[Buildroot] [PATCH] package/expat: security bump to version 2.2.8

Thomas Petazzoni thomas.petazzoni at bootlin.com
Sun Sep 15 20:23:21 UTC 2019


On Sun, 15 Sep 2019 22:21:42 +0200
Peter Korsgaard <peter at korsgaard.com> wrote:

> Fixes the following security vulnerability:
> 
> CVE-2019-15903: In libexpat before 2.2.8, crafted XML input could fool the
> parser into changing from DTD parsing to document parsing too early; a
> consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber)
> then resulted in a heap-based buffer over-read.
> 
> While we're at it, also change to use .tar.xz rather than the bigger
> .tar.bz2.
> 
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
> ---
>  package/expat/expat.hash | 8 ++++----
>  package/expat/expat.mk   | 4 ++--
>  2 files changed, 6 insertions(+), 6 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


