[1/1] libxml2: fix LSB desktop-xml tests failure

Submitted by Hongxu Jia on Sept. 16, 2013, 11:14 a.m.

Details

Message ID dd0104c4f2811038c1ee78605e6b81a50045f5f6.1379329974.git.hongxu.jia@windriver.com
State New

Commit Message

Hongxu Jia Sept. 16, 2013, 11:14 a.m.
The commit
http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=8780c5ddf2916bbd42fc67b79c286652aebb1546
adds a patch to fix a security issue. It modifies the include file 'tree.h'
to add 'const char *dummy_children' to 'struct _xmlNs'.

But the LSB test suites didn't do this in their own include file, so the LSB
desktop-xml tests failed.

Disabling this patch for linuxstdbase could fix this issue.

[YOCTO #5151]

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 meta/recipes-core/libxml/libxml2_2.9.1.bb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)


diff --git a/meta/recipes-core/libxml/libxml2_2.9.1.bb b/meta/recipes-core/libxml/libxml2_2.9.1.bb
index fa9c657..3b031a1 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.1.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.1.bb
@@ -1,6 +1,9 @@ 
 require libxml2.inc
 
-SRC_URI += "file://libxml2-CVE-2012-2871.patch \
+LIBXML2_CVE = "file://libxml2-CVE-2012-2871.patch"
+LIBXML2_CVE_linuxstdbase = ""
+
+SRC_URI += "${LIBXML2_CVE} \
             http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
 	   "
 
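Review bot: the hunk drops the CVE-2012-2871 patch for the linuxstdbase distro by emptying `LIBXML2_CVE_linuxstdbase = ""` without any comment, so a later reader of the recipe cannot tell that the security fix is intentionally absent for that distro, or why. Add a comment above the override citing [YOCTO #5151] and the reason (the LSB suite's own copy of tree.h lacks the `dummy_children` field), and keep a per-distro exception only if the patch is confirmed unnecessary there; otherwise the LSB build ships without a fix that every other distro carries.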

Comments

Khem Raj Sept. 16, 2013, 5:09 p.m.
On Sep 16, 2013, at 4:14 AM, Hongxu Jia <hongxu.jia@windriver.com> wrote:

> The commit
> http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=8780c5ddf2916bbd42fc67b79c286652aebb1546
> adds a patch to fix a security issue. It modifies the include file 'tree.h'
> to add 'const char *dummy_children' to 'struct _xmlNs'.
> 
> But the LSB test suites didn't do this in their own include file, so the LSB
> desktop-xml tests failed.

IMO the testcase should be fixed. This is a security patch that you are disabling. I don't think LSB compliance
should mean less secure.

> 
> Disabling this patch for linuxstdbase could fix this issue.
> 
> [YOCTO #5151]
> 
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> ---
> meta/recipes-core/libxml/libxml2_2.9.1.bb | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/meta/recipes-core/libxml/libxml2_2.9.1.bb b/meta/recipes-core/libxml/libxml2_2.9.1.bb
> index fa9c657..3b031a1 100644
> --- a/meta/recipes-core/libxml/libxml2_2.9.1.bb
> +++ b/meta/recipes-core/libxml/libxml2_2.9.1.bb
> @@ -1,6 +1,9 @@
> require libxml2.inc
> 
> -SRC_URI += "file://libxml2-CVE-2012-2871.patch \
> +LIBXML2_CVE = "file://libxml2-CVE-2012-2871.patch"
> +LIBXML2_CVE_linuxstdbase = ""
> +
> +SRC_URI += "${LIBXML2_CVE} \
>             http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
> 	   "
> 
> -- 
> 1.8.1.2
> 
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
Ross Burton Sept. 16, 2013, 5:15 p.m.
On 16 September 2013 18:09, Khem Raj <raj.khem@gmail.com> wrote:
> IMO the testcase should be fixed. This is a security patch that you are disabling. I don't think LSB compliance
> should mean less secure.

Yes, what Khem said.

Ross
Hongxu Jia Sept. 17, 2013, 2:36 a.m.
On 09/17/2013 01:09 AM, Khem Raj wrote:
> On Sep 16, 2013, at 4:14 AM, Hongxu Jia <hongxu.jia@windriver.com> wrote:
>
>> The commit
>> http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=8780c5ddf2916bbd42fc67b79c286652aebb1546
>> adds a patch to fix a security issue. It modifies the include file 'tree.h'
>> to add 'const char *dummy_children' to 'struct _xmlNs'.
>>
>> But the LSB test suites didn't do this in their own include file, so the LSB
>> desktop-xml tests failed.
> IMO the testcase should be fixed. This is a security patch that you are disabling. I don't think LSB compliance
> should mean less secure.
>

The upstream of libxml2 has not fixed this issue:
git clone git://git.gnome.org/libxml2

And I have filed a bug with them:
https://bugzilla.gnome.org/show_bug.cgi?id=708205

After this is fixed and released, we also need to report another
bug to LSB to update their libxml2 source code.

The time cycle is long; should we mark this bug as "Waiting For Upstream"
or accept this patch as a workaround for the LSB test?

Thanks,
Hongxu

>> Disabling this patch for linuxstdbase could fix this issue.
>>
>> [YOCTO #5151]
>>
>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>> ---
>> meta/recipes-core/libxml/libxml2_2.9.1.bb | 5 ++++-
>> 1 file changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/meta/recipes-core/libxml/libxml2_2.9.1.bb b/meta/recipes-core/libxml/libxml2_2.9.1.bb
>> index fa9c657..3b031a1 100644
>> --- a/meta/recipes-core/libxml/libxml2_2.9.1.bb
>> +++ b/meta/recipes-core/libxml/libxml2_2.9.1.bb
>> @@ -1,6 +1,9 @@
>> require libxml2.inc
>>
>> -SRC_URI += "file://libxml2-CVE-2012-2871.patch \
>> +LIBXML2_CVE = "file://libxml2-CVE-2012-2871.patch"
>> +LIBXML2_CVE_linuxstdbase = ""
>> +
>> +SRC_URI += "${LIBXML2_CVE} \
>>              http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
>> 	   "
>>
>> -- 
>> 1.8.1.2
>>
Ross Burton Sept. 17, 2013, 9:15 a.m.
On 17 September 2013 03:36, Hongxu Jia <hongxu.jia@windriver.com> wrote:
> The upstream of libxml2 has not fixed this issue:
> git clone git://git.gnome.org/libxml2
>
> And I have filed a bug with them:
> https://bugzilla.gnome.org/show_bug.cgi?id=708205
>
> After this is fixed and released, we also need to report another
> bug to LSB to update their libxml2 source code.
>
> The time cycle is long; should we mark this bug as "Waiting For Upstream"
> or accept this patch as a workaround for the LSB test?

Using my amazing ability of talking to the upstream maintainer (DV in
#xml on irc.gnome.org) I've sorted this out.

The CVE is for *Chromium's fork of libxml*.  Not upstream libxml2.
The patch changes a public structure by adding fields *in the middle*,
so that broke the ABI.  That's two good reasons to revert the patch.
As Daniel has said in the bug, this patch was the quick fix that
Chromium did as they statically link to libxml2 so the API breakage
isn't an issue, the proper fix is already in libxslt.  As long as we
have libxml 2.9.0 and libxslt 1.1.27 onwards (which we do), the issue
is correctly fixed.

So, NAK to this patch, and a revert incoming.

Ross
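As an added illustration of the ABI point in Ross's reply above (example code written for this page, not code from the thread, from libxml2 or from the patch): two simplified stand-ins for the public `struct _xmlNs` show that inserting a field in the middle shifts the offset of every later field, so a binary such as the LSB test suite, compiled against the unpatched header, reads the inserted field where it expects `context`. The field types and the exact position of `dummy_children` are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified stand-ins for libxml2's public struct _xmlNs as
 * two compilation units see it. Field names follow libxml2's tree.h, but
 * the types are simplified and the position of the inserted field is an
 * assumption; this is an added illustration, not libxml2's or the patch's
 * code. */
struct xmlns_old {               /* header the LSB test suite was built against */
    struct xmlns_old *next;
    int type;
    const char *href;
    const char *prefix;
    void *_private;
    void *context;
};

struct xmlns_patched {           /* header after the CVE patch inserts a field */
    struct xmlns_patched *next;
    int type;
    const char *href;
    const char *prefix;
    void *_private;
    const char *dummy_children;  /* inserted mid-struct (position assumed) */
    void *context;
};

/* Returns 1 when objects can be shared across the two headers: same size
 * and every original field at the same offset. Appending a field at the
 * end would keep the old offsets but still change the size; inserting one
 * in the middle shifts every field after it. */
int layouts_compatible(void)
{
    return sizeof(struct xmlns_old) == sizeof(struct xmlns_patched)
        && offsetof(struct xmlns_old, next)     == offsetof(struct xmlns_patched, next)
        && offsetof(struct xmlns_old, type)     == offsetof(struct xmlns_patched, type)
        && offsetof(struct xmlns_old, href)     == offsetof(struct xmlns_patched, href)
        && offsetof(struct xmlns_old, prefix)   == offsetof(struct xmlns_patched, prefix)
        && offsetof(struct xmlns_old, _private) == offsetof(struct xmlns_patched, _private)
        && offsetof(struct xmlns_old, context)  == offsetof(struct xmlns_patched, context);
}

/* Emulates a consumer built against the old header reading `context` from
 * an object the patched library allocated: it fetches the pointer-sized
 * bytes at the offset its own header assigns to `context`. memcpy keeps
 * the byte-level read well-defined for the demonstration. */
const void *read_context_as_old_consumer(const struct xmlns_patched *ns)
{
    const void *value;
    memcpy(&value, (const unsigned char *)ns + offsetof(struct xmlns_old, context),
           sizeof value);
    return value;
}

/* Builds one constructed namespace node and reports whether an old consumer
 * reads the inserted field where it expects `context`: 1 = mismatch observed
 * (the failure mode behind the LSB test breakage), 0 = no mismatch. */
int old_consumer_reads_inserted_field(void)
{
    struct xmlns_patched ns;
    int doc_marker = 0;                         /* stands in for the owning xmlDoc */
    const char *dummy = "constructed dummy_children";

    memset(&ns, 0, sizeof ns);
    ns.href = "http://example.invalid/ns";      /* constructed sample values */
    ns.prefix = "ex";
    ns.dummy_children = dummy;
    ns.context = &doc_marker;

    return read_context_as_old_consumer(&ns) == (const void *)dummy
        && read_context_as_old_consumer(&ns) != ns.context;
}

int main(void)
{
    printf("layouts compatible: %s\n", layouts_compatible() ? "yes" : "no");
    printf("old consumer reads dummy_children instead of context: %s\n",
           old_consumer_reads_inserted_field() ? "yes" : "no");
    printf("sizeof old=%zu patched=%zu, context offset old=%zu patched=%zu\n",
           sizeof(struct xmlns_old), sizeof(struct xmlns_patched),
           offsetof(struct xmlns_old, context), offsetof(struct xmlns_patched, context));
    return 0;
}
```

Build with `cc -std=c99 -Wall abi_demo.c && ./a.out`. The mismatch shows up on both 32-bit and 64-bit layouts because the two structs share the same prefix up to the inserted field, so `context` in the old layout sits at exactly the offset `dummy_children` occupies in the patched one; `layouts_compatible()` is the kind of check a recipe's test step could run against the installed header before and after carrying a struct-changing patch.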
Hongxu Jia Sept. 17, 2013, 11:10 a.m.
On 09/17/2013 05:15 PM, Burton, Ross wrote:
> On 17 September 2013 03:36, Hongxu Jia <hongxu.jia@windriver.com> wrote:
>> The upstream of libxml2 has not fixed this issue:
>> git clone git://git.gnome.org/libxml2
>>
>> And I have filed a bug with them:
>> https://bugzilla.gnome.org/show_bug.cgi?id=708205
>>
>> After this is fixed and released, we also need to report another
>> bug to LSB to update their libxml2 source code.
>>
>> The time cycle is long; should we mark this bug as "Waiting For Upstream"
>> or accept this patch as a workaround for the LSB test?
> Using my amazing ability of talking to the upstream maintainer (DV in
> #xml on irc.gnome.org) I've sorted this out.
>
> The CVE is for *Chromium's fork of libxml*.  Not upstream libxml2.
> The patch changes a public structure by adding fields *in the middle*,
> so that broke the ABI.  That's two good reasons to revert the patch.
> As Daniel has said in the bug, this patch was the quick fix that
> Chromium did as they statically link to libxml2 so the API breakage
> isn't an issue, the proper fix is already in libxslt.  As long as we
> have libxml 2.9.0 and libxslt 1.1.27 onwards (which we do), the issue
> is correctly fixed.
>
> So, NAK to this patch, and a revert incoming.

Great, the libxml2-CVE-2012-2871.patch is obsolete; abandoning it could fix the
LSB desktop-xml tests failure. I will resend the patch to do this.

Thanks,
Hongxu

> Ross
Ross Burton Sept. 17, 2013, 11:13 a.m.
On 17 September 2013 12:10, Hongxu Jia <hongxu.jia@windriver.com> wrote:
>> So, NAK to this patch, and a revert incoming.
>
> Great, the libxml2-CVE-2012-2871.patch is obsolete; abandoning it could fix the
> LSB desktop-xml tests failure. I will resend the patch to do this.

As I said above, a revert was incoming (and is now on the list).

Ross
Hongxu Jia Sept. 17, 2013, 11:18 a.m.
On 09/17/2013 07:13 PM, Burton, Ross wrote:
> On 17 September 2013 12:10, Hongxu Jia <hongxu.jia@windriver.com> wrote:
>>> So, NAK to this patch, and a revert incoming.
>> Great, the libxml2-CVE-2012-2871.patch is obsolete; abandoning it could fix the
>> LSB desktop-xml tests failure. I will resend the patch to do this.
> As I said above, a revert was incoming (and is now on the list).
>
> Ross

Sorry for missing that. Thank you for your attention.

//Hongxu
Khem Raj Sept. 17, 2013, 2:24 p.m.
On Tuesday, September 17, 2013, Burton, Ross wrote:

> On 17 September 2013 03:36, Hongxu Jia <hongxu.jia@windriver.com>
> wrote:
> > The upstream of libxml2 has not fixed this issue:
> > git clone git://git.gnome.org/libxml2
> >
> > And I have filed a bug with them:
> > https://bugzilla.gnome.org/show_bug.cgi?id=708205
> >
> > After this is fixed and released, we also need to report another
> > bug to LSB to update their libxml2 source code.
> >
> > The time cycle is long; should we mark this bug as "Waiting For Upstream"
> > or accept this patch as a workaround for the LSB test?
>
> Using my amazing ability of talking to the upstream maintainer (DV in
> #xml on irc.gnome.org) I've sorted this out.
>
> The CVE is for *Chromium's fork of libxml*.  Not upstream libxml2.
> The patch changes a public structure by adding fields *in the middle*,
> so that broke the ABI.  That's two good reasons to revert the patch.
> As Daniel has said in the bug, this patch was the quick fix that
> Chromium did as they statically link to libxml2 so the API breakage
> isn't an issue, the proper fix is already in libxslt.  As long as we
> have libxml 2.9.0 and libxslt 1.1.27 onwards (which we do), the issue
> is correctly fixed.

Thanks for sorting this out in a really good way.

>
> So, NAK to this patch, and a revert incoming.
>
> Ross
>