* CVE-2022-24765 Git Errors with Bitbake
@ 2022-04-26 8:13 dev-faha
2022-04-26 8:23 ` [OE-core] " Alexander Kanavin
0 siblings, 1 reply; 3+ messages in thread
From: dev-faha @ 2022-04-26 8:13 UTC (permalink / raw)
To: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 524 bytes --]
Hello everyone,
since the patch for CVE-2022-24765 (uncontrolled search for git repositories) arrived we have problems using Git as package source. For some reason git thinks that the repositories do not belong to the user who is invoking the bitbake command, even though when checking the file permission manually they seem to be correct:
"fatal: unsafe repository ('...' is owned by someone else)"
So is bitbake using some mechanism (e.g. fake root?) to invoke the git commands? Is there a workaround to fix this?
[-- Attachment #2: Type: text/html, Size: 550 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [OE-core] CVE-2022-24765 Git Errors with Bitbake 2022-04-26 8:13 CVE-2022-24765 Git Errors with Bitbake dev-faha @ 2022-04-26 8:23 ` Alexander Kanavin 2022-05-02 12:02 ` dev-faha 0 siblings, 1 reply; 3+ messages in thread From: Alexander Kanavin @ 2022-04-26 8:23 UTC (permalink / raw) To: dev-faha; +Cc: OE-core There is a fix in master for this, and more fixes in master-next. Alex On Tue, 26 Apr 2022 at 10:14, <dev-faha@t-online.de> wrote: > > Hello everyone, > since the patch for CVE-2022-24765 (uncontrolled search for git repositories) arrived we have problems using Git as package source. For some reason git thinks that the repositories do not belong to the user who is invoking the bitbake command, even though when checking the file permission manually they seem to be correct: > > "fatal: unsafe repository ('...' is owned by someone else)" > > So is bitbake using some mechanism (e.g. fake root?) to invoke the git commands? Is there a workaround to fix this? > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#164861): https://lists.openembedded.org/g/openembedded-core/message/164861 > Mute This Topic: https://lists.openembedded.org/mt/90703668/1686489 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alex.kanavin@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Re: CVE-2022-24765 Git Errors with Bitbake 2022-04-26 8:23 ` [OE-core] " Alexander Kanavin @ 2022-05-02 12:02 ` dev-faha 0 siblings, 0 replies; 3+ messages in thread From: dev-faha @ 2022-05-02 12:02 UTC (permalink / raw) To: openembedded-core [-- Attachment #1: Type: text/plain, Size: 314 bytes --] Ok thanks. I found the commit id: https://git.yoctoproject.org/poky/commit/?id=21559199516a31c7635c5f2d874eaa4a92fff0e5 Unfortunately, it will probably take some time until the solution is included on all our build machines. Until then, we fixed our setup by using PSEUDO_UNLOAD=1 before any git command. [-- Attachment #2: Type: text/html, Size: 339 bytes --] ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-05-02 12:02 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2022-04-26 8:13 CVE-2022-24765 Git Errors with Bitbake dev-faha 2022-04-26 8:23 ` [OE-core] " Alexander Kanavin 2022-05-02 12:02 ` dev-faha
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox