https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6
Release notes
Security
[CVE-2025-24928] Fix stack-buffer-overflow in xmlSnprintfElements
[CVE-2024-56171] Fix use-after-free after xmlSchemaItemListAdd
pattern: Fix compilation of explicit child axis
Regressions
xmllint: Support compressed input from stdin
uri: Fix handling of Windows drive letters
reader: Fix return value of xmlTextReaderReadString again
SAX2: Fix xmlSAX2ResolveEntity if systemId is NULL
Portability
dict: Handle ENOSYS from getentropy gracefully
Fix compilation with uclibc (Dario Binacchi)
python: Declare init func with PyMODINIT_FUNC
tests: Fix sanitizer version check on old Apple clang
cmake: Work around broken sys/random.h in old macOS SDKs
Build
autotools: Set AC_CONFIG_AUX_DIR
cmake: Always build Python module as shared library
cmake: add missing Bcrypt link on Windows (Saleem Abdulrasool)
cmake: Fix compatibility in package version file
(From OE-Core rev: 86e16b1081fbe12b4f53fc72bfdff5240da7321a)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
License-Update: hash.c is rewritten and no longer carries a special copyright notice, but dict.c still does
(Copyright file updated to reflect that)
(From OE-Core rev: a14769d40bee751ac1dcd536789e8e346046e141)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Now that bitbake supports the use of inherit_defer, switch all conditional
(variable based) inherits to use this instead. This leads to more a more
deterministic user experience since there is no longer an immediate expansion
and later changes to the variables in question (e.g. a bbappend) are
accounted for.
This patch tries to ensure the behaviour before/after remains as unchanged
as it reasonably can, e.g. by always inherting populate_sdk_base. native
and nativesdk continue to need to be inherited last, hence being used
with inherit_defer in a handful of very specific cases.
(From OE-Core rev: 451363438d38bd4552d5bcec4a92332f5819a5d4)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The vast majority of gnome recipes uses meson. Set it as default
and override the few recipes that still use autotools.
This way we can remove a lot of lines in meta-oe and more important
it would not be needed to explicitly set GNOMEBASEBUILDCLASS = "meson" for newly
created gnome recipe anymore.
(From OE-Core rev: 8b061ea36f8b94b482c5867fe2ba7213288a5aa3)
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This CVE is a use-after-free which theoretically can be an exploit
vector, but this UAF only occurs when malloc() fails. As it's
unlikely that the user can orchestrate malloc() failures at just the
place to break on _this_ malloc and not others it is disputed that this
is actually a security issue.
The underlying bug has been fixed, and will be incorporated into the
next release.
(From OE-Core rev: b93dd888b861aa6df97cd78b70fa9f757cfcdf61)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
lld ends up with errors on some tests
| riscv64-yoe-linux-ld.lld: error: section size decrease is too large
Therefore do not use lld when building ptests
(From OE-Core rev: 154e81bb6b05b23c0c673b431cb7cee868421335)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
these tests do not work with musl's iconv implementation and would need
enabling icu support using --with-icu which we do not enable by default
Additionally enable locale with musl too.
(From OE-Core rev: 03980db15fa1de2f970705364c2316f17428a3aa)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* and switch from tar.gz to tar, because the tar.gz archives upstream are regular tar as well now
https://www.w3.org/XML/Test/ still has 3 separate URLs for .zip, .tar
and .tar.gz, but both tar links return the same file:
xmlts20130923.tar: POSIX tar archive (GNU)
xmlts20130923.tar.gz: POSIX tar archive (GNU)
xmlts20130923.zip: Zip archive data, at least v1.0 to extract, compression method=store
-rw-r--r-- 1 martin martin 5.7M Sep 23 2013 xmlts20130923.tar
-rw-r--r-- 1 martin martin 5.7M Sep 23 2013 xmlts20130923.tar.gz
-rw-r--r-- 1 martin martin 1.6M Sep 23 2013 xmlts20130923.zip
c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273 xmlts20130923.tar
c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273 xmlts20130923.tar.gz
f9510b3532926e1b4c2e54855b021e4b8a66ec98a5337dcf4ff07e8a41968deb xmlts20130923.zip
(From OE-Core rev: 0ee43418ce37e52f1886b85ff2c7d8cdff9f2039)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Change ptest away from using the upstream Makefiles to manually running
the tests: they're not actually integrated with automake anyway so this
didn't gain us anything apart from patches we can't send upstream. Drops
the following patches:
- 0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch
- 0001-Port-gentest.py-to-Python-3.patch
- fix-execution-of-ptests.patch
- remove-fuzz-from-ptests.patch
- runtest.patch
Add a simple patch to install the test binaries via the Makefile:
- install-tests.patch
The Python module is built differently and a number of patches no longer
apply and appear to be redundant, remove:
- python-sitepackages-dir.patch
libxml-m4-use-pkgconfig.patch has been sent upstream now, mark as
backport.
Remove obsolete --without-docbook option.
Remove obsolete xml2Conf.sh packaging.
(From OE-Core rev: ec5f380a14246e31b2a1a12dda9fe2178b1e5f83)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The KDE build uses custom catalogs by setting XML_CATALOG_FILES, so this
wrapper should not override that value if it has already been set.
[RP: Add vardepsexclude since bitbake stores the expanded version of the variable
name in the siginfo data which would expand to a full build path in the native
case]
(From OE-Core rev: a6be6d307fbe69248b4905214712d67bfddf6b92)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* but it still won't work well on hosts without libxml2, make
sure to use pre-generated testapi.c in do_compile_ptest
* this is reproducible with SOURCE_DATE_EPOCH set to 0 which
e.g. meta-updater still sets by default for DISTROs which
use it :(, see https://github.com/uptane/meta-updater/pull/35
(From OE-Core rev: 178cea1593dc6e9a7eb74842615356d90d79f78f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Install a wrapper around xmllint in native builds to set
XML_CATALOG_FILES to the correct location of the XML catalogues, so that
the callers of this script (like xmlto) don't need to do the same.
(From OE-Core rev: 8159b47e7ddddaca57ade2ecf24d8ff9a0abf26a)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The fix for the CVE in 2.9.13 caused a regression which
was addressed after 2.9.13. We import that patch here.
(From OE-Core rev: f7fd194feb4f7993518388160acd5199fcfc3b26)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- new version includes fix for CVE-2022-23308
- drop patche which was upstream
- refresh patch
(From OE-Core rev: d687f1ac2017a1cc94ac4733cd46755d5aabd120)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The project has migrated from www.xmlsoft.org to gitlab.gnome.org.
Update the homepage accordingly, and use gnomebase to construct the
download URL, rather than including it in SRC_URI explicitly.
Note that the download is now in .xz format rather than .gz, so the
sha256sum is updated accordingly. Post-decompression tarballs are
identical, so there is no change to the libxml2 code.
(From OE-Core rev: 8bc17ceb997f8f31a03e5f5efc41c03ef1df3add)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We're seeing pthread being linked sometimes and not others leading to
non-reproducible target binaries. The reason is mixing the native python
config with the target one. We should use the target one.
(From OE-Core rev: 1bc5378db760963e2ad46542f2907dd6a592eb66)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since oe-core 543e39ad "bitbake.conf: handle cmake -dev files packaging
with default rules" (June 2018) there's no need for recipes to add
${libdir}/cmake or ${datadir}/cmake to FILES_${PN}-dev themselves.
(From OE-Core rev: e6f62b8e639a79626d95568c070a410c24bce25e)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop CVE patches which are fixed by the new upstream version.
Modify conflicting patches to apply to the new versions:
libxml2/libxml-m4-use-pkgconfig.patch
libxml2/0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch
Drop fix-python39, which is merged upstream.
Removed hunk for tstLastError.py from
libxml2/0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch
since it has been fixed upstream by:
8c3e52e: Updated python/tests/tstLastError.py
libxml2.registerErrorHandler(None,None):
None is not acceptable as first argument
failUnlessEqual replaced by assertEqual
The checksums for the licence file changed because a typo was fixed
across the files. The licence remains the same.
The obsolete MD5 checksums for the tar files have been dropped in
favor of SHA256.
The new release also adds fuzz tests, which are removed from the
makefile to allow the ptests to run. Fuzz testing is done upstream
and there is no need to run them as part of ptests which are
intended for functionality testing.
(From OE-Core rev: c7c429d05ca51b0404f09981f6c9bcad7dc33222)
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Before, running ptests on core-image-minimal would result in
an error due to missing /bin/bash:
[ -d test ] || ln -s ../libxml2-2.9.10/test .
make: /bin/bash: No such file or directory
make: *** [Makefile:2105: runtests] Error 127
Changing the Makefile to use /bin/sh results in some of the
tests failing, so I have added the missing dependancy on bash.
(From OE-Core rev: d2e81298c446aec8d7fcf61fd5023ac30350f205)
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Reformatted runtest.patch to allow it to be applied using git am.
This makes it easier to apply the series of patches to the original git repo.
There are no changes to the code of the patch other than the reformat.
Previously, the patch claimed to be a backport, but I have not found an
upstream commit so I've changed the Upstream-Status to pending.
(From OE-Core rev: 0361d625e1573e846a2f03ed90a8b897bc405160)
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
GNOME project libxml2 v2.9.10 and earlier have a global Buffer Overflow
vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has
been fixed in commit 8e7c20a1 (20910-GITv2.9.10-103-g8e7c20a1).
Reference:
https://gitlab.gnome.org/GNOME/libxml2/-/issues/178
Upstream patch:
50f06b3efb
(From OE-Core rev: 92dc02b8f03f3586de0a2ec1463b189a3918e303)
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Besides checking DISTRO_FEATURES for required or conflicting features,
being able to check MACHINE_FEATURES and/or COMBINED_FEATURES may also
be useful at times.
Temporarily support the old class name with a warning about future
deprecation.
(From OE-Core rev: 5f4875b950ce199e91f99c8e945a0c709166dc14)
Signed-off-by: Denys Dmytriyenko <denys@ti.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
After eglibc was merged into glibc, Kconfig support was also dropped so
these libc features therefore are not effective anymore and can be
removed
(From OE-Core rev: c62b1cc06613a4cdddf53290e6203559f43fc62d)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
