The new flag doesn't work and the change even broke the XML_PARSE_NONET option.
(From OE-Core rev: 8b586f60778579ee2c9adae429128a07e8437553)
(From OE-Core rev: d2b1486bf8773d3eef36c5e77b82e70c88d9c682)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Since we go through the trouble of copying the Python tests, we may as
well actually run them...
This also avoids the following QA issue:
ERROR: libxml2-2.9.4-r0 do_package_qa: QA Issue:
/usr/lib/libxml2/ptest/python/tests/push.py contained in package
libxml2-ptest requires /usr/bin/python, but no providers found in
RDEPENDS_libxml2-ptest? [file-rdeps]
(From OE-Core rev: 2b9470678d8df152af54899adb4774fb0d481cf3)
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 30417429cea525e6eb6c3cfbe760ebe7b13f0980)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix type confusion in xmlValidateOneNamespace
Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types
on namespace declarations make no practical sense anyway.
Fixes bug 780228
CVE: CVE-2017-0663
(From OE-Core rev: a965be7b6a1d730851b4a3bc8fd534b9b2334227)
(From OE-Core rev: e442e7105ba39ddaed0749614b5ee552f9df2d5a)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Fix handling of parameter-entity references
There were two bugs where parameter-entity references could lead to an
unexpected change of the input buffer in xmlParseNameComplex and
xmlDictLookup being called with an invalid pointer.
Fixes bug 781205 and bug 781361
CVE: CVE-2017-9049 CVE-2017-9050
(From OE-Core rev: 2300762fef8fc8e3e56fb07fd4076c1deeba0a9b)
(From OE-Core rev: a409c50a09b12caa434b2b06bdcfb6beba43f67f)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
xmlSnprintfElementContent failed to correctly check the available
buffer space in two locations.
Fixes bug 781333 and bug 781701
CVE: CVE-2017-9047 CVE-2017-9048
(From OE-Core rev: bb0af023e811907b4e641b39f654ca921ac8794a)
(From OE-Core rev: d549b8f3836b2ffda5c59a7ae4d955846c558646)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier
and other products, does not offer a flag directly indicating that
the current document may be read but other files may not be opened,
which makes it easier for remote attackers to conduct XML External
Entity (XXE) attacks via a crafted document.
Reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9318
Upstream patch:
https://git.gnome.org/browse/libxml2/commit/?id=2304078555896cf1638c628f50326aeef6f0e0d0
(From OE-Core rev: 0dd44c00e3b2fbc3befc3f361624a3a60161d979)
Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The library libxml2 can provide its own bindings for python2 in addition
to the third party python-lxml and python3-lxml packages if this
functionality is enabled in PACKAGECONFIG.
But in case the functionality is disabled there's no need to depend
on python2.
Make the dependency on python2 enabled only if the python feature
is added to PACKAGECONFIG. Also add missing run-time dependency on make
to libxml2-ptest.
(From OE-Core rev: 3f1be2c3875fc112d9c67af16759091e007e5b99)
Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
With rss, moving these around was having an increasing overhead and we don't
need them in the native case so remove them.
(From OE-Core rev: 3b8dcd210a494baecead7dd1e568fb60ac93ed9b)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
getVar() now defaults to expanding by default, thus remove the True
option from getVar() calls with a regex search and replace.
Search made with the following regex: getVar ?\(( ?[^,()]*), True\)
(From OE-Core rev: 7c552996597faaee2fbee185b250c0ee30ea3b5f)
Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The NULL pointer dereferencing could produced some
security problems.
This is a preventive security fix.
(From OE-Core rev: 8f3008114d5000a0865f50833db7c3a3f9808601)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Namespace nodes must be copied to avoid use-after-free errors.
But they don't necessarily have a physical representation in a
document, so simply disallow them in XPointer ranges.
(From OE-Core rev: 00e928bd1c2aed9caeaf9e411743805d2139a023)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
xpath:
- Check for errors after evaluating first operand.
- Add sanity check for empty stack.
- Include comparation in changes from xmlXPathCmpNodesExt to xmlXPathCmpNodes
(From OE-Core rev: 96ef568f75dded56a2123b63dcc8b443f796afe0)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE-2016-5131 libxml2: Use-after-free vulnerability in libxml2 through
2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote
attackers to cause a denial of service or possibly have unspecified
other impact via vectors related to the XPointer range-to function.
External References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5131
Patch from:
https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
(From OE-Core rev: 640bd2b98ff33e49b42f1087650ebe20d92259a4)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The XML W3C conformance test suite contains thousands of xml files all
marked executable. We dutifully try to strip all these files of debug
info in do_package.
"chmod -x" improves build time by ~40 seconds.
(From OE-Core rev: eb9cdf6b9277d23d1696233fccc4689e6030644c)
Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Add PACKAGECONFIG for ipv6 and control it based
on DISTRO_FEATURES.
(From OE-Core rev: 1a505037e9a6dc86b523b378d6446baae71f1a2c)
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We patch Python's distutils modules to access STAGING_INCDIR/LIBDIR, so when
they are not set, scripts that utilize distutils (e.g. python-config) fail.
Several recipes need to export those manually to prevent such failures,
so let's do that in the class instead.
PYTHON variable is exported because otherwise autotools' python.m4
macro will pick up its own internal default, which may not be the version
that we want.
glib recipe in particular was previously using Python 2.x during build due to python.m4
defaulting to it - now it's using Python 3.x, and so needs a small fix in
deletion of *.pyc files.
(From OE-Core rev: c1e0eb62f2d89b10b187016200018830b1c77945)
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
- Drop configure.ac-fix-cross-compiling-warning.patch,
libxml2 2.9.4 has fixed it
(From OE-Core rev: 323c7cec65603476994dde196f4c2c151d0e0d31)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Andrej Valek
Peter Kjellerstedt
Alexander Kanavin
Catalin Enache
Dmitry Rozhkov
Richard Purdie
Joshua Lock
Yi Zhao
Jussi Kukkonen
Jackie Huang
Hongxu Jia