Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

libexpat-devel-2.7.5-1.1 RPM for i586

From OpenSuSE Ports Tumbleweed for i586

Name: libexpat-devel Distribution: openSUSE Tumbleweed
Version: 2.7.5 Vendor: openSUSE
Release: 1.1 Build date: Thu Mar 26 15:09:21 2026
Group: Development/Libraries/C and C++ Build host: reproducible
Size: 67750 Source RPM: expat-2.7.5-1.1.src.rpm
Packager: http://bugs.opensuse.org
Url: https://libexpat.github.io
Summary: Development files for expat, an XML parser toolkit
Expat is an XML parser library written in C. It is a stream-oriented
parser in which an application registers handlers for things the
parser might find in the XML document (like start tags).

This package contains the development headers for the library found
in libexpat.

Provides

Requires

License

MIT

Changelog

* Thu Mar 26 2026 David Anes <david.anes@suse.com>
  - version update to 2.7.5 (bsc#1259711, bsc#1259729, bsc#1259726)
    * CVE-2026-32776 -- Fix NULL function pointer dereference for
      empty external parameter entities; it takes use of both
      functions XML_ExternalEntityParserCreate and
      XML_SetParamEntityParsing for an application to be
      vulnerable.
    * CVE-2026-32777 -- Protect from XML_TOK_INSTANCE_START
      infinite loop in function entityValueProcessor; it takes
      use of both functions XML_ExternalEntityParserCreate and
      XML_SetParamEntityParsing for an application to be
      vulnerable.
    * CVE-2026-32778 -- Fix NULL dereference in function setContext
      on retry after an earlier ouf-of-memory condition; it takes
      use of function XML_ParserCreateNS or XML_ParserCreate_MM
      for an application to be vulnerable.
    * See full changelog here:
      https://github.com/libexpat/libexpat/blob/R_2_7_5/expat/Changes
* Tue Feb 03 2026 Petr Gajdos <pgajdos@suse.com>
  - version update to 2.7.4
    * CVE-2026-24515 -- Function XML_ExternalEntityParserCreate
      failed to copy the encoding handler data passed to
      XML_SetUnknownEncodingHandler from the parent to the new
      subparser. This can cause a NULL dereference (CWE-476) from
      external entities that declare use of an unknown encoding.
      The expected impact is denial of service. It takes use of
      both functions XML_ExternalEntityParserCreate and
      XML_SetUnknownEncodingHandler for an application to be
      vulnerable.
    * CVE-2026-25210 -- Add missing check for integer overflow
      related to buffer size determination in function doContent
    * lib: Fix missing undoing of group size expansion in doProlog
      failure cases
    * xmlwf: Fix a memory leak
    * WASI: Fix format specifiers for 32bit WASI SDK
  - fixes [bsc#1257144] and [bsc#1257496]
* Sat Sep 27 2025 Christoph G <foss@grueninger.de>
  - version update to 2.7.3
    * Fix alignment of internal allocations for some non-amd64
      architectures (e.g. sparc32); fixes up on the fix to
      CVE-2025-59375 (of Expat 2.7.2)
    * Fix a class of false positives where input should have been
      rejected with error XML_ERROR_ASYNC_ENTITY; regression from
      CVE-2024-8176 (of Expat 2.7.0)
    * Prove and regression-proof absence of integer overflow
      from function expat_realloc
    * Remove "harmless" cast that truncated a size_t to unsigned
    * xmlwf: Resolve use of functions XML_GetErrorLineNumber
      and XML_GetErrorColumnNumber
* Mon Sep 22 2025 pgajdos@suse.com
  - version update to 2.7.2 [bsc#1249584]
    * CVE-2025-59375 -- Disallow use of disproportional amounts of
      dynamic memory from within an Expat parser
    * xmlwf: Fix (internal) help generator
    * xmlwf: Mention supported environment variables in
    - -help output
    * see Changes for details
* Fri Mar 28 2025 pgajdos@suse.com
  - version update to 2.7.1
      Bug fixes:
      [#980] #989  Restore event pointer behavior from Expat 2.6.4
      (that the fix to CVE-2024-8176 changed in 2.7.0);
      affected API functions are:
    - XML_GetCurrentByteCount
    - XML_GetCurrentByteIndex
    - XML_GetCurrentColumnNumber
    - XML_GetCurrentLineNumber
    - XML_GetInputContext
      Other changes:
      [#976] #977  Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}"
      with Automake that were missing from 2.7.0 release tarballs
      [#983] #984  Fix printf format specifiers for 32bit Emscripten
      [#992]  docs: Promote OpenSSF Best Practices self-certification
      [#978]  tests/benchmark: Resolve mistaken double close
      [#986]  Address compiler warnings
      [#990] #993  Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
      to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
      for what these numbers do
      Infrastructure:
      [#982]  CI: Start running Perl XML::Parser integration tests
      [#987]  CI: Enforce Clang Static Analyzer clean code
      [#991]  CI: Re-enable warning clang-analyzer-valist.Uninitialized
      for clang-tidy
      [#981]  CI: Cover compilation with musl
      [#983] #984  CI: Cover compilation with 32bit Emscripten
      [#976] #977  CI: Protect against fuzzer files missing from future
      release archives
* Fri Mar 14 2025 pgajdos@suse.com
  - version update to 2.7.0 (CVE-2024-8176 [bsc#1239618])
    * Security fixes:
      [#893] #973  CVE-2024-8176 -- Fix crash from chaining a large number
      of entities caused by stack overflow by resolving use of
      recursion, for all three uses of entities:
    - general entities in character data ("<e>&g1;</e>")
    - general entities in attribute values ("<e k1='&g1;'/>")
    - parameter entities ("%p1;")
      Known impact is (reliable and easy) denial of service:
      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
      (Base Score: 7.5, Temporal Score: 7.2)
      Please note that a layer of compression around XML can
      significantly reduce the minimum attack payload size.
    * Other changes:
      [#935] #937  Autotools: Make generated CMake files look for
      libexpat.@SO_MAJOR@.dylib on macOS
      [#925]  Autotools: Sync CMake templates with CMake 3.29
    [#945] #962 #966  CMake: Drop support for CMake <3.13
      [#942]  CMake: Small fuzzing related improvements
      [#921]  docs: Add missing documentation of error code
      XML_ERROR_NOT_STARTED that was introduced with 2.6.4
      [#941]  docs: Document need for C++11 compiler for use from C++
      [#959]  tests/benchmark: Fix a (harmless) TOCTTOU
      [#944]  Windows: Fix installer target location of file xmlwf.xml
      for CMake
      [#953]  Windows: Address warning -Wunknown-warning-option
      about -Wno-pedantic-ms-format from LLVM MinGW
      [#971]  Address Cppcheck warnings
      [#969] #970  Mass-migrate links from http:// to https://
      [#947] #958 ..
      [#974] #975  Document changes since the previous release
      [#974] #975  Version info bumped from 11:0:10 (libexpat*.so.1.10.0)
      to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/
      for what these numbers do
* Tue Nov 12 2024 pgajdos@suse.com
  - no source changes, just adding jira reference: jsc#SLE-21253
* Thu Nov 07 2024 pgajdos@suse.com
  - version update to 2.6.4
    * Security fixes: [bsc#1232601]
      [#915]  CVE-2024-50602 -- Fix crash within function XML_ResumeParser
      from a NULL pointer dereference by disallowing function
      XML_StopParser to (stop or) suspend an unstarted parser.
      A new error code XML_ERROR_NOT_STARTED was introduced to
      properly communicate this situation.  // CWE-476 CWE-754
    * Other changes:
      [#903]  CMake: Add alias target "expat::expat"
      [#905]  docs: Document use via CMake >=3.18 with FetchContent
