[Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16

[Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16

[Bernd Kuhls]

This version included the patches removed by this commit, no new CVEs
were fixed.

Release notes: https://librdf.org/raptor/RELEASE.html#rel2_0_16

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
v2: Removed patches from .checkpackageignore

 .checkpackageignore                           |  2 -
 ...pace-declarations-correctly-for-XML-.patch | 47 -------------------
 ...are-namespace-declarations-correctly.patch | 33 -------------
 package/raptor/raptor.hash                    |  4 +-
 package/raptor/raptor.mk                      |  8 +---
 5 files changed, 3 insertions(+), 91 deletions(-)
 delete mode 100644 package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
 delete mode 100644 package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch

diff --git a/.checkpackageignore b/.checkpackageignore
index 36ab2845d7..07408893ce 100644
--- a/.checkpackageignore
+++ b/.checkpackageignore
@@ -1341,8 +1341,6 @@ package/quotatool/0001-fix-missing-__P-definition-for-musl-compile.patch Upstrea
 package/racehound/0001-Fix-module-install-path-lib-instead-of-usr-lib-prefi.patch Upstream
 package/ranger/0001-colorscheme-check-for-compiled-python-files.patch Upstream
 package/rapidxml/0001-ensure-internal-print-operations-are-declared-before.patch Upstream
-package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch Upstream
-package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch Upstream
 package/raspberrypi-usbboot/0001-Makefile-allow-passing-CFLAGS-LDFLAGS.patch Upstream
 package/rdesktop/0001-8bit-colors.patch Sob Upstream
 package/read-edid/0001-Fix-install-file-list.patch Upstream
diff --git a/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch b/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
deleted file mode 100644
index 406e265cf3..0000000000
--- a/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 590681e546cd9aa18d57dc2ea1858cb734a3863f Mon Sep 17 00:00:00 2001
-From: Dave Beckett <dave@dajobe.org>
-Date: Sun, 16 Apr 2017 23:15:12 +0100
-Subject: [PATCH] Calcualte max nspace declarations correctly for XML writer
-
-(raptor_xml_writer_start_element_common): Calculate max including for
-each attribute a potential name and value.
-
-Fixes Issues #0000617 http://bugs.librdf.org/mantis/view.php?id=617
-and #0000618 http://bugs.librdf.org/mantis/view.php?id=618
-
-[Peter: fixes CVE-2017-18926, upstream:
- https://github.com/dajobe/raptor/commit/590681e546cd9aa18d57dc2ea1858cb734a3863f]
-Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
----
- src/raptor_xml_writer.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
-index 693b9468..0d3a36a5 100644
---- a/src/raptor_xml_writer.c
-+++ b/src/raptor_xml_writer.c
-@@ -181,9 +181,10 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
-   size_t nspace_declarations_count = 0;  
-   unsigned int i;
- 
--  /* max is 1 per element and 1 for each attribute + size of declared */
-   if(nstack) {
--    int nspace_max_count = element->attribute_count+1;
-+    int nspace_max_count = element->attribute_count * 2; /* attr and value */
-+    if(element->name->nspace)
-+      nspace_max_count++;
-     if(element->declared_nspaces)
-       nspace_max_count += raptor_sequence_size(element->declared_nspaces);
-     if(element->xml_language)
-@@ -237,7 +238,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
-         }
-       }
- 
--      /* Add the attribute + value */
-+      /* Add the attribute's value */
-       nspace_declarations[nspace_declarations_count].declaration=
-         raptor_qname_format_as_xml(element->attributes[i],
-                                    &nspace_declarations[nspace_declarations_count].length);
--- 
-2.20.1
-
diff --git a/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch b/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
deleted file mode 100644
index a48a583cb1..0000000000
--- a/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 4f5dbbffcc1c6cf0398bd03450453289a0979dea Mon Sep 17 00:00:00 2001
-From: Dave Beckett <dave@dajobe.org>
-Date: Sat, 18 Sep 2021 17:40:00 -0700
-Subject: [PATCH] XML Writer : compare namespace declarations correctly
-
-Apply patch from
-0001-CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch.1
-that fixes Issue#0000650 https://bugs.librdf.org/mantis/view.php?id=650
-which overwrote heap during XML writing in parse type literal
-content.  This was detected with clang asan.
-
-Thanks to Michael Stahl / mst2 for the fix.
-
-[Retrieved from:
-https://github.com/dajobe/raptor/commit/4f5dbbffcc1c6cf0398bd03450453289a0979dea]
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- src/raptor_xml_writer.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
-index 56993dc3..4426d38c 100644
---- a/src/raptor_xml_writer.c
-+++ b/src/raptor_xml_writer.c
-@@ -227,7 +227,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
-           
-           /* check it wasn't an earlier declaration too */
-           for(j = 0; j < nspace_declarations_count; j++)
--            if(nspace_declarations[j].nspace == element->attributes[j]->nspace) {
-+            if(nspace_declarations[j].nspace == element->attributes[i]->nspace) {
-               declare_me = 0;
-               break;
-             }
diff --git a/package/raptor/raptor.hash b/package/raptor/raptor.hash
index 2a54bf270d..05e9c53902 100644
--- a/package/raptor/raptor.hash
+++ b/package/raptor/raptor.hash
@@ -1,3 +1,3 @@
 # Locally calculated
-sha256  ada7f0ba54787b33485d090d3d2680533520cd4426d2f7fb4782dd4a6a1480ed  raptor2-2.0.15.tar.gz
-sha256  6b926a47abfb87451c436fbd4a868defec963d0232c70b806ac02d4a2a6e1968  LICENSE.txt
+sha256  089db78d7ac982354bdbf39d973baf09581e6904ac4c92a98c5caadb3de44680  raptor2-2.0.16.tar.gz
+sha256  0f0c719a05c9f7a0be2051ab83c1470837f595ed23e34989f46fd8eb45cfc251  LICENSE.txt
diff --git a/package/raptor/raptor.mk b/package/raptor/raptor.mk
index 69ac121300..ec7643ce3d 100644
--- a/package/raptor/raptor.mk
+++ b/package/raptor/raptor.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-RAPTOR_VERSION = 2.0.15
+RAPTOR_VERSION = 2.0.16
 RAPTOR_SOURCE = raptor2-$(RAPTOR_VERSION).tar.gz
 RAPTOR_SITE = http://download.librdf.org/source
 RAPTOR_DEPENDENCIES = libxml2 libxslt
@@ -17,12 +17,6 @@ RAPTOR_INSTALL_STAGING = YES
 # Flag is added to make sure the patch is applied for the configure.ac of raptor.
 RAPTOR_AUTORECONF = YES
 
