---
- branch: pkgsrc-2016Q1
  date: Sat May 21 19:13:45 UTC 2016
  files:
  - new: 1.31.2.1
    old: '1.31'
    path: pkgsrc/textproc/expat/Makefile
    pathrev: pkgsrc/textproc/expat/Makefile@1.31.2.1
    type: modified
  - new: 1.24.2.1
    old: '1.24'
    path: pkgsrc/textproc/expat/distinfo
    pathrev: pkgsrc/textproc/expat/distinfo@1.24.2.1
    type: modified
  - new: 1.1.2.2
    old: '0'
    path: pkgsrc/textproc/expat/patches/patch-CVE-2016-0718-1
    pathrev: pkgsrc/textproc/expat/patches/patch-CVE-2016-0718-1@1.1.2.2
    type: added
  - new: 1.1.2.2
    old: '0'
    path: pkgsrc/textproc/expat/patches/patch-CVE-2016-0718-2
    pathrev: pkgsrc/textproc/expat/patches/patch-CVE-2016-0718-2@1.1.2.2
    type: added
  - new: 1.1.2.2
    old: '0'
    path: pkgsrc/textproc/expat/patches/patch-CVE-2016-0718-3
    pathrev: pkgsrc/textproc/expat/patches/patch-CVE-2016-0718-3@1.1.2.2
    type: added
  - new: 1.1.2.2
    old: '0'
    path: pkgsrc/textproc/expat/patches/patch-CVE-2016-0718-4
    pathrev: pkgsrc/textproc/expat/patches/patch-CVE-2016-0718-4@1.1.2.2
    type: added
  id: 20160521T191345Z.eac0c3755f5cb46b67be099d86d30aae0dca3043
  log: |
    Pullup ticket #5026 - requested by drochner
    textproc/expat: security fix

    Revisions pulled up:
    - textproc/expat/Makefile                                       1.32
    - textproc/expat/distinfo                                       1.25
    - textproc/expat/patches/patch-CVE-2016-0718-1                  1.1
    - textproc/expat/patches/patch-CVE-2016-0718-2                  1.1
    - textproc/expat/patches/patch-CVE-2016-0718-3                  1.1
    - textproc/expat/patches/patch-CVE-2016-0718-4                  1.1

    ---
       Module Name:    pkgsrc
       Committed By:   drochner
       Date:           Tue May 17 19:15:01 UTC 2016

       Modified Files:
               pkgsrc/textproc/expat: Makefile distinfo
       Added Files:
               pkgsrc/textproc/expat/patches: patch-CVE-2016-0718-1
                   patch-CVE-2016-0718-2 patch-CVE-2016-0718-3 patch-CVE-2016-0718-4

       Log Message:
       add patches from upstream to fix possible crashes and memory corruption
       on malformed input (CVE-2016-0718)
       Description: The Expat XML parser mishandles certain kinds of malformed
       input documents, resulting in buffer overflows during processing and
       error reporting. The overflows can manifest as a segmentation fault or
       as memory corruption during a parse operation. The bugs allow for a
       denial of service attack in many applications by an unauthenticated
       attacker, and could conceivably result in remote code execution.

       bump PKGREV

       also add an improvement to the fix for CVE-2015-1283 which was part
       of the 2.1.1 release -- don't rely on defined behaviour on overflows
       of signed integer operations, from upstream git:
       https://sourceforge.net/p/expat/code_git/ci/f0bec73b018caa07d3e75ec8dd967f3785d71bde/

       pkgsrc change: add a hint how to run the pkg's selftest (not enabled
       permanently because this would add a dependency on C++)
  module: pkgsrc
  subject: 'CVS commit: [pkgsrc-2016Q1] pkgsrc/textproc/expat'
  unixtime: '1463858025'
  user: bsiegert