Includes a fix for a regression from the fix for CVE-2024-8176.
License-Update: Copyright years change only
(From OE-Core rev: 10b8ac71d5f3cfe4a36a5ad260ac4ec77459268f)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Includes a fix for CVE-2024-28757.
(From OE-Core rev: e3d26fe076499c8a01e02c9951696c3a9ea05fa3)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ChangeLog:
(https://github.com/libexpat/libexpat/blob/R_2_6_1/expat/Changes)
Bug fixes:
#817 Make tests independent of CPU speed, and thus more robust
#828#836 Expose billion laughs API with XML_DTD defined and
XML_GE undefined, regression from 2.6.0
Other changes:
#829 Hide test-only code behind new internal macro
#833 Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P
#819 Address compiler warnings
#832#834 Version info bumped from 10:0:9 (libexpat*.so.1.9.0)
to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/
for what these numbers do
Infrastructure:
#818 CI: Adapt to breaking changes in clang-format
(From OE-Core rev: 1808a9e60d587c705218a3328716cd24a5228dc6)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
License change is due to copyright year changes only.
Changelog:
=========
Security fixes:
#629#640 CVE-2022-40674 -- Heap use-after-free vulnerability in
function doContent. Expected impact is denial of service
or potentially arbitrary code execution.
Bug fixes:
#634 MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0
#614 docs: Fix documentation on effect of switch XML_DTD on
symbol visibility in doc/reference.html
Other changes:
#638 MinGW: Make fix-xmltest-log.sh drop more Wine bug output
#596#625 Autotools: Sync CMake templates with CMake 3.22
#608 CMake: Migrate from use of CMAKE_*_POSTFIX to
dedicated variables EXPAT_*_POSTFIX to stop affecting
other projects
#597#599 Windows|CMake: Add missing -DXML_STATIC to test runners
and fuzzers
#512#621 Windows|CMake: Render .def file from a template to fix
linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
#611#621 MinGW|CMake: Apply MSVC .def file when linking
#622#624 MinGW|CMake: Sync library name with GNU Autotools,
i.e. produce libexpat-1.dll rather than libexpat.dll
by default. Filename libexpat.dll.a is unaffected.
#632 MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in
toolchain file "cmake/mingw-toolchain.cmake" to avoid
error "windres: Command not found" on e.g. Ubuntu 20.04
#597#627 CMake: Unify inconsistent use of set() and option() in
context of public build time options to take need for
set(.. FORCE) in projects using Expat by means of
add_subdirectory(..) off Expat's users' shoulders
#626#641 Stop exporting API symbols when building a static library
#644 Resolve use of deprecated "fgrep" by "grep -F"
#620 CMake: Make documentation on variables a bit more consistent
#636 CMake: Drop leading whitespace from a #cmakedefine line in
file expat_config.h.cmake
#594 xmlwf: Fix harmless variable mix-up in function nsattcmp
#592#593#610 Address Cppcheck warnings
#643 Address Clang 15 compiler warnings
#642#644 Version info bumped from 9:8:8 to 9:9:8;
see https://verbump.de/ for what these numbers do
Infrastructure:
#597#598 CI: Windows: Start covering MSVC 2022
#619 CI: macOS: Migrate off deprecated macOS 10.15
#632 CI: Linux: Make migration off deprecated Ubuntu 18.04 work
#643 CI: Upgrade Clang from 14 to 15
#637 apply-clang-format.sh: Add support for BSD find
#633 coverage.sh: Exclude MinGW headers
#635 coverage.sh: Fix name collision for -funsigned-char
Special thanks to:
David Faure
Felix Wilhelm
Frank Bergmann
Rhodri James
Rosen Penev
Thijs Schreijer
Vincent Torri
and
Google Project Zero
(From OE-Core rev: 93c3f0e8dca180fd2dddf88bd0cfd68c0a70ec4c)
Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
=========
Other changes:
#587 pkg-config: Move "-lm" to section "Libs.private"
#587 CMake|MSVC: Fix pkg-config section "Libs"
#55#582 CMake|macOS: Start using linker arguments
"-compatibility_version <version>" and
"-current_version <version>" in a way compatible with
GNU Libtool
#590#591 Version info bumped from 9:7:8 to 9:8:8;
see https://verbump.de/ for what these numbers do
Infrastructure:
#589 CI: Upgrade Clang from 13 to 14
Special thanks to:
evpobr
Kai Pastor
Sam James
(From OE-Core rev: 9c98d47dd5415c3b9428cc85e0a8daed14f2a91f)
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is a security fix release containing fixes for CVE-2022-25235, CVE-2022-25236,
CVE-2022-25313, CVE-2022-25314 and CVE-2022-25315.
