On Tue, May 25, 2021 at 8:24 PM Valek, Andrej <andrej.va...@siemens.com> wrote:
>
> Hello Steve,
>
> Thank you for taking care of it.
> Sorry, but maybe I didn't catch the right approach about the patching. Are
> you going to create a "fixing CVE" patch or just a patch to set "CVE_PRODUCT"?

I will submit a patch to set CVE_PRODUCT, since we are currently not
detecting expat CVEs. I'm not planning to do a patch to fix CVE-2013-0340;
I will leave that to someone who is more familiar with expat.

Steve

> Thanks,
> Andrej
>
> > On Tue, May 25, 2021 at 12:17 PM Richard Purdie
> > <richard.pur...@linuxfoundation.org> wrote:
> >>
> >> On Tue, 2021-05-25 at 12:50 +0000, Andrej Valek wrote:
> >> > Hello everyone,
> >> >
> >> > I have another question regarding backporting this to the dunfell
> >> > branch.
> >> > Is it possible to apply this upgrade to this branch? I would like to
> >> > have a very important fix for CVE-2013-0340
> >> > (https://github.com/libexpat/libexpat/pull/220) there. But there are
> >> > a lot of changes, which means just applying the patch is not very
> >> > promising.
> >> >
> >> > How can we handle it?
> >>
> >> Adding Steve to Cc. It is possible if there is a good case for it and
> >> there aren't bad side effects from the change. I don't know enough
> >> about expat here to comment on that.
> >
> > Our responses crossed in the mail :-)
> >
> > I don't know enough about expat to comment on this either. But if someone
> > who is familiar with expat would care to chime in, I am open to considering
> > whether an exception should be made.
> >
> >> I suspect we should be adding something to the expat recipe to make it
> >> match libexpat CVEs, maybe CVE_PRODUCT = "libexpat"?
> >
> > Yes, good catch, that does appear to be the case. I'll do a little testing
> > to verify that and will submit a patch.
> >
> > Steve
openembedded-core mailing list, message #152264: https://lists.openembedded.org/g/openembedded-core/message/152264
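The detection gap the thread settles on (a recipe named "expat" never matching CVEs that the NVD files under the product "libexpat" until the recipe sets CVE_PRODUCT) can be shown with a small model of name-based CVE matching. The code below is an added example written for this page; it is not the code of OpenEmbedded's cve-check class, and the NVD-style records, version numbers, and the assumed "vendor:product" form of CVE_PRODUCT entries are constructed for illustration only.

```python
"""
Added example, not code from the openembedded-core thread or from OE's cve-check class.
It models, in simplified form, why a recipe called "expat" reports no CVEs when the
NVD files them under the product name "libexpat", and how setting CVE_PRODUCT in the
recipe closes that gap. The NVD records, versions and the "vendor:product" parsing
below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Recipe:
    pn: str                 # BitBake recipe name (PN)
    pv: str                 # recipe version (PV)
    cve_product: str = ""   # CVE_PRODUCT; when empty the checker falls back to PN

    def products(self) -> List[str]:
        """Space-separated product names to look up; default is the recipe name."""
        return self.cve_product.split() or [self.pn]


# Constructed NVD-style records. The vendor string and the "fixed_in" bound are
# illustrative values, not taken from the real NVD feed.
NVD_SAMPLE: List[Dict[str, str]] = [
    {"id": "CVE-2013-0340", "vendor": "libexpat_project", "product": "libexpat", "fixed_in": "2.4.0"},
    {"id": "CVE-0000-0001", "vendor": "example", "product": "expat-tools", "fixed_in": "9.9.9"},
]


def version_tuple(version: str):
    """Compare dotted versions numerically, so 2.2.10 sorts after 2.2.9."""
    return tuple(int(part) for part in version.split("."))


def matching_cves(recipe: Recipe, nvd: List[Dict[str, str]]) -> List[str]:
    """Return CVE ids whose product matches one of the recipe's CVE_PRODUCT entries
    and whose fix version is newer than the recipe version."""
    hits = set()
    for entry in nvd:
        for spec in recipe.products():
            # Assumed "vendor:product" syntax narrows the match to one vendor;
            # a bare product name matches any vendor.
            vendor, _, product = spec.rpartition(":")
            if product != entry["product"]:
                continue
            if vendor and vendor != entry["vendor"]:
                continue
            if version_tuple(recipe.pv) < version_tuple(entry["fixed_in"]):
                hits.add(entry["id"])
    return sorted(hits)


if __name__ == "__main__":
    # Constructed recipe versions: the first run shows the silent miss with the
    # default product name, the second the hit once CVE_PRODUCT = "libexpat".
    for r in (Recipe("expat", "2.2.9"),
              Recipe("expat", "2.2.9", cve_product="libexpat"),
              Recipe("expat", "2.4.1", cve_product="libexpat")):
        print(f"{r.pn} {r.pv} CVE_PRODUCT={r.cve_product or r.pn!r}: {matching_cves(r, NVD_SAMPLE)}")
```

The point for a recipe maintainer is the first line of output: a name mismatch produces an empty report, which is indistinguishable from "no known CVEs". Setting CVE_PRODUCT to every product name the NVD uses for the package (several space-separated entries are allowed here) is what turns that silence into a finding.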