
Expat 2.6.3 released, includes security fixes

For readers new to Expat:

libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, specifically C99. It is cross-platform and licensed under the MIT license.

Expat 2.6.3 was released earlier today. The key motivation for cutting a release, and cutting it now, is the three security findings by TaiYou that were assigned the identifiers CVE-2024-45490, CVE-2024-45491 and CVE-2024-45492.

Of the remaining fixes in and around the build system, the BSD-motivated portability contributions by Dag-Erling Smørgrav stand out in this release. Thanks to everyone who contributed to this release of Expat!

For more details about this release, please check out the change log.

If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.6.3. Thank you!

Sebastian Pipping

Clone arbitrary single Git commit

git clone can clone a single commit without history, but only for existing branches and tags, using the syntax…

git clone --depth 1 --branch <BRANCH_OR_TAG> <REMOTE_URL>

…and not for arbitrary commits. It is not impossible, though: if you want to clone an arbitrary single commit, say in CI, it can be done with a trick.

The idea is simple: instead of git clone we combine git init, git remote add, git fetch and git checkout — but how?

Let me demonstrate by cloning commit 9c6d51b71caeb1e773cabf4ad9ded9bd6e142229 from repository hartwork/git-delete-merged-branches in a Linux Bash terminal:

# 0. Jump to an empty temporary directory
cd "$(mktemp -d)"

# 1. Create an empty Git repository (rather than using "git clone"), without warnings
git -c init.defaultbranch=main init

# 2. Add the target repository as a new remote "origin"
git remote add origin https://github.com/hartwork/git-delete-merged-branches

# 3. Fetch a single commit (and all trees and blobs needed for it)
git fetch --depth 1 origin 9c6d51b71caeb1e773cabf4ad9ded9bd6e142229

# 4. Check out the commit we just fetched, without warnings
git -c advice.detachedHead=false checkout FETCH_HEAD

# 5. Done.

I myself got the idea from GitHub Action actions/checkout — thanks to them!
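The four steps above, as an added example that is not part of the original post: the trick wrapped in a shell function, followed by the check a CI job should run afterwards, namely that HEAD really is the pinned SHA and that nothing beyond that one commit was fetched. Since a demo has to run offline, the remote here is a constructed local repository standing in for GitHub (an assumption: the file transport behaves the same as HTTPS for this purpose). It is configured with uploadpack.allowAnySHA1InWant because a server has to permit fetching a commit that is not a ref tip; GitHub does that for reachable commits, a self-hosted repository might not. Function names, the repository contents and the demo paths are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: the init/remote/fetch/checkout
# trick wrapped in a function, plus the check a CI job should run afterwards.
set -eu

# Clone exactly one commit, identified by its full SHA, into DEST.
clone_single_commit() {
    remote_url=$1
    commit=$2
    dest=$3
    mkdir -p "$dest"
    git -C "$dest" -c init.defaultbranch=main init -q
    git -C "$dest" remote add origin "$remote_url"
    # Only this commit plus the trees and blobs it needs: no history, no refs.
    git -C "$dest" fetch -q --depth 1 origin "$commit"
    git -C "$dest" -c advice.detachedHead=false checkout -q FETCH_HEAD
}

# Succeeds only if HEAD is the commit that was asked for and nothing else is
# reachable, i.e. the pin was honoured and no mutable ref was substituted.
verify_single_commit() {
    dest=$1
    commit=$2
    head=$(git -C "$dest" rev-parse HEAD)
    count=$(git -C "$dest" rev-list --count HEAD)
    [ "$head" = "$commit" ] && [ "$count" -eq 1 ]
}

# Constructed stand-in for a hosting service (assumption: a local repository
# behaves the same over the file transport): three commits on one branch, so
# the middle one is reachable but is neither a branch tip nor a tag.
# Prints the SHA of that middle commit.
make_demo_remote() {
    dir=$1
    git -c init.defaultbranch=main init -q "$dir"
    # Servers may refuse "want <sha>" for non-tip commits unless allowed;
    # GitHub allows reachable SHAs, a self-hosted repository may need this.
    git -C "$dir" config uploadpack.allowAnySHA1InWant true
    for n in 1 2 3; do
        printf 'revision %s\n' "$n" > "$dir/file.txt"
        git -C "$dir" add file.txt
        git -C "$dir" -c user.name=demo -c user.email=demo@example.com \
            commit -q -m "commit $n"
    done
    git -C "$dir" rev-parse 'HEAD~1'
}

# Demo run: build the stand-in remote, clone its middle commit, verify.
demo_dir=$(mktemp -d)
demo_sha=$(make_demo_remote "$demo_dir/remote")
clone_single_commit "$demo_dir/remote" "$demo_sha" "$demo_dir/work"
if verify_single_commit "$demo_dir/work" "$demo_sha"; then
    echo "ok: $demo_dir/work is at single commit $demo_sha"
else
    echo "FAIL: $demo_dir/work does not match $demo_sha" >&2
    exit 1
fi
```

Pinning a dependency by commit SHA rather than by branch or tag name is what makes this worthwhile in CI: a tag or branch can be moved, a commit hash cannot, and the verification step turns a silent substitution into a failed job.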

Did you just learn something of value? Are you struggling with anything Git? Let me know!

Sebastian Pipping

Berlin, 2024

Expat 2.6.2 released, includes security fixes

For readers new to Expat: libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, specifically C99. It is cross-platform and licensed under the MIT license.

Expat 2.6.2 has been released earlier today. This release is the first with a detailed call-for-help banner at the top of the change log — something will have to change. It has literally been said to me that "XKCD 2347 is libexpat". If your employer or business depends on the security of Expat — if, for example, you use Expat to parse input from uploaded files or the network, directly or through another library or application — please make sure this gets the needed attention — thanks!

Regarding the actual release content: most importantly, this release fixes security issue CVE-2024-28757, an XML entity expansion issue that can be used to cause a denial of service against code like…

#include <string.h>
#include <expat.h>

/* The root parser is created but never fed any input ... */
XML_Parser parser = XML_ParserCreate(NULL);
/* ... while an external entity parser derived from it receives everything. */
XML_Parser ext_parser
  = XML_ExternalEntityParserCreate(parser, NULL, NULL);
enum XML_Status status
  = XML_Parse(ext_parser, doc, (int)strlen(doc), XML_TRUE);

…where all input is sent to the external parser and none to the parent regular parser.
The commit message of commit 1d50b80cf31de87750103656f6eb693746854aa8 explains the problem and solution in more detail.
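To make the shape of the problem concrete, here is an added example that is neither from the original post nor from Expat's own test suite. It uses Python's standard-library binding to whatever libexpat the interpreter links, so it runs offline, and it exercises the protection against input amplification (the "billion laughs" family of attacks) twice: once through a root parser fed directly, and once in the shape shown above, where the root parser never receives input and an external entity parser derived from it (ExternalEntityParserCreate(None) in Python, which maps to the NULL context in the C snippet) gets everything. The two payloads are constructed for this example: a general-entity bomb inside a DOCTYPE for the root parser, and a parameter-entity bomb written as an external DTD fragment for the isolated parser, because a parser created with a NULL context parses an external parameter entity. The function names are mine. With the fix in 2.6.2 both runs are rejected with the amplification-limit error; the comparison against version 2.6.2 in the code assumes a stock libexpat, since distributions backport fixes under older version numbers.

```python
"""Added example, not code from the original post or from Expat itself: drive
the linked libexpat through Python's stdlib binding, once the normal way (all
input to the root parser) and once in the isolated-external-parser shape that
CVE-2024-28757 is about, and report whether the amplification ("billion
laughs") protection fires.  Payloads below are constructed for this example."""
import xml.parsers.expat as expat


def general_entity_bomb(depth=5, fanout=10, width=256):
    """Document with an internal DTD subset; with the defaults the expansion
    of &e5; in content is fanout**depth * width = 25.6 MB from ~1 KB input."""
    decls = ['<!ENTITY e0 "%s">' % ("A" * width)]
    for i in range(1, depth + 1):
        ref = "&e%d;" % (i - 1)
        decls.append('<!ENTITY e%d "%s">' % (i, ref * fanout))
    return '<?xml version="1.0"?><!DOCTYPE d [%s]><d>&e%d;</d>' % (
        "".join(decls), depth)


def parameter_entity_bomb(depth=5, fanout=10, width=128):
    """Content of an external parameter entity, i.e. a DTD fragment.  In the
    external subset a parameter entity reference inside an entity value is
    expanded when the declaration is processed, so no document is needed:
    the final declaration alone expands to fanout**depth * width = 12.8 MB."""
    decls = ['<!ENTITY %% e0 "%s">' % ("A" * width)]
    for i in range(1, depth + 1):
        ref = "%%e%d;" % (i - 1)
        decls.append('<!ENTITY %% e%d "%s">' % (i, ref * fanout))
    return "\n".join(decls) + "\n"


def parse_result(parser, text):
    """'accepted', or 'rejected: <Expat error>'; never raises."""
    try:
        parser.Parse(text, True)
        return "accepted"
    except expat.ExpatError as exc:
        return "rejected: %s" % exc


def via_root_parser(doc):
    """The usual shape: the root parser is fed directly."""
    return parse_result(expat.ParserCreate(), doc)


def via_isolated_external_parser(dtd_text):
    """The CVE-2024-28757 shape: the root parser never sees input; an external
    entity parser derived from it (None context, NULL in C, so it parses an
    external parameter entity) gets everything."""
    root = expat.ParserCreate()
    child = root.ExternalEntityParserCreate(None)
    return parse_result(child, dtd_text)


def is_amplification_error(result):
    """True if Expat stopped because of its input amplification limit."""
    return result.startswith("rejected") and "amplification" in result


def linked_expat_version():
    """Version tuple of the libexpat this interpreter links, e.g. (2, 6, 2)."""
    return tuple(expat.version_info)


if __name__ == "__main__":
    print("linked Expat:    ", expat.EXPAT_VERSION)
    print("root parser:     ", via_root_parser(general_entity_bomb())[:90])
    print("isolated parser: ",
          via_isolated_external_parser(parameter_entity_bomb())[:90])
```

Run it under a few interpreters and compare the linked Expat version with the outcome of the second run: if your application uses the isolated-parser pattern and the second run comes back as accepted, that Expat is missing the 2.6.2 fix.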

There is also a bugfix to reject direct parameter entity recursion and to avoid the related undefined behavior. The issue was uncovered by ClusterFuzz/OSS-Fuzz after 20+ years of being unreported; that speaks volumes for the value of fuzzing.

For more details about this release, please check out the change log.

If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.6.2. Thank you!

Sebastian Pipping

Expat 2.6.0 released, includes security fixes

For readers new to Expat: libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.

Expat 2.6.0 was released earlier today. Most importantly, this release fixes two security issues, CVE-2023-52425 and CVE-2023-52426, that can be used to cause denial of service. There are also non-security bugfixes, many improvements to the two official build systems (GNU Autotools and CMake), enhancements to the documentation and the xmlwf command line tool, new example code element_declarations.c, improved fuzzers, hardened CI security, and many more improvements, both above and below water level. For more details, please check out the change log.

While these are not new learnings, to me this release proved once more that OSS-Fuzz and fuzzing keep uncovering real and surprising bugs, and that Clang's AddressSanitizer and UndefinedBehaviorSanitizer have become invaluable to the C/C++ community and can hardly be over-promoted.

I would like to thank everyone who has contributed to this release of Expat in some way, in particular thanks to Snild Dolkow for his work on and around fixing CVE-2023-52425 — two thumbs up!

If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.6.0. Thank you!

Sebastian Pipping