(From OE-Core rev: b71344dacb71cfc452b335a6f2fb9cb74e2e1ff8)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upstream mentioned our ptest-runner could likely be simplified. I had a
look at the output and yes, most of the code in the runner is now obsolete
as upstream output is compatible with what we need. Simplify accordingly.
(From OE-Core rev: 9a9f0a4a062a3c2adf2ac75b4fcdedbb7168335b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This patch is old. We use cmake for building expat now and libtool isn't even
used. The upstream author asked questions about it and can clearly be dropped
so do so.
(From OE-Core rev: 2988a10ac4767ef8db21715124dda6f294448d2a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upstream pointed out we were using an old url for HOMEPAGE. Update it to the
current url.
(From OE-Core rev: f3a7e2ba247efe72154c263d1d680aaf3da5b609)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changelog:
=========
#509#510 Link againgst libm for function "isnan"
#513#514 Include expat_config.h as early as possible
#498 Autotools: Include files with release archives:
- buildconf.sh
- fuzz/*.c
#507#519 Autotools: Sync CMake templates
#495#524 CMake: MinGW: Fix pkg-config section "Libs" for
- non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug)
- multi-config CMake generators (e.g. Ninja Multi-Config)
#502#503 docs: Document that function XML_GetBuffer may return NULL
when asking for a buffer of 0 (zero) bytes size
#522#523 docs: Fix return value docs for both
XML_SetBillionLaughsAttackProtection* functions
#525#526 Version info bumped from 9:1:8 to 9:2:8;
see https://verbump.de/ for what these numbers do
(From OE-Core rev: 98a87bcfa50fc46ea86a085d330f5cbc41ddaaa5)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
sometimes we can find release tarballs from sourceforge are not fully
distributed along all download mirrors leading to fetching faiilures,
depending on what download mirror will be chosen by sourceforge
servers.
As the project moved to github anyway, it's better to pull the tarballs
directly from github releases - serving the very same static artifacts.
Add an override UPSTREAM_CHECK_URI to enable devtool upgrade checks
(From OE-Core rev: 9b5b797b0e9e6f2cb3e29be92c4f9b763c4a41e9)
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upstream database uses both "expat" and "libexpat" to report CVEs
(From OE-Core rev: 706bdcaec5fd7c59d7877bbefa5ed4ce5b4f3da1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Includes lot of security fixes, especially CVE-2013-0340/CWE-776.
(From OE-Core rev: 31142d9ddce396a6b490f974e952e7f056e2b192)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop 0001-Add-output-of-tests-result.patch
(difficult to rebase). I have verified that ptests
still pass, and print PASS for every test. If they
start failing we can revisit what kind of output would
be beneficial.
(From OE-Core rev: ef1a76f9c130e7efaecae15ccb1d48a03fa17b9b)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
For ptest support of expat package:
- expat_2.2.9.bb recipe was switched on cmake-based building system to
avoid cahnges in autotools build system which considered in upstream as
potentially deprecated (https://github.com/libexpat/libexpat/issues/330).