      and SOURCE_SUBDIR and its consequences
      [#902]  tests: Reduce use of global parser instance
      [#904]  tests: Resolve duplicate handler
    [#317] #918  tests: Improve tests on doctype closing (ex CVE-2019-15903)
      [#914]  Fix signedness of format strings
    [#919] #920  Version info bumped from 10:3:9 (libexpat*.so.1.9.3)
      to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/
      for what these numbers do
* Thu Sep 26 2024 pgajdos@suse.com
  - updated keyring [https://build.suse.de/request/show/345282]
  - modified sources
    % expat.keyring
* Thu Sep 05 2024 David Anes <david.anes@suse.com>
  - Update to 2.6.3:
    * Security fixes:
    - CVE-2024-45490, bsc#1229930 -- Calling function XML_ParseBuffer with
      len < 0 without noticing and then calling XML_GetBuffer
      will have XML_ParseBuffer fail to recognize the problem
      and XML_GetBuffer corrupt memory.
      With the fix, XML_ParseBuffer now complains with error
      XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse
      has been doing since Expat 2.2.1, and now documented.
      Impact is denial of service to potentially artitrary code
      execution.
    - CVE-2024-45491, bsc#1229931 -- Internal function dtdCopy can have an
      integer overflow for nDefaultAtts on 32-bit platforms
      (where UINT_MAX equals SIZE_MAX).
      Impact is denial of service to potentially artitrary code
      execution.
    - CVE-2024-45492, bsc#1229932 -- Internal function nextScaffoldPart can
      have an integer overflow for m_groupSize on 32-bit
      platforms (where UINT_MAX equals SIZE_MAX).
      Impact is denial of service to potentially artitrary code
      execution.
    * Other changes:
    - Autotools: Sync CMake templates with CMake 3.28
    - Autotools: Always provide path to find(1) for portability
    - Autotools: Ensure that the m4 directory always exists.
    - Autotools: Simplify handling of SIZEOF_VOID_P
    - Autotools: Support non-GNU sed
    - Autotools|CMake: Fix main() to main(void)
    - Autotools|CMake: Fix compile tests for HAVE_SYSCALL_GETRANDOM
    - Autotools|CMake: Stop requiring dos2unix
    - CMake: Fix check for symbols size_t and off_t
    - docs|tests: Convert README to Markdown and update
    - Windows: Drop support for Visual Studio <=15.0/2017
    - Drop needless XML_DTD guards around is_param access
    - Fix typo in a code comment
    - Version info bumped from 10:2:9 (libexpat*.so.1.9.2)
      to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/
      for what these numbers do
* Wed Mar 13 2024 Andreas Stieger <andreas.stieger@gmx.de>
  - update to 2.6.2:
    * CVE-2024-28757 -- Prevent billion laughs attacks with isolated
      use of external parsers (boo#1221289)
    * Reject direct parameter entity recursion and avoid the related
      undefined behavior
* Fri Mar 01 2024 Andreas Stieger <andreas.stieger@gmx.de>
  - update to 2.6.1:
    * Expose billion laughs API with XML_DTD defined and XML_GE
      undefined, regression from 2.6.0
    * Make tests independent of CPU speed, and thus more robust
  - drop libxml2-fix-xmlwf.1-handling.patch, upstream
* Tue Feb 20 2024 David Anes <david.anes@suse.com>
  - Fix handling of xmlwf.1 to avoid workarounds in specfile:
    * Added libxml2-fix-xmlwf.1-handling.patch
  - Call buildconf.sh to avoid (future) issues with expat_config.h.in
* Mon Feb 12 2024 David Anes <david.anes@suse.com>
  - Update keyring automatically from keyserver during OBS service run.
  - Explicitly use --without-docbook (before it was implicit).
  - Include missing files for documentation and examples.
  - Add manpage for xmlwf, which is now available in the released tarball.
  - Clean the spec file a bit.
  - Update to 2.6.0:
    * Security fixes:
    - CVE-2023-52425 (boo#1219559, bsc#1221563)
