* [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16
@ 2023-06-22 5:17 Bernd Kuhls
2023-06-22 5:17 ` [Buildroot] [PATCH v2 2/2] package/raptor: fix build with newer versions of libxml2 Bernd Kuhls
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Bernd Kuhls @ 2023-06-22 5:17 UTC (permalink / raw)
To: buildroot
This version included the patches removed by this commit, no new CVEs
were fixed.
Release notes: https://librdf.org/raptor/RELEASE.html#rel2_0_16
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
v2: Removed patches from .checkpackageignore
.checkpackageignore | 2 -
...pace-declarations-correctly-for-XML-.patch | 47 -------------------
...are-namespace-declarations-correctly.patch | 33 -------------
package/raptor/raptor.hash | 4 +-
package/raptor/raptor.mk | 8 +---
5 files changed, 3 insertions(+), 91 deletions(-)
delete mode 100644 package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
delete mode 100644 package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
diff --git a/.checkpackageignore b/.checkpackageignore
index 36ab2845d7..07408893ce 100644
--- a/.checkpackageignore
+++ b/.checkpackageignore
@@ -1341,8 +1341,6 @@ package/quotatool/0001-fix-missing-__P-definition-for-musl-compile.patch Upstrea
package/racehound/0001-Fix-module-install-path-lib-instead-of-usr-lib-prefi.patch Upstream
package/ranger/0001-colorscheme-check-for-compiled-python-files.patch Upstream
package/rapidxml/0001-ensure-internal-print-operations-are-declared-before.patch Upstream
-package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch Upstream
-package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch Upstream
package/raspberrypi-usbboot/0001-Makefile-allow-passing-CFLAGS-LDFLAGS.patch Upstream
package/rdesktop/0001-8bit-colors.patch Sob Upstream
package/read-edid/0001-Fix-install-file-list.patch Upstream
diff --git a/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch b/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
deleted file mode 100644
index 406e265cf3..0000000000
--- a/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 590681e546cd9aa18d57dc2ea1858cb734a3863f Mon Sep 17 00:00:00 2001
-From: Dave Beckett <dave@dajobe.org>
-Date: Sun, 16 Apr 2017 23:15:12 +0100
-Subject: [PATCH] Calcualte max nspace declarations correctly for XML writer
-
-(raptor_xml_writer_start_element_common): Calculate max including for
-each attribute a potential name and value.
-
-Fixes Issues #0000617 http://bugs.librdf.org/mantis/view.php?id=617
-and #0000618 http://bugs.librdf.org/mantis/view.php?id=618
-
-[Peter: fixes CVE-2017-18926, upstream:
- https://github.com/dajobe/raptor/commit/590681e546cd9aa18d57dc2ea1858cb734a3863f]
-Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
----
- src/raptor_xml_writer.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
-index 693b9468..0d3a36a5 100644
---- a/src/raptor_xml_writer.c
-+++ b/src/raptor_xml_writer.c
-@@ -181,9 +181,10 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
- size_t nspace_declarations_count = 0;
- unsigned int i;
-
-- /* max is 1 per element and 1 for each attribute + size of declared */
- if(nstack) {
-- int nspace_max_count = element->attribute_count+1;
-+ int nspace_max_count = element->attribute_count * 2; /* attr and value */
-+ if(element->name->nspace)
-+ nspace_max_count++;
- if(element->declared_nspaces)
- nspace_max_count += raptor_sequence_size(element->declared_nspaces);
- if(element->xml_language)
-@@ -237,7 +238,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
- }
- }
-
-- /* Add the attribute + value */
-+ /* Add the attribute's value */
- nspace_declarations[nspace_declarations_count].declaration=
- raptor_qname_format_as_xml(element->attributes[i],
- &nspace_declarations[nspace_declarations_count].length);
---
-2.20.1
-
diff --git a/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch b/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
deleted file mode 100644
index a48a583cb1..0000000000
--- a/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 4f5dbbffcc1c6cf0398bd03450453289a0979dea Mon Sep 17 00:00:00 2001
-From: Dave Beckett <dave@dajobe.org>
-Date: Sat, 18 Sep 2021 17:40:00 -0700
-Subject: [PATCH] XML Writer : compare namespace declarations correctly
-
-Apply patch from
-0001-CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch.1
-that fixes Issue#0000650 https://bugs.librdf.org/mantis/view.php?id=650
-which overwrote heap during XML writing in parse type literal
-content. This was detected with clang asan.
-
-Thanks to Michael Stahl / mst2 for the fix.
-
-[Retrieved from:
-https://github.com/dajobe/raptor/commit/4f5dbbffcc1c6cf0398bd03450453289a0979dea]
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- src/raptor_xml_writer.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
-index 56993dc3..4426d38c 100644
---- a/src/raptor_xml_writer.c
-+++ b/src/raptor_xml_writer.c
-@@ -227,7 +227,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
-
- /* check it wasn't an earlier declaration too */
- for(j = 0; j < nspace_declarations_count; j++)
-- if(nspace_declarations[j].nspace == element->attributes[j]->nspace) {
-+ if(nspace_declarations[j].nspace == element->attributes[i]->nspace) {
- declare_me = 0;
- break;
- }
diff --git a/package/raptor/raptor.hash b/package/raptor/raptor.hash
index 2a54bf270d..05e9c53902 100644
--- a/package/raptor/raptor.hash
+++ b/package/raptor/raptor.hash
@@ -1,3 +1,3 @@
# Locally calculated
-sha256 ada7f0ba54787b33485d090d3d2680533520cd4426d2f7fb4782dd4a6a1480ed raptor2-2.0.15.tar.gz
-sha256 6b926a47abfb87451c436fbd4a868defec963d0232c70b806ac02d4a2a6e1968 LICENSE.txt
+sha256 089db78d7ac982354bdbf39d973baf09581e6904ac4c92a98c5caadb3de44680 raptor2-2.0.16.tar.gz
+sha256 0f0c719a05c9f7a0be2051ab83c1470837f595ed23e34989f46fd8eb45cfc251 LICENSE.txt
diff --git a/package/raptor/raptor.mk b/package/raptor/raptor.mk
index 69ac121300..ec7643ce3d 100644
--- a/package/raptor/raptor.mk
+++ b/package/raptor/raptor.mk
@@ -4,7 +4,7 @@
#
################################################################################
-RAPTOR_VERSION = 2.0.15
+RAPTOR_VERSION = 2.0.16
RAPTOR_SOURCE = raptor2-$(RAPTOR_VERSION).tar.gz
RAPTOR_SITE = http://download.librdf.org/source
RAPTOR_DEPENDENCIES = libxml2 libxslt
@@ -17,12 +17,6 @@ RAPTOR_INSTALL_STAGING = YES
# Flag is added to make sure the patch is applied for the configure.ac of raptor.
RAPTOR_AUTORECONF = YES
-# 0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
-RAPTOR_IGNORE_CVES += CVE-2017-18926
-
-# 0003-XML-Writer-compare-namespace-declarations-correctly.patch
-RAPTOR_IGNORE_CVES += CVE-2020-25713
-
RAPTOR_CONF_OPTS =\
--with-xml2-config=$(STAGING_DIR)/usr/bin/xml2-config \
--with-xslt-config=$(STAGING_DIR)/usr/bin/xslt-config
--
2.39.2
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 8+ messages in thread* [Buildroot] [PATCH v2 2/2] package/raptor: fix build with newer versions of libxml2
2023-06-22 5:17 [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16 Bernd Kuhls
@ 2023-06-22 5:17 ` Bernd Kuhls
2023-06-25 19:19 ` Arnout Vandecappelle via buildroot
2023-06-25 19:18 ` [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16 Arnout Vandecappelle via buildroot
2023-06-25 19:44 ` Arnout Vandecappelle via buildroot
2 siblings, 1 reply; 8+ messages in thread
From: Bernd Kuhls @ 2023-06-22 5:17 UTC (permalink / raw)
To: buildroot
Fixes:
http://autobuild.buildroot.net/results/6a5/6a5139fe86b8370477dc6cb044bf29180bd145df/
Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
v2: no changes
...s-to-entities-checked-private-symbol.patch | 35 +++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch
diff --git a/package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch b/package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch
new file mode 100644
index 0000000000..cd9542a9a9
--- /dev/null
+++ b/package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch
@@ -0,0 +1,35 @@
+From 4dbc4c1da2a033c497d84a1291c46f416a9cac51 Mon Sep 17 00:00:00 2001
+From: David Anes <david.anes@suse.com>
+Date: Thu, 4 May 2023 11:54:02 +0200
+Subject: [PATCH] Remove the access to entities 'checked' private symbol for
+ libxml2 2.11.0
+
+Since version 2.11.0, some private symbols that were never intended
+as public API/ABI have been removed from libxml2, therefore the field
+'checked' is no longer present and raptor fails to build in this
+scenario.