- cmake-native_3.17.3.bb recipe was forced to use bundled version of
expat from CMake source tree. Therefore expat-native package has been removed
from DEPENDS variable for cmake-native recipe. Without
these changes, next dependency loop appears:
Dependency loop #1 found:
Task /home/opopovych/repos/poky/meta/recipes-devtools/cmake/cmake-native_3.17.3.bb:do_compile (dependent Tasks ['cmake-native_3.17.3.bb:do_configure'])
Task /home/opopovych/repos/poky/meta/recipes-devtools/cmake/cmake-native_3.17.3.bb:do_install (dependent Tasks ['cmake-native_3.17.3.bb:do_compile'])
Task /home/opopovych/repos/poky/meta/recipes-devtools/cmake/cmake-native_3.17.3.bb:do_populate_sysroot (dependent Tasks ['cmake-native_3.17.3.bb:do_install'])
Task virtual:native:/home/opopovych/repos/poky/meta/recipes-core/expat/expat_2.2.9.bb:do_prepare_recipe_sysroot (dependent Tasks ['cmake-native_3.17.3.bb:do_populate_sysroot', 'ninja_1.10.0.bb:do_populate_sysroot', 'expat_2.2.9.bb:do_fetch'])
Task virtual:native:/home/opopovych/repos/poky/meta/recipes-core/expat/expat_2.2.9.bb:do_configure (dependent Tasks ['expat_2.2.9.bb:do_patch', 'expat_2.2.9.bb:do_prepare_recipe_sysroot', 'expat_2.2.9.bb:do_generate_toolchain_file', 'expat_2.2.9.bb:do_deploy_source_date_epoch'])
Task virtual:native:/home/opopovych/repos/poky/meta/recipes-core/expat/expat_2.2.9.bb:do_compile (dependent Tasks ['expat_2.2.9.bb:do_configure'])
Task virtual:native:/home/opopovych/repos/poky/meta/recipes-core/expat/expat_2.2.9.bb:do_install (dependent Tasks ['expat_2.2.9.bb:do_compile'])
Task virtual:native:/home/opopovych/repos/poky/meta/recipes-core/expat/expat_2.2.9.bb:do_populate_sysroot (dependent Tasks ['expat_2.2.9.bb:do_install'])
Task /home/opopovych/repos/poky/meta/recipes-devtools/cmake/cmake-native_3.17.3.bb:do_prepare_recipe_sysroot (dependent Tasks ['expat_2.2.9.bb:do_populate_sysroot', 'xz_5.2.5.bb:do_populate_sysroot', 'bzip2_1.0.8.bb:do_populate_sysroot', 'ncurses_6.2.bb:do_populate_sysroot', 'zlib_1.2.11.bb:do_populate_sysroot', 'cmake-native_3.17.3.bb:do_fetch', 'curl_7.71.1.bb:do_populate_sysroot'])
Task /home/opopovych/repos/poky/meta/recipes-devtools/cmake/cmake-native_3.17.3.bb:do_configure (dependent Tasks ['cmake-native_3.17.3.bb:do_deploy_source_date_epoch', 'cmake-native_3.17.3.bb:do_patch', 'cmake-native_3.17.3.bb:do_prepare_recipe_sysroot'])
- run-ptest script that initalizes testing, copies testing
executables' output to log file and measures execution time of each testing
executable was added.
- patch that implements output of each testcase result in testing exectutable
was added.
(From OE-Core rev: 3adba877e1b5e5f69a6d1501611624e2d3789a9b)
Signed-off-by: Oleksandr Popovych <oleksandr.s.popovych@globallogic.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We have a problem when for example, a glibc 2.27 based system builds some
library like libpopt-native and puts it into sstate then it is reused
on a pre glibc-2.27 system to build something which depends on popt like
rpm-native. This results in an error like:
recipe-sysroot-native/usr/lib/libpopt.so: undefined reference to `glob@GLIBC_2.27'
In the past we've had this problem with new symbols like getrandom and
getentropy, here its with a more complex symbol where there is an old
version and a newer version.
We've looked into various options, basically we cannot link against our
uninative libc/ld.so since we don't have the right headers or compiler
link libraries. The compiler doesn't allow you to switch in a new set
either, even if we did want to ship them. Shipping a complete compiler,
dev headers and libs also isn't an option.
On the other hand if we follow the ld man page, it does say:
"""
The reasons for allowing undefined symbol references in shared libraries
specified at link time are that:
- A shared library specified at link time may not be the same as the one
that is available at load time, so the symbol might actually be
resolvable at load time.
"""
which is exactly this case. By the time the binary runs, it will use
our uninative loader and libc and the symbol will be available.
Therefore we basically have a choice, we get weird intermittent bugs,
we drop uninative entirely, or we pass this option.
If we pass the option, we can drop the other workarounds too.
