aboutsummaryrefslogtreecommitdiffstats
path: root/meta/recipes-core/libxml/libxml2
AgeCommit message (Collapse)Author
2018-10-04libxml2: refresh CVE-2017-8872Ross Burton
The patch associated with the CVE-2017-8872 report was never merged into libxml2, but a slightly different patch for the same problem was. Cherry-pick that as a backport, which also fixes the failing test suite. Signed-off-by: Ross Burton <ross.burton@intel.com>
2018-08-20libxml2: fix CVE-2018-9251 and CVE-2018-14567Hongxu Jia
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-08-14libxml2: Fix CVE-2018-14404Andrej Valek
Fix nullptr deref with XPath logic ops If the XPath stack is corrupted, for example by a misbehaving extension function, the "and" and "or" XPath operators could dereference NULL pointers. Check that the XPath stack isn't empty and optimize the logic operators slightly. CVE: CVE-2018-14404 Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2018-07-05libxml2: fix CVE-2017-8872Hongxu Jia
The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 allows attackers to cause a denial of service (buffer over-read) or information disclosure. https://bugzilla.gnome.org/show_bug.cgi?id=775200 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2018-05-04libxml2: 2.9.7 -> 2.9.8Andrej Valek
Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2018-03-07libxml: refresh patchesRoss Burton
The patch tool will apply patches by default with "fuzz", which is where if the hunk context isn't present but what is there is close enough, it will force the patch in. Whilst this is useful when there's just whitespace changes, when applied to source it is possible for a patch applied with fuzz to produce broken code which still compiles (see #10450). This is obviously bad. We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For that to be realistic the existing patches with fuzz need to be rebased and reviewed. Signed-off-by: Ross Burton <ross.burton@intel.com>
2018-01-13libxml2: fix makefile for ptestsAnuj Mittal
Changes to Makefile in latest version mean when "make -k runtests" is executed, it leads to errors like: | make: *** No rule to make target 'runtest.c', needed by 'runtest.o'. | make: *** No rule to make target 'SAX.c', needed by 'SAX.lo'. | make: *** No rule to make target 'entities.c', needed by 'entities.lo'. | make: *** No rule to make target 'encoding.c', needed by 'encoding.lo'. Make sure that we don't try to check and compile the tests again on the target. Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-11-05libxml2: 2.9.4 -> 2.9.5Andrej Valek
Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-10-06libxml2-ptest: set LC_ALL=en_US.UTF-8Juro Bystricky
We need to specify UTF-8 in the environment to avoid an error such as: UnicodeEncodeError: 'ascii' codec can't encode character '\xe4' Signed-off-by: Juro Bystricky <juro.bystricky@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2017-08-27libxml2: Fix CVE-2017-8872Hongxu Jia
fix global-buffer-overflow in htmlParseTryOrFinish (HTMLparser.c:5403) https://bugzilla.gnome.org/show_bug.cgi?id=775200 Here is the reproduce steps on ubuntu 16.04, use clang with "-fsanitize=address" ... export CC="clang" export CFLAGS="-fsanitize=address" ./configure --disable-shared make clean all -j wget https://bugzilla.gnome.org/attachment.cgi?id=340871 -O poc ./xmllint --html --push poc ==2785==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000a0de21 at pc 0x0000006a7f6e bp 0x7ffdfe940c10 sp 0x7ffdfe940c08 READ of size 1 at 0x000000a0de21 thread T0 #0 0x6a7f6d (/home/jiahongxu/Downloads/libxml2-2.9.4/xmllint+0x6a7f6d) #1 0x6a7356 (/home/jiahongxu/Downloads/libxml2-2.9.4/xmllint+0x6a7356) #2 0x4f4504 (/home/jiahongxu/Downloads/libxml2-2.9.4/xmllint+0x4f4504) #3 0x4f045e (/home/jiahongxu/Downloads/libxml2-2.9.4/xmllint+0x4f045e) #4 0x7f81977d682f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #5 0x419ad8 (/home/jiahongxu/Downloads/libxml2-2.9.4/xmllint+0x419ad8) ... Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-27meta: Fix malformed Upstream-Status tagsRoss Burton
Fix a variety of spelling and format mistakes to improve the ease of reading the tags programatically. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-06-23libxml2: Revert "Add an XML_PARSE_NOXXE flag to block all entities loading ↵Andrej Valek
even local" The new flag doesn't work and the change even broke the XML_PARSE_NONET option. Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
2017-06-23libxml2: Fix CVE-2017-0663Andrej Valek
Fix type confusion in xmlValidateOneNamespace Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on namespace declarations make no practical sense anyway. Fixes bug 780228 CVE: CVE-2017-0663 Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
2017-06-23libxml2: Fix CVE-2017-5969Andrej Valek
Fix NULL pointer deref in xmlDumpElementContent Can only be triggered in recovery mode. Fixes bug 758422 CVE: CVE-2017-5969 Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
2017-06-23libxml2: Fix CVE-2017-9049 and CVE-2017-9050Andrej Valek
Fix handling of parameter-entity references There were two bugs where parameter-entity references could lead to an unexpected change of the input buffer in xmlParseNameComplex and xmlDictLookup being called with an invalid pointer. Fixes bug 781205 and bug 781361 CVE: CVE-2017-9049 CVE-2017-9050 Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
