untrusted comment: verify with openbsd-76-base.pub
RWTkuwn4mbq8ogUqbVnpHplMFUIsfP+lu0OvBY1Obzol5yBpOM76uSZiI0pL2eLIndINmR+kO/TasXWQQcAQjzrrqxUZ68Hr9AE=
OpenBSD 7.6 errata 011, April 1, 2025:
In libexpat fix regression of behavior introduced by previous errata.
Apply by doing:
signify -Vep /etc/signify/openbsd-76-base.pub -x 011_expat.patch.sig \
-m - | (cd /usr/src && patch -p0)
And then rebuild and install libexpat:
cd /usr/src/lib/libexpat
make obj
make
make install
Index: lib/libexpat/Changes
===================================================================
RCS file: /cvs/src/lib/libexpat/Changes,v
diff -u -p -r1.27.2.2 Changes
--- lib/libexpat/Changes 16 Mar 2025 21:30:12 -0000 1.27.2.2
+++ lib/libexpat/Changes 29 Mar 2025 21:39:08 -0000
@@ -30,6 +30,19 @@
!! THANK YOU! Sebastian Pipping -- Berlin, 2024-03-09 !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+ Bug fixes:
+ #980 #989 Restore event pointer behavior from Expat 2.6.4
+ (that the fix to CVE-2024-8176 changed in 2.7.0);
+ affected API functions are:
+ - XML_GetCurrentByteCount
+ - XML_GetCurrentByteIndex
+ - XML_GetCurrentColumnNumber
+ - XML_GetCurrentLineNumber
+ - XML_GetInputContext
+
+ Other changes:
+ #986 Address compiler warnings
+
Security fixes:
#893 #973 CVE-2024-8176 -- Fix crash from chaining a large number
of entities caused by stack overflow by resolving use of
Index: lib/libexpat/lib/xmlparse.c
===================================================================
RCS file: /cvs/src/lib/libexpat/lib/xmlparse.c,v
diff -u -p -r1.39.2.2 xmlparse.c
--- lib/libexpat/lib/xmlparse.c 16 Mar 2025 21:30:12 -0000 1.39.2.2
+++ lib/libexpat/lib/xmlparse.c 29 Mar 2025 21:39:09 -0000
@@ -1,4 +1,4 @@
-/* 7d6840a33c250b74adb0ba295d6ec818dccebebaffc8c3ed27d0b29c28adbeb3 (2.7.0+)
+/* d19ae032c224863c1527ba44d228cc34b99192c3a4c5a27af1f4e054d45ee031 (2.7.1+)
__ __ _
___\ \/ /_ __ __ _| |_
/ _ \\ /| '_ \ / _` | __|
@@ -3399,12 +3399,13 @@ doContent(XML_Parser parser, int startTa
break;
/* LCOV_EXCL_STOP */
}
- *eventPP = s = next;
switch (parser->m_parsingStatus.parsing) {
case XML_SUSPENDED:
+ *eventPP = next;
*nextPtr = next;
return XML_ERROR_NONE;
case XML_FINISHED:
+ *eventPP = next;
return XML_ERROR_ABORTED;
case XML_PARSING:
if (parser->m_reenter) {
@@ -3413,6 +3414,7 @@ doContent(XML_Parser parser, int startTa
}
/* Fall through */
default:;
+ *eventPP = s = next;
}
}
/* not reached */
@@ -4329,12 +4331,13 @@ doCdataSection(XML_Parser parser, const
/* LCOV_EXCL_STOP */
}
- *eventPP = s = next;
switch (parser->m_parsingStatus.parsing) {
case XML_SUSPENDED:
+ *eventPP = next;
*nextPtr = next;
return XML_ERROR_NONE;
case XML_FINISHED:
+ *eventPP = next;
return XML_ERROR_ABORTED;
case XML_PARSING:
if (parser->m_reenter) {
@@ -4342,6 +4345,7 @@ doCdataSection(XML_Parser parser, const
}
/* Fall through */
default:;
+ *eventPP = s = next;
}
}
/* not reached */
@@ -5948,12 +5952,13 @@ epilogProcessor(XML_Parser parser, const
default:
return XML_ERROR_JUNK_AFTER_DOC_ELEMENT;
}
- parser->m_eventPtr = s = next;
switch (parser->m_parsingStatus.parsing) {
case XML_SUSPENDED:
+ parser->m_eventPtr = next;
*nextPtr = next;
return XML_ERROR_NONE;
case XML_FINISHED:
+ parser->m_eventPtr = next;
return XML_ERROR_ABORTED;
case XML_PARSING:
if (parser->m_reenter) {
@@ -5961,6 +5966,7 @@ epilogProcessor(XML_Parser parser, const
}
/* Fall through */
default:;
+ parser->m_eventPtr = s = next;
}
}
}
@@ -8242,7 +8248,7 @@ entityTrackingReportStats(XML_Parser roo
(void *)rootParser, rootParser->m_entity_stats.countEverOpened,
rootParser->m_entity_stats.currentDepth,
rootParser->m_entity_stats.maximumDepthSeen,
- (rootParser->m_entity_stats.currentDepth - 1) * 2, "",
+ ((int)rootParser->m_entity_stats.currentDepth - 1) * 2, "",
entity->is_param ? "%" : "&", entityName, action, entity->textLen,
sourceLine);
}