openembedded-core.git/meta/recipes-core/libxml, branch pyro Mirror of openembedded-core libxml2: CVE-2016-9318 2017-04-28T10:26:07+00:00 Catalin Enache catalin.enache@windriver.com 2017-04-14T08:43:32+00:00 0dd44c00e3b2fbc3befc3f361624a3a60161d979 libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document. Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9318 Upstream patch: https://git.gnome.org/browse/libxml2/commit/?id=2304078555896cf1638c628f50326aeef6f0e0d0 Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier
and other products, does not offer a flag directly indicating that
the current document may be read but other files may not be opened,
which makes it easier for remote attackers to conduct XML External
Entity (XXE) attacks via a crafted document.

Reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9318

Upstream patch:
https://git.gnome.org/browse/libxml2/commit/?id=2304078555896cf1638c628f50326aeef6f0e0d0

Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
libxml2: make dependencies on python conditional 2017-04-05T11:36:46+00:00 Dmitry Rozhkov dmitry.rozhkov@linux.intel.com 2017-04-04T06:46:46+00:00 3f1be2c3875fc112d9c67af16759091e007e5b99 The library libxml2 can provide its own bindings for python2 in addition to the third party python-lxml and python3-lxml packages if this functionality is enabled in PACKAGECONFIG. But in case the functionality is disabled there's no need to depend on python2. Make the dependency on python2 enabled only if the python feature is added to PACKAGECONFIG. Also add missing run-time dependency on make to libxml2-ptest. Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
The library libxml2 can provide its own bindings for python2 in addition
to the third party python-lxml and python3-lxml packages if this
functionality is enabled in PACKAGECONFIG.

But in case the functionality is disabled there's no need to depend
on python2.

Make the dependency on python2 enabled only if the python feature
is added to PACKAGECONFIG. Also add missing run-time dependency on make
to libxml2-ptest.

Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
recipes: Make use of the new bb.utils.filter() function 2017-03-01T11:17:22+00:00 Peter Kjellerstedt peter.kjellerstedt@axis.com 2017-02-27T13:02:50+00:00 0a1427bf9aeeda6bee2cc0af8da4ea5fd90aef6f Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libxml2: Drop docs in native case 2017-01-28T23:31:17+00:00 Richard Purdie richard.purdie@linuxfoundation.org 2017-01-27T16:57:53+00:00 3b8dcd210a494baecead7dd1e568fb60ac93ed9b With rss, moving these around was having an increasing overhead and we don't need them in the native case so remove them. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
With rss, moving these around was having an increasing overhead and we don't
need them in the native case so remove them.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta: remove True option to getVar calls 2016-12-16T08:30:03+00:00 Joshua Lock joshua.g.lock@intel.com 2016-12-14T21:13:04+00:00 7c552996597faaee2fbee185b250c0ee30ea3b5f getVar() now defaults to expanding by default, thus remove the True option from getVar() calls with a regex search and replace. Search made with the following regex: getVar ?\(( ?[^,()]*), True\) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
getVar() now defaults to expanding by default, thus remove the True
option from getVar() calls with a regex search and replace.

Search made with the following regex: getVar ?\(( ?[^,()]*), True\)

Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
libxml2: Fix more NULL pointer derefs 2016-12-16T08:30:02+00:00 Andrej Valek andrej.valek@siemens.com 2016-12-12T13:20:21+00:00 8f3008114d5000a0865f50833db7c3a3f9808601 The NULL pointer dereferencing could produced some security problems. This is a preventive security fix. Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Pascal Bach <pascal.bach@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
The NULL pointer dereferencing could produced some
security problems.
This is a preventive security fix.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
libxml2: fix CVE-2016-4658 Disallow namespace nodes in XPointer points and ranges 2016-12-16T08:30:01+00:00 Andrej Valek andrej.valek@siemens.com 2016-12-12T13:20:20+00:00 00e928bd1c2aed9caeaf9e411743805d2139a023 Namespace nodes must be copied to avoid use-after-free errors. But they don't necessarily have a physical representation in a document, so simply disallow them in XPointer ranges. Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Pascal Bach <pascal.bach@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Namespace nodes must be copied to avoid use-after-free errors.
But they don't necessarily have a physical representation in a
document, so simply disallow them in XPointer ranges.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
libxml2: Necessary changes before fixing CVE-2016-5131 2016-12-16T08:30:01+00:00 Andrej Valek andrej.valek@siemens.com 2016-12-12T13:20:19+00:00 96ef568f75dded56a2123b63dcc8b443f796afe0 xpath: - Check for errors after evaluating first operand. - Add sanity check for empty stack. - Include comparation in changes from xmlXPathCmpNodesExt to xmlXPathCmpNodes Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Pascal Bach <pascal.bach@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
xpath:
 - Check for errors after evaluating first operand.
 - Add sanity check for empty stack.
 - Include comparation in changes from xmlXPathCmpNodesExt to xmlXPathCmpNodes

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
libxml2: Security fix CVE-2016-5131 2016-11-30T15:47:15+00:00 Yi Zhao yi.zhao@windriver.com 2016-11-28T09:55:40+00:00 640bd2b98ff33e49b42f1087650ebe20d92259a4 CVE-2016-5131 libxml2: Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5131 Patch from: https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
CVE-2016-5131 libxml2: Use-after-free vulnerability in libxml2 through
2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote
attackers to cause a denial of service or possibly have unspecified
other impact via vectors related to the XPointer range-to function.

External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5131

Patch from:
https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
libxml2: Make tests non-executable 2016-10-15T08:59:54+00:00 Jussi Kukkonen jussi.kukkonen@intel.com 2016-10-14T18:38:40+00:00 eb9cdf6b9277d23d1696233fccc4689e6030644c The XML W3C conformance test suite contains thousands of xml files all marked executable. We dutifully try to strip all these files of debug info in do_package. "chmod -x" improves build time by ~40 seconds. Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
The XML W3C conformance test suite contains thousands of xml files all
marked executable. We dutifully try to strip all these files of debug
info in do_package.

"chmod -x" improves build time by ~40 seconds.

Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>