[dunfell,1/2] libxslt: update to v1.1.35

Message ID 20220601105312.29861-1-omkarpatil10.93@gmail.com
State New, archived

Commit Message

Omkar Patil June 1, 2022, 10:53 a.m. UTC
From: Markus Volk <f_l_k@t-online.de>

Security

[CVE-2021-30560] Fix use-after-free in xsltApplyTemplates
Fix memory leak in xsltDocumentElem (David King)
Fix memory leak in xsltCompileIdKeyPattern (David King)
Fix double-free with stylesheets containing entity nodes

Fixed regressions

Fix performance regression with predicates in patterns
Fix regression in xsltComputeSortResult

Bug fixes

Fix conflict resolution for templates with same priority
Fix xsl:number generating invalid UTF-8
Support attribute value templates in xsl:sort lang attributes
Don't pass first xsl:sort in xsl:apply-templates twice
Fix quadratic runtime with text and xsl:message

Don't allow empty EXSLT durations

Improvements

Add xsltproc --huge Argument via libxml XML_PARSE_HUGE (William N. Braswell, Jr.)

Tests, code quality, fuzzing

Remove .travis.yml
Fix some misleading indentation (David King)
Use actual types for templates in struct _xsltStylesheet
Add CI for CMake on MSVC (Markus Rickert)
Check for null pointer before calling freelocale
Add CI test for Python 3
Don't set maxDepth in XPath contexts
Transfer XPath limits to XPtr context
Stop using maxParserDepth XPath limit
Make long-to-double cast explicit in date.c
Disable LeakSanitizer
Run clang CI tests with -Wimplicit-int-conversion
Fix implicit-int-conversion warning in exslt/crypto.c
Fix clang -Wimplicit-int-conversion warning (David Kilzer)
Fix clang -Wconditional-uninitialized warning in libxslt/numbers.c (David Kilzer)
Fix -Wshadow warnings in libexslt/dynamic.c (David Kilzer)
Also search parent dir for source XML when fuzzing

Build system, portability

Add CMake build files (Markus Rickert)
Initial support for Python 3 (Suleyman Poyraz)
Call ANSI versions of WinAPI functions explicitly
Remove redundant flags from pkg-config files
Suppress automake warning in tests/XSLTMark
Fix linking libexslt dynamic library when using MinGW (Vadim Zeitlin)
Added platform specific path separators (Dmitriy Korovkin)
win32: allow passing *FLAGS on command line
Fix export of xsltExtMarker on Windows (David Kilzer)
Fix redundant includes already in libexslt.h (David Kilzer)
Minor fixes to configure.js
Fix variable syntax in Python configuration
Add new EXSLT string tests to EXTRA_DIST
Fix xml2-config check in configure script
win32: Add configuration for profiler (Chun-wei Fan)
Check whether 'xml2-config --dynamic' is supported

Documentation

Add Makefile rule to regenerate xsltproc.html
Update links
Remove MAINTAINERS
Upload documentation to GitLab Pages
Add documentation in devhelp format
Add --enable-rebuild-docs configure option
Fix libexslt header summaries
Fix validity of tutorial XML (David King)
Use DocBook URL for tutorial DTD (David King)
Update libxslt.doap
Add missing options to xsltproc man page

(From OE-Core rev: 6b5b1486bbd381b2b657645e91a1712332ddcb94)

Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit daa312851681c55d81391b37a30a518f3e74e540)

Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com>
---
 .../libxslt/{libxslt_1.1.34.bb => libxslt_1.1.35.bb}        | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
 rename meta/recipes-support/libxslt/{libxslt_1.1.34.bb => libxslt_1.1.35.bb} (89%)

Comments

Steve Sakoman June 1, 2022, 3:03 p.m. UTC | #1
On Wed, Jun 1, 2022 at 12:53 AM omkar <omkarpatil10.93@gmail.com> wrote:
>
> From: Markus Volk <f_l_k@t-online.de>
>
> Security
>
> [CVE-2021-30560] Fix use-after-free in xsltApplyTemplates
> Fix memory leak in xsltDocumentElem (David King)
> Fix memory leak in xsltCompileIdKeyPattern (David King)
> Fix double-free with stylesheets containing entity nodes
>
> Fixed regressions
>
> Fix performance regression with predicates in patterns
> Fix regression in xsltComputeSortResult
>
> Bug fixes
>
> Fix conflict resolution for templates with same priority
> Fix xsl:number generating invalid UTF-8
> Support attribute value templates in xsl:sort lang attributes
> Don't pass first xsl:sort in xsl:apply-templates twice
> Fix quadratic runtime with text and xsl:message
>
> Don't allow empty EXSLT durations
>
> Improvements
> Add xsltproc --huge Argument via libxml XML_PARSE_HUGE (William N. Braswell, Jr.)
>
> Tests, code quality, fuzzing
>
> Remove .travis.yml
> Fix some misleading indentation (David King)
> Use actual types for templates in struct _xsltStylesheet
> Add CI for CMake on MSVC (Markus Rickert)
> Check for null pointer before calling freelocale
> Add CI test for Python 3
> Don't set maxDepth in XPath contexts
> Transfer XPath limits to XPtr context
> Stop using maxParserDepth XPath limit
> Make long-to-double cast explicit in date.c
> Disable LeakSanitizer
> Run clang CI tests with -Wimplicit-int-conversion
> Fix implicit-int-conversion warning in exslt/crypto.c
> Fix clang -Wimplicit-int-conversion warning (David Kilzer)
> Fix clang -Wconditional-uninitialized warning in libxslt/numbers.c (David Kilzer)
> Fix -Wshadow warnings in libexslt/dynamic.c (David Kilzer)
> Also search parent dir for source XML when fuzzing
>
> Build system, portability
>
> Add CMake build files (Markus Rickert)
> Initial support for Python 3 (Suleyman Poyraz)
> Call ANSI versions of WinAPI functions explicitly
> Remove redundant flags from pkg-config files
> Suppress automake warning in tests/XSLTMark
> Fix linking libexslt dynamic library when using MinGW (Vadim Zeitlin)
> Added platform specific path separators (Dmitriy Korovkin)
> win32: allow passing *FLAGS on command line
> Fix export of xsltExtMarker on Windows (David Kilzer)
> Fix redundant includes already in libexslt.h (David Kilzer)
> Minor fixes to configure.js
> Fix variable syntax in Python configuration
> Add new EXSLT string tests to EXTRA_DIST
> Fix xml2-config check in configure script
> win32: Add configuration for profiler (Chun-wei Fan)
> Check whether 'xml2-config --dynamic' is supported
>
> Documentation
>
> Add Makefile rule to regenerate xsltproc.html
> Update links
> Remove MAINTAINERS
> Upload documentation to GitLab Pages
> Add documentation in devhelp format
> Add --enable-rebuild-docs configure option
> Fix libexslt header summaries
> Fix validity of tutorial XML (David King)
> Use DocBook URL for tutorial DTD (David King)
> Update libxslt.doap
> Add missing options to xsltproc man page

This seems to be much more than a bug fix/security release, so I'm not
sure it is suitable for an LTS branch.

If the intent was to fix CVE-2021-30560, I'd prefer to see a patch
adding the relevant commits for just that fix.

Thanks for helping out with CVEs, I appreciate it!

Steve

> (From OE-Core rev: 6b5b1486bbd381b2b657645e91a1712332ddcb94)
>
> Signed-off-by: Markus Volk <f_l_k@t-online.de>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> (cherry picked from commit daa312851681c55d81391b37a30a518f3e74e540)
>
> Signed-off-by: Omkar Patil <omkarpatil10.93@gmail.com>
> ---
>  .../libxslt/{libxslt_1.1.34.bb => libxslt_1.1.35.bb}        | 6 ++----
>  1 file changed, 2 insertions(+), 4 deletions(-)
>  rename meta/recipes-support/libxslt/{libxslt_1.1.34.bb => libxslt_1.1.35.bb} (89%)
>
> diff --git a/meta/recipes-support/libxslt/libxslt_1.1.34.bb b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
> similarity index 89%
> rename from meta/recipes-support/libxslt/libxslt_1.1.34.bb
> rename to meta/recipes-support/libxslt/libxslt_1.1.35.bb
> index 63cce6fe06..0f25043743 100644
> --- a/meta/recipes-support/libxslt/libxslt_1.1.34.bb
> +++ b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
> @@ -13,11 +13,9 @@ LIC_FILES_CHKSUM = "file://Copyright;md5=0cd9a07afbeb24026c9b03aecfeba458"
>  SECTION = "libs"
>  DEPENDS = "libxml2"
>
> -SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
> -          "
> +SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz"
>
> -SRC_URI[md5sum] = "db8765c8d076f1b6caafd9f2542a304a"
> -SRC_URI[sha256sum] = "98b1bd46d6792925ad2dfe9a87452ea2adebf69dcb9919ffd55bf926a7f93f7f"
> +SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79"
>
>  UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"
>
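
Review bot: the new SRC_URI hardcodes the series directory (`.../sources/libxslt/1.1/`) while the file name is still built from `${PV}`, so a later bump to a release outside the 1.1 series would keep fetching from the 1.1 directory until the path is edited by hand. Either derive the directory from PV or add a short comment beside SRC_URI saying it must be updated together with the version.
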
> --
> 2.17.1
>
>

Patch

diff --git a/meta/recipes-support/libxslt/libxslt_1.1.34.bb b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
similarity index 89%
rename from meta/recipes-support/libxslt/libxslt_1.1.34.bb
rename to meta/recipes-support/libxslt/libxslt_1.1.35.bb
index 63cce6fe06..0f25043743 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.34.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.35.bb
@@ -13,11 +13,9 @@  LIC_FILES_CHKSUM = "file://Copyright;md5=0cd9a07afbeb24026c9b03aecfeba458"
 SECTION = "libs"
 DEPENDS = "libxml2"
 
-SRC_URI = "http://xmlsoft.org/sources/libxslt-${PV}.tar.gz \
-          "
+SRC_URI = "https://download.gnome.org/sources/libxslt/1.1/libxslt-${PV}.tar.xz"
 
-SRC_URI[md5sum] = "db8765c8d076f1b6caafd9f2542a304a"
-SRC_URI[sha256sum] = "98b1bd46d6792925ad2dfe9a87452ea2adebf69dcb9919ffd55bf926a7f93f7f"
+SRC_URI[sha256sum] = "8247f33e9a872c6ac859aa45018bc4c4d00b97e2feac9eebc10c93ce1f34dd79"
 
 UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"
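
Review bot: the SRC_URI lines change the download host, the archive format (`.tar.gz` to `.tar.xz`) and the `SRC_URI[sha256sum]` value in one step, but the commit message is only the upstream changelog and does not say where the new checksum was taken from. Please state its source (upstream-published checksum or a hash of a local download) so the value can be verified independently of the new host, and say which of the listed changes justify the bump on dunfell, since the recipe hunk itself carries no reference to CVE-2021-30560. Dropping `SRC_URI[md5sum]` is fine as long as the sha256sum stays.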