- Fix #1255: Multiple pinnings to vulnerable copies of libexpat.

author Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>

Wed, 26 Mar 2025 13:58:54 +0000 (14:58 +0100)

committer Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>

Wed, 26 Mar 2025 13:58:54 +0000 (14:58 +0100)
author Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
Wed, 26 Mar 2025 13:58:54 +0000 (14:58 +0100)
committer Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
Wed, 26 Mar 2025 13:58:54 +0000 (14:58 +0100)
diff --git a/.github/workflows/analysis_ports.yml b/.github/workflows/analysis_ports.yml

index 85b7239129686de1ac163da4cdf0548dae45e120..f843eeb5ea7d8224eca74d8f6dcb4f6c7db7500d 100644 (file)
--- a/.github/workflows/analysis_ports.yml
+++ b/.github/workflows/analysis_ports.yml
@@ -196,6 +196,9 @@ jobs:
            persist-credentials: false
        - name: test_windows
          if: ${{ matrix.test_windows == 'yes' }}
+        env:
+          LIBEXPAT_FNAME: expat-2.7.0
+          LIBEXPAT_VERSION_DIR: R_2_7_0
          shell: bash
          run: |
            export unboundpath=`pwd`
@@ -238,9 +241,9 @@ jobs:
            cd ..
            mkdir expat
            echo "curl expat"
-          curl -L -k -s -S -o expat-2.2.10.tar.gz https://github.com/libexpat/libexpat/releases/download/R_2_2_10/expat-2.2.10.tar.gz
-          tar xzf expat-2.2.10.tar.gz
-          cd expat-2.2.10
+          curl -L -k -s -S -o $LIBEXPAT_FNAME.tar.gz https://github.com/libexpat/libexpat/releases/download/$LIBEXPAT_VERSION_DIR/$LIBEXPAT_FNAME.tar.gz
+          tar xzf $LIBEXPAT_FNAME.tar.gz
+          cd $LIBEXPAT_FNAME
            echo "./configure SHELL=/usr/bin/bash CONFIG_SHELL=/usr/bin/bash --prefix=\"$prepath/expat\" --exec-prefix=\"$prepath/expat\" --bindir=\"$prepath/expat/bin\" --includedir=\"$prepath/expat/include\" --mandir=\"$prepath/expat/man\" --libdir=\"$prepath/expat/lib\""
            ./configure SHELL=/usr/bin/bash CONFIG_SHELL=/usr/bin/bash --prefix="$prepath/expat" --exec-prefix="$prepath/expat" --bindir="$prepath/expat/bin" --includedir="$prepath/expat/include" --mandir="$prepath/expat/man" --libdir="$prepath/expat/lib"
            # fixup SHELL is treated specially, but SHELZZ is not by make.
diff --git a/contrib/android/install_expat.sh b/contrib/android/install_expat.sh

index ffb22322c8031c42a8ad9962c742b015c6816553..5d736b8b96f184d800c49aac3d7e56eb4cfad36f 100755 (executable)
--- a/contrib/android/install_expat.sh
+++ b/contrib/android/install_expat.sh
@@ -1,21 +1,24 @@
  #!/usr/bin/env bash
  
+LIBEXPAT_FNAME=expat-2.7.0
+LIBEXPAT_VERSION_DIR=R_2_7_0
+
  echo "Downloading Expat"
-if ! curl -L -k -s -o expat-2.2.9.tar.gz https://github.com/libexpat/libexpat/releases/download/R_2_2_9/expat-2.2.9.tar.gz;
+if ! curl -L -k -s -o $LIBEXPAT_FNAME.tar.gz https://github.com/libexpat/libexpat/releases/download/$LIBEXPAT_VERSION_DIR/$LIBEXPAT_FNAME.tar.gz;
  then
      echo "Failed to download Expat"
      exit 1
  fi
  
  echo "Unpacking Expat"
-rm -rf ./expat-2.2.9
-if ! tar -xf expat-2.2.9.tar.gz;
+rm -rf ./$LIBEXPAT_FNAME
+if ! tar -xf $LIBEXPAT_FNAME.tar.gz;
  then
      echo "Failed to unpack Expat"
      exit 1
  fi
  
-cd expat-2.2.9 || exit 1
+cd $LIBEXPAT_FNAME || exit 1
  
  echo "Configuring Expat"
  if ! ./configure --build="$AUTOTOOLS_BUILD" --host="$AUTOTOOLS_HOST" --prefix="$ANDROID_PREFIX"; then
diff --git a/contrib/ios/install_expat.sh b/contrib/ios/install_expat.sh

index 9471b5aff2dd352b1a5007393fcd0572c8301cbf..b8e3a9046965ebcece6f588209eee0035a5ef7de 100755 (executable)
--- a/contrib/ios/install_expat.sh
+++ b/contrib/ios/install_expat.sh
@@ -1,21 +1,24 @@
  #!/usr/bin/env bash
  
+LIBEXPAT_FNAME=expat-2.7.0
+LIBEXPAT_VERSION_DIR=R_2_7_0
+
  echo "Downloading Expat"
-if ! curl -L -k -s -o expat-2.2.9.tar.gz https://github.com/libexpat/libexpat/releases/download/R_2_2_9/expat-2.2.9.tar.gz;
+if ! curl -L -k -s -o $LIBEXPAT_FNAME.tar.gz https://github.com/libexpat/libexpat/releases/download/$LIBEXPAT_VERSION_DIR/$LIBEXPAT_FNAME.tar.gz;
  then
      echo "Failed to download Expat"
      exit 1
  fi
  
  echo "Unpacking Expat"
-rm -rf ./expat-2.2.9
-if ! tar -xf expat-2.2.9.tar.gz;
+rm -rf ./$LIBEXPAT_FNAME
+if ! tar -xf $LIBEXPAT_FNAME.tar.gz;
  then
      echo "Failed to unpack Expat"
      exit 1
  fi
  
-cd expat-2.2.9 || exit 1
+cd $LIBEXPAT_FNAME || exit 1
  
  export PKG_CONFIG_PATH="$IOS_PREFIX/lib/pkgconfig"
  
diff --git a/doc/Changelog b/doc/Changelog

index 6e90373aa7cd08c618645814d68257f34773d3fd..3a8a4024b168697ebe32ec75c7547007edea80d4 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+26 March 2025: Yorgos
+       - Fix #1255: Multiple pinnings to vulnerable copies of libexpat.
+
  24 March 2025: Wouter
         - Fix #1254: `send failed: Socket is not connected` and
           `remote address is 0.0.0.0 port 53`.
author	Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
	Wed, 26 Mar 2025 13:58:54 +0000 (14:58 +0100)
committer	Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
	Wed, 26 Mar 2025 13:58:54 +0000 (14:58 +0100)
.github/workflows/analysis_ports.yml		patch \| blob \| blame \| history
contrib/android/install_expat.sh		patch \| blob \| blame \| history
contrib/ios/install_expat.sh		patch \| blob \| blame \| history
doc/Changelog		patch \| blob \| blame \| history