+
+Upstream: https://github.com/dajobe/raptor/commit/4dbc4c1da2a033c497d84a1291c46f416a9cac51
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+---
+ src/raptor_libxml.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/raptor_libxml.c b/src/raptor_libxml.c
+index 538c2c8e..8bcee139 100644
+--- a/src/raptor_libxml.c
++++ b/src/raptor_libxml.c
+@@ -246,10 +246,11 @@ raptor_libxml_getEntity(void* user_data, const xmlChar *name)
+
+ ret->owner = 1;
+
+-#if LIBXML_VERSION >= 20627
++#if LIBXML_VERSION >= 20627 && LIBXML_VERSION < 21100
+ /* Checked field was released in 2.6.27 on 2006-10-25
+ * http://git.gnome.org/browse/libxml2/commit/?id=a37a6ad91a61d168ecc4b29263def3363fff4da6
+ *
++ * and was later removed in version 2.11.0
+ */
+
+ /* Mark this entity as having been checked - never do this again */
--
2.39.2
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [Buildroot] [PATCH v2 2/2] package/raptor: fix build with newer versions of libxml2
2023-06-22 5:17 ` [Buildroot] [PATCH v2 2/2] package/raptor: fix build with newer versions of libxml2 Bernd Kuhls
@ 2023-06-25 19:19 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 8+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2023-06-25 19:19 UTC (permalink / raw)
To: Bernd Kuhls, buildroot
On 22/06/2023 07:17, Bernd Kuhls wrote:
> Fixes:
> http://autobuild.buildroot.net/results/6a5/6a5139fe86b8370477dc6cb044bf29180bd145df/
>
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Applied to master, thanks.
Regards,
Arnout
> ---
> v2: no changes
>
> ...s-to-entities-checked-private-symbol.patch | 35 +++++++++++++++++++
> 1 file changed, 35 insertions(+)
> create mode 100644 package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch
>
> diff --git a/package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch b/package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch
> new file mode 100644
> index 0000000000..cd9542a9a9
> --- /dev/null
> +++ b/package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch
> @@ -0,0 +1,35 @@
> +From 4dbc4c1da2a033c497d84a1291c46f416a9cac51 Mon Sep 17 00:00:00 2001
> +From: David Anes <david.anes@suse.com>
> +Date: Thu, 4 May 2023 11:54:02 +0200
> +Subject: [PATCH] Remove the access to entities 'checked' private symbol for
> + libxml2 2.11.0
> +
> +Since version 2.11.0, some private symbols that were never intended
> +as public API/ABI have been removed from libxml2, therefore the field
> +'checked' is no longer present and raptor fails to build in this
> +scenario.
> +
> +Upstream: https://github.com/dajobe/raptor/commit/4dbc4c1da2a033c497d84a1291c46f416a9cac51
> +
> +Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
> +---
> + src/raptor_libxml.c | 3 ++-
> + 1 file changed, 2 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/raptor_libxml.c b/src/raptor_libxml.c
> +index 538c2c8e..8bcee139 100644
> +--- a/src/raptor_libxml.c
> ++++ b/src/raptor_libxml.c
> +@@ -246,10 +246,11 @@ raptor_libxml_getEntity(void* user_data, const xmlChar *name)
> +
> + ret->owner = 1;
> +
> +-#if LIBXML_VERSION >= 20627
> ++#if LIBXML_VERSION >= 20627 && LIBXML_VERSION < 21100
> + /* Checked field was released in 2.6.27 on 2006-10-25
> + * http://git.gnome.org/browse/libxml2/commit/?id=a37a6ad91a61d168ecc4b29263def3363fff4da6
> + *
> ++ * and was later removed in version 2.11.0
> + */
> +
> + /* Mark this entity as having been checked - never do this again */
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16
2023-06-22 5:17 [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16 Bernd Kuhls
2023-06-22 5:17 ` [Buildroot] [PATCH v2 2/2] package/raptor: fix build with newer versions of libxml2 Bernd Kuhls
@ 2023-06-25 19:18 ` Arnout Vandecappelle via buildroot
2023-06-25 19:24 ` Peter Korsgaard
2023-06-25 19:44 ` Arnout Vandecappelle via buildroot
2 siblings, 1 reply; 8+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2023-06-25 19:18 UTC (permalink / raw)
To: Bernd Kuhls, buildroot, Peter Korsgaard
On 22/06/2023 07:17, Bernd Kuhls wrote:
> This version included the patches removed by this commit, no new CVEs
> were fixed.
