Pick commit from 2.13 branch as 2.9 branch is unmaintained now.
(From OE-Core rev: 7777cd6b28988a0981b990d9da9d448dcdfe7b8b)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit from 2.12 branch as 2.9 branch is unmaintained now.
(From OE-Core rev: fbd708438aba0381a6c4f3d6cfbbd743f89a4f97)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This vulnerability now has a CVE assigned.
(From OE-Core rev: 204ff9dd9c62a8a346e89880b2e15a4c0e9ad6e0)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Pick commit from 2.12 branch.
(From OE-Core rev: ab804cd27ecf7ee65a9feea477140502ecbc0d73)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Backport patch for gitlab issue mentioned in NVD CVE report.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/583
Backport also one of 14 patches for an older issue with similar errors
to have a clean cherry-pick without patch fuzz.
* https://gitlab.gnome.org/GNOME/libxml2/-/issues/344
The CVE is disputed because the maintainer does not think that
errors after memory allocation failures are critical enough
to warrant a CVE ID.
This patch will formally fix the reported error case; trying to backport
another 13 patches and resolve conflicts would probably be overkill
due to the disputed state.
This CVE was ignored on the master branch (as disputed).
(From OE-Core rev: d29a89412b37995857269d617e16ada116f14270)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Xmlsoft Libxml2 v2.11.0 was discovered to contain a global buffer overflow via
the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability
allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML
file.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-39615
(From OE-Core rev: 9a2ad95caffae37014fa27d9b20d45f9779d0fbf)
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
* switch from tar.gz to tar, because the tar.gz archives upstream are regular tar as well now
https://www.w3.org/XML/Test/ still has 3 separate URLs for .zip, .tar
and .tar.gz, but both tar links return the same file:
xmlts20080827.tar: POSIX tar archive (GNU)
xmlts20080827.tar.gz: POSIX tar archive (GNU)
-rw-r--r-- 1 martin martin 5.7M Sep 1 2008 xmlts20080827.tar
-rw-r--r-- 1 martin martin 5.7M Sep 1 2008 xmlts20080827.tar.gz
9b2c865aba66c6429ca301a7ef048d7eca2cdb7a9106184416710853c7b37d0d xmlts20080827.tar
9b2c865aba66c6429ca301a7ef048d7eca2cdb7a9106184416710853c7b37d0d xmlts20080827.tar.gz
96151685cec997e1f9f3387e3626d61e6284d4d6e66e0e440c209286c03e9cc7 /OE/build/downloads/xmlts20080827.tar.gz
(From OE-Core rev: 55f37f90dc2039fda085c66bb8c6095374b2947f)
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
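The mismatch described in the commit above (a file served under a .tar.gz name that is really an uncompressed tar, so the pinned sha256 no longer matches) can be caught before a checksum failure by classifying the fetched bytes by their magic rather than by their extension. The following is an added example, not code from the OE-Core commit or from the libxml2 project; the archive it builds is a constructed stand-in for the xmlconf tarball, and the file names and checksums it uses are its own, not the values quoted in the commit.

```python
import gzip
import hashlib
import io
import tarfile

# Magic bytes used to classify a fetched archive independently of its name.
GZIP_MAGIC = b"\x1f\x8b"          # first two bytes of any gzip member
TAR_MAGIC_OFFSET = 257            # offset of the "ustar" magic in a tar header
TAR_MAGIC = b"ustar"


def sniff_archive(data: bytes) -> str:
    """Return 'gzip', 'tar' or 'unknown' based on content, not file name."""
    if data[:2] == GZIP_MAGIC:
        return "gzip"
    if data[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + len(TAR_MAGIC)] == TAR_MAGIC:
        return "tar"
    return "unknown"


def extension_matches(filename: str, data: bytes) -> bool:
    """True when the archive's real format agrees with its extension.

    A plain tar served under a .tar.gz name (the case in the commit) fails here.
    """
    kind = sniff_archive(data)
    if filename.endswith((".tar.gz", ".tgz")):
        return kind == "gzip"
    if filename.endswith(".tar"):
        return kind == "tar"
    return False


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, expected_sha256: str) -> bool:
    """Compare the fetched bytes against the checksum a recipe pins."""
    return sha256_hex(data) == expected_sha256.lower()


def gzip_bytes(data: bytes) -> bytes:
    # mtime=0 keeps the compressed output deterministic across runs.
    return gzip.compress(data, mtime=0)


def build_sample_tar() -> bytes:
    """Constructed stand-in for the xmlconf test-suite tarball (not the real file)."""
    payload = b"<doc/>\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("xmlconf/sample.xml")  # constructed member name
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    plain = build_sample_tar()
    cases = (
        ("sample.tar", plain),                 # name and content agree
        ("sample.tar.gz", plain),              # what upstream served: plain tar
        ("sample.tar.gz", gzip_bytes(plain)),  # a genuine gzip'd tar
    )
    for name, blob in cases:
        print(f"{name:15} {sniff_archive(blob):7} "
              f"ext-ok={extension_matches(name, blob)} "
              f"sha256={sha256_hex(blob)[:16]}...")
```

The two checks are deliberately separate: `extension_matches` explains *why* a fetch failed (wrong container format), while `verify_checksum` is the one that should gate the build, since an identical-content tarball with a different wrapper still hashes differently, exactly as the two sha256 lines in the commit show.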
* but it still won't work well on hosts without libxml2, make
sure to use pre-generated testapi.c in do_compile_ptest
* this is reproducible with SOURCE_DATE_EPOCH set to 0 which
e.g. meta-updater still sets by default for DISTROs which
use it :(, see https://github.com/uptane/meta-updater/pull/35
(From OE-Core rev: 8bf4356b1dbaf68f0e6bba3440c9fcf59a525063)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 178cea1593dc6e9a7eb74842615356d90d79f78f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Security
[CVE-2022-29824] Integer overflow in xmlBuf and xmlBuffer
Fix potential double-free in xmlXPtrStringRangeFunction
Fix memory leak in xmlFindCharEncodingHandler
Normalize XPath strings in-place
Prevent integer-overflow in htmlSkipBlankChars() and xmlSkipBlankChars() (David Kilzer)
Fix leak of xmlElementContent (David Kilzer)
Bug fixes
Fix parsing of subtracted regex character classes
Fix recursion check in xinclude.c
Reset last error in xmlCleanupGlobals
Fix certain combinations of regex range quantifiers
Fix range quantifier on subregex
Improvements
Fix recovery from invalid HTML start tags
Build system, portability
Define LFS macros before including system headers
Initialize XPath floating-point globals
configure: check for icu DEFS (James Hilliard)
configure.ac: produce tar.xz only (GNOME policy) (David Seifert)
CMakeLists.txt: Fix LIBXML_VERSION_NUMBER
Fix build with older Python versions
Fix --without-valid build
(From OE-Core rev: 393b81058f3b970eb906a7f9daa842d8a0747700)
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c4ba21f4012e8859fc793bec7df76e56eb8058ec)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The fix for the CVE in 2.9.13 caused a regression which
was addressed after 2.9.13. We import that patch here.
(From OE-Core rev: f7fd194feb4f7993518388160acd5199fcfc3b26)
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- new version includes fix for CVE-2022-23308
- drop patch which was upstream
- refresh patch
(From OE-Core rev: d687f1ac2017a1cc94ac4733cd46755d5aabd120)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The project has migrated from www.xmlsoft.org to gitlab.gnome.org.
Update the homepage accordingly, and use gnomebase to construct the
download URL, rather than including it in SRC_URI explicitly.
Note that the download is now in .xz format rather than .gz, so the
sha256sum is updated accordingly. Post-decompression tarballs are
identical, so there is no change to the libxml2 code.
(From OE-Core rev: 8bc17ceb997f8f31a03e5f5efc41c03ef1df3add)
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We're seeing pthread being linked sometimes and not others leading to
non-reproducible target binaries. The reason is mixing the native python
config with the target one. We should use the target one.
(From OE-Core rev: 1bc5378db760963e2ad46542f2907dd6a592eb66)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since oe-core 543e39ad "bitbake.conf: handle cmake -dev files packaging
with default rules" (June 2018) there's no need for recipes to add
${libdir}/cmake or ${datadir}/cmake to FILES_${PN}-dev themselves.
(From OE-Core rev: e6f62b8e639a79626d95568c070a410c24bce25e)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop CVE patches which are fixed by the new upstream version.
Modify conflicting patches to apply to the new versions:
libxml2/libxml-m4-use-pkgconfig.patch
libxml2/0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch
Drop fix-python39, which is merged upstream.
Removed hunk for tstLastError.py from
libxml2/0001-Make-ptest-run-the-python-tests-if-python-is-enabled.patch
since it has been fixed upstream by:
8c3e52e: Updated python/tests/tstLastError.py
libxml2.registerErrorHandler(None,None):
None is not acceptable as first argument
failUnlessEqual replaced by assertEqual
The checksums for the licence file changed because a typo was fixed
across the files. The licence remains the same.
The obsolete MD5 checksums for the tar files have been dropped in
favor of SHA256.
The new release also adds fuzz tests, which are removed from the
makefile to allow the ptests to run. Fuzz testing is done upstream
and there is no need to run them as part of ptests which are
intended for functionality testing.
(From OE-Core rev: c7c429d05ca51b0404f09981f6c9bcad7dc33222)
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Before, running ptests on core-image-minimal would result in
an error due to missing /bin/bash:
[ -d test ] || ln -s ../libxml2-2.9.10/test .
make: /bin/bash: No such file or directory
make: *** [Makefile:2105: runtests] Error 127
Changing the Makefile to use /bin/sh results in some of the
tests failing, so I have added the missing dependency on bash.
(From OE-Core rev: d2e81298c446aec8d7fcf61fd5023ac30350f205)
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Reformatted runtest.patch to allow it to be applied using git am.
This makes it easier to apply the series of patches to the original git repo.
There are no changes to the code of the patch other than the reformat.
Previously, the patch claimed to be a backport, but I have not found an
upstream commit so I've changed the Upstream-Status to pending.
(From OE-Core rev: 0361d625e1573e846a2f03ed90a8b897bc405160)
Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
GNOME project libxml2 v2.9.10 and earlier have a global Buffer Overflow
vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has
been fixed in commit 8e7c20a1 (20910-GITv2.9.10-103-g8e7c20a1).
Reference:
https://gitlab.gnome.org/GNOME/libxml2/-/issues/178
Upstream patch:
50f06b3efb
(From OE-Core rev: 92dc02b8f03f3586de0a2ec1463b189a3918e303)
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Besides checking DISTRO_FEATURES for required or conflicting features,
being able to check MACHINE_FEATURES and/or COMBINED_FEATURES may also
be useful at times.
Temporarily support the old class name with a warning about future
deprecation.
(From OE-Core rev: 5f4875b950ce199e91f99c8e945a0c709166dc14)
Signed-off-by: Denys Dmytriyenko <denys@ti.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
After eglibc was merged into glibc, Kconfig support was also dropped, so
these libc features are no longer effective and can be removed.
(From OE-Core rev: c62b1cc06613a4cdddf53290e6203559f43fc62d)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
PACKAGE_NO_GCONV is set in libc-package.bbclass if not all of
'libc-charsets libc-locale-code libc-locales' are included in
DISTRO_FEATURES. Then no glibc-gconv-*, glibc-charmap-* and
glibc-localedata-* packages are created. Update recipes and the conf file which depend
on these packages to check the required distro features.
(From OE-Core rev: 58446992de0f16a345f1f55b66d0d34d31dc341b)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fetch the test tar ball to a subdirectory in ${S}. This avoids the
following error after having done `devtool modify libxml2`:
| DEBUG: Executing shell function do_configure
| find: ‘.../build/tmp/work/mips32r2el-nf-poky-linux/libxml2/2.9.4-r0/xmlconf/’: No such file or directory
(From OE-Core rev: d0d55add6cb01252a46d829ade75666920b676fa)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The patch associated with the CVE-2017-8872 report was never merged into
libxml2, but a slightly different patch for the same problem was. Cherry-pick
that as a backport, which also fixes the failing test suite.
(From OE-Core rev: 512869aea6dde1bb2374601f7c4d793ac9edaa42)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix nullptr deref with XPath logic ops
If the XPath stack is corrupted, for example by a misbehaving extension
function, the "and" and "or" XPath operators could dereference NULL
pointers. Check that the XPath stack isn't empty and optimize the
logic operators slightly.
CVE: CVE-2018-14404
(From OE-Core rev: 69315177732a1d260a3315fe8c4c4c44653ae0c8)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
For the core-image-minimal image, missing these two dependencies
will cause the warning and error below:
warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
./test/icu_parse_test.xml generated an error
(From OE-Core rev: 848031cf0b89b752c6fedcb63fc6938642a87fd8)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>