> On Oct 21, 2016, at 5:55 AM, Alexander Kanavin 
> <alexander.kana...@linux.intel.com> wrote:
> 
> Hello all,
> 
> while updating gnutls to a newer version I came across a rather serious 
> issue: the way we patch source code is very lenient about the context for the 
> lines to be changed. Basically, it's enough for one line before and after the 
> changed line to match, because patch command's default setting for 'fuzz 
> factor' allows it. If these lines happen to be whitespace or braces, then 
> there's nothing to prevent the patch from being applied incorrectly.
> 
> Here's a particularly nasty example of this happening completely silently 
> (compile step works fine too), with security implications:
> https://bugzilla.yoctoproject.org/show_bug.cgi?id=10450
> 
> I think this absolutely needs to be fixed. The downside is that this will 
> break a lot of patches across all layers - after setting the fuzz to zero in 
> oe-core we have 87 recipes that fail to be patched. Maxin and I are currently 
> going through them one by one and getting them fixed.

Perhaps a list of the recipes, with steps to configure the fuzz factor, on the wiki 
would enable other folks to fix them; especially the recipe maintainers should care.

> 
> Regards,
> Alex
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto

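
The failure mode described in the quoted message, as an added example that is not part of the original thread: a simplified Python model of how patch(1) places an insert-only hunk, retrying with fewer context lines until the fuzz limit is reached. The source lines, function names (`parse`, `log_stats`, `verify`) and the recorded position are constructed for illustration, and the search is a model of the behaviour, not GNU patch's own code.

```python
# Simplified model of patch(1) hunk placement for an insert-only hunk.
# All file contents and names below are constructed for illustration.

def locate(target, prefix, suffix, expected, max_fuzz):
    """Return (insert_index, fuzz_used), or None if the hunk is rejected."""
    for fuzz in range(max_fuzz + 1):
        pre = prefix[min(fuzz, len(prefix)):]      # drop outermost leading context
        suf = suffix[:max(len(suffix) - fuzz, 0)]  # drop outermost trailing context
        pattern = pre + suf
        starts = range(len(target) - len(pattern) + 1)
        # Candidates closest to the position recorded in the hunk are tried first.
        for s in sorted(starts, key=lambda s: abs(s + len(pre) - expected)):
            if target[s:s + len(pattern)] == pattern:
                return s + len(pre), fuzz
    return None

def enclosing_function(lines, index):
    """Name of the function whose body contains lines[index]."""
    for line in reversed(lines[:index + 1]):
        if line and not line[0].isspace() and "(" in line:
            return line.split("(")[0].split()[-1]
    return None

# Hunk made against the old release: adds a verify() call inside parse().
PREFIX = ["    if (len > cap) {", "        return -1;", "    }"]
ADDED = ["    if (verify(buf) < 0) return -1;"]
SUFFIX = ["", "    copy(dst, buf, len);", "    return 0;"]
EXPECTED = 10  # constructed position recorded in the hunk header

# New release: parse() was rewritten, so no meaningful context line survives.
NEW_UPSTREAM = [
    "void log_stats(int n) {", "    if (n > 0) {", "        emit(n);", "    }",
    "", "    flush();", "}", "",
    "int parse(char *buf, int len) {", "    if (len > limit) return -1;",
    "    memcpy(dst, buf, len);", "    return 0;", "}",
]

def apply_hunk(max_fuzz):
    """Return (function the added line landed in, fuzz used), or None on reject."""
    hit = locate(NEW_UPSTREAM, PREFIX, SUFFIX, EXPECTED, max_fuzz)
    if hit is None:
        return None
    index, fuzz = hit
    patched = NEW_UPSTREAM[:index] + ADDED + NEW_UPSTREAM[index:]
    return enclosing_function(patched, index), fuzz

if __name__ == "__main__":
    print("fuzz limit 2:", apply_hunk(2))
    print("fuzz limit 0:", apply_hunk(0))
```

With a fuzz limit of 2 the only context left is a closing brace and a blank line, so the added check lands in `log_stats` and `parse` stays unprotected; with a limit of 0 the hunk is rejected and the stale patch is noticed.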