So, I guess we shouldn't call it a "security bump" then? AFAIU the only reason
to call it security bump is to flag to Peter that it should be backported to stable.
Regards,
Arnout
>
> Release notes: https://librdf.org/raptor/RELEASE.html#rel2_0_16
>
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
> ---
> v2: Removed patches from .checkpackageignore
>
> .checkpackageignore | 2 -
> ...pace-declarations-correctly-for-XML-.patch | 47 -------------------
> ...are-namespace-declarations-correctly.patch | 33 -------------
> package/raptor/raptor.hash | 4 +-
> package/raptor/raptor.mk | 8 +---
> 5 files changed, 3 insertions(+), 91 deletions(-)
> delete mode 100644 package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> delete mode 100644 package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
>
> diff --git a/.checkpackageignore b/.checkpackageignore
> index 36ab2845d7..07408893ce 100644
> --- a/.checkpackageignore
> +++ b/.checkpackageignore
> @@ -1341,8 +1341,6 @@ package/quotatool/0001-fix-missing-__P-definition-for-musl-compile.patch Upstrea
> package/racehound/0001-Fix-module-install-path-lib-instead-of-usr-lib-prefi.patch Upstream
> package/ranger/0001-colorscheme-check-for-compiled-python-files.patch Upstream
> package/rapidxml/0001-ensure-internal-print-operations-are-declared-before.patch Upstream
> -package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch Upstream
> -package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch Upstream
> package/raspberrypi-usbboot/0001-Makefile-allow-passing-CFLAGS-LDFLAGS.patch Upstream
> package/rdesktop/0001-8bit-colors.patch Sob Upstream
> package/read-edid/0001-Fix-install-file-list.patch Upstream
> diff --git a/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch b/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> deleted file mode 100644
> index 406e265cf3..0000000000
> --- a/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> +++ /dev/null
> @@ -1,47 +0,0 @@
> -From 590681e546cd9aa18d57dc2ea1858cb734a3863f Mon Sep 17 00:00:00 2001
> -From: Dave Beckett <dave@dajobe.org>
> -Date: Sun, 16 Apr 2017 23:15:12 +0100
> -Subject: [PATCH] Calcualte max nspace declarations correctly for XML writer
> -
> -(raptor_xml_writer_start_element_common): Calculate max including for
> -each attribute a potential name and value.
