You should perhaps check if the latest webkitgtk release has a fix, and
simply update to that.

Alex

On Sat, 24 Feb 2024 at 09:13, Simone Weiß <[email protected]> wrote:
>
> On Sat, 2024-02-24 at 07:43 +0000, Richard Purdie wrote:
> > On Fri, 2024-02-23 at 19:18 +0000, Simone Weiß wrote:
> > > From: Simone Weiß <[email protected]>
> > >
> > > Upgraded to address CVE-2024-25062
> > >
> > > License-Update: hash.c was rewritten and now also has MIT license,
> > > trio was totally removed, hence remove license checksum as well.
> > > Files are not mentioned as exception in overall license any more,
> > > therefore, checksum changed there as well.
> > >
> > > Previous upgrades of libxml2 caused issues when building libsoup,
> > > this in the meantime has been addressed via commit "9f57bfb74e280827"
> > > ("libsoup-2.4: Fix build with clang-17 and libxml2-2.12") already.
> > >
> > > Changes:
> > > - [CVE-2024-25062] xmlreader: Don't expand XIncludes when backtracking
> > > - parser: Fix crash in xmlParseInNodeContext with HTML documents
> > >
> > > Signed-off-by: Simone Weiß <[email protected]>
> > > ---
> > >  meta/recipes-core/libxml/libxml2/install-tests.patch      | 8 ++++---
> > > -
> > >  .../libxml/{libxml2_2.11.5.bb => libxml2_2.12.5.bb}       | 8 +++----
> > > -
> > >  2 files changed, 7 insertions(+), 9 deletions(-)
> > >  rename meta/recipes-core/libxml/{libxml2_2.11.5.bb =>
> > > libxml2_2.12.5.bb} (91%)
> > >
> > > diff --git a/meta/recipes-core/libxml/libxml2/install-tests.patch
> > > b/meta/recipes-core/libxml/libxml2/install-tests.patch
> > > index 14ccce5873..4bddf9f05e 100644
> > > --- a/meta/recipes-core/libxml/libxml2/install-tests.patch
> > > +++ b/meta/recipes-core/libxml/libxml2/install-tests.patch
> > > @@ -1,4 +1,4 @@
> > > -From 3fc716357ce1372d9418dc86f24315b34d9808de Mon Sep 17 00:00:00
> > > 2001
> > > +From 582af12c9e89cd3d7c93c63756acb6e8180a776c Mon Sep 17 00:00:00
> > > 2001
> > >  From: Ross Burton <[email protected]>
> > >  Date: Mon, 5 Dec 2022 17:02:32 +0000
> > >  Subject: [PATCH] add yocto-specific install-ptest target
> > > @@ -13,11 +13,11 @@ Signed-off-by: Ross Burton <[email protected]>
> > >   1 file changed, 10 insertions(+)
> > >
> > >  diff --git a/Makefile.am b/Makefile.am
> > > -index 5bc4018..57d27af 100644
> > > +index 0a49d37..1097c63 100644
> > >  --- a/Makefile.am
> > >  +++ b/Makefile.am
> > > -@@ -26,6 +26,16 @@ check_PROGRAMS = \
> > > -       testlimits \
> > > +@@ -27,6 +27,16 @@ check_PROGRAMS = \
> > > +       testparser \
> > >         testrecurse
> > >
> > >  +ptestdir=$(libexecdir)
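Review bot: The refreshed context before `testrecurse` in the `check_PROGRAMS` hunk changes from `testlimits` to `testparser`, so the upstream list of test programs changed between 2.11.5 and 2.12.5. Please confirm that the install-ptest target added by this patch, and the ptest runner that uses it, only reference test programs that still exist in 2.12.5, and mention the result in the commit message. The refresh itself carries no functional change.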
> > > diff --git a/meta/recipes-core/libxml/libxml2_2.11.5.bb
> > > b/meta/recipes-core/libxml/libxml2_2.12.5.bb
> > > similarity index 91%
> > > rename from meta/recipes-core/libxml/libxml2_2.11.5.bb
> > > rename to meta/recipes-core/libxml/libxml2_2.12.5.bb
> > > index 44336c25e1..01e23b21cc 100644
> > > --- a/meta/recipes-core/libxml/libxml2_2.11.5.bb
> > > +++ b/meta/recipes-core/libxml/libxml2_2.12.5.bb
> > > @@ -4,10 +4,8 @@ HOMEPAGE = "https://gitlab.gnome.org/GNOME/libxml2";
> > >  BUGTRACKER = "http://bugzilla.gnome.org/buglist.cgi?product=libxml2";
> > >  SECTION = "libs"
> > >  LICENSE = "MIT"
> > > -LIC_FILES_CHKSUM =
> > > "file://Copyright;md5=2044417e2e5006b65a8b9067b683fcf1 \
> > > -
> > > file://hash.c;beginline=6;endline=15;md5=e77f77b12cb69e203d8b4090a0eee879
> > >  \
> > > -
> > > file://list.c;beginline=4;endline=13;md5=b9c25b021ccaf287e50060602d20f3a7
> > >  \
> > > -
> > > file://trio.c;beginline=5;endline=14;md5=cd4f61e27f88c1d43df112966b1cd28f
> > > "
> > > +LIC_FILES_CHKSUM =
> > > "file://Copyright;md5=fec7ecfe714722b2bb0aaff7d200c701 \
> > > +
> > > file://list.c;beginline=4;endline=13;md5=b9c25b021ccaf287e50060602d20f3a7
> > > "
> > >
> > >  DEPENDS = "zlib virtual/libiconv"
> > >
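Review bot: In the `LIC_FILES_CHKSUM` change, the `hash.c` and `trio.c` entries are dropped and the `Copyright` md5 changes, but the License-Update text leaves it unclear what now covers `hash.c`. It says the file "now also has MIT license" and, separately, that files are no longer listed as exceptions. Please state explicitly that `hash.c` is covered by the top-level `Copyright` file and that this is why its entry is removed. Since `list.c` keeps its own entry with an unchanged md5, please also say whether it still carries a separate notice, so that the remaining checksum is intentional rather than left over.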
> > > @@ -19,7 +17,7 @@ SRC_URI +=
> > > "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
> > >             file://install-tests.patch \
> > >             "
> > >
> > > -SRC_URI[archive.sha256sum] =
> > > "3727b078c360ec69fa869de14bd6f75d7ee8d36987b071e6928d4720a28df3a6"
> > > +SRC_URI[archive.sha256sum] =
> > > "a972796696afd38073e0f59c283c3a2f5a560b5268b4babc391b286166526b21"
> > >  SRC_URI[testtar.sha256sum] =
> > > "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273"
> > >
> > >  # Disputed as a security issue, but fixed in d39f780
> > >
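Review bot: The trailing context of the `SRC_URI[archive.sha256sum]` hunk keeps the comment "Disputed as a security issue, but fixed in d39f780" unchanged while the recipe moves from 2.11.5 to 2.12.5. Please check whether the entry that comment introduces is still needed at 2.12.5, and drop it in this patch if the new version already contains that fix. The commit message names only libsoup as a consumer affected by earlier libxml2 upgrades; listing which other consumers of libxml2 were build-tested against 2.12.5 would help, since this is a series jump rather than a point release.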
> >
> > Unfortunately this upgrade breaks webkitgtk:
> >
> > https://autobuilder.yoctoproject.org/typhoon/#/builders/52/builds/8480/steps/11/logs/stdio
> > https://autobuilder.yoctoproject.org/typhoon/#/builders/117/builds/4416/steps/12/logs/stdio
> > https://autobuilder.yoctoproject.org/typhoon/#/builders/45/builds/8643/steps/11/logs/stdio
> >
> > and so on.
> >
> > Cheers,
> >
> Argh sorry, I understood that only libsoup was an issue. I will propose a
> patch to webkitgtk and fix it there, then backport and finally upgrade
> this...
> > Richard