From 031996fd39f6be771c772e5063225e8f61927719 Mon Sep 17 00:00:00 2001 From: Don Lewis Date: Wed, 10 Aug 2016 21:29:48 +0000 Subject: #i127069#: bundled expat version 2.1.0 has two vulnerabilities Upgrade bundled expat to version 2.2.0, which fixes: CVE-2016-5300 CVE-2012-6702 It is not known whether these can be exploited when expat is used as part of OpenOffice. All of input files to expat seem to come from the OpenOffice source. One patch is needed to the expat source, without which saxparser crashes during the build. It has been submitted upstream, see . It is only triggered when building expat with -DXML_UNICODE which is not the default, but this flag is used when building the bundled expat. --- external_deps.lst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'external_deps.lst') diff --git a/external_deps.lst b/external_deps.lst index 822a0c92bd98..9963349e322e 100644 --- a/external_deps.lst +++ b/external_deps.lst @@ -221,9 +221,9 @@ if (SYSTEM_VIGRA != YES) URL2 = $(OOO_EXTRAS)$(MD5)-$(name) if (SYSTEM_EXPAT != YES) - MD5 = dd7dab7a5fea97d2a6a43f511449b7cd - name = expat-2.1.0.tar.gz - URL1 = http://sourceforge.net/projects/expat/files/expat/2.1.0/expat-2.1.0.tar.gz/download + MD5 = 2f47841c829facb346eb6e3fab5212e2 + name = expat-2.2.0.tar.bz2 + URL1 = http://downloads.sourceforge.net/project/expat/expat/2.2.0/expat-2.2.0.tar.bz2 URL2 = $(OOO_EXTRAS)$(MD5)-$(name) if (SYSTEM_CURL != YES) -- cgit
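Review bot: The new `URL1` line in the `SYSTEM_EXPAT` block still fetches the tarball over plain `http://`, and the only integrity check visible in this hunk is the `MD5` value, so the download is protected by nothing stronger than a hash that is no longer collision resistant. If SourceForge serves this path over https, switch the scheme. If the `external_deps.lst` format accepts a stronger digest, record one next to the MD5. The archive name also changes from `.tar.gz` to `.tar.bz2`, and `URL2` is built from `$(MD5)-$(name)`. This view is limited to `external_deps.lst`, so please confirm that the expat module's makefile references the new tarball name and MD5, that its unpack step handles bzip2, and that the mirror copy under `$(OOO_EXTRAS)` has been uploaded under the new name. The commit message says a source patch is required when building with `-DXML_UNICODE`. That patch is not part of this hunk, so it should be reviewed alongside this change.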