+ Hanno Böck
+ Jann Horn
+ Mark Brand
+ Sebastian Andrzej Siewior
+ Snild Dolkow
+ Thomas Pröll
+ Tomas Korbar
+ valord577
+ and
+ Google Project Zero
+ Linutronix
+ Red Hat
+ Siemens
+
+Release 2.6.4 Wed November 6 2024
+ Security fixes:
+ #915 CVE-2024-50602 -- Fix crash within function XML_ResumeParser
+ from a NULL pointer dereference by disallowing function
+ XML_StopParser to (stop or) suspend an unstarted parser.
+ A new error code XML_ERROR_NOT_STARTED was introduced to
+ properly communicate this situation. // CWE-476 CWE-754
+
+ Other changes:
+ #903 CMake: Add alias target "expat::expat"
+ #905 docs: Document use via CMake >=3.18 with FetchContent
+ and SOURCE_SUBDIR and its consequences
+ #902 tests: Reduce use of global parser instance
+ #904 tests: Resolve duplicate handler
+ #317 #918 tests: Improve tests on doctype closing (ex CVE-2019-15903)
+ #914 Fix signedness of format strings
+ #915 For use from C++, expat.h started requiring C++11 due to
+ use of C99 features
+ #919 #920 Version info bumped from 10:3:9 (libexpat*.so.1.9.3)
+ to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/
+ for what these numbers do
+
+ Infrastructure:
+ #907 CI: Upgrade Clang from 18 to 19
+ #913 CI: Drop macos-12 and add macos-15
+ #910 CI: Adapt to breaking changes in GitHub Actions
+ #898 Add missing entries to .gitignore
+
+ Special thanks to:
+ Hanno Böck
+ José Eduardo Gutiérrez Conejo
+ José Ricardo Cardona Quesada
+
+Release 2.6.3 Wed September 4 2024
+ Security fixes:
+ #887 #890 CVE-2024-45490 -- Calling function XML_ParseBuffer with
+ len < 0 without noticing and then calling XML_GetBuffer
+ will have XML_ParseBuffer fail to recognize the problem
+ and XML_GetBuffer corrupt memory.
+ With the fix, XML_ParseBuffer now complains with error
+ XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse
+ has been doing since Expat 2.2.1, and now documented.
+ Impact is denial of service to potentially artitrary code
+ execution.
+ #888 #891 CVE-2024-45491 -- Internal function dtdCopy can have an
+ integer overflow for nDefaultAtts on 32-bit platforms
+ (where UINT_MAX equals SIZE_MAX).
+ Impact is denial of service to potentially artitrary code
+ execution.
+ #889 #892 CVE-2024-45492 -- Internal function nextScaffoldPart can
+ have an integer overflow for m_groupSize on 32-bit
+ platforms (where UINT_MAX equals SIZE_MAX).
+ Impact is denial of service to potentially artitrary code
+ execution.
+
+ Other changes:
+ #851 #879 Autotools: Sync CMake templates with CMake 3.28
+ #853 Autotools: Always provide path to find(1) for portability
+ #861 Autotools: Ensure that the m4 directory always exists.
+ #870 Autotools: Simplify handling of SIZEOF_VOID_P
+ #869 Autotools: Support non-GNU sed
+ #856 Autotools|CMake: Fix main() to main(void)
+ #865 Autotools|CMake: Fix compile tests for HAVE_SYSCALL_GETRANDOM
+ #863 Autotools|CMake: Stop requiring dos2unix
+ #854 #855 CMake: Fix check for symbols size_t and off_t
+ #864 docs|tests: Convert README to Markdown and update
+ #741 Windows: Drop support for Visual Studio <=15.0/2017
+ #886 Drop needless XML_DTD guards around is_param access
+ #885 Fix typo in a code comment
+ #894 #896 Version info bumped from 10:2:9 (libexpat*.so.1.9.2)
+ to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/
+ for what these numbers do
+
+ Infrastructure:
+ #880 Readme: Promote the call for help
+ #868 CI: Fix various issues
+ #849 CI: Allow triggering GitHub Actions workflows manually
+ #851 #872 ..
