Expat (2.7.1)

2.7.110 May 2025 14:45 minor bugfix: : #980 #989 Restore event pointer behavior from Expat 2.6.4. (that the to CVE-2024-8176 changed in 2.7.0); affected API functions are: - XML_GetCurrentByteCount. - XML_GetCurrentByteIndex. - XML_GetCurrentColumnNumber. - XML_GetCurrentLineNumber. - XML_GetInputContext. Other changes: #976 #977 Autotools: Integrate files "fuzz/xml_lpm_fuzzer. cpp,proto " with Automake that were missing from 2.7.0 release tarballs. #983 #984 printf format specifiers for 32bit Emscripten. docs: Promote OpenSSF Best Practices self-certification tests/benchmark: Resolve mistaken double #986 Address Frama-C warnings #990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1) to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/ for what these numbers do. Infrastructure: CI: Start running Perl XML::Parser integration tests CI: Enforce Clang Static Analyzer clean code CI: Re-enable warning clang-analyzer-valist.Uninitialized for clang-tidy. CI: Cover compilation with musl #983 #984 CI: Cover compilation with 32bit Emscripten. #976 #977 CI: Protect against fuzzer files missing from future release archives. Special thanks to: Berkay Eren Ürün Matthew Fernandez and Perl XML::Parser.

2.6.323 Nov 2024 06:05 minor bugfix: Security : #887 #890 CVE-2024-45490 -- Calling function XML_ParseBuffer with len 0 without noticing and then calling XML_GetBuffer will have XML_ParseBuffer fail to recognize the problem and XML_GetBuffer corrupt memory. With the, XML_ParseBuffer now complains with error XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse has been doing since Expat 2.2.1, and now documented. Impact is denial of service to potentially artitrary code execution. #888 #891 CVE-2024-45491 -- Internal function dtdCopy can have an integer overflow for nDefaultAtts on 32-bit platforms. (where UINT_MAX equals SIZE_MAX). Impact is denial of service to potentially artitrary code execution. #889 #892 CVE-2024-45492 -- Internal function nextScaffoldPart can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). Impact is denial of service to potentially artitrary code execution. Other changes: #851 #879 Autotools: Sync CMake templates with CMake 3.28. Autotools: Always provide path to find(1) for portability Autotools: Ensure that the m4 directory always exists. Autotools: Simplify handling of SIZEOF_VOID_P Autotools: Support non-GNU sed Autotools CMake: main() to main(void) Autotools CMake: compile tests for HAVE_SYSCALL_GETRANDOM Autotools CMake: Stop requiring dos2unix #854 #855 CMake: check for symbols size_t and off_t. docs tests: Convert README to Markdown and update Windows: Drop support for Visual Studio

2.6.413 Nov 2024 23:44 minor feature: Security : CVE-2024-50602 -- crash within function XML_ResumeParser from a NULL pointer dereference by disallowing function XML_StopParser to (stop or) suspend an unstarted parser. A new error code XML_ERROR_NOT_STARTED was introduced to properly communicate this situation. // CWE-476 CWE-754. Other changes: CMake: Add alias target "expat::expat" docs: Document use via CMake =3.18 with FetchContent and SOURCE_SUBDIR and its consequences. tests: Reduce use of global parser instance tests: Resolve duplicate handler #317 #918 tests: Improve tests on doctype closing (ex CVE-2019-15903). signedness of format strings #919 #920 Version info bumped from 10:3:9 (libexpat*.so.1.9.3) to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/ for what these numbers do. Infrastructure: CI: Upgrade Clang from 18 to 19 CI: Drop macos-12 and add macos-15 CI: Adapt to breaking changes in GitHub Actions Add missing entries to.gitignore Special thanks to: Hanno Böck José Eduardo Gutiérrez Conejo José Ricardo Cardona Quesada.

