Backport patch for gitlab issue mentioned in NVD CVE report.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/583
Backport also one of 14 patches for older issue with similar errors
to have clean cherry-pick without patch fuzz.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/344
The CVE is disputed because the maintainer does not think that
errors after memory allocation failures are not critical enough
to warrant a CVE ID.
This patch will formally fix reported error case, trying to backport
another 13 patches and resolve conflicts would be probably overkill
due to disputed state.
This CVE was ignored on master branch (as diputed).
(From OE-Core rev: 03b766e42beb42a2085285308acbcf941f346b06)
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
* but it still won't work well on hosts without libxml2, make
sure to use pre-generated testapi.c in do_compile_ptest
* this is reproducible with SOURCE_DATE_EPOCH set to 0 which
e.g. meta-updater still sets by default for DISTROs which
use it :(, see https://github.com/uptane/meta-updater/pull/35
(From OE-Core rev: 2f78dbcb300e7deae6cf39263e874ee8776d7a7b)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The fix for the CVE in 2.9.13 caused a regression which
was addressed after 2.9.13. We import that patch here.
(From OE-Core rev: 906ffe5bf83c0e587299aaedb9382ce04c3c7acf)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When the ping test fails due to a timeout we only get limited debug
information. Tweak the code to improve that in case it sheds any light
on intermittent failures.
(From OE-Core rev: df98e96c7a1601798caf7f4882b09406a4fdacd6)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d81704057950e1970ef7f673fa771834fd2b3f1e)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The project has migrated from www.xmlsoft.org to gitlab.gnome.org.
Update the homepage accordingly, and use gnomebase to construct the
download URL, rather than including it in SRC_URI explicitly.
Note that the download is now in .xz format rather than .gz, so the
sha256sum is updated accordingly. Post-decompression tarballs are
identical, so there is no change to the libxml2 code.
(From OE-Core rev: 38681a213a3b5f57b37257f7d96c4e970032ffe4)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8bc17ceb997f8f31a03e5f5efc41c03ef1df3add)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We're seeing pthread being linked sometimes and not others leading to
non-reproducible target binaries. The reason is mixing the native python
config with the target one. We should use the target one.
(From OE-Core rev: e570efa43d5655afa041bd4ab52fec2de2216e4d)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1bc5378db760963e2ad46542f2907dd6a592eb66)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
A flaw was found in libxml2. Exponential entity expansion attack
is possible bypassing all existing protection mechanisms and leading
to denial of service.
https://nvd.nist.gov/vuln/detail/CVE-2021-3541
CVE: 2021-3541
(From OE-Core rev: 1699293a7011797895c284d6ad664c66badba426)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
Upstream-Status: Backport [from fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=1954243]
(From OE-Core rev: ef2a81a473e7c36a36facb209ca907a7439d36f2)
Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Before, running ptests on core-image-minimal would result in
an error due to missing /bin/bash:
[ -d test ] || ln -s ../libxml2-2.9.10/test .
make: /bin/bash: No such file or directory
make: *** [Makefile:2105: runtests] Error 127
Changing the Makefile to use /bin/sh results in some of the
tests failing, so I have added the missing dependancy on bash.
(From OE-Core rev: bc1d05429da1101d910b4ccf3de5407ddfbedc92)
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d2e81298c446aec8d7fcf61fd5023ac30350f205)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
