openembedded-core.git/meta/recipes-core/libxml/libxml2, branch 2015-4 Mirror of openembedded-core libxml2: Backport fix for CVE introduced entity issues 2015-01-15T16:55:12+00:00 Richard Purdie richard.purdie@linuxfoundation.org 2015-01-15T09:37:16+00:00 af501bd51f9a86edd34e0405bc32dabe21312229 The CVE fix introduced problems with entity issues, we observed this when building the Yocto Docs in particular. Backport the fix from upstream so we can build our docs correctly. [YOCTO #7134] Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
The CVE fix introduced problems with entity issues, we observed this
when building the Yocto Docs in particular. Backport the fix from
upstream so we can build our docs correctly.

[YOCTO #7134]

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libxml2: upgrade to 2.9.2 2014-12-24T17:48:57+00:00 Hongxu Jia hongxu.jia@windriver.com 2014-12-23T05:09:54+00:00 06f555fa5a36dbf63b26c3734dbbd0b5af16dc33 - Rebase python-sitepackages-dir.patch to 2.9.2 - Drop libxml2-CVE-2014-3660.patch which has been merged to 2.9.2. - Add configure.ac-fix-cross-compiling-warning.patch to fix cross compilation failure. - Tweak do_configure_prepend, use configure.ac to instead of configure.in - Add cmake files to ${PN}-dev Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
- Rebase python-sitepackages-dir.patch to 2.9.2

- Drop libxml2-CVE-2014-3660.patch which has been merged to 2.9.2.

- Add configure.ac-fix-cross-compiling-warning.patch to fix cross
  compilation failure.

- Tweak do_configure_prepend, use configure.ac to instead of configure.in

- Add cmake files to ${PN}-dev

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libxml2: fix CVE-2014-3660 2014-10-24T16:31:58+00:00 Joe MacDonald joe_macdonald@mentor.com 2014-10-20T17:51:21+00:00 643597a5c432b2e02033d0cefa3ba4da980d078f It was discovered that the patch for CVE-2014-0191 for libxml2 is incomplete. It is still possible to have libxml2 incorrectly perform entity substituton even when the application using libxml2 explicitly disables the feature. This can allow a remote denial-of-service attack on systems with libxml2 prior to 2.9.2. References: http://www.openwall.com/lists/oss-security/2014/10/17/7 https://www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
It was discovered that the patch for CVE-2014-0191 for libxml2 is
incomplete.  It is still possible to have libxml2 incorrectly perform
entity substituton even when the application using libxml2 explicitly
disables the feature.  This can allow a remote denial-of-service attack on
systems with libxml2 prior to 2.9.2.

References:
    http://www.openwall.com/lists/oss-security/2014/10/17/7
    https://www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html

Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
libxml2: port AM_PATH_XML2 to use pkg-config 2014-08-15T17:19:56+00:00 Ross Burton ross.burton@intel.com 2014-08-15T12:11:46+00:00 3ea77e69a839572a948ff6f1e51d3ca789ad8eed Upstream AM_PATH_XML2 uses xml2-config which we disable, so port this macro to use pkg-config. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Upstream AM_PATH_XML2 uses xml2-config which we disable, so port this macro to
use pkg-config.

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libxml2: fix python packaging for nativesdk 2014-06-06T08:25:24+00:00 Paul Eggleton paul.eggleton@linux.intel.com 2014-06-05T09:46:17+00:00 e3d06aa104065748367e1479138f824da5d9951f We enable the python module in nativesdk-libxml2, but the python binary used is in the native sysroot and thus you get the module installed in the wrong path. Even with that fixed the python files are still unpackaged, so create an ${PN}-python package and add them to it. (This does not affect the libxml target build at all since python is disabled for that.) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
We enable the python module in nativesdk-libxml2, but the python binary
used is in the native sysroot and thus you get the module installed in
the wrong path. Even with that fixed the python files are still
unpackaged, so create an ${PN}-python package and add them to it. (This
does not affect the libxml target build at all since python is disabled
for that.)

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libxml2: fix CVE-2014-0191 2014-05-08T12:00:23+00:00 Maxin B. John maxin.john@enea.com 2014-05-07T12:24:15+00:00 674bd59d5e357a4aba18c472ac21712a660a84af It was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substituton in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially-crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors. Reference: https://access.redhat.com/security/cve/CVE-2014-0191 Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> 
It was discovered that libxml2, a library providing support to read,
modify and write XML files, incorrectly performs entity substituton in
the doctype prolog, even if the application using libxml2 disabled any
entity substitution. A remote attacker could provide a
specially-crafted XML file that, when processed, would lead to the
exhaustion of CPU and memory resources or file descriptors.

Reference: https://access.redhat.com/security/cve/CVE-2014-0191

Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
libxml2: remove patch for CVE-2012-2871 2013-09-17T13:13:04+00:00 Ross Burton ross.burton@intel.com 2013-09-17T09:22:17+00:00 e6c60252ab4ba6842f63c6b8a519a85f2ff238fb This CVE patch is actually against Chromium as they ship an internal fork of libxml2 and breaks ABI. The real issue has been resolved in libxslt 1.1.27, and we're shipping 1.1.28. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
This CVE patch is actually against Chromium as they ship an internal fork of
libxml2 and breaks ABI.  The real issue has been resolved in libxslt 1.1.27, and
we're shipping 1.1.28.

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upstream-Status: Correct capitalization 2013-07-18T14:14:40+00:00 Saul Wold sgw@linux.intel.com 2013-07-15T23:44:42+00:00 2d5c457bf888771891e9c29e82ec5a5cecace528 Signed-off-by: Saul Wold <sgw@linux.intel.com> 
Signed-off-by: Saul Wold <sgw@linux.intel.com>
libxml2: Add ptest 2013-07-09T14:56:14+00:00 Mihaela Sendrea mihaela.sendrea@enea.com 2013-07-04T14:23:43+00:00 22cf4cc85fbe21a53ca4684b0b06b9af20b2ecc5 Install libxml2 test suite and run it as ptest. Signed-off-by: Mihaela Sendrea <mihaela.sendrea@enea.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> 
Install libxml2 test suite and run it as ptest.

Signed-off-by: Mihaela Sendrea <mihaela.sendrea@enea.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
libxml2 CVE-2012-2871 2012-12-14T23:17:21+00:00 Li Wang li.wang@windriver.com 2012-12-13T05:54:21+00:00 bc601f96f34ad17a87f599b58e502ec1b2c13fa3 the patch come from: http://src.chromium.org/viewvc/chrome/trunk/src/third_party/libxml/src \ /include/libxml/tree.h?r1=56276&r2=149930 libxml2 2.9.0-rc1 and earlier, as used in Google Chrome before 21.0.1180.89, does not properly support a cast of an unspecified variable during handling of XSL transforms, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted document, related to the _xmlNs data structure in include/libxml/tree.h. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2871 [YOCTO #3580] [ CQID: WIND00376779 ] Upstream-Status: Pending Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> 
the patch come from:
http://src.chromium.org/viewvc/chrome/trunk/src/third_party/libxml/src \
/include/libxml/tree.h?r1=56276&r2=149930

libxml2 2.9.0-rc1 and earlier, as used in Google Chrome before 21.0.1180.89,
does not properly support a cast of an unspecified variable during handling
of XSL transforms, which allows remote attackers to cause a denial of service
or possibly have unknown other impact via a crafted document, related to the
_xmlNs data structure in include/libxml/tree.h.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2871

[YOCTO #3580]
[ CQID: WIND00376779 ]
Upstream-Status: Pending

Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>