* [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16
From: Bernd Kuhls @ 2023-06-22 5:17 UTC
To: buildroot
This version included the patches removed by this commit, no new CVEs
were fixed.
Release notes: https://librdf.org/raptor/RELEASE.html#rel2_0_16
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
v2: Removed patches from .checkpackageignore
.checkpackageignore | 2 -
...pace-declarations-correctly-for-XML-.patch | 47 -------------------
...are-namespace-declarations-correctly.patch | 33 -------------
package/raptor/raptor.hash | 4 +-
package/raptor/raptor.mk | 8 +---
5 files changed, 3 insertions(+), 91 deletions(-)
delete mode 100644 package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
delete mode 100644 package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
diff --git a/.checkpackageignore b/.checkpackageignore
index 36ab2845d7..07408893ce 100644
--- a/.checkpackageignore
+++ b/.checkpackageignore
@@ -1341,8 +1341,6 @@ package/quotatool/0001-fix-missing-__P-definition-for-musl-compile.patch Upstrea
package/racehound/0001-Fix-module-install-path-lib-instead-of-usr-lib-prefi.patch Upstream
package/ranger/0001-colorscheme-check-for-compiled-python-files.patch Upstream
package/rapidxml/0001-ensure-internal-print-operations-are-declared-before.patch Upstream
-package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch Upstream
-package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch Upstream
package/raspberrypi-usbboot/0001-Makefile-allow-passing-CFLAGS-LDFLAGS.patch Upstream
package/rdesktop/0001-8bit-colors.patch Sob Upstream
package/read-edid/0001-Fix-install-file-list.patch Upstream
diff --git a/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch b/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
deleted file mode 100644
index 406e265cf3..0000000000
--- a/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 590681e546cd9aa18d57dc2ea1858cb734a3863f Mon Sep 17 00:00:00 2001
-From: Dave Beckett <dave@dajobe.org>
-Date: Sun, 16 Apr 2017 23:15:12 +0100
-Subject: [PATCH] Calcualte max nspace declarations correctly for XML writer
-
-(raptor_xml_writer_start_element_common): Calculate max including for
-each attribute a potential name and value.
-
-Fixes Issues #0000617 http://bugs.librdf.org/mantis/view.php?id=617
-and #0000618 http://bugs.librdf.org/mantis/view.php?id=618
-
-[Peter: fixes CVE-2017-18926, upstream:
- https://github.com/dajobe/raptor/commit/590681e546cd9aa18d57dc2ea1858cb734a3863f]
-Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
----
- src/raptor_xml_writer.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
-index 693b9468..0d3a36a5 100644
---- a/src/raptor_xml_writer.c
-+++ b/src/raptor_xml_writer.c
-@@ -181,9 +181,10 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
- size_t nspace_declarations_count = 0;
- unsigned int i;
-
-- /* max is 1 per element and 1 for each attribute + size of declared */
- if(nstack) {
-- int nspace_max_count = element->attribute_count+1;
-+ int nspace_max_count = element->attribute_count * 2; /* attr and value */
-+ if(element->name->nspace)
-+ nspace_max_count++;
- if(element->declared_nspaces)
- nspace_max_count += raptor_sequence_size(element->declared_nspaces);
- if(element->xml_language)
-@@ -237,7 +238,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
- }
- }
-
-- /* Add the attribute + value */
-+ /* Add the attribute's value */
- nspace_declarations[nspace_declarations_count].declaration=
- raptor_qname_format_as_xml(element->attributes[i],
- &nspace_declarations[nspace_declarations_count].length);
---
-2.20.1
-
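Review bot: The commit message's claim that 2.0.16 contains the removed patches is not backed by a reference. The header of this deleted file names upstream commit 590681e546cd9aa18d57dc2ea1858cb734a3863f as the CVE-2017-18926 fix; quoting that hash in the commit message would let anyone deciding on a backport confirm the release carries it without digging the old patch out of history.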
diff --git a/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch b/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
deleted file mode 100644
index a48a583cb1..0000000000
--- a/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 4f5dbbffcc1c6cf0398bd03450453289a0979dea Mon Sep 17 00:00:00 2001
-From: Dave Beckett <dave@dajobe.org>
-Date: Sat, 18 Sep 2021 17:40:00 -0700
-Subject: [PATCH] XML Writer : compare namespace declarations correctly
-
-Apply patch from
-0001-CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch.1
-that fixes Issue#0000650 https://bugs.librdf.org/mantis/view.php?id=650
-which overwrote heap during XML writing in parse type literal
-content. This was detected with clang asan.
-
-Thanks to Michael Stahl / mst2 for the fix.
-
-[Retrieved from:
-https://github.com/dajobe/raptor/commit/4f5dbbffcc1c6cf0398bd03450453289a0979dea]
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- src/raptor_xml_writer.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
-index 56993dc3..4426d38c 100644
---- a/src/raptor_xml_writer.c
-+++ b/src/raptor_xml_writer.c
-@@ -227,7 +227,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
-
- /* check it wasn't an earlier declaration too */
- for(j = 0; j < nspace_declarations_count; j++)
-- if(nspace_declarations[j].nspace == element->attributes[j]->nspace) {
-+ if(nspace_declarations[j].nspace == element->attributes[i]->nspace) {
- declare_me = 0;
- break;
- }
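Review bot: Dropping this file removes the only local copy of the one-line index fix (element->attributes[j] changed to element->attributes[i] inside the j loop) that its header ties to the heap overwrite from issue 650 and to CVE-2020-25713. Before applying, check that the extracted 2.0.16 src/raptor_xml_writer.c has the attributes[i] form in that loop, and record the result in the commit message.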
diff --git a/package/raptor/raptor.hash b/package/raptor/raptor.hash
index 2a54bf270d..05e9c53902 100644
--- a/package/raptor/raptor.hash
+++ b/package/raptor/raptor.hash
@@ -1,3 +1,3 @@
# Locally calculated
-sha256 ada7f0ba54787b33485d090d3d2680533520cd4426d2f7fb4782dd4a6a1480ed raptor2-2.0.15.tar.gz
-sha256 6b926a47abfb87451c436fbd4a868defec963d0232c70b806ac02d4a2a6e1968 LICENSE.txt
+sha256 089db78d7ac982354bdbf39d973baf09581e6904ac4c92a98c5caadb3de44680 raptor2-2.0.16.tar.gz
+sha256 0f0c719a05c9f7a0be2051ab83c1470837f595ed23e34989f46fd8eb45cfc251 LICENSE.txt
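Review bot: The LICENSE.txt hash changes along with the tarball hash, but the commit message does not say what changed in the license file. Please state the reason (a year or wording update, or an actual change of terms) so the package's license information can be checked against the new text.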
diff --git a/package/raptor/raptor.mk b/package/raptor/raptor.mk
index 69ac121300..ec7643ce3d 100644
--- a/package/raptor/raptor.mk
+++ b/package/raptor/raptor.mk
@@ -4,7 +4,7 @@
#
################################################################################
-RAPTOR_VERSION = 2.0.15
+RAPTOR_VERSION = 2.0.16
RAPTOR_SOURCE = raptor2-$(RAPTOR_VERSION).tar.gz
RAPTOR_SITE = http://download.librdf.org/source
RAPTOR_DEPENDENCIES = libxml2 libxslt
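Review bot: The context line RAPTOR_SITE = http://download.librdf.org/source keeps the download on plain http, so the new tarball is authenticated only by the locally calculated sha256 in raptor.hash. If the upstream host serves the same path over https, switching the URL as part of this bump would be a cheap improvement.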
@@ -17,12 +17,6 @@ RAPTOR_INSTALL_STAGING = YES
# Flag is added to make sure the patch is applied for the configure.ac of raptor.
RAPTOR_AUTORECONF = YES
-# 0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
-RAPTOR_IGNORE_CVES += CVE-2017-18926
-
-# 0003-XML-Writer-compare-namespace-declarations-correctly.patch
-RAPTOR_IGNORE_CVES += CVE-2020-25713
-
RAPTOR_CONF_OPTS =\
--with-xml2-config=$(STAGING_DIR)/usr/bin/xml2-config \
--with-xslt-config=$(STAGING_DIR)/usr/bin/xslt-config
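Review bot: With both RAPTOR_IGNORE_CVES lines gone, CVE-2017-18926 and CVE-2020-25713 stay suppressed only if the CVE data marks 2.0.16 as not affected; confirm that after the bump so the two entries do not reappear in the package's CVE report. The comment above RAPTOR_AUTORECONF also still refers to "the patch" without naming it, and naming the patch file there would make it clear the flag is unaffected by the removals in this commit.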
--
2.39.2
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* [Buildroot] [PATCH v2 2/2] package/raptor: fix build with newer versions of libxml2
From: Bernd Kuhls @ 2023-06-22 5:17 UTC
To: buildroot
Fixes:
http://autobuild.buildroot.net/results/6a5/6a5139fe86b8370477dc6cb044bf29180bd145df/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
v2: no changes
...s-to-entities-checked-private-symbol.patch | 35 +++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch
diff --git a/package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch b/package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch
new file mode 100644
index 0000000000..cd9542a9a9
--- /dev/null
+++ b/package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch
@@ -0,0 +1,35 @@
+From 4dbc4c1da2a033c497d84a1291c46f416a9cac51 Mon Sep 17 00:00:00 2001
+From: David Anes <david.anes@suse.com>
+Date: Thu, 4 May 2023 11:54:02 +0200
+Subject: [PATCH] Remove the access to entities 'checked' private symbol for
+ libxml2 2.11.0
+
+Since version 2.11.0, some private symbols that were never intended
+as public API/ABI have been removed from libxml2, therefore the field
+'checked' is no longer present and raptor fails to build in this
+scenario.
+
+Upstream: https://github.com/dajobe/raptor/commit/4dbc4c1da2a033c497d84a1291c46f416a9cac51
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+---
+ src/raptor_libxml.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/raptor_libxml.c b/src/raptor_libxml.c
+index 538c2c8e..8bcee139 100644
+--- a/src/raptor_libxml.c
++++ b/src/raptor_libxml.c
+@@ -246,10 +246,11 @@ raptor_libxml_getEntity(void* user_data, const xmlChar *name)
+
+ ret->owner = 1;
+
+-#if LIBXML_VERSION >= 20627
++#if LIBXML_VERSION >= 20627 && LIBXML_VERSION < 21100
+ /* Checked field was released in 2.6.27 on 2006-10-25
+ * http://git.gnome.org/browse/libxml2/commit/?id=a37a6ad91a61d168ecc4b29263def3363fff4da6
+ *
++ * and was later removed in version 2.11.0
+ */
+
+ /* Mark this entity as having been checked - never do this again */
--
2.39.2
* Re: [Buildroot] [PATCH v2 2/2] package/raptor: fix build with newer versions of libxml2
From: Arnout Vandecappelle via buildroot @ 2023-06-25 19:19 UTC
To: Bernd Kuhls, buildroot
On 22/06/2023 07:17, Bernd Kuhls wrote:
> Fixes:
> http://autobuild.buildroot.net/results/6a5/6a5139fe86b8370477dc6cb044bf29180bd145df/
>
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Applied to master, thanks.
Regards,
Arnout
> ---
> v2: no changes
>
> ...s-to-entities-checked-private-symbol.patch | 35 +++++++++++++++++++
> 1 file changed, 35 insertions(+)
> create mode 100644 package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch
>
> diff --git a/package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch b/package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch
> new file mode 100644
> index 0000000000..cd9542a9a9
> --- /dev/null
> +++ b/package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch
> @@ -0,0 +1,35 @@
> +From 4dbc4c1da2a033c497d84a1291c46f416a9cac51 Mon Sep 17 00:00:00 2001
> +From: David Anes <david.anes@suse.com>
> +Date: Thu, 4 May 2023 11:54:02 +0200
> +Subject: [PATCH] Remove the access to entities 'checked' private symbol for
> + libxml2 2.11.0
> +
> +Since version 2.11.0, some private symbols that were never intended
> +as public API/ABI have been removed from libxml2, therefore the field
> +'checked' is no longer present and raptor fails to build in this
> +scenario.
> +
> +Upstream: https://github.com/dajobe/raptor/commit/4dbc4c1da2a033c497d84a1291c46f416a9cac51
> +
> +Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
> +---
> + src/raptor_libxml.c | 3 ++-
> + 1 file changed, 2 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/raptor_libxml.c b/src/raptor_libxml.c
> +index 538c2c8e..8bcee139 100644
> +--- a/src/raptor_libxml.c
> ++++ b/src/raptor_libxml.c
> +@@ -246,10 +246,11 @@ raptor_libxml_getEntity(void* user_data, const xmlChar *name)
> +
> + ret->owner = 1;
> +
> +-#if LIBXML_VERSION >= 20627
> ++#if LIBXML_VERSION >= 20627 && LIBXML_VERSION < 21100
> + /* Checked field was released in 2.6.27 on 2006-10-25
> + * http://git.gnome.org/browse/libxml2/commit/?id=a37a6ad91a61d168ecc4b29263def3363fff4da6
> + *
> ++ * and was later removed in version 2.11.0
> + */
> +
> + /* Mark this entity as having been checked - never do this again */
* Re: [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16
From: Arnout Vandecappelle via buildroot @ 2023-06-25 19:18 UTC
To: Bernd Kuhls, buildroot, Peter Korsgaard
On 22/06/2023 07:17, Bernd Kuhls wrote:
> This version included the patches removed by this commit, no new CVEs
> were fixed.
So, I guess we shouldn't call it a "security bump" then? AFAIU the only reason
to call it security bump is to flag to Peter that it should be backported to stable.
Regards,
Arnout
>
> Release notes: https://librdf.org/raptor/RELEASE.html#rel2_0_16
>
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
> ---
> v2: Removed patches from .checkpackageignore
>
> .checkpackageignore | 2 -
> ...pace-declarations-correctly-for-XML-.patch | 47 -------------------
> ...are-namespace-declarations-correctly.patch | 33 -------------
> package/raptor/raptor.hash | 4 +-
> package/raptor/raptor.mk | 8 +---
> 5 files changed, 3 insertions(+), 91 deletions(-)
> delete mode 100644 package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> delete mode 100644 package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
>
> diff --git a/.checkpackageignore b/.checkpackageignore
> index 36ab2845d7..07408893ce 100644
> --- a/.checkpackageignore
> +++ b/.checkpackageignore
> @@ -1341,8 +1341,6 @@ package/quotatool/0001-fix-missing-__P-definition-for-musl-compile.patch Upstrea
> package/racehound/0001-Fix-module-install-path-lib-instead-of-usr-lib-prefi.patch Upstream
> package/ranger/0001-colorscheme-check-for-compiled-python-files.patch Upstream
> package/rapidxml/0001-ensure-internal-print-operations-are-declared-before.patch Upstream
> -package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch Upstream
> -package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch Upstream
> package/raspberrypi-usbboot/0001-Makefile-allow-passing-CFLAGS-LDFLAGS.patch Upstream
> package/rdesktop/0001-8bit-colors.patch Sob Upstream
> package/read-edid/0001-Fix-install-file-list.patch Upstream
> diff --git a/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch b/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> deleted file mode 100644
> index 406e265cf3..0000000000
> --- a/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> +++ /dev/null
> @@ -1,47 +0,0 @@
> -From 590681e546cd9aa18d57dc2ea1858cb734a3863f Mon Sep 17 00:00:00 2001
> -From: Dave Beckett <dave@dajobe.org>
> -Date: Sun, 16 Apr 2017 23:15:12 +0100
> -Subject: [PATCH] Calcualte max nspace declarations correctly for XML writer
> -
> -(raptor_xml_writer_start_element_common): Calculate max including for
> -each attribute a potential name and value.
> -
> -Fixes Issues #0000617 http://bugs.librdf.org/mantis/view.php?id=617
> -and #0000618 http://bugs.librdf.org/mantis/view.php?id=618
> -
> -[Peter: fixes CVE-2017-18926, upstream:
> - https://github.com/dajobe/raptor/commit/590681e546cd9aa18d57dc2ea1858cb734a3863f]
> -Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ----
> - src/raptor_xml_writer.c | 7 ++++---
> - 1 file changed, 4 insertions(+), 3 deletions(-)
> -
> -diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
> -index 693b9468..0d3a36a5 100644
> ---- a/src/raptor_xml_writer.c
> -+++ b/src/raptor_xml_writer.c
> -@@ -181,9 +181,10 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> - size_t nspace_declarations_count = 0;
> - unsigned int i;
> -
> -- /* max is 1 per element and 1 for each attribute + size of declared */
> - if(nstack) {
> -- int nspace_max_count = element->attribute_count+1;
> -+ int nspace_max_count = element->attribute_count * 2; /* attr and value */
> -+ if(element->name->nspace)
> -+ nspace_max_count++;
> - if(element->declared_nspaces)
> - nspace_max_count += raptor_sequence_size(element->declared_nspaces);
> - if(element->xml_language)
> -@@ -237,7 +238,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> - }
> - }
> -
> -- /* Add the attribute + value */
> -+ /* Add the attribute's value */
> - nspace_declarations[nspace_declarations_count].declaration=
> - raptor_qname_format_as_xml(element->attributes[i],
> - &nspace_declarations[nspace_declarations_count].length);
> ---
> -2.20.1
> -
> diff --git a/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch b/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
> deleted file mode 100644
> index a48a583cb1..0000000000
> --- a/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
> +++ /dev/null
> @@ -1,33 +0,0 @@
> -From 4f5dbbffcc1c6cf0398bd03450453289a0979dea Mon Sep 17 00:00:00 2001
> -From: Dave Beckett <dave@dajobe.org>
> -Date: Sat, 18 Sep 2021 17:40:00 -0700
> -Subject: [PATCH] XML Writer : compare namespace declarations correctly
> -
> -Apply patch from
> -0001-CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch.1
> -that fixes Issue#0000650 https://bugs.librdf.org/mantis/view.php?id=650
> -which overwrote heap during XML writing in parse type literal
> -content. This was detected with clang asan.
> -
> -Thanks to Michael Stahl / mst2 for the fix.
> -
> -[Retrieved from:
> -https://github.com/dajobe/raptor/commit/4f5dbbffcc1c6cf0398bd03450453289a0979dea]
> -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ----
> - src/raptor_xml_writer.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
> -index 56993dc3..4426d38c 100644
> ---- a/src/raptor_xml_writer.c
> -+++ b/src/raptor_xml_writer.c
> -@@ -227,7 +227,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> -
> - /* check it wasn't an earlier declaration too */
> - for(j = 0; j < nspace_declarations_count; j++)
> -- if(nspace_declarations[j].nspace == element->attributes[j]->nspace) {
> -+ if(nspace_declarations[j].nspace == element->attributes[i]->nspace) {
> - declare_me = 0;
> - break;
> - }
> diff --git a/package/raptor/raptor.hash b/package/raptor/raptor.hash
> index 2a54bf270d..05e9c53902 100644
> --- a/package/raptor/raptor.hash
> +++ b/package/raptor/raptor.hash
> @@ -1,3 +1,3 @@
> # Locally calculated
> -sha256 ada7f0ba54787b33485d090d3d2680533520cd4426d2f7fb4782dd4a6a1480ed raptor2-2.0.15.tar.gz
> -sha256 6b926a47abfb87451c436fbd4a868defec963d0232c70b806ac02d4a2a6e1968 LICENSE.txt
> +sha256 089db78d7ac982354bdbf39d973baf09581e6904ac4c92a98c5caadb3de44680 raptor2-2.0.16.tar.gz
> +sha256 0f0c719a05c9f7a0be2051ab83c1470837f595ed23e34989f46fd8eb45cfc251 LICENSE.txt
> diff --git a/package/raptor/raptor.mk b/package/raptor/raptor.mk
> index 69ac121300..ec7643ce3d 100644
> --- a/package/raptor/raptor.mk
> +++ b/package/raptor/raptor.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -RAPTOR_VERSION = 2.0.15
> +RAPTOR_VERSION = 2.0.16
> RAPTOR_SOURCE = raptor2-$(RAPTOR_VERSION).tar.gz
> RAPTOR_SITE = http://download.librdf.org/source
> RAPTOR_DEPENDENCIES = libxml2 libxslt
> @@ -17,12 +17,6 @@ RAPTOR_INSTALL_STAGING = YES
> # Flag is added to make sure the patch is applied for the configure.ac of raptor.
> RAPTOR_AUTORECONF = YES
>
> -# 0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> -RAPTOR_IGNORE_CVES += CVE-2017-18926
> -
> -# 0003-XML-Writer-compare-namespace-declarations-correctly.patch
> -RAPTOR_IGNORE_CVES += CVE-2020-25713
> -
> RAPTOR_CONF_OPTS =\
> --with-xml2-config=$(STAGING_DIR)/usr/bin/xml2-config \
> --with-xslt-config=$(STAGING_DIR)/usr/bin/xslt-config
* Re: [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16
From: Peter Korsgaard @ 2023-06-25 19:24 UTC
To: Arnout Vandecappelle; +Cc: Bernd Kuhls, buildroot
>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:
> On 22/06/2023 07:17, Bernd Kuhls wrote:
>> This version included the patches removed by this commit, no new CVEs
>> were fixed.
> So, I guess we shouldn't call it a "security bump" then? AFAIU the
> only reason to call it security bump is to flag to Peter that it
> should be backported to stable.
And that is even not necessary. I do look at all commits getting applied
to master to (try to) decide if something should be backported, E.G. if
it is a (security) bugfix and also applies to the version in LTS.
If you already had a look and think it should be backported, then just
state that in the commit message (E.G. fixes foo since the bump to
version x.y.z in commit sha1).
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16
From: Arnout Vandecappelle via buildroot @ 2023-06-25 19:34 UTC
To: Peter Korsgaard; +Cc: Bernd Kuhls, buildroot
On 25/06/2023 21:24, Peter Korsgaard wrote:
>>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:
>
> > On 22/06/2023 07:17, Bernd Kuhls wrote:
> >> This version included the patches removed by this commit, no new CVEs
> >> were fixed.
>
> > So, I guess we shouldn't call it a "security bump" then? AFAIU the
> > only reason to call it security bump is to flag to Peter that it
> > should be backported to stable.
>
>
> And that is even not necessary. I do look at all commits getting applied
> to master to (try to) decide if something should be backported, E.G. if
> it is a (security) bugfix and also applies to the version in LTS.
Oh. I saw you sometimes change the subject line to include "security bump"
when the submitter forgets to...
Regards,
Arnout
>
> If you already had a look and think it should be backported, then just
> state that in the commit message (E.G. fixes foo since the bump to
> version x.y.z in commit sha1).
>
* Re: [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16
From: Peter Korsgaard @ 2023-06-25 19:42 UTC
To: Arnout Vandecappelle; +Cc: Bernd Kuhls, buildroot
>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:
> On 25/06/2023 21:24, Peter Korsgaard wrote:
>>>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:
>> > On 22/06/2023 07:17, Bernd Kuhls wrote:
>> >> This version included the patches removed by this commit, no new CVEs
>> >> were fixed.
>> > So, I guess we shouldn't call it a "security bump" then? AFAIU
>> the
>> > only reason to call it security bump is to flag to Peter that it
>> > should be backported to stable.
>>
>> And that is even not necessary. I do look at all commits getting applied
>> to master to (try to) decide if something should be backported, E.G. if
>> it is a (security) bugfix and also applies to the version in LTS.
> Oh. I saw you sometimes change the subject line to include "security
> bump" when the submitter forgets to...
Sure, if it is a security bump then we normally mention it in the commit
message and I sometimes fix that up when applying if the contributor
forgot to do so - But my point is that I don't just look at
    git log --grep 'security bump'
Or something like that, I really skim through all commits on master.
--
Bye, Peter Korsgaard
* Re: [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16
From: Arnout Vandecappelle via buildroot @ 2023-06-25 19:44 UTC
To: Bernd Kuhls, buildroot
On 22/06/2023 07:17, Bernd Kuhls wrote:
> This version included the patches removed by this commit, no new CVEs
> were fixed.
>
> Release notes: https://librdf.org/raptor/RELEASE.html#rel2_0_16
>
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Applied to master, thanks.
Regards,
Arnout
> ---
> v2: Removed patches from .checkpackageignore
>
> .checkpackageignore | 2 -
> ...pace-declarations-correctly-for-XML-.patch | 47 -------------------
> ...are-namespace-declarations-correctly.patch | 33 -------------
> package/raptor/raptor.hash | 4 +-
> package/raptor/raptor.mk | 8 +---
> 5 files changed, 3 insertions(+), 91 deletions(-)
> delete mode 100644 package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> delete mode 100644 package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
>
> diff --git a/.checkpackageignore b/.checkpackageignore
> index 36ab2845d7..07408893ce 100644
> --- a/.checkpackageignore
> +++ b/.checkpackageignore
> @@ -1341,8 +1341,6 @@ package/quotatool/0001-fix-missing-__P-definition-for-musl-compile.patch Upstrea
> package/racehound/0001-Fix-module-install-path-lib-instead-of-usr-lib-prefi.patch Upstream
> package/ranger/0001-colorscheme-check-for-compiled-python-files.patch Upstream
> package/rapidxml/0001-ensure-internal-print-operations-are-declared-before.patch Upstream
> -package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch Upstream
> -package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch Upstream
> package/raspberrypi-usbboot/0001-Makefile-allow-passing-CFLAGS-LDFLAGS.patch Upstream
> package/rdesktop/0001-8bit-colors.patch Sob Upstream
> package/read-edid/0001-Fix-install-file-list.patch Upstream
> diff --git a/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch b/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> deleted file mode 100644
> index 406e265cf3..0000000000
> --- a/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> +++ /dev/null
> @@ -1,47 +0,0 @@
> -From 590681e546cd9aa18d57dc2ea1858cb734a3863f Mon Sep 17 00:00:00 2001
> -From: Dave Beckett <dave@dajobe.org>
> -Date: Sun, 16 Apr 2017 23:15:12 +0100
> -Subject: [PATCH] Calcualte max nspace declarations correctly for XML writer
> -
> -(raptor_xml_writer_start_element_common): Calculate max including for
> -each attribute a potential name and value.
> -
> -Fixes Issues #0000617 http://bugs.librdf.org/mantis/view.php?id=617
> -and #0000618 http://bugs.librdf.org/mantis/view.php?id=618
> -
> -[Peter: fixes CVE-2017-18926, upstream:
> - https://github.com/dajobe/raptor/commit/590681e546cd9aa18d57dc2ea1858cb734a3863f]
> -Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ----
> - src/raptor_xml_writer.c | 7 ++++---
> - 1 file changed, 4 insertions(+), 3 deletions(-)
> -
> -diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
> -index 693b9468..0d3a36a5 100644
> ---- a/src/raptor_xml_writer.c
> -+++ b/src/raptor_xml_writer.c
> -@@ -181,9 +181,10 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> - size_t nspace_declarations_count = 0;
> - unsigned int i;
> -
> -- /* max is 1 per element and 1 for each attribute + size of declared */
> - if(nstack) {
> -- int nspace_max_count = element->attribute_count+1;
> -+ int nspace_max_count = element->attribute_count * 2; /* attr and value */
> -+ if(element->name->nspace)
> -+ nspace_max_count++;
> - if(element->declared_nspaces)
> - nspace_max_count += raptor_sequence_size(element->declared_nspaces);
> - if(element->xml_language)
> -@@ -237,7 +238,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> - }
> - }
> -
> -- /* Add the attribute + value */
> -+ /* Add the attribute's value */
> - nspace_declarations[nspace_declarations_count].declaration=
> - raptor_qname_format_as_xml(element->attributes[i],
> - &nspace_declarations[nspace_declarations_count].length);
> ---
> -2.20.1
> -
> diff --git a/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch b/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
> deleted file mode 100644
> index a48a583cb1..0000000000
> --- a/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
> +++ /dev/null
> @@ -1,33 +0,0 @@
> -From 4f5dbbffcc1c6cf0398bd03450453289a0979dea Mon Sep 17 00:00:00 2001
> -From: Dave Beckett <dave@dajobe.org>
> -Date: Sat, 18 Sep 2021 17:40:00 -0700
> -Subject: [PATCH] XML Writer : compare namespace declarations correctly
> -
> -Apply patch from
> -0001-CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch.1
> -that fixes Issue#0000650 https://bugs.librdf.org/mantis/view.php?id=650
> -which overwrote heap during XML writing in parse type literal
> -content. This was detected with clang asan.
> -
> -Thanks to Michael Stahl / mst2 for the fix.
> -
> -[Retrieved from:
> -https://github.com/dajobe/raptor/commit/4f5dbbffcc1c6cf0398bd03450453289a0979dea]
> -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ----
> - src/raptor_xml_writer.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
> -index 56993dc3..4426d38c 100644
> ---- a/src/raptor_xml_writer.c
> -+++ b/src/raptor_xml_writer.c
> -@@ -227,7 +227,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> -
> - /* check it wasn't an earlier declaration too */
> - for(j = 0; j < nspace_declarations_count; j++)
> -- if(nspace_declarations[j].nspace == element->attributes[j]->nspace) {
> -+ if(nspace_declarations[j].nspace == element->attributes[i]->nspace) {
> - declare_me = 0;
> - break;
> - }
> diff --git a/package/raptor/raptor.hash b/package/raptor/raptor.hash
> index 2a54bf270d..05e9c53902 100644
> --- a/package/raptor/raptor.hash
> +++ b/package/raptor/raptor.hash
> @@ -1,3 +1,3 @@
> # Locally calculated
> -sha256 ada7f0ba54787b33485d090d3d2680533520cd4426d2f7fb4782dd4a6a1480ed raptor2-2.0.15.tar.gz
> -sha256 6b926a47abfb87451c436fbd4a868defec963d0232c70b806ac02d4a2a6e1968 LICENSE.txt
> +sha256 089db78d7ac982354bdbf39d973baf09581e6904ac4c92a98c5caadb3de44680 raptor2-2.0.16.tar.gz
> +sha256 0f0c719a05c9f7a0be2051ab83c1470837f595ed23e34989f46fd8eb45cfc251 LICENSE.txt
> diff --git a/package/raptor/raptor.mk b/package/raptor/raptor.mk
> index 69ac121300..ec7643ce3d 100644
> --- a/package/raptor/raptor.mk
> +++ b/package/raptor/raptor.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -RAPTOR_VERSION = 2.0.15
> +RAPTOR_VERSION = 2.0.16
> RAPTOR_SOURCE = raptor2-$(RAPTOR_VERSION).tar.gz
> RAPTOR_SITE = http://download.librdf.org/source
> RAPTOR_DEPENDENCIES = libxml2 libxslt
> @@ -17,12 +17,6 @@ RAPTOR_INSTALL_STAGING = YES
> # Flag is added to make sure the patch is applied for the configure.ac of raptor.
> RAPTOR_AUTORECONF = YES
>
> -# 0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> -RAPTOR_IGNORE_CVES += CVE-2017-18926
> -
> -# 0003-XML-Writer-compare-namespace-declarations-correctly.patch
> -RAPTOR_IGNORE_CVES += CVE-2020-25713
> -
> RAPTOR_CONF_OPTS =\
> --with-xml2-config=$(STAGING_DIR)/usr/bin/xml2-config \
> --with-xslt-config=$(STAGING_DIR)/usr/bin/xslt-config