* [PATCH] ncurses: Update 6.4 -> 6.4+20230514
From: Florin Diaconescu @ 2023-05-17 8:21 UTC (permalink / raw)
To: openembedded-core; +Cc: Florin Diaconescu
Latest patch in ncurses GitHub mirror
Includes the fix for CVE-2023-29491, done in 6.4+20230408
Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
---
.../ncurses/{ncurses_6.4.bb => ncurses_6.4+20230514.bb} | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
rename meta/recipes-core/ncurses/{ncurses_6.4.bb => ncurses_6.4+20230514.bb} (78%)
diff --git a/meta/recipes-core/ncurses/ncurses_6.4.bb b/meta/recipes-core/ncurses/ncurses_6.4+20230514.bb
similarity index 78%
rename from meta/recipes-core/ncurses/ncurses_6.4.bb
rename to meta/recipes-core/ncurses/ncurses_6.4+20230514.bb
index 166e30713c..44aaac3613 100644
--- a/meta/recipes-core/ncurses/ncurses_6.4.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.4+20230514.bb
@@ -6,10 +6,10 @@ SRC_URI += "file://0001-tic-hang.patch \
file://exit_prototype.patch \
"
# commit id corresponds to the revision in package version
-SRCREV = "1003914e200fd622a27237abca155ce6bf2e6030"
+SRCREV = "b9f9d6304f6abd71a5fdbfd500a645e521edf8b6"
S = "${WORKDIR}/git"
EXTRA_OECONF += "--with-abi-version=5"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)$"
# This is needed when using patchlevel versions like 6.1+20181013
-#CVE_VERSION = "${@d.getVar("PV").split('+')[0]}.${@d.getVar("PV").split('+')[1]}"
+CVE_VERSION = "${@d.getVar("PV").split('+')[0]}.${@d.getVar("PV").split('+')[1]}"
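Review bot: The re-enabled CVE_VERSION line at the end of the hunk indexes split('+')[1] unconditionally, so it only evaluates while PV contains a '+' part; the removed line shows it was kept commented out while the recipe was at plain 6.4. Suggest extending the comment above it to say the line has to be commented out again when the recipe returns to a release version, or making the expression fall back to PV when there is no '+' part. The commit message could also say that the resulting dotted value (6.4.20230514) is what the CVE check is meant to compare against the 6.4+20230408 fix it mentions.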
--
2.25.1
* Re: [OE-core] [PATCH] ncurses: Update 6.4 -> 6.4+20230514
From: Alexander Kanavin @ 2023-05-17 8:26 UTC (permalink / raw)
To: Florin Diaconescu; +Cc: openembedded-core
Snapshots are not releases, but rather in-progress development work
towards the next release. If the goal is to fix a CVE, then you should
backport the patch.
As explained here:
https://invisible-island.net/ncurses/ncurses.faq.html#latest_version
Alex
On Wed, 17 May 2023 at 10:22, Florin Diaconescu
<florin.diaconescu009@gmail.com> wrote:
>
> Latest patch in ncurses GitHub mirror
> Includes the fix for CVE-2023-29491, done in 6.4+20230408
>
> Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
> ---
> .../ncurses/{ncurses_6.4.bb => ncurses_6.4+20230514.bb} | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
> rename meta/recipes-core/ncurses/{ncurses_6.4.bb => ncurses_6.4+20230514.bb} (78%)
>
> diff --git a/meta/recipes-core/ncurses/ncurses_6.4.bb b/meta/recipes-core/ncurses/ncurses_6.4+20230514.bb
> similarity index 78%
> rename from meta/recipes-core/ncurses/ncurses_6.4.bb
> rename to meta/recipes-core/ncurses/ncurses_6.4+20230514.bb
> index 166e30713c..44aaac3613 100644
> --- a/meta/recipes-core/ncurses/ncurses_6.4.bb
> +++ b/meta/recipes-core/ncurses/ncurses_6.4+20230514.bb
> @@ -6,10 +6,10 @@ SRC_URI += "file://0001-tic-hang.patch \
> file://exit_prototype.patch \
> "
> # commit id corresponds to the revision in package version
> -SRCREV = "1003914e200fd622a27237abca155ce6bf2e6030"
> +SRCREV = "b9f9d6304f6abd71a5fdbfd500a645e521edf8b6"
> S = "${WORKDIR}/git"
> EXTRA_OECONF += "--with-abi-version=5"
> UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)$"
>
> # This is needed when using patchlevel versions like 6.1+20181013
> -#CVE_VERSION = "${@d.getVar("PV").split('+')[0]}.${@d.getVar("PV").split('+')[1]}"
> +CVE_VERSION = "${@d.getVar("PV").split('+')[0]}.${@d.getVar("PV").split('+')[1]}"
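Review bot: The new SRCREV value is not tied to anything a reader can verify: the comment above it says "commit id corresponds to the revision in package version", but neither the hunk nor the commit message names the upstream tag or commit subject that b9f9d6304f6abd71a5fdbfd500a645e521edf8b6 corresponds to. Suggest stating that in the commit message, and confirming there that the two local patches still listed in SRC_URI (0001-tic-hang.patch and exit_prototype.patch) apply to the new revision.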
> --
> 2.25.1
* Re: [PATCH] ncurses: Update 6.4 -> 6.4+20230514
From: Florin Diaconescu @ 2023-05-17 8:33 UTC (permalink / raw)
To: openembedded-core
What's the reasoning behind updating ncurses from 6.3 to 6.3+20220423 in Kirkstone, then?
https://git.yoctoproject.org/poky/commit/meta/recipes-core/ncurses?h=kirkstone&id=e13ce12e4ad79100bd45c751203040ce2a6f1920
Looks like they updated for fixing a CVE as well, and they did not backport the patch on top of 6.3.
"CVE: CVE-2022-29458"
Florin
* Re: [OE-core] [PATCH] ncurses: Update 6.4 -> 6.4+20230514
From: Alexander Kanavin @ 2023-05-17 8:35 UTC (permalink / raw)
To: Florin Diaconescu; +Cc: openembedded-core
The reasoning is that I didn't see that patch so I could react. It
merged but it shouldn't have.
The standard policy is that we're not taking random snapshots in the
middle of a development cycle, and there shouldn't be an exception for
ncurses.
Alex
On Wed, 17 May 2023 at 10:33, Florin Diaconescu
<florin.diaconescu009@gmail.com> wrote:
>
> What's the reasoning behind updating ncurses from 6.3 to 6.3+20220423 in Kirkstone, then?
> https://git.yoctoproject.org/poky/commit/meta/recipes-core/ncurses?h=kirkstone&id=e13ce12e4ad79100bd45c751203040ce2a6f1920
>
> Looks like they updated for fixing a CVE as well, and they did not backport the patch on top of 6.3.
> "CVE: CVE-2022-29458"
>
> Florin
* Re: [PATCH] ncurses: Update 6.4 -> 6.4+20230514
From: Florin Diaconescu @ 2023-05-17 8:46 UTC (permalink / raw)
To: openembedded-core
What about this, then? Looks like it is committed by you:
http://cgit.openembedded.org/openembedded-core/commit/meta/recipes-core/ncurses?h=kirkstone&id=325fe5f68bc698f78f5c1a14407c0bbb4cba45f7
Indeed, you were updating from a development snapshot to another development snapshot, but judging by the history of this recipe I thought that this was always the case.
http://cgit.openembedded.org/openembedded-core/commit/meta/recipes-core/ncurses?h=kirkstone&id=fdb2a95d5e0265de1172940b6dc71fc7d602e8d1
If the standard policy is that, maybe the CVE_VERSION line should also be removed.
* Re: [OE-core] [PATCH] ncurses: Update 6.4 -> 6.4+20230514
From: Alexander Kanavin @ 2023-05-17 8:50 UTC (permalink / raw)
To: Florin Diaconescu; +Cc: openembedded-core
This was back when it wasn't clear to us what ncurses snapshots are.
Somehow we thought they are bugfixes on top of a stable version. Now
it is clear that is not the case.
Alex
On Wed, 17 May 2023 at 10:46, Florin Diaconescu
<florin.diaconescu009@gmail.com> wrote:
>
> What about this, then? Looks like it is committed by you:
> http://cgit.openembedded.org/openembedded-core/commit/meta/recipes-core/ncurses?h=kirkstone&id=325fe5f68bc698f78f5c1a14407c0bbb4cba45f7
> Indeed, you were updating from a development snapshot to another development snapshot, but judging by the history of this recipe I thought that this was always the case.
> http://cgit.openembedded.org/openembedded-core/commit/meta/recipes-core/ncurses?h=kirkstone&id=fdb2a95d5e0265de1172940b6dc71fc7d602e8d1
>
> If the standard policy is that, maybe the CVE_VERSION line should also be removed.
* Re: [PATCH] ncurses: Update 6.4 -> 6.4+20230514
From: Florin Diaconescu @ 2023-05-17 8:55 UTC (permalink / raw)
To: openembedded-core
Thanks for explaining this. In this case, the other patch that I made to ncurses ("ncurses: change GitHub mirror") is not necessary (at least until they release ncurses 6.5). I made that commit so that an updated developer snapshot can be applied on top (this patch).
Florin
* Re: [OE-core] [PATCH] ncurses: Update 6.4 -> 6.4+20230514
From: Alexander Kanavin @ 2023-05-17 9:00 UTC (permalink / raw)
To: Florin Diaconescu; +Cc: openembedded-core
Right, but if you can backport the CVE instead, that would be appreciated.
Alex
On Wed, 17 May 2023 at 10:56, Florin Diaconescu
<florin.diaconescu009@gmail.com> wrote:
>
> Thanks for explaining this. In this case, the other patch that I made to ncurses ("ncurses: change GitHub mirror") is not necessary (at least until they release ncurses 6.5). I made that commit so that an updated developer snapshot can be applied on top (this patch).
>
> Florin