+ #873 #879 CI: Adapt to breaking changes in GitHub Actions
+
+ Special thanks to:
+ Alexander Bluhm
+ Berkay Eren Ürün
+ Dag-Erling Smørgrav
+ Ferenc Géczi
+ TaiYou
+
+Release 2.6.2 Wed March 13 2024
+ Security fixes:
+ #839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with
+ isolated use of external parsers. Please see the commit
+ message of commit 1d50b80cf31de87750103656f6eb693746854aa8
+ for details.
+
+ Bug fixes:
+ #839 #841 Reject direct parameter entity recursion
+ and avoid the related undefined behavior
+
+ Other changes:
+ #847 Autotools: Fix build for DOCBOOK_TO_MAN containing spaces
+ #837 Add missing #821 and #824 to 2.6.1 change log
+ #838 #843 Version info bumped from 10:1:9 (libexpat*.so.1.9.1)
+ to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/
+ for what these numbers do
+
+ Special thanks to:
+ Philippe Antoine
+ Tomas Korbar
+ and
+ Clang UndefinedBehaviorSanitizer
+ OSS-Fuzz / ClusterFuzz
+
+Release 2.6.1 Thu February 29 2024
+ Bug fixes:
+ #817 Make tests independent of CPU speed, and thus more robust
+ #828 #836 Expose billion laughs API with XML_DTD defined and
+ XML_GE undefined, regression from 2.6.0
+
+ Other changes:
+ #829 Hide test-only code behind new internal macro
+ #833 Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P
+ #821 #824 Autotools: Fix "make clean" for case:
+ ./configure --without-docbook && make clean all
+ #819 Address compiler warnings
+ #832 #834 Version info bumped from 10:0:9 (libexpat*.so.1.9.0)
+ to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/
+ for what these numbers do
+
+ Infrastructure:
+ #818 CI: Adapt to breaking changes in clang-format
+
+ Special thanks to:
+ David Hall
+ Snild Dolkow
Release 2.6.0 Tue February 6 2024
Security fixes:
diff --git a/contrib/expat/FREEBSD-Xlist b/contrib/expat/FREEBSD-Xlist
index c1f2a689fee4..82ceb055ae1e 100644
--- a/contrib/expat/FREEBSD-Xlist
+++ b/contrib/expat/FREEBSD-Xlist
@@ -1,4 +1,3 @@
-# $FreeBSD$
*.MPW
*.cmake
*.def
diff --git a/contrib/expat/Makefile.am b/contrib/expat/Makefile.am
index 9c2259d23e63..c20531a8d6c6 100644
--- a/contrib/expat/Makefile.am
+++ b/contrib/expat/Makefile.am
@@ -6,10 +6,12 @@
# \___/_/\_\ .__/ \__,_|\__|
# |_| XML parser
#
-# Copyright (c) 2017-2023 Sebastian Pipping <sebastian@pipping.org>
+# Copyright (c) 2017-2025 Sebastian Pipping <sebastian@pipping.org>
# Copyright (c) 2018 KangLin <kl222@126.com>
# Copyright (c) 2022 Johnny Jazeix <jazeix@gmail.com>
# Copyright (c) 2023 Sony Corporation / Snild Dolkow <snild@sony.com>
+# Copyright (c) 2024 Alexander Bluhm <alexander.bluhm@gmx.net>
+# Copyright (c) 2024 Dag-Erling Smørgrav <des@des.dev>
# Licensed under the MIT license:
#
# Permission is hereby granted, free of charge, to any person obtaining
@@ -94,6 +96,8 @@ EXTRA_DIST = \
conftools/expat.m4 \
conftools/get-version.sh \
\
+ fuzz/xml_lpm_fuzzer.cpp \
+ fuzz/xml_lpm_fuzzer.proto \
fuzz/xml_parsebuffer_fuzzer.c \
fuzz/xml_parse_fuzzer.c \
\
@@ -114,10 +118,10 @@ buildlib:
@echo 'ERROR: is no longer supported. INSTEAD please:' >&2
@echo 'ERROR:' >&2
@echo 'ERROR: * Mass-patch Makefile.am, e.g.' >&2
- @echo 'ERROR: # find -name Makefile.am -exec sed \' >&2
+ @echo 'ERROR: # find . -name Makefile.am -exec sed \' >&2
