* [PATCH 0/1] libxml2: fix LSB desktop-xml tests failure
@ 2013-09-16 11:14 Hongxu Jia
2013-09-16 11:14 ` [PATCH 1/1] " Hongxu Jia
0 siblings, 1 reply; 10+ messages in thread
From: Hongxu Jia @ 2013-09-16 11:14 UTC (permalink / raw)
To: openembedded-core
The following changes since commit dd36930f3f37b2e0e1258de28ac1b1fa99cf196f:
bitbake: data_smart: Account for changes in append/prepend/remove in the config hash (2013-09-12 17:03:17 +0100)
are available in the git repository at:
git://git.pokylinux.org/poky-contrib hongxu/fix-lsb-libxml2
http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=hongxu/fix-lsb-libxml2
Hongxu Jia (1):
libxml2: fix LSB desktop-xml tests failure
meta/recipes-core/libxml/libxml2_2.9.1.bb | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--
1.8.1.2
^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH 1/1] libxml2: fix LSB desktop-xml tests failure
2013-09-16 11:14 [PATCH 0/1] libxml2: fix LSB desktop-xml tests failure Hongxu Jia
@ 2013-09-16 11:14 ` Hongxu Jia
2013-09-16 17:09 ` Khem Raj
0 siblings, 1 reply; 10+ messages in thread
From: Hongxu Jia @ 2013-09-16 11:14 UTC (permalink / raw)
To: openembedded-core
The commit
http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=8780c5ddf2916bbd42fc67b79c286652aebb1546
adds a patch to fix a security issue. It modifies the include file 'tree.h'
to add 'const char *dummy_children' to 'struct _xmlNs'.
But the LSB test suite didn't do this in its own include file, so the LSB
desktop-xml tests failed.
Disabling this patch for linuxstdbase could fix this issue.
[YOCTO #5151]
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
meta/recipes-core/libxml/libxml2_2.9.1.bb | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-core/libxml/libxml2_2.9.1.bb b/meta/recipes-core/libxml/libxml2_2.9.1.bb
index fa9c657..3b031a1 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.1.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.1.bb
@@ -1,6 +1,9 @@
require libxml2.inc
-SRC_URI += "file://libxml2-CVE-2012-2871.patch \
+LIBXML2_CVE = "file://libxml2-CVE-2012-2871.patch"
+LIBXML2_CVE_linuxstdbase = ""
+
+SRC_URI += "${LIBXML2_CVE} \
http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
"
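Review bot: `LIBXML2_CVE_linuxstdbase = ""` drops libxml2-CVE-2012-2871.patch from SRC_URI for every build that uses the linuxstdbase override, and nothing in the recipe records why or for how long. If the override stays, put a comment above it that cites YOCTO #5151 and states the condition for removing it, so the security patch is not left disabled indefinitely. The commit message attributes the failure to the LSB test suite's own include file lacking the `dummy_children` member, so updating that header would avoid weakening the recipe at all. The name LIBXML2_CVE is also generic for a variable that holds exactly one patch file.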
--
1.8.1.2
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH 1/1] libxml2: fix LSB desktop-xml tests failure
2013-09-16 11:14 ` [PATCH 1/1] " Hongxu Jia
@ 2013-09-16 17:09 ` Khem Raj
2013-09-16 17:15 ` Burton, Ross
2013-09-17 2:36 ` Hongxu Jia
0 siblings, 2 replies; 10+ messages in thread
From: Khem Raj @ 2013-09-16 17:09 UTC (permalink / raw)
To: Hongxu Jia; +Cc: openembedded-core
On Sep 16, 2013, at 4:14 AM, Hongxu Jia <hongxu.jia@windriver.com> wrote:
> The commit
> http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=8780c5ddf2916bbd42fc67b79c286652aebb1546
> adds a patch to fix a security issue. It modifies the include file 'tree.h'
> to add 'const char *dummy_children' to 'struct _xmlNs'.
>
> But the LSB test suite didn't do this in its own include file, so the LSB
> desktop-xml tests failed.
IMO the testcase should be fixed. This is a security patch that you are disabling. I don't think LSB compliance
should mean less secure
>
> Disabling this patch for linuxstdbase could fix this issue.
>
> [YOCTO #5151]
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> ---
> meta/recipes-core/libxml/libxml2_2.9.1.bb | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/meta/recipes-core/libxml/libxml2_2.9.1.bb b/meta/recipes-core/libxml/libxml2_2.9.1.bb
> index fa9c657..3b031a1 100644
> --- a/meta/recipes-core/libxml/libxml2_2.9.1.bb
> +++ b/meta/recipes-core/libxml/libxml2_2.9.1.bb
> @@ -1,6 +1,9 @@
> require libxml2.inc
>
> -SRC_URI += "file://libxml2-CVE-2012-2871.patch \
> +LIBXML2_CVE = "file://libxml2-CVE-2012-2871.patch"
> +LIBXML2_CVE_linuxstdbase = ""
> +
> +SRC_URI += "${LIBXML2_CVE} \
> http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
> "
>
> --
> 1.8.1.2
>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/1] libxml2: fix LSB desktop-xml tests failure
2013-09-16 17:09 ` Khem Raj
@ 2013-09-16 17:15 ` Burton, Ross
2013-09-17 2:36 ` Hongxu Jia
1 sibling, 0 replies; 10+ messages in thread
From: Burton, Ross @ 2013-09-16 17:15 UTC (permalink / raw)
To: Khem Raj; +Cc: OE-core
On 16 September 2013 18:09, Khem Raj <raj.khem@gmail.com> wrote:
> IMO the testcase should be fixed. This is a security patch that you are disabling. I don't think LSB compliance
> should mean less secure
Yes, what Khem said.
Ross
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/1] libxml2: fix LSB desktop-xml tests failure
2013-09-16 17:09 ` Khem Raj
2013-09-16 17:15 ` Burton, Ross
@ 2013-09-17 2:36 ` Hongxu Jia
2013-09-17 9:15 ` Burton, Ross
1 sibling, 1 reply; 10+ messages in thread
From: Hongxu Jia @ 2013-09-17 2:36 UTC (permalink / raw)
To: Khem Raj; +Cc: openembedded-core
On 09/17/2013 01:09 AM, Khem Raj wrote:
> On Sep 16, 2013, at 4:14 AM, Hongxu Jia <hongxu.jia@windriver.com> wrote:
>
>> The commit
>> http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=8780c5ddf2916bbd42fc67b79c286652aebb1546
>> adds a patch to fix a security issue. It modifies the include file 'tree.h'
>> to add 'const char *dummy_children' to 'struct _xmlNs'.
>>
>> But the LSB test suite didn't do this in its own include file, so the LSB
>> desktop-xml tests failed.
> IMO the testcase should be fixed. This is a security patch that you are disabling. I don't think LSB compliance
> should mean less secure
>
The upstream of libxml2 has not fixed this issue:
git clone git://git.gnome.org/libxml2
And I have filed a bug to them
https://bugzilla.gnome.org/show_bug.cgi?id=708205
After this is fixed and released, we also need to report another
bug to LSB to update their libxml2 source code.
The time cycle is long; should we mark this bug as "Waiting For Upstream"
or accept this patch as a workaround for the LSB test?
Thanks,
Hongxu
>> Disabling this patch for linuxstdbase could fix this issue.
>>
>> [YOCTO #5151]
>>
>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>> ---
>> meta/recipes-core/libxml/libxml2_2.9.1.bb | 5 ++++-
>> 1 file changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/meta/recipes-core/libxml/libxml2_2.9.1.bb b/meta/recipes-core/libxml/libxml2_2.9.1.bb
>> index fa9c657..3b031a1 100644
>> --- a/meta/recipes-core/libxml/libxml2_2.9.1.bb
>> +++ b/meta/recipes-core/libxml/libxml2_2.9.1.bb
>> @@ -1,6 +1,9 @@
>> require libxml2.inc
>>
>> -SRC_URI += "file://libxml2-CVE-2012-2871.patch \
>> +LIBXML2_CVE = "file://libxml2-CVE-2012-2871.patch"
>> +LIBXML2_CVE_linuxstdbase = ""
>> +
>> +SRC_URI += "${LIBXML2_CVE} \
>> http://www.w3.org/XML/Test/xmlts20080827.tar.gz;name=testtar \
>> "
>>
>> --
>> 1.8.1.2
>>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/1] libxml2: fix LSB desktop-xml tests failure
2013-09-17 2:36 ` Hongxu Jia
@ 2013-09-17 9:15 ` Burton, Ross
2013-09-17 11:10 ` Hongxu Jia
2013-09-17 14:24 ` [PATCH 0/1] " Khem Raj
0 siblings, 2 replies; 10+ messages in thread
From: Burton, Ross @ 2013-09-17 9:15 UTC (permalink / raw)
To: Hongxu Jia; +Cc: OE-core
On 17 September 2013 03:36, Hongxu Jia <hongxu.jia@windriver.com> wrote:
> The upstream of libxml2 has not fixed this issue:
> git clone git://git.gnome.org/libxml2
>
> And I have filed a bug to them
> https://bugzilla.gnome.org/show_bug.cgi?id=708205
>
> After this is fixed and released, we also need to report another
> bug to LSB to update their libxml2 source code.
>
> The time cycle is long; should we mark this bug as "Waiting For Upstream"
> or accept this patch as a workaround for the LSB test?
Using my amazing ability of talking to the upstream maintainer (DV in
#xml on irc.gnome.org) I've sorted this out.
The CVE is for *Chromium's fork of libxml*. Not upstream libxml2.
The patch changes a public structure by adding fields *in the middle*,
so that broke the ABI. That's two good reasons to revert the patch.
As Daniel has said in the bug, this patch was the quick fix that
Chromium did as they statically link to libxml2 so the API breakage
isn't an issue, the proper fix is already in libxslt. As long as we
have libxml 2.9.0 and libxslt 1.1.27 onwards (which we do), the issue
is correctly fixed.
So, NAK to this patch, and a revert incoming.
Ross
^ permalink raw reply [flat|nested] 10+ messages in thread
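The ABI break described in the message above (a member inserted in the middle of a public struct), shown as an added example that is not part of the original thread or of libxml2: `ns_old`, `ns_new` and `ns_appended` are simplified stand-ins for `struct _xmlNs`, and the position of `dummy_children` is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for a public struct; NOT the real libxml2 layout. */
struct ns_old {                 /* header the client was compiled against */
    struct ns_old *next;
    int type;
    const char *href;
    const char *prefix;
};
struct ns_new {                 /* patched header the library was built with */
    struct ns_new *next;
    int type;
    const char *href;
    const char *dummy_children; /* inserted mid-struct (position assumed) */
    const char *prefix;
};
struct ns_appended {            /* alternative: new member added at the end */
    struct ns_appended *next;
    int type;
    const char *href;
    const char *prefix;
    const char *dummy_children;
};
/* How far 'prefix' moved relative to the old header, in bytes. */
size_t prefix_shift_mid(void) {
    return offsetof(struct ns_new, prefix) - offsetof(struct ns_old, prefix);
}
size_t prefix_shift_end(void) {
    return offsetof(struct ns_appended, prefix) - offsetof(struct ns_old, prefix);
}
/* The library fills the new layout; a client built with the old header reads
 * the same bytes through the old layout and gets a different member. */
const char *client_read_prefix(void) {
    static struct ns_new obj;                 /* zero-initialised */
    struct ns_old view;
    obj.href = "http://example.invalid/ns";   /* constructed sample values */
    obj.prefix = "ex";
    memcpy(&view, &obj, sizeof view);         /* old-header view of the bytes */
    return view.prefix;                       /* really obj.dummy_children */
}

int main(void) {
    const char *p = client_read_prefix();
    printf("mid shift=%zu end shift=%zu client prefix=%s\n",
           prefix_shift_mid(), prefix_shift_end(), p ? p : "(null)");
    return 0;
}
```

A dynamically linked client keeps its old offsets until it is recompiled, which is why a statically linked consumer never sees the mismatch.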
* Re: [PATCH 1/1] libxml2: fix LSB desktop-xml tests failure
2013-09-17 9:15 ` Burton, Ross
@ 2013-09-17 11:10 ` Hongxu Jia
2013-09-17 11:13 ` Burton, Ross
2013-09-17 14:24 ` [PATCH 0/1] " Khem Raj
1 sibling, 1 reply; 10+ messages in thread
From: Hongxu Jia @ 2013-09-17 11:10 UTC (permalink / raw)
To: Burton, Ross; +Cc: OE-core
On 09/17/2013 05:15 PM, Burton, Ross wrote:
> On 17 September 2013 03:36, Hongxu Jia <hongxu.jia@windriver.com> wrote:
>> The upstream of libxml2 has not fixed this issue:
>> git clone git://git.gnome.org/libxml2
>>
>> And I have filed a bug to them
>> https://bugzilla.gnome.org/show_bug.cgi?id=708205
>>
>> After this is fixed and released, we also need to report another
>> bug to LSB to update their libxml2 source code.
>>
>> The time cycle is long; should we mark this bug as "Waiting For Upstream"
>> or accept this patch as a workaround for the LSB test?
> Using my amazing ability of talking to the upstream maintainer (DV in
> #xml on irc.gnome.org) I've sorted this out.
>
> The CVE is for *Chromium's fork of libxml*. Not upstream libxml2.
> The patch changes a public structure by adding fields *in the middle*,
> so that broke the ABI. That's two good reasons to revert the patch.
> As Daniel has said in the bug, this patch was the quick fix that
> Chromium did as they statically link to libxml2 so the API breakage
> isn't an issue, the proper fix is already in libxslt. As long as we
> have libxml 2.9.0 and libxslt 1.1.27 onwards (which we do), the issue
> is correctly fixed.
>
> So, NAK to this patch, and a revert incoming.
Great, the libxml2-CVE-2012-2871.patch is obsolete; abandoning it could fix the
LSB desktop-xml tests failure. I will resend the patch to do this.
Thanks,
Hongxu
> Ross
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/1] libxml2: fix LSB desktop-xml tests failure
2013-09-17 11:10 ` Hongxu Jia
@ 2013-09-17 11:13 ` Burton, Ross
2013-09-17 11:18 ` Hongxu Jia
0 siblings, 1 reply; 10+ messages in thread
From: Burton, Ross @ 2013-09-17 11:13 UTC (permalink / raw)
To: Hongxu Jia; +Cc: OE-core
On 17 September 2013 12:10, Hongxu Jia <hongxu.jia@windriver.com> wrote:
>> So, NAK to this patch, and a revert incoming.
>
> Great, the libxml2-CVE-2012-2871.patch is obsolete; abandoning it could fix the
> LSB desktop-xml tests failure. I will resend the patch to do this.
As I said above, a revert was incoming (and is now on the list).
Ross
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/1] libxml2: fix LSB desktop-xml tests failure
2013-09-17 11:13 ` Burton, Ross
@ 2013-09-17 11:18 ` Hongxu Jia
0 siblings, 0 replies; 10+ messages in thread
From: Hongxu Jia @ 2013-09-17 11:18 UTC (permalink / raw)
To: Burton, Ross; +Cc: OE-core
On 09/17/2013 07:13 PM, Burton, Ross wrote:
> On 17 September 2013 12:10, Hongxu Jia <hongxu.jia@windriver.com> wrote:
>>> So, NAK to this patch, and a revert incoming.
>> Great, the libxml2-CVE-2012-2871.patch is obsolete; abandoning it could fix the
>> LSB desktop-xml tests failure. I will resend the patch to do this.
> As I said above, a revert was incoming (and is now on the list).
>
> Ross
Sorry for missing that. Thank you for your attention.
//Hongxu
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 0/1] libxml2: fix LSB desktop-xml tests failure
2013-09-17 9:15 ` Burton, Ross
2013-09-17 11:10 ` Hongxu Jia
@ 2013-09-17 14:24 ` Khem Raj
1 sibling, 0 replies; 10+ messages in thread
From: Khem Raj @ 2013-09-17 14:24 UTC (permalink / raw)
To: Burton, Ross; +Cc: OE-core
On Tuesday, September 17, 2013, Burton, Ross wrote:
> On 17 September 2013 03:36, Hongxu Jia <hongxu.jia@windriver.com> wrote:
> > The upstream of libxml2 has not fixed this issue:
> > git clone git://git.gnome.org/libxml2
> >
> > And I have filed a bug to them
> > https://bugzilla.gnome.org/show_bug.cgi?id=708205
> >
> > After this is fixed and released, we also need to report another
> > bug to LSB to update their libxml2 source code.
> >
> > The time cycle is long; should we mark this bug as "Waiting For Upstream"
> > or accept this patch as a workaround for the LSB test?
>
> Using my amazing ability of talking to the upstream maintainer (DV in
> #xml on irc.gnome.org) I've sorted this out.
>
> The CVE is for *Chromium's fork of libxml*. Not upstream libxml2.
> The patch changes a public structure by adding fields *in the middle*,
> so that broke the ABI. That's two good reasons to revert the patch.
> As Daniel has said in the bug, this patch was the quick fix that
> Chromium did as they statically link to libxml2 so the API breakage
> isn't an issue, the proper fix is already in libxslt. As long as we
> have libxml 2.9.0 and libxslt 1.1.27 onwards (which we do), the issue
> is correctly fixed.
Thanks for sorting this out in a really good way
>
> So, NAK to this patch, and a revert incoming.
>
> Ross
>
^ permalink raw reply [flat|nested] 10+ messages in thread