pkgsrc.se | The NetBSD package collection
./textproc/expat, XML parser library written in C
Branch: CURRENT, Version: 2.7.3, Package name: expat-2.7.3, Maintainer: pkgsrc-users
This is James Clark's expat XML parser library in C. It is a stream oriented
parser that requires setting handlers to deal with the structure that the
parser discovers in the document.
Filesize: 781.628 KB
Version history:
- (2025-09-25) Updated to version: expat-2.7.3
- (2025-09-17) Updated to version: expat-2.7.2
- (2025-03-30) Updated to version: expat-2.7.1
- (2024-09-04) Updated to version: expat-2.6.3
- (2024-03-14) Updated to version: expat-2.6.2
- (2024-03-01) Updated to version: expat-2.6.1
CVS history:
| 2025-12-07 09:40:04 by Thomas Klausner | Files touched by this commit (1) |
Log message:
expat: improve builtin.mk
To fix configure step in abiword:
- do not remove too much before scanning before 'pkg-config' in USE_TOOLS
- hook to pre-configure to make sure to be called even when
pre-configure is overridden
|
| 2025-09-25 09:03:33 by Adam Ciarcinski | Files touched by this commit (3) | |
Log message:
expat: updated to 2.7.3
Release 2.7.3 Wed September 24 2025
Security fixes:
Fix alignment of internal allocations for some non-amd64
architectures (e.g. sparc32); fixes up on the fix to
CVE-2025-59375 from 1034 (of Expat 2.7.2 and related
backports)
Fix a class of false positives where input should have been
rejected with error XML_ERROR_ASYNC_ENTITY; regression from
CVE-2024-8176 fix pull request 973 (of Expat 2.7.0 and
related backports). Please check the added unit tests for
example documents.
Other changes:
Prove and regression-proof absence of integer overflow
from function expat_realloc
Remove "harmless" cast that truncated a size_t to unsigned
Autotools: Remove "ln -s" discovery
docs: Be consistent with use of floating point around
XML_SetAllocTrackerMaximumAmplification
docs: Make it explicit that XML_GetCurrentColumnNumber starts at 0
docs: Better integrate the effect of the activation thresholds
docs: Fix an in-comment typo in expat.h
docs: Fix a typo in README.md
docs: Improve change log of release 2.7.2
xmlwf: Resolve use of functions XML_GetErrorLineNumber
and XML_GetErrorColumnNumber
Windows: Normalize .bat files to CRLF line endings
Version info bumped from 12:0:11 (libexpat*.so.1.11.0)
to 12:1:11 (libexpat*.so.1.11.1); see https://verbump.de/
for what these numbers do
|
| 2025-09-16 23:33:17 by Thomas Klausner | Files touched by this commit (2) | |
Log message:
expat: update to 2.7.2.
Release 2.7.2 Tue September 16 2025
Security fixes:
#1018 #1034 CVE-2025-59375 -- Disallow use of disproportional amounts of
dynamic memory from within an Expat parser (e.g. previously
a ~250 KiB sized document was able to cause allocation of
~800 MiB from the heap, i.e. an "amplification" of factor
~3,300); once a threshold (that defaults to 64 MiB) is
reached, a maximum amplification factor (that defaults to
100.0) is enforced, and violating documents are rejected
with an out-of-memory error.
There are two new API functions to fine-tune this new
behavior:
- XML_SetAllocTrackerActivationThreshold
- XML_SetAllocTrackerMaximumAmplification .
If you ever need to increase these defaults for non-attack
XML payload, please file a bug report with libexpat.
There is also a new environment variable
EXPAT_MALLOC_DEBUG=(0|1|2) to control the verbosity
of allocations debugging at runtime, disabled by default.
Known impact is (reliable and easy) denial of service:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
(Base Score: 7.5, Temporal Score: 7.2)
Please note that a layer of compression around XML can
significantly reduce the minimum attack payload size.
Distributors intending to backport (or cherry-pick) the
fix need to copy 99% of the related pull request, not just
the "lib: Implement tracking of dynamic memory allocations"
commit, to not end up with a state that literally does both
too much and too little at the same time. Appending ".diff"
to the pull request URL could be of help.
Other changes:
#1008 #1017 Autotools: Sync CMake templates with CMake 3.31 for macOS
#1007 CMake: Drop support for CMake <3.15
#1004 CMake: Fix off_t detection for -Werror
#1007 CMake|Windows: Fix -DEXPAT_MSVC_STATIC_CRT=ON
#1013 Windows: Drop support for Visual Studio <=16.0/2019
#1026 xmlwf: Mention supported environment variables in
--help output
#1024 xmlwf: Fix (internal) help generator
#1034 docs: Promote the contract to call function
XML_FreeContentModel when registering a custom
element declaration handler (via a call to function
XML_SetElementDeclHandler)
#1027 docs: Add missing <p>..</p> wrap
#994 docs: Drop AppVeyor badge
#1000 tests: Fix portable_strndup
#1036 Drop casts around malloc/free/realloc that C99 does not need
#1010 Replace empty for-loops with while loops
#1011 Add const with internal XmlInitUnknownEncodingNS
#14 #1037 Drop an OpenVMS support leftover
#999 #1001 Address more clang-tidy warnings
#1030 #1038 Version info bumped from 11:2:10 (libexpat*.so.1.10.2)
to 12:0:11 (libexpat*.so.1.11.0); see https://verbump.de/
for what these numbers do
Infrastructure:
#1003 CI: Cover compilation on FreeBSD
#1009 #1035 CI: Upgrade Clang from 19 to 21
#1031 CI: Make calling Cppcheck without --suppress=objectIndex
and --suppress=unknownMacro possible
#1013 CI|Windows: Get off of deprecated image "windows-2019"
#1008 #1017 ..
#1023 #1025 CI: Adapt to breaking changes in GitHub Actions
|
| 2025-03-30 09:48:15 by Thomas Klausner | Files touched by this commit (3) | |
Log message:
expat: update to 2.7.1.
Release 2.7.1 Thu March 27 2025
Bug fixes:
#980 #989 Restore event pointer behavior from Expat 2.6.4
(that the fix to CVE-2024-8176 changed in 2.7.0);
affected API functions are:
- XML_GetCurrentByteCount
- XML_GetCurrentByteIndex
- XML_GetCurrentColumnNumber
- XML_GetCurrentLineNumber
- XML_GetInputContext
Other changes:
#976 #977 Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}"
with Automake that were missing from 2.7.0 release tarballs
#983 #984 Fix printf format specifiers for 32bit Emscripten
#992 docs: Promote OpenSSF Best Practices self-certification
#978 tests/benchmark: Resolve mistaken double close
#986 Address compiler warnings
#990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
for what these numbers do
Infrastructure:
#982 CI: Start running Perl XML::Parser integration tests
#987 CI: Enforce Clang Static Analyzer clean code
#991 CI: Re-enable warning clang-analyzer-valist.Uninitialized
for clang-tidy
#981 CI: Cover compilation with musl
#983 #984 CI: Cover compilation with 32bit Emscripten
#976 #977 CI: Protect against fuzzer files missing from future
release archives
Release 2.7.0 Thu March 13 2025
Security fixes:
#893 #973 CVE-2024-8176 -- Fix crash from chaining a large number
of entities caused by stack overflow by resolving use of
recursion, for all three uses of entities:
- general entities in character data ("<e>&g1;</e>")
- general entities in attribute values ("<e k1='&g1;'/>")
- parameter entities ("%p1;")
Known impact is (reliable and easy) denial of service:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
(Base Score: 7.5, Temporal Score: 7.2)
Please note that a layer of compression around XML can
significantly reduce the minimum attack payload size.
Other changes:
#935 #937 Autotools: Make generated CMake files look for
libexpat.@SO_MAJOR@.dylib on macOS
#925 Autotools: Sync CMake templates with CMake 3.29
#945 #962 #966 CMake: Drop support for CMake <3.13
#942 CMake: Small fuzzing related improvements
#921 docs: Add missing documentation of error code
XML_ERROR_NOT_STARTED that was introduced with 2.6.4
#941 docs: Document need for C++11 compiler for use from C++
#959 tests/benchmark: Fix a (harmless) TOCTTOU
#944 Windows: Fix installer target location of file xmlwf.xml
for CMake
#953 Windows: Address warning -Wunknown-warning-option
about -Wno-pedantic-ms-format from LLVM MinGW
#971 Address Cppcheck warnings
#969 #970 Mass-migrate links from http:// to https://
#947 #958 ..
#974 #975 Document changes since the previous release
#974 #975 Version info bumped from 11:0:10 (libexpat*.so.1.10.0)
to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/
for what these numbers do
Infrastructure:
#926 tests: Increase robustness
#927 #932 ..
#930 #933 tests: Increase test coverage
#617 #950 ..
#951 #952 ..
#954 #955 .. Fuzzing: Add new fuzzer "xml_lpm_fuzzer" based on
#961 Google's libprotobuf-mutator ("LPM")
#957 Fuzzing|CI: Start producing fuzzing code coverage reports
#936 CI: Pass -q -q for LCOV >=2.1 in coverage.sh
#942 CI: Small fuzzing related improvements
#139 #203 ..
#791 #946 CI: Make GitHub Actions build using MSVC on Windows and
produce 32bit and 64bit Windows binaries
#956 CI: Get off of about-to-be-removed Ubuntu 20.04
#960 #964 CI: Start uploading to Coverity Scan for static analysis
#972 CI: Stop loading DTD from the internet to address flaky CI
#971 CI: Adapt to breaking changes in Cppcheck
|
| 2024-12-18 16:03:59 by Brook Milligan | Files touched by this commit (2) |
Log message:
textproc/expat: fix file used by other packages to find installed library
On Darwin, the installed expat shared library includes only the major
version number, not minor version and patch, in the name. The
corresponding configure check, however, looks for the full name with
all three parts and fails.
The same problem occurs on Windows and is discussed in issue 485, even
mentioning that Darwin likely has the same issue:
https://github.com/libexpat/libexpat/issues/485
For some reason, the fix (removing minor and patch versions from the
cmake file used by configure) was applied for Windows but not for
Darwin.
See the upstream issue:
https://github.com/libexpat/libexpat/issues/935
which was closed with
https://github.com/libexpat/libexpat/pull/937
--- cmake/autotools/expat-noconfig__macos.cmake.in.orig 2023-08-26 \
12:27:53.000000000 +0000
+++ cmake/autotools/expat-noconfig__macos.cmake.in
@@ -8,12 +8,12 @@ set(CMAKE_IMPORT_FILE_VERSION 1)
# Import target "expat::expat" for configuration "NoConfig"
set_property(TARGET expat::expat APPEND PROPERTY IMPORTED_CONFIGURATIONS NOCONFIG)
set_target_properties(expat::expat PROPERTIES
- IMPORTED_LOCATION_NOCONFIG \
"${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.@SO_MAJOR@.@SO_MINOR@.@SO_PAT \
CH@.dylib"
+ IMPORTED_LOCATION_NOCONFIG \
"${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.@SO_MAJOR@.dylib"
IMPORTED_SONAME_NOCONFIG "@rpath/libexpat.@SO_MAJOR@.dylib"
)
list(APPEND _cmake_import_check_targets expat::expat )
-list(APPEND _cmake_import_check_files_for_expat::expat \
"${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.@SO_MAJOR@.@SO_MINOR@.@SO_PATCH@.dylib" \
)
+list(APPEND _cmake_import_check_files_for_expat::expat \
"${_IMPORT_PREFIX}/@LIBDIR_BASENAME@/libexpat.@SO_MAJOR@.dylib" )
# Commands beyond this point should not need to know the version.
set(CMAKE_IMPORT_FILE_VERSION)
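Review bot: The patch carries no comment recording where it comes from, so nothing in the file tells a later maintainer when it can be dropped. The two changed entries (IMPORTED_LOCATION_NOCONFIG and the _cmake_import_check_files_for_expat::expat list) now agree with the unchanged IMPORTED_SONAME_NOCONFIG line, which already used libexpat.@SO_MAJOR@.dylib, and that matches the fix described for https://github.com/libexpat/libexpat/pull/937. A short header in the patch citing that pull request would make clear that it is a backport to remove once the package is updated to a release that includes the upstream change.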
|
| 2024-09-04 15:08:26 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
expat: updated to 2.6.3
Release 2.6.3 Wed September 4 2024
Security fixes:
CVE-2024-45490 -- Calling function XML_ParseBuffer with
len < 0 without noticing and then calling XML_GetBuffer
will have XML_ParseBuffer fail to recognize the problem
and XML_GetBuffer corrupt memory.
With the fix, XML_ParseBuffer now complains with error
XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse
has been doing since Expat 2.2.1, and now documented.
Impact is denial of service to potentially arbitrary code
execution.
CVE-2024-45491 -- Internal function dtdCopy can have an
integer overflow for nDefaultAtts on 32-bit platforms
(where UINT_MAX equals SIZE_MAX).
Impact is denial of service to potentially arbitrary code
execution.
CVE-2024-45492 -- Internal function nextScaffoldPart can
have an integer overflow for m_groupSize on 32-bit
platforms (where UINT_MAX equals SIZE_MAX).
Impact is denial of service to potentially arbitrary code
execution.
Other changes:
Autotools: Sync CMake templates with CMake 3.28
Autotools: Always provide path to find(1) for portability
Autotools: Ensure that the m4 directory always exists.
Autotools: Simplify handling of SIZEOF_VOID_P
Autotools: Support non-GNU sed
Autotools|CMake: Fix main() to main(void)
Autotools|CMake: Fix compile tests for HAVE_SYSCALL_GETRANDOM
Autotools|CMake: Stop requiring dos2unix
CMake: Fix check for symbols size_t and off_t
docs|tests: Convert README to Markdown and update
Windows: Drop support for Visual Studio <=15.0/2017
Drop needless XML_DTD guards around is_param access
Fix typo in a code comment
Version info bumped from 10:2:9 (libexpat*.so.1.9.2)
to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/
for what these numbers do
Infrastructure:
Readme: Promote the call for help
CI: Fix various issues
CI: Allow triggering GitHub Actions workflows manually
..
CI: Adapt to breaking changes in GitHub Actions
|
| 2024-03-14 10:15:57 by Thomas Klausner | Files touched by this commit (2) | |
Log message:
expat: update to 2.6.2.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! <blink>Expat is UNDERSTAFFED and WITHOUT FUNDING.</blink> !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Release 2.6.2 Wed March 13 2024
Security fixes:
#839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with
isolated use of external parsers. Please see the commit
message of commit 1d50b80cf31de87750103656f6eb693746854aa8
for details.
Bug fixes:
#839 #841 Reject direct parameter entity recursion
and avoid the related undefined behavior
Other changes:
#847 Autotools: Fix build for DOCBOOK_TO_MAN containing spaces
#837 Add missing #821 and #824 to 2.6.1 change log
#838 #843 Version info bumped from 10:1:9 (libexpat*.so.1.9.1)
to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/
for what these numbers do
Special thanks to:
Philippe Antoine
Tomas Korbar
and
Clang UndefinedBehaviorSanitizer
OSS-Fuzz / ClusterFuzz
|
| 2024-03-01 07:50:02 by Adam Ciarcinski | Files touched by this commit (2) | |
Log message:
expat: updated to 2.6.1
Release 2.6.1
Bug fixes:
Make tests independent of CPU speed, and thus more robust
Expose billion laughs API with XML_DTD defined and
XML_GE undefined, regression from 2.6.0
Other changes:
Hide test-only code behind new internal macro
Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P
Address compiler warnings
Version info bumped from 10:0:9 (libexpat*.so.1.9.0)
to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/
for what these numbers do
Infrastructure:
CI: Adapt to breaking changes in clang-format
|