@echo 'ERROR: -e "s,libexpat\.la,libexpatw.la," \' >&2
@echo 'ERROR: -e "s,libexpat_la,libexpatw_la," \' >&2
- @echo 'ERROR: -i {} +' >&2
+ @echo 'ERROR: -i.bak {} +' >&2
@echo 'ERROR:' >&2
@echo 'ERROR: * Run automake to re-generate Makefile.in files' >&2
@echo 'ERROR:' >&2
diff --git a/contrib/expat/Makefile.in b/contrib/expat/Makefile.in
index f505224f6fa8..069ec4047eea 100644
--- a/contrib/expat/Makefile.in
+++ b/contrib/expat/Makefile.in
@@ -22,10 +22,12 @@
# \___/_/\_\ .__/ \__,_|\__|
# |_| XML parser
#
-# Copyright (c) 2017-2023 Sebastian Pipping <sebastian@pipping.org>
+# Copyright (c) 2017-2025 Sebastian Pipping <sebastian@pipping.org>
# Copyright (c) 2018 KangLin <kl222@126.com>
# Copyright (c) 2022 Johnny Jazeix <jazeix@gmail.com>
# Copyright (c) 2023 Sony Corporation / Snild Dolkow <snild@sony.com>
+# Copyright (c) 2024 Alexander Bluhm <alexander.bluhm@gmx.net>
+# Copyright (c) 2024 Dag-Erling Smørgrav <des@des.dev>
# Licensed under the MIT license:
#
# Permission is hereby granted, free of charge, to any person obtaining
@@ -384,6 +386,7 @@ RANLIB = @RANLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SIZEOF_VOID_P = @SIZEOF_VOID_P@
SO_MAJOR = @SO_MAJOR@
SO_MINOR = @SO_MINOR@
SO_PATCH = @SO_PATCH@
@@ -397,7 +400,6 @@ ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_CXX = @ac_ct_CXX@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-ac_cv_sizeof_void_p = @ac_cv_sizeof_void_p@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
@@ -492,6 +494,8 @@ EXTRA_DIST = \
conftools/expat.m4 \
conftools/get-version.sh \
\
+ fuzz/xml_lpm_fuzzer.cpp \
+ fuzz/xml_lpm_fuzzer.proto \
fuzz/xml_parsebuffer_fuzzer.c \
fuzz/xml_parse_fuzzer.c \
\
@@ -1080,10 +1084,10 @@ buildlib:
@echo 'ERROR: is no longer supported. INSTEAD please:' >&2
@echo 'ERROR:' >&2
@echo 'ERROR: * Mass-patch Makefile.am, e.g.' >&2
- @echo 'ERROR: # find -name Makefile.am -exec sed \' >&2
+ @echo 'ERROR: # find . -name Makefile.am -exec sed \' >&2
@echo 'ERROR: -e "s,libexpat\.la,libexpatw.la," \' >&2
@echo 'ERROR: -e "s,libexpat_la,libexpatw_la," \' >&2
- @echo 'ERROR: -i {} +' >&2
+ @echo 'ERROR: -i.bak {} +' >&2
@echo 'ERROR:' >&2
@echo 'ERROR: * Run automake to re-generate Makefile.in files' >&2
@echo 'ERROR:' >&2
diff --git a/contrib/expat/README.md b/contrib/expat/README.md
index 43c4f4f3dbb3..77c6bf27d307 100644
--- a/contrib/expat/README.md
+++ b/contrib/expat/README.md
@@ -3,9 +3,16 @@
[](https://repology.org/metapackage/expat/versions)
[](https://sourceforge.net/projects/expat/files/)
[](https://github.com/libexpat/libexpat/releases)
+[](https://www.bestpractices.dev/projects/10205)
+> [!CAUTION]
+>
+> Expat is **understaffed** and without funding.
+> There is a [call for help with details](https://github.com/libexpat/libexpat/blob/master/expat/Changes)
+> at the top of the `Changes` file.
-# Expat, Release 2.6.0
+
+# Expat, Release 2.7.1
This is Expat, a C99 library for parsing
[XML 1.0 Fourth Edition](https://www.w3.org/TR/2006/REC-xml-20060816/), started by
@@ -16,11 +23,11 @@ are called when the parser discovers the associated structures in the
document being parsed. A start tag is an example of the kind of
structures for which you may register handlers.
