Re: [yocto] [RFC] CVEs on sumo branch

2018-09-24 Thread Sinan Kaya

On 9/24/2018 10:27 AM, Sinan Kaya wrote:
> Here is another one.
>
> https://patches.openembedded.org/patch/154290/

I see you pulled this into rocko-next. It is also needed for the sumo
branch.
--
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto


Re: [yocto] [RFC] CVEs on sumo branch

2018-09-24 Thread Sinan Kaya

On 9/22/2018 10:46 AM, akuster wrote:
>> Signed-off-by: Zheng Ruoqin
>> Signed-off-by: Richard Purdie
>>
>> What does it take to move this in the right direction?
> bring it to my attention like you have.
>
> backported it for the next build round.


Here is another one.

https://patches.openembedded.org/patch/154290/

I'll post

gnupg: CVE-2018-9234

shortly.


Re: [yocto] [RFC] CVEs on sumo branch

2018-09-22 Thread akuster


On 09/21/2018 02:07 PM, Sinan Kaya wrote:
> On 9/21/2018 4:35 PM, akuster808 wrote:
>> I already have in my sumo-next
>> http://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/log/?h=stable/sumo-next
>>
>> libcroco: patch for CVE-2017-7960
>> 
>>
>>
>> libarchive: CVE-2017-14501
>> 
>>
>>
>> For the rest can you sent them to the proper mailing list
>> openembedded-c...@lists.openembedded.org  via git send-patch.
>
> Actually, I took this from open-embedded master branch.
>
> https://github.com/openembedded/openembedded-core/commit/b9b254da08c1db94ac9ded5f67d7e2e82e3b9be7
>
>
> commit b9b254da08c1db94ac9ded5f67d7e2e82e3b9be7
> Author: Zheng Ruoqin 
> Date:   Tue Jun 26 13:44:17 2018 +0800
>
>     glibc: fix CVE-2018-11237
>
>     glibc: fix CVE-2018-11237
>
>     Signed-off-by: Zheng Ruoqin 
>     Signed-off-by: Richard Purdie 
>
> What does it take to move this in the right direction?
bring it to my attention like you have.

backported it for the next build round.

Thanks,
Armin
>
> I'll take care of the remaining 3.



Re: [yocto] [RFC] CVEs on sumo branch

2018-09-21 Thread Sinan Kaya

On 9/21/2018 4:35 PM, akuster808 wrote:
> I already have in my sumo-next
> http://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/log/?h=stable/sumo-next
>
> libcroco: patch for CVE-2017-7960
>
> libarchive: CVE-2017-14501
>
> For the rest can you send them to the proper mailing list
> openembedded-c...@lists.openembedded.org via git send-patch.


Actually, I took this from open-embedded master branch.

https://github.com/openembedded/openembedded-core/commit/b9b254da08c1db94ac9ded5f67d7e2e82e3b9be7

commit b9b254da08c1db94ac9ded5f67d7e2e82e3b9be7
Author: Zheng Ruoqin 
Date:   Tue Jun 26 13:44:17 2018 +0800

glibc: fix CVE-2018-11237

glibc: fix CVE-2018-11237

Signed-off-by: Zheng Ruoqin 
Signed-off-by: Richard Purdie 

What does it take to move this in the right direction?

I'll take care of the remaining 3.


Re: [yocto] [RFC] CVEs on sumo branch

2018-09-21 Thread Sinan Kaya

On 9/21/2018 4:35 PM, akuster808 wrote:
> For the rest can you send them to the proper mailing list
> openembedded-c...@lists.openembedded.org via git send-patch.
>
> I noticed a few of the patches for recipes need some additional information:
> please review
> https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
>
> In general, we need to make sure Master is not affected before I can
> take them into Sumo.


Sure, I'll work on it. I'm fairly new to working with the yocto upstream.


Re: [yocto] [RFC] CVEs on sumo branch

2018-09-21 Thread akuster808
Sinan,


On 09/21/2018 12:43 PM, Sinan Kaya wrote:
> I'm sure this has been discussed recently but I wanted to raise this
> question
> one more time as I have seen a lot of CVEs patches getting pulled into
> the sumo
> branch recently.
>
> We started enabling the cve-check feature and are triaging the results
> of CVE
> reports. We think that the following CVEs need attention and need to
> be pulled
> into the sumo branch.
Nice to see another user of this tool.

>
> There are two approaches to solve this problem:
> 1. upgrade these packages to the respective versions:
>
> CVE-2018-13785: https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=3b847972b8c6135a695b4a16c836ad2dd1cbb350
> CVE-2018-8740: https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=a6646df0cab4bd191974fde33ed8a87b9720557e
> CVE-2017-15874: https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=29108755c1c5a23855ab4dda59ea728781b9d75e
> CVE-2017-14501: https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=381f016dccb78a8cf52ffde05459ff084b2f15fd
> CVE-2018-11237: https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=fb535ac046697db5923575bb23ee419fe7cfbab2
> CVE-2017-7960: https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=26d1f906258e1d5a933830ee0e4f051d29ee7585

Typically we do not upgrade packages in stable unless the upgrade is a
bug fix only and it does not break things, and it is at the discretion
of the stable branch maintainer.

>
> 2. Apply the attached patches to sumo branch.

I already have in my sumo-next
http://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/log/?h=stable/sumo-next
libcroco: patch for CVE-2017-7960


libarchive: CVE-2017-14501


For the rest can you send them to the proper mailing list
openembedded-c...@lists.openembedded.org via git send-patch.

I noticed a few of the patches for recipes need some additional information:
please review
https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines

In general, we need to make sure Master is not affected before I can
take them into Sumo.

Thank you for backporting fixes.

regards,
Armin
>
> We'd like to hear the community opinion.
>
> Sinan



Re: [yocto] [RFC] CVEs on sumo branch

2018-09-21 Thread Alexander Kanavin
2018-09-21 21:43 GMT+02:00 Sinan Kaya :
> 2. Apply the attached patches to sumo branch.
>
> We'd like to hear the community opinion.

For stable branches the yocto project tends to be on the conservative
side, which means option 2: backport the CVE fixes.

For the master branch, version upgrades are preferable, unless a
pre-release freeze is in effect.

Alex


[yocto] [RFC] CVEs on sumo branch

2018-09-21 Thread Sinan Kaya

I'm sure this has been discussed recently but I wanted to raise this question
one more time as I have seen a lot of CVEs patches getting pulled into the sumo
branch recently.

We started enabling the cve-check feature and are triaging the results of CVE
reports. We think that the following CVEs need attention and need to be pulled
into the sumo branch.

There are two approaches to solve this problem:
1. upgrade these packages to the respective versions:

CVE-2018-13785: https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=3b847972b8c6135a695b4a16c836ad2dd1cbb350
CVE-2018-8740: https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=a6646df0cab4bd191974fde33ed8a87b9720557e
CVE-2017-15874: https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=29108755c1c5a23855ab4dda59ea728781b9d75e
CVE-2017-14501: https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=381f016dccb78a8cf52ffde05459ff084b2f15fd
CVE-2018-11237: https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=fb535ac046697db5923575bb23ee419fe7cfbab2
CVE-2017-7960: https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=26d1f906258e1d5a933830ee0e4f051d29ee7585


2. Apply the attached patches to sumo branch.

We'd like to hear the community opinion.

Sinan


From e486e61f26c9d0fd2851a2b1056071b34be65e7d Mon Sep 17 00:00:00 2001
From: Changqing Li 
Date: Tue, 28 Aug 2018 17:39:23 +0800
Subject: [PATCH 1/6] libcroco: patch for CVE-2017-7960

Signed-off-by: Changqing Li 
Signed-off-by: Richard Purdie 
---
 .../libcroco/libcroco/CVE-2017-7960.patch | 56 +++
 .../libcroco/libcroco_0.6.12.bb   |  2 +
 2 files changed, 58 insertions(+)
 create mode 100644 meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch

diff --git a/meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch 
b/meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch
new file mode 100644
index 00..f6f43c3d26
--- /dev/null
+++ b/meta/recipes-support/libcroco/libcroco/CVE-2017-7960.patch
@@ -0,0 +1,56 @@
+input: check end of input before reading a byte
+
+When reading bytes we weren't check that the index wasn't
+out of bound and this could produce an invalid read which
+could deal to a security bug.
+
+Upstream-Status: Backport[https://gitlab.gnome.org/GNOME/libcroco/
+ commit/898e3a8c8c0314d2e6b106809a8e3e93cf9d4394]
+
+CVE: CVE-2017-7960 
+
+Signed-off-by: Changqing Li 
+
+diff --git a/src/cr-input.c b/src/cr-input.c
+index 
49000b1f5f07fe057135f1b8fc69bdcf9613e300..3b63a88ee3b1c56778e58172d147d958951bf099
 100644
+--- a/src/cr-input.c
 b/src/cr-input.c
+@@ -256,7 +256,7 @@ cr_input_new_from_uri (const gchar * a_file_uri, enum 
CREncoding a_enc)
+  *we should  free buf here because it's own by CRInput.
+  *(see the last parameter of cr_input_new_from_buf().
+  */
+-buf = NULL ;
++buf = NULL;
+ }
+ 
+  cleanup:
+@@ -404,6 +404,8 @@ cr_input_get_nb_bytes_left (CRInput const * a_this)
+ enum CRStatus
+ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+ {
++gulong nb_bytes_left = 0;
++
+ g_return_val_if_fail (a_this && PRIVATE (a_this)
+   && a_byte, CR_BAD_PARAM_ERROR);
+ 
+@@ -413,6 +415,12 @@ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+ if (PRIVATE (a_this)->end_of_input == TRUE)
+ return CR_END_OF_INPUT_ERROR;
+ 
++nb_bytes_left = cr_input_get_nb_bytes_left (a_this);
++
++if (nb_bytes_left < 1) {
++return CR_END_OF_INPUT_ERROR;
++}
++
+ *a_byte = PRIVATE (a_this)->in_buf[PRIVATE (a_this)->next_byte_index];
+ 
+ if (PRIVATE (a_this)->nb_bytes -
+@@ -477,7 +485,6 @@ cr_input_read_char (CRInput * a_this, guint32 * a_char)
+ if (*a_char == '\n') {
+ PRIVATE (a_this)->end_of_line = TRUE;
+ }
+-
+ }
+ 
+ return status;
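Review bot: the Upstream-Status header of the new patch file is wrapped across two lines (`+Upstream-Status: Backport[https://gitlab.gnome.org/GNOME/libcroco/` followed by `+ commit/898e3a8c8c0314d2e6b106809a8e3e93cf9d4394]`), which is not the single-line `Upstream-Status: Backport [url]` form the OE patch guidelines expect and that scripts grep for; join it onto one line with a space before the bracket, and drop the trailing whitespace after `+CVE: CVE-2017-7960`. The fix itself reads correctly: in cr_input_read_byte the new `nb_bytes_left < 1` check sits after the existing `end_of_input == TRUE` early return and before `in_buf[next_byte_index]` is dereferenced, so a read at the end of the buffer now returns CR_END_OF_INPUT_ERROR instead of reading past it. The `buf = NULL ;` to `buf = NULL;` change and the blank line removed in cr_input_read_char are cosmetic and come with the upstream commit; fine for a verbatim backport, but worth a sentence in the patch header so a later reader does not look for a security reason behind them.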
diff --git a/meta/recipes-support/libcroco/libcroco_0.6.12.bb 
b/meta/recipes-support/libcroco/libcroco_0.6.12.bb
index d86ddd6464..5b962ee738 100644
--- a/meta/recipes-support/libcroco/libcroco_0.6.12.bb
+++ b/meta/recipes-support/libcroco/libcroco_0.6.12.bb
@@ -16,5 +16,7 @@ BINCONFIG = "${bindir}/croco-0.6-config"
 
 inherit gnomebase gtk-doc binconfig-disabled
 
+SRC_URI += "file://CVE-2017-7960.patch"
+
 SRC_URI[archive.md5sum] = "bc0984fce078ba2ce29f9500c6b9ddce"
 SRC_URI[archive.sha256sum] = 
"ddc4b5546c9fb4280a5017e2707fbd4839034ed1aba5b7d4372212f34f84f860"
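Review bot: the recipe commit carries only a Subject and no body, which is what the Commit_Patch_Message_Guidelines linked earlier in this thread ask for; a one-line body naming the upstream libcroco commit that is being backported would satisfy it. The hunk itself is fine: `SRC_URI += "file://CVE-2017-7960.patch"` is picked up from the recipe's own files directory where the new file was created, and because the file name carries the CVE id and its header has a `CVE: CVE-2017-7960` tag, cve-check will report the CVE as patched for libcroco on the next run, which is the check to do before posting to the list.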
-- 
2.19.0

From 297a200543cafe043b870c668acd14b2e21381fd Mon Sep 17 00:00:00 2001
From: Zheng Ruoqin 
Date: Tue, 26 Jun 2018 13:44:17 +0800
Subject: [PATCH 2/6] glibc: fix CVE-2018-11237

glibc: fix CVE-2018-11237

Signed-off-by: Zheng Ruoqin 
Signed-off-by: Richard Purdie 
---
 .../glibc/glibc/CVE-2018-11237.patch  | 82 +++
 meta/recipes-core/glibc/glibc_2.27.bb |  1 +
 2 files changed, 83
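The triage step the original post describes (enable cve-check, look at what it reports as unpatched, decide what to send to sumo) as an added example; this is not code from the thread, from poky or from the attached patches. It assumes that cve-check's per-recipe text report is made of `KEY: value` lines, one record per CVE, separated by blank lines; the embedded report, the versions other than libcroco 0.6.12 and glibc 2.27, the summaries, the CVSS scores and the FIXED_IN_MASTER set are all constructed for the example. It applies the rule Armin states later in the thread: a fix goes to sumo only after master already carries it.

```python
"""Triage helper for cve-check output (added example, not poky code).

Assumes the per-recipe report layout of "KEY: value" lines with a blank
line between CVE records; everything in SAMPLE_REPORT is constructed.
"""
import re
from collections import defaultdict

# Constructed sample report. libcroco 0.6.12 and glibc 2.27 are the versions
# named in the thread; the other versions, the summaries and the CVSS scores
# are placeholders, not real NVD data.
SAMPLE_REPORT = """\
PACKAGE NAME: libcroco
PACKAGE VERSION: 0.6.12
CVE: CVE-2017-7960
CVE STATUS: Unpatched
CVE SUMMARY: placeholder summary
CVSS v2 BASE SCORE: 5.0
VECTOR: NETWORK
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7960

PACKAGE NAME: libarchive
PACKAGE VERSION: x.y.z
CVE: CVE-2017-14501
CVE STATUS: Patched
CVE SUMMARY: placeholder summary
CVSS v2 BASE SCORE: 4.3
VECTOR: NETWORK
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14501

PACKAGE NAME: glibc
PACKAGE VERSION: 2.27
CVE: CVE-2018-11237
CVE STATUS: Unpatched
CVE SUMMARY: placeholder summary
CVSS v2 BASE SCORE: 7.5
VECTOR: NETWORK
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11237

PACKAGE NAME: gnupg
PACKAGE VERSION: x.y.z
CVE: CVE-2018-9234
CVE STATUS: Unpatched
CVE SUMMARY: placeholder summary
CVSS v2 BASE SCORE: 2.1
VECTOR: NETWORK
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-9234
"""

# CVEs the thread says master already carries a fix for (an assumption for
# the example; in practice this set comes from reading master's git log).
FIXED_IN_MASTER = {"CVE-2017-7960", "CVE-2017-14501", "CVE-2018-11237"}


def parse_report(text):
    """Return one dict per CVE record, keyed by the report's field names."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            # Split on the first colon only so the URL in MORE INFORMATION survives.
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if "CVE" in rec:
            records.append(rec)
    return records


def unpatched_by_package(records):
    """Group the CVE ids still reported as Unpatched by recipe name."""
    grouped = defaultdict(list)
    for rec in records:
        if rec.get("CVE STATUS") == "Unpatched":
            grouped[rec["PACKAGE NAME"]].append(rec["CVE"])
    return dict(grouped)


def triage(records, fixed_in_master):
    """Apply the stable-branch rule from the thread.

    An unpatched CVE is a sumo backport candidate only when master already
    carries the fix; otherwise it has to be fixed in master first. Both lists
    come back as (package, cve, score) tuples, worst CVSS v2 score first.
    """
    backport, master_first = [], []
    for rec in records:
        if rec.get("CVE STATUS") != "Unpatched":
            continue
        score = float(rec.get("CVSS v2 BASE SCORE", "0"))
        item = (rec["PACKAGE NAME"], rec["CVE"], score)
        (backport if rec["CVE"] in fixed_in_master else master_first).append(item)
    return (sorted(backport, key=lambda i: -i[2]),
            sorted(master_first, key=lambda i: -i[2]))


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    backport, master_first = triage(recs, FIXED_IN_MASTER)
    print("backport to sumo:", [(p, c) for p, c, _ in backport])
    print("fix master first:", [(p, c) for p, c, _ in master_first])
```

cve-check is switched on with `INHERIT += "cve-check"` in local.conf, and the report it writes for each recipe is what `parse_report` expects; the script only turns the report into two worklists, the evidence that master really carries a fix still comes from its git history, which is why FIXED_IN_MASTER is an input rather than something the script derives.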