From: "Petter Mabäcker" <petter@technux.se>
To: "Burton, Ross" <ross.burton@intel.com>
Cc: Openembedded core <openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH 1/3] readline: Security Advisory - readline - CVE-2014-2524
Date: Tue, 06 Oct 2015 13:23:49 +0200 [thread overview]
Message-ID: <fb59210fb91a5209c3d3ce6dbce38ff1@technux.se> (raw)
In-Reply-To: <CAJTo0LZjxvCgVLFGVhn0O2PCWTGYFOM46zZ7KG_tqOZgzd9xgQ@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2057 bytes --]
Petter Mabäcker
Technux
<petter@technux.se>
www.technux.se
2015-10-06 12:06 skrev Burton, Ross:
> On 6 October 2015 at 09:11, Petter Mabäcker <petter@technux.se>
wrote:
>
>> I played around with the new meta-security-isafw layer and
the cve-check-tool. In readline the cve CVE-2014-2524 is marked as
'missing' by the framework and I was confused to start with, since I saw
that this commit was included. But after looking at the actual patch I
realized that it only contains a report and not the patch itself. My
question is if that is with purpose and due to some decision that the
CVE isn't really causing any harm or if it's by mistake?
>
> As can be
seen at
http://lists.gnu.org/archive/html/bug-readline/2014-03/msg00057.html [1]
the CVE patch is simply adding a #if defined (DEBUG), which is in the
patch included in oe-core master as readline-6.3/readline63-003.
>
>
The tool is probably reporting it as missing as -- if i recall correctly
-- it identifies CVE patches by filename.
>
> Ross
Hi Ross,
That is
correct that the isafw layer assumes that it's named *cve*.patch in
order to understand that it's patched in a separate step. But what I
really meant was that the file readline63-003 just contains information
about the CVE and how to patch the source. It will never be applied on
the source, it is just copied to the WORKDIR.
$ pwd
~BUILDDIR/tmp/work/core2-64-poky-linux/readline/6.3-r0
$ls
build
configure-fix.patch norpath.patch readline63-003
temp
config-dirent-symbols.patch configure.sstate readline-6.3
readline-dispatch-multikey.patch
$ grep DEBUG readline-6.3/util.c
$ echo
$?
1
The patch must be applied by something/someone.. For example
Debian solves it by doing their own .diff patch
(http://http.debian.net/debian/pool/main/r/readline6/readline6_6.3-8.debian.tar.xz).
I can send a suggestion about how to solve this in a proper way.
BR
Petter
Links:
------
[1]
http://lists.gnu.org/archive/html/bug-readline/2014-03/msg00057.html
[-- Attachment #2: Type: text/html, Size: 3614 bytes --]
next prev parent reply other threads:[~2015-10-06 11:23 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-16 9:48 [PATCH 0/3] CVE fixes of package readline and gnupg Kai Kang
2014-10-16 9:48 ` [PATCH 1/3] readline: Security Advisory - readline - CVE-2014-2524 Kai Kang
2014-10-16 11:20 ` Burton, Ross
2014-10-16 21:31 ` Burton, Ross
2014-10-20 3:15 ` Kang Kai
2014-10-20 6:00 ` Kang Kai
2015-10-06 8:11 ` Petter Mabäcker
2015-10-06 10:06 ` Burton, Ross
2015-10-06 11:23 ` Petter Mabäcker [this message]
2015-10-06 12:58 ` Burton, Ross
2015-10-06 13:43 ` Petter Mabäcker
2015-10-06 14:08 ` Burton, Ross
2015-10-06 15:30 ` Petter Mabäcker
2015-10-08 2:13 ` Kang Kai
2015-10-09 7:14 ` Petter Mabäcker
2015-10-08 4:31 ` Marko Lindqvist
2015-10-09 6:53 ` Petter Mabäcker
2014-10-16 9:48 ` [PATCH 2/3] gnupg: CVE-2013-4242 Kai Kang
2014-10-16 9:48 ` [PATCH 3/3] gnupg_1.4.7: add package config libusb Kai Kang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fb59210fb91a5209c3d3ce6dbce38ff1@technux.se \
--to=petter@technux.se \
--cc=openembedded-core@lists.openembedded.org \
--cc=ross.burton@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.