depends: expat 2.2.7 #16270

Merged
merged 1 commit into from Jul 10, 2019

fanquake
Member

Major changes in expat 2.2.7:

  • #186 #262 Fix extraction of namespace prefixes from XML names;
    XML names with multiple colons could end up in the
    wrong namespace, and take a high amount of RAM and CPU
    resources while processing, opening the door to use for denial-of-service attacks
  • #227 Autotools: Add --without-examples and --without-tests

Full changelog is available here.
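
The first changelog item concerns XML names with more than one colon; under Namespaces in XML a qualified name has at most one. The following check is an added example, not code from expat or Bitcoin Core: `split_qname`, `find_bad_names` and the sample document are hypothetical, and the name pattern covers ASCII names only.

```python
import re
import xml.parsers.expat

# NCName restricted to ASCII for brevity (assumption): no colon allowed.
# Valid non-ASCII names would need the full XML NameChar ranges.
_NCNAME = re.compile(r"[A-Za-z_][A-Za-z0-9._-]*")


def split_qname(name):
    """Return (prefix, local) for a namespace-well-formed name, else raise."""
    prefix, sep, local = name.partition(":")
    if not sep:                          # unprefixed name: no colon at all
        prefix, local = "", name
    elif not _NCNAME.fullmatch(prefix):  # ":x" or a malformed prefix
        raise ValueError(f"bad prefix in {name!r}")
    if not _NCNAME.fullmatch(local):     # "a:" or a second colon, as in "a:b:c"
        raise ValueError(f"bad local part in {name!r}")
    return prefix, local


def find_bad_names(xml_bytes):
    """List element and attribute names that are not valid qualified names."""
    bad = []

    def check(name):
        try:
            split_qname(name)
        except ValueError:
            bad.append(name)

    def start(name, attrs):
        check(name)
        for attr_name in attrs:
            check(attr_name)

    # No namespace_separator: the parser reports raw names, colons included.
    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.Parse(xml_bytes, True)
    return bad


# Constructed sample document, not taken from the expat issues.
SAMPLE = b'<root xmlns:a="urn:example"><a:item a:id="1"/><a:b:c d:e:f="2"/></root>'

if __name__ == "__main__":
    print(find_bad_names(SAMPLE))
```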

@laanwj
Member

laanwj commented Jun 25, 2019

and take a high amount of RAM and CPU
resources while processing, opening the door to use for denial-of-service attacks

This would only be a problem if anything linking expat would be importing XML from untrusted sources, right?
It doesn't even end up in the final binary, it's only used indirectly for tooling (by Qt).
I don't think there's any need to worry about DoS attacks from this.

@DrahtBot
Contributor

DrahtBot commented Jul 7, 2019

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

No conflicts as of last run.

@dongcarl
Contributor

dongcarl commented Jul 8, 2019

Concept ACK

I believe it's worth it to speed up build times, as the --without-examples and --without-tests flags were only introduced in 2.2.7: libexpat/libexpat@ba1cfbb

@DrahtBot
Contributor

DrahtBot commented Jul 9, 2019

Gitian builds for commit c799976 (master):

Gitian builds for commit 4eb6730 (master and this pull):

@laanwj
Member

laanwj commented Jul 10, 2019

ACK 0512f05

@laanwj laanwj merged commit 0512f05 into bitcoin:master Jul 10, 2019
laanwj added a commit that referenced this pull request Jul 10, 2019
0512f05 depends: expat 2.2.7 (fanquake)

Pull request description:

  Major changes in expat 2.2.7:

  * [#186](libexpat/libexpat#186) [#262](libexpat/libexpat#262)  Fix extraction of namespace prefixes from XML names;
                      XML names with multiple colons could end up in the
                      wrong namespace, and take a high amount of RAM and CPU
                      resources while processing, opening the door to use for denial-of-service attacks
  * [#227](libexpat/libexpat#227) Autotools: Add --without-examples and --without-tests

  Full changelog is available [here](https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes#L5).

ACKs for top commit:
  laanwj:
    ACK 0512f05

Tree-SHA512: 45162a9b0011107fd59a97dae7b5eb61989dafbec26b1ee497d1b11bf5c6a119971096899caa2998648b82a62db57c629a1560453557146c2496b39a7f3f8de9
@fanquake fanquake deleted the expat-2-2-7 branch January 22, 2020 11:29
deadalnix pushed a commit to Bitcoin-ABC/bitcoin-abc that referenced this pull request Apr 2, 2020
Summary:
```
Major changes in expat 2.2.7:

 - #186 #262 Fix extraction of namespace prefixes from XML names;
   XML names with multiple colons could end up in the
   wrong namespace, and take a high amount of RAM and CPU
   resources while processing, opening the door to use for
   denial-of-service attacks
 - #227 Autotools: Add --without-examples and --without-tests
```

Backport of core [[bitcoin/bitcoin#16270 | PR16270]].

Test Plan: Run the Gitian builds.

Reviewers: #bitcoin_abc, deadalnix

Reviewed By: #bitcoin_abc, deadalnix

Differential Revision: https://reviews.bitcoinabc.org/D5631
ftrader pushed a commit to bitcoin-cash-node/bitcoin-cash-node that referenced this pull request Aug 13, 2021
Munkybooty pushed a commit to Munkybooty/dash that referenced this pull request Nov 4, 2021
Munkybooty pushed a commit to Munkybooty/dash that referenced this pull request Nov 6, 2021
Munkybooty pushed a commit to Munkybooty/dash that referenced this pull request Nov 12, 2021
Munkybooty pushed a commit to Munkybooty/dash that referenced this pull request Nov 16, 2021
Munkybooty pushed a commit to Munkybooty/dash that referenced this pull request Nov 18, 2021
Munkybooty pushed a commit to Munkybooty/dash that referenced this pull request Nov 24, 2021
Munkybooty pushed a commit to Munkybooty/dash that referenced this pull request Nov 30, 2021
Munkybooty pushed a commit to Munkybooty/dash that referenced this pull request Nov 30, 2021
@bitcoin bitcoin locked as resolved and limited conversation to collaborators Feb 15, 2022