#
# spec file for package expat
#
# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#


Name:           expat
Version:        2.1.0
Release:        0
URL:            http://expat.sourceforge.net/
# bug437293
%ifarch ppc64
Obsoletes:      expat-64bit
%endif
#
Summary:        XML Parser Toolkit
License:        MIT
Group:          Development/Libraries/C and C++
Source0:        http://downloads.sourceforge.net/project/%{name}/%{name}/%{version}/%{name}-%{version}.tar.gz
Source1:        %{name}faq.html
Source2:        baselibs.conf
Patch2:         expat-visibility.patch
Patch3:         expat-alloc-size.patch
Patch4:         config-guess-sub-update.patch
# PATCH-FIX-UPSTREAM bnc#980391 CVE-2015-1283 kstreitova@suse.com -- fix multiple integer overflows
Patch5:         expat-2.1.0-heap_buffer_overflow.patch
# PATCH-FIX-UPSTREAM bnc#979441 CVE-2016-0718 kstreitova@suse.com -- XML parser crashes on malformed input
Patch6:         expat-2.1.0-parser_crashes_on_malformed_input.patch
Patch7:         expat-2.1.1-CVE-2012-6702.patch
# PATCH-FIX-UPSTREAM bsc#1047236 CVE-2017-9233 pmonrealgonzalez@suse.com -- External Entity Vulnerability
Patch8:         expat-CVE-2017-9233.patch
# PATCH-FIX-UPSTREAM bsc#1047240 CVE-2016-9063 pmonrealgonzalez@suse.com -- fix possible integer overflow inside XML_Parse
Patch9:         expat-2.1.0-CVE-2016-9063.patch
# PATCH-FIX-UPSTREAM bsc#1139937 CVE-2018-20843 pmonrealgonzalez@suse.com -- Fix extraction of namespace prefixes from XML names
Patch10:        expat-CVE-2018-20843.patch
# PATCH-FIX-UPSTREAM bsc#1149429 CVE-2019-15903 crafted XML input results in heap-based buffer over-read
Patch11:        expat-CVE-2019-15903.patch
Patch12:        expat-CVE-2019-15903-tests.patch
# PATCH-FIX-UPSTREAM bsc#1194251 CVE-2021-45960 a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior
# - https://github.com/libexpat/libexpat/pull/534/commits/0adcb34c49bee5b19bd29b16a578c510c23597ea
Patch13:        expat-CVE-2021-45960.patch
# PATCH-FIX-UPSTREAM bsc#1194362 CVE-2021-46143 integer overflow exists for m_groupSize in doProlog
# - https://github.com/libexpat/libexpat/pull/538/commits/85ae9a2d7d0e9358f356b33977b842df8ebaec2b
Patch14:        expat-CVE-2021-46143.patch
# PATCH-FIX-UPSTREAM bsc#1194474 CVE-2022-22822 integer overflow in addBinding in xmlparse.c
# - https://github.com/libexpat/libexpat/pull/539/commits/9f93e8036e842329863bf20395b8fb8f73834d9e
Patch15:        expat-CVE-2022-22822.patch
# PATCH-FIX-UPSTREAM bsc#1194476 CVE-2022-22823 integer overflow in build_model in xmlparse.c
# - https://github.com/libexpat/libexpat/pull/539/commits/9f93e8036e842329863bf20395b8fb8f73834d9e
Patch16:        expat-CVE-2022-22823.patch
# PATCH-FIX-UPSTREAM bsc#1194477 CVE-2022-22824 integer overflow in defineAttribute in xmlparse.c
# - https://github.com/libexpat/libexpat/pull/539/commits/9f93e8036e842329863bf20395b8fb8f73834d9e
Patch17:        expat-CVE-2022-22824.patch
# PATCH-FIX-UPSTREAM bsc#1194478 CVE-2022-22825 integer overflow in lookup in xmlparse.c
# - https://github.com/libexpat/libexpat/pull/539/commits/9f93e8036e842329863bf20395b8fb8f73834d9e
Patch18:        expat-CVE-2022-22825.patch
# PATCH-FIX-UPSTREAM bsc#1194479 CVE-2022-22826 integer overflow in nextScaffoldPart in xmlparse.c
# - https://github.com/libexpat/libexpat/pull/539/commits/9f93e8036e842329863bf20395b8fb8f73834d9e
Patch19:        expat-CVE-2022-22826.patch
# PATCH-FIX-UPSTREAM bsc#1194480 CVE-2022-22827 integer overflow in storeAtts in xmlparse.c
# - https://github.com/libexpat/libexpat/pull/539/commits/9f93e8036e842329863bf20395b8fb8f73834d9e
Patch20:        expat-CVE-2022-22827.patch
# PATCH-FIX-UPSTREAM bsc#1195054 CVE-2022-23852 Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES
# - https://github.com/libexpat/libexpat/pull/550/commits/847a645152f5ebc10ac63b74b604d0c1a79fae40
# - https://github.com/libexpat/libexpat/pull/550/commits/acf956f14bf79a5e6383a969aaffec98bfbc2e44
Patch21:        expat-CVE-2022-23852.patch
# PATCH-FIX-UPSTREAM bsc#1195217 CVE-2022-23990: expat: integer overflow in the doProlog function
# - https://github.com/libexpat/libexpat/pull/551/commits/ede41d1e186ed2aba88a06e84cac839b770af3a1
Patch22:        expat-CVE-2022-23990.patch
# Stack exhaustion in build_model() via uncontrolled recursion
# UPSTREAM-FIX: (CVE-2022-25313, bsc#1196168) https://github.com/libexpat/libexpat/pull/558
Patch23:        %{name}-CVE-2022-25313.patch
# UPSTREAM-FIX: (CVE-2022-25313) Follow-up fix, as the patch above introduced a regression: https://github.com/libexpat/libexpat/pull/566
Patch24:        %{name}-CVE-2022-25313-fix-regression.patch
# Integer overflow in storeRawNames
# UPSTREAM-FIX: (CVE-2022-25315, bsc#1196171) https://github.com/libexpat/libexpat/pull/559
Patch25:        %{name}-CVE-2022-25315.patch
# xmlparse.c in Expat before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs
# UPSTREAM-FIX: (CVE-2022-25236, bsc#1196025) https://github.com/libexpat/libexpat/pull/561
Patch26:        %{name}-CVE-2022-25236.patch
# xmltok_impl.c in Expat before 2.4.5 does not check whether a UTF-8 character is valid in a certain context.
# UPSTREAM-FIX: (CVE-2022-25235, bsc#1196026) https://github.com/libexpat/libexpat/pull/562
Patch27:        %{name}-CVE-2022-25235.patch
# In order to fix CVE-2022-25235, we need to backport a previous patch
# that introduced the copyString function and fixed issues with protocolEncodingName
# https://github.com/libexpat/libexpat/commit/196bea60b1ef161d6a2957e6ddab00e2cb6c60ec
Patch28:        %{name}-CVE-2022-25314-before.patch
# Integer overflow in copyString
# UPSTREAM-FIX: (CVE-2022-25314, bsc#1196169) https://github.com/libexpat/libexpat/pull/560
Patch29:        %{name}-CVE-2022-25314.patch
# [>=2.4.5] Fix to CVE-2022-25236 breaks biboumi, ClairMeta, jxmlease, libwbxml, openleadr-python, rnv, xmltodict
# UPSTREAM-FIX: (CVE-2022-25236, bsc#1196784) https://github.com/libexpat/libexpat/pull/577
Patch30:        %{name}-CVE-2022-25236-relax-fix.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  autoconf >= 2.58
BuildRequires:  gcc-c++
BuildRequires:  libtool
BuildRequires:  pkg-config

%description
Expat is an XML parser library written in C. It is a stream-oriented
parser in which an application registers handlers for things the parser
might find in the XML document (like start tags).

%package -n libexpat1
Summary:        XML Parser Toolkit
# bug437293
Group:          Development/Libraries/C and C++
%ifarch ppc64
Obsoletes:      expat-64bit
%endif
#

%description -n libexpat1
Expat is an XML parser library written in C. It is a stream-oriented
parser in which an application registers handlers for things the parser
might find in the XML document (like start tags).

%package -n libexpat-devel
Summary:        XML Parser Toolkit
Group:          Development/Libraries/C and C++
Requires:       glibc-devel
Requires:       libexpat1 = %{version}

%description -n libexpat-devel
Expat is an XML parser library written in C. It is a stream-oriented
parser in which an application registers handlers for things the parser
might find in the XML document (like start tags).

This package contains the development headers for the library found in
libexpat.

%prep
%setup -q -n expat-2.1.0
%patch2 -p1
%patch3
%patch4
%patch5 -p1
%patch6 -p1
%patch7 -p2
%patch8 -p2
%patch9 -p2
%patch10 -p2
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch30 -p1
cp %{S:1} .
rm -f examples/*.dsp

%build
autoreconf -fi
%configure --disable-static --with-pic
make %{?_smp_mflags}

%install
make DESTDIR=$RPM_BUILD_ROOT install
rm doc/xmlwf.1
# remove .la file
rm -f %{buildroot}%{_libdir}/libexpat.la

%check
make check

%post -n libexpat1 -p /sbin/ldconfig
%postun -n libexpat1 -p /sbin/ldconfig

%files
%defattr(-, root, root)
%license COPYING
%doc Changes README examples expatfaq.html
%doc doc/expat.png doc/reference.html doc/style.css doc/valid-xhtml10.png
%doc %{_mandir}/man?/*
%{_bindir}/xmlwf

%files -n libexpat1
%defattr(-, root, root)
%{_libdir}/libexpat.so.*

%files -n libexpat-devel
%defattr(-, root, root)
%{_includedir}/*
%{_libdir}/libexpat.so
%{_libdir}/pkgconfig/expat.pc

%changelog
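The spec above keeps `Version: 2.1.0` while backporting fixes for CVEs published as late as 2022, so a scanner that keys on the version string alone will report every one of those CVEs as open on this package; the spec comments and patch names are the only machine-readable record of what was actually fixed. Two checks a packager or auditor wants from such a spec are a list of the CVE identifiers it claims to address and confirmation that every `PatchN:` declared in the preamble is also applied in `%prep` (a patch that is declared but never applied silently ships the unfixed bug). The POSIX shell script below is an added example, not part of the SUSE package; it runs over a constructed miniature spec held in `SAMPLE_SPEC` and only understands the `%patchN` application form this spec uses, not `%patch -P N` or `%autosetup`.

```shell
#!/bin/sh
# Added example (not part of the SUSE expat package): audit a spec file for
# declared-but-unapplied patches and list the CVE ids it claims to fix.
# Only the "%patchN" application form is recognized; "%patch -P N" and
# "%autosetup"/"%autopatch" are not.

# Constructed miniature spec so the script runs stand-alone. To audit the
# real file instead:  SAMPLE_SPEC=$(cat expat.spec)
SAMPLE_SPEC='Name:    expat
Version: 2.1.0
# PATCH-FIX-UPSTREAM bsc#979441 CVE-2016-0718 XML parser crashes on malformed input
Patch6:  expat-2.1.0-parser_crashes_on_malformed_input.patch
# UPSTREAM-FIX: (CVE-2022-25313, bsc#1196168)
Patch23: %{name}-CVE-2022-25313.patch
Patch24: %{name}-CVE-2022-25313-fix-regression.patch
%prep
%setup -q -n expat-2.1.0
%patch6 -p1
%patch23 -p1
%build
make'

# Patch numbers declared as "PatchN:" in the preamble, one per line, ascending.
declared_patches() {
    printf '%s\n' "$1" | sed -n 's/^Patch\([0-9][0-9]*\):.*/\1/p' | sort -n | uniq
}

# Patch numbers applied as "%patchN" between %prep and the next section header.
applied_patches() {
    printf '%s\n' "$1" | awk '
        /^%prep/                         { inprep = 1; next }
        /^%(build|install|check|files)/  { inprep = 0 }
        inprep && /^%patch[0-9]+/        { sub(/^%patch/, "", $1); print $1 }
    ' | sort -n | uniq
}

# Patch numbers that are declared but never applied: the failure mode that
# ships an unfixed bug while the spec comments say it is fixed.
unapplied_patches() {
    applied=$(applied_patches "$1")
    declared_patches "$1" | while read -r n; do
        [ -n "$n" ] || continue
        printf '%s\n' "$applied" | grep -qx "$n" || printf '%s\n' "$n"
    done
}

# Distinct CVE identifiers mentioned anywhere in the spec (comments and patch names).
cve_ids() {
    printf '%s\n' "$1" | grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# Report, returning 1 when at least one declared patch is not applied.
audit_spec() {
    echo "CVE ids referenced:"
    cve_ids "$1"
    missing=$(unapplied_patches "$1")
    if [ -n "$missing" ]; then
        echo "declared but not applied in %prep: $(printf '%s\n' "$missing" | tr '\n' ' ')"
        return 1
    fi
    echo "all declared patches are applied"
}

# Stand-alone run over the constructed sample (Patch24 is declared but unapplied).
audit_spec "$SAMPLE_SPEC" || echo "audit failed with status $?"
```

The CVE list this produces is what to hand a vulnerability scanner as the "fixed in this build" set, and the unapplied-patch check belongs in the same CI step that runs `rpmbuild -bp`, since a typo such as `%patch32` for a declared `Patch30` is exactly the kind of error that only shows up in the patched source tree.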