    - - Fix quadratic runtime issues with big tokens
      that can cause denial of service, in partial where
      dealing with compressed XML input.  Applications
      that parsed a document in one go -- a single call to
      functions XML_Parse or XML_ParseBuffer -- were not affected.
      The smaller the chunks/buffers you use for parsing
      previously, the bigger the problem prior to the fix.
      Backporters should be careful to no omit parts of
      pull request #789 and to include earlier pull request #771,
      in order to not break the fix.
    - CVE-2023-52426 (boo#1219561)
    - - Fix billion laughs attacks for users
      compiling *without* XML_DTD defined (which is not common).
      Users with XML_DTD defined have been protected since
      Expat >=2.4.0 (and that was CVE-2013-0340 back then).
    * Bug fixes:
    - Fix parse-size-dependent "invalid token" error for
      external entities that start with a byte order mark
    - Fix NULL pointer dereference in setContext via
      XML_ExternalEntityParserCreate for compilation with
      XML_DTD undefined
    - Protect against closing entities out of order
    * Other changes:
    - Improve support for arc4random/arc4random_buf
    - Improve buffer growth in XML_GetBuffer and XML_Parse
    - xmlwf: Support --help and --version
    - xmlwf: Support custom buffer size for XML_GetBuffer and read
    - xmlwf: Improve language and URL clickability in help output
    - examples: Add new example "element_declarations.c"
    - Be stricter about macro XML_CONTEXT_BYTES at build time
    - Make inclusion to expat_config.h consistent
    - Autotools: configure.ac: Support --disable-maintainer-mode
    - Autotools: Sync CMake templates with CMake 3.26
    - Autotools: Make installation of shipped man page doc/xmlwf.1
      independent of docbook2man availability
    - Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
      section "Cflags.private" in order to fix compilation
      against static libexpat using pkg-config on Windows
    - Autotools|CMake: Require a C99 compiler
      (a de-facto requirement already since Expat 2.2.2 of 2017)
    - Autotools|CMake: Fix PACKAGE_BUGREPORT variable
    - Autotools|CMake: Make test suite require a C++11 compiler
    - CMake: Require CMake >=3.5.0
    - CMake: Lowercase off_t and size_t to help a bug in Meson
    - CMake: Sort xmlwf sources alphabetically
    - CMake|Windows: Fix generation of DLL file version info
    - CMake: Build tests/benchmark/benchmark.c as well for
      a build with -DEXPAT_BUILD_TESTS=ON
    - docs: Document the importance of isFinal + adjust tests
      accordingly
    - docs: Improve use of "NULL" and "null"
    - docs: Be specific about version of XML (XML 1.0r4)
      and version of C (C99); (XML 1.0r5 will need a sponsor.)
    - docs: reference.html: Promote function XML_ParseBuffer more
    - docs: reference.html: Add HTML anchors to XML_* macros
    - docs: reference.html: Upgrade to OK.css 1.2.0
    - docs: Fix typos
    - docs|CI: Use HTTPS URLs instead of HTTP at various places
    - Address compiler warnings
    - Address clang-tidy warnings
    - Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
      to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
      for what these numbers do

Files

/usr/include/expat.h
/usr/include/expat_config.h
/usr/include/expat_external.h
/usr/lib/cmake
/usr/lib/cmake/expat-2.7.5
/usr/lib/cmake/expat-2.7.5/expat-config-version.cmake
/usr/lib/cmake/expat-2.7.5/expat-config.cmake
/usr/lib/cmake/expat-2.7.5/expat-noconfig.cmake
/usr/lib/cmake/expat-2.7.5/expat.cmake
/usr/lib/libexpat.so
/usr/lib/pkgconfig/expat.pc
/usr/share/licenses/libexpat-devel
/usr/share/licenses/libexpat-devel/COPYING


Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Apr 21 22:39:17 2026