expat: Update to version 2.7.2
- Update from version 2.7.1 to 2.7.2
- Update of rootfile
- CVE fix
- Changelog
2.7.2
Security fixes:
CVE-2025-59375 -- Disallow use of disproportional amounts of
dynamic memory from within an Expat parser (e.g. previously
a ~250 KiB sized document was able to cause allocation of
~800 MiB from the heap, i.e. an "amplification" of factor
~3,300); once a threshold (that defaults to 64 MiB) is
reached, a maximum amplification factor (that defaults to
100.0) is enforced, and violating documents are rejected
with an out-of-memory error.
There are two new API functions to fine-tune this new
behavior:
- XML_SetAllocTrackerActivationThreshold
- XML_SetAllocTrackerMaximumAmplification .
If you ever need to increase these defaults for non-attack
XML payload, please file a bug report with libexpat.
There is also a new environment variable
EXPAT_MALLOC_DEBUG=(0|1|2) to control the verbosity
of allocations debugging at runtime, disabled by default.
Known impact is (reliable and easy) denial of service:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
(Base Score: 7.5, Temporal Score: 7.2)
Please note that a layer of compression around XML can
significantly reduce the minimum attack payload size.
Distributors intending to backport (or cherry-pick) the
fix need to copy 99% of the related pull request, not just
the "lib: Implement tracking of dynamic memory allocations"
commit, to not end up with a state that literally does both
too much and too little at the same time. Appending ".diff"
to the pull request URL could be of help.
Other changes:
Autotools: Sync CMake templates with CMake 3.31 for macOS
CMake: Drop support for CMake <3.15
CMake: Fix off_t detection for -Werror
CMake|Windows: Fix -DEXPAT_MSVC_STATIC_CRT=ON
Windows: Drop support for Visual Studio <=16.0/2019
xmlwf: Mention supported environment variables in
--help output
xmlwf: Fix (internal) help generator
docs: Promote the contract to call function
XML_FreeContentModel when registering a custom
element declaration handler (via a call to function
XML_SetElementDeclHandler)
docs: Add missing <p>..</p> wrap
docs: Drop AppVeyor badge
tests: Fix portable_strndup
Drop casts around malloc/free/realloc that C99 does not need
Replace empty for-loops with while loops
Add const with internal XmlInitUnknownEncodingNS
Drop an OpenVMS support leftover
Address more clang-tidy warnings
Version info bumped from 11:2:10 (libexpat*.so.1.10.2)
to 12:0:11 (libexpat*.so.1.11.0); see https://verbump.de/
for what these numbers do
Infrastructure:
CI: Cover compilation on FreeBSD
CI: Upgrade Clang from 19 to 21
CI: Make calling Cppcheck without --suppress=objectIndex
and --suppress=unknownMacro possible
CI|Windows: Get off of deprecated image "windows-2019"
CI: Adapt to breaking changes in GitHub Actions
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / ipfire-2.x.git / commit
