Age | Commit message (Collapse) | Author |
|
Backport patches to fix CVE-2022-25236 for expat.
CVE: CVE-2022-25236
(From OE-Core rev: fd0271ee4ff3a45f7c04219fc7571db66fcefb10)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Backport patch to fix CVE-2022-25235 for expat.
CVE: CVE-2022-25235
(From OE-Core rev: 60dd7d2deeda838346f30b6f8de28dfac7efac0d)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
CVE: CVE-2022-23990
Based on Steve Sakoman's patch for branch dunfell, fix CVE-2022-23990
for expat in branch hardknott.
And correct indent as well.
(From OE-Core rev: dc30243e7cc1b1c392b999de114b4096d432ef02)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer
for configurations with a nonzero XML_CONTEXT_BYTES.
Backport patch from:
https://github.com/libexpat/libexpat/commit/847a645152f5ebc10ac63b74b604d0c1a79fae40
CVE: CVE-2022-23852
(From OE-Core rev: 8a50809a0e54c66a8a7aafb1b9bffbec009f8c57)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit af81bb9d10c0f1e9dcaffc1bbc18ef780eea7127)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an
integer overflow exists for m_groupSize.
Backport patch from:
https://github.com/libexpat/libexpat/pull/538/commits/85ae9a2d7d0e9358f356b33977b842df8ebaec2b
CVE: CVE-2021-46143
(From OE-Core rev: babe185972eb71058762ca20c349ba2651d0f73d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 41a65d27e4ecdc11977e2944d8af2f51c48f32ec)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more)
places in the storeAtts function in xmlparse.c can lead to realloc
misbehavior (e.g., allocating too few bytes, or only freeing memory).
Backport patch from:
https://github.com/libexpat/libexpat/pull/534/commits/0adcb34c49bee5b19bd29b16a578c510c23597ea
CVE: CVE-2021-45960
(From OE-Core rev: 8d475823acf95d81596c1c125bc7dd4d0e0f5f1c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 22fe1dea3164a5cd4d5636376f3671641ada1da9)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
xmlparse.c has multiple integer overflows. The involved functions are:
- addBinding (CVE-2022-22822)
- build_model (CVE-2022-22823)
- defineAttribute (CVE-2022-22824)
- lookup (CVE-2022-22825)
- nextScaffoldPart (CVE-2022-22826)
- storeAtts (CVE-2022-22827)
Backport patch from:
https://github.com/libexpat/libexpat/pull/539/commits/9f93e8036e842329863bf20395b8fb8f73834d9e
CVE: CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827
(From OE-Core rev: 0d195a98703d690a348719f77e7be78653d14ad3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
(cherry picked from commit 3b6c47c0ebae9fdb7a13480daf8f46a8dbb2c9bd)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
sometimes we can find release tarballs from sourceforge are not fully
distributed along all download mirrors leading to fetching failures,
depending on what download mirror will be chosen by sourceforge
servers.
As the project moved to github anyway, it's better to pull the tarballs
directly from github releases - serving the very same static artifacts.
Add an override UPSTREAM_CHECK_URI to enable devtool upgrade checks
(From OE-Core rev: 75cdae00b80e0a64bb02f274cdf8b9a321bd57e5)
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
(backported from commit 2a1743ace5aa41b188f77853d0f00c9e5a359c6d)
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Upstream database uses both "expat" and "libexpat" to report CVEs
(From OE-Core rev: 30357a56df82d3ea11f7288a8c02dd2d201b498a)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
License-Update: copyright years
(From OE-Core rev: ef7e5fbd460e136aa20a519372d4d69574ce73b9)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|