
libxml2: Upgrade 2.11.5 -> 2.12.5

Message ID 20240223191859.6912-1-simone.p.weiss@posteo.com
State New
Series libxml2: Upgrade 2.11.5 -> 2.12.5

Commit Message

Simone Weiß Feb. 23, 2024, 7:18 p.m. UTC
From: Simone Weiß <simone.p.weiss@posteo.com>

Upgraded to address CVE-2024-25062

License-Update: hash.c was rewritten and now also has MIT license,
trio was totally removed, hence remove license checksum as well.
Files are not mentioned as exception in overall license any more,
therefore, checksum changed there as well.

Previous upgrades of libxml2 caused issues when building libsoup,
this in the meantime has been addressed via commit "9f57bfb74e280827"
("libsoup-2.4: Fix build with clang-17 and libxml2-2.12") already.

Changes:
- [CVE-2024-25062] xmlreader: Don't expand XIncludes when backtracking
- parser: Fix crash in xmlParseInNodeContext with HTML documents

Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
---
 meta/recipes-core/libxml/libxml2/install-tests.patch      | 8 ++++----
 .../libxml/{libxml2_2.11.5.bb => libxml2_2.12.5.bb}       | 8 +++-----
 2 files changed, 7 insertions(+), 9 deletions(-)
 rename meta/recipes-core/libxml/{libxml2_2.11.5.bb => libxml2_2.12.5.bb} (91%)

Comments

Richard Purdie Feb. 24, 2024, 7:43 a.m. UTC | #1
On Fri, 2024-02-23 at 19:18 +0000, Simone Weiß wrote:
> From: Simone Weiß <simone.p.weiss@posteo.com>
> 
> Upgraded to address CVE-2024-25062
> 
> License-Update: hash.c was rewritten and now also has MIT license,
> trio was totally removed, hence remove license checksum as well.
> Files are not mentioned as exception in overall license any more,
> therefore, checksum changed there as well.
> 
> Previous upgrades of libxml2 caused issues when building libsoup,
> this in the meantime has been adressed via commit "9f57bfb74e280827"
> ("libsoup-2.4: Fix build with clang-17 and libxml2-2.12") already.
> 
> Changes:
> - [CVE-2024-25062] xmlreader: Don't expand XIncludes when backtracking
> - parser: Fix crash in xmlParseInNodeContext with HTML documents
> 
> Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
> ---
>  meta/recipes-core/libxml/libxml2/install-tests.patch      | 8 ++++----
>  .../libxml/{libxml2_2.11.5.bb => libxml2_2.12.5.bb}       | 8 +++-----
>  2 files changed, 7 insertions(+), 9 deletions(-)
>  rename meta/recipes-core/libxml/{libxml2_2.11.5.bb => libxml2_2.12.5.bb} (91%)
> 
> diff --git a/meta/recipes-core/libxml/libxml2/install-tests.patch b/meta/recipes-core/libxml/libxml2/install-tests.patch
> index 14ccce5873..4bddf9f05e 100644
> --- a/meta/recipes-core/libxml/libxml2/install-tests.patch
> +++ b/meta/recipes-core/libxml/libxml2/install-tests.patch
> @@ -1,4 +1,4 @@
> -From 3fc716357ce1372d9418dc86f24315b34d9808de Mon Sep 17 00:00:00 2001
> +From 582af12c9e89cd3d7c93c63756acb6e8180a776c Mon Sep 17 00:00:00 2001
>  From: Ross Burton <ross.burton@arm.com>
>  Date: Mon, 5 Dec 2022 17:02:32 +0000
>  Subject: [PATCH] add yocto-specific install-ptest target
> @@ -13,11 +13,11 @@ Signed-off-by: Ross Burton <ross.burton@arm.com>
>   1 file changed, 10 insertions(+)
>  
>  diff --git a/Makefile.am b/Makefile.am
> -index 5bc4018..57d27af 100644
> +index 0a49d37..1097c63 100644
>  --- a/Makefile.am
>  +++ b/Makefile.am
> -@@ -26,6 +26,16 @@ check_PROGRAMS = \
> - 	testlimits \
> +@@ -27,6 +27,16 @@ check_PROGRAMS = \
> + 	testparser \
>   	testrecurse
>   
>  +ptestdir=$(libexecdir)
> diff --git a/meta/recipes-core/libxml/libxml2_2.11.5.bb b/meta/recipes-core/libxml/libxml2_2.12.5.bb
> similarity index 91%
> rename from meta/recipes-core/libxml/libxml2_2.11.5.bb
> rename to meta/recipes-core/libxml/libxml2_2.12.5.bb
> index 44336c25e1..01e23b21cc 100644
> --- a/meta/recipes-core/libxml/libxml2_2.11.5.bb
> +++ b/meta/recipes-core/libxml/libxml2_2.12.5.bb
> @@ -4,10 +4,8 @@ HOMEPAGE = "https://gitlab.gnome.org/GNOME/libxml2"
>  BUGTRACKER = "http://bugzilla.gnome.org/buglist.cgi?product=libxml2"
>  SECTION = "libs"
>  LICENSE = "MIT"
> -LIC_FILES_CHKSUM = "file://Copyright;md5=2044417e2e5006b65a8b9067b683fcf1 \
> -                    file://hash.c;beginline=6;endline=15;md5=e77f77b12cb69e203d8b4090a0eee879 \
> -                    file://list.c;beginline=4;endline=13;md5=b9c25b021ccaf287e50060602d20f3a7 \
> -                    file://trio.c;beginline=5;endline=14;md5=cd4f61e27f88c1d43df112966b1cd28f"
> +LIC_FILES_CHKSUM = "file://Copyright;md5=fec7ecfe714722b2bb0aaff7d200c701 \
> +                    file://list.c;beginline=4;endline=13;md5=b9c25b021ccaf287e50060602d20f3a7"
>  
>  DEPENDS = "zlib virtual/libiconv"
>  
> @@ -19,7 +17,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
>             file://install-tests.patch \
>             "
>  
> -SRC_URI[archive.sha256sum] = "3727b078c360ec69fa869de14bd6f75d7ee8d36987b071e6928d4720a28df3a6"
> +SRC_URI[archive.sha256sum] = "a972796696afd38073e0f59c283c3a2f5a560b5268b4babc391b286166526b21"
>  SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273"
>  
>  # Disputed as a security issue, but fixed in d39f780
> 

Unfortunately this upgrade breaks webkitgtk:

https://autobuilder.yoctoproject.org/typhoon/#/builders/52/builds/8480/steps/11/logs/stdio
https://autobuilder.yoctoproject.org/typhoon/#/builders/117/builds/4416/steps/12/logs/stdio
https://autobuilder.yoctoproject.org/typhoon/#/builders/45/builds/8643/steps/11/logs/stdio

and so on.

Cheers,

Richard
Simone Weiß Feb. 24, 2024, 8:13 a.m. UTC | #2
On Sat, 2024-02-24 at 07:43 +0000, Richard Purdie wrote:
> On Fri, 2024-02-23 at 19:18 +0000, Simone Weiß wrote:
> > From: Simone Weiß <simone.p.weiss@posteo.com>
> > 
> > Upgraded to address CVE-2024-25062
> > 
> > License-Update: hash.c was rewritten and now also has MIT license,
> > trio was totally removed, hence remove license checksum as well.
> > Files are not mentioned as exception in overall license any more,
> > therefore, checksum changed there as well.
> > 
> > Previous upgrades of libxml2 caused issues when building libsoup,
> > this in the meantime has been adressed via commit "9f57bfb74e280827"
> > ("libsoup-2.4: Fix build with clang-17 and libxml2-2.12") already.
> > 
> > Changes:
> > - [CVE-2024-25062] xmlreader: Don't expand XIncludes when backtracking
> > - parser: Fix crash in xmlParseInNodeContext with HTML documents
> > 
> > Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
> > ---
> >  meta/recipes-core/libxml/libxml2/install-tests.patch      | 8 ++++---
> > -
> >  .../libxml/{libxml2_2.11.5.bb => libxml2_2.12.5.bb}       | 8 +++----
> > -
> >  2 files changed, 7 insertions(+), 9 deletions(-)
> >  rename meta/recipes-core/libxml/{libxml2_2.11.5.bb =>
> > libxml2_2.12.5.bb} (91%)
> > 
> > diff --git a/meta/recipes-core/libxml/libxml2/install-tests.patch
> > b/meta/recipes-core/libxml/libxml2/install-tests.patch
> > index 14ccce5873..4bddf9f05e 100644
> > --- a/meta/recipes-core/libxml/libxml2/install-tests.patch
> > +++ b/meta/recipes-core/libxml/libxml2/install-tests.patch
> > @@ -1,4 +1,4 @@
> > -From 3fc716357ce1372d9418dc86f24315b34d9808de Mon Sep 17 00:00:00
> > 2001
> > +From 582af12c9e89cd3d7c93c63756acb6e8180a776c Mon Sep 17 00:00:00
> > 2001
> >  From: Ross Burton <ross.burton@arm.com>
> >  Date: Mon, 5 Dec 2022 17:02:32 +0000
> >  Subject: [PATCH] add yocto-specific install-ptest target
> > @@ -13,11 +13,11 @@ Signed-off-by: Ross Burton <ross.burton@arm.com>
> >   1 file changed, 10 insertions(+)
> >  
> >  diff --git a/Makefile.am b/Makefile.am
> > -index 5bc4018..57d27af 100644
> > +index 0a49d37..1097c63 100644
> >  --- a/Makefile.am
> >  +++ b/Makefile.am
> > -@@ -26,6 +26,16 @@ check_PROGRAMS = \
> > -       testlimits \
> > +@@ -27,6 +27,16 @@ check_PROGRAMS = \
> > +       testparser \
> >         testrecurse
> >   
> >  +ptestdir=$(libexecdir)
> > diff --git a/meta/recipes-core/libxml/libxml2_2.11.5.bb
> > b/meta/recipes-core/libxml/libxml2_2.12.5.bb
> > similarity index 91%
> > rename from meta/recipes-core/libxml/libxml2_2.11.5.bb
> > rename to meta/recipes-core/libxml/libxml2_2.12.5.bb
> > index 44336c25e1..01e23b21cc 100644
> > --- a/meta/recipes-core/libxml/libxml2_2.11.5.bb
> > +++ b/meta/recipes-core/libxml/libxml2_2.12.5.bb
> > @@ -4,10 +4,8 @@ HOMEPAGE = "https://gitlab.gnome.org/GNOME/libxml2"
> >  BUGTRACKER = "http://bugzilla.gnome.org/buglist.cgi?product=libxml2"
> >  SECTION = "libs"
> >  LICENSE = "MIT"
> > -LIC_FILES_CHKSUM =
> > "file://Copyright;md5=2044417e2e5006b65a8b9067b683fcf1 \
> > -                   
> > file://hash.c;beginline=6;endline=15;md5=e77f77b12cb69e203d8b4090a0eee879
> >  \
> > -                   
> > file://list.c;beginline=4;endline=13;md5=b9c25b021ccaf287e50060602d20f3a7
> >  \
> > -                   
> > file://trio.c;beginline=5;endline=14;md5=cd4f61e27f88c1d43df112966b1cd28f
> > "
> > +LIC_FILES_CHKSUM =
> > "file://Copyright;md5=fec7ecfe714722b2bb0aaff7d200c701 \
> > +                   
> > file://list.c;beginline=4;endline=13;md5=b9c25b021ccaf287e50060602d20f3a7
> > "
> >  
> >  DEPENDS = "zlib virtual/libiconv"
> >  
> > @@ -19,7 +17,7 @@ SRC_URI +=
> > "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
> >             file://install-tests.patch \
> >             "
> >  
> > -SRC_URI[archive.sha256sum] =
> > "3727b078c360ec69fa869de14bd6f75d7ee8d36987b071e6928d4720a28df3a6"
> > +SRC_URI[archive.sha256sum] =
> > "a972796696afd38073e0f59c283c3a2f5a560b5268b4babc391b286166526b21"
> >  SRC_URI[testtar.sha256sum] =
> > "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273"
> >  
> >  # Disputed as a security issue, but fixed in d39f780
> > 
> 
> Unfortunately this upgrade breaks webkitgtk:
> 
> https://autobuilder.yoctoproject.org/typhoon/#/builders/52/builds/8480/steps/11/logs/stdio
> https://autobuilder.yoctoproject.org/typhoon/#/builders/117/builds/4416/steps/12/logs/stdio
> https://autobuilder.yoctoproject.org/typhoon/#/builders/45/builds/8643/steps/11/logs/stdio
> 
> and so on.
> 
> Cheers,
> 
Argh sorry, I understood that only libsoup was an issue. I will propose a
patch to webkitgtk and fix it there, then backport and finally upgrade
this... 
> Richard
> 
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#196120):
> https://lists.openembedded.org/g/openembedded-core/message/196120
> Mute This Topic: https://lists.openembedded.org/mt/104534962/8052774
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe:
> https://lists.openembedded.org/g/openembedded-core/unsub [simone.p.weiss@posteo.com
> ]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Alexander Kanavin Feb. 24, 2024, 8:37 a.m. UTC | #3
You should perhaps check if latest webkitgtk release has a fix, and
simply update to that.

Alex

On Sat, 24 Feb 2024 at 09:13, Simone Weiß <simone.weiss@posteo.net> wrote:
>
> On Sat, 2024-02-24 at 07:43 +0000, Richard Purdie wrote:
> > On Fri, 2024-02-23 at 19:18 +0000, Simone Weiß wrote:
> > > From: Simone Weiß <simone.p.weiss@posteo.com>
> > >
> > > Upgraded to address CVE-2024-25062
> > >
> > > License-Update: hash.c was rewritten and now also has MIT license,
> > > trio was totally removed, hence remove license checksum as well.
> > > Files are not mentioned as exception in overall license any more,
> > > therefore, checksum changed there as well.
> > >
> > > Previous upgrades of libxml2 caused issues when building libsoup,
> > > this in the meantime has been adressed via commit "9f57bfb74e280827"
> > > ("libsoup-2.4: Fix build with clang-17 and libxml2-2.12") already.
> > >
> > > Changes:
> > > - [CVE-2024-25062] xmlreader: Don't expand XIncludes when backtracking
> > > - parser: Fix crash in xmlParseInNodeContext with HTML documents
> > >
> > > Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
> > > ---
> > >  meta/recipes-core/libxml/libxml2/install-tests.patch      | 8 ++++---
> > > -
> > >  .../libxml/{libxml2_2.11.5.bb => libxml2_2.12.5.bb}       | 8 +++----
> > > -
> > >  2 files changed, 7 insertions(+), 9 deletions(-)
> > >  rename meta/recipes-core/libxml/{libxml2_2.11.5.bb =>
> > > libxml2_2.12.5.bb} (91%)
> > >
> > > diff --git a/meta/recipes-core/libxml/libxml2/install-tests.patch
> > > b/meta/recipes-core/libxml/libxml2/install-tests.patch
> > > index 14ccce5873..4bddf9f05e 100644
> > > --- a/meta/recipes-core/libxml/libxml2/install-tests.patch
> > > +++ b/meta/recipes-core/libxml/libxml2/install-tests.patch
> > > @@ -1,4 +1,4 @@
> > > -From 3fc716357ce1372d9418dc86f24315b34d9808de Mon Sep 17 00:00:00
> > > 2001
> > > +From 582af12c9e89cd3d7c93c63756acb6e8180a776c Mon Sep 17 00:00:00
> > > 2001
> > >  From: Ross Burton <ross.burton@arm.com>
> > >  Date: Mon, 5 Dec 2022 17:02:32 +0000
> > >  Subject: [PATCH] add yocto-specific install-ptest target
> > > @@ -13,11 +13,11 @@ Signed-off-by: Ross Burton <ross.burton@arm.com>
> > >   1 file changed, 10 insertions(+)
> > >
> > >  diff --git a/Makefile.am b/Makefile.am
> > > -index 5bc4018..57d27af 100644
> > > +index 0a49d37..1097c63 100644
> > >  --- a/Makefile.am
> > >  +++ b/Makefile.am
> > > -@@ -26,6 +26,16 @@ check_PROGRAMS = \
> > > -       testlimits \
> > > +@@ -27,6 +27,16 @@ check_PROGRAMS = \
> > > +       testparser \
> > >         testrecurse
> > >
> > >  +ptestdir=$(libexecdir)
> > > diff --git a/meta/recipes-core/libxml/libxml2_2.11.5.bb
> > > b/meta/recipes-core/libxml/libxml2_2.12.5.bb
> > > similarity index 91%
> > > rename from meta/recipes-core/libxml/libxml2_2.11.5.bb
> > > rename to meta/recipes-core/libxml/libxml2_2.12.5.bb
> > > index 44336c25e1..01e23b21cc 100644
> > > --- a/meta/recipes-core/libxml/libxml2_2.11.5.bb
> > > +++ b/meta/recipes-core/libxml/libxml2_2.12.5.bb
> > > @@ -4,10 +4,8 @@ HOMEPAGE = "https://gitlab.gnome.org/GNOME/libxml2"
> > >  BUGTRACKER = "http://bugzilla.gnome.org/buglist.cgi?product=libxml2"
> > >  SECTION = "libs"
> > >  LICENSE = "MIT"
> > > -LIC_FILES_CHKSUM =
> > > "file://Copyright;md5=2044417e2e5006b65a8b9067b683fcf1 \
> > > -
> > > file://hash.c;beginline=6;endline=15;md5=e77f77b12cb69e203d8b4090a0eee879
> > >  \
> > > -
> > > file://list.c;beginline=4;endline=13;md5=b9c25b021ccaf287e50060602d20f3a7
> > >  \
> > > -
> > > file://trio.c;beginline=5;endline=14;md5=cd4f61e27f88c1d43df112966b1cd28f
> > > "
> > > +LIC_FILES_CHKSUM =
> > > "file://Copyright;md5=fec7ecfe714722b2bb0aaff7d200c701 \
> > > +
> > > file://list.c;beginline=4;endline=13;md5=b9c25b021ccaf287e50060602d20f3a7
> > > "
> > >
> > >  DEPENDS = "zlib virtual/libiconv"
> > >
> > > @@ -19,7 +17,7 @@ SRC_URI +=
> > > "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
> > >             file://install-tests.patch \
> > >             "
> > >
> > > -SRC_URI[archive.sha256sum] =
> > > "3727b078c360ec69fa869de14bd6f75d7ee8d36987b071e6928d4720a28df3a6"
> > > +SRC_URI[archive.sha256sum] =
> > > "a972796696afd38073e0f59c283c3a2f5a560b5268b4babc391b286166526b21"
> > >  SRC_URI[testtar.sha256sum] =
> > > "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273"
> > >
> > >  # Disputed as a security issue, but fixed in d39f780
> > >
> >
> > Unfortunately this upgrade breaks webkitgtk:
> >
> > https://autobuilder.yoctoproject.org/typhoon/#/builders/52/builds/8480/steps/11/logs/stdio
> > https://autobuilder.yoctoproject.org/typhoon/#/builders/117/builds/4416/steps/12/logs/stdio
> > https://autobuilder.yoctoproject.org/typhoon/#/builders/45/builds/8643/steps/11/logs/stdio
> >
> > and so on.
> >
> > Cheers,
> >
> Argh sorry, I understood that only libsoup was an issue. I will propose a
> patch to webkitgtk and fix it there, then backport and finally upgrade
> this...
> > Richard
> >
> >
> >
> >
>
>
>

Patch

diff --git a/meta/recipes-core/libxml/libxml2/install-tests.patch b/meta/recipes-core/libxml/libxml2/install-tests.patch
index 14ccce5873..4bddf9f05e 100644
--- a/meta/recipes-core/libxml/libxml2/install-tests.patch
+++ b/meta/recipes-core/libxml/libxml2/install-tests.patch
@@ -1,4 +1,4 @@ 
-From 3fc716357ce1372d9418dc86f24315b34d9808de Mon Sep 17 00:00:00 2001
+From 582af12c9e89cd3d7c93c63756acb6e8180a776c Mon Sep 17 00:00:00 2001
 From: Ross Burton <ross.burton@arm.com>
 Date: Mon, 5 Dec 2022 17:02:32 +0000
 Subject: [PATCH] add yocto-specific install-ptest target
@@ -13,11 +13,11 @@  Signed-off-by: Ross Burton <ross.burton@arm.com>
  1 file changed, 10 insertions(+)
 
 diff --git a/Makefile.am b/Makefile.am
-index 5bc4018..57d27af 100644
+index 0a49d37..1097c63 100644
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -26,6 +26,16 @@ check_PROGRAMS = \
- 	testlimits \
+@@ -27,6 +27,16 @@ check_PROGRAMS = \
+ 	testparser \
  	testrecurse
  
 +ptestdir=$(libexecdir)
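Review bot: the refreshed context shows `testparser \` where 2.11.5 had `testlimits \` in `check_PROGRAMS` (hunk offset 26 to 27), so 2.12.5 ships an additional test program; because the purpose of install-tests.patch is to install those programs for ptest, confirm that the `install-ptest` rule further down in the patch (outside this hunk) also copies `testparser`, otherwise the libxml2 ptest package would silently lack the new test binary while the build still succeeds.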
diff --git a/meta/recipes-core/libxml/libxml2_2.11.5.bb b/meta/recipes-core/libxml/libxml2_2.12.5.bb
similarity index 91%
rename from meta/recipes-core/libxml/libxml2_2.11.5.bb
rename to meta/recipes-core/libxml/libxml2_2.12.5.bb
index 44336c25e1..01e23b21cc 100644
--- a/meta/recipes-core/libxml/libxml2_2.11.5.bb
+++ b/meta/recipes-core/libxml/libxml2_2.12.5.bb
@@ -4,10 +4,8 @@  HOMEPAGE = "https://gitlab.gnome.org/GNOME/libxml2"
 BUGTRACKER = "http://bugzilla.gnome.org/buglist.cgi?product=libxml2"
 SECTION = "libs"
 LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://Copyright;md5=2044417e2e5006b65a8b9067b683fcf1 \
-                    file://hash.c;beginline=6;endline=15;md5=e77f77b12cb69e203d8b4090a0eee879 \
-                    file://list.c;beginline=4;endline=13;md5=b9c25b021ccaf287e50060602d20f3a7 \
-                    file://trio.c;beginline=5;endline=14;md5=cd4f61e27f88c1d43df112966b1cd28f"
+LIC_FILES_CHKSUM = "file://Copyright;md5=fec7ecfe714722b2bb0aaff7d200c701 \
+                    file://list.c;beginline=4;endline=13;md5=b9c25b021ccaf287e50060602d20f3a7"
 
 DEPENDS = "zlib virtual/libiconv"
 
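Review bot: removing the `file://hash.c;beginline=6;endline=15;...` entry drops license tracking for a file that, per the License-Update note, still exists and only changed its header to MIT; unlike `trio.c`, which is gone upstream and has to be removed, `hash.c` could keep a `beginline`/`endline` entry with its new md5 so that a later change to that file's header would still trip BitBake's LIC_FILES_CHKSUM check. The new `Copyright` checksum (`fec7ecfe714722b2bb0aaff7d200c701`) is now the only whole-file license check backing the unchanged `LICENSE = "MIT"`, so it is worth confirming by hand that the 2.12.5 `Copyright` text differs from the old one only by the dropped per-file exceptions the commit message describes.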
@@ -19,7 +17,7 @@  SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
            file://install-tests.patch \
            "
 
-SRC_URI[archive.sha256sum] = "3727b078c360ec69fa869de14bd6f75d7ee8d36987b071e6928d4720a28df3a6"
+SRC_URI[archive.sha256sum] = "a972796696afd38073e0f59c283c3a2f5a560b5268b4babc391b286166526b21"
 SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273"
 
 # Disputed as a security issue, but fixed in d39f780
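Review bot: the new `SRC_URI[archive.sha256sum]` is the sole integrity anchor for the 2.12.5 tarball, so it should be compared against the checksum published with the upstream release rather than against the local download it was generated from. The unchanged context line `# Disputed as a security issue, but fixed in d39f780` also suggests that whatever CVE status annotations follow it (outside this hunk) were written for 2.11.x; after the PV bump they deserve a re-check, and the commit message could state that they were reviewed, so that no entry keeps a manual status for an issue the new tarball already fixes.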