> -
> -Fixes Issues #0000617 http://bugs.librdf.org/mantis/view.php?id=617
> -and #0000618 http://bugs.librdf.org/mantis/view.php?id=618
> -
> -[Peter: fixes CVE-2017-18926, upstream:
> - https://github.com/dajobe/raptor/commit/590681e546cd9aa18d57dc2ea1858cb734a3863f]
> -Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ----
> - src/raptor_xml_writer.c | 7 ++++---
> - 1 file changed, 4 insertions(+), 3 deletions(-)
> -
> -diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
> -index 693b9468..0d3a36a5 100644
> ---- a/src/raptor_xml_writer.c
> -+++ b/src/raptor_xml_writer.c
> -@@ -181,9 +181,10 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> - size_t nspace_declarations_count = 0;
> - unsigned int i;
> -
> -- /* max is 1 per element and 1 for each attribute + size of declared */
> - if(nstack) {
> -- int nspace_max_count = element->attribute_count+1;
> -+ int nspace_max_count = element->attribute_count * 2; /* attr and value */
> -+ if(element->name->nspace)
> -+ nspace_max_count++;
> - if(element->declared_nspaces)
> - nspace_max_count += raptor_sequence_size(element->declared_nspaces);
> - if(element->xml_language)
> -@@ -237,7 +238,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> - }
> - }
> -
> -- /* Add the attribute + value */
> -+ /* Add the attribute's value */
> - nspace_declarations[nspace_declarations_count].declaration=
> - raptor_qname_format_as_xml(element->attributes[i],
> - &nspace_declarations[nspace_declarations_count].length);
> ---
> -2.20.1
> -
> diff --git a/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch b/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
> deleted file mode 100644
> index a48a583cb1..0000000000
> --- a/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
> +++ /dev/null
> @@ -1,33 +0,0 @@
> -From 4f5dbbffcc1c6cf0398bd03450453289a0979dea Mon Sep 17 00:00:00 2001
> -From: Dave Beckett <dave@dajobe.org>
> -Date: Sat, 18 Sep 2021 17:40:00 -0700
> -Subject: [PATCH] XML Writer : compare namespace declarations correctly
> -
> -Apply patch from
> -0001-CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch.1
> -that fixes Issue#0000650 https://bugs.librdf.org/mantis/view.php?id=650
> -which overwrote heap during XML writing in parse type literal
> -content. This was detected with clang asan.
> -
> -Thanks to Michael Stahl / mst2 for the fix.
> -
> -[Retrieved from:
> -https://github.com/dajobe/raptor/commit/4f5dbbffcc1c6cf0398bd03450453289a0979dea]
> -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ----
> - src/raptor_xml_writer.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
> -index 56993dc3..4426d38c 100644
> ---- a/src/raptor_xml_writer.c
> -+++ b/src/raptor_xml_writer.c
> -@@ -227,7 +227,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> -
> - /* check it wasn't an earlier declaration too */
> - for(j = 0; j < nspace_declarations_count; j++)
> -- if(nspace_declarations[j].nspace == element->attributes[j]->nspace) {
> -+ if(nspace_declarations[j].nspace == element->attributes[i]->nspace) {
> - declare_me = 0;
> - break;
> - }
> diff --git a/package/raptor/raptor.hash b/package/raptor/raptor.hash
> index 2a54bf270d..05e9c53902 100644
> --- a/package/raptor/raptor.hash
> +++ b/package/raptor/raptor.hash
> @@ -1,3 +1,3 @@
> # Locally calculated
> -sha256 ada7f0ba54787b33485d090d3d2680533520cd4426d2f7fb4782dd4a6a1480ed raptor2-2.0.15.tar.gz
> -sha256 6b926a47abfb87451c436fbd4a868defec963d0232c70b806ac02d4a2a6e1968 LICENSE.txt
> +sha256 089db78d7ac982354bdbf39d973baf09581e6904ac4c92a98c5caadb3de44680 raptor2-2.0.16.tar.gz
> +sha256 0f0c719a05c9f7a0be2051ab83c1470837f595ed23e34989f46fd8eb45cfc251 LICENSE.txt
> diff --git a/package/raptor/raptor.mk b/package/raptor/raptor.mk
> index 69ac121300..ec7643ce3d 100644
> --- a/package/raptor/raptor.mk
> +++ b/package/raptor/raptor.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -RAPTOR_VERSION = 2.0.15
> +RAPTOR_VERSION = 2.0.16
> RAPTOR_SOURCE = raptor2-$(RAPTOR_VERSION).tar.gz
> RAPTOR_SITE = http://download.librdf.org/source
> RAPTOR_DEPENDENCIES = libxml2 libxslt
> @@ -17,12 +17,6 @@ RAPTOR_INSTALL_STAGING = YES
> # Flag is added to make sure the patch is applied for the configure.ac of raptor.
