openembedded-core.git/meta/recipes-core/libxml/libxml2, branch dizzy Mirror of openembedded-core libxml2: CVE-2015-8241 2016-01-30T12:02:02+00:00 Sona Sarmadi sona.sarmadi@enea.com 2015-12-14T12:24:13+00:00 84c6a67baaafee565ac4fad229bd8d07a21da09c Upstream bug (contains reproducer): https://bugzilla.gnome.org/show_bug.cgi?id=756263 Upstream patch: https://git.gnome.org/browse/libxml2/commit/?id= ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe Signed-off-by: Tudor Florea <tudor.florea@enea.com> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> 
Upstream bug (contains reproducer):
https://bugzilla.gnome.org/show_bug.cgi?id=756263

Upstream patch:
https://git.gnome.org/browse/libxml2/commit/?id=
ab2b9a93ff19cedde7befbf2fcc48c6e352b6cbe

Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
libxml2: CVE-2015-8035 2016-01-30T12:02:01+00:00 Sona Sarmadi sona.sarmadi@enea.com 2015-12-14T12:24:12+00:00 e40cae30575a227bb0274869f720dffd816d629a Fixes DoS when parsing specially crafted XML document if XZ support is enabled. References: https://bugzilla.gnome.org/show_bug.cgi?id=757466 Upstream correction: https://git.gnome.org/browse/libxml2/commit/?id= f0709e3ca8f8947f2d91ed34e92e38a4c23eae63 Signed-off-by: Tudor Florea <tudor.florea@enea.com> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> 
Fixes DoS when parsing specially crafted XML document
if XZ support is enabled.

References:
https://bugzilla.gnome.org/show_bug.cgi?id=757466

Upstream correction:
https://git.gnome.org/browse/libxml2/commit/?id=
f0709e3ca8f8947f2d91ed34e92e38a4c23eae63

Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
libxml2: CVE-2015-7942 2016-01-30T12:01:59+00:00 Sona Sarmadi sona.sarmadi@enea.com 2015-12-14T12:24:09+00:00 a2980f004519a4baeb4c88ad924e15195fe75e32 Fixes heap-based buffer overflow in xmlParseConditionalSections(). Upstream patch: https://git.gnome.org/browse/libxml2/commit/ ?id=9b8512337d14c8ddf662fcb98b0135f225a1c489 Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=756456 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> 
Fixes heap-based buffer overflow in xmlParseConditionalSections().

Upstream patch:
https://git.gnome.org/browse/libxml2/commit/
?id=9b8512337d14c8ddf662fcb98b0135f225a1c489

Upstream bug:
https://bugzilla.gnome.org/show_bug.cgi?id=756456

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
libxml2: Security Advisory - libxml2 - CVE-2015-1819 2015-07-20T19:53:09+00:00 Yue Tao Yue.Tao@windriver.com 2015-06-15T01:18:52+00:00 de6e4114d5285ea0d2a53d19c93ce96430cc9e30 for CVE-2015-1819 Enforce the reader to run in constant memory (From OE-Core rev: 9e67d8ae592a37d7c92d6566466b09c83e9ec6a7) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Conflicts: meta/recipes-core/libxml/libxml2.inc 
for CVE-2015-1819 Enforce the reader to run in constant memory

(From OE-Core rev: 9e67d8ae592a37d7c92d6566466b09c83e9ec6a7)

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

Conflicts:
	meta/recipes-core/libxml/libxml2.inc
libxml2: Backport fix for CVE introduced entity issues 2015-02-11T17:39:47+00:00 Richard Purdie richard.purdie@linuxfoundation.org 2015-01-15T09:37:16+00:00 9aa93835d19159ffd7cb212680044fc7f914a68f The CVE fix introduced problems with entity issues, we observed this when building the Yocto Docs in particular. Backport the fix from upstream so we can build our docs correctly. [YOCTO #7134] (From OE-Core rev: af501bd51f9a86edd34e0405bc32dabe21312229) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> 
The CVE fix introduced problems with entity issues, we observed this
when building the Yocto Docs in particular. Backport the fix from
upstream so we can build our docs correctly.

[YOCTO #7134]

(From OE-Core rev: af501bd51f9a86edd34e0405bc32dabe21312229)

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
libxml2: fix CVE-2014-3660 2015-02-11T17:39:47+00:00 Joe MacDonald joe_macdonald@mentor.com 2014-10-20T17:51:21+00:00 de7bc57398aaeb84fc9370d025b87f7711986ada It was discovered that the patch for CVE-2014-0191 for libxml2 is incomplete. It is still possible to have libxml2 incorrectly perform entity substituton even when the application using libxml2 explicitly disables the feature. This can allow a remote denial-of-service attack on systems with libxml2 prior to 2.9.2. References: http://www.openwall.com/lists/oss-security/2014/10/17/7 https://www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html (From OE-Core rev: 643597a5c432b2e02033d0cefa3ba4da980d078f) Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> 
It was discovered that the patch for CVE-2014-0191 for libxml2 is
incomplete.  It is still possible to have libxml2 incorrectly perform
entity substituton even when the application using libxml2 explicitly
disables the feature.  This can allow a remote denial-of-service attack on
systems with libxml2 prior to 2.9.2.

References:
    http://www.openwall.com/lists/oss-security/2014/10/17/7
    https://www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html

(From OE-Core rev: 643597a5c432b2e02033d0cefa3ba4da980d078f)

Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
libxml2: port AM_PATH_XML2 to use pkg-config 2014-08-15T17:19:56+00:00 Ross Burton ross.burton@intel.com 2014-08-15T12:11:46+00:00 3ea77e69a839572a948ff6f1e51d3ca789ad8eed Upstream AM_PATH_XML2 uses xml2-config which we disable, so port this macro to use pkg-config. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Upstream AM_PATH_XML2 uses xml2-config which we disable, so port this macro to
use pkg-config.

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libxml2: fix python packaging for nativesdk 2014-06-06T08:25:24+00:00 Paul Eggleton paul.eggleton@linux.intel.com 2014-06-05T09:46:17+00:00 e3d06aa104065748367e1479138f824da5d9951f We enable the python module in nativesdk-libxml2, but the python binary used is in the native sysroot and thus you get the module installed in the wrong path. Even with that fixed the python files are still unpackaged, so create an ${PN}-python package and add them to it. (This does not affect the libxml target build at all since python is disabled for that.) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
We enable the python module in nativesdk-libxml2, but the python binary
used is in the native sysroot and thus you get the module installed in
the wrong path. Even with that fixed the python files are still
unpackaged, so create an ${PN}-python package and add them to it. (This
does not affect the libxml target build at all since python is disabled
for that.)

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libxml2: fix CVE-2014-0191 2014-05-08T12:00:23+00:00 Maxin B. John maxin.john@enea.com 2014-05-07T12:24:15+00:00 674bd59d5e357a4aba18c472ac21712a660a84af It was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substituton in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially-crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors. Reference: https://access.redhat.com/security/cve/CVE-2014-0191 Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> 
It was discovered that libxml2, a library providing support to read,
modify and write XML files, incorrectly performs entity substituton in
the doctype prolog, even if the application using libxml2 disabled any
entity substitution. A remote attacker could provide a
specially-crafted XML file that, when processed, would lead to the
exhaustion of CPU and memory resources or file descriptors.

Reference: https://access.redhat.com/security/cve/CVE-2014-0191

Signed-off-by: Maxin B. John <maxin.john@enea.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
libxml2: remove patch for CVE-2012-2871 2013-09-17T13:13:04+00:00 Ross Burton ross.burton@intel.com 2013-09-17T09:22:17+00:00 e6c60252ab4ba6842f63c6b8a519a85f2ff238fb This CVE patch is actually against Chromium as they ship an internal fork of libxml2 and breaks ABI. The real issue has been resolved in libxslt 1.1.27, and we're shipping 1.1.28. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
This CVE patch is actually against Chromium as they ship an internal fork of
libxml2 and breaks ABI.  The real issue has been resolved in libxslt 1.1.27, and
we're shipping 1.1.28.

Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>