untrusted comment: verify with openbsd-75-base.pub RWRGj1pRpprAfqoyYxBWo8dRSTUNMBPLW/kL6q39+70VUtFbrHPU03TGh4SLB+ntXGOzrhlAXHV6daJ0NAmt/rwHJhdMLoxjwwc= OpenBSD 7.5 errata 021, April 1, 2025: In libexpat fix regression of behavior introduced by previous errata. Apply by doing: signify -Vep /etc/signify/openbsd-75-base.pub -x 021_expat.patch.sig \ -m - | (cd /usr/src && patch -p0) And then rebuild and install libexpat: cd /usr/src/lib/libexpat make obj make make install Index: lib/libexpat/Changes =================================================================== RCS file: /cvs/src/lib/libexpat/Changes,v diff -u -p -r1.24.4.3 Changes --- lib/libexpat/Changes 16 Mar 2025 21:28:30 -0000 1.24.4.3 +++ lib/libexpat/Changes 29 Mar 2025 21:36:33 -0000 @@ -2,6 +2,19 @@ NOTE: We are looking for help with a few https://github.com/libexpat/libexpat/labels/help%20wanted If you can help, please get in touch. Thanks! + Bug fixes: + #980 #989 Restore event pointer behavior from Expat 2.6.4 + (that the fix to CVE-2024-8176 changed in 2.7.0); + affected API functions are: + - XML_GetCurrentByteCount + - XML_GetCurrentByteIndex + - XML_GetCurrentColumnNumber + - XML_GetCurrentLineNumber + - XML_GetInputContext + + Other changes: + #986 Address compiler warnings + Security fixes: #893 #973 CVE-2024-8176 -- Fix crash from chaining a large number of entities caused by stack overflow by resolving use of Index: lib/libexpat/lib/xmlparse.c =================================================================== RCS file: /cvs/src/lib/libexpat/lib/xmlparse.c,v diff -u -p -r1.37.2.3 xmlparse.c --- lib/libexpat/lib/xmlparse.c 16 Mar 2025 21:28:30 -0000 1.37.2.3 +++ lib/libexpat/lib/xmlparse.c 29 Mar 2025 21:36:33 -0000 @@ -1,4 +1,4 @@ -/* 7d6840a33c250b74adb0ba295d6ec818dccebebaffc8c3ed27d0b29c28adbeb3 (2.7.0+) +/* d19ae032c224863c1527ba44d228cc34b99192c3a4c5a27af1f4e054d45ee031 (2.7.1+) __ __ _ ___\ \/ /_ __ __ _| |_ / _ \\ /| '_ \ / _` | __| 
@@ -3391,12 +3391,13 @@ doContent(XML_Parser parser, int startTa break; /* LCOV_EXCL_STOP */ } - *eventPP = s = next; switch (parser->m_parsingStatus.parsing) { case XML_SUSPENDED: + *eventPP = next; *nextPtr = next; return XML_ERROR_NONE; case XML_FINISHED: + *eventPP = next; return XML_ERROR_ABORTED; case XML_PARSING: if (parser->m_reenter) { @@ -3405,6 +3406,7 @@ doContent(XML_Parser parser, int startTa } /* Fall through */ default:; + *eventPP = s = next; } } /* not reached */ @@ -4321,12 +4323,13 @@ doCdataSection(XML_Parser parser, const /* LCOV_EXCL_STOP */ } - *eventPP = s = next; switch (parser->m_parsingStatus.parsing) { case XML_SUSPENDED: + *eventPP = next; *nextPtr = next; return XML_ERROR_NONE; case XML_FINISHED: + *eventPP = next; return XML_ERROR_ABORTED; case XML_PARSING: if (parser->m_reenter) { @@ -4334,6 +4337,7 @@ doCdataSection(XML_Parser parser, const } /* Fall through */ default:; + *eventPP = s = next; } } /* not reached */ @@ -5940,12 +5944,13 @@ epilogProcessor(XML_Parser parser, const default: return XML_ERROR_JUNK_AFTER_DOC_ELEMENT; } - parser->m_eventPtr = s = next; switch (parser->m_parsingStatus.parsing) { case XML_SUSPENDED: + parser->m_eventPtr = next; *nextPtr = next; return XML_ERROR_NONE; case XML_FINISHED: + parser->m_eventPtr = next; return XML_ERROR_ABORTED; case XML_PARSING: if (parser->m_reenter) { @@ -5953,6 +5958,7 @@ epilogProcessor(XML_Parser parser, const } /* Fall through */ default:; + parser->m_eventPtr = s = next; } } } @@ -8237,7 +8243,7 @@ entityTrackingReportStats(XML_Parser roo (void *)rootParser, rootParser->m_entity_stats.countEverOpened, rootParser->m_entity_stats.currentDepth, rootParser->m_entity_stats.maximumDepthSeen, - (rootParser->m_entity_stats.currentDepth - 1) * 2, "", + ((int)rootParser->m_entity_stats.currentDepth - 1) * 2, "", entity->is_param ? "%" : "&", entityName, action, entity->textLen, sourceLine); }
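Review bot: Nothing in the first doContent hunk says why `*eventPP` is now assigned per case instead of once before the `switch`, and the one path that no longer assigns it, the `if (parser->m_reenter)` branch under `case XML_PARSING:`, has its body outside the hunk. Going by the Changes entry, that omission looks like the actual fix: the position getters listed there presumably read the event pointer, so it has to stay on the current event while the parser re-enters. A comment above the branch such as `/* Re-entering: leave *eventPP on the current event so the XML_GetCurrent* getters and XML_GetInputContext keep reporting it */` would keep a later cleanup from hoisting the assignment back in front of the `switch`. The same applies to the matching first hunks in doCdataSection and epilogProcessor (there for `parser->m_eventPtr`).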
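Review bot: The null statement in `default:;` looks like a leftover from when the label had nothing after it; in the second doContent hunk it is now followed by `*eventPP = s = next;`, so the `;` is redundant and reads as if the default case were still empty. Writing `default:` followed directly by the assignment and an explicit `break;` would say the same thing more plainly, unless the file is deliberately kept identical to upstream. The same leftover appears in the second doCdataSection and epilogProcessor hunks. The enclosing `switch` starts outside this hunk.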
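Review bot: The `(int)` cast in the entityTrackingReportStats hunk makes the width argument an int, but nothing visible guarantees `currentDepth` is at least 1 here, and at 0 the width becomes -2, which printf treats as a left-justify flag with width 2 rather than an error. That is harmless for a debug line, but a short comment would record the intent, for example `/* %*s needs an int width; depth is >= 1 whenever this is called */`, provided that invariant holds in the callers, which are outside the hunk. The format string and the start of the call are outside the hunk as well, so pairing this argument with `%*s` is inferred from the `""` that follows it.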