path: root/meta/recipes-core/expat/expat_2.2.10.bb
Age         Commit message                                      Author
2022-03-22  expat: fix CVE-2022-25236                           Kai Kang

    Backport patches to fix CVE-2022-25236 for expat.

    CVE: CVE-2022-25236

    (From OE-Core rev: fd0271ee4ff3a45f7c04219fc7571db66fcefb10)

    Signed-off-by: Kai Kang <kai.kang@windriver.com>
    Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-03-22  expat: fix CVE-2022-25235                           Kai Kang

    Backport patch to fix CVE-2022-25235 for expat.

    CVE: CVE-2022-25235

    (From OE-Core rev: 60dd7d2deeda838346f30b6f8de28dfac7efac0d)

    Signed-off-by: Kai Kang <kai.kang@windriver.com>
    Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-03-02  expat: fix CVE-2022-23990                           Kai Kang

    CVE: CVE-2022-23990

    Based on Steve Sakoman's patch for branch dunfell, fix CVE-2022-23990
    for expat in branch hardknott. And correct indent as well.

    (From OE-Core rev: dc30243e7cc1b1c392b999de114b4096d432ef02)

    Signed-off-by: Kai Kang <kai.kang@windriver.com>
    Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-02-10  expat: fix CVE-2022-23852                           Steve Sakoman

    Expat (aka libexpat) before 2.4.4 has a signed integer overflow in
    XML_GetBuffer for configurations with a nonzero XML_CONTEXT_BYTES.

    Backport patch from:
    https://github.com/libexpat/libexpat/commit/847a645152f5ebc10ac63b74b604d0c1a79fae40

    CVE: CVE-2022-23852

    (From OE-Core rev: 8a50809a0e54c66a8a7aafb1b9bffbec009f8c57)

    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    (cherry picked from commit af81bb9d10c0f1e9dcaffc1bbc18ef780eea7127)
    Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-01-31  expat: fix CVE-2021-46143                           Steve Sakoman

    In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an
    integer overflow exists for m_groupSize.

    Backport patch from:
    https://github.com/libexpat/libexpat/pull/538/commits/85ae9a2d7d0e9358f356b33977b842df8ebaec2b

    CVE: CVE-2021-46143

    (From OE-Core rev: babe185972eb71058762ca20c349ba2651d0f73d)

    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    (cherry picked from commit 41a65d27e4ecdc11977e2944d8af2f51c48f32ec)
    Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-01-31  expat: fix CVE-2021-45960                           Steve Sakoman

    In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more)
    places in the storeAtts function in xmlparse.c can lead to realloc
    misbehavior (e.g., allocating too few bytes, or only freeing memory).

    Backport patch from:
    https://github.com/libexpat/libexpat/pull/534/commits/0adcb34c49bee5b19bd29b16a578c510c23597ea

    CVE: CVE-2021-45960

    (From OE-Core rev: 8d475823acf95d81596c1c125bc7dd4d0e0f5f1c)

    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    (cherry picked from commit 22fe1dea3164a5cd4d5636376f3671641ada1da9)
    Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2022-01-31  expat fix CVE-2022-22822 through CVE-2022-22827    Steve Sakoman

    xmlparse.c has multiple integer overflows. The involved functions are:

    - addBinding (CVE-2022-22822)
    - build_model (CVE-2022-22823)
    - defineAttribute (CVE-2022-22824)
    - lookup (CVE-2022-22825)
    - nextScaffoldPart (CVE-2022-22826)
    - storeAtts (CVE-2022-22827)

    Backport patch from:
    https://github.com/libexpat/libexpat/pull/539/commits/9f93e8036e842329863bf20395b8fb8f73834d9e

    CVE: CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825
         CVE-2022-22826 CVE-2022-22827

    (From OE-Core rev: 0d195a98703d690a348719f77e7be78653d14ad3)

    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    (cherry picked from commit 3b6c47c0ebae9fdb7a13480daf8f46a8dbb2c9bd)
    Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-10-02  expat: pull from github releases                    Konrad Weihmann

    Sometimes we can find release tarballs from sourceforge are not fully
    distributed along all download mirrors, leading to fetching failures,
    depending on what download mirror will be chosen by sourceforge
    servers. As the project moved to github anyway, it's better to pull
    the tarballs directly from github releases - serving the very same
    static artifacts.

    Add an override UPSTREAM_CHECK_URI to enable devtool upgrade checks.

    (From OE-Core rev: 75cdae00b80e0a64bb02f274cdf8b9a321bd57e5)

    Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
    (backported from commit 2a1743ace5aa41b188f77853d0f00c9e5a359c6d)
    Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2021-06-03  expat: set CVE_PRODUCT                              Steve Sakoman

    Upstream database uses both "expat" and "libexpat" to report CVEs.

    (From OE-Core rev: 30357a56df82d3ea11f7288a8c02dd2d201b498a)

    Signed-off-by: Steve Sakoman <steve@sakoman.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2020-11-03  expat: upgrade 2.2.9 -> 2.2.10                      Alexander Kanavin

    License-Update: copyright years

    (From OE-Core rev: ef7e5fbd460e136aa20a519372d4d69574ce73b9)

    Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>