<feed xmlns='http://www.w3.org/2005/Atom'>
<title>buildroot/package/expat, branch 2017.08.1</title>
<subtitle>OpenPOWER buildroot sources</subtitle>
<id>https://git.raptorcs.com/git/buildroot/atom?h=2017.08.1</id>
<link rel='self' href='https://git.raptorcs.com/git/buildroot/atom?h=2017.08.1'/>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/'/>
<updated>2017-07-17T07:06:23+00:00</updated>
<entry>
<title>expat: fix build on and for kernel older than 3.17</title>
<updated>2017-07-17T07:06:23+00:00</updated>
<author>
<name>Baruch Siach</name>
<email>baruch@tkos.co.il</email>
</author>
<published>2017-07-17T04:11:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=5242701f3aa8426cdf2cc9a176ef06194db93d5f'/>
<id>urn:sha1:5242701f3aa8426cdf2cc9a176ef06194db93d5f</id>
<content type='text'>
The expat build system now fails when the getrandom() system call is not
supported. This affect both host and target builds. Define XML_POOR_ENTROPY
for target kernels older than 3.17 to fix the build. For the host package
define XML_POOR_ENTROPY unconditionally since we have no easy way to know the
host kernel version. Note that expat will still use getrandom() on the host
when it is available, we don't make security any worse.

Fixes (host):
http://autobuild.buildroot.net/results/928/928dc2b56d931da84055fdfe78929d1f956de53b/
http://autobuild.buildroot.net/results/ee9/ee90d0a456cbce4c7f22e5f61006612bd9ba30d5/
http://autobuild.buildroot.net/results/dac/dac7231242123ae3dcaa6bbdd65b44fe8d8cb20c/

Fixes (target):
http://autobuild.buildroot.net/results/308/308e830219fdfebb5aa6aef51c1dc784254998f6/
http://autobuild.buildroot.net/results/73f/73fa946b0a2205e946ad414079f88e4bdb416f00/
http://autobuild.buildroot.net/results/9d7/9d7bad22ace7fa211b31d752a2255e07cede68be/

[Peter: also use HOST_CPPFLAGS]
Signed-off-by: Baruch Siach &lt;baruch@tkos.co.il&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>expat: security bump to version 2.2.2</title>
<updated>2017-07-16T21:25:54+00:00</updated>
<author>
<name>Baruch Siach</name>
<email>baruch@tkos.co.il</email>
</author>
<published>2017-07-16T17:41:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=b3eca095003aecde94414fd1f01a831f1af198ec'/>
<id>urn:sha1:b3eca095003aecde94414fd1f01a831f1af198ec</id>
<content type='text'>
Changes (security fixes):

[MOX-006]      Fix non-NULL parser parameter validation in XML_Parse;
                 resulted in NULL dereference, previously

Drop upstream patch.

Signed-off-by: Baruch Siach &lt;baruch@tkos.co.il&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>expat: fix patch that doesn't apply properly</title>
<updated>2017-06-20T05:40:25+00:00</updated>
<author>
<name>Thomas Petazzoni</name>
<email>thomas.petazzoni@free-electrons.com</email>
</author>
<published>2017-06-20T05:40:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=1940a66114bb6962dfdcee928e5c5fa5f29c0be7'/>
<id>urn:sha1:1940a66114bb6962dfdcee928e5c5fa5f29c0be7</id>
<content type='text'>
Fixes:

  http://autobuild.buildroot.net/results/23f799009ae10c5de2b06a7747a28804818204c2/

Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>expat: security bump to version 2.2.1</title>
<updated>2017-06-19T20:06:03+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2017-06-18T21:20:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=c0ad6ded018ffbc33f7f52a4bbcc6f08a14bfbd6'/>
<id>urn:sha1:c0ad6ded018ffbc33f7f52a4bbcc6f08a14bfbd6</id>
<content type='text'>
Fixes:

- CVE-2017-9233 - External entity infinite loop DoS. See:
  https://libexpat.github.io/doc/cve-2017-9233/

- CVE-2016-9063 -- Detect integer overflow

And further more:

- Fix regression from fix to CVE-2016-0718 cutting off longer tag names.

- Extend fix for CVE-2016-5300 (use getrandom() if available).

- Extend fix for CVE-2012-0876 (Change hash algorithm to William Ahern's
  version of SipHash).

Also add an upstream patch to fix detection of getrandom().

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>expat: add explicit dependencies for host variant</title>
<updated>2016-07-03T06:48:05+00:00</updated>
<author>
<name>Julien Floret</name>
<email>julien.floret@6wind.com</email>
</author>
<published>2016-07-02T22:20:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=3aa12cc0dadaaeba6d3ed15c85422d96a86973fe'/>
<id>urn:sha1:3aa12cc0dadaaeba6d3ed15c85422d96a86973fe</id>
<content type='text'>
Signed-off-by: Julien Floret &lt;julien.floret@6wind.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>expat: security bump to version 2.2.0</title>
<updated>2016-06-23T19:11:14+00:00</updated>
<author>
<name>Gustavo Zacarias</name>
<email>gustavo.zacarias@free-electrons.com</email>
</author>
<published>2016-06-23T00:56:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=c27ecf49304a4b95d438d5496a98ae8d52abbcb2'/>
<id>urn:sha1:c27ecf49304a4b95d438d5496a98ae8d52abbcb2</id>
<content type='text'>
Fixes:

CVE-2016-4472 - Improve insufficient fix to CVE-2015-1283 /
CVE-2015-2716 introduced with Expat 2.1.1

CVE-2016-5300 - Use more entropy for hash initialization than the
original fix to CVE-2012-0876

CVE-2012-6702 - Resolve troublesome internal call to srand that was
introduced with Expat 2.1.0 when addressing CVE-2012-0876

Signed-off-by: Gustavo Zacarias &lt;gustavo.zacarias@free-electrons.com&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>expat: add fix for CVE-2016-0718</title>
<updated>2016-05-22T21:06:41+00:00</updated>
<author>
<name>Gustavo Zacarias</name>
<email>gustavo@zacarias.com.ar</email>
</author>
<published>2016-05-19T12:33:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=f53b54ad115013261f8435cf005166c6b8698706'/>
<id>urn:sha1:f53b54ad115013261f8435cf005166c6b8698706</id>
<content type='text'>
Fixes:
CVE-2016-0718 - The Expat XML parser mishandles certain kinds of
malformed input documents, resulting in buffer overflows during
processing and error reporting. The overflows can manifest as a
segmentation fault or as memory corruption during a parse operation. The
bugs allow for a denial of service attack in many applications by an
unauthenticated attacker, and could conceivably result in remote code
execution.

Signed-off-by: Gustavo Zacarias &lt;gustavo@zacarias.com.ar&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
<entry>
<title>expat: bump to version 2.1.1</title>
<updated>2016-03-14T07:48:43+00:00</updated>
<author>
<name>Gustavo Zacarias</name>
<email>gustavo@zacarias.com.ar</email>
</author>
<published>2016-03-14T01:46:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=63b9681d64fc00414b3bf28306d4059239daf7db'/>
<id>urn:sha1:63b9681d64fc00414b3bf28306d4059239daf7db</id>
<content type='text'>
Drop 0001-fix-CVE-2015-1283.patch since it's upstream.

Signed-off-by: Gustavo Zacarias &lt;gustavo@zacarias.com.ar&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>expat: add security patch for CVE-2015-1283</title>
<updated>2015-09-01T19:56:34+00:00</updated>
<author>
<name>Gustavo Zacarias</name>
<email>gustavo@zacarias.com.ar</email>
</author>
<published>2015-09-01T18:42:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=67d6276c1bd050b362b11658ae0c7b4da73e227e'/>
<id>urn:sha1:67d6276c1bd050b362b11658ae0c7b4da73e227e</id>
<content type='text'>
Fixes:
CVE-2015-1283 - Multiple integer overflows in the XML_GetBuffer
function.

Signed-off-by: Gustavo Zacarias &lt;gustavo@zacarias.com.ar&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>package: add hashes for SourceForge-hosted packages</title>
<updated>2014-12-28T21:21:16+00:00</updated>
<author>
<name>Yann E. MORIN</name>
<email>yann.morin.1998@free.fr</email>
</author>
<published>2014-12-28T12:19:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=2ced21f8f982ef199b99ccc1f35dff6611b90c89'/>
<id>urn:sha1:2ced21f8f982ef199b99ccc1f35dff6611b90c89</id>
<content type='text'>
Since SourceForge sometimes serves us faulty tarballs, we can tons of
autobuild failures:
    http://autobuild.buildroot.org/results/9fb/9fba5bf086a4e7a29e5f7156ec43847db7aacfc4/
    http://autobuild.buildroot.org/results/6c8/6c837b244c45ac3b3a887734a371cd6d226cf216/
    ...

Fix that by adding hash files for all SourceForge-hosted packages (thos
etht did not already have it).

We normally prefer to use hashes published by upstream, but hunting them
all one by one is a tedious task, so those hashes were all locally
computed with a script that searched for SF-hosted packages, downloades
the associated tarball, computed the hash, and stored it in the
corresponding .hash file.

Also, SF publishes sha1 hashes, while I used the stronger sha256, since
sha1 is now considered to be relatively weak.

Signed-off-by: "Yann E. MORIN" &lt;yann.morin.1998@free.fr&gt;
Cc: Peter Korsgaard &lt;jacmet@uclibc.org&gt;
Cc: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
Cc: Maxime Hadjinlian &lt;maxime.hadjinlian@gmail.com&gt;
Cc: Richard Braun &lt;rbraun@sceen.net&gt;
Cc: Nathaniel Roach &lt;nroach44@gmail.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@free-electrons.com&gt;
</content>
</entry>
</feed>
