Includes a fix for CVE-2022-43680.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
License change is due to copyright year changes only.
Changelog:
=========
Security fixes:
#629 #640 CVE-2022-40674 -- Heap use-after-free vulnerability in
function doContent. Expected impact is denial of service
or potentially arbitrary code execution.
Bug fixes:
#634 MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0
#614 docs: Fix documentation on effect of switch XML_DTD on
symbol visibility in doc/reference.html
Other changes:
#638 MinGW: Make fix-xmltest-log.sh drop more Wine bug output
#596 #625 Autotools: Sync CMake templates with CMake 3.22
#608 CMake: Migrate from use of CMAKE_*_POSTFIX to
dedicated variables EXPAT_*_POSTFIX to stop affecting
other projects
#597 #599 Windows|CMake: Add missing -DXML_STATIC to test runners
and fuzzers
#512 #621 Windows|CMake: Render .def file from a template to fix
linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
#611 #621 MinGW|CMake: Apply MSVC .def file when linking
#622 #624 MinGW|CMake: Sync library name with GNU Autotools,
i.e. produce libexpat-1.dll rather than libexpat.dll
by default. Filename libexpat.dll.a is unaffected.
#632 MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in
toolchain file "cmake/mingw-toolchain.cmake" to avoid
error "windres: Command not found" on e.g. Ubuntu 20.04
#597 #627 CMake: Unify inconsistent use of set() and option() in
context of public build time options to take need for
set(.. FORCE) in projects using Expat by means of
add_subdirectory(..) off Expat's users' shoulders
#626 #641 Stop exporting API symbols when building a static library
#644 Resolve use of deprecated "fgrep" by "grep -F"
#620 CMake: Make documentation on variables a bit more consistent
#636 CMake: Drop leading whitespace from a #cmakedefine line in
file expat_config.h.cmake
#594 xmlwf: Fix harmless variable mix-up in function nsattcmp
#592 #593 #610 Address Cppcheck warnings
#643 Address Clang 15 compiler warnings
#642 #644 Version info bumped from 9:8:8 to 9:9:8;
see https://verbump.de/ for what these numbers do
Infrastructure:
#597 #598 CI: Windows: Start covering MSVC 2022
#619 CI: macOS: Migrate off deprecated macOS 10.15
#632 CI: Linux: Make migration off deprecated Ubuntu 18.04 work
#643 CI: Upgrade Clang from 14 to 15
#637 apply-clang-format.sh: Add support for BSD find
#633 coverage.sh: Exclude MinGW headers
#635 coverage.sh: Fix name collision for -funsigned-char
Special thanks to:
David Faure
Felix Wilhelm
Frank Bergmann
Rhodri James
Rosen Penev
Thijs Schreijer
Vincent Torri
and
Google Project Zero
Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Changelog:
=========
Other changes:
#587 pkg-config: Move "-lm" to section "Libs.private"
#587 CMake|MSVC: Fix pkg-config section "Libs"
#55 #582 CMake|macOS: Start using linker arguments
"-compatibility_version <version>" and
"-current_version <version>" in a way compatible with
GNU Libtool
#590 #591 Version info bumped from 9:7:8 to 9:8:8;
see https://verbump.de/ for what these numbers do
Infrastructure:
#589 CI: Upgrade Clang from 13 to 14
Special thanks to:
evpobr
Kai Pastor
Sam James
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This is a security fix release containing fixes for CVE-2022-25235, CVE-2022-25236,
CVE-2022-25313, CVE-2022-25314 and CVE-2022-25315.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Fixes CVE-2022-23852 and CVE-2022-23990.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Upstream mentioned our ptest-runner could likely be simplified. I had a
look at the output and yes, most of the code in the runner is now obsolete
as upstream output is compatible with what we need. Simplify accordingly.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This patch is old. We use cmake for building expat now and libtool isn't even
used. The upstream author asked questions about it and it can clearly be dropped,
