[OE-core] [jethro][fido][PATCH 4/4] openssl: three CVE fixes

akuster808 akuster808 at gmail.com
Sat Dec 12 21:14:52 UTC 2015



On 12/07/2015 11:49 PM, Anders Darander wrote:
> Hi,
> 
> * Armin Kuster <akuster808 at gmail.com> [151208 02:49]:
> 
>>  meta/recipes-connectivity/openssl/openssl_1.0.2d.bb | 4 ++++
>>  1 file changed, 4 insertions(+)
> 
> I'm just a little curious about this series, and a few others that I've
> seen recently. They all add a number of CVE-patches, with one commit per
> patch, and as the last commit, they all get added to SRC_URI in a single
> patch.
> 
> What's the reason to do it like this?

Each CVE patch can be leveraged independently, so backporting to other
branches is simpler and less work. The recipe file is where merge
conflicts will occur. Not all CVEs are weighted the same, so someone who
has a product in the field can easily cherry-pick the CVEs they want or
need. This was talked about on IRC a few weeks ago.

> 
> I'd personally prefer to have each CVE-patch also add the patch to
> SRC_URI, as that make cherry-picking more straightforward. And it also
> ensures that if we have a need to bisect some issue, that'll work. At
> the same time that will