-Expat supports the following compilers:
+Expat supports the following C99 compilers:
-- GNU GCC >=4.5
+- GNU GCC >=4.5 (for use from C) or GNU GCC >=4.8.1 (for use from C++)
- LLVM Clang >=3.5
-- Microsoft Visual Studio >=15.0/2017 (rolling `${today} minus 5 years`)
+- Microsoft Visual Studio >=16.0/2019 (rolling `${today} minus 5 years`)
Windows users can use the
[`expat-win32bin-*.*.*.{exe,zip}` download](https://github.com/libexpat/libexpat/releases),
@@ -37,16 +44,16 @@ This license is the same as the MIT/X Consortium license.
## Using libexpat in your CMake-Based Project
-There are two ways of using libexpat with CMake:
+There are three documented ways of using libexpat with CMake:
-### a) Module Mode
+### a) `find_package` with Module Mode
This approach leverages CMake's own [module `FindEXPAT`](https://cmake.org/cmake/help/latest/module/FindEXPAT.html).
Notice the *uppercase* `EXPAT` in the following example:
```cmake
-cmake_minimum_required(VERSION 3.0) # or 3.10, see below
+cmake_minimum_required(VERSION 3.10)
project(hello VERSION 1.0.0)
@@ -56,15 +63,10 @@ add_executable(hello
hello.c
)
-# a) for CMake >=3.10 (see CMake's FindEXPAT docs)
target_link_libraries(hello PUBLIC EXPAT::EXPAT)
-
-# b) for CMake >=3.0
-target_include_directories(hello PRIVATE ${EXPAT_INCLUDE_DIRS})
-target_link_libraries(hello PUBLIC ${EXPAT_LIBRARIES})
```
-### b) Config Mode
+### b) `find_package` with Config Mode
This approach requires files from…
@@ -79,7 +81,7 @@ or
Notice the *lowercase* `expat` in the following example:
```cmake
-cmake_minimum_required(VERSION 3.0)
+cmake_minimum_required(VERSION 3.10)
project(hello VERSION 1.0.0)
@@ -92,6 +94,45 @@ add_executable(hello
target_link_libraries(hello PUBLIC expat::expat)
```
+### c) The `FetchContent` module
+
+This approach — as demonstrated below — requires CMake >=3.18 for both the
+[`FetchContent` module](https://cmake.org/cmake/help/latest/module/FetchContent.html)
+and its support for the `SOURCE_SUBDIR` option to be available.
+
+Please note that:
+- Use of the `FetchContent` module with *non-release* SHA1s or `master`
+ of libexpat is neither advised nor considered officially supported.
+- Pinning to a specific commit is great for robust CI.
+- Pinning to a specific commit needs updating every time there is a new
+ release of libexpat — either manually or through automation —,
+ to not miss out on libexpat security updates.
+
+For an example that pulls in libexpat via Git:
+
+```cmake
+cmake_minimum_required(VERSION 3.18)
+
+include(FetchContent)
+
+project(hello VERSION 1.0.0)
+
+FetchContent_Declare(
+ expat
+ GIT_REPOSITORY https://github.com/libexpat/libexpat/
+ GIT_TAG 000000000_GIT_COMMIT_SHA1_HERE_000000000 # i.e. Git tag R_0_Y_Z
+ SOURCE_SUBDIR expat/
+)
+
+FetchContent_MakeAvailable(expat)
+
+add_executable(hello
+ hello.c
+)
+
+target_link_libraries(hello PUBLIC expat)
+```
+
## Building from a Git Clone
@@ -158,10 +199,10 @@ support this mode of compilation (yet):
1. Mass-patch `Makefile.am` files to use `libexpatw.la` for a library name:
<br/>
- `find -name Makefile.am -exec sed
+ `find . -name Makefile.am -exec sed
-e 's,libexpat\.la,libexpatw.la,'
-e 's,libexpat_la,libexpatw_la,'
- -i {} +`
+ -i.bak {} +`
1. Run `automake` to re-write `Makefile.in` files:<br/>
`automake`
@@ -250,7 +291,7 @@ EXPAT_ENABLE_INSTALL:BOOL=ON
// Use /MT flag (static CRT) when compiling in MSVC
