Patchwork [1/1] libxml2: fix LSB desktop-xml tests failure

Submitter Hongxu Jia
Date Sept. 16, 2013, 11:14 a.m.
Message ID <dd0104c4f2811038c1ee78605e6b81a50045f5f6.1379329974.git.hongxu.jia@windriver.com>
Permalink /patch/58119/
State New

Comments

Hongxu Jia - Sept. 16, 2013, 11:14 a.m.
The commit
http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=8780c5ddf2916bbd42fc67b79c286652aebb1546
adds a patch to fix a security issue. It modifies the include file 'tree.h'
to add 'const char *dummy_children' to 'struct _xmlNs'.

But the LSB test suites didn't do this in their own include file, so the LSB
desktop-xml tests failed.

Disabling this patch for linuxstdbase could fix this issue.

[YOCTO #5151]

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 meta/recipes-core/libxml/libxml2_2.9.1.bb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
Khem Raj - Sept. 16, 2013, 5:09 p.m.
On Sep 16, 2013, at 4:14 AM, Hongxu Jia <hongxu.jia@windriver.com> wrote:

> The commit
> http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=8780c5ddf2916bbd42fc67b79c286652aebb1546
> adds a patch to fix a security issue. It modifies the include file 'tree.h'
> to add 'const char *dummy_children' to 'struct _xmlNs'.
>
> But the LSB test suites didn't do this in their own include file, so the LSB
> desktop-xml tests failed.

IMO the testcase should be fixed. This is a security patch that you are disabling. I don't think LSB compliance
should mean less secure.

> 
> Disabling this patch for linuxstdbase could fix this issue.
> 
> [YOCTO #5151]
> 
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> ---
> meta/recipes-core/libxml/libxml2_2.9.1.bb | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/meta/recipes-core/libxml/libxml2_2.9.1.bb b/meta/recipes-core/libxml/libxml2_2.9.1.bb
> index fa9c657..3b031a1 100644
> --- a/meta/recipes-core/libxml/libxml2_2.9.1.bb
> +++ b/meta/recipes-core/libxml/libxml2_2.9.1.bb
> @@ -1,6 +1,9 @@
> require libxml2.inc
> 
> -SRC_URI += "file://libxml2-CVE-2012-2871.patch \
> +LIBXML2_CVE = "file://libxml2-CVE-2012-2871.patch"
> +LIBXML2_CVE_linuxstdbase = ""
> +
> +SRC_URI += "${LIBXML2_CVE} \
>             http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
> 	   "
> 
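Review bot: the new `LIBXML2_CVE` / `LIBXML2_CVE_linuxstdbase` pair has no comment in the recipe, so a later reader sees a CVE patch conditionally emptied with no reason and no tracking reference; the bug number appears only in the commit message. If an opt-out like this were kept, it would need a comment directly above `LIBXML2_CVE_linuxstdbase = ""` naming YOCTO #5151 and the condition under which the override can be deleted. The variable should also be named after the specific patch rather than the generic `LIBXML2_CVE`, so that a second CVE patch added later is not swept into the same override.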
> -- 
> 1.8.1.2
> 
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
Ross Burton - Sept. 16, 2013, 5:15 p.m.
On 16 September 2013 18:09, Khem Raj <raj.khem@gmail.com> wrote:
> IMO the testcase should be fixed. This is a security patch that you are disabling. I don't think LSB compliance
> should mean less secure.

Yes, what Khem said.

Ross
Hongxu Jia - Sept. 17, 2013, 2:36 a.m.
On 09/17/2013 01:09 AM, Khem Raj wrote:
> On Sep 16, 2013, at 4:14 AM, Hongxu Jia <hongxu.jia@windriver.com> wrote:
>
>> The commit
>> http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=8780c5ddf2916bbd42fc67b79c286652aebb1546
>> adds a patch to fix a security issue. It modifies the include file 'tree.h'
>> to add 'const char *dummy_children' to 'struct _xmlNs'.
>>
>> But the LSB test suites didn't do this in their own include file, so the LSB
>> desktop-xml tests failed.
> IMO the testcase should be fixed. This is a security patch that you are disabling. I don't think LSB compliance
> should mean less secure.
>

The upstream of libxml2 has not fixed this issue:
git clone git://git.gnome.org/libxml2

And I have filed a bug to them
https://bugzilla.gnome.org/show_bug.cgi?id=708205

After this is fixed and released, we also need to report another
bug to LSB to update their libxml2 source code.

The time cycle is long; should we mark this bug as "Waiting For Upstream"
or accept this patch as a workaround for the LSB test?

Thanks,
Hongxu

>> Disabling this patch for linuxstdbase could fix this issue.
>>
>> [YOCTO #5151]
>>
>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>> ---
>> meta/recipes-core/libxml/libxml2_2.9.1.bb | 5 ++++-
>> 1 file changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/meta/recipes-core/libxml/libxml2_2.9.1.bb b/meta/recipes-core/libxml/libxml2_2.9.1.bb
>> index fa9c657..3b031a1 100644
>> --- a/meta/recipes-core/libxml/libxml2_2.9.1.bb
>> +++ b/meta/recipes-core/libxml/libxml2_2.9.1.bb
>> @@ -1,6 +1,9 @@
>> require libxml2.inc
>>
>> -SRC_URI += "file://libxml2-CVE-2012-2871.patch \
>> +LIBXML2_CVE = "file://libxml2-CVE-2012-2871.patch"
>> +LIBXML2_CVE_linuxstdbase = ""
>> +
>> +SRC_URI += "${LIBXML2_CVE} \
>>              http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
>> 	   "
>>
>> -- 
>> 1.8.1.2
>>
Ross Burton - Sept. 17, 2013, 9:15 a.m.
On 17 September 2013 03:36, Hongxu Jia <hongxu.jia@windriver.com> wrote:
> The upstream of libxml2 has not fixed this issue:
> git clone git://git.gnome.org/libxml2
>
> And I have filed a bug to them
> https://bugzilla.gnome.org/show_bug.cgi?id=708205
>
> After this is fixed and released, we also need to report another
> bug to LSB to update their libxml2 source code.
>
> The time cycle is long; should we mark this bug as "Waiting For Upstream"
> or accept this patch as a workaround for the LSB test?

Using my amazing ability of talking to the upstream maintainer (DV in
#xml on irc.gnome.org) I've sorted this out.

The CVE is for *Chromium's fork of libxml*.  Not upstream libxml2.
The patch changes a public structure by adding fields *in the middle*,
so that broke the ABI.  That's two good reasons to revert the patch.
As Daniel has said in the bug, this patch was the quick fix that
Chromium did as they statically link to libxml2 so the API breakage
isn't an issue, the proper fix is already in libxslt.  As long as we
have libxml 2.9.0 and libxslt 1.1.27 onwards (which we do), the issue
is correctly fixed.

So, NAK to this patch, and a revert incoming.

Ross
Hongxu Jia - Sept. 17, 2013, 11:10 a.m.
On 09/17/2013 05:15 PM, Burton, Ross wrote:
> On 17 September 2013 03:36, Hongxu Jia <hongxu.jia@windriver.com> wrote:
>> The upstream of libxml2 has not fixed this issue:
>> git clone git://git.gnome.org/libxml2
>>
>> And I have filed a bug to them
>> https://bugzilla.gnome.org/show_bug.cgi?id=708205
>>
>> After this is fixed and released, we also need to report another
>> bug to LSB to update their libxml2 source code.
>>
>> The time cycle is long; should we mark this bug as "Waiting For Upstream"
>> or accept this patch as a workaround for the LSB test?
> Using my amazing ability of talking to the upstream maintainer (DV in
> #xml on irc.gnome.org) I've sorted this out.
>
> The CVE is for *Chromium's fork of libxml*.  Not upstream libxml2.
> The patch changes a public structure by adding fields *in the middle*,
> so that broke the ABI.  That's two good reasons to revert the patch.
> As Daniel has said in the bug, this patch was the quick fix that
> Chromium did as they statically link to libxml2 so the API breakage
> isn't an issue, the proper fix is already in libxslt.  As long as we
> have libxml 2.9.0 and libxslt 1.1.27 onwards (which we do), the issue
> is correctly fixed.
>
> So, NAK to this patch, and a revert incoming.

Great, the libxml2-CVE-2012-2871.patch is obsolete; abandoning it could fix the
LSB desktop-xml tests failure. I will resend the patch to do this.

Thanks,
Hongxu

> Ross
Ross Burton - Sept. 17, 2013, 11:13 a.m.
On 17 September 2013 12:10, Hongxu Jia <hongxu.jia@windriver.com> wrote:
>> So, NAK to this patch, and a revert incoming.
>
> Great, the libxml2-CVE-2012-2871.patch is obsolete; abandoning it could fix the
> LSB desktop-xml tests failure. I will resend the patch to do this.

As I said above, a revert was incoming (and is now on the list).

Ross
Hongxu Jia - Sept. 17, 2013, 11:18 a.m.
On 09/17/2013 07:13 PM, Burton, Ross wrote:
> On 17 September 2013 12:10, Hongxu Jia <hongxu.jia@windriver.com> wrote:
>>> So, NAK to this patch, and a revert incoming.
>> Great, the libxml2-CVE-2012-2871.patch is obsolete; abandoning it could fix the
>> LSB desktop-xml tests failure. I will resend the patch to do this.
> As I said above, a revert was incoming (and is now on the list).
>
> Ross

Sorry for the missing. Thank you for your attention.

//Hongxu
Khem Raj - Sept. 17, 2013, 2:24 p.m.
On Tuesday, September 17, 2013, Burton, Ross wrote:

> On 17 September 2013 03:36, Hongxu Jia <hongxu.jia@windriver.com>
> wrote:
> > The upstream of libxml2 has not fixed this issue:
> > git clone git://git.gnome.org/libxml2
> >
> > And I have filed a bug to them
> > https://bugzilla.gnome.org/show_bug.cgi?id=708205
> >
> > After this is fixed and released, we also need to report another
> > bug to LSB to update their libxml2 source code.
> >
> > The time cycle is long; should we mark this bug as "Waiting For Upstream"
> > or accept this patch as a workaround for the LSB test?
>
> Using my amazing ability of talking to the upstream maintainer (DV in
> #xml on irc.gnome.org) I've sorted this out.
>
> The CVE is for *Chromium's fork of libxml*.  Not upstream libxml2.
> The patch changes a public structure by adding fields *in the middle*,
> so that broke the ABI.  That's two good reasons to revert the patch.
> As Daniel has said in the bug, this patch was the quick fix that
> Chromium did as they statically link to libxml2 so the API breakage
> isn't an issue, the proper fix is already in libxslt.  As long as we
> have libxml 2.9.0 and libxslt 1.1.27 onwards (which we do), the issue
> is correctly fixed.


Thanks for sorting this out in a real good way.

>
> So, NAK to this patch, and a revert incoming.
>
> Ross
>

Patch

diff --git a/meta/recipes-core/libxml/libxml2_2.9.1.bb b/meta/recipes-core/libxml/libxml2_2.9.1.bb
index fa9c657..3b031a1 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.1.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.1.bb
@@ -1,6 +1,9 @@ 
 require libxml2.inc
 
-SRC_URI += "file://libxml2-CVE-2012-2871.patch \
+LIBXML2_CVE = "file://libxml2-CVE-2012-2871.patch"
+LIBXML2_CVE_linuxstdbase = ""
+
+SRC_URI += "${LIBXML2_CVE} \
             http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
 	   "
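Review bot: `LIBXML2_CVE_linuxstdbase = ""` empties the only variable that puts libxml2-CVE-2012-2871.patch into `SRC_URI`, so every build with the linuxstdbase override active is compiled without the security fix, and nothing else in the hunk compensates for that. The opt-out is keyed on the distro rather than on the failing test, which means the change trades a CVE fix for a test pass across that whole configuration. If the patch is wrong for this libxml2 version, remove it for all configurations in a commit that records why; if it is needed, the test suite's copy of the header is what should change, not the recipe.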