* [OE-core][PATCH] expat: upgrade 2.2.10 -> 2.4.1
@ 2021-05-25  9:09 Andrej Valek
  2021-05-25 10:03 ` Alexander Kanavin
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Andrej Valek @ 2021-05-25  9:09 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek

Includes a lot of security fixes, especially CVE-2013-0340/CWE-776.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 .../expat/0001-Add-output-of-tests-result.patch    | 83 ----------------------
 .../expat/{expat_2.2.10.bb => expat_2.4.1.bb}      |  3 +-
 2 files changed, 1 insertion(+), 85 deletions(-)
 delete mode 100644 meta/recipes-core/expat/expat/0001-Add-output-of-tests-result.patch
 rename meta/recipes-core/expat/{expat_2.2.10.bb => expat_2.4.1.bb} (84%)

diff --git a/meta/recipes-core/expat/expat/0001-Add-output-of-tests-result.patch b/meta/recipes-core/expat/expat/0001-Add-output-of-tests-result.patch
deleted file mode 100644
index c5c18ead74..0000000000
--- a/meta/recipes-core/expat/expat/0001-Add-output-of-tests-result.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From aa84835a00bfd65e784d58411e76f60658e939dc Mon Sep 17 00:00:00 2001
-From: Oleksandr Popovych <oleksandr.s.popovych@globallogic.com>
-Date: Tue, 18 Feb 2020 19:04:55 +0200
-Subject: [PATCH] Add output of tests result
-
-Added console output of testing results in form 'RESULT: TEST_NAME'.
-
-Changed verbose mode of test application set by '-v' ('--verbose')
-argument to CK_NORMAL.
-Added new supported argument '-vv' ('--extra-verbose') that changes
-verbose mode of test application to CK_VERBOSE. Results of each test
-are shown in output only if this mode is set.
-
-Upstream-Status: Denied
-
-This patch changes potentially deprecated feature that shoud be changed
-in upstream. [https://github.com/libexpat/libexpat/issues/382]
-
-Signed-off-by: Oleksandr Popovych <oleksandr.s.popovych@globallogic.com>
----
- tests/minicheck.c | 10 +++++++++-
- tests/runtests.c  |  4 +++-
- 2 files changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/expat/tests/minicheck.c b/expat/tests/minicheck.c
-index a5a1efb..94fa412 100644
---- a/tests/minicheck.c
-+++ b/tests/minicheck.c
-@@ -164,6 +164,8 @@ srunner_run_all(SRunner *runner, int verbosity) {
-       if (tc->setup != NULL) {
-         /* setup */
-         if (setjmp(env)) {
-+          if (verbosity >= CK_VERBOSE)
-+            printf("SKIP: %s\n", _check_current_function);
-           add_failure(runner, verbosity);
-           continue;
-         }
-@@ -171,6 +173,8 @@ srunner_run_all(SRunner *runner, int verbosity) {
-       }
-       /* test */
-       if (setjmp(env)) {
-+        if (verbosity >= CK_VERBOSE)
-+          printf("FAIL: %s\n", _check_current_function);
-         add_failure(runner, verbosity);
-         continue;
-       }
-@@ -178,12 +182,16 @@ srunner_run_all(SRunner *runner, int verbosity) {
-
-       /* teardown */
-       if (tc->teardown != NULL) {
--        if (setjmp(env)) {
-+        if (setjmp(env)) {
-+          if (verbosity >= CK_VERBOSE)
-+           printf("PASS: %s\n", _check_current_function);
-           add_failure(runner, verbosity);
-           continue;
-         }
-         tc->teardown();
-       }
-+      if (verbosity >= CK_VERBOSE)
-+        printf("PASS: %s\n", _check_current_function);
-     }
-     tc = tc->next_tcase;
-   }
-diff --git a/tests/runtests.c b/expat/tests/runtests.c
-index 7791fe0..75724e5 100644
---- a/tests/runtests.c
-+++ b/tests/runtests.c
-@@ -11619,9 +11619,11 @@ main(int argc, char *argv[]) {
-   for (i = 1; i < argc; ++i) {
-     char *opt = argv[i];
-     if (strcmp(opt, "-v") == 0 || strcmp(opt, "--verbose") == 0)
--      verbosity = CK_VERBOSE;
-+      verbosity = CK_NORMAL;
-     else if (strcmp(opt, "-q") == 0 || strcmp(opt, "--quiet") == 0)
-       verbosity = CK_SILENT;
-+    else if (strcmp(opt, "-vv") == 0 || strcmp(opt, "--extra-verbose") == 0)
-+	verbosity = CK_VERBOSE;
-     else {
-       fprintf(stderr, "runtests: unknown option '%s'\n", opt);
-       return 2;
---
-2.17.1
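Review bot: the removal of 0001-Add-output-of-tests-result.patch is not explained in the commit message, which only mentions security fixes. The deleted file carried "Upstream-Status: Denied" with a pointer to libexpat issue 382 and existed to print per-test "RESULT: TEST_NAME" lines for the run-ptest script that stays in SRC_URI; the message should state whether the 2.4.1 test runner now produces equivalent output or whether run-ptest needs adjusting, so the ptest result parsing does not silently regress with the upgrade.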
diff --git a/meta/recipes-core/expat/expat_2.2.10.bb b/meta/recipes-core/expat/expat_2.4.1.bb
similarity index 84%
rename from meta/recipes-core/expat/expat_2.2.10.bb
rename to meta/recipes-core/expat/expat_2.4.1.bb
index fa263775b3..476c5f8cc7 100644
--- a/meta/recipes-core/expat/expat_2.2.10.bb
+++ b/meta/recipes-core/expat/expat_2.4.1.bb
@@ -9,10 +9,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=9e2ce3b3c4c0f2670883a23bbd7c37a9"
 SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.bz2 \
            file://libtool-tag.patch \
 	   file://run-ptest \
-	   file://0001-Add-output-of-tests-result.patch \
 	  "
 
-SRC_URI[sha256sum] = "b2c160f1b60e92da69de8e12333096aeb0c3bf692d41c60794de278af72135a5"
+SRC_URI[sha256sum] = "2f9b6a580b94577b150a7d5617ad4643a4301a6616ff459307df3e225bcfbf40"
 
 EXTRA_OECMAKE_class-native += "-DEXPAT_BUILD_DOCS=OFF"
 
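Review bot: the commit message says "lot of security fixes" but names only CVE-2013-0340; list the CVEs the 2.2.10 -> 2.4.1 jump closes (or cite the upstream changelog) so cve-check status and any stable-branch backports can be tracked against them. It would also help to record how the new SRC_URI[sha256sum] was verified (against the upstream release announcement rather than only the downloaded tarball), since the checksum bump in this hunk is the only integrity gate for the new source.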
-- 
2.11.0



* Re: [OE-core][PATCH] expat: upgrade 2.2.10 -> 2.4.1
  2021-05-25  9:09 [OE-core][PATCH] expat: upgrade 2.2.10 -> 2.4.1 Andrej Valek
@ 2021-05-25 10:03 ` Alexander Kanavin
  2021-05-25 10:13 ` [OE-core][PATCH v2] expat: upgrade 2.3.0 " Andrej Valek
       [not found] ` <168247B8E1E1063C.25934@lists.openembedded.org>
  2 siblings, 0 replies; 9+ messages in thread
From: Alexander Kanavin @ 2021-05-25 10:03 UTC (permalink / raw)
  To: Andrej Valek; +Cc: OE-core


I think you need to rebase this on master first, as it already has 2.3.0.

And removing patches needs to be explained.

Alex

On Tue, 25 May 2021 at 11:10, Andrej Valek <andrej.valek@siemens.com> wrote:

> Includes a lot of security fixes, especially CVE-2013-0340/CWE-776.
>
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> ---
>  .../expat/0001-Add-output-of-tests-result.patch    | 83
> ----------------------
>  .../expat/{expat_2.2.10.bb => expat_2.4.1.bb}      |  3 +-
>  2 files changed, 1 insertion(+), 85 deletions(-)
>  delete mode 100644
> meta/recipes-core/expat/expat/0001-Add-output-of-tests-result.patch
>  rename meta/recipes-core/expat/{expat_2.2.10.bb => expat_2.4.1.bb} (84%)
>
> diff --git
> a/meta/recipes-core/expat/expat/0001-Add-output-of-tests-result.patch
> b/meta/recipes-core/expat/expat/0001-Add-output-of-tests-result.patch
> deleted file mode 100644
> index c5c18ead74..0000000000
> --- a/meta/recipes-core/expat/expat/0001-Add-output-of-tests-result.patch
> +++ /dev/null
> @@ -1,83 +0,0 @@
> -From aa84835a00bfd65e784d58411e76f60658e939dc Mon Sep 17 00:00:00 2001
> -From: Oleksandr Popovych <oleksandr.s.popovych@globallogic.com>
> -Date: Tue, 18 Feb 2020 19:04:55 +0200
> -Subject: [PATCH] Add output of tests result
> -
> -Added console output of testing results in form 'RESULT: TEST_NAME'.
> -
> -Changed verbose mode of test application set by '-v' ('--verbose')
> -argument to CK_NORMAL.
> -Added new supported argument '-vv' ('--extra-verbose') that changes
> -verbose mode of test application to CK_VERBOSE. Results of each test
> -are shown in output only if this mode is set.
> -
> -Upstream-Status: Denied
> -
> -This patch changes potentially deprecated feature that shoud be changed
> -in upstream. [https://github.com/libexpat/libexpat/issues/382]
> -
> -Signed-off-by: Oleksandr Popovych <oleksandr.s.popovych@globallogic.com>
> ----
> - tests/minicheck.c | 10 +++++++++-
> - tests/runtests.c  |  4 +++-
> - 2 files changed, 12 insertions(+), 2 deletions(-)
> -
> -diff --git a/expat/tests/minicheck.c b/expat/tests/minicheck.c
> -index a5a1efb..94fa412 100644
> ---- a/tests/minicheck.c
> -+++ b/tests/minicheck.c
> -@@ -164,6 +164,8 @@ srunner_run_all(SRunner *runner, int verbosity) {
> -       if (tc->setup != NULL) {
> -         /* setup */
> -         if (setjmp(env)) {
> -+          if (verbosity >= CK_VERBOSE)
> -+            printf("SKIP: %s\n", _check_current_function);
> -           add_failure(runner, verbosity);
> -           continue;
> -         }
> -@@ -171,6 +173,8 @@ srunner_run_all(SRunner *runner, int verbosity) {
> -       }
> -       /* test */
> -       if (setjmp(env)) {
> -+        if (verbosity >= CK_VERBOSE)
> -+          printf("FAIL: %s\n", _check_current_function);
> -         add_failure(runner, verbosity);
> -         continue;
> -       }
> -@@ -178,12 +182,16 @@ srunner_run_all(SRunner *runner, int verbosity) {
> -
> -       /* teardown */
> -       if (tc->teardown != NULL) {
> --        if (setjmp(env)) {
> -+        if (setjmp(env)) {
> -+          if (verbosity >= CK_VERBOSE)
> -+           printf("PASS: %s\n", _check_current_function);
> -           add_failure(runner, verbosity);
> -           continue;
> -         }
> -         tc->teardown();
> -       }
> -+      if (verbosity >= CK_VERBOSE)
> -+        printf("PASS: %s\n", _check_current_function);
> -     }
> -     tc = tc->next_tcase;
> -   }
> -diff --git a/tests/runtests.c b/expat/tests/runtests.c
> -index 7791fe0..75724e5 100644
> ---- a/tests/runtests.c
> -+++ b/tests/runtests.c
> -@@ -11619,9 +11619,11 @@ main(int argc, char *argv[]) {
> -   for (i = 1; i < argc; ++i) {
> -     char *opt = argv[i];
> -     if (strcmp(opt, "-v") == 0 || strcmp(opt, "--verbose") == 0)
> --      verbosity = CK_VERBOSE;
> -+      verbosity = CK_NORMAL;
> -     else if (strcmp(opt, "-q") == 0 || strcmp(opt, "--quiet") == 0)
> -       verbosity = CK_SILENT;
> -+    else if (strcmp(opt, "-vv") == 0 || strcmp(opt, "--extra-verbose")
> == 0)
> -+      verbosity = CK_VERBOSE;
> -     else {
> -       fprintf(stderr, "runtests: unknown option '%s'\n", opt);
> -       return 2;
> ---
> -2.17.1
> diff --git a/meta/recipes-core/expat/expat_2.2.10.bb
> b/meta/recipes-core/expat/expat_2.4.1.bb
> similarity index 84%
> rename from meta/recipes-core/expat/expat_2.2.10.bb
> rename to meta/recipes-core/expat/expat_2.4.1.bb
> index fa263775b3..476c5f8cc7 100644
> --- a/meta/recipes-core/expat/expat_2.2.10.bb
> +++ b/meta/recipes-core/expat/expat_2.4.1.bb
> @@ -9,10 +9,9 @@ LIC_FILES_CHKSUM =
> "file://COPYING;md5=9e2ce3b3c4c0f2670883a23bbd7c37a9"
>  SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.bz2 \
>             file://libtool-tag.patch \
>            file://run-ptest \
> -          file://0001-Add-output-of-tests-result.patch \
>           "
>
> -SRC_URI[sha256sum] =
> "b2c160f1b60e92da69de8e12333096aeb0c3bf692d41c60794de278af72135a5"
> +SRC_URI[sha256sum] =
> "2f9b6a580b94577b150a7d5617ad4643a4301a6616ff459307df3e225bcfbf40"
>
>  EXTRA_OECMAKE_class-native += "-DEXPAT_BUILD_DOCS=OFF"
>
> --
> 2.11.0
>
>
> 
>
>



* [OE-core][PATCH v2] expat: upgrade 2.3.0 -> 2.4.1
  2021-05-25  9:09 [OE-core][PATCH] expat: upgrade 2.2.10 -> 2.4.1 Andrej Valek
  2021-05-25 10:03 ` Alexander Kanavin
@ 2021-05-25 10:13 ` Andrej Valek
       [not found] ` <168247B8E1E1063C.25934@lists.openembedded.org>
  2 siblings, 0 replies; 9+ messages in thread
From: Andrej Valek @ 2021-05-25 10:13 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek

Includes a lot of security fixes, especially CVE-2013-0340/CWE-776.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 meta/recipes-core/expat/{expat_2.3.0.bb => expat_2.4.1.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-core/expat/{expat_2.3.0.bb => expat_2.4.1.bb} (89%)

diff --git a/meta/recipes-core/expat/expat_2.3.0.bb b/meta/recipes-core/expat/expat_2.4.1.bb
similarity index 89%
rename from meta/recipes-core/expat/expat_2.3.0.bb
rename to meta/recipes-core/expat/expat_2.4.1.bb
index 14d2855df3..a57fc1b23b 100644
--- a/meta/recipes-core/expat/expat_2.3.0.bb
+++ b/meta/recipes-core/expat/expat_2.4.1.bb
@@ -11,7 +11,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.bz2 \
            file://run-ptest \
            "
 
-SRC_URI[sha256sum] = "f122a20eada303f904d5e0513326c5b821248f2d4d2afbf5c6f1339e511c0586"
+SRC_URI[sha256sum] = "2f9b6a580b94577b150a7d5617ad4643a4301a6616ff459307df3e225bcfbf40"
 
 EXTRA_OECMAKE_class-native += "-DEXPAT_BUILD_DOCS=OFF"
 
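Review bot: the commit message still names only CVE-2013-0340/CWE-776 while claiming "lot of security fixes"; list the CVEs fixed between 2.3.0 and 2.4.1 (or cite the upstream changelog) so the upgrade can be tracked by cve-check and by anyone backporting to stable branches. Since CVE tracking is the motivation here, note that the recipe sets no CVE_PRODUCT; as raised later in this thread, expat's CVEs appear to be filed under the product name libexpat, so matching on the recipe name misses them, and a CVE_PRODUCT = "libexpat" line belongs either in this hunk or in a follow-up patch.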
-- 
2.11.0



* Re: [OE-core][PATCH v2] expat: upgrade 2.3.0 -> 2.4.1
       [not found] ` <168247B8E1E1063C.25934@lists.openembedded.org>
@ 2021-05-25 12:50   ` Andrej Valek
  2021-05-25 22:17     ` Richard Purdie
  2021-05-25 22:18     ` Steve Sakoman
  0 siblings, 2 replies; 9+ messages in thread
From: Andrej Valek @ 2021-05-25 12:50 UTC (permalink / raw)
  To: openembedded-core; +Cc: Alexander Kanavin

Hello everyone,

I have another question regarding backporting this to the dunfell branch. Is it possible to apply this upgrade to that branch? I would like to have a very important fix for CVE-2013-0340 (https://github.com/libexpat/libexpat/pull/220) there. But there are a lot of changes, which means just applying the patch is not very promising.

How can we handle it?

Thanks,
Andrej

> Subject: [OE-core][PATCH v2] expat: upgrade 2.3.0 -> 2.4.1
>
> Includes a lot of security fixes, especially CVE-2013-0340/CWE-776.
>
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> ---
>  meta/recipes-core/expat/{expat_2.3.0.bb => expat_2.4.1.bb} | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>  rename meta/recipes-core/expat/{expat_2.3.0.bb => expat_2.4.1.bb} (89%)
>
> diff --git a/meta/recipes-core/expat/expat_2.3.0.bb b/meta/recipes-core/expat/expat_2.4.1.bb
> similarity index 89%
> rename from meta/recipes-core/expat/expat_2.3.0.bb
> rename to meta/recipes-core/expat/expat_2.4.1.bb
> index 14d2855df3..a57fc1b23b 100644
> --- a/meta/recipes-core/expat/expat_2.3.0.bb
> +++ b/meta/recipes-core/expat/expat_2.4.1.bb
> @@ -11,7 +11,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.bz2 \
>             file://run-ptest \
>             "
>  
> -SRC_URI[sha256sum] = "f122a20eada303f904d5e0513326c5b821248f2d4d2afbf5c6f1339e511c0586"
> +SRC_URI[sha256sum] = "2f9b6a580b94577b150a7d5617ad4643a4301a6616ff459307df3e225bcfbf40"
>  
>  EXTRA_OECMAKE_class-native += "-DEXPAT_BUILD_DOCS=OFF"
>  
> --
> 2.11.0
>


* Re: [OE-core][PATCH v2] expat: upgrade 2.3.0 -> 2.4.1
  2021-05-25 12:50   ` Andrej Valek
@ 2021-05-25 22:17     ` Richard Purdie
  2021-05-25 22:23       ` Steve Sakoman
  2021-05-25 22:18     ` Steve Sakoman
  1 sibling, 1 reply; 9+ messages in thread
From: Richard Purdie @ 2021-05-25 22:17 UTC (permalink / raw)
  To: Andrej Valek, openembedded-core; +Cc: Alexander Kanavin, Steve Sakoman

On Tue, 2021-05-25 at 12:50 +0000, Andrej Valek wrote:
> Hello everyone,
> 
> I have another question regarding backporting this to the dunfell branch. 
> Is it possible to apply this upgrade to that branch? I would like to have 
> a very important fix for CVE-2013-0340 (https://github.com/libexpat/libexpat/pull/220) 
> there. But there are a lot of changes, which means just applying the patch is not very promising.
> 
> How can we handle it?

Adding Steve to Cc. It is possible if there is a good case for it and there
aren't bad side effects from the change. I don't know enough about expat here
to comment on that.

I suspect we should be adding something to the expat recipe to make it match 
libexpat CVEs, maybe CVE_PRODUCT = "libexpat"?

Cheers,

Richard




* Re: [OE-core][PATCH v2] expat: upgrade 2.3.0 -> 2.4.1
  2021-05-25 12:50   ` Andrej Valek
  2021-05-25 22:17     ` Richard Purdie
@ 2021-05-25 22:18     ` Steve Sakoman
  1 sibling, 0 replies; 9+ messages in thread
From: Steve Sakoman @ 2021-05-25 22:18 UTC (permalink / raw)
  To: Andrej Valek; +Cc: openembedded-core, Alexander Kanavin

On Tue, May 25, 2021 at 2:50 AM Andrej Valek <andrej.valek@siemens.com> wrote:
>
> Hello everyone,
>
> I have another question regarding backporting this to the dunfell branch. Is it possible to apply this upgrade to that branch? I would like to have a very important fix for CVE-2013-0340 (https://github.com/libexpat/libexpat/pull/220) there. But there are a lot of changes, which means just applying the patch is not very promising.

It is LTS policy not to do general version upgrades (see "Stable/LTS
Patch Acceptance Policies" at
https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS).

So unless you can make a case that this is a bug/security-fix-only
release, I'm not able to take this patch.

> How can we handle it?

Perhaps take a crack at backporting the minimal set of patches to fix the CVE?

Steve

> Thanks,
> Andrej
>
> > Subject: [OE-core][PATCH v2] expat: upgrade 2.3.0 -> 2.4.1
> >
> > Includes a lot of security fixes, especially CVE-2013-0340/CWE-776.
> >
> > Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > ---
> >  meta/recipes-core/expat/{expat_2.3.0.bb => expat_2.4.1.bb} | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >  rename meta/recipes-core/expat/{expat_2.3.0.bb => expat_2.4.1.bb} (89%)
> >
> > diff --git a/meta/recipes-core/expat/expat_2.3.0.bb b/meta/recipes-core/expat/expat_2.4.1.bb
> > similarity index 89%
> > rename from meta/recipes-core/expat/expat_2.3.0.bb
> > rename to meta/recipes-core/expat/expat_2.4.1.bb
> > index 14d2855df3..a57fc1b23b 100644
> > --- a/meta/recipes-core/expat/expat_2.3.0.bb
> > +++ b/meta/recipes-core/expat/expat_2.4.1.bb
> > @@ -11,7 +11,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.bz2 \
> >             file://run-ptest \
> >             "
> >
> > -SRC_URI[sha256sum] = "f122a20eada303f904d5e0513326c5b821248f2d4d2afbf5c6f1339e511c0586"
> > +SRC_URI[sha256sum] = "2f9b6a580b94577b150a7d5617ad4643a4301a6616ff459307df3e225bcfbf40"
> >
> >  EXTRA_OECMAKE_class-native += "-DEXPAT_BUILD_DOCS=OFF"
> >
> > --
> > 2.11.0
> >
>
> 
>


* Re: [OE-core][PATCH v2] expat: upgrade 2.3.0 -> 2.4.1
  2021-05-25 22:17     ` Richard Purdie
@ 2021-05-25 22:23       ` Steve Sakoman
  2021-05-26  6:24         ` Andrej Valek
  0 siblings, 1 reply; 9+ messages in thread
From: Steve Sakoman @ 2021-05-25 22:23 UTC (permalink / raw)
  To: Richard Purdie; +Cc: Andrej Valek, openembedded-core, Alexander Kanavin

On Tue, May 25, 2021 at 12:17 PM Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
>
> On Tue, 2021-05-25 at 12:50 +0000, Andrej Valek wrote:
> > Hello everyone,
> >
> > I have another question regarding backporting this to the dunfell branch.
> > Is it possible to apply this upgrade to that branch? I would like to have
> > a very important fix for CVE-2013-0340 (https://github.com/libexpat/libexpat/pull/220)
> > there. But there are a lot of changes, which means just applying the patch is not very promising.
> >
> > How can we handle it?
>
> Adding Steve to Cc. It is possible if there is a good case for it and there
> aren't bad side effects from the change. I don't know enough about expat here
> to comment on that.

Our responses crossed in the mail :-)

I don't know enough about expat to comment on this either.  But if
someone who is familiar with expat would care to chime in I am open to
consider whether an exception should be made.

> I suspect we should be adding something to the expat recipe to make it match
> libexpat CVEs, maybe CVE_PRODUCT = "libexpat"?

Yes, good catch, that does appear to be the case.  I'll do a little
testing to verify that and will submit a patch.

Steve


* Re: [OE-core][PATCH v2] expat: upgrade 2.3.0 -> 2.4.1
  2021-05-25 22:23       ` Steve Sakoman
@ 2021-05-26  6:24         ` Andrej Valek
  2021-05-26 15:02           ` Steve Sakoman
  0 siblings, 1 reply; 9+ messages in thread
From: Andrej Valek @ 2021-05-26  6:24 UTC (permalink / raw)
  To: Steve Sakoman; +Cc: Richard Purdie, openembedded-core, Alexander Kanavin

Hello Steve,

Thank you for taking care of it.
Sorry, but maybe I didn't catch the right approach to the patching. Are you going to create a "fixing CVE" patch or just a patch to set "CVE_PRODUCT"?

Thanks,
Andrej

> On Tue, May 25, 2021 at 12:17 PM Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
>>
>> On Tue, 2021-05-25 at 12:50 +0000, Andrej Valek wrote:
>> > Hello everyone,
>> >
>> > I have another question regarding backporting this to the dunfell branch.
>> > Is it possible to apply this upgrade to that branch? I would like to 
>> > have a very important fix for CVE-2013-0340 
>> > (https://github.com/libexpat/libexpat/pull/220) there. But there are a lot of changes, 
>> > which means just applying the patch is not very promising.
>> >
>> > How can we handle it?
>>
>> Adding Steve to Cc. It is possible if there is a good case for it and 
>> there aren't bad side effects from the change. I don't know enough 
>> about expat here to comment on that.
>
> Our responses crossed in the mail :-)
>
> I don't know enough about expat to comment on this either.  But if someone who is familiar with expat would care to chime in I am open to consider whether an exception should be made.
>
>> I suspect we should be adding something to the expat recipe to make it 
>> match libexpat CVEs, maybe CVE_PRODUCT = "libexpat"?
>
> Yes, good catch, that does appear to be the case.  I'll do a little testing to verify that and will submit a patch.
>
> Steve


* Re: [OE-core][PATCH v2] expat: upgrade 2.3.0 -> 2.4.1
  2021-05-26  6:24         ` Andrej Valek
@ 2021-05-26 15:02           ` Steve Sakoman
  0 siblings, 0 replies; 9+ messages in thread
From: Steve Sakoman @ 2021-05-26 15:02 UTC (permalink / raw)
  To: Valek, Andrej; +Cc: Richard Purdie, openembedded-core, Alexander Kanavin

On Tue, May 25, 2021 at 8:24 PM Valek, Andrej <andrej.valek@siemens.com> wrote:
>
> Hello Steve,
>
> Thank you for taking care of it.
> Sorry, but maybe I didn't catch the right approach to the patching. Are you going to create a "fixing CVE" patch or just a patch to set "CVE_PRODUCT"?

I will submit a patch to set CVE_PRODUCT, since we are currently not
detecting expat CVEs.  I'm not planning to do a patch to fix
CVE-2013-0340; I will leave that to someone who is more familiar with
expat.

Steve

>
> Thanks,
> Andrej
>
> > On Tue, May 25, 2021 at 12:17 PM Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
> >>
> >> On Tue, 2021-05-25 at 12:50 +0000, Andrej Valek wrote:
> >> > Hello everyone,
> >> >
> >> > I have another question regarding backporting this to the dunfell branch.
> >> > Is it possible to apply this upgrade to that branch? I would like to
> >> > have a very important fix for CVE-2013-0340
> >> > (https://github.com/libexpat/libexpat/pull/220) there. But there are a lot of changes,
> >> > which means just applying the patch is not very promising.
> >> >
> >> > How can we handle it?
> >>
> >> Adding Steve to Cc. It is possible if there is a good case for it and
> >> there aren't bad side effects from the change. I don't know enough
> >> about expat here to comment on that.
> >
> > Our responses crossed in the mail :-)
> >
> > I don't know enough about expat to comment on this either.  But if someone who is familiar with expat would care to chime in I am open to consider whether an exception should be made.
> >
> >> I suspect we should be adding something to the expat recipe to make it
> >> match libexpat CVEs, maybe CVE_PRODUCT = "libexpat"?
> >
> > Yes, good catch, that does appear to be the case.  I'll do a little testing to verify that and will submit a patch.
> >
> > Steve
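The CVE_PRODUCT point discussed across Richard's and Steve's messages above is easy to see mechanically. The script below is an added illustration, not code from OE-core or from anyone in this thread: it parses a constructed recipe fragment modelled on the expat_2.4.1.bb hunk, works out which product name a CVE check would look up (assumed here to fall back to the recipe name when CVE_PRODUCT is unset, to accept several space-separated names, and to accept a vendor:product form), and runs that name against a constructed stand-in for the CVE database in which CVE-2013-0340 is filed under "libexpat". Without CVE_PRODUCT the recipe named "expat" matches nothing; with CVE_PRODUCT = "libexpat" the CVE shows up.

```python
import re

# Constructed recipe text modelled on the expat_2.4.1.bb hunk in this thread
# (not OE-core's actual file); the CVE_PRODUCT line in RECIPE_AFTER is the
# addition proposed in the discussion.
RECIPE_BEFORE = '''\
SRC_URI = "${SOURCEFORGE_MIRROR}/expat/expat-${PV}.tar.bz2 \\
           file://run-ptest \\
           "
SRC_URI[sha256sum] = "2f9b6a580b94577b150a7d5617ad4643a4301a6616ff459307df3e225bcfbf40"
EXTRA_OECMAKE_class-native += "-DEXPAT_BUILD_DOCS=OFF"
'''
RECIPE_AFTER = RECIPE_BEFORE + 'CVE_PRODUCT = "libexpat"\n'

# Constructed stand-in for the CVE database: only the product field matters
# here. CVE-2013-0340 is the one named in the thread; the second entry is a
# made-up placeholder for an unrelated product, so it must never match.
CVE_DB = [
    {"id": "CVE-2013-0340", "product": "libexpat"},
    {"id": "CVE-XXXX-YYYY", "product": "someotherlib"},
]

# Minimal BitBake-style assignment matcher: NAME op "value", where the quoted
# value may span several lines (as SRC_URI does above).
_ASSIGN = re.compile(
    r'^\s*([A-Za-z_][A-Za-z0-9_\-]*)\s*(\?\?=|\?=|\+=|=)\s*"([^"]*)"', re.M)


def cve_products(recipe_text, pn):
    """Product names a CVE check would look up for this recipe.

    Assumption (not taken from the thread): CVE_PRODUCT falls back to the
    recipe name PN when unset, may list several space-separated names, and a
    'vendor:product' entry is compared on its product part only.
    """
    for m in _ASSIGN.finditer(recipe_text):
        if m.group(1) == "CVE_PRODUCT":
            return [name.split(":")[-1] for name in m.group(3).split()]
    return [pn]


def matching_cves(recipe_text, pn, db):
    """CVE ids whose product field equals one of the recipe's product names."""
    products = set(cve_products(recipe_text, pn))
    return sorted(rec["id"] for rec in db if rec["product"] in products)


if __name__ == "__main__":
    for label, text in (("without CVE_PRODUCT", RECIPE_BEFORE),
                        ("with CVE_PRODUCT", RECIPE_AFTER)):
        print(label, "->", cve_products(text, "expat"),
              matching_cves(text, "expat", CVE_DB))
```

The matcher deliberately ignores SRC_URI[sha256sum] (flag syntax) and handles only plain string assignments, which is all a CVE_PRODUCT check needs; a real check would of course query the actual CVE feed rather than the constructed CVE_DB list.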

