[OE-core] [PATCH 1/1] libxml2: fix LSB desktop-xml tests failure
Hongxu Jia
hongxu.jia at windriver.com
Tue Sep 17 11:10:23 UTC 2013
On 09/17/2013 05:15 PM, Burton, Ross wrote:
> On 17 September 2013 03:36, Hongxu Jia <hongxu.jia at windriver.com> wrote:
>> The upstream of libxml2 has not fixed this issue:
>> git clone git://git.gnome.org/libxml2
>>
>> And I have filed a bug to them
>> https://bugzilla.gnome.org/show_bug.cgi?id=708205
>>
>> After this is fixed and released, also need to report another
>> bug to LSB to update their libxml2 source code.
>>
>> The time cycle is long, should we mark this bug as "Waiting For Upstream"
>> or accept this patch to workaround for LSB test.
> Using my amazing ability of talking to the upstream maintainer (DV in
> #xml on irc.gnome.org) I've sorted this out.
>
> The CVE is for *Chromium's fork of libxml*. Not upstream libxml2.
> The patch changes a public structure by adding fields *in the middle*,
> so that broke the ABI. That's two good reasons to revert the patch.
> As Daniel has said in the bug, this patch was the quick fix that
> Chromium did as they statically link to libxml2 so the API breakage
> isn't an issue, the proper fix is already in libxslt. As long as we
> have libxml 2.9.0 and libxslt 1.1.27 onwards (which we do), the issue
> is correctly fixed.
>
> So, NAK to this patch, and a revert incoming.
Great, the libxml2-CVE-2012-2871.patch is obsolete, abandon it could fix the
LSB desktop-xml tests failure. I wll resend the patch to do this.
Thanks,
Hongxu
> Ross
More information about the Openembedded-core
mailing list