so do so.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Primarily a security fix release which includes:
CVE-2021-45960
CVE-2021-46143
CVE-2022-22822
CVE-2022-22823
CVE-2022-22824
CVE-2022-22825
CVE-2022-22826
CVE-2022-22827
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Upstream pointed out we were using an old url for HOMEPAGE. Update it to the
current url.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Changelog:
=========
#509 #510 Link against libm for function "isnan"
#513 #514 Include expat_config.h as early as possible
#498 Autotools: Include files with release archives:
- buildconf.sh
- fuzz/*.c
#507 #519 Autotools: Sync CMake templates
#495 #524 CMake: MinGW: Fix pkg-config section "Libs" for
- non-release build types (e.g. -DCMAKE_BUILD_TYPE=Debug)
- multi-config CMake generators (e.g. Ninja Multi-Config)
#502 #503 docs: Document that function XML_GetBuffer may return NULL
when asking for a buffer of 0 (zero) bytes size
#522 #523 docs: Fix return value docs for both
XML_SetBillionLaughsAttackProtection* functions
#525 #526 Version info bumped from 9:1:8 to 9:2:8;
see https://verbump.de/ for what these numbers do
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Sometimes we can find release tarballs from sourceforge are not fully
distributed along all download mirrors leading to fetching failures,
depending on what download mirror will be chosen by sourceforge
servers.
As the project moved to github anyway, it's better to pull the tarballs
directly from github releases - serving the very same static artifacts.
Add an override UPSTREAM_CHECK_URI to enable devtool upgrade checks
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Upstream database uses both "expat" and "libexpat" to report CVEs
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Includes a lot of security fixes, especially CVE-2013-0340/CWE-776.
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Drop 0001-Add-output-of-tests-result.patch
(difficult to rebase). I have verified that ptests
still pass, and print PASS for every test. If they
start failing we can revisit what kind of output would
be beneficial.
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
License-Update: copyright years
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
For ptest support of expat package:
- expat_2.2.9.bb recipe was switched on cmake-based building system to
avoid changes in autotools build system which considered in upstream as
potentially deprecated (https://github.com/libexpat/libexpat/issues/330).
- cmake-native_3.17.3.bb recipe was forced to use bundled version of
expat from CMake source tree. Therefore expat-native package has been removed
from DEPENDS variable for cmake-native recipe. Without
these changes, next dependency loop appears:
Dependency loop #1 found:
Task /home/opopovych/repos/poky/meta/recipes-devtools/cmake/cmake-native_3.17.3.bb:do_compile (dependent Tasks ['cmake-native_3.17.3.bb:do_configure'])
Task /home/opopovych/repos/poky/meta/recipes-devtools/cmake/cmake-native_3.17.3.bb:do_install (dependent Tasks ['cmake-native_3.17.3.bb:do_compile'])
Task /home/opopovych/repos/poky/meta/recipes-devtools/cmake/cmake-native_3.17.3.bb:do_populate_sysroot (dependent Tasks ['cmake-native_3.17.3.bb:do_install'])
Task virtual:native:/home/opopovych/repos/poky/meta/recipes-core/expat/expat_2.2.9.bb:do_prepare_recipe_sysroot (dependent Tasks ['cmake-native_3.17.3.bb:do_populate_sysroot', 'ninja_1.10.0.bb:do_populate_sysroot', 'expat_2.2.9.bb:do_fetch'])
Task virtual:native:/home/opopovych/repos/poky/meta/recipes-core/expat/expat_2.2.9.bb:do_configure (dependent Tasks ['expat_2.2.9.bb:do_patch', 'expat_2.2.9.bb:do_prepare_recipe_sysroot', 'expat_2.2.9.bb:do_generate_toolchain_file', 'expat_2.2.9.bb:do_deploy_source_date_epoch'])
Task virtual:native:/home/opopovych/repos/poky/meta/recipes-core/expat/expat_2.2.9.bb:do_compile (dependent Tasks ['expat_2.2.9.bb:do_configure'])