EXPAT_MSVC_STATIC_CRT:BOOL=OFF
-// Build fuzzers via ossfuzz for the expat library
+// Build fuzzers via OSS-Fuzz for the expat library
EXPAT_OSSFUZZ_BUILD:BOOL=OFF
// Build a shared expat library
diff --git a/contrib/expat/buildconf.sh b/contrib/expat/buildconf.sh
index 5e2b3269c256..4e506b30082b 100755
--- a/contrib/expat/buildconf.sh
+++ b/contrib/expat/buildconf.sh
@@ -8,6 +8,7 @@
#
# Copyright (c) 2017-2022 Sebastian Pipping <sebastian@pipping.org>
# Copyright (c) 2018 Marco Maggi <marco.maggi-ipsu@poste.it>
+# Copyright (c) 2024 Dag-Erling Smørgrav <des@des.dev>
# Licensed under the MIT license:
#
# Permission is hereby granted, free of charge, to any person obtaining
@@ -31,25 +32,4 @@
set -e
-# File expat_config.h.in (as generated by autoheader by autoreconf) contains
-# macro SIZEOF_VOID_P which is (1) not really needed by Expat as of today and
-# (2) a problem to "multilib" systems with one shared installed
-# /usr/include/expat_config.h for two Expats with different "void *" sizes
-# installed in e.g. /usr/lib32 and /usr/lib64. Hence we patch macro
-# SIZEOF_VOID_P out of template expat_config.h.in so that configure will
-# not put SIZEOF_VOID_P in the eventual expat_config.h.
-patch_expat_config_h_in() {
- local filename="$1"
- local sizeof_void_p_line_number="$(grep -F -n SIZEOF_VOID_P "${filename}" | awk -F: '{print $1}')"
- [[ ${sizeof_void_p_line_number} =~ ^[0-9]+$ ]] # cheap assert
- local first_line_to_delete=$(( sizeof_void_p_line_number - 1 ))
- local last_line_to_delete=$(( sizeof_void_p_line_number + 1 ))
- # Note: Avoiding "sed -i" only for macOS portability.
- local tempfile="$(mktemp)"
- sed "${first_line_to_delete},${last_line_to_delete}d" "${filename}" > "${tempfile}"
- mv "${tempfile}" "${filename}"
-}
-
-autoreconf --warnings=all --install --verbose "$@"
-
-patch_expat_config_h_in expat_config.h.in
+exec autoreconf --warnings=all --install --verbose "$@"
diff --git a/contrib/expat/configure.ac b/contrib/expat/configure.ac
index a5d1ff9317c8..0c88b8867019 100644
--- a/contrib/expat/configure.ac
+++ b/contrib/expat/configure.ac
@@ -11,7 +11,7 @@ dnl Copyright (c) 2000 Clark Cooper <coopercc@users.sourceforge.net>
dnl Copyright (c) 2000-2005 Fred L. Drake, Jr. <fdrake@users.sourceforge.net>
dnl Copyright (c) 2001-2003 Greg Stein <gstein@users.sourceforge.net>
dnl Copyright (c) 2006-2012 Karl Waclawek <karl@waclawek.net>
-dnl Copyright (c) 2016-2024 Sebastian Pipping <sebastian@pipping.org>
+dnl Copyright (c) 2016-2025 Sebastian Pipping <sebastian@pipping.org>
dnl Copyright (c) 2017 S. P. Zeidler <spz@netbsd.org>
dnl Copyright (c) 2017 Stephen Groat <stephen@groat.us>
dnl Copyright (c) 2017-2020 Joe Orton <jorton@redhat.com>
@@ -22,6 +22,8 @@ dnl Copyright (c) 2018 KangLin <kl222@126.com>
dnl Copyright (c) 2019 Mohammed Khajapasha <mohammed.khajapasha@intel.com>
dnl Copyright (c) 2019 Kishore Kunche <kishore.kunche@intel.com>
dnl Copyright (c) 2020 Jeffrey Walton <noloader@gmail.com>
+dnl Copyright (c) 2024 Ferenc Géczi <ferenc.gm@gmail.com>
+dnl Copyright (c) 2024 Dag-Erling Smørgrav <des@des.dev>
dnl Licensed under the MIT license:
dnl
dnl Permission is hereby granted, free of charge, to any person obtaining
@@ -82,9 +84,9 @@ dnl
dnl If the API changes incompatibly set LIBAGE back to 0
dnl
-LIBCURRENT=10 # sync
-LIBREVISION=0 # with
-LIBAGE=9 # CMakeLists.txt!
