The Apache Haus Forum

Forum Topics => Apache 2.4 => Topic started by: Jan-E on October 07, 2017, 04:01:07 AM

Title: Building Expat 2.2.4 for VC9/VC11
Post by: Jan-E on October 07, 2017, 04:01:07 AM
In the release notes you stated:
Quote
Expat went C99 coding style in one file and doesn't build on VC versions below 12 which is why the difference. That said, Expat version 2.2.3 was a security release fixing CVE-2017-11742 DLL hijacking vulnerability in Windows and 2.2.4 just has one other minor bug fix.

I tried to build Expat 2.2.4 for lower VC-versions and it looks like I succeeded. The libexpat devs are using Appveyor to build a shared expat.lib + expat.dll for VC's as low as VC10. I changed their Appveyor.yml a bit:
The results can be found at https://ci.appveyor.com/project/Jan-E/libexpat/build/libexpat-29

The expat.lib and the project files can be downloaded as artifact. For instance, the VC11 x64 lib is here:
https://ci.appveyor.com/project/Jan-E/libexpat/build/libexpat-29/job/l1iv9ke0ohnexeml/artifacts

The only thing I could not achieve with Appveyor is a v2.2.4 VC9 x64 build. But using the same commands, I did that locally and added the project files and the expat.lib to my repo. The expat.lib is here:
https://github.com/Jan-E/libexpat/tree/master/expat/Release

I did not test the resulting libs with Apache 2.4.28 yet, but the first steps are promising.

Title: Re: Building Expat 2.2.4 for VC9/VC11
Post by: Gregg on October 07, 2017, 10:35:09 PM
The problems will be fixed in 2.2.5 with commits e0b290eb (https://github.com/libexpat/libexpat/commit/e0b290eb3d8f4c4b45137a7d7f4f8db812145bd2#diff-149f07af3600b7f3eb6049f137e8dadc) and b4b89c2 (https://github.com/libexpat/libexpat/commit/b4b89c2ab0cc5325a41360c25ef9d2ccbe617e5c#diff-149f07af3600b7f3eb6049f137e8dadc)

I have run into b4b89c2 and others on many 3rd-party modules, so my VC versions less than 12 have custom headers in VC's include folder for stdbool, stdint, etc., depending on what's missing per VC version.

That said, APR-util compiles in the static library, so CVE-2017-11742 doesn't really exist for us, I don't think.