On Sat, 2024-02-24 at 07:43 +0000, Richard Purdie wrote:
> On Fri, 2024-02-23 at 19:18 +0000, Simone Weiß wrote:
> > From: Simone Weiß <[email protected]>
> > 
> > Upgraded to address CVE-2024-25062
> > 
> > License-Update: hash.c was rewritten and now also has MIT license,
> > trio was totally removed, hence remove license checksum as well.
> > Files are not mentioned as exception in overall license any more,
> > therefore, checksum changed there as well.
> > 
> > Previous upgrades of libxml2 caused issues when building libsoup,
> > this in the meantime has been addressed via commit "9f57bfb74e280827"
> > ("libsoup-2.4: Fix build with clang-17 and libxml2-2.12") already.
> > 
> > Changes:
> > - [CVE-2024-25062] xmlreader: Don't expand XIncludes when backtracking
> > - parser: Fix crash in xmlParseInNodeContext with HTML documents
> > 
> > Signed-off-by: Simone Weiß <[email protected]>
> > ---
> >  meta/recipes-core/libxml/libxml2/install-tests.patch      | 8 ++++---
> > -
> >  .../libxml/{libxml2_2.11.5.bb => libxml2_2.12.5.bb}       | 8 +++----
> > -
> >  2 files changed, 7 insertions(+), 9 deletions(-)
> >  rename meta/recipes-core/libxml/{libxml2_2.11.5.bb =>
> > libxml2_2.12.5.bb} (91%)
> > 
> > diff --git a/meta/recipes-core/libxml/libxml2/install-tests.patch
> > b/meta/recipes-core/libxml/libxml2/install-tests.patch
> > index 14ccce5873..4bddf9f05e 100644
> > --- a/meta/recipes-core/libxml/libxml2/install-tests.patch
> > +++ b/meta/recipes-core/libxml/libxml2/install-tests.patch
> > @@ -1,4 +1,4 @@
> > -From 3fc716357ce1372d9418dc86f24315b34d9808de Mon Sep 17 00:00:00
> > 2001
> > +From 582af12c9e89cd3d7c93c63756acb6e8180a776c Mon Sep 17 00:00:00
> > 2001
> >  From: Ross Burton <[email protected]>
> >  Date: Mon, 5 Dec 2022 17:02:32 +0000
> >  Subject: [PATCH] add yocto-specific install-ptest target
> > @@ -13,11 +13,11 @@ Signed-off-by: Ross Burton <[email protected]>
> >   1 file changed, 10 insertions(+)
> >  
> >  diff --git a/Makefile.am b/Makefile.am
> > -index 5bc4018..57d27af 100644
> > +index 0a49d37..1097c63 100644
> >  --- a/Makefile.am
> >  +++ b/Makefile.am
> > -@@ -26,6 +26,16 @@ check_PROGRAMS = \
> > -       testlimits \
> > +@@ -27,6 +27,16 @@ check_PROGRAMS = \
> > +       testparser \
> >         testrecurse
> >   
> >  +ptestdir=$(libexecdir)
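
Review bot: the refreshed context under check_PROGRAMS now shows testparser ahead of testrecurse, a test program the old context did not show, while the install-ptest addition that follows is carried over unchanged. Confirm that the install-ptest target and the ptest runner install and run testparser with 2.12.5, or state in the commit message that it is left out on purpose.
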
> > diff --git a/meta/recipes-core/libxml/libxml2_2.11.5.bb
> > b/meta/recipes-core/libxml/libxml2_2.12.5.bb
> > similarity index 91%
> > rename from meta/recipes-core/libxml/libxml2_2.11.5.bb
> > rename to meta/recipes-core/libxml/libxml2_2.12.5.bb
> > index 44336c25e1..01e23b21cc 100644
> > --- a/meta/recipes-core/libxml/libxml2_2.11.5.bb
> > +++ b/meta/recipes-core/libxml/libxml2_2.12.5.bb
> > @@ -4,10 +4,8 @@ HOMEPAGE = "https://gitlab.gnome.org/GNOME/libxml2";
> >  BUGTRACKER = "http://bugzilla.gnome.org/buglist.cgi?product=libxml2";
> >  SECTION = "libs"
> >  LICENSE = "MIT"
> > -LIC_FILES_CHKSUM =
> > "file://Copyright;md5=2044417e2e5006b65a8b9067b683fcf1 \
> > -                   
> > file://hash.c;beginline=6;endline=15;md5=e77f77b12cb69e203d8b4090a0eee879
> >  \
> > -                   
> > file://list.c;beginline=4;endline=13;md5=b9c25b021ccaf287e50060602d20f3a7
> >  \
> > -                   
> > file://trio.c;beginline=5;endline=14;md5=cd4f61e27f88c1d43df112966b1cd28f
> > "
> > +LIC_FILES_CHKSUM =
> > "file://Copyright;md5=fec7ecfe714722b2bb0aaff7d200c701 \
> > +                   
> > file://list.c;beginline=4;endline=13;md5=b9c25b021ccaf287e50060602d20f3a7
> > "
> >  
> >  DEPENDS = "zlib virtual/libiconv"
> >  
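
Review bot: in LIC_FILES_CHKSUM the hash.c and trio.c entries are dropped and the Copyright md5 changes, which the License-Update text explains, but the list.c entry stays with its old md5 and the message does not say why that file still needs its own checksum. Add a sentence on list.c to the License-Update paragraph, or drop the entry if the Copyright file now covers it.
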
> > @@ -19,7 +17,7 @@ SRC_URI +=
> > "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
> >             file://install-tests.patch \
> >             "
> >  
> > -SRC_URI[archive.sha256sum] =
> > "3727b078c360ec69fa869de14bd6f75d7ee8d36987b071e6928d4720a28df3a6"
> > +SRC_URI[archive.sha256sum] =
> > "a972796696afd38073e0f59c283c3a2f5a560b5268b4babc391b286166526b21"
> >  SRC_URI[testtar.sha256sum] =
> > "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273"
> >  
> >  # Disputed as a security issue, but fixed in d39f780
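
Review bot: SRC_URI[archive.sha256sum] now pulls the 2.12.5 tarball, a move from the 2.11 series to 2.12 made for one CVE, and the commit message itself records that earlier libxml2 upgrades broke the libsoup build. List in the commit message which users of libxml2 were build-tested against 2.12.5, and say how the new sha256 value was checked against the upstream release.
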
> > 
> 
> Unfortunately this upgrade breaks webkitgtk:
> 
> https://autobuilder.yoctoproject.org/typhoon/#/builders/52/builds/8480/steps/11/logs/stdio
> https://autobuilder.yoctoproject.org/typhoon/#/builders/117/builds/4416/steps/12/logs/stdio
> https://autobuilder.yoctoproject.org/typhoon/#/builders/45/builds/8643/steps/11/logs/stdio
> 
> and so on.
> 
> Cheers,
> 
Argh sorry, I understood that only libsoup was an issue. I will propose a
patch to webkitgtk and fix it there, then backport and finally upgrade
this... 
> Richard