2.6.213 Mar 2024 21:36 minor bugfix: ecurity : #839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with isolated use of external parsers. Please see the commit message of commit 1d50b80cf31de87750103656f6eb693746854aa8 for details. : #839 #841 Reject direct parameter entity recursion and avoid the related undefined behavior. Other changes: Autotools: build for DOCBOOK_TO_MAN containing spaces Add missing #821 and #824 to 2.6.1 change log #838 #843 Version info bumped from 10:1:9 (libexpat*.so.1.9.1) to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/ for what these numbers do. Special thanks to: Philippe Antoine Tomas Korbar and Clang UndefinedBehaviorSanitizer OSS-Fuzz / ClusterFuzz.

2.6.101 Mar 2024 10:05 minor feature: : Make tests independent of CPU speed, and thus more robust #828 #836 Expose billion laughs API with XML_DTD defined and XML_GE undefined, regression from 2.6.0. Other changes: Hide test-only code behind new internal macro Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P Address compiler warnings #832 #834 Version info bumped from 10:0:9 (libexpat*.so.1.9.0) to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/ for what these numbers do. Infrastructure: CI: Adapt to breaking changes in clang-format Special thanks to: David Hall Snild Dolkow.

2.6.011 Feb 2024 03:55 major bugfix: Security fixes: #789 #814 CVE-2023-52425 -- Fix quadratic runtime issues with big tokens that can cause denial of service, in partial where dealing with compressed XML input. Applications that parsed a document in one go -- a single call to functions XML_Parse or XML_ParseBuffer -- were not affected. The smaller the chunks/buffers you use for parsing previously, the bigger the problem prior to the fix. Backporters should be careful to no omit parts of pull request #789 and to include earlier pull request #771, in order to not break the fix. #777 CVE-2023-52426 -- Fix billion laughs attacks for users compiling *without* XML_DTD defined (which is not common). Users with XML_DTD defined have been protected since Expat =2.4.0 (and that was CVE-2013-0340 back then). Bug fixes: #753 Fix parse-size-dependent "invalid token" error for external entities that start with a byte order mark #780 Fix NULL pointer dereference in setContext via XML_ExternalEntityParserCreate for compilation with XML_DTD undefined #812 #813 Protect against closing entities out of order Other changes: #723 Improve support for arc4random/arc4random_buf #771 #788 Improve buffer growth in XML_GetBuffer and XML_Parse #761 #770 xmlwf: Support --help and --version #759 #770 xmlwf: Support custom buffer size for XML_GetBuffer and read #744 xmlwf: Improve language and URL clickability in help output #673 examples: Add new example "element_declarations.c" #764 Be stricter about macro XML_CONTEXT_BYTES at build time #765 Make inclusion to expat_config.h consist

2.5.011 Dec 2022 15:09 security: Security fixes: #616 #649 #650 CVE-2022-43680 -- Fix heap use-after-free after overeager destruction of a shared DTD in function XML_ExternalEntityParserCreate in out-of-memory situations. Expected impact is denial of service or potentially arbitrary code execution. Bug fixes: #612 #645 Fix corruption from undefined entities #613 #654 Fix case when parsing was suspended while processing nested entities #616 #652 #653 Stop leaking opening tag bindings after a closing tag mismatch error where a parser is reset through XML_ParserReset and then reused to parse #656 CMake: Fix generation of pkg-config file #658 MinGW CMake: Fix static library name Other changes: #663 Protect header expat_config.h from multiple inclusion #666 examples: Make use of XML_GetBuffer and be more consistent across examples #648 Address compiler warnings #667 #668 Version info bumped from 9:9:8 to 9:10:8; see https://verbump.de/ for what these numbers do Special thanks to: Jann Horn Mark Brand Osyotr Rhodri James and Google Project Zero

R_2_2_928 Sep 2019 20:08 minor feature: Changelog: https://github.com/libexpat/libexpat/blob/ version/expat/Changes

Expat 2.7.1

Recent Releases

Links

Submitted by

Manage

Share project