* CVE-2022-24765 Git Errors with Bitbake
@ 2022-04-26 8:13 dev-faha
2022-04-26 8:23 ` [OE-core] " Alexander Kanavin
0 siblings, 1 reply; 3+ messages in thread
From: dev-faha @ 2022-04-26 8:13 UTC (permalink / raw)
To: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 524 bytes --]
Hello everyone,
since the patch for CVE-2022-24765 (uncontrolled search for git repositories) arrived we have problems using Git as package source. For some reason git thinks that the repositories do not belong to the user who is invoking the bitbake command, even though when checking the file permission manually they seem to be correct:
"fatal: unsafe repository ('...' is owned by someone else)"
So is bitbake using some mechanism (e.g. fake root?) to invoke the git commands? Is there a workaround to fix this?
[-- Attachment #2: Type: text/html, Size: 550 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [OE-core] CVE-2022-24765 Git Errors with Bitbake
2022-04-26 8:13 CVE-2022-24765 Git Errors with Bitbake dev-faha
@ 2022-04-26 8:23 ` Alexander Kanavin
2022-05-02 12:02 ` dev-faha
0 siblings, 1 reply; 3+ messages in thread
From: Alexander Kanavin @ 2022-04-26 8:23 UTC (permalink / raw)
To: dev-faha; +Cc: OE-core
There is a fix in master for this, and more fixes in master-next.
Alex
On Tue, 26 Apr 2022 at 10:14, <dev-faha@t-online.de> wrote:
>
> Hello everyone,
> since the patch for CVE-2022-24765 (uncontrolled search for git repositories) arrived we have problems using Git as package source. For some reason git thinks that the repositories do not belong to the user who is invoking the bitbake command, even though when checking the file permission manually they seem to be correct:
>
> "fatal: unsafe repository ('...' is owned by someone else)"
>
> So is bitbake using some mechanism (e.g. fake root?) to invoke the git commands? Is there a workaround to fix this?
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#164861): https://lists.openembedded.org/g/openembedded-core/message/164861
> Mute This Topic: https://lists.openembedded.org/mt/90703668/1686489
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alex.kanavin@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Re: CVE-2022-24765 Git Errors with Bitbake
2022-04-26 8:23 ` [OE-core] " Alexander Kanavin
@ 2022-05-02 12:02 ` dev-faha
0 siblings, 0 replies; 3+ messages in thread
From: dev-faha @ 2022-05-02 12:02 UTC (permalink / raw)
To: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 314 bytes --]
Ok thanks. I found the commit id:
https://git.yoctoproject.org/poky/commit/?id=21559199516a31c7635c5f2d874eaa4a92fff0e5
Unfortunately, it will probably take some time until the solution is included on all our build machines.
Until then, we fixed our setup by using PSEUDO_UNLOAD=1 before any git command.
[-- Attachment #2: Type: text/html, Size: 339 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-05-02 12:02 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-04-26 8:13 CVE-2022-24765 Git Errors with Bitbake dev-faha
2022-04-26 8:23 ` [OE-core] " Alexander Kanavin
2022-05-02 12:02 ` dev-faha
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox