[3.13] gh-149698: Update bundled expat to 2.8.1 (GH-149699) (#149827)

(cherry picked from commit f1a47e79fb)

Co-authored-by: Stan Ulbrych <stan@python.org>
Miss Islington (bot) 2026-05-14 17:24:39 +02:00 committed by GitHub
parent ae31e50d3f
commit 6fff3e4bc6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 44 additions and 18 deletions


@ -0,0 +1,2 @@
Update bundled `libexpat <https://libexpat.github.io/>`_ to version 2.8.1
for the fix for :cve:`2026-45186`.

16
Misc/sbom.spdx.json generated

@ -48,11 +48,11 @@
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "5343adc95840915b022b1d4524d0acb66b369ba2"
"checksumValue": "58101ef0951568acadd3117033bef084fea24cc1"
},
{
"algorithm": "SHA256",
"checksumValue": "1ec3bad08b6864c2c479e1fd941038c2dcd24c6d9a16400f4da54912d95aa321"
"checksumValue": "52d756026bf09befdb211c453e2009a646d6c6b519e6885e971b2550396619fb"
}
],
"fileName": "Modules/expat/expat.h"
@ -174,11 +174,11 @@
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "cb0af01558ec7b6474d2bd0c9386380c82618e8f"
"checksumValue": "1dad2ab196cdbe37572674c465bd9187fdbe4495"
},
{
"algorithm": "SHA256",
"checksumValue": "6745a6b8cdd7344d4bd8f27f605363ed746e57ff02d4ebce3eb1806579cd030f"
"checksumValue": "740137e670d2f3b7269364ffb6f60064e6560091850c5d6f2c3bb1b8ca6e3dd1"
}
],
"fileName": "Modules/expat/xmlparse.c"
@ -1548,14 +1548,14 @@
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "c7cec5f60ea3a42e7780781c6745255c19aa3dbfeeae58646b7132f88dc24780"
"checksumValue": "a52eb72108be160e190b5cafa5bba8663f1313f2013e26060d1c18e26e31067b"
}
],
"downloadLocation": "https://github.com/libexpat/libexpat/releases/download/R_2_8_0/expat-2.8.0.tar.gz",
"downloadLocation": "https://github.com/libexpat/libexpat/releases/download/R_2_8_1/expat-2.8.1.tar.gz",
"externalRefs": [
{
"referenceCategory": "SECURITY",
"referenceLocator": "cpe:2.3:a:libexpat_project:libexpat:2.8.0:*:*:*:*:*:*:*",
"referenceLocator": "cpe:2.3:a:libexpat_project:libexpat:2.8.1:*:*:*:*:*:*:*",
"referenceType": "cpe23Type"
}
],
@ -1563,7 +1563,7 @@
"name": "expat",
"originator": "Organization: Expat development team",
"primaryPackagePurpose": "SOURCE",
"versionInfo": "2.8.0"
"versionInfo": "2.8.1"
},
{
"SPDXID": "SPDXRef-PACKAGE-hacl-star",


@ -1094,7 +1094,7 @@ XML_SetReparseDeferralEnabled(XML_Parser parser, XML_Bool enabled);
*/
# define XML_MAJOR_VERSION 2
# define XML_MINOR_VERSION 8
# define XML_MICRO_VERSION 0
# define XML_MICRO_VERSION 1
# ifdef __cplusplus
}


@ -12,9 +12,9 @@ fi
# Update this when updating to a new version after verifying that the changes
# the update brings in are good. These values are used for verifying the SBOM, too.
expected_libexpat_tag="R_2_8_0"
expected_libexpat_version="2.8.0"
expected_libexpat_sha256="c7cec5f60ea3a42e7780781c6745255c19aa3dbfeeae58646b7132f88dc24780"
expected_libexpat_tag="R_2_8_1"
expected_libexpat_version="2.8.1"
expected_libexpat_sha256="a52eb72108be160e190b5cafa5bba8663f1313f2013e26060d1c18e26e31067b"
expat_dir="$(realpath "$(dirname -- "${BASH_SOURCE[0]}")")"
cd ${expat_dir}