+LIBCURRENT=11 # sync
+LIBREVISION=2 # with
+LIBAGE=10 # CMakeLists.txt!
AC_CONFIG_HEADERS([expat_config.h])
AH_TOP([#ifndef EXPAT_CONFIG_H
@@ -160,7 +162,6 @@ AC_C_BIGENDIAN([AC_DEFINE([WORDS_BIGENDIAN], 1)
AC_DEFINE_UNQUOTED([BYTEORDER], $BYTEORDER, [1234 = LILENDIAN, 4321 = BIGENDIAN])
AC_C_CONST
-AC_TYPE_SIZE_T
AC_ARG_WITH([xmlwf],
[AS_HELP_STRING([--without-xmlwf], [do not build xmlwf])],
@@ -215,7 +216,7 @@ AC_LINK_IFELSE([AC_LANG_SOURCE([
#else
# include <stdlib.h> /* for arc4random_buf on BSD */
#endif
- int main() {
+ int main(void) {
char dummy[[123]]; // double brackets for m4
arc4random_buf(dummy, 0U);
return 0;
@@ -232,7 +233,7 @@ AC_LINK_IFELSE([AC_LANG_SOURCE([
#else
# include <stdlib.h>
#endif
- int main() {
+ int main(void) {
arc4random();
return 0;
}
@@ -254,7 +255,7 @@ AS_IF([test "x$with_getrandom" != xno],
AC_LINK_IFELSE([AC_LANG_SOURCE([
#include <stdlib.h> /* for NULL */
#include <sys/random.h>
- int main() {
+ int main(void) {
return getrandom(NULL, 0U, 0U);
}
])],
@@ -275,10 +276,11 @@ AS_HELP_STRING([--without-sys-getrandom],
AS_IF([test "x$with_sys_getrandom" != xno],
[AC_MSG_CHECKING([for syscall SYS_getrandom (Linux 3.17+)])
AC_LINK_IFELSE([AC_LANG_SOURCE([
+ #define _GNU_SOURCE
#include <stdlib.h> /* for NULL */
#include <unistd.h> /* for syscall */
#include <sys/syscall.h> /* for SYS_getrandom */
- int main() {
+ int main(void) {
syscall(SYS_getrandom, NULL, 0, 0);
return 0;
}
@@ -357,11 +359,22 @@ AS_IF([test "x${DOCBOOK_TO_MAN}" != x -a "x$with_docbook" != xno],
page for xmlwf.])])])
dnl This will make sure that a release tarball shipping a pre-rendered xmlwf man page will
-dnl get it installed, independent of whether some flavor of docbook2man is available.
+dnl get it installed, when no working flavor of docbook2man is available (or wanted).
dnl This relies on file xmlwf.1 being at least as recent as its source file xmlwf.xml.
