From: akuster808 <akuster808@gmail.com>
To: Joshua Lock <joshua.lock@collabora.co.uk>,
openembedded-core@lists.openembedded.org
Subject: Re: [PATCH][jethro][fido][ 00/15] Libxml2: multiple security fixes
Date: Mon, 21 Dec 2015 08:12:06 -0800
Message-ID: <567824D6.6050106@gmail.com>
In-Reply-To: <5671D1FE.7010306@collabora.co.uk>
On 12/16/2015 01:05 PM, Joshua Lock wrote:
> Hi Armin,
>
> On 05/12/15 19:35, Armin Kuster wrote:
>> Each CVE is an independent patch so they can be easily merged to other
>> distros
>> and/or stable branches.
>
> As others have mentioned elsewhere I think this would be much nicer if
> each patch was added to the SRC_URI in the same commit which introduces
> the patch.
>
> In addition, I believe it would also make sense to have 2 patches for
> the same CVE applied at once?
>
> Ideally this series would be 11 patches, each of which updated SRC_URI
> and added the patch files to fix a single CVE.
>
That makes sense to me.
> What do you think?
I will have more free time soon so I can resend the series in a few days.
> I am more than happy to take this series and make the
> suggested change (11 commits, each editing SRC_URI) myself before
> requesting my fido-next branch be merged?
- armin
>
> Thanks,
>
> Joshua
>
>> I have included two previous CVEs sent for jethro which can be ignored.
>> I put the CVEs in order as they were fixed upstream.
>>
>> Armin Kuster (15):
>> libxml2: security fix CVE-2015-7941-1
>> libxml2: security fix CVE-2015-7941-2
>> libxml2: security fix CVE-2015-8317
>> libxml2: security fix CVE-2015-7942
>> libxml2: security fix CVE-2015-7942-2
>> libxml2: security fix CVE-2015-8317
>> libxml2: security fix CVE-2015-7498
>> libxml2: security fix CVE-2015-7497
>> libxml2: security fix CVE-2015-7499-1
>> libxml2: security fix CVE-2015-7499-2
>> libxml2: depend fix security issue CVE-2015-7500
>> libxml2: security fix CVE-2015-7500
>> libxml2: security fix CVE-2015-8242
>> libxml2: security fix CVE-2015-5312
>> libxml2: multiple security fixes.
>>
>> meta/recipes-core/libxml/libxml2.inc | 14 +++
>> ...-2015-5312-Another-entity-expansion-issue.patch | 39 ++++++
>> ...97-Avoid-an-heap-buffer-overflow-in-xmlDi.patch | 40 ++++++
>> ...00-Fix-memory-access-error-due-to-incorre.patch | 131
>> +++++++++++++++++++
>> ...2015-8035-Fix-XZ-compression-support-loop.patch | 38 ++++++
>> ...42-Buffer-overead-with-HTML-parser-in-pus.patch | 49 ++++++++
>> ...n-name-parsing-at-the-end-of-current-inpu.patch | 138
>> +++++++++++++++++++++
>> ...ssing-entities-after-encoding-conversion-.patch | 89 +++++++++++++
>> ...99-1-Add-xmlHaltParser-to-stop-the-parser.patch | 88 +++++++++++++
>> ...VE-2015-7499-2-Detect-incoherency-on-GROW.patch | 43 +++++++
>> ...top-parsing-on-entities-boundaries-errors.patch | 39 ++++++
>> ...leanup-conditional-section-error-handling.patch | 56 +++++++++
>> ...ror-in-previous-Conditional-section-patch.patch | 35 ++++++
>> ...iation-of-overflow-in-Conditional-section.patch | 39 ++++++
>> ...ng-early-on-if-encoding-conversion-failed.patch | 42 +++++++
>> 15 files changed, 880 insertions(+)
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/0001-CVE-2015-5312-Another-entity-expansion-issue.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/0001-CVE-2015-7497-Avoid-an-heap-buffer-overflow-in-xmlDi.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/0001-CVE-2015-7500-Fix-memory-access-error-due-to-incorre.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/0001-CVE-2015-8035-Fix-XZ-compression-support-loop.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/0001-CVE-2015-8242-Buffer-overead-with-HTML-parser-in-pus.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/0001-Fix-a-bug-on-name-parsing-at-the-end-of-current-inpu.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/CVE-2015-7498-Avoid-processing-entities-after-encoding-conversion-.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/CVE-2015-7499-1-Add-xmlHaltParser-to-stop-the-parser.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/CVE-2015-7499-2-Detect-incoherency-on-GROW.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/CVE-2015-7941-1-Stop-parsing-on-entities-boundaries-errors.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/CVE-2015-7941-2-Cleanup-conditional-section-error-handling.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/CVE-2015-7942-2-Fix-an-error-in-previous-Conditional-section-patch.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/CVE-2015-7942-Another-variation-of-overflow-in-Conditional-section.patch
>>
>> create mode 100644
>> meta/recipes-core/libxml/libxml2/CVE-2015-8317-Fail-parsing-early-on-if-encoding-conversion-failed.patch
>>
>>
>