expat: upgrade to 2.7.3

Message ID	20250926163231.1478264-1-ross.burton@arm.com
State	New
Headers	show Return-Path: <ross.burton@arm.com> ip: 217.140.110.172, mailfrom: ross.burton@arm.com) From: Ross Burton <ross.burton@arm.com> To: openembedded-core@lists.openembedded.org Subject: [PATCH] expat: upgrade to 2.7.3 Date: Fri, 26 Sep 2025 17:32:31 +0100 Message-ID: <20250926163231.1478264-1-ross.burton@arm.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable
Series	expat: upgrade to 2.7.3 \| expand expat: upgrade to 2.7.3

Message ID

20250926163231.1478264-1-ross.burton@arm.com

State

New

Headers

From: Ross Burton <ross.burton@arm.com>
To: openembedded-core@lists.openembedded.org
Subject: [PATCH] expat: upgrade to 2.7.3
Date: Fri, 26 Sep 2025 17:32:31 +0100
Message-ID: <20250926163231.1478264-1-ross.burton@arm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Series

expat: upgrade to 2.7.3 | expand

Commit Message

Ross Burton Sept. 26, 2025, 4:32 p.m. UTC

Security fixes:
- Fix alignment of internal allocations for some non-amd64 architectures
  (e.g. sparc32); fixes up on the fix to CVE-2025-59375 from #1034 (of
  Expat 2.7.2 and related backports)

- Fix a class of false positives where input should have been rejected
  with error XML_ERROR_ASYNC_ENTITY; regression from CVE-2024-8176 fix
  pull request #973 (of Expat 2.7.0 and related backports). Please check
  the added unit tests for example documents.

Other changes:
- Prove and regression-proof absence of integer overflow from function
  expat_realloc
- Remove "harmless" cast that truncated a size_t to unsigned
- Autotools: Remove "ln -s" discovery
- docs: Be consistent with use of floating point around
  XML_SetAllocTrackerMaximumAmplification
- docs: Make it explicit that XML_GetCurrentColumnNumber starts at 0
- docs: Better integrate the effect of the activation thresholds
- docs: Fix an in-comment typo in expat.h
- docs: Fix a typo in README.md
- docs: Improve change log of release 2.7.2
- xmlwf: Resolve use of functions XML_GetErrorLineNumber and
  XML_GetErrorColumnNumber
- Windows: Normalize .bat files to CRLF line endings
- Version info bumped from 12:0:11 (libexpat*.so.1.11.0) to 12:1:11
  (libexpat*.so.1.11.1); see https://verbump.de/ for what these numbers
  do

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/recipes-core/expat/{expat_2.7.2.bb => expat_2.7.3.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-core/expat/{expat_2.7.2.bb => expat_2.7.3.bb} (92%)

diff --git a/meta/recipes-core/expat/expat_2.7.2.bb b/meta/recipes-core/expat/expat_2.7.3.bb
similarity index 92%
rename from meta/recipes-core/expat/expat_2.7.2.bb
rename to meta/recipes-core/expat/expat_2.7.3.bb
index 952235d7a04..069254e13c3 100644
--- a/meta/recipes-core/expat/expat_2.7.2.bb
+++ b/meta/recipes-core/expat/expat_2.7.3.bb
@@ -15,7 +15,7 @@  SRC_URI = "${GITHUB_BASE_URI}/download/R_${VERSION_TAG}/expat-${PV}.tar.bz2  \
 GITHUB_BASE_URI = "https://github.com/libexpat/libexpat/releases/"
 UPSTREAM_CHECK_REGEX = "releases/tag/R_(?P<pver>.+)"
 
-SRC_URI[sha256sum] = "976f6c2d358953c22398d64cd93790ba5abc62e02a1bbc204a3a264adea149b8"
+SRC_URI[sha256sum] = "59c31441fec9a66205307749eccfee551055f2d792f329f18d97099e919a3b2f"
 
 EXTRA_OECMAKE:class-native += "-DEXPAT_BUILD_DOCS=OFF"

expat: upgrade to 2.7.3

Commit Message

Patch