[AUTO-CHERRYPICK] Upgrade expat to 2.6.2 CVE-2023-52425 and CVE-2024-28757 - branch main (#8563)

Co-authored-by: Adub17030MS <110563293+Adub17030MS@users.noreply.github.com>

Author: CBL-Mariner-Bot

SPECS/expat/CVE-2023-52426.patch

@@ -1,5 +1,5 @@
 {
   "Signatures": {
-    "expat-2.5.0.tar.bz2": "6f0e6e01f7b30025fa05c85fdad1e5d0ec7fd35d9f61b22f34998de11969ff67"
+    "expat-2.6.2.tar.bz2": "9c7c1b5dcbc3c237c500a8fb1493e14d9582146dd9b42aa8d3ffb856a3b927e0"
   }
 }

SPECS/expat/expat.signatures.json

@@ -1,17 +1,15 @@
 %define         underscore_version %(echo %{version} | cut -d. -f1-3 --output-delimiter="_")
 Summary:        An XML parser library
 Name:           expat
-Version:        2.5.0
-Release:        2%{?dist}
+Version:        2.6.2
+Release:        1%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System Environment/GeneralLibraries
 URL:            https://libexpat.github.io/
 Source0:        https://github.com/libexpat/libexpat/releases/download/R_%{underscore_version}/%{name}-%{version}.tar.bz2
 
-Patch0:         CVE-2023-52426.patch
-
 Requires:       %{name}-libs = %{version}-%{release}
 
 %description
@@ -32,7 +30,7 @@ Group:          System Environment/Libraries
 This package contains minimal set of shared expat libraries.
 
 %prep
-%autosetup -p1
+%autosetup
 
 %build
 %configure \
@@ -55,6 +53,7 @@ rm -rf %{buildroot}/%{_docdir}/%{name}
 %files
 %defattr(-,root,root)
 %doc AUTHORS Changes
+%{_mandir}/man1/xmlwf.1.gz
 %{_bindir}/*
 
 %files devel
@@ -68,6 +67,10 @@ rm -rf %{buildroot}/%{_docdir}/%{name}
 %{_libdir}/libexpat.so.1*
 
 %changelog
+* Thu Mar 21 2024 Aditya Dubey <adityadubey@microsoft.com> - 2.6.2-1
+- Upgrading to 2.6.2 to fix CVE-2023-52425 and CVE-2023-28757
+- No longer need Patch CVE-2023-52426 since 2.6.2 fixes it
+
 * Thu Mar 07 2024 Saul Paredes <saulparedes@microsoft.com> - 2.5.0-2
 - Patch CVE-2023-52426
 

SPECS/expat/expat.spec

@@ -3398,8 +3398,8 @@
         "type": "other",
         "other": {
           "name": "expat",
-          "version": "2.5.0",
-          "downloadUrl": "https://github.com/libexpat/libexpat/releases/download/R_2_5_0/expat-2.5.0.tar.bz2"
+          "version": "2.6.2",
+          "downloadUrl": "https://github.com/libexpat/libexpat/releases/download/R_2_6_2/expat-2.6.2.tar.bz2"
         }
       }
     },

cgmanifest.json

@@ -95,9 +95,9 @@ elfutils-libelf-0.186-2.cm2.aarch64.rpm
 elfutils-libelf-devel-0.186-2.cm2.aarch64.rpm
 elfutils-libelf-devel-static-0.186-2.cm2.aarch64.rpm
 elfutils-libelf-lang-0.186-2.cm2.aarch64.rpm
-expat-2.5.0-2.cm2.aarch64.rpm
-expat-devel-2.5.0-2.cm2.aarch64.rpm
-expat-libs-2.5.0-2.cm2.aarch64.rpm
+expat-2.6.2-1.cm2.aarch64.rpm
+expat-devel-2.6.2-1.cm2.aarch64.rpm
+expat-libs-2.6.2-1.cm2.aarch64.rpm
 libpipeline-1.5.5-3.cm2.aarch64.rpm
 libpipeline-devel-1.5.5-3.cm2.aarch64.rpm
 gdbm-1.21-1.cm2.aarch64.rpm

toolkit/resources/manifests/package/pkggen_core_aarch64.txt

@@ -95,9 +95,9 @@ elfutils-libelf-0.186-2.cm2.x86_64.rpm
 elfutils-libelf-devel-0.186-2.cm2.x86_64.rpm
 elfutils-libelf-devel-static-0.186-2.cm2.x86_64.rpm
 elfutils-libelf-lang-0.186-2.cm2.x86_64.rpm
-expat-2.5.0-2.cm2.x86_64.rpm
-expat-devel-2.5.0-2.cm2.x86_64.rpm
-expat-libs-2.5.0-2.cm2.x86_64.rpm
+expat-2.6.2-1.cm2.x86_64.rpm
+expat-devel-2.6.2-1.cm2.x86_64.rpm
+expat-libs-2.6.2-1.cm2.x86_64.rpm
 libpipeline-1.5.5-3.cm2.x86_64.rpm
 libpipeline-devel-1.5.5-3.cm2.x86_64.rpm
 gdbm-1.21-1.cm2.x86_64.rpm

toolkit/resources/manifests/package/pkggen_core_x86_64.txt

@@ -73,10 +73,10 @@ elfutils-libelf-0.186-2.cm2.aarch64.rpm
 elfutils-libelf-devel-0.186-2.cm2.aarch64.rpm
 elfutils-libelf-devel-static-0.186-2.cm2.aarch64.rpm
 elfutils-libelf-lang-0.186-2.cm2.aarch64.rpm
-expat-2.5.0-2.cm2.aarch64.rpm
-expat-debuginfo-2.5.0-2.cm2.aarch64.rpm
-expat-devel-2.5.0-2.cm2.aarch64.rpm
-expat-libs-2.5.0-2.cm2.aarch64.rpm
+expat-2.6.2-1.cm2.aarch64.rpm
+expat-debuginfo-2.6.2-1.cm2.aarch64.rpm
+expat-devel-2.6.2-1.cm2.aarch64.rpm
+expat-libs-2.6.2-1.cm2.aarch64.rpm
 file-5.40-2.cm2.aarch64.rpm
 file-debuginfo-5.40-2.cm2.aarch64.rpm
 file-devel-5.40-2.cm2.aarch64.rpm

toolkit/resources/manifests/package/toolchain_aarch64.txt

@@ -76,10 +76,10 @@ elfutils-libelf-0.186-2.cm2.x86_64.rpm
 elfutils-libelf-devel-0.186-2.cm2.x86_64.rpm
 elfutils-libelf-devel-static-0.186-2.cm2.x86_64.rpm
 elfutils-libelf-lang-0.186-2.cm2.x86_64.rpm
-expat-2.5.0-2.cm2.x86_64.rpm
-expat-debuginfo-2.5.0-2.cm2.x86_64.rpm
-expat-devel-2.5.0-2.cm2.x86_64.rpm
-expat-libs-2.5.0-2.cm2.x86_64.rpm
+expat-2.6.2-1.cm2.x86_64.rpm
+expat-debuginfo-2.6.2-1.cm2.x86_64.rpm
+expat-devel-2.6.2-1.cm2.x86_64.rpm
+expat-libs-2.6.2-1.cm2.x86_64.rpm
 file-5.40-2.cm2.x86_64.rpm
 file-debuginfo-5.40-2.cm2.x86_64.rpm
 file-devel-5.40-2.cm2.x86_64.rpm