[Buildroot] [PATCH] package/libxml2: properly set LIBXML2_IGNORE

Buildroot Archive on lore.kernel.org
 help / color / mirror / Atom feed

* [Buildroot] [PATCH] package/libxml2: properly set LIBXML2_IGNORE_CVES
@ 2020-02-18 23:36 Thomas Petazzoni
  2020-02-19  7:23 ` Peter Korsgaard
  2020-02-19  9:11 ` Thomas De Schampheleire
  0 siblings, 2 replies; 4+ messages in thread
From: Thomas Petazzoni @ 2020-02-18 23:36 UTC (permalink / raw)
  To: buildroot

The libxml2 package has two patches that fix the two CVEs affecting
libxml2 in version 2.9.10, so let's use LIBXML2_IGNORE_CVES to ensure
these CVEs are no longer reported by pkg-stats.

Cc: Titouan Christophe <titouan.christophe@railnova.eu>
Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 package/libxml2/libxml2.mk | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/package/libxml2/libxml2.mk b/package/libxml2/libxml2.mk
index f6cf084b2b..ea6a8c1f6d 100644
--- a/package/libxml2/libxml2.mk
+++ b/package/libxml2/libxml2.mk
@@ -9,6 +9,10 @@ LIBXML2_SITE = http://xmlsoft.org/sources
 LIBXML2_INSTALL_STAGING = YES
 LIBXML2_LICENSE = MIT
 LIBXML2_LICENSE_FILES = COPYING
+# 0001-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch
+LIBXML2_IGNORE_CVES += CVE-2020-7595
+# 0002-Fix-memory-leak-in-xmlSchemaValidateStream.patch
+LIBXML2_IGNORE_CVES += CVE-2019-20388
 LIBXML2_CONFIG_SCRIPTS = xml2-config
 
 # relocation truncated to fit: R_68K_GOT16O
-- 
2.24.1

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [Buildroot] [PATCH] package/libxml2: properly set LIBXML2_IGNORE_CVES
  2020-02-18 23:36 [Buildroot] [PATCH] package/libxml2: properly set LIBXML2_IGNORE_CVES Thomas Petazzoni
@ 2020-02-19  7:23 ` Peter Korsgaard
  2020-02-19  9:11 ` Thomas De Schampheleire
  1 sibling, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2020-02-19  7:23 UTC (permalink / raw)
  To: buildroot

>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:

 > The libxml2 package has two patches that fix the two CVEs affecting
 > libxml2 in version 2.9.10, so let's use LIBXML2_IGNORE_CVES to ensure
 > these CVEs are no longer reported by pkg-stats.

 > Cc: Titouan Christophe <titouan.christophe@railnova.eu>
 > Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
 > Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [Buildroot] [PATCH] package/libxml2: properly set LIBXML2_IGNORE_CVES
  2020-02-18 23:36 [Buildroot] [PATCH] package/libxml2: properly set LIBXML2_IGNORE_CVES Thomas Petazzoni
  2020-02-19  7:23 ` Peter Korsgaard
@ 2020-02-19  9:11 ` Thomas De Schampheleire
  2020-02-19 12:28   ` Thomas Petazzoni
  1 sibling, 1 reply; 4+ messages in thread
From: Thomas De Schampheleire @ 2020-02-19  9:11 UTC (permalink / raw)
  To: buildroot

El mi?., 19 feb. 2020 a las 0:37, Thomas Petazzoni
(<thomas.petazzoni@bootlin.com>) escribi?:
>
> The libxml2 package has two patches that fix the two CVEs affecting
> libxml2 in version 2.9.10, so let's use LIBXML2_IGNORE_CVES to ensure
> these CVEs are no longer reported by pkg-stats.
>
> Cc: Titouan Christophe <titouan.christophe@railnova.eu>
> Cc: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
>  package/libxml2/libxml2.mk | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/package/libxml2/libxml2.mk b/package/libxml2/libxml2.mk
> index f6cf084b2b..ea6a8c1f6d 100644
> --- a/package/libxml2/libxml2.mk
> +++ b/package/libxml2/libxml2.mk
> @@ -9,6 +9,10 @@ LIBXML2_SITE = http://xmlsoft.org/sources
>  LIBXML2_INSTALL_STAGING = YES
>  LIBXML2_LICENSE = MIT
>  LIBXML2_LICENSE_FILES = COPYING
> +# 0001-Fix-infinite-loop-in-xmlStringLenDecodeEntities.patch
> +LIBXML2_IGNORE_CVES += CVE-2020-7595
> +# 0002-Fix-memory-leak-in-xmlSchemaValidateStream.patch
> +LIBXML2_IGNORE_CVES += CVE-2019-20388
>  LIBXML2_CONFIG_SCRIPTS = xml2-config
>
>  # relocation truncated to fit: R_68K_GOT16O
> --

Thanks, I was just going to make this change after Peter's mail :-)

What is the update frequency of http://autobuild.buildroot.org/stats/ ?

/Thomas

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [Buildroot] [PATCH] package/libxml2: properly set LIBXML2_IGNORE_CVES
  2020-02-19  9:11 ` Thomas De Schampheleire
@ 2020-02-19 12:28   ` Thomas Petazzoni
  0 siblings, 0 replies; 4+ messages in thread
From: Thomas Petazzoni @ 2020-02-19 12:28 UTC (permalink / raw)
  To: buildroot

On Wed, 19 Feb 2020 10:11:51 +0100
Thomas De Schampheleire <patrickdepinguin@gmail.com> wrote:

> What is the update frequency of http://autobuild.buildroot.org/stats/ ?

Normally every day at 8:00 AM CET. Based on the data of the next branch
when a next branch exists, otherwise using data of the master branch.

However, we will probably want to run it on master / LTS as well in
order to have CVE information for these branches as well.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2020-02-19 12:28 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-02-18 23:36 [Buildroot] [PATCH] package/libxml2: properly set LIBXML2_IGNORE_CVES Thomas Petazzoni
2020-02-19  7:23 ` Peter Korsgaard
2020-02-19  9:11 ` Thomas De Schampheleire
2020-02-19 12:28   ` Thomas Petazzoni

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox