expat-2.7.1-160000.3.1

- Fix CVE-2025-59375 / bsc#1249584.
- Add patch file:
  * CVE-2025-59375.patch

- version update to 2.7.1
    Bug fixes:
    [#980] #989  Restore event pointer behavior from Expat 2.6.4
    (that the fix to CVE-2024-8176 changed in 2.7.0);
    affected API functions are:
  - XML_GetCurrentByteCount
  - XML_GetCurrentByteIndex
  - XML_GetCurrentColumnNumber
  - XML_GetCurrentLineNumber
  - XML_GetInputContext
    Other changes:
    [#976] #977  Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}"
    with Automake that were missing from 2.7.0 release tarballs
    [#983] #984  Fix printf format specifiers for 32bit Emscripten
    [#992]  docs: Promote OpenSSF Best Practices self-certification
    [#978]  tests/benchmark: Resolve mistaken double close
    [#986]  Address compiler warnings
    [#990] #993  Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
    to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
    for what these numbers do
    Infrastructure:
    [#982]  CI: Start running Perl XML::Parser integration tests
    [#987]  CI: Enforce Clang Static Analyzer clean code
    [#991]  CI: Re-enable warning clang-analyzer-valist.Uninitialized
    for clang-tidy
    [#981]  CI: Cover compilation with musl
    [#983] #984  CI: Cover compilation with 32bit Emscripten
    [#976] #977  CI: Protect against fuzzer files missing from future
    release archives

- version update to 2.7.0 (CVE-2024-8176 [bsc#1239618])
  * Security fixes:
    [#893] #973  CVE-2024-8176 -- Fix crash from chaining a large number
    of entities caused by stack overflow by resolving use of
    recursion, for all three uses of entities:
  - general entities in character data ("<e>&g1;</e>")
  - general entities in attribute values ("<e k1='&g1;'/>")
  - parameter entities ("%p1;")
    Known impact is (reliable and easy) denial of service:
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
    (Base Score: 7.5, Temporal Score: 7.2)
    Please note that a layer of compression around XML can
    significantly reduce the minimum attack payload size.
  * Other changes:
    [#935] #937  Autotools: Make generated CMake files look for
    libexpat.@SO_MAJOR@.dylib on macOS
    [#925]  Autotools: Sync CMake templates with CMake 3.29
  [#945] #962 #966  CMake: Drop support for CMake <3.13
    [#942]  CMake: Small fuzzing related improvements
    [#921]  docs: Add missing documentation of error code
    XML_ERROR_NOT_STARTED that was introduced with 2.6.4
    [#941]  docs: Document need for C++11 compiler for use from C++
    [#959]  tests/benchmark: Fix a (harmless) TOCTTOU
    [#944]  Windows: Fix installer target location of file xmlwf.xml
    for CMake
    [#953]  Windows: Address warning -Wunknown-warning-option
    about -Wno-pedantic-ms-format from LLVM MinGW
    [#971]  Address Cppcheck warnings
    [#969] #970  Mass-migrate links from http:// to https://
    [#947] #958 ..
    [#974] #975  Document changes since the previous release
    [#974] #975  Version info bumped from 11:0:10 (libexpat*.so.1.10.0)
    to 11:1:10 (libexpat*.so.1.10.1); see https://verbump.de/
    for what these numbers do

- no source changes, just adding jira reference: jsc#SLE-21253

- version update to 2.6.4
  * Security fixes: [bsc#1232601]
    [#915]  CVE-2024-50602 -- Fix crash within function XML_ResumeParser
    from a NULL pointer dereference by disallowing function
    XML_StopParser to (stop or) suspend an unstarted parser.
    A new error code XML_ERROR_NOT_STARTED was introduced to
    properly communicate this situation.  // CWE-476 CWE-754
  * Other changes:
    [#903]  CMake: Add alias target "expat::expat"
    [#905]  docs: Document use via CMake >=3.18 with FetchContent
    and SOURCE_SUBDIR and its consequences
    [#902]  tests: Reduce use of global parser instance
    [#904]  tests: Resolve duplicate handler
  [#317] #918  tests: Improve tests on doctype closing (ex CVE-2019-15903)
    [#914]  Fix signedness of format strings
  [#919] #920  Version info bumped from 10:3:9 (libexpat*.so.1.9.3)
    to 11:0:10 (libexpat*.so.1.10.0); see https://verbump.de/
    for what these numbers do

- updated keyring [https://build.suse.de/request/show/345282]
- modified sources
  % expat.keyring

- Update to 2.6.3:
  * Security fixes:
  - CVE-2024-45490, bsc#1229930 -- Calling function XML_ParseBuffer with
    len < 0 without noticing and then calling XML_GetBuffer
    will have XML_ParseBuffer fail to recognize the problem
    and XML_GetBuffer corrupt memory.
    With the fix, XML_ParseBuffer now complains with error
    XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse
    has been doing since Expat 2.2.1, and now documented.
    Impact is denial of service to potentially artitrary code
    execution.
  - CVE-2024-45491, bsc#1229931 -- Internal function dtdCopy can have an
    integer overflow for nDefaultAtts on 32-bit platforms
    (where UINT_MAX equals SIZE_MAX).
    Impact is denial of service to potentially artitrary code
    execution.
  - CVE-2024-45492, bsc#1229932 -- Internal function nextScaffoldPart can
    have an integer overflow for m_groupSize on 32-bit
    platforms (where UINT_MAX equals SIZE_MAX).
    Impact is denial of service to potentially artitrary code
    execution.
  * Other changes:
  - Autotools: Sync CMake templates with CMake 3.28
  - Autotools: Always provide path to find(1) for portability
  - Autotools: Ensure that the m4 directory always exists.
  - Autotools: Simplify handling of SIZEOF_VOID_P
  - Autotools: Support non-GNU sed
  - Autotools|CMake: Fix main() to main(void)
  - Autotools|CMake: Fix compile tests for HAVE_SYSCALL_GETRANDOM
  - Autotools|CMake: Stop requiring dos2unix
  - CMake: Fix check for symbols size_t and off_t
  - docs|tests: Convert README to Markdown and update
  - Windows: Drop support for Visual Studio <=15.0/2017
  - Drop needless XML_DTD guards around is_param access
  - Fix typo in a code comment
  - Version info bumped from 10:2:9 (libexpat*.so.1.9.2)
    to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/
    for what these numbers do

- update to 2.6.2:
  * CVE-2024-28757 -- Prevent billion laughs attacks with isolated
    use of external parsers (boo#1221289)
  * Reject direct parameter entity recursion and avoid the related
    undefined behavior

- update to 2.6.1:
  * Expose billion laughs API with XML_DTD defined and XML_GE
    undefined, regression from 2.6.0
  * Make tests independent of CPU speed, and thus more robust
- drop libxml2-fix-xmlwf.1-handling.patch, upstream

- Fix handling of xmlwf.1 to avoid workarounds in specfile:
  * Added libxml2-fix-xmlwf.1-handling.patch
- Call buildconf.sh to avoid (future) issues with expat_config.h.in