On 09/17/2013 01:09 AM, Khem Raj wrote:
On Sep 16, 2013, at 4:14 AM, Hongxu Jia <hongxu.jia@windriver.com> wrote:


The commit
http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=8780c5ddf2916bbd42fc67b79c286652aebb1546
add a patch to fix a security issue. It modify include file 'tree.h'
to add 'const char *dummy_children' on 'struct _xmlNs'.

But lsb test suites didn't do this in his own include file, so the LSB
desktop-xml tests failed.

IMO the testcase should be fixed. This is security patch that you are disabling. I don't think LSB compliance
should mean less secure

The upstream of libxml2 has not fixed this issue:
git clone git://git.gnome.org/libxml2

And I have filed a bug to them
https://bugzilla.gnome.org/show_bug.cgi?id=708205

After this is fixed and released, also need to report another
bug to LSB to update their libxml2 source code.

The time cycle is long, should we mark this bug as "Waiting For Upstream"
or accept this patch to workaround for LSB test.

Thanks,
Hongxu

Disable this patch for linuxstdbase could fix this issue.

[YOCTO #5151]

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
meta/recipes-core/libxml/libxml2_2.9.1.bb | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-core/libxml/libxml2_2.9.1.bb b/meta/recipes-core/libxml/libxml2_2.9.1.bb
index fa9c657..3b031a1 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.1.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.1.bb
@@ -1,6 +1,9 @@
require libxml2.inc

-SRC_URI += "file://libxml2-CVE-2012-2871.patch \
+LIBXML2_CVE = ""file://libxml2-CVE-2012-2871.patch"
+LIBXML2_CVE_linuxstdbase = ""
+
+SRC_URI += "${LIBXML2_CVE} \
            http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
	   "

-- 
1.8.1.2

_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core