Task virtual:native:/home/opopovych/repos/poky/meta/recipes-core/expat/expat_2.2.9.bb:do_install (dependent Tasks ['expat_2.2.9.bb:do_compile'])
Task virtual:native:/home/opopovych/repos/poky/meta/recipes-core/expat/expat_2.2.9.bb:do_populate_sysroot (dependent Tasks ['expat_2.2.9.bb:do_install'])
Task /home/opopovych/repos/poky/meta/recipes-devtools/cmake/cmake-native_3.17.3.bb:do_prepare_recipe_sysroot (dependent Tasks ['expat_2.2.9.bb:do_populate_sysroot', 'xz_5.2.5.bb:do_populate_sysroot', 'bzip2_1.0.8.bb:do_populate_sysroot', 'ncurses_6.2.bb:do_populate_sysroot', 'zlib_1.2.11.bb:do_populate_sysroot', 'cmake-native_3.17.3.bb:do_fetch', 'curl_7.71.1.bb:do_populate_sysroot'])
Task /home/opopovych/repos/poky/meta/recipes-devtools/cmake/cmake-native_3.17.3.bb:do_configure (dependent Tasks ['cmake-native_3.17.3.bb:do_deploy_source_date_epoch', 'cmake-native_3.17.3.bb:do_patch', 'cmake-native_3.17.3.bb:do_prepare_recipe_sysroot'])
- run-ptest script that initializes testing, copies testing
executables' output to log file and measures execution time of each testing
executable was added.
- patch that implements output of each testcase result in testing executable
was added.
Signed-off-by: Oleksandr Popovych <oleksandr.s.popovych@globallogic.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Removed patch is not appropriate anymore.
Signed-off-by: Oleksandr Kravchuk <open.source@oleksandr-kravchuk.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We have a problem when for example, a glibc 2.27 based system builds some
library like libpopt-native and puts it into sstate then it is reused
on a pre glibc-2.27 system to build something which depends on popt like
rpm-native. This results in an error like:
recipe-sysroot-native/usr/lib/libpopt.so: undefined reference to `glob@GLIBC_2.27'
In the past we've had this problem with new symbols like getrandom and
getentropy, here it's with a more complex symbol where there is an old
version and a newer version.
We've looked into various options, basically we cannot link against our
uninative libc/ld.so since we don't have the right headers or compiler
link libraries. The compiler doesn't allow you to switch in a new set
either, even if we did want to ship them. Shipping a complete compiler,
dev headers and libs also isn't an option.
On the other hand if we follow the ld man page, it does say:
"""
The reasons for allowing undefined symbol references in shared libraries
specified at link time are that:
- A shared library specified at link time may not be the same as the one
that is available at load time, so the symbol might actually be
resolvable at load time.
"""
which is exactly this case. By the time the binary runs, it will use
our uninative loader and libc and the symbol will be available.
Therefore we basically have a choice, we get weird intermittent bugs,
we drop uninative entirely, or we pass this option.
If we pass the option, we can drop the other workarounds too.
(From OE-Core rev: 75a62ede393bf6b4972390ef5290d50add19341a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The patch tool will apply patches by default with "fuzz", which is where if the
hunk context isn't present but what is there is close enough, it will force the
patch in.
Whilst this is useful when there's just whitespace changes, when applied to
source it is possible for a patch applied with fuzz to produce broken code which
still compiles (see #10450). This is obviously bad.
We'd like to eventually have do_patch() rejecting any fuzz on these grounds. For
that to be realistic the existing patches with fuzz need to be rebased and
reviewed.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Back in 2010 the expat 2.0.1 tarball wouldn't unpack correctly with old gzip
releases (prior to 1.4). The fix was to explicitly depend on gzip-native to use
our binary instead of the host[1].
We don't ship expat 2.0.1 anymore, and even CentOS 7 ships gzip 1.5, so this
workaround can be removed.