(From OE-Core rev: 75a62ede393bf6b4972390ef5290d50add19341a)
(From OE-Core rev: d18bf7fa8e80d6cfaf3fdbe1ab06eec84b954432)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The patch tool will apply patches by default with "fuzz", which is where if the
hunk context isn't present but what is there is close enough, it will force the
patch in.
Whilst this is useful when there's just whitespace changes, when applied to
source it is possible for a patch applied with fuzz to produce broken code which
still compiles (see #10450). This is obviously bad.
We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For
that to be realistic the existing patches with fuzz need to be rebased and
reviewed.
(From OE-Core rev: c74da9f2a5bd5a42f6c5791aeb4cc45973369818)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Back in 2010 the expat 2.0.1 tarball wouldn't unpack correctly with old gzip
releases (prior to 1.4). The fix was to explicitly depend on gzip-native to use
our binary instead of the host[1].
We don't ship expat 2.0.1 anymore, and even Centos 7 ships gzip 1.5, so this
workaround can be removed.
[1] oe-core 0ff62b0462
(From OE-Core rev: adc3da99a50c3eb1a1625990e563b7d37f29e3ba)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
getrandom() is only available in glibc 2.25+ and uninative may relocate
binaries onto systems that don't have this function. For now, force
the code to the older codepath until we can come up with a better solution
for this kind of issue.
(From OE-Core rev: da9ac8092497c3f2c246d3534f47e42cb2d9e4e8)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
With recipe specific sysroots, the gzip-replacement-native dance/class
is obsolete, simplify the code accordingly.
(From OE-Core rev: 39865fdf3698a130f792d41853f9c9ca1901e335)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Remove a patch that is no longer needed.
License checksum changes because of a copyright year change.
(From OE-Core rev: 911510181ac933d5d1fc7d88890eb67d5d338acf)
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Remove backported CVE patch
* Update autotools patch
* Update SRC_URI to match current archive type
(From OE-Core rev: 8a5a90aa6a7f398803f432038d56cdfea1651aaa)
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Completes previous commit b5292d4115a4555a66b5e35acdc67dd71fb8577f.
Updates SUMMARY[doc] (meta/conf/documentation.conf).
Changes:
- rename DESCRIPTION with length < 80 to (non present tag) SUMMARY
- drop final point character at the end of SUMMARY string
- remove trailing whitespace of SUMMARY line
Note: don't bump PR
(From OE-Core rev: ad17dfd31a2b97b3e610a0ea0889f5ecb2a63b97)
Signed-off-by: Matthieu Crapet <Matthieu.Crapet@ingenico.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Remove all PR = "r0" from all .bb files in oe-core. This was done
with the command sed -e '/^PR.*=.*r0\"/d' recipes*/*/*.bb -i
We've switching to the PR server, PR bumps are no longer needed and
this saves people either accidentally bumping them or forgetting to
remove the lines (r0 is the default anyway).
(From OE-Core rev: 58ae94f1b06d0e6234413dbf9869bde85f154c85)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Due to the system providing a copy of gzip, we face some issues when we
'shadow' that copy with our own leading to a varient of race type bugs,
and issues for example if a dependency such as libz is missing but the
binary is still present. We usually rely on our dependency logic to protect
us from this but for gzip, we don't have this protection since its not listed
by all its users (and doing so would be impractical).
This patch installed pigz and gzip into their own directory which we only
add to PATH when we explictly want these binaries in much the same way we do
with perl-native. This means dependency logic is correct when we use the binary
and everything should work well.
The patch adds an explict dependency into image.bbclass since the accelerated
speed of compression is most appreciated at rootfs time.
(From OE-Core rev: 7a98c0ef28822ae1fcee45b14db3edcfd4c7ad8f)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* this isn't probably complete list.. just what failed here
(From OE-Core rev: f586aaa8d00361a9597a546d665077c75cf4d520)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add Upstream-Status tag to patches for the following recipes:
openssh
dbus-glib
expat
opensp
sgml-common
at
cpio (GPLv3 version)
libpam
icu
(From OE-Core rev: 0702602332ad63c2cfaa207516497bb0b75bfdf3)
Signed-off-by: Scott Garman <scott.a.garman@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