-# 0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
-RAPTOR_IGNORE_CVES += CVE-2017-18926
-
-# 0003-XML-Writer-compare-namespace-declarations-correctly.patch
-RAPTOR_IGNORE_CVES += CVE-2020-25713
-
 RAPTOR_CONF_OPTS =\
 	--with-xml2-config=$(STAGING_DIR)/usr/bin/xml2-config \
 	--with-xslt-config=$(STAGING_DIR)/usr/bin/xslt-config
-- 
2.39.2

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v2 2/2] package/raptor: fix build with newer versions of libxml2

[Bernd Kuhls]

Fixes:
http://autobuild.buildroot.net/results/6a5/6a5139fe86b8370477dc6cb044bf29180bd145df/

Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
---
v2: no changes

 ...s-to-entities-checked-private-symbol.patch | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch

diff --git a/package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch b/package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch
new file mode 100644
index 0000000000..cd9542a9a9
--- /dev/null
+++ b/package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch
@@ -0,0 +1,35 @@
+From 4dbc4c1da2a033c497d84a1291c46f416a9cac51 Mon Sep 17 00:00:00 2001
+From: David Anes <david.anes@suse.com>
+Date: Thu, 4 May 2023 11:54:02 +0200
+Subject: [PATCH] Remove the access to entities 'checked' private symbol for
+ libxml2 2.11.0
+
+Since version 2.11.0, some private symbols that were never intended
+as public API/ABI have been removed from libxml2, therefore the field
+'checked' is no longer present and raptor fails to build in this
+scenario.
+
+Upstream: https://github.com/dajobe/raptor/commit/4dbc4c1da2a033c497d84a1291c46f416a9cac51
+
+Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
+---
+ src/raptor_libxml.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/raptor_libxml.c b/src/raptor_libxml.c
+index 538c2c8e..8bcee139 100644
+--- a/src/raptor_libxml.c
++++ b/src/raptor_libxml.c
+@@ -246,10 +246,11 @@ raptor_libxml_getEntity(void* user_data, const xmlChar *name)
+     
+     ret->owner = 1;
+ 
+-#if LIBXML_VERSION >= 20627
++#if LIBXML_VERSION >= 20627 && LIBXML_VERSION < 21100
+     /* Checked field was released in 2.6.27 on 2006-10-25
+      * http://git.gnome.org/browse/libxml2/commit/?id=a37a6ad91a61d168ecc4b29263def3363fff4da6
+      *
++     * and was later removed in version 2.11.0
+      */
+ 
+     /* Mark this entity as having been checked - never do this again */
-- 
2.39.2

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16

[Arnout Vandecappelle via buildroot]

On 22/06/2023 07:17, Bernd Kuhls wrote:
> This version included the patches removed by this commit, no new CVEs
> were fixed.

  So, I guess we shouldn't call it a "security bump" then? AFAIU the only reason 
to call it security bump is to flag to Peter that it should be backported to stable.

