
Expat 2.6.0 released, includes security fixes

For readers new to Expat: libexpat is a fast streaming XML parser. Alongside libxml2, Expat is one of the most widely used software libre XML parsers written in C, precisely C99. It is cross-platform and licensed under the MIT license.

Expat 2.6.0 was released earlier today. Most importantly, this release fixes two security issues, CVE-2023-52425 and CVE-2023-52426, that can be used to cause denial of service. There are also non-security bugfixes, many improvements to the two official build systems (GNU Autotools and CMake), enhancements to the documentation and the xmlwf command line tool, new example code element_declarations.c, improved fuzzers, hardened CI security, and many more improvements, both above and below water level. For more details, please check out the change log.

While these are not new learnings, to me this release proved once more that OSS-Fuzz and fuzzing keep uncovering actual and surprising bugs, and that Clang's AddressSanitizer and UndefinedBehaviorSanitizer have become invaluable to the C/C++ community and can hardly be over-promoted.

I would like to thank everyone who has contributed to this release of Expat in some way, in particular thanks to Snild Dolkow for his work on and around fixing CVE-2023-52425 — two thumbs up!

If you maintain Expat packaging or a bundled copy of Expat or a pinned version of Expat somewhere, please update to 2.6.0. Thank you!

Sebastian Pipping

What I Learned from Migrating to a Phone with Android 13

I recently migrated from a phone with Android 8 to one with Android 13. I learned some interesting things about recent Android in the process and some related workarounds that I would like to share.

I got the new phone for security updates only: Android 8 with no updates from Huawei for 12+ months was asking for a replacement more and more every day. I had both phones, old and new, at hand, working and charged. The plan was to get the new phone set up with contacts, messaging (Signal + Telegram), banking, two-factor apps (Google Authenticator), and a few small tools, all while uploading only the bare minimum to the Google cloud, so that the new phone would roughly feel like the old one, except with security updates.

Here's what I ran into:

I cannot install Telegram unless I prove my 18+ age to Google. How?

That makes some sense, so how do I prove to Google that I'm 18+? They offer a test bank transfer or uploading passport pictures. Google has no business with my passport, so I tried my VISA card and learned that debit cards are not supported — why?! — they want credit, and I don't have any, never had, never needed to. The VISA card stunt was already over my limit for nothing but installing an app; passport pictures are beyond what I would even try. So what else could I do?

It turns out that installing an APK works for 18+ apps without age verification. For Telegram, their website offers an official APK download, so that was download, install, done.

How about the general case, though? APK download websites are no option for me for security reasons, but is that the end?

It turns out that one Android phone can send an installed app's APK file to another. So I needed to find a secure way to export, send, receive, and install.

Sharing APK files among two Android phones?

I found these general approaches:

  • a) Use the app share feature of F-Droid
  • b) Use APKShare to share the APK file directly
  • c) Use APK Explorer & Editor to write split APKs to storage and share these files via a file manager like Files.

In the process I learned that F-Droid's app sharing only works for F-Droid apps, fair enough. And the stock Android feature "share via Bluetooth" rejects transfers of .apk and (Signal) .backup files but can be fooled by renaming the files. Renaming the file only works, though, if you have a local file to begin with, which is not the case with APKShare.

It turns out that LocalSend, which uses Wi-Fi rather than Bluetooth, has no problem sharing .apk files, is friendly to use, and can be selected when asked for an app to share a file with. LocalSend solved that problem.

In the case of split APKs, I found the files produced by APK Explorer & Editor at /storage/emulated/0/Android/data/com.apk.editor/*/*.apk, and SAI as a way to install them on the new phone.
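One check worth doing on the receiving phone (or on a laptop in between) before installing anything that arrived via Bluetooth, LocalSend or a renamed file: confirm that what arrived is byte-for-byte what was sent, and that it is a real signed APK rather than an arbitrary zip. The script below is an added example, not part of the original post or of any of the apps mentioned. An APK is a zip file whose v2/v3 signatures live in an "APK Signing Block" sitting between the last zip entry and the central directory, terminated by the magic "APK Sig Block 42"; the block IDs 0x7109871a (scheme v2), 0xf05368c0 (scheme v3) and 0x42726577 (verity padding) are Android's published constants. The script locates that block, reports which scheme IDs it carries, checks that the zip container is intact, and prints the file's SHA-256 so both phones can compare. It does not verify the signature cryptographically; `apksigner verify --print-certs` from the Android SDK does that. The sample APK it builds when run without an argument is constructed here for the demo (dummy zip entries, dummy "fake-signature-bytes" values) and is not installable.

```python
"""Inspect a received APK before installing it: signing block present? zip intact? what hash?"""
import hashlib
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
# IDs of ID-value pairs inside the APK Signing Block (Android's published constants).
KNOWN_BLOCK_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x42726577: "verity padding",
}


def _find_eocd(data):
    """Locate the zip End Of Central Directory record; return (eocd_offset, cd_size, cd_offset)."""
    # The EOCD is 22 bytes, optionally followed by a comment of up to 65535 bytes.
    idx = data.rfind(b"PK\x05\x06", max(0, len(data) - 22 - 65535))
    if idx < 0:
        raise ValueError("not a zip file: no end-of-central-directory record")
    cd_size, cd_offset = struct.unpack_from("<II", data, idx + 12)
    return idx, cd_size, cd_offset


def find_signing_block(data):
    """Return {block_id: value_bytes} from the APK Signing Block, or None if there is none."""
    _, _, cd_offset = _find_eocd(data)
    if cd_offset < 32:
        return None
    # The block ends, right before the central directory, with uint64 size_of_block + 16-byte magic.
    size_of_block, magic = struct.unpack("<Q16s", data[cd_offset - 24:cd_offset])
    if magic != APK_SIG_BLOCK_MAGIC:
        return None
    # size_of_block counts everything after the leading size field (pairs, trailing size, magic).
    block_start = cd_offset - size_of_block - 8
    if block_start < 0:
        raise ValueError("signing block claims to be larger than the file")
    (leading_size,) = struct.unpack_from("<Q", data, block_start)
    if leading_size != size_of_block:
        raise ValueError("signing block size fields disagree")
    pairs = {}
    pos, end = block_start + 8, cd_offset - 24
    while pos < end:
        # Each pair: uint64 length (of id + value), uint32 id, value bytes.
        (pair_len,) = struct.unpack_from("<Q", data, pos)
        (block_id,) = struct.unpack_from("<I", data, pos + 8)
        pairs[block_id] = data[pos + 12:pos + 8 + pair_len]
        pos += 8 + pair_len
    return pairs


def sha256_hex(data):
    """Digest to compare between sender and receiver; renaming the file does not change it."""
    return hashlib.sha256(data).hexdigest()


def inspect_apk(data):
    """Everything a receiver can check offline before tapping 'install'."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zip_ok = zf.testzip() is None
    except zipfile.BadZipFile:
        zip_ok = False
    block = find_signing_block(data)
    schemes = [] if block is None else [KNOWN_BLOCK_IDS.get(i, "unknown 0x%08x" % i) for i in block]
    return {"sha256": sha256_hex(data), "zip_ok": zip_ok,
            "signing_block": block is not None, "schemes": schemes}


def build_sample_apk(block_ids):
    """Constructed sample for the demo (not a real, installable APK): a minimal zip
    plus a fake APK Signing Block carrying the given IDs with dummy values."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)
    data = buf.getvalue()
    if not block_ids:
        return data
    eocd_idx, cd_size, cd_offset = _find_eocd(data)
    value = b"fake-signature-bytes"  # placeholder, not a signature
    pairs = b"".join(struct.pack("<QI", 4 + len(value), i) + value for i in block_ids)
    size_of_block = len(pairs) + 8 + 16
    block = struct.pack("<Q", size_of_block) + pairs + struct.pack("<Q", size_of_block) + APK_SIG_BLOCK_MAGIC
    eocd = bytearray(data[eocd_idx:])
    struct.pack_into("<I", eocd, 16, cd_offset + len(block))  # central directory moved past the block
    return data[:cd_offset] + block + data[cd_offset:cd_offset + cd_size] + bytes(eocd)


if __name__ == "__main__":
    import sys
    apk = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk([0x7109871A, 0xF05368C0])
    print(inspect_apk(apk))
```

Run it against each split APK on both phones (Termux, or pull them to a laptop with adb) and compare the digests; a missing signing block, a mismatching hash, or a broken zip means the file is not what you think it is. Android will still verify the actual signature at install time, but catching a bad transfer before that point saves a confusing installer error.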

While playing with file transfer, screens tend to turn off faster than ideal all the time, but Coffee is great for forcing the display to stay awake.

No button to toggle Silent/Sound/Vibration in Quick Settings? Restore!

At some point I noticed that the Quick Settings (near the top of the screen) lack a button to toggle the phone from silent, to vibration only, to speakers enabled. Turns out Sound Toggle solves that problem; that was a glad find.

(Screenshot: Android 13 Sound Toggle)

No numbers row on top of the keyboard? Settings!

For the missing numbers row, Gboard fortunately has a setting to bring the numbers row back.

That's all I have for now, have a good time with Android.

Best, Sebastian