[1] oe-core 0ff62b0462f3f64672bd4704de9a192eb1a730d1
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
getrandom() is only available in glibc 2.25+ and uninative may relocate
binaries onto systems that don't have this function. For now, force
the code to the older codepath until we can come up with a better solution
for this kind of issue.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The COPYING file in expat has the following changes:
2001-20016 to 2001-2017
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
With recipe specific sysroots, the gzip-replacement-native dance/class
is obsolete, simplify the code accordingly.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Remove a patch that is no longer needed.
License checksum changes because of a copyright year change.
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Fix CVE-2016-0718: expat XML parser crashes on malformed input
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0718
https://bugzilla.redhat.com/show_bug.cgi?id=1296102
https://bugzilla.suse.com/show_bug.cgi?id=979441
Patch from:
https://bugzilla.redhat.com/show_bug.cgi?id=1296102
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
* Remove backported CVE patch
* Update autotools patch
* Update SRC_URI to match current archive type
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Add CVE-2015-1283 patch for fixing integer overflow bug in expat.
Details are at below link:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283
Patch comes from:
https://hg.mozilla.org/releases/mozilla-esr31/rev/2f3e78643f5c
https://codereview.chromium.org/1224303003
Signed-off-by: Zhixiong Chi <Zhixiong.Chi@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
Completes previous commit b5292d4115a4555a66b5e35acdc67dd71fb8577f.
Updates SUMMARY[doc] (meta/conf/documentation.conf).
Changes:
- rename DESCRIPTION with length < 80 to (non present tag) SUMMARY
- drop final point character at the end of SUMMARY string
- remove trailing whitespace of SUMMARY line
Note: don't bump PR
Signed-off-by: Matthieu Crapet <Matthieu.Crapet@ingenico.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Remove all PR = "r0" from all .bb files in oe-core. This was done
with the command sed -e '/^PR.*=.*r0\"/d' recipes*/*/*.bb -i
We've switching to the PR server, PR bumps are no longer needed and
this saves people either accidentally bumping them or forgetting to
remove the lines (r0 is the default anyway).
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Marko Lindqvist <cazfi74@gmail.com>
|
|
Due to the system providing a copy of gzip, we face some issues when we
'shadow' that copy with our own leading to a variant of race type bugs,
and issues for example if a dependency such as libz is missing but the
binary is still present. We usually rely on our dependency logic to protect
us from this but for gzip, we don't have this protection since it's not listed
by all its users (and doing so would be impractical).
This patch installed pigz and gzip into their own directory which we only
add to PATH when we explicitly want these binaries in much the same way we do
with perl-native. This means dependency logic is correct when we use the binary
and everything should work well.
The patch adds an explicit dependency into image.bbclass since the accelerated
speed of compression is most appreciated at rootfs time.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
to rebuild after perl upgrade
* this isn't probably complete list.. just what failed here
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Add Upstream-Status tag to patches for the following recipes:
openssh
dbus-glib
expat
opensp
sgml-common
at
cpio (GPLv3 version)
libpam
icu
Signed-off-by: Scott Garman <scott.a.garman@intel.com>
|
|
Signed-off-by: Saul Wold <sgw@linux.intel.com>
|
|
Add COPYING file checksum to bb file
Signed-off-by: Mei Lei <lei.mei@intel.com>
|
|
[BUGID #281]
Evaluate and update each package in recipes-core to ensure they have a
consistent summary and description.
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
|
|
Having one monolithic packages directory makes it hard to find things
and is generally overwhelming. This commit splits it into several
logical sections roughly based on function, recipes.txt gives more
information about the classifications used.
The opportunity is also used to switch from "packages" to "recipes"
as used in OpenEmbedded as the term "packages" can be confusing to
people and has many different meanings.
Not all recipes have been classified yet, this is just a first pass
at separating things out. Some packages are moved to meta-extras as
they're no longer actively used or maintained.
Signed-off-by: Richard Purdie <rpurdie@linux.intel.com>
|