302/302: gnu: expat: Update to 2.7.1.

Wed, 14 May 2025 06:29:11 -0700 

andreas pushed a commit to branch core-packages-team
in repository guix.

commit 2027745bdd5e279a85b702aa40dee08ef89586e7
Author: Zheng Junjie <z572@z572.online>
AuthorDate: Thu May 8 23:16:39 2025 +0800

    gnu: expat: Update to 2.7.1.
    
    * gnu/packages/xml.scm (expat): Update to 2.7.1.
    (expat/fixed): Remove it.
    * gnu/packages/patches/expat-CVE-2024-45490.patch: Remove it.
    * gnu/packages/patches/expat-CVE-2024-45491.patch: Remove it.
    * gnu/packages/patches/expat-CVE-2024-45492.patch: Remove it.
    * gnu/local.mk (dist_patch_DATA): Unregister them.
    
    Change-Id: Ia0bc5da202afba0636032e4f4e10051778214944
---
 gnu/local.mk                                    |  3 ---
 gnu/packages/patches/expat-CVE-2024-45490.patch | 34 -------------------------
 gnu/packages/patches/expat-CVE-2024-45491.patch | 34 -------------------------
 gnu/packages/patches/expat-CVE-2024-45492.patch | 33 ------------------------
 gnu/packages/xml.scm                            | 16 ++----------
 5 files changed, 2 insertions(+), 118 deletions(-)

diff --git a/gnu/local.mk b/gnu/local.mk
index 1b016ad59f..d9bac43edd 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1259,9 +1259,6 @@ dist_patch_DATA =                                         
\
   %D%/packages/patches/esmini-use-pkgconfig.patch              \
   %D%/packages/patches/esmtp-add-lesmtp.patch          \
   %D%/packages/patches/exercism-disable-self-update.patch      \
-  %D%/packages/patches/expat-CVE-2024-45490.patch      \
-  %D%/packages/patches/expat-CVE-2024-45491.patch      \
-  %D%/packages/patches/expat-CVE-2024-45492.patch      \
   %D%/packages/patches/extempore-unbundle-external-dependencies.patch  \
   %D%/packages/patches/extundelete-e2fsprogs-1.44.patch                \
   %D%/packages/patches/fail2ban-paths-guix-conf.patch          \
diff --git a/gnu/packages/patches/expat-CVE-2024-45490.patch 
b/gnu/packages/patches/expat-CVE-2024-45490.patch
deleted file mode 100644
index f876e78651..0000000000
--- a/gnu/packages/patches/expat-CVE-2024-45490.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-https://github.com/libexpat/libexpat/commit/5c1a31642e243f4870c0bd1f2afc7597976521bf.patch
-Fixed in 2.6.3.
-Takes only 1 of the 3 patches from
-https://github.com/libexpat/libexpat/pull/890 to take the fix and not the
-tests because that part doesn't apply cleanly.
-
-From 5c1a31642e243f4870c0bd1f2afc7597976521bf Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebast...@pipping.org>
-Date: Mon, 19 Aug 2024 22:26:07 +0200
-Subject: [PATCH] lib: Reject negative len for XML_ParseBuffer
-
-Reported by TaiYou
-
----
- expat/lib/xmlparse.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 91682c188..ba1038119 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -2038,6 +2038,12 @@ XML_ParseBuffer(XML_Parser parser, int len, int 
isFinal) {
- 
-   if (parser == NULL)
-     return XML_STATUS_ERROR;
-+
-+  if (len < 0) {
-+    parser->m_errorCode = XML_ERROR_INVALID_ARGUMENT;
-+    return XML_STATUS_ERROR;
-+  }
-+
-   switch (parser->m_parsingStatus.parsing) {
-   case XML_SUSPENDED:
-     parser->m_errorCode = XML_ERROR_SUSPENDED;
diff --git a/gnu/packages/patches/expat-CVE-2024-45491.patch 
b/gnu/packages/patches/expat-CVE-2024-45491.patch
deleted file mode 100644
index 8ff10559bf..0000000000
--- a/gnu/packages/patches/expat-CVE-2024-45491.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-https://github.com/libexpat/libexpat/commit/8e439a9947e9dc80a395c0c7456545d8d9d9e421.patch
-Fixed in 2.6.3.
-
-From 8e439a9947e9dc80a395c0c7456545d8d9d9e421 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebast...@pipping.org>
-Date: Mon, 19 Aug 2024 22:34:13 +0200
-Subject: [PATCH] lib: Detect integer overflow in dtdCopy
-
-Reported by TaiYou
----
- expat/lib/xmlparse.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 91682c188..e2327bdcf 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -7016,6 +7016,16 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD 
*oldDtd,
-     if (! newE)
-       return 0;
-     if (oldE->nDefaultAtts) {
-+      /* Detect and prevent integer overflow.
-+       * The preprocessor guard addresses the "always false" warning
-+       * from -Wtype-limits on platforms where
-+       * sizeof(int) < sizeof(size_t), e.g. on x86_64. */
-+#if UINT_MAX >= SIZE_MAX
-+      if ((size_t)oldE->nDefaultAtts
-+          > ((size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE))) {
-+        return 0;
-+      }
-+#endif
-       newE->defaultAtts
-           = ms->malloc_fcn(oldE->nDefaultAtts * sizeof(DEFAULT_ATTRIBUTE));
-       if (! newE->defaultAtts) {
diff --git a/gnu/packages/patches/expat-CVE-2024-45492.patch 
b/gnu/packages/patches/expat-CVE-2024-45492.patch
deleted file mode 100644
index 852a9b3f59..0000000000
--- a/gnu/packages/patches/expat-CVE-2024-45492.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-https://github.com/libexpat/libexpat/commit/9bf0f2c16ee86f644dd1432507edff94c08dc232.patch
-Fixed in 2.6.3.
-
-From 9bf0f2c16ee86f644dd1432507edff94c08dc232 Mon Sep 17 00:00:00 2001
-From: Sebastian Pipping <sebast...@pipping.org>
-Date: Mon, 19 Aug 2024 22:37:16 +0200
-Subject: [PATCH] lib: Detect integer overflow in function nextScaffoldPart
-
-Reported by TaiYou
----
- expat/lib/xmlparse.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/lib/xmlparse.c b/lib/xmlparse.c
-index 91682c188..f737575ea 100644
---- a/lib/xmlparse.c
-+++ b/lib/xmlparse.c
-@@ -7558,6 +7558,15 @@ nextScaffoldPart(XML_Parser parser) {
-   int next;
- 
-   if (! dtd->scaffIndex) {
-+    /* Detect and prevent integer overflow.
-+     * The preprocessor guard addresses the "always false" warning
-+     * from -Wtype-limits on platforms where
-+     * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
-+#if UINT_MAX >= SIZE_MAX
-+    if (parser->m_groupSize > ((size_t)(-1) / sizeof(int))) {
-+      return -1;
-+    }
-+#endif
-     dtd->scaffIndex = (int *)MALLOC(parser, parser->m_groupSize * 
sizeof(int));
-     if (! dtd->scaffIndex)
-       return -1;
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index f29d5d2adc..5eb9be68c7 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -127,8 +127,7 @@ the entire document.")
 (define-public expat
   (package
     (name "expat")
-    (version "2.5.0")
-    (replacement expat/fixed)
+    (version "2.7.1")
     (source (let ((dot->underscore (lambda (c) (if (char=? #\. c) #\_ c))))
               (origin
                 (method url-fetch)
@@ -140,7 +139,7 @@ the entire document.")
                             "/expat-" version ".tar.xz")))
                 (sha256
                  (base32
-                  "1gnwihpfz4x18rwd6cbrdggmfqjzwsdfh1gpmc0ph21c4gq2097g")))))
+                  "0c3w446jrrnss3ccgx9z590lpwbpxiqdbxv2a0p036cg9da54i9m")))))
     (build-system gnu-build-system)
     (arguments
      '(#:phases (modify-phases %standard-phases
@@ -164,17 +163,6 @@ stream-oriented parser in which an application registers 
handlers for
 things the parser might find in the XML document (like start tags).")
     (license license:expat)))
 
-(define-public expat/fixed
- (hidden-package
-  (package
-    (inherit expat)
-    (replacement expat/fixed)
-    (source (origin
-              (inherit (package-source expat))
-              (patches (search-patches "expat-CVE-2024-45490.patch"
-                                       "expat-CVE-2024-45491.patch"
-                                       "expat-CVE-2024-45492.patch")))))))
-
 (define-public libebml
   (package
     (name "libebml")

Reply via email to