AS_IF([test -f "${srcdir}"/doc/xmlwf.1],
- [AM_CONDITIONAL(WITH_DOCBOOK, [true])],
- [AM_CONDITIONAL(WITH_DOCBOOK, [test "x${DOCBOOK_TO_MAN}" != x])])
+ [AM_CONDITIONAL(WITH_MANPAGE, [true])
+ AS_IF([test "x$with_docbook" = xno -o "x${DOCBOOK_TO_MAN}" = x],
+ [AM_CONDITIONAL(WITH_PREBUILT_MANPAGE, [true])
+ AM_CONDITIONAL(WITH_DISTRIBUTABLE_MANPAGE, [false])],
+ [AM_CONDITIONAL(WITH_PREBUILT_MANPAGE, [false])
+ AM_CONDITIONAL(WITH_DISTRIBUTABLE_MANPAGE, [true])])
+ ],
+ [AS_IF([test "x$with_docbook" != xno -a "x${DOCBOOK_TO_MAN}" != x],
+ [AM_CONDITIONAL(WITH_MANPAGE, [true])
+ AM_CONDITIONAL(WITH_DISTRIBUTABLE_MANPAGE, [true])],
+ [AM_CONDITIONAL(WITH_MANPAGE, [false])
+ AM_CONDITIONAL(WITH_DISTRIBUTABLE_MANPAGE, [false])])
+ AM_CONDITIONAL(WITH_PREBUILT_MANPAGE, [false])])
dnl Configure CMake file templates
dnl NOTE: The *_TRUE variables read here are Automake conditionals
@@ -392,7 +405,6 @@ LIBDIR_BASENAME="$(basename "${libdir}")"
SO_MAJOR="$(expr "${LIBCURRENT}" - "${LIBAGE}")"
SO_MINOR="${LIBAGE}"
SO_PATCH="${LIBREVISION}"
-AC_CHECK_SIZEOF([void *]) # sets ac_cv_sizeof_void_p
AC_SUBST([EXPAT_ATTR_INFO])
AC_SUBST([EXPAT_DTD])
AC_SUBST([EXPAT_LARGE_SIZE])
@@ -405,8 +417,13 @@ AC_SUBST([LIBDIR_BASENAME])
AC_SUBST([SO_MAJOR])
AC_SUBST([SO_MINOR])
AC_SUBST([SO_PATCH])
-AC_SUBST([ac_cv_sizeof_void_p])
+dnl The canonical way of doing this is AC_CHECK_SIZEOF(void *), but
+dnl that adds SIZEOF_VOID_P to expat_config.h.in, making it difficult
+dnl to have 32-bit and 64-bit versions of libexpat installed on the
+dnl same system with a single, shared copy of the header.
+AC_COMPUTE_INT(SIZEOF_VOID_P, [sizeof(void *)])
+AC_SUBST([SIZEOF_VOID_P])
dnl write the Automake flags we set
AC_SUBST([AM_CPPFLAGS])
diff --git a/contrib/expat/doc/Makefile.am b/contrib/expat/doc/Makefile.am
index c3a3ce59c1b9..3bea96e9aa6f 100644
--- a/contrib/expat/doc/Makefile.am
+++ b/contrib/expat/doc/Makefile.am
@@ -6,9 +6,10 @@
# \___/_/\_\ .__/ \__,_|\__|
# |_| XML parser
#
-# Copyright (c) 2017-2022 Sebastian Pipping <sebastian@pipping.org>
+# Copyright (c) 2017-2024 Sebastian Pipping <sebastian@pipping.org>
# Copyright (c) 2017 Stephen Groat <stephen@groat.us>
# Copyright (c) 2017 Joe Orton <jorton@redhat.com>
+# Copyright (c) 2024 Tomas Korbar <tkorbar@redhat.com>
# Licensed under the MIT license:
#
# Permission is hereby granted, free of charge, to any person obtaining
@@ -32,26 +33,24 @@
.PHONY: dist-hook # not inside conditional to avoid automake warning
-if WITH_DOCBOOK
+if WITH_MANPAGE
dist_man_MANS = xmlwf.1
xmlwf.1: xmlwf.xml
-rm -f $@
- $(DOCBOOK_TO_MAN) $<
+ test "x$(DOCBOOK_TO_MAN)" != x && $(DOCBOOK_TO_MAN) $<
test -f $@ || mv XMLWF.1 $@
-else
+endif
+
+if !WITH_DISTRIBUTABLE_MANPAGE
dist-hook:
@echo 'ERROR: Configure with --with-docbook for "make dist".' 1>&2
@false
endif
-# https://www.gnu.org/software/automake/manual/automake.html#What-Gets-Cleaned
-.PHONY: clean-local
-clean-local: clean-local-check
-
-.PHONY: clean-local-check
-clean-local-check:
- $(RM) xmlwf.1
+if !WITH_PREBUILT_MANPAGE
+CLEANFILES = xmlwf.1
+endif
EXTRA_DIST = \
ok.min.css \
diff --git a/contrib/expat/doc/Makefile.in b/contrib/expat/doc/Makefile.in
index 18f86be3947b..72deb0565d94 100644
--- a/contrib/expat/doc/Makefile.in
+++ b/contrib/expat/doc/Makefile.in
@@ -22,9 +22,10 @@
# \___/_/\_\ .__/ \__,_|\__|
# |_| XML parser
#
-# Copyright (c) 2017-2022 Sebastian Pipping <sebastian@pipping.org>
+# Copyright (c) 2017-2024 Sebastian Pipping <sebastian@pipping.org>