> RAPTOR_AUTORECONF = YES
>
> -# 0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> -RAPTOR_IGNORE_CVES += CVE-2017-18926
> -
> -# 0003-XML-Writer-compare-namespace-declarations-correctly.patch
> -RAPTOR_IGNORE_CVES += CVE-2020-25713
> -
> RAPTOR_CONF_OPTS =\
> --with-xml2-config=$(STAGING_DIR)/usr/bin/xml2-config \
> --with-xslt-config=$(STAGING_DIR)/usr/bin/xslt-config
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16
2023-06-25 19:18 ` [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16 Arnout Vandecappelle via buildroot
@ 2023-06-25 19:24 ` Peter Korsgaard
2023-06-25 19:34 ` Arnout Vandecappelle via buildroot
0 siblings, 1 reply; 8+ messages in thread
From: Peter Korsgaard @ 2023-06-25 19:24 UTC (permalink / raw)
To: Arnout Vandecappelle; +Cc: Bernd Kuhls, buildroot
>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:
> On 22/06/2023 07:17, Bernd Kuhls wrote:
>> This version included the patches removed by this commit, no new CVEs
>> were fixed.
> So, I guess we shouldn't call it a "security bump" then? AFAIU the
> only reason to call it security bump is to flag to Peter that it
> should be backported to stable.
And that is even not necessary. I do look at all commits getting applied
to master to (try to) decide if something should be backported, E.G. if
it is a (security) bugfix and also applies to the version in LTS.
If you already had a look at think it should be backported, then just
state that in the commit message (E.G. fixes foo since the bump to
version x.y.z in commit sha1).
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16
2023-06-25 19:24 ` Peter Korsgaard
@ 2023-06-25 19:34 ` Arnout Vandecappelle via buildroot
2023-06-25 19:42 ` Peter Korsgaard
0 siblings, 1 reply; 8+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2023-06-25 19:34 UTC (permalink / raw)
To: Peter Korsgaard; +Cc: Bernd Kuhls, buildroot
On 25/06/2023 21:24, Peter Korsgaard wrote:
>>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:
>
> > On 22/06/2023 07:17, Bernd Kuhls wrote:
> >> This version included the patches removed by this commit, no new CVEs
> >> were fixed.
>
> > So, I guess we shouldn't call it a "security bump" then? AFAIU the
> > only reason to call it security bump is to flag to Peter that it
> > should be backported to stable.
>
>
> And that is even not necessary. I do look at all commits getting applied
> to master to (try to) decide if something should be backported, E.G. if
> it is a (security) bugfix and also applies to the version in LTS.
Oh. I saw you sometimes change the subject line to include "security bump"
when the submitter forgets to...
Regards,
Arnout
>
> If you already had a look at think it should be backported, then just
> state that in the commit message (E.G. fixes foo since the bump to
> version x.y.z in commit sha1).
>
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16
2023-06-25 19:34 ` Arnout Vandecappelle via buildroot
@ 2023-06-25 19:42 ` Peter Korsgaard
0 siblings, 0 replies; 8+ messages in thread
From: Peter Korsgaard @ 2023-06-25 19:42 UTC (permalink / raw)
To: Arnout Vandecappelle; +Cc: Bernd Kuhls, buildroot
>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:
> On 25/06/2023 21:24, Peter Korsgaard wrote:
>>>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:
>> > On 22/06/2023 07:17, Bernd Kuhls wrote:
>> >> This version included the patches removed by this commit, no new CVEs
>> >> were fixed.
>> > So, I guess we shouldn't call it a "security bump" then? AFAIU
>> the
>> > only reason to call it security bump is to flag to Peter that it
>> > should be backported to stable.
>>
>> And that is even not necessary. I do look at all commits getting applied
>> to master to (try to) decide if something should be backported, E.G. if
>> it is a (security) bugfix and also applies to the version in LTS.
> Oh. I saw you sometimes change the subject line to include "security
> bump" when the submitter forgets to...
Sure, if it is a security bump then we normally mention it in the commit
message and I sometimes fix that up when applying if the contributor
forgot to do so - But my point is that I don't just look at
git log --grep 'security bump'
Or something like that, I really skim through all commit on master.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16
2023-06-22 5:17 [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16 Bernd Kuhls
2023-06-22 5:17 ` [Buildroot] [PATCH v2 2/2] package/raptor: fix build with newer versions of libxml2 Bernd Kuhls
2023-06-25 19:18 ` [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16 Arnout Vandecappelle via buildroot
@ 2023-06-25 19:44 ` Arnout Vandecappelle via buildroot
2 siblings, 0 replies; 8+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2023-06-25 19:44 UTC (permalink / raw)
To: Bernd Kuhls, buildroot
On 22/06/2023 07:17, Bernd Kuhls wrote:
> This version included the patches removed by this commit, no new CVEs
> were fixed.