  Regards,
  Arnout

> 
> Release notes: https://librdf.org/raptor/RELEASE.html#rel2_0_16
> 
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>
> ---
> v2: Removed patches from .checkpackageignore
> 
>   .checkpackageignore                           |  2 -
>   ...pace-declarations-correctly-for-XML-.patch | 47 -------------------
>   ...are-namespace-declarations-correctly.patch | 33 -------------
>   package/raptor/raptor.hash                    |  4 +-
>   package/raptor/raptor.mk                      |  8 +---
>   5 files changed, 3 insertions(+), 91 deletions(-)
>   delete mode 100644 package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
>   delete mode 100644 package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
> 
> diff --git a/.checkpackageignore b/.checkpackageignore
> index 36ab2845d7..07408893ce 100644
> --- a/.checkpackageignore
> +++ b/.checkpackageignore
> @@ -1341,8 +1341,6 @@ package/quotatool/0001-fix-missing-__P-definition-for-musl-compile.patch Upstrea
>   package/racehound/0001-Fix-module-install-path-lib-instead-of-usr-lib-prefi.patch Upstream
>   package/ranger/0001-colorscheme-check-for-compiled-python-files.patch Upstream
>   package/rapidxml/0001-ensure-internal-print-operations-are-declared-before.patch Upstream
> -package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch Upstream
> -package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch Upstream
>   package/raspberrypi-usbboot/0001-Makefile-allow-passing-CFLAGS-LDFLAGS.patch Upstream
>   package/rdesktop/0001-8bit-colors.patch Sob Upstream
>   package/read-edid/0001-Fix-install-file-list.patch Upstream
> diff --git a/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch b/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> deleted file mode 100644
> index 406e265cf3..0000000000
> --- a/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> +++ /dev/null
> @@ -1,47 +0,0 @@
> -From 590681e546cd9aa18d57dc2ea1858cb734a3863f Mon Sep 17 00:00:00 2001
> -From: Dave Beckett <dave@dajobe.org>
> -Date: Sun, 16 Apr 2017 23:15:12 +0100
> -Subject: [PATCH] Calcualte max nspace declarations correctly for XML writer
> -
> -(raptor_xml_writer_start_element_common): Calculate max including for
> -each attribute a potential name and value.
> -
> -Fixes Issues #0000617 http://bugs.librdf.org/mantis/view.php?id=617
> -and #0000618 http://bugs.librdf.org/mantis/view.php?id=618
> -
> -[Peter: fixes CVE-2017-18926, upstream:
> - https://github.com/dajobe/raptor/commit/590681e546cd9aa18d57dc2ea1858cb734a3863f]
> -Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ----
> - src/raptor_xml_writer.c | 7 ++++---
> - 1 file changed, 4 insertions(+), 3 deletions(-)
> -
> -diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
> -index 693b9468..0d3a36a5 100644
> ---- a/src/raptor_xml_writer.c
> -+++ b/src/raptor_xml_writer.c
> -@@ -181,9 +181,10 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> -   size_t nspace_declarations_count = 0;
> -   unsigned int i;
> -
> --  /* max is 1 per element and 1 for each attribute + size of declared */
> -   if(nstack) {
> --    int nspace_max_count = element->attribute_count+1;
> -+    int nspace_max_count = element->attribute_count * 2; /* attr and value */
> -+    if(element->name->nspace)
> -+      nspace_max_count++;
> -     if(element->declared_nspaces)
> -       nspace_max_count += raptor_sequence_size(element->declared_nspaces);
> -     if(element->xml_language)
> -@@ -237,7 +238,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> -         }
> -       }
> -
> --      /* Add the attribute + value */
> -+      /* Add the attribute's value */
> -       nspace_declarations[nspace_declarations_count].declaration=
> -         raptor_qname_format_as_xml(element->attributes[i],
> -                                    &nspace_declarations[nspace_declarations_count].length);
> ---
> -2.20.1
> -
> diff --git a/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch b/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
> deleted file mode 100644
> index a48a583cb1..0000000000
> --- a/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
> +++ /dev/null
> @@ -1,33 +0,0 @@
> -From 4f5dbbffcc1c6cf0398bd03450453289a0979dea Mon Sep 17 00:00:00 2001
> -From: Dave Beckett <dave@dajobe.org>
> -Date: Sat, 18 Sep 2021 17:40:00 -0700
> -Subject: [PATCH] XML Writer : compare namespace declarations correctly
> -
> -Apply patch from
> -0001-CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch.1
> -that fixes Issue#0000650 https://bugs.librdf.org/mantis/view.php?id=650
> -which overwrote heap during XML writing in parse type literal
> -content.  This was detected with clang asan.
> -
> -Thanks to Michael Stahl / mst2 for the fix.
> -
> -[Retrieved from:
> -https://github.com/dajobe/raptor/commit/4f5dbbffcc1c6cf0398bd03450453289a0979dea]
> -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ----
> - src/raptor_xml_writer.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
> -index 56993dc3..4426d38c 100644
> ---- a/src/raptor_xml_writer.c
> -+++ b/src/raptor_xml_writer.c
> -@@ -227,7 +227,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> -
> -           /* check it wasn't an earlier declaration too */
> -           for(j = 0; j < nspace_declarations_count; j++)
> --            if(nspace_declarations[j].nspace == element->attributes[j]->nspace) {
> -+            if(nspace_declarations[j].nspace == element->attributes[i]->nspace) {
> -               declare_me = 0;
> -               break;
> -             }
> diff --git a/package/raptor/raptor.hash b/package/raptor/raptor.hash
> index 2a54bf270d..05e9c53902 100644
> --- a/package/raptor/raptor.hash
> +++ b/package/raptor/raptor.hash
> @@ -1,3 +1,3 @@
>   # Locally calculated
> -sha256  ada7f0ba54787b33485d090d3d2680533520cd4426d2f7fb4782dd4a6a1480ed  raptor2-2.0.15.tar.gz
> -sha256  6b926a47abfb87451c436fbd4a868defec963d0232c70b806ac02d4a2a6e1968  LICENSE.txt
> +sha256  089db78d7ac982354bdbf39d973baf09581e6904ac4c92a98c5caadb3de44680  raptor2-2.0.16.tar.gz
> +sha256  0f0c719a05c9f7a0be2051ab83c1470837f595ed23e34989f46fd8eb45cfc251  LICENSE.txt
> diff --git a/package/raptor/raptor.mk b/package/raptor/raptor.mk
> index 69ac121300..ec7643ce3d 100644
> --- a/package/raptor/raptor.mk
> +++ b/package/raptor/raptor.mk
> @@ -4,7 +4,7 @@
>   #
>   ################################################################################
>   
> -RAPTOR_VERSION = 2.0.15
> +RAPTOR_VERSION = 2.0.16
>   RAPTOR_SOURCE = raptor2-$(RAPTOR_VERSION).tar.gz
>   RAPTOR_SITE = http://download.librdf.org/source
>   RAPTOR_DEPENDENCIES = libxml2 libxslt
> @@ -17,12 +17,6 @@ RAPTOR_INSTALL_STAGING = YES
>   # Flag is added to make sure the patch is applied for the configure.ac of raptor.
>   RAPTOR_AUTORECONF = YES
>   
> -# 0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> -RAPTOR_IGNORE_CVES += CVE-2017-18926
> -
> -# 0003-XML-Writer-compare-namespace-declarations-correctly.patch
> -RAPTOR_IGNORE_CVES += CVE-2020-25713
> -
>   RAPTOR_CONF_OPTS =\
>   	--with-xml2-config=$(STAGING_DIR)/usr/bin/xml2-config \
>   	--with-xslt-config=$(STAGING_DIR)/usr/bin/xslt-config
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 2/2] package/raptor: fix build with newer versions of libxml2

[Arnout Vandecappelle via buildroot]

On 22/06/2023 07:17, Bernd Kuhls wrote:
> Fixes:
> http://autobuild.buildroot.net/results/6a5/6a5139fe86b8370477dc6cb044bf29180bd145df/
> 
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>

  Applied to master, thanks.

  Regards,
  Arnout

> ---
> v2: no changes
> 
>   ...s-to-entities-checked-private-symbol.patch | 35 +++++++++++++++++++
>   1 file changed, 35 insertions(+)
>   create mode 100644 package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch
> 
> diff --git a/package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch b/package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch
> new file mode 100644
> index 0000000000..cd9542a9a9
> --- /dev/null
> +++ b/package/raptor/0002-Remove-the-access-to-entities-checked-private-symbol.patch
> @@ -0,0 +1,35 @@
> +From 4dbc4c1da2a033c497d84a1291c46f416a9cac51 Mon Sep 17 00:00:00 2001
> +From: David Anes <david.anes@suse.com>
> +Date: Thu, 4 May 2023 11:54:02 +0200
> +Subject: [PATCH] Remove the access to entities 'checked' private symbol for
> + libxml2 2.11.0
> +
> +Since version 2.11.0, some private symbols that were never intended
> +as public API/ABI have been removed from libxml2, therefore the field
> +'checked' is no longer present and raptor fails to build in this
> +scenario.
> +
> +Upstream: https://github.com/dajobe/raptor/commit/4dbc4c1da2a033c497d84a1291c46f416a9cac51
> +
> +Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
> +---
> + src/raptor_libxml.c | 3 ++-
> + 1 file changed, 2 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/raptor_libxml.c b/src/raptor_libxml.c
> +index 538c2c8e..8bcee139 100644
> +--- a/src/raptor_libxml.c
> ++++ b/src/raptor_libxml.c
> +@@ -246,10 +246,11 @@ raptor_libxml_getEntity(void* user_data, const xmlChar *name)
> +
> +     ret->owner = 1;
> +
> +-#if LIBXML_VERSION >= 20627
> ++#if LIBXML_VERSION >= 20627 && LIBXML_VERSION < 21100
> +     /* Checked field was released in 2.6.27 on 2006-10-25
> +      * http://git.gnome.org/browse/libxml2/commit/?id=a37a6ad91a61d168ecc4b29263def3363fff4da6
> +      *
> ++     * and was later removed in version 2.11.0
> +      */
> +
> +     /* Mark this entity as having been checked - never do this again */
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16

[Peter Korsgaard]

>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:

 > On 22/06/2023 07:17, Bernd Kuhls wrote:
 >> This version included the patches removed by this commit, no new CVEs
 >> were fixed.

 >  So, I guess we shouldn't call it a "security bump" then? AFAIU the
 >  only reason to call it security bump is to flag to Peter that it
 > should be backported to stable.


And that is even not necessary. I do look at all commits getting applied
to master to (try to) decide if something should be backported, E.G. if
it is a (security) bugfix and also applies to the version in LTS.

If you already had a look at think it should be backported, then just
state that in the commit message (E.G. fixes foo since the bump to
version x.y.z in commit sha1).

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16

[Arnout Vandecappelle via buildroot]

On 25/06/2023 21:24, Peter Korsgaard wrote:
>>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:
> 
>   > On 22/06/2023 07:17, Bernd Kuhls wrote:
>   >> This version included the patches removed by this commit, no new CVEs
>   >> were fixed.
> 
>   >  So, I guess we shouldn't call it a "security bump" then? AFAIU the
>   >  only reason to call it security bump is to flag to Peter that it
>   > should be backported to stable.
> 
> 
> And that is even not necessary. I do look at all commits getting applied
> to master to (try to) decide if something should be backported, E.G. if
> it is a (security) bugfix and also applies to the version in LTS.

  Oh. I saw you sometimes change the subject line to include "security bump" 
when the submitter forgets to...

  Regards,
  Arnout

> 
> If you already had a look at think it should be backported, then just
> state that in the commit message (E.G. fixes foo since the bump to
> version x.y.z in commit sha1).
> 
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16

[Peter Korsgaard]

>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:

 > On 25/06/2023 21:24, Peter Korsgaard wrote:
 >>>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:
 >> > On 22/06/2023 07:17, Bernd Kuhls wrote:
 >> >> This version included the patches removed by this commit, no new CVEs
 >> >> were fixed.
 >> >  So, I guess we shouldn't call it a "security bump" then? AFAIU
 >> the
 >> >  only reason to call it security bump is to flag to Peter that it
 >> > should be backported to stable.
 >> 
 >> And that is even not necessary. I do look at all commits getting applied
 >> to master to (try to) decide if something should be backported, E.G. if
 >> it is a (security) bugfix and also applies to the version in LTS.

 >  Oh. I saw you sometimes change the subject line to include "security
 >  bump" when the submitter forgets to...

Sure, if it is a security bump then we normally mention it in the commit
message and I sometimes fix that up when applying if the contributor
forgot to do so - But my point is that I don't just look at

git log --grep 'security bump'

Or something like that, I really skim through all commit on master.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 1/2] package/raptor: security bump version to 2.0.16

[Arnout Vandecappelle via buildroot]

On 22/06/2023 07:17, Bernd Kuhls wrote:
> This version included the patches removed by this commit, no new CVEs
> were fixed.
> 
> Release notes: https://librdf.org/raptor/RELEASE.html#rel2_0_16
> 
> Signed-off-by: Bernd Kuhls <bernd@kuhls.net>

  Applied to master, thanks.