@ -1,4 +1,4 @@
/* a5d18f6a50f536615ac1c70304f87d94f99cc85a86b502188952440610ccf0f8 (2.8.0+)
/* 75ef4224f81c052e9e5aeea2ac7de75357d2169ff9908e39edc08b9dc3052513 (2.8.1+)
__ __ _
___\ \/ /_ __ __ _| |_
/ _ \\ /| '_ \ / _` | __|
@ -387,6 +387,7 @@ typedef struct {
int nDefaultAtts;
int allocDefaultAtts;
DEFAULT_ATTRIBUTE *defaultAtts;
HASH_TABLE defaultAttsNames;
} ELEMENT_TYPE;
typedef struct {
@ -3769,6 +3770,8 @@ storeAtts(XML_Parser parser, const ENCODING *enc, const char *attStr,
sizeof(ELEMENT_TYPE));
if (! elementType)
return XML_ERROR_NO_MEMORY;
if (! elementType->defaultAttsNames.parser)
hashTableInit(&(elementType->defaultAttsNames), parser);
if (parser->m_ns && ! setElementTypePrefix(parser, elementType))
return XML_ERROR_NO_MEMORY;
}
@ -7102,10 +7105,10 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
if (value || isId) {
/* The handling of default attributes gets messed up if we have
a default which duplicates a non-default. */
int i;
for (i = 0; i < type->nDefaultAtts; i++)
if (attId == type->defaultAtts[i].id)
return 1;
NAMED *const nameFound
= (NAMED *)lookup(parser, &(type->defaultAttsNames), attId->name, 0);
if (nameFound)
return 1;
if (isId && ! type->idAtt && ! attId->xmlns)
type->idAtt = attId;
}
@ -7152,6 +7155,12 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
att->isCdata = isCdata;
if (! isCdata)
attId->maybeTokenized = XML_TRUE;
NAMED *const nameAddedOrFound = (NAMED *)lookup(
parser, &(type->defaultAttsNames), attId->name, sizeof(NAMED));
if (! nameAddedOrFound)
return 0;
type->nDefaultAtts += 1;
return 1;
}
@ -7477,6 +7486,7 @@ dtdReset(DTD *p, XML_Parser parser) {
ELEMENT_TYPE *e = (ELEMENT_TYPE *)hashTableIterNext(&iter);
if (! e)
break;
hashTableDestroy(&(e->defaultAttsNames));
if (e->allocDefaultAtts != 0)
FREE(parser, e->defaultAtts);
}
@ -7518,6 +7528,7 @@ dtdDestroy(DTD *p, XML_Bool isDocEntity, XML_Parser parser) {
ELEMENT_TYPE *e = (ELEMENT_TYPE *)hashTableIterNext(&iter);
if (! e)
break;
hashTableDestroy(&(e->defaultAttsNames));
if (e->allocDefaultAtts != 0)
FREE(parser, e->defaultAtts);
}
@ -7611,6 +7622,10 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
sizeof(ELEMENT_TYPE));
if (! newE)
return 0;
if (! newE->defaultAttsNames.parser)
hashTableInit(&(newE->defaultAttsNames), parser);
if (oldE->nDefaultAtts) {
/* Detect and prevent integer overflow.
* The preprocessor guard addresses the "always false" warning
@ -7635,8 +7650,9 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
newE->prefix = (PREFIX *)lookup(oldParser, &(newDtd->prefixes),
oldE->prefix->name, 0);
for (i = 0; i < newE->nDefaultAtts; i++) {
const XML_Char *const attributeName = oldE->defaultAtts[i].id->name;
newE->defaultAtts[i].id = (ATTRIBUTE_ID *)lookup(
oldParser, &(newDtd->attributeIds), oldE->defaultAtts[i].id->name, 0);
oldParser, &(newDtd->attributeIds), attributeName, 0);
newE->defaultAtts[i].isCdata = oldE->defaultAtts[i].isCdata;
if (oldE->defaultAtts[i].value) {
newE->defaultAtts[i].value
@ -7645,6 +7661,12 @@ dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd,
return 0;
} else
newE->defaultAtts[i].value = NULL;
NAMED *const nameAddedOrFound = (NAMED *)lookup(
parser, &(newE->defaultAttsNames), attributeName, sizeof(NAMED));
if (! nameAddedOrFound) {
return 0;
}
}
}
@ -8391,6 +8413,8 @@ getElementType(XML_Parser parser, const ENCODING *enc, const char *ptr,
sizeof(ELEMENT_TYPE));
if (! ret)
return NULL;
if (! ret->defaultAttsNames.parser)
hashTableInit(&(ret->defaultAttsNames), getRootParserOf(parser, NULL));
if (ret->name != name)
poolDiscard(&dtd->pool);
else {