diff mbox series

[4/4] libxml2: upgrade 2.14.3 -> 2.14.5

Message ID 20250721082103.2262095-4-hongxu.jia@windriver.com
State Accepted, archived
Commit b82cb6d55033ffff79b5a767bd50b06989c0acfc
Series [1/4] gpgme: upgrade 1.24.3 -> 2.0.0

Commit Message

Hongxu Jia July 21, 2025, 8:21 a.m. UTC
Release notes:

    https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.5

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 ...-installation-directories-in-libxml2.patch | 14 ++++----
 .../libxml/libxml2/CVE-2025-6021.patch        | 36 +++----------------
 .../libxml/libxml2/install-tests.patch        |  4 +--
 .../{libxml2_2.14.3.bb => libxml2_2.14.5.bb}  |  2 +-
 4 files changed, 14 insertions(+), 42 deletions(-)
 rename meta/recipes-core/libxml/{libxml2_2.14.3.bb => libxml2_2.14.5.bb} (97%)

Comments

Richard Purdie July 22, 2025, 1:18 p.m. UTC | #1
On Mon, 2025-07-21 at 16:21 +0800, hongxu via lists.openembedded.org wrote:
> diff --git a/meta/recipes-core/libxml/libxml2_2.14.3.bb b/meta/recipes-core/libxml/libxml2_2.14.5.bb
> similarity index 97%
> rename from meta/recipes-core/libxml/libxml2_2.14.3.bb
> rename to meta/recipes-core/libxml/libxml2_2.14.5.bb
> index 4baab59186e..52b2040122b 100644
> --- a/meta/recipes-core/libxml/libxml2_2.14.3.bb
> +++ b/meta/recipes-core/libxml/libxml2_2.14.5.bb
> @@ -21,7 +21,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
>             file://CVE-2025-6021.patch \
>             "
>  
> -SRC_URI[archive.sha256sum] = "6de55cacc8c2bc758f2ef6f93c313cb30e4dd5d84ac5d3c7ccbd9344d8cc6833"
> +SRC_URI[archive.sha256sum] = "24175ec30a97cfa86bdf9befb7ccf4613f8f4b2713c5103e0dd0bc9c711a2773"
>  SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273"
>  
>  # Disputed as a security issue, but fixed in d39f780
> 

$ wget https://download.gnome.org/sources//libxml2/2.14/libxml2-2.14.5.tar.xz
$ sha256sum libxml2-2.14.5.tar.xz 
03d006f3537616833c16c53addcdc32a0eb20e55443cba4038307e3fa7d8d44b  libxml2-2.14.5.tar.xz

which would match the failure on:

https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2060

Any idea what happened here?

Cheers,

Richard

Mathieu Dubois-Briand July 22, 2025, 1:45 p.m. UTC | #2
On Tue Jul 22, 2025 at 3:18 PM CEST, Richard Purdie via lists.openembedded.org wrote:
> On Mon, 2025-07-21 at 16:21 +0800, hongxu via lists.openembedded.org wrote:
>> diff --git a/meta/recipes-core/libxml/libxml2_2.14.3.bb b/meta/recipes-core/libxml/libxml2_2.14.5.bb
>> similarity index 97%
>> rename from meta/recipes-core/libxml/libxml2_2.14.3.bb
>> rename to meta/recipes-core/libxml/libxml2_2.14.5.bb
>> index 4baab59186e..52b2040122b 100644
>> --- a/meta/recipes-core/libxml/libxml2_2.14.3.bb
>> +++ b/meta/recipes-core/libxml/libxml2_2.14.5.bb
>> @@ -21,7 +21,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
>>             file://CVE-2025-6021.patch \
>>             "
>>  
>> -SRC_URI[archive.sha256sum] = "6de55cacc8c2bc758f2ef6f93c313cb30e4dd5d84ac5d3c7ccbd9344d8cc6833"
>> +SRC_URI[archive.sha256sum] = "24175ec30a97cfa86bdf9befb7ccf4613f8f4b2713c5103e0dd0bc9c711a2773"
>>  SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273"
>>  
>>  # Disputed as a security issue, but fixed in d39f780
>> 
>
> $ wget https://download.gnome.org/sources//libxml2/2.14/libxml2-2.14.5.tar.xz
> $ sha256sum libxml2-2.14.5.tar.xz 
> 03d006f3537616833c16c53addcdc32a0eb20e55443cba4038307e3fa7d8d44b  libxml2-2.14.5.tar.xz
>
> which would match the failure on:
>
> https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2060
>
> Any idea what happened here?
>
> Cheers,
>
> Richard

It looks like the file changed on the remote, my build this morning did
succeed but not the next ones.

Richard Purdie July 22, 2025, 2:17 p.m. UTC | #3
On Tue, 2025-07-22 at 15:45 +0200, Mathieu Dubois-Briand wrote:
> On Tue Jul 22, 2025 at 3:18 PM CEST, Richard Purdie via lists.openembedded.org wrote:
> > On Mon, 2025-07-21 at 16:21 +0800, hongxu via lists.openembedded.org wrote:
> > > diff --git a/meta/recipes-core/libxml/libxml2_2.14.3.bb b/meta/recipes-core/libxml/libxml2_2.14.5.bb
> > > similarity index 97%
> > > rename from meta/recipes-core/libxml/libxml2_2.14.3.bb
> > > rename to meta/recipes-core/libxml/libxml2_2.14.5.bb
> > > index 4baab59186e..52b2040122b 100644
> > > --- a/meta/recipes-core/libxml/libxml2_2.14.3.bb
> > > +++ b/meta/recipes-core/libxml/libxml2_2.14.5.bb
> > > @@ -21,7 +21,7 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
> > >             file://CVE-2025-6021.patch \
> > >             "
> > >  
> > > -SRC_URI[archive.sha256sum] = "6de55cacc8c2bc758f2ef6f93c313cb30e4dd5d84ac5d3c7ccbd9344d8cc6833"
> > > +SRC_URI[archive.sha256sum] = "24175ec30a97cfa86bdf9befb7ccf4613f8f4b2713c5103e0dd0bc9c711a2773"
> > >  SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273"
> > >  
> > >  # Disputed as a security issue, but fixed in d39f780
> > > 
> > 
> > $ wget https://download.gnome.org/sources//libxml2/2.14/libxml2-2.14.5.tar.xz
> > $ sha256sum libxml2-2.14.5.tar.xz 
> > 03d006f3537616833c16c53addcdc32a0eb20e55443cba4038307e3fa7d8d44b  libxml2-2.14.5.tar.xz
> > 
> > which would match the failure on:
> > 
> > https://autobuilder.yoctoproject.org/valkyrie/#/builders/29/builds/2060
> > 
> > Any idea what happened here?
> > 
> > Cheers,
> > 
> > Richard
> 
> It looks like the file changed on the remote, my build this morning did
> succeed but not the next ones.

https://download.gnome.org/sources/libxml2/2.14/libxml2-2.14.4.sha256sum

suggests that checksum is for 2.14.4. Whether the wrong file was in
place on the server or quite what happened, I'm not sure...

Cheers,

Richard

Patch

diff --git a/meta/recipes-core/libxml/libxml2/0001-Revert-cmake-Fix-installation-directories-in-libxml2.patch b/meta/recipes-core/libxml/libxml2/0001-Revert-cmake-Fix-installation-directories-in-libxml2.patch
index 6ea5adafa22..627f8472c38 100644
--- a/meta/recipes-core/libxml/libxml2/0001-Revert-cmake-Fix-installation-directories-in-libxml2.patch
+++ b/meta/recipes-core/libxml/libxml2/0001-Revert-cmake-Fix-installation-directories-in-libxml2.patch
@@ -1,4 +1,4 @@ 
-From 55ed199fdb55a1a600616ba14ad0feedcf828d86 Mon Sep 17 00:00:00 2001
+From 1a7e177a7315c856a2f0e3c2a17ee0fd9e297bc9 Mon Sep 17 00:00:00 2001
 From: Peter Marko <peter.marko@siemens.com>
 Date: Mon, 26 May 2025 21:11:14 +0200
 Subject: [PATCH] Revert "cmake: Fix installation directories in
@@ -15,10 +15,10 @@  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  3 files changed, 7 insertions(+), 18 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
-index 40e75151..d21ebfe5 100644
+index aaa02e3..fb241bb 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1061,17 +1061,6 @@ AC_SUBST(XML_PRIVATE_LIBS)
+@@ -1065,17 +1065,6 @@ AC_SUBST(XML_PRIVATE_LIBS)
  AC_SUBST(XML_PRIVATE_CFLAGS)
  AC_SUBST(XML_INCLUDEDIR)
  
@@ -37,7 +37,7 @@  index 40e75151..d21ebfe5 100644
  AC_DEFINE_UNQUOTED([XML_SYSCONFDIR], ["$XML_SYSCONFDIR"],
                     [System configuration directory (/etc)])
 diff --git a/libxml2-config.cmake.in b/libxml2-config.cmake.in
-index 4945dda4..31036805 100644
+index e040a75..dc0d6b8 100644
 --- a/libxml2-config.cmake.in
 +++ b/libxml2-config.cmake.in
 @@ -24,17 +24,20 @@
@@ -66,7 +66,7 @@  index 4945dda4..31036805 100644
  set(LIBXML2_LIBRARIES ${LIBXML2_LIBRARY})
  set(LIBXML2_INCLUDE_DIRS ${LIBXML2_INCLUDE_DIR})
 diff --git a/meson.build b/meson.build
-index 4c59211d..3e5f25d3 100644
+index 98bc6e3..3ef0bd0 100644
 --- a/meson.build
 +++ b/meson.build
 @@ -599,9 +599,6 @@ config_cmake = configuration_data()
@@ -77,5 +77,5 @@  index 4c59211d..3e5f25d3 100644
 -config_cmake.set('INSTALL_INCLUDEDIR', dir_include)
 -config_cmake.set('INSTALL_LIBDIR', dir_lib)
  config_cmake.set('VERSION', meson.project_version())
- config_cmake.set('WITH_HTTP', want_http.to_int().to_string())
- config_cmake.set('WITH_ICONV', want_iconv.to_int().to_string())
+ config_cmake.set10('BUILD_SHARED_LIBS',
+                    get_option('default_library') != 'static')
diff --git a/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch b/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch
index 157486848b9..0b73bceb245 100644
--- a/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch
+++ b/meta/recipes-core/libxml/libxml2/CVE-2025-6021.patch
@@ -1,4 +1,4 @@ 
-From 33d7969baf541326a35e2fbe31943c46af8c71db Mon Sep 17 00:00:00 2001
+From e546e423d69ec9b3c71167d3c3140fa1b9af93c7 Mon Sep 17 00:00:00 2001
 From: Nick Wellnhofer <wellnhofer@aevum.de>
 Date: Tue, 27 May 2025 12:53:17 +0200
 Subject: [PATCH] tree: Fix integer overflow in xmlBuildQName
@@ -14,11 +14,11 @@  CVE: CVE-2025-6021
 Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/libxml2/-/commit/acbbeef9f5dcdcc901c5f3fa14d583ef8cfd22f0]
 Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
 ---
- tree.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
+ tree.c | 1 +
+ 1 file changed, 1 insertion(+)
 
 diff --git a/tree.c b/tree.c
-index 7454b07..22ec11c 100644
+index e14bc62..22ec11c 100644
 --- a/tree.c
 +++ b/tree.c
 @@ -23,6 +23,7 @@
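Review bot: the header lines kept as context at the top of this hunk, `CVE: CVE-2025-6021` and the `Upstream-Status: Backport [...]` reference, no longer describe the patch once the diffstat shrinks to `tree.c | 1 +`. What remains is a single added line near the top of tree.c (the `@@ -23,6 +23,7 @@` hunk), yet the subject still reads "tree: Fix integer overflow in xmlBuildQName" and the recipe still lists `file://CVE-2025-6021.patch`. Tooling and readers that rely on the `CVE:` tag will attribute the fix to this file. If 2.14.5 already contains the xmlBuildQName changes, retitle the patch and drop the `CVE:` tag, or explain in the patch header why the remaining line still has to be carried under this name.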
@@ -29,31 +29,3 @@  index 7454b07..22ec11c 100644
  
  #ifdef LIBXML_ZLIB_ENABLED
  #include <zlib.h>
-@@ -168,10 +169,10 @@ xmlGetParameterEntityFromDtd(const xmlDtd *dtd, const xmlChar *name) {
- xmlChar *
- xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
- 	      xmlChar *memory, int len) {
--    int lenn, lenp;
-+    size_t lenn, lenp;
-     xmlChar *ret;
- 
--    if (ncname == NULL) return(NULL);
-+    if ((ncname == NULL) || (len < 0)) return(NULL);
-     if (prefix == NULL) return((xmlChar *) ncname);
- 
- #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-@@ -182,8 +183,10 @@ xmlBuildQName(const xmlChar *ncname, const xmlChar *prefix,
- 
-     lenn = strlen((char *) ncname);
-     lenp = strlen((char *) prefix);
-+    if (lenn >= SIZE_MAX - lenp - 1)
-+        return(NULL);
- 
--    if ((memory == NULL) || (len < lenn + lenp + 2)) {
-+    if ((memory == NULL) || ((size_t) len < lenn + lenp + 2)) {
- 	ret = xmlMalloc(lenn + lenp + 2);
- 	if (ret == NULL)
- 	    return(NULL);
--- 
-2.34.1
-
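Review bot: the lines removed at the end of this hunk are every xmlBuildQName change the patch carried (the `size_t` lengths, the `len < 0` check and the `SIZE_MAX` guard), and the commit message gives only a release-notes link. Please state in the commit message that these changes are present in 2.14.5 upstream, so the removal is not read as dropping the fix. The `-- ` and `2.34.1` trailer lines are deleted as well, which leaves the patch file ending on context lines; keep the trailer if the refresh was not meant to remove it.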
diff --git a/meta/recipes-core/libxml/libxml2/install-tests.patch b/meta/recipes-core/libxml/libxml2/install-tests.patch
index 789aeca119f..4c1faa83cbb 100644
--- a/meta/recipes-core/libxml/libxml2/install-tests.patch
+++ b/meta/recipes-core/libxml/libxml2/install-tests.patch
@@ -1,4 +1,4 @@ 
-From 8c1054eacb430472068f21e4840749c384e8e866 Mon Sep 17 00:00:00 2001
+From 7e99fef6eae0642a3f1e511e4d24abf7d6d28f50 Mon Sep 17 00:00:00 2001
 From: Ross Burton <ross.burton@arm.com>
 Date: Mon, 5 Dec 2022 17:02:32 +0000
 Subject: [PATCH] add yocto-specific install-ptest target
@@ -12,7 +12,7 @@  Signed-off-by: Ross Burton <ross.burton@arm.com>
  1 file changed, 10 insertions(+)
 
 diff --git a/Makefile.am b/Makefile.am
-index 4cb9a5c..8adcd7e 100644
+index 6f98144..ecb3b54 100644
 --- a/Makefile.am
 +++ b/Makefile.am
 @@ -26,6 +26,16 @@ check_PROGRAMS = \
diff --git a/meta/recipes-core/libxml/libxml2_2.14.3.bb b/meta/recipes-core/libxml/libxml2_2.14.5.bb
similarity index 97%
rename from meta/recipes-core/libxml/libxml2_2.14.3.bb
rename to meta/recipes-core/libxml/libxml2_2.14.5.bb
index 4baab59186e..52b2040122b 100644
--- a/meta/recipes-core/libxml/libxml2_2.14.3.bb
+++ b/meta/recipes-core/libxml/libxml2_2.14.5.bb
@@ -21,7 +21,7 @@  SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
            file://CVE-2025-6021.patch \
            "
 
-SRC_URI[archive.sha256sum] = "6de55cacc8c2bc758f2ef6f93c313cb30e4dd5d84ac5d3c7ccbd9344d8cc6833"
+SRC_URI[archive.sha256sum] = "24175ec30a97cfa86bdf9befb7ccf4613f8f4b2713c5103e0dd0bc9c711a2773"
 SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273"
 
 # Disputed as a security issue, but fixed in d39f780
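Review bot: the new `SRC_URI[archive.sha256sum]` value in this hunk should be checked against the checksum file upstream publishes for 2.14.5 before it is committed. In this thread Richard Purdie reports a different sha256sum for the downloaded libxml2-2.14.5.tar.xz (comment #1, matching the autobuilder failure) and, in comment #3, points to libxml2-2.14.4.sha256sum as suggesting the checksum is for 2.14.4. A value taken only from whatever the download URL served at the time of the upgrade cannot distinguish a correct tarball from a misplaced or replaced one, so note in the commit message which published checksum it was compared with.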