  Regards,
  Arnout

> ---
> v2: Removed patches from .checkpackageignore
> 
>   .checkpackageignore                           |  2 -
>   ...pace-declarations-correctly-for-XML-.patch | 47 -------------------
>   ...are-namespace-declarations-correctly.patch | 33 -------------
>   package/raptor/raptor.hash                    |  4 +-
>   package/raptor/raptor.mk                      |  8 +---
>   5 files changed, 3 insertions(+), 91 deletions(-)
>   delete mode 100644 package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
>   delete mode 100644 package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
> 
> diff --git a/.checkpackageignore b/.checkpackageignore
> index 36ab2845d7..07408893ce 100644
> --- a/.checkpackageignore
> +++ b/.checkpackageignore
> @@ -1341,8 +1341,6 @@ package/quotatool/0001-fix-missing-__P-definition-for-musl-compile.patch Upstrea
>   package/racehound/0001-Fix-module-install-path-lib-instead-of-usr-lib-prefi.patch Upstream
>   package/ranger/0001-colorscheme-check-for-compiled-python-files.patch Upstream
>   package/rapidxml/0001-ensure-internal-print-operations-are-declared-before.patch Upstream
> -package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch Upstream
> -package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch Upstream
>   package/raspberrypi-usbboot/0001-Makefile-allow-passing-CFLAGS-LDFLAGS.patch Upstream
>   package/rdesktop/0001-8bit-colors.patch Sob Upstream
>   package/read-edid/0001-Fix-install-file-list.patch Upstream
> diff --git a/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch b/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> deleted file mode 100644
> index 406e265cf3..0000000000
> --- a/package/raptor/0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> +++ /dev/null
> @@ -1,47 +0,0 @@
> -From 590681e546cd9aa18d57dc2ea1858cb734a3863f Mon Sep 17 00:00:00 2001
> -From: Dave Beckett <dave@dajobe.org>
> -Date: Sun, 16 Apr 2017 23:15:12 +0100
> -Subject: [PATCH] Calcualte max nspace declarations correctly for XML writer
> -
> -(raptor_xml_writer_start_element_common): Calculate max including for
> -each attribute a potential name and value.
> -
> -Fixes Issues #0000617 http://bugs.librdf.org/mantis/view.php?id=617
> -and #0000618 http://bugs.librdf.org/mantis/view.php?id=618
> -
> -[Peter: fixes CVE-2017-18926, upstream:
> - https://github.com/dajobe/raptor/commit/590681e546cd9aa18d57dc2ea1858cb734a3863f]
> -Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ----
> - src/raptor_xml_writer.c | 7 ++++---
> - 1 file changed, 4 insertions(+), 3 deletions(-)
> -
> -diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
> -index 693b9468..0d3a36a5 100644
> ---- a/src/raptor_xml_writer.c
> -+++ b/src/raptor_xml_writer.c
> -@@ -181,9 +181,10 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> -   size_t nspace_declarations_count = 0;
> -   unsigned int i;
> -
> --  /* max is 1 per element and 1 for each attribute + size of declared */
> -   if(nstack) {
> --    int nspace_max_count = element->attribute_count+1;
> -+    int nspace_max_count = element->attribute_count * 2; /* attr and value */
> -+    if(element->name->nspace)
> -+      nspace_max_count++;
> -     if(element->declared_nspaces)
> -       nspace_max_count += raptor_sequence_size(element->declared_nspaces);
> -     if(element->xml_language)
> -@@ -237,7 +238,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> -         }
> -       }
> -
> --      /* Add the attribute + value */
> -+      /* Add the attribute's value */
> -       nspace_declarations[nspace_declarations_count].declaration=
