Upgrade expat to 2.1.0 #781

Merged
merged 2 commits into from Feb 21, 2013

mdboom commented Feb 14, 2013

In March 2012, there was a new expat release (not on the expat website, but listed on the sourceforge file release page).

There are no new features of use to us, and the API hasn't changed, but there are a few memory leaks, security fixes and compiler compatibility improvements that are nice to have.

mdboom added 2 commits Feb 14, 2013

eteq commented Feb 14, 2013

Should this be in 0.2?

embray commented Feb 14, 2013

I don't necessarily see how this would cause any issues, but maybe this would be better for 0.2.1 so that there's no chance of it holding up the tantalizingly close 0.2 release?

astrofrog commented Feb 14, 2013

I vote for delaying it to 0.2.1, just to avoid any non-trivial changes this close to releasing.

mdboom commented Feb 14, 2013

I agree. I don't consider this super urgent. There are some theoretical security fixes in there, but it's not clear they're exploitable from Python.

Release 2.1.0 Sat March 24 2012
        - Bug Fixes:
          #1742315: Harmful XML_ParserCreateNS suggestion.
          #2895533: CVE-2012-1147 - Resource leak in readfilemap.c.
          #1785430: Expat build fails on linux-amd64 with gcc version>=4.1 -O3.
          #1983953, 2517952, 2517962, 2649838: 
                Build modifications using autoreconf instead of buildconf.sh.
          #2815947, #2884086: OBJEXT and EXEEXT support while building.
          #1990430: CVE-2009-3720 - Parser crash with special UTF-8 sequences.
          #2517938: xmlwf should return non-zero exit status if not well-formed.
          #2517946: Wrong statement about XMLDecl in xmlwf.1 and xmlwf.sgml.
          #2855609: Dangling positionPtr after error.
          #2894085: CVE-2009-3560 - Buffer over-read and crash in big2_toUtf8().
          #2958794: CVE-2012-1148 - Memory leak in poolGrow.
          #2990652: CMake support.
          #3010819: UNEXPECTED_STATE with a trailing "%" in entity value.
          #3206497: Unitialized memory returned from XML_Parse.
          #3287849: make check fails on mingw-w64.
          #3496608: CVE-2012-0876 - Hash DOS attack.
        - Patches:
          #1749198: pkg-config support.
          #3010222: Fix for bug #3010819.
          #3312568: CMake support.
          #3446384: Report byte offsets for attr names and values.
        - New Features / API changes:
          Added new API member XML_SetHashSalt() that allows setting an intial
                value (salt) for hash calculations. This is part of the fix for
                bug #3496608 to randomize hash parameters.
          When compiled with XML_ATTR_INFO defined, adds new API member
                XML_GetAttributeInfo() that allows retrieving the byte
                offsets for attribute names and values (patch #3446384).
          Added CMake build system.
                See bug #2990652 and patch #3312568.
          Added run-benchmark target to Makefile.in - relies on testdata module
                present in the same relative location as in the repository.

eteq commented Feb 21, 2013

The error here seems to be the old 1.4.1 problem - any reason not to merge this?

embray commented Feb 21, 2013

Oh yeah, we can go ahead with this.

embray added a commit that referenced this pull request Feb 21, 2013
Upgrade expat to 2.1.0
@embray embray merged commit c7aea2f into astropy:master Feb 21, 2013
1 check failed
default The Travis build could not complete due to an error
embray added a commit to embray/astropy that referenced this pull request Mar 29, 2013
@mdboom mdboom deleted the mdboom:utils/xml/expat-2.1.0 branch May 21, 2014