2017-06-23libxml2: Fix CVE-2017-9047 and CVE-2017-9048Andrej Valek
xmlSnprintfElementContent failed to correctly check the available buffer space in two locations. Fixes bug 781333 and bug 781701 CVE: CVE-2017-9047 CVE-2017-9048 Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
2017-06-23libxml2: Avoid reparsing and simplify control flow in xmlParseStartTag2Andrej Valek
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
2017-06-23libxml2: Disable LeakSanitizer when running API testsAndrej Valek
Makefile.am: Disable LeakSanitizer when running API tests The autogenerated API tests leak memory. Upstream-Status: Backported - [https://git.gnome.org/browse/libxml2/commit/?id=ac9a4560ee85b18811ff8ab7791ddfff7b144b0a] Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
2017-06-12libxml2: Make ptest run the Python tests if Python support is enabledPeter Kjellerstedt
Since we go through the trouble of copying the Python tests, we may as well actually run them... This also avoids the following QA issue: ERROR: libxml2-2.9.4-r0 do_package_qa: QA Issue: /usr/lib/libxml2/ptest/python/tests/push.py contained in package libxml2-ptest requires /usr/bin/python, but no providers found in RDEPENDS_libxml2-ptest? [file-rdeps] Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2017-04-28libxml2: CVE-2016-9318Catalin Enache
libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document. Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9318 Upstream patch: https://git.gnome.org/browse/libxml2/commit/?id=2304078555896cf1638c628f50326aeef6f0e0d0 Signed-off-by: Catalin Enache <catalin.enache@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-16libxml2: Fix more NULL pointer derefsAndrej Valek
The NULL pointer dereferencing could produced some security problems. This is a preventive security fix. Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Pascal Bach <pascal.bach@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-16libxml2: fix CVE-2016-4658 Disallow namespace nodes in XPointer points and ↵Andrej Valek
ranges Namespace nodes must be copied to avoid use-after-free errors. But they don't necessarily have a physical representation in a document, so simply disallow them in XPointer ranges. Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Pascal Bach <pascal.bach@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-12-16libxml2: Necessary changes before fixing CVE-2016-5131Andrej Valek
xpath: - Check for errors after evaluating first operand. - Add sanity check for empty stack. - Include comparation in changes from xmlXPathCmpNodesExt to xmlXPathCmpNodes Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Pascal Bach <pascal.bach@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-11-30libxml2: Security fix CVE-2016-5131Yi Zhao
CVE-2016-5131 libxml2: Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. External References: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5131 Patch from: https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2016-06-14libxml2: upgrade to 2.9.4Hongxu Jia
- Drop configure.ac-fix-cross-compiling-warning.patch, libxml2 2.9.4 has fixed it Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2016-04-09libxml2: fix AM_PATH_XML2Robert Yang
The code: suppose $1 == 2.7: verdep=ifelse([$1], [], [], [>= $1]) results in: verdep=>= 2.7 This is wrong in shell: bash: 2.7: command not found Use quotation marks to fix the problem. Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-12-01libxml2: upgrade to 2.9.3Ross Burton
- Drop all the upstreamed patches - Rework the ansidecl removal so it's contained in a single patch Signed-off-by: Ross Burton <ross.burton@intel.com>
2015-11-25libxml2: fix CVE-2015-7942 and CVE-2015-8035Armin Kuster
CVE-2015-7942 libxml2: heap-based buffer overflow in xmlParseConditionalSections() CVE-2015-8035 libxml2: DoS when parsing specially crafted XML document if XZ support is enabled [YOCTO #8641] Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2015-06-18libxml2: Security Advisory - libxml2 - CVE-2015-1819Yue Tao
for CVE-2015-1819 Enforce the reader to run in constant memory Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2015-04-30libxml2: remove libxml2-CVE-2014-3660.patchRobert Yang
It is a backport patch, and verified that the patch is in the source. Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-04-08libxml2: Contain glibc-extentions under __GLIBC__Khem Raj
Makes it more portable Change-Id: I7bbc4cc0ebc26d54248b8433dab94db207615445 Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2015-01-15libxml2: Backport fix for CVE introduced entity issuesRichard Purdie
The CVE fix introduced problems with entity issues, we observed this when building the Yocto Docs in particular. Backport the fix from upstream so we can build our docs correctly. [YOCTO #7134] Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-12-24libxml2: upgrade to 2.9.2Hongxu Jia
- Rebase python-sitepackages-dir.patch to 2.9.2 - Drop libxml2-CVE-2014-3660.patch which has been merged to 2.9.2. - Add configure.ac-fix-cross-compiling-warning.patch to fix cross compilation failure. - Tweak do_configure_prepend, use configure.ac to instead of configure.in - Add cmake files to ${PN}-dev Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-10-24libxml2: fix CVE-2014-3660Joe MacDonald
It was discovered that the patch for CVE-2014-0191 for libxml2 is incomplete. It is still possible to have libxml2 incorrectly perform entity substituton even when the application using libxml2 explicitly disables the feature. This can allow a remote denial-of-service attack on systems with libxml2 prior to 2.9.2. References: http://www.openwall.com/lists/oss-security/2014/10/17/7 https://www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
2014-08-15libxml2: port AM_PATH_XML2 to use pkg-configRoss Burton
Upstream AM_PATH_XML2 uses xml2-config which we disable, so port this macro to use pkg-config. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-06-06libxml2: fix python packaging for nativesdkPaul Eggleton
We enable the python module in nativesdk-libxml2, but the python binary used is in the native sysroot and thus you get the module installed in the wrong path. Even with that fixed the python files are still unpackaged, so create an ${PN}-python package and add them to it. (This does not affect the libxml target build at all since python is disabled for that.) Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2014-05-08libxml2: fix CVE-2014-0191Maxin B. John
It was discovered that libxml2, a library providing support to read, modify and write XML files, incorrectly performs entity substituton in the doctype prolog, even if the application using libxml2 disabled any entity substitution. A remote attacker could provide a specially-crafted XML file that, when processed, would lead to the exhaustion of CPU and memory resources or file descriptors. Reference: https://access.redhat.com/security/cve/CVE-2014-0191 Signed-off-by: Maxin B. John <maxin.john@enea.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-09-17libxml2: remove patch for CVE-2012-2871Ross Burton
This CVE patch is actually against Chromium as they ship an internal fork of libxml2 and breaks ABI. The real issue has been resolved in libxslt 1.1.27, and we're shipping 1.1.28. Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-07-18Upstream-Status: Correct capitalizationSaul Wold
Signed-off-by: Saul Wold <sgw@linux.intel.com>
2013-07-09libxml2: Add ptestMihaela Sendrea
Install libxml2 test suite and run it as ptest. Signed-off-by: Mihaela Sendrea <mihaela.sendrea@enea.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
2012-12-14libxml2 CVE-2012-2871Li Wang
the patch come from: http://src.chromium.org/viewvc/chrome/trunk/src/third_party/libxml/src \ /include/libxml/tree.h?r1=56276&r2=149930 libxml2 2.9.0-rc1 and earlier, as used in Google Chrome before 21.0.1180.89, does not properly support a cast of an unspecified variable during handling of XSL transforms, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted document, related to the _xmlNs data structure in include/libxml/tree.h. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2871 [YOCTO #3580] [ CQID: WIND00376779 ] Upstream-Status: Pending Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com>
2012-07-10libxml2: Fix libzypp ansidecl related build failuresRichard Purdie
cmake looks at all include statements, even if they're not used. To make builds deterministic and avoid needing to add binutils as a dependency for libzypp, completely remove the include from the header file, even if it is never used. This avoids issues where you'd build binutils, then libzypp, then remove binutils (and hence ansidecl.h) and then recompile libzypp which would still have the dependency and hence fail. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2012-06-25libxml2: Update to 2.8.0Saul Wold
removed 2 patches that are now fixed upstream updated hash.c LIC_FILES_CHKSUM due to updating the date to 2012 Signed-off-by: Saul Wold <sgw@linux.intel.com>
2012-05-25libxml2: fix build with automake 1.12Nitin A Kamble
Signed-off-by: Nitin A Kamble <nitin.a.kamble@intel.com>
2012-01-09libxml2: add shared library version info to libxml shared librariesMatthew McClintock
This fixes an issue with RPM where it checks version imformation for binaries linked against libxml and fails because it's missing info | error: Failed dependencies: | libxml2.so.2(LIBXML2_2.6.0) is needed by fmc-0.9.7+2-r2.1.ppce500mc | libxml2.so.2(LIBXML2_2.4.30) is needed by fmc-0.9.7+2-r2.1.ppce500mc | ERROR: Function 'do_rootfs' failed (see Note: fmc is just an example recipe/name Signed-off-by: Matthew McClintock <msm@freescale.com>
2011-04-18libxml2: upgrade to version 2.7.8Qing He
[YOCTO #978] from 2.7.7 fixes CVE-2010-4008 Signed-off-by: Qing He <qing.he@intel.com>
2010-08-27Major layout change to the packages directoryRichard Purdie
Having one monolithic packages directory makes it hard to find things and is generally overwhelming. This commit splits it into several logical sections roughly based on function, recipes.txt gives more information about the classifications used. The opportunity is also used to switch from "packages" to "recipes" as used in OpenEmbedded as the term "packages" can be confusing to people and has many different meanings. Not all recipes have been classified yet, this is just a first pass at separating things out. Some packages are moved to meta-extras as they're no longer actively used or maintained. Signed-off-by: Richard Purdie <rpurdie@linux.intel.com>