> -         raptor_qname_format_as_xml(element->attributes[i],
> -                                    &nspace_declarations[nspace_declarations_count].length);
> ---
> -2.20.1
> -
> diff --git a/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch b/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
> deleted file mode 100644
> index a48a583cb1..0000000000
> --- a/package/raptor/0003-XML-Writer-compare-namespace-declarations-correctly.patch
> +++ /dev/null
> @@ -1,33 +0,0 @@
> -From 4f5dbbffcc1c6cf0398bd03450453289a0979dea Mon Sep 17 00:00:00 2001
> -From: Dave Beckett <dave@dajobe.org>
> -Date: Sat, 18 Sep 2021 17:40:00 -0700
> -Subject: [PATCH] XML Writer : compare namespace declarations correctly
> -
> -Apply patch from
> -0001-CVE-2020-25713-raptor2-malformed-input-file-can-lead.patch.1
> -that fixes Issue#0000650 https://bugs.librdf.org/mantis/view.php?id=650
> -which overwrote heap during XML writing in parse type literal
> -content.  This was detected with clang asan.
> -
> -Thanks to Michael Stahl / mst2 for the fix.
> -
> -[Retrieved from:
> -https://github.com/dajobe/raptor/commit/4f5dbbffcc1c6cf0398bd03450453289a0979dea]
> -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ----
> - src/raptor_xml_writer.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/src/raptor_xml_writer.c b/src/raptor_xml_writer.c
> -index 56993dc3..4426d38c 100644
> ---- a/src/raptor_xml_writer.c
> -+++ b/src/raptor_xml_writer.c
> -@@ -227,7 +227,7 @@ raptor_xml_writer_start_element_common(raptor_xml_writer* xml_writer,
> -
> -           /* check it wasn't an earlier declaration too */
> -           for(j = 0; j < nspace_declarations_count; j++)
> --            if(nspace_declarations[j].nspace == element->attributes[j]->nspace) {
> -+            if(nspace_declarations[j].nspace == element->attributes[i]->nspace) {
> -               declare_me = 0;
> -               break;
> -             }
> diff --git a/package/raptor/raptor.hash b/package/raptor/raptor.hash
> index 2a54bf270d..05e9c53902 100644
> --- a/package/raptor/raptor.hash
> +++ b/package/raptor/raptor.hash
> @@ -1,3 +1,3 @@
>   # Locally calculated
> -sha256  ada7f0ba54787b33485d090d3d2680533520cd4426d2f7fb4782dd4a6a1480ed  raptor2-2.0.15.tar.gz
> -sha256  6b926a47abfb87451c436fbd4a868defec963d0232c70b806ac02d4a2a6e1968  LICENSE.txt
> +sha256  089db78d7ac982354bdbf39d973baf09581e6904ac4c92a98c5caadb3de44680  raptor2-2.0.16.tar.gz
> +sha256  0f0c719a05c9f7a0be2051ab83c1470837f595ed23e34989f46fd8eb45cfc251  LICENSE.txt
> diff --git a/package/raptor/raptor.mk b/package/raptor/raptor.mk
> index 69ac121300..ec7643ce3d 100644
> --- a/package/raptor/raptor.mk
> +++ b/package/raptor/raptor.mk
> @@ -4,7 +4,7 @@
>   #
>   ################################################################################
>   
> -RAPTOR_VERSION = 2.0.15
> +RAPTOR_VERSION = 2.0.16
>   RAPTOR_SOURCE = raptor2-$(RAPTOR_VERSION).tar.gz
>   RAPTOR_SITE = http://download.librdf.org/source
>   RAPTOR_DEPENDENCIES = libxml2 libxslt
> @@ -17,12 +17,6 @@ RAPTOR_INSTALL_STAGING = YES
>   # Flag is added to make sure the patch is applied for the configure.ac of raptor.
>   RAPTOR_AUTORECONF = YES
>   
> -# 0002-Calcualte-max-nspace-declarations-correctly-for-XML-.patch
> -RAPTOR_IGNORE_CVES += CVE-2017-18926
> -
> -# 0003-XML-Writer-compare-namespace-declarations-correctly.patch
> -RAPTOR_IGNORE_CVES += CVE-2020-25713
> -
>   RAPTOR_CONF_OPTS =\
>   	--with-xml2-config=$(STAGING_DIR)/usr/bin/xml2-config \
>   	--with-xslt-config=$(STAGING_DIR)/usr/bin/xslt-config
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot