From: "Mike Crowe" <yocto@mac.mcrowe.com>
To: Steve Sakoman <steve@sakoman.com>
Cc: Patches and discussions about the oe-core layer
<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [dunfell][PATCH v2] curl: Fix CVE-2021-22924 and CVE-2021-22925
Date: Wed, 4 Aug 2021 20:42:17 +0100 [thread overview]
Message-ID: <20210804194217.GA18303@mcrowe.com> (raw)
In-Reply-To: <CAOSpxdbthf5JtAGYri==t=izjpTXFbWU733YtxRXjTgQ+pjcTg@mail.gmail.com>
On Wednesday 04 August 2021 at 08:05:27 -1000, Steve Sakoman wrote:
> On Wed, Aug 4, 2021 at 7:27 AM Steve Sakoman via
> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
> wrote:
> >
> > On Wed, Aug 4, 2021 at 7:06 AM Mike Crowe via lists.openembedded.org
> > <yocto=mac.mcrowe.com@lists.openembedded.org> wrote:
> > >
> > > curl v7.78 contained fixes for five CVEs:
> > >
> > > CVE-2021-22922[1] and CVE-2021-22923[2] are only present when support
> > > for metalink is enabled. EXTRA_OECONF contains "--without-libmetalink"
> > > so these fixes are unnecessary.
> > >
> > > CVE-2021-22926[3] only affects builds for MacOS.
> > >
> > > CVE-2021-22924[4] and CVE-2021-22925[5] are both applicable. Take the
> > > patches from Ubuntu 20.04 curl_7.68.0-1ubuntu2.6 package which is close
> > > enough that the patch for CVE-2021-22924 applies without conflicts. The
> > > CVE-2021-22925 patch required only a small tweak to apply.
> > >
> > > [1] https://curl.se/docs/CVE-2021-22922.html
> > > [2] https://curl.se/docs/CVE-2021-22923.html
> > > [3] https://curl.se/docs/CVE-2021-22926.html
> > > [4] https://curl.se/docs/CVE-2021-22924.html
> > > [5] https://curl.se/docs/CVE-2021-22925.html
> >
> > This patch wouldn't apply because there's another curl CVE fix in my
> > testing queue (curl: Fix for CVE-2021-22898):
> >
> > https://lists.openembedded.org/g/openembedded-core/message/154145
> >
> > I went ahead and did the required fixup so no need for you to do anything.
>
> Sigh. I spoke too soon. Your CVE-2021-22925 patch and the previous
> CVE-2021-22898 patch both touch lib/telnet.c so your patch won't apply
> now.
>
> You mentioned that you had to tweak the CVE-2021-22925 patch, might
> this be related to the CVE-2021-22898 fix (which is a one-liner)?
Ah, yes. That's the change I had to accommodate. You can either tweak my
patch (just adding the "== 2" to the patch should work - that's the
opposite of what I did) or just drop your CVE-2021-22898 patch since the
CVE-2021-22925 patch supersedes it.)
Alternatively, I can do whichever of those you prefer tomorrow if you wish.
Thanks.
Mike.
next prev parent reply other threads:[~2021-08-04 19:42 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-04 17:05 [dunfell][PATCH v2] curl: Fix CVE-2021-22924 and CVE-2021-22925 Mike Crowe
2021-08-04 17:27 ` [OE-core] " Steve Sakoman
[not found] ` <16982A916A07A38B.6121@lists.openembedded.org>
2021-08-04 18:05 ` Steve Sakoman
2021-08-04 19:42 ` Mike Crowe [this message]
2021-08-04 19:53 ` Steve Sakoman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210804194217.GA18303@mcrowe.com \
--to=yocto@mac.mcrowe.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=steve@sakoman.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox