GNOME project libxml2 v2.9.10 and earlier have a global Buffer Overflow
vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c. The issue has
been fixed in commit 8e7c20a1 (20910-GITv2.9.10-103-g8e7c20a1).
Reference:
https://gitlab.gnome.org/GNOME/libxml2/-/issues/178
Upstream patch:
50f06b3efb
(From OE-Core rev: 92dc02b8f03f3586de0a2ec1463b189a3918e303)
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Besides checking DISTRO_FEATURES for required or conflicting features,
being able to check MACHINE_FEATURES and/or COMBINED_FEATURES may also
be useful at times.
Temporarily support the old class name with a warning about future
deprecation.
(From OE-Core rev: 5f4875b950ce199e91f99c8e945a0c709166dc14)
Signed-off-by: Denys Dmytriyenko <denys@ti.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
After eglibc was merged into glibc, Kconfig support was also dropped so
these libc features therefore are not effective anymore and can be
removed
(From OE-Core rev: c62b1cc06613a4cdddf53290e6203559f43fc62d)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
PACKAGE_NO_GCONV is set in libc-package.bbclass if not all of
'libc-charsets libc-locale-code libc-locales' included in
DISTRO_FEATURES. And then no packages glibc-gconv-* glibc-charmap-* and
glibc-localedata-* is created. Update recipes and conf file which depend
on these packages to check required distro features.
(From OE-Core rev: 58446992de0f16a345f1f55b66d0d34d31dc341b)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fetch the test tar ball to a subdirectory in ${S}. This avoids the
following error after having done `devtool modify libxml2`:
| DEBUG: Executing shell function do_configure
| find: ‘.../build/tmp/work/mips32r2el-nf-poky-linux/libxml2/2.9.4-r0/xmlconf/’: No such file or directory
(From OE-Core rev: d0d55add6cb01252a46d829ade75666920b676fa)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The patch associated with the CVE-2017-8872 report was never merged into
libxml2, but a slightly different patch for the same problem was. Cherry-pick
that as a backport, which also fixes the failing test suite.
(From OE-Core rev: 512869aea6dde1bb2374601f7c4d793ac9edaa42)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix nullptr deref with XPath logic ops
If the XPath stack is corrupted, for example by a misbehaving extension
function, the "and" and "or" XPath operators could dereference NULL
pointers. Check that the XPath stack isn't empty and optimize the
logic operators slightly.
CVE: CVE-2018-14404
(From OE-Core rev: 69315177732a1d260a3315fe8c4c4c44653ae0c8)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
for core-image-minimal image, missing these two dependency
will cause below warning and error:
warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
./test/icu_parse_test.xml generated an error
(From OE-Core rev: 848031cf0b89b752c6fedcb63fc6938642a87fd8)
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The patch tool will apply patches by default with "fuzz", which is where if the
hunk context isn't present but what is there is close enough, it will force the
patch in.
Whilst this is useful when there's just whitespace changes, when applied to
source it is possible for a patch applied with fuzz to produce broken code which
still compiles (see #10450). This is obviously bad.
We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For
that to be realistic the existing patches with fuzz need to be rebased and
reviewed.
(From OE-Core rev: d71d6854fadc96fc3c75617af3beba02952fdef6)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Changes to Makefile in latest version mean when "make -k runtests" is executed,
it leads to errors like:
| make: *** No rule to make target 'runtest.c', needed by 'runtest.o'.
| make: *** No rule to make target 'SAX.c', needed by 'SAX.lo'.
| make: *** No rule to make target 'entities.c', needed by 'entities.lo'.
| make: *** No rule to make target 'encoding.c', needed by 'encoding.lo'.
Make sure that we don't try to check and compile the tests again on the target.
(From OE-Core rev: 5cf92ca436e1a1ba60fec8b30b6cb3cfd4842bc8)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
HTTP is more reliable in general so use it instead of FTP.
(From OE-Core rev: bdc71968923941b0720d34a5ce06d82ab2a63b4f)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We need to specify UTF-8 in the environment to avoid an error
such as:
UnicodeEncodeError: 'ascii' codec can't encode character '\xe4'
(From OE-Core rev: d7f1fe6c8419b8c59e601c56245373d094cae298)
Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix a variety of spelling and format mistakes to improve the ease of reading the
tags programatically.
(From OE-Core rev: 6e1aaf80b0d951b48cd25cb7161ec19448295094)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The new flag doesn't work and the change even broke the XML_PARSE_NONET option.
(From OE-Core rev: 8b586f60778579ee2c9adae429128a07e8437553)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix type confusion in xmlValidateOneNamespace
Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types
on namespace declarations make no practical sense anyway.
Fixes bug 780228
CVE: CVE-2017-0663
(From OE-Core rev: a965be7b6a1d730851b4a3bc8fd534b9b2334227)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix NULL pointer deref in xmlDumpElementContent
Can only be triggered in recovery mode.
Fixes bug 758422
CVE: CVE-2017-5969
(From OE-Core rev: 0cae039cbe513b7998e067f4f3958af2ec65ed1a)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix handling of parameter-entity references
There were two bugs where parameter-entity references could lead to an
unexpected change of the input buffer in xmlParseNameComplex and
xmlDictLookup being called with an invalid pointer.
Fixes bug 781205 and bug 781361
CVE: CVE-2017-9049 CVE-2017-9050
(From OE-Core rev: 2300762fef8fc8e3e56fb07fd4076c1deeba0a9b)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
xmlSnprintfElementContent failed to correctly check the available
buffer space in two locations.
Fixes bug 781333 and bug 781701
CVE: CVE-2017-9047 CVE-2017-9048
(From OE-Core rev: bb0af023e811907b4e641b39f654ca921ac8794a)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since we go through the trouble of copying the Python tests, we may as
well actually run them...
This also avoids the following QA issue:
ERROR: libxml2-2.9.4-r0 do_package_qa: QA Issue:
/usr/lib/libxml2/ptest/python/tests/push.py contained in package
libxml2-ptest requires /usr/bin/python, but no providers found in
RDEPENDS_libxml2-ptest? [file-rdeps]
(From OE-Core rev: 65bc9fac6dc6ba5252bf105659724c768d65f9d9)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The library libxml2 can provide its own bindings for python2 in addition
to the third party python-lxml and python3-lxml packages if this
functionality is enabled in PACKAGECONFIG.
But in case the functionality is disabled there's no need to depend
on python2.
Make the dependency on python2 enabled only if the python feature
is added to PACKAGECONFIG. Also add missing run-time dependency on make
to libxml2-ptest.
(From OE-Core rev: 3f1be2c3875fc112d9c67af16759091e007e5b99)
Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
With rss, moving these around was having an increasing overhead and we don't
need them in the native case so remove them.
(From OE-Core rev: 3b8dcd210a494baecead7dd1e568fb60ac93ed9b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
getVar() now defaults to expanding by default, thus remove the True
option from getVar() calls with a regex search and replace.
Search made with the following regex: getVar ?\(( ?[^,()]*), True\)
(From OE-Core rev: 7c552996597faaee2fbee185b250c0ee30ea3b5f)
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Namespace nodes must be copied to avoid use-after-free errors.
But they don't necessarily have a physical representation in a
document, so simply disallow them in XPointer ranges.
(From OE-Core rev: 00e928bd1c2aed9caeaf9e411743805d2139a023)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
xpath:
- Check for errors after evaluating first operand.
- Add sanity check for empty stack.
- Include comparation in changes from xmlXPathCmpNodesExt to xmlXPathCmpNodes
(From OE-Core rev: 96ef568f75dded56a2123b63dcc8b443f796afe0)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The XML W3C conformance test suite contains thousands of xml files all
marked executable. We dutifully try to strip all these files of debug
info in do_package.
"chmod -x" improves build time by ~40 seconds.
(From OE-Core rev: eb9cdf6b9277d23d1696233fccc4689e6030644c)
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add PACKAGECONFIG for ipv6 and control it based
on DISTRO_FEATURES.
(From OE-Core rev: 1a505037e9a6dc86b523b378d6446baae71f1a2c)
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