>
> Release notes: https://librdf.org/raptor/RELEASE.html#rel2_0_16
>
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
Applied to master, thanks.
Regards,
Arnout
> ---
> v2: Removed patches from .checkpackageignore
>
> .checkpackageignore | 2 -
> ...pace-declarations-correctly-for-XML-.patch | 47 -------------------
> ...are-namespace-declarations-correctly.patch | 33 -------------
> package/raptor/raptor.hash | 4 +-
> package/raptor/raptor.mk | 8 +---
> 5 files changed, 3 insertions(+), 91 deletions(-)
> delete mode 100644 package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> delete mode 100644 package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
>
> diff --git a/.checkpackageignore b/.checkpackageignore
> index 36ab2845d7..07408893ce 100644
> --- a/.checkpackageignore
> +++ b/.checkpackageignore
> @@ -1341,8 +1341,6 @@ package/quotatool/0001-fix-missing-__P-definition-for-musl-compile.patch Upstrea
> package/racehound/0001-Fix-module-install-path-lib-instead-of-usr-lib-prefi.patch Upstream
> package/ranger/0001-colorscheme-check-for-compiled-python-files.patch Upstream
> package/rapidxml/0001-ensure-internal-print-operations-are-declared-before.patch Upstream
> -package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch Upstream
> -package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch Upstream
> package/raspberrypi-usbboot/0001-Makefile-allow-passing-CFLAGS-LDFLAGS.patch Upstream
> package/rdesktop/0001-8bit-colors.patch Sob Upstream
> package/read-edid/0001-Fix-install-file-list.patch Upstream
> diff --git a/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch b/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> deleted file mode 100644
> index 406e265cf3..0000000000
> --- a/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> +++ /dev/null
> @@ -1,47 +0,0 @@
> -From 590681e546cd9aa18d57dc2ea1858cb734a3863f Mon Sep 17 00:00:00 2001
> -From: Dave Beckett <dave@dajobe.org>
> -Date: Sun, 16 Apr 2017 23:15:12 +0100
> -Subject: [PATCH] Calcualte max nspace declarations correctly for XML writer
> -
> -(raptor_xml_writer_start_element_common): Calculate max including for
> -each attribute a potential name and value.
> -
> -Fixes Issues #0000617 http://bugs.librdf.org/mantis/view.php?id=617
> -and #0000618 http://bugs.librdf.org/mantis/view.php?id=618
> -
> -[Peter: fixes CVE-2017-18926, upstream:
> - https://github.com/dajobe/raptor/commit/590681e546cd9aa18d57dc2ea1858cb734a3863f]
> -Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ----
> - src/raptor_xml_writer.c | 7 ++++---
> - 1 file changed, 4 insertions(+), 3 deletions(-)
> -
> -diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
> -index 693b9468..0d3a36a5 100644
> ---- a/src/raptor_xml_writer.c
> -+++ b/src/raptor_xml_writer.c
> -@@ -181,9 +181,10 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> - size_t nspace_declarations_count = 0;
> - unsigned int i;
> -
> -- /* max is 1 per element and 1 for each attribute + size of declared */
> - if(nstack) {
> -- int nspace_max_count = element->attribute_count+1;
> -+ int nspace_max_count = element->attribute_count * 2; /* attr and value */
> -+ if(element->name->nspace)
> -+ nspace_max_count++;
> - if(element->declared_nspaces)
> - nspace_max_count += raptor_sequence_size(element->declared_nspaces);
> - if(element->xml_language)
> -@@ -237,7 +238,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> - }
> - }
> -
> -- /* Add the attribute + value */
> -+ /* Add the attribute's value */
> - nspace_declarations[nspace_declarations_count].declaration=
> - raptor_qname_format_as_xml(element->attributes[i],
> - &nspace_declarations[nspace_declarations_count].length);
> ---
> -2.20.1
> -
> diff --git a/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch b/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
> deleted file mode 100644
> index a48a583cb1..0000000000
> --- a/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
> +++ /dev/null
> @@ -1,33 +0,0 @@
> -From 4f5dbbffcc1c6cf0398bd03450453289a0979dea Mon Sep 17 00:00:00 2001
> -From: Dave Beckett <dave@dajobe.org>
> -Date: Sat, 18 Sep 2021 17:40:00 -0700
> -Subject: [PATCH] XML Writer : compare namespace declarations correctly
> -
> -Apply patch from
> -0001-CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch.1
> -that fixes Issue#0000650 https://bugs.librdf.org/mantis/view.php?id=650
> -which overwrote heap during XML writing in parse type literal
> -content. This was detected with clang asan.
> -
> -Thanks to Michael Stahl / mst2 for the fix.
> -
> -[Retrieved from:
> -https://github.com/dajobe/raptor/commit/4f5dbbffcc1c6cf0398bd03450453289a0979dea]
> -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ----
> - src/raptor_xml_writer.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
> -index 56993dc3..4426d38c 100644
> ---- a/src/raptor_xml_writer.c
> -+++ b/src/raptor_xml_writer.c
> -@@ -227,7 +227,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> -
> - /* check it wasn't an earlier declaration too */
> - for(j = 0; j < nspace_declarations_count; j++)
> -- if(nspace_declarations[j].nspace == element->attributes[j]->nspace) {
> -+ if(nspace_declarations[j].nspace == element->attributes[i]->nspace) {
> - declare_me = 0;
> - break;
> - }
> diff --git a/package/raptor/raptor.hash b/package/raptor/raptor.hash
> index 2a54bf270d..05e9c53902 100644
> --- a/package/raptor/raptor.hash
> +++ b/package/raptor/raptor.hash
> @@ -1,3 +1,3 @@
> # Locally calculated
> -sha256 ada7f0ba54787b33485d090d3d2680533520cd4426d2f7fb4782dd4a6a1480ed raptor2-2.0.15.tar.gz
> -sha256 6b926a47abfb87451c436fbd4a868defec963d0232c70b806ac02d4a2a6e1968 LICENSE.txt
> +sha256 089db78d7ac982354bdbf39d973baf09581e6904ac4c92a98c5caadb3de44680 raptor2-2.0.16.tar.gz
> +sha256 0f0c719a05c9f7a0be2051ab83c1470837f595ed23e34989f46fd8eb45cfc251 LICENSE.txt
> diff --git a/package/raptor/raptor.mk b/package/raptor/raptor.mk
> index 69ac121300..ec7643ce3d 100644
> --- a/package/raptor/raptor.mk
> +++ b/package/raptor/raptor.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -RAPTOR_VERSION = 2.0.15
> +RAPTOR_VERSION = 2.0.16
> RAPTOR_SOURCE = raptor2-$(RAPTOR_VERSION).tar.gz
> RAPTOR_SITE = http://download.librdf.org/source
> RAPTOR_DEPENDENCIES = libxml2 libxslt
> @@ -17,12 +17,6 @@ RAPTOR_INSTALL_STAGING = YES
> # Flag is added to make sure the patch is applied for the configure.ac of raptor.
> RAPTOR_AUTORECONF = YES
>
> -# 0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> -RAPTOR_IGNORE_CVES += CVE-2017-18926
> -
> -# 0003-XML-Writer-compare-namespace-declarations-correctly.patch
> -RAPTOR_IGNORE_CVES += CVE-2020-25713
> -
> RAPTOR_CONF_OPTS =\
> --with-xml2-config=$(STAGING_DIR)/usr/bin/xml2-config \
> --with-xslt-config=$(STAGING_DIR)/usr/bin/xslt-config
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2023-06-25 19:44 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-06-22 5:17 [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16 Bernd Kuhls
2023-06-22 5:17 ` [Buildroot] [PATCH v2 2/2] package/raptor: fix build with newer versions of libxml2 Bernd Kuhls
2023-06-25 19:19 ` Arnout Vandecappelle via buildroot
2023-06-25 19:18 ` [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16 Arnout Vandecappelle via buildroot
2023-06-25 19:24 ` Peter Korsgaard
2023-06-25 19:34 ` Arnout Vandecappelle via buildroot
2023-06-25 19:42 ` Peter Korsgaard
2023-06-25 19:44 ` Arnout Vandecappelle via buildroot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox