Openembedded Core Discussions
* [PATCH 0/1] cve-check-tool: backport a patch to make CVE checking work
@ 2017-05-08  3:12 Chen Qi
  2017-05-08  3:12 ` [PATCH 1/1] " Chen Qi
  0 siblings, 1 reply; 2+ messages in thread
From: Chen Qi @ 2017-05-08  3:12 UTC (permalink / raw)
  To: openembedded-core

The following changes since commit 381897c64069ea43d595380a3ae913bcc79cf7e1:

  build-appliance-image: Update to master head revision (2017-05-01 08:56:47 +0100)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib ChenQi/cve-check-tool
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=ChenQi/cve-check-tool

Chen Qi (1):
  cve-check-tool: backport a patch to make CVE checking work

 .../cve-check-tool/cve-check-tool_5.6.4.bb         |  1 +
 ...are-computed-vs-expected-sha256-digit-str.patch | 52 ++++++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch

-- 
1.9.1




* [PATCH 1/1] cve-check-tool: backport a patch to make CVE checking work
  2017-05-08  3:12 [PATCH 0/1] cve-check-tool: backport a patch to make CVE checking work Chen Qi
@ 2017-05-08  3:12 ` Chen Qi
  0 siblings, 0 replies; 2+ messages in thread
From: Chen Qi @ 2017-05-08  3:12 UTC (permalink / raw)
  To: openembedded-core

CVE checking in OE didn't work as do_populate_cve_db failed with the following
error message.

  [snip]/downloads/CVE_CHECK/nvdcve-2.0-2002.xml is not consistent

Backport a patch to fix this error.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 .../cve-check-tool/cve-check-tool_5.6.4.bb         |  1 +
 ...are-computed-vs-expected-sha256-digit-str.patch | 52 ++++++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch

diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
index fcd3182..1f906ee 100644
--- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
+++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
@@ -10,6 +10,7 @@ SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.
            file://check-for-malloc_trim-before-using-it.patch \
            file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
            file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
+           file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \
           "
 
 SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
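Review bot: consider naming the upstream commit (b0426e63c9ac61657e029f689bcb8dd051e752c6, visible in the header of the new patch file) in this recipe change's commit message, so the file:// entry added here can be dropped on the next upgrade of cve-check-tool past 5.6.4 without re-reading the patch; the entry itself is correctly appended to the existing list of backports and needs no checksum of its own.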
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
new file mode 100644
index 0000000..458c0cc
--- /dev/null
+++ b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
@@ -0,0 +1,52 @@
+From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001
+From: Sergey Popovich <popovich_sergei@mail.ua>
+Date: Fri, 21 Apr 2017 07:32:23 -0700
+Subject: [PATCH] update: Compare computed vs expected sha256 digit string
+ ignoring case
+
+We produce sha256 digest string using %x snprintf()
+qualifier for each byte of digest which uses alphabetic
+characters from "a" to "f" in lower case to represent
+integer values from 10 to 15.
+
+Previously all of the NVD META files supply sha256
+digest string for corresponding XML file in lower case.
+
+However due to some reason this changed recently to
+provide digest digits in upper case causing fetched
+data consistency checks to fail. This prevents database
+from being updated periodically.
+
+While commit c4f6e94 (update: Do not treat sha256 failure
+as fatal if requested) adds useful option to skip
+digest validation at all and thus provides workaround for
+this situation, it might be unacceptable for some
+deployments where we need to ensure that downloaded
+data is consistent before start parsing it and update
+SQLite database.
+
+Use strcasecmp() to compare two digest strings case
+insensitively and addressing this case.
+
+Upstream-Status: Backport
+Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
+---
+ src/update.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/update.c b/src/update.c
+index 8588f38..3cc6b67 100644
+--- a/src/update.c
++++ b/src/update.c
+@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data)
+                 snprintf(&csum_data[idx], len, "%02hhx", digest[i]);
+         }
+ 
+-        ret = streq(csum_meta, csum_data);
++        ret = !strcasecmp(csum_meta, csum_data);
+ 
+ err_unmap:
+         munmap(buffer, length);
+-- 
+2.11.0
+
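Review bot: the one-line change in src/update.c swaps streq() for !strcasecmp() but the hunk adds no #include <strings.h>; confirm update.c already pulls it in (directly or via a project header), otherwise the build relies on an implicit declaration. Functionally the change is sound: the computed string is always lower case because it is built with "%02hhx", so a case-insensitive compare still only accepts the same 32 digest bytes; a stricter alternative would be to check that the META value is exactly 64 hex digits before comparing, so a truncated or malformed META line is reported as such rather than as "not consistent".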
-- 
1.9.1
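The consistency check the backport repairs, as an added example that is not code from cve-check-tool or from this patch set: it hex-encodes a digest the way update.c does ("%02hhx" per byte), applies the post-patch case-insensitive comparison, and adds a stricter variant that first requires the META string to be 64 hex digits. The sample digest bytes and the upper-case META string are constructed, not real NVD values.

```c
/* Added example (not cve-check-tool's code): digest check after the backport, plus a strict variant. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define SHA256_LEN 32
#define SHA256_HEX_LEN (SHA256_LEN * 2)

/* Hex-encode a raw digest as update.c does ("%02hhx" per byte), so the
 * computed string is always lower case. out holds SHA256_HEX_LEN + 1. */
void digest_to_hex(const uint8_t digest[SHA256_LEN], char *out)
{
    for (size_t i = 0; i < SHA256_LEN; i++)
        snprintf(&out[i * 2], 3, "%02hhx", digest[i]);
}

/* Post-patch check (!strcasecmp). The pre-patch streq() was a plain
 * strcmp(), which fails as soon as META switches to upper-case digits. */
bool digest_ok_nocase(const char *meta, const char *computed)
{
    return strcasecmp(meta, computed) == 0;
}

/* Stricter variant: the META value must be exactly 64 hex digits before it
 * is compared, so a truncated or non-hex META line is rejected as malformed. */
bool digest_ok_strict(const char *meta, const uint8_t digest[SHA256_LEN])
{
    char computed[SHA256_HEX_LEN + 1];
    if (strlen(meta) != SHA256_HEX_LEN)
        return false;
    for (size_t i = 0; i < SHA256_HEX_LEN; i++)
        if (!isxdigit((unsigned char)meta[i]))
            return false;
    digest_to_hex(digest, computed);
    return strcasecmp(meta, computed) == 0;
}

/* Constructed sample (not a real NVD digest): raw bytes and the
 * upper-case string a META file would now supply for them. */
const uint8_t sample_digest[SHA256_LEN] = {
    0xde, 0xad, 0xbe, 0xef, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x0f, 0x1e, 0x2d, 0x3c,
    0x4b, 0x5a, 0x69, 0x78, 0x87, 0x96, 0xa5, 0xb4 };
const char *sample_meta_upper =
    "DEADBEEF00112233445566778899AABBCCDDEEFF0F1E2D3C4B5A69788796A5B4";
```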



