* [OE-core][PATCH] expat: upgrade 2.2.10 -> 2.4.1
From: Andrej Valek @ 2021-05-25 9:09 UTC
To: openembedded-core; +Cc: Andrej Valek
Includes a lot of security fixes, especially CVE-2013-0340/CWE-776.
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
.../expat/0001-Add-output-of-tests-result.patch | 83 ----------------------
.../expat/{expat_2.2.10.bb => expat_2.4.1.bb} | 3 +-
2 files changed, 1 insertion(+), 85 deletions(-)
delete mode 100644 meta/recipes-core/expat/expat/0001-Add-output-of-tests-result.patch
rename meta/recipes-core/expat/{expat_2.2.10.bb => expat_2.4.1.bb} (84%)
diff --git a/meta/recipes-core/expat/expat/0001-Add-output-of-tests-result.patch b/meta/recipes-core/expat/expat/0001-Add-output-of-tests-result.patch
deleted file mode 100644
index c5c18ead74..0000000000
--- a/meta/recipes-core/expat/expat/0001-Add-output-of-tests-result.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From aa84835a00bfd65e784d58411e76f60658e939dc Mon Sep 17 00:00:00 2001
-From: Oleksandr Popovych <oleksandr.s.popovych@globallogic.com>
-Date: Tue, 18 Feb 2020 19:04:55 +0200
-Subject: [PATCH] Add output of tests result
-
-Added console output of testing results in form 'RESULT: TEST_NAME'.
-
-Changed verbose mode of test application set by '-v' ('--verbose')
-argument to CK_NORMAL.
-Added new supported argument '-vv' ('--extra-verbose') that changes
-verbose mode of test application to CK_VERBOSE. Results of each test
-are shown in output only if this mode is set.
-
-Upstream-Status: Denied
-
-This patch changes potentially deprecated feature that shoud be changed
-in upstream. [https://github.com/libexpat/libexpat/issues/382]
-
-Signed-off-by: Oleksandr Popovych <oleksandr.s.popovych@globallogic.com>
----
- tests/minicheck.c | 10 +++++++++-
- tests/runtests.c | 4 +++-
- 2 files changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/expat/tests/minicheck.c b/expat/tests/minicheck.c
-index a5a1efb..94fa412 100644
---- a/tests/minicheck.c
-+++ b/tests/minicheck.c
-@@ -164,6 +164,8 @@ srunner_run_all(SRunner *runner, int verbosity) {
- if (tc->setup != NULL) {
- /* setup */
- if (setjmp(env)) {
-+ if (verbosity >= CK_VERBOSE)
-+ printf("SKIP: %s\n", _check_current_function);
- add_failure(runner, verbosity);
- continue;
- }
-@@ -171,6 +173,8 @@ srunner_run_all(SRunner *runner, int verbosity) {
- }
- /* test */
- if (setjmp(env)) {
-+ if (verbosity >= CK_VERBOSE)
-+ printf("FAIL: %s\n", _check_current_function);
- add_failure(runner, verbosity);
- continue;
- }
-@@ -178,12 +182,16 @@ srunner_run_all(SRunner *runner, int verbosity) {
-
- /* teardown */
- if (tc->teardown != NULL) {
-- if (setjmp(env)) {
-+ if (setjmp(env)) {
-+ if (verbosity >= CK_VERBOSE)
-+ printf("PASS: %s\n", _check_current_function);
- add_failure(runner, verbosity);
- continue;
- }
- tc->teardown();
- }
-+ if (verbosity >= CK_VERBOSE)
-+ printf("PASS: %s\n", _check_current_function);
- }
- tc = tc->next_tcase;
- }
-diff --git a/tests/runtests.c b/expat/tests/runtests.c
-index 7791fe0..75724e5 100644
---- a/tests/runtests.c
-+++ b/tests/runtests.c
-@@ -11619,9 +11619,11 @@ main(int argc, char *argv[]) {
- for (i = 1; i < argc; ++i) {
- char *opt = argv[i];
- if (strcmp(opt, "-v") == 0 || strcmp(opt, "--verbose") == 0)
-- verbosity = CK_VERBOSE;
-+ verbosity = CK_NORMAL;
- else if (strcmp(opt, "-q") == 0 || strcmp(opt, "--quiet") == 0)
- verbosity = CK_SILENT;
-+ else if (strcmp(opt, "-vv") == 0 || strcmp(opt, "--extra-verbose") == 0)
-+ verbosity = CK_VERBOSE;
- else {
- fprintf(stderr, "runtests: unknown option '%s'\n", opt);
- return 2;
---
-2.17.1
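Review bot: Deleting 0001-Add-output-of-tests-result.patch (the whole 83-line file in this hunk) is not explained in the commit message, which only mentions security fixes. The deleted patch is what makes the test runner print per-test "PASS:"/"FAIL:"/"SKIP:" lines under -vv, and run-ptest stays in SRC_URI, so the message should say whether run-ptest still gets parsable results without it or has been adjusted. The patch was marked Upstream-Status: Denied, and its teardown branch prints "PASS:" immediately before add_failure(); if either is the reason for dropping it, state that in the message.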
diff --git a/meta/recipes-core/expat/expat_2.2.10.bb b/meta/recipes-core/expat/expat_2.4.1.bb
similarity index 84%
rename from meta/recipes-core/expat/expat_2.2.10.bb
rename to meta/recipes-core/expat/expat_2.4.1.bb
index fa263775b3..476c5f8cc7 100644
--- a/meta/recipes-core/expat/expat_2.2.10.bb
+++ b/meta/recipes-core/expat/expat_2.4.1.bb
@@ -9,10 +9,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=9e2ce3b3c4c0f2670883a23bbd7c37a9"
SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.bz2 \
file://libtool-tag.patch \
file://run-ptest \
- file://0001-Add-output-of-tests-result.patch \
"
-SRC_URI[sha256sum] = "b2c160f1b60e92da69de8e12333096aeb0c3bf692d41c60794de278af72135a5"
+SRC_URI[sha256sum] = "2f9b6a580b94577b150a7d5617ad4643a4301a6616ff459307df3e225bcfbf40"
EXTRA_OECMAKE_class-native += "-DEXPAT_BUILD_DOCS=OFF"
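Review bot: LIC_FILES_CHKSUM (visible in the @@ context line of this hunk) is carried over unchanged across the 2.2.10 -> 2.4.1 jump while SRC_URI[sha256sum] is the only integrity pin that changes. The commit message should state that COPYING was rechecked for 2.4.1 and where the new sha256 value was verified, since the tarball is fetched from ${SOURCEFORGE_MIRROR} and this checksum is the only thing binding the recipe to the intended release.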
--
2.11.0
* Re: [OE-core][PATCH] expat: upgrade 2.2.10 -> 2.4.1
From: Alexander Kanavin @ 2021-05-25 10:03 UTC
To: Andrej Valek; +Cc: OE-core
I think you need to rebase this on master first, as it already has 2.3.0.
And removing patches needs to be explained.
Alex
On Tue, 25 May 2021 at 11:10, Andrej Valek <andrej.valek@siemens.com> wrote:
> Includes a lot of security fixes, especially CVE-2013-0340/CWE-776.
>
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> ---
> .../expat/0001-Add-output-of-tests-result.patch | 83
> ----------------------
> .../expat/{expat_2.2.10.bb => expat_2.4.1.bb} | 3 +-
> 2 files changed, 1 insertion(+), 85 deletions(-)
> delete mode 100644
> meta/recipes-core/expat/expat/0001-Add-output-of-tests-result.patch
> rename meta/recipes-core/expat/{expat_2.2.10.bb => expat_2.4.1.bb} (84%)
>
> diff --git
> a/meta/recipes-core/expat/expat/0001-Add-output-of-tests-result.patch
> b/meta/recipes-core/expat/expat/0001-Add-output-of-tests-result.patch
> deleted file mode 100644
> index c5c18ead74..0000000000
> --- a/meta/recipes-core/expat/expat/0001-Add-output-of-tests-result.patch
> +++ /dev/null
> @@ -1,83 +0,0 @@
> -From aa84835a00bfd65e784d58411e76f60658e939dc Mon Sep 17 00:00:00 2001
> -From: Oleksandr Popovych <oleksandr.s.popovych@globallogic.com>
> -Date: Tue, 18 Feb 2020 19:04:55 +0200
> -Subject: [PATCH] Add output of tests result
> -
> -Added console output of testing results in form 'RESULT: TEST_NAME'.
> -
> -Changed verbose mode of test application set by '-v' ('--verbose')
> -argument to CK_NORMAL.
> -Added new supported argument '-vv' ('--extra-verbose') that changes
> -verbose mode of test application to CK_VERBOSE. Results of each test
> -are shown in output only if this mode is set.
> -
> -Upstream-Status: Denied
> -
> -This patch changes potentially deprecated feature that shoud be changed
> -in upstream. [https://github.com/libexpat/libexpat/issues/382]
> -
> -Signed-off-by: Oleksandr Popovych <oleksandr.s.popovych@globallogic.com>
> ----
> - tests/minicheck.c | 10 +++++++++-
> - tests/runtests.c | 4 +++-
> - 2 files changed, 12 insertions(+), 2 deletions(-)
> -
> -diff --git a/expat/tests/minicheck.c b/expat/tests/minicheck.c
> -index a5a1efb..94fa412 100644
> ---- a/tests/minicheck.c
> -+++ b/tests/minicheck.c
> -@@ -164,6 +164,8 @@ srunner_run_all(SRunner *runner, int verbosity) {
> - if (tc->setup != NULL) {
> - /* setup */
> - if (setjmp(env)) {
> -+ if (verbosity >= CK_VERBOSE)
> -+ printf("SKIP: %s\n", _check_current_function);
> - add_failure(runner, verbosity);
> - continue;
> - }
> -@@ -171,6 +173,8 @@ srunner_run_all(SRunner *runner, int verbosity) {
> - }
> - /* test */
> - if (setjmp(env)) {
> -+ if (verbosity >= CK_VERBOSE)
> -+ printf("FAIL: %s\n", _check_current_function);
> - add_failure(runner, verbosity);
> - continue;
> - }
> -@@ -178,12 +182,16 @@ srunner_run_all(SRunner *runner, int verbosity) {
> -
> - /* teardown */
> - if (tc->teardown != NULL) {
> -- if (setjmp(env)) {
> -+ if (setjmp(env)) {
> -+ if (verbosity >= CK_VERBOSE)
> -+ printf("PASS: %s\n", _check_current_function);
> - add_failure(runner, verbosity);
> - continue;
> - }
> - tc->teardown();
> - }
> -+ if (verbosity >= CK_VERBOSE)
> -+ printf("PASS: %s\n", _check_current_function);
> - }
> - tc = tc->next_tcase;
> - }
> -diff --git a/tests/runtests.c b/expat/tests/runtests.c
> -index 7791fe0..75724e5 100644
> ---- a/tests/runtests.c
> -+++ b/tests/runtests.c
> -@@ -11619,9 +11619,11 @@ main(int argc, char *argv[]) {
> - for (i = 1; i < argc; ++i) {
> - char *opt = argv[i];
> - if (strcmp(opt, "-v") == 0 || strcmp(opt, "--verbose") == 0)
> -- verbosity = CK_VERBOSE;
> -+ verbosity = CK_NORMAL;
> - else if (strcmp(opt, "-q") == 0 || strcmp(opt, "--quiet") == 0)
> - verbosity = CK_SILENT;
> -+ else if (strcmp(opt, "-vv") == 0 || strcmp(opt, "--extra-verbose")
> == 0)
> -+ verbosity = CK_VERBOSE;
> - else {
> - fprintf(stderr, "runtests: unknown option '%s'\n", opt);
> - return 2;
> ---
> -2.17.1
> diff --git a/meta/recipes-core/expat/expat_2.2.10.bb
> b/meta/recipes-core/expat/expat_2.4.1.bb
> similarity index 84%
> rename from meta/recipes-core/expat/expat_2.2.10.bb
> rename to meta/recipes-core/expat/expat_2.4.1.bb
> index fa263775b3..476c5f8cc7 100644
> --- a/meta/recipes-core/expat/expat_2.2.10.bb
> +++ b/meta/recipes-core/expat/expat_2.4.1.bb
> @@ -9,10 +9,9 @@ LIC_FILES_CHKSUM =
> "file://COPYING;md5=9e2ce3b3c4c0f2670883a23bbd7c37a9"
> SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.bz2 \
> file://libtool-tag.patch \
> file://run-ptest \
> - file://0001-Add-output-of-tests-result.patch \
> "
>
> -SRC_URI[sha256sum] =
> "b2c160f1b60e92da69de8e12333096aeb0c3bf692d41c60794de278af72135a5"
> +SRC_URI[sha256sum] =
> "2f9b6a580b94577b150a7d5617ad4643a4301a6616ff459307df3e225bcfbf40"
>
> EXTRA_OECMAKE_class-native += "-DEXPAT_BUILD_DOCS=OFF"
>
> --
> 2.11.0
* [OE-core][PATCH v2] expat: upgrade 2.3.0 -> 2.4.1
From: Andrej Valek @ 2021-05-25 10:13 UTC
To: openembedded-core; +Cc: Andrej Valek
Includes a lot of security fixes, especially CVE-2013-0340/CWE-776.
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
meta/recipes-core/expat/{expat_2.3.0.bb => expat_2.4.1.bb} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename meta/recipes-core/expat/{expat_2.3.0.bb => expat_2.4.1.bb} (89%)
diff --git a/meta/recipes-core/expat/expat_2.3.0.bb b/meta/recipes-core/expat/expat_2.4.1.bb
similarity index 89%
rename from meta/recipes-core/expat/expat_2.3.0.bb
rename to meta/recipes-core/expat/expat_2.4.1.bb
index 14d2855df3..a57fc1b23b 100644
--- a/meta/recipes-core/expat/expat_2.3.0.bb
+++ b/meta/recipes-core/expat/expat_2.4.1.bb
@@ -11,7 +11,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.bz2 \
file://run-ptest \
"
-SRC_URI[sha256sum] = "f122a20eada303f904d5e0513326c5b821248f2d4d2afbf5c6f1339e511c0586"
+SRC_URI[sha256sum] = "2f9b6a580b94577b150a7d5617ad4643a4301a6616ff459307df3e225bcfbf40"
EXTRA_OECMAKE_class-native += "-DEXPAT_BUILD_DOCS=OFF"
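Review bot: The commit message names CVE-2013-0340/CWE-776, but the only change in this hunk is the SRC_URI[sha256sum] line, so nothing in the recipe or the message ties the fix to a specific upstream release between 2.3.0 and 2.4.1. Say in the message which release introduces the fix and whether the 2.3.0 -> 2.4.1 range also carries non-security changes, since that decides whether the bump can be considered for stable branches.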
--
2.11.0
* Re: [OE-core][PATCH v2] expat: upgrade 2.3.0 -> 2.4.1
From: Andrej Valek @ 2021-05-25 12:50 UTC
To: openembedded-core; +Cc: Alexander Kanavin
Hello everyone,
I have another question regarding backporting this to the dunfell branch. Is it possible to apply this upgrade to this branch? I would like to have a very important fix for CVE-2013-0340 (https://github.com/libexpat/libexpat/pull/220) there. But there are a lot of changes, which means just applying the patch is not very promising.
How can we handle it?
Thanks,
Andrej
> Subject: [OE-core][PATCH v2] expat: upgrade 2.3.0 -> 2.4.1
>
> Includes a lot of security fixes, especially CVE-2013-0340/CWE-776.
>
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> ---
> meta/recipes-core/expat/{expat_2.3.0.bb => expat_2.4.1.bb} | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-core/expat/{expat_2.3.0.bb => expat_2.4.1.bb} (89%)
>
> diff --git a/meta/recipes-core/expat/expat_2.3.0.bb b/meta/recipes-core/expat/expat_2.4.1.bb
> similarity index 89%
> rename from meta/recipes-core/expat/expat_2.3.0.bb
> rename to meta/recipes-core/expat/expat_2.4.1.bb
> index 14d2855df3..a57fc1b23b 100644
> --- a/meta/recipes-core/expat/expat_2.3.0.bb
> +++ b/meta/recipes-core/expat/expat_2.4.1.bb
> @@ -11,7 +11,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.bz2 \
> file://run-ptest \
> "
>
> -SRC_URI[sha256sum] = "f122a20eada303f904d5e0513326c5b821248f2d4d2afbf5c6f1339e511c0586"
> +SRC_URI[sha256sum] = "2f9b6a580b94577b150a7d5617ad4643a4301a6616ff459307df3e225bcfbf40"
>
> EXTRA_OECMAKE_class-native += "-DEXPAT_BUILD_DOCS=OFF"
>
> --
> 2.11.0
* Re: [OE-core][PATCH v2] expat: upgrade 2.3.0 -> 2.4.1
From: Richard Purdie @ 2021-05-25 22:17 UTC
To: Andrej Valek, openembedded-core; +Cc: Alexander Kanavin, Steve Sakoman
On Tue, 2021-05-25 at 12:50 +0000, Andrej Valek wrote:
> Hello everyone,
>
> I have another question regarding backporting this to the dunfell branch.
> Is it possible to apply this upgrade to this branch? I would like to have
> a very important fix for CVE-2013-0340 (https://github.com/libexpat/libexpat/pull/220)
> there. But there are a lot of changes, which means just applying the patch is not very promising.
>
> How can we handle it?
Adding Steve to Cc. It is possible if there is a good case for it and there
aren't bad side effects from the change. I don't know enough about expat here
to comment on that.
I suspect we should be adding something to the expat recipe to make it match
libexpat CVEs, maybe CVE_PRODUCT = "libexpat"?
Cheers,
Richard
* Re: [OE-core][PATCH v2] expat: upgrade 2.3.0 -> 2.4.1
From: Steve Sakoman @ 2021-05-25 22:18 UTC
To: Andrej Valek; +Cc: openembedded-core, Alexander Kanavin
On Tue, May 25, 2021 at 2:50 AM Andrej Valek <andrej.valek@siemens.com> wrote:
>
> Hello everyone,
>
> I have another question regarding backporting this to the dunfell branch. Is it possible to apply this upgrade to this branch? I would like to have a very important fix for CVE-2013-0340 (https://github.com/libexpat/libexpat/pull/220) there. But there are a lot of changes, which means just applying the patch is not very promising.
It is LTS policy not to do general version upgrades (see "Stable/LTS
Patch Acceptance Policies" at
https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS)
So unless you can make a case that this is a bug/security fix only
release I'm not able to take this patch.
> How can we handle it?
Perhaps take a crack at backporting the minimal set of patches to fix the CVE?
Steve
> Thanks,
> Andrej
>
> > Subject: [OE-core][PATCH v2] expat: upgrade 2.3.0 -> 2.4.1
> >
> > Includes a lot of security fixes, especially CVE-2013-0340/CWE-776.
> >
> > Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > ---
> > meta/recipes-core/expat/{expat_2.3.0.bb => expat_2.4.1.bb} | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-) rename meta/recipes-core/expat/{expat_2.3.0.bb => expat_2.4.1.bb} (89%)
> >
> > diff --git a/meta/recipes-core/expat/expat_2.3.0.bb b/meta/recipes-core/expat/expat_2.4.1.bb
> > similarity index 89%
> > rename from meta/recipes-core/expat/expat_2.3.0.bb
> > rename to meta/recipes-core/expat/expat_2.4.1.bb
> > index 14d2855df3..a57fc1b23b 100644
> > --- a/meta/recipes-core/expat/expat_2.3.0.bb
> > +++ b/meta/recipes-core/expat/expat_2.4.1.bb
> > @@ -11,7 +11,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.bz2 \
> > file://run-ptest \
> > "
> >
> > -SRC_URI[sha256sum] = "f122a20eada303f904d5e0513326c5b821248f2d4d2afbf5c6f1339e511c0586"
> > +SRC_URI[sha256sum] = "2f9b6a580b94577b150a7d5617ad4643a4301a6616ff459307df3e225bcfbf40"
> >
> > EXTRA_OECMAKE_class-native += "-DEXPAT_BUILD_DOCS=OFF"
> >
> > --
> > 2.11.0
* Re: [OE-core][PATCH v2] expat: upgrade 2.3.0 -> 2.4.1
From: Steve Sakoman @ 2021-05-25 22:23 UTC
To: Richard Purdie; +Cc: Andrej Valek, openembedded-core, Alexander Kanavin
On Tue, May 25, 2021 at 12:17 PM Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
>
> On Tue, 2021-05-25 at 12:50 +0000, Andrej Valek wrote:
> > Hello everyone,
> >
> > I have another question regarding backporting this to the dunfell branch.
> > Is it possible to apply this upgrade to this branch? I would like to have
> > a very important fix for CVE-2013-0340 (https://github.com/libexpat/libexpat/pull/220)
> > there. But there are a lot of changes, which means just applying the patch is not very promising.
> >
> > How can we handle it?
>
> Adding Steve to Cc. It is possible if there is a good case for it and there
> aren't bad side effects from the change. I don't know enough about expat here
> to comment on that.
Our responses crossed in the mail :-)
I don't know enough about expat to comment on this either. But if
someone who is familiar with expat would care to chime in I am open to
consider whether an exception should be made.
> I suspect we should be adding something to the expat recipe to make it match
> libexpat CVEs, maybe CVE_PRODUCT = "libexpat"?
Yes, good catch, that does appear to be the case. I'll do a little
testing to verify that and will submit a patch.
Steve
* Re: [OE-core][PATCH v2] expat: upgrade 2.3.0 -> 2.4.1
From: Andrej Valek @ 2021-05-26 6:24 UTC
To: Steve Sakoman; +Cc: Richard Purdie, openembedded-core, Alexander Kanavin
Hello Steve,
Thank you for taking care of it.
Sorry, but maybe I didn't catch the right approach about the patching. Are you going to create a "fixing CVE" patch or just a patch to set "CVE_PRODUCT"?
Thanks,
Andrej
> On Tue, May 25, 2021 at 12:17 PM Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
>>
>> On Tue, 2021-05-25 at 12:50 +0000, Andrej Valek wrote:
>> > Hello everyone,
>> >
>> > I have another question regarding backporting this to the dunfell branch.
>> > Is it possible to apply this upgrade to this branch? I would like to
>> > have a very important fix for CVE-2013-0340
>> > (https://github.com/libexpat/libexpat/pull/220) there. But there are a lot of changes,
>> > which means just applying the patch is not very promising.
>> >
>> > How can we handle it?
>>
>> Adding Steve to Cc. It is possible if there is a good case for it and
>> there aren't bad side effects from the change. I don't know enough
>> about expat here to comment on that.
>
> Our responses crossed in the mail :-)
>
> I don't know enough about expat to comment on this either. But if someone who is familiar with expat would care to chime in I am open to consider whether an exception should be made.
>
>> I suspect we should be adding something to the expat recipe to make it
>> match libexpat CVEs, maybe CVE_PRODUCT = "libexpat"?
>
> Yes, good catch, that does appear to be the case. I'll do a little testing to verify that and will submit a patch.
>
> Steve
* Re: [OE-core][PATCH v2] expat: upgrade 2.3.0 -> 2.4.1
From: Steve Sakoman @ 2021-05-26 15:02 UTC
To: Valek, Andrej; +Cc: Richard Purdie, openembedded-core, Alexander Kanavin
On Tue, May 25, 2021 at 8:24 PM Valek, Andrej <andrej.valek@siemens.com> wrote:
>
> Hello Steve,
>
> Thank you for taking care of it.
> Sorry, but maybe I didn't catch the right approach about the patching. Are you going to create a "fixing CVE" patch or just a patch to set "CVE_PRODUCT"?
I will submit a patch to set CVE_PRODUCT, since we are currently not
detecting expat CVEs. I'm not planning to do a patch to fix
CVE-2013-0340; I will leave that to someone who is more familiar with
expat.
Steve
>
> Thanks,
> Andrej
>
> > On Tue, May 25, 2021 at 12:17 PM Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
> >>
> >> On Tue, 2021-05-25 at 12:50 +0000, Andrej Valek wrote:
> >> > Hello everyone,
> >> >
> >> > I have another question regarding backporting this to the dunfell branch.
> >> > Is it possible to apply this upgrade to this branch? I would like to
> >> > have a very important fix for CVE-2013-0340
> >> > (https://github.com/libexpat/libexpat/pull/220) there. But there are a lot of changes,
> >> > which means just applying the patch is not very promising.
> >> >
> >> > How can we handle it?
> >>
> >> Adding Steve to Cc. It is possible if there is a good case for it and
> >> there aren't bad side effects from the change. I don't know enough
> >> about expat here to comment on that.
> >
> > Our responses crossed in the mail :-)
> >
> > I don't know enough about expat to comment on this either. But if someone who is familiar with expat would care to chime in I am open to consider whether an exception should be made.
> >
> >> I suspect we should be adding something to the expat recipe to make it
> >> match libexpat CVEs, maybe CVE_PRODUCT = "libexpat"?
> >
> > Yes, good catch, that does appear to be the case. I'll do a little testing to verify that and will submit a patch.
> >
> > Steve