# Copyright (c) 2017 Stephen Groat <stephen@groat.us>
# Copyright (c) 2017 Joe Orton <jorton@redhat.com>
+# Copyright (c) 2024 Tomas Korbar <tkorbar@redhat.com>
# Licensed under the MIT license:
#
# Permission is hereby granted, free of charge, to any person obtaining
@@ -285,6 +286,7 @@ RANLIB = @RANLIB@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
+SIZEOF_VOID_P = @SIZEOF_VOID_P@
SO_MAJOR = @SO_MAJOR@
SO_MINOR = @SO_MINOR@
SO_PATCH = @SO_PATCH@
@@ -298,7 +300,6 @@ ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_CXX = @ac_ct_CXX@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-ac_cv_sizeof_void_p = @ac_cv_sizeof_void_p@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
@@ -345,7 +346,8 @@ target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
-@WITH_DOCBOOK_TRUE@dist_man_MANS = xmlwf.1
+@WITH_MANPAGE_TRUE@dist_man_MANS = xmlwf.1
+@WITH_PREBUILT_MANPAGE_FALSE@CLEANFILES = xmlwf.1
EXTRA_DIST = \
ok.min.css \
reference.html \
@@ -439,7 +441,7 @@ ctags CTAGS:
cscope cscopelist:
-@WITH_DOCBOOK_TRUE@dist-hook:
+@WITH_DISTRIBUTABLE_MANPAGE_TRUE@dist-hook:
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -505,6 +507,7 @@ install-strip:
mostlyclean-generic:
clean-generic:
+ -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
@@ -515,7 +518,7 @@ maintainer-clean-generic:
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
-clean-am: clean-generic clean-libtool clean-local mostlyclean-am
+clean-am: clean-generic clean-libtool mostlyclean-am
distclean: distclean-am
-rm -f Makefile
@@ -584,38 +587,31 @@ uninstall-man: uninstall-man1
.MAKE: install-am install-strip
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
- clean-local cscopelist-am ctags-am dist-hook distclean \
- distclean-generic distclean-libtool distdir dvi dvi-am html \
- html-am info info-am install install-am install-data \
- install-data-am install-dvi install-dvi-am install-exec \
- install-exec-am install-html install-html-am install-info \
- install-info-am install-man install-man1 install-pdf \
- install-pdf-am install-ps install-ps-am install-strip \
- installcheck installcheck-am installdirs maintainer-clean \
- maintainer-clean-generic mostlyclean mostlyclean-generic \
- mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
- uninstall-am uninstall-man uninstall-man1
+ cscopelist-am ctags-am dist-hook distclean distclean-generic \
+ distclean-libtool distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am install-dvi \
+ install-dvi-am install-exec install-exec-am install-html \
+ install-html-am install-info install-info-am install-man \
+ install-man1 install-pdf install-pdf-am install-ps \
+ install-ps-am install-strip installcheck installcheck-am \
+ installdirs maintainer-clean maintainer-clean-generic \
+ mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
+ ps ps-am tags-am uninstall uninstall-am uninstall-man \
+ uninstall-man1
.PRECIOUS: Makefile
.PHONY: dist-hook # not inside conditional to avoid automake warning
-@WITH_DOCBOOK_TRUE@xmlwf.1: xmlwf.xml
-@WITH_DOCBOOK_TRUE@ -rm -f $@
-@WITH_DOCBOOK_TRUE@ $(DOCBOOK_TO_MAN) $<
-@WITH_DOCBOOK_TRUE@ test -f $@ || mv XMLWF.1 $@
-@WITH_DOCBOOK_FALSE@dist-hook:
-@WITH_DOCBOOK_FALSE@ @echo 'ERROR: Configure with --with-docbook for "make dist".' 1>&2
-@WITH_DOCBOOK_FALSE@ @false
-
-# https://www.gnu.org/software/automake/manual/automake.html#What-Gets-Cleaned
-.PHONY: clean-local
-clean-local: clean-local-check
-
-.PHONY: clean-local-check
*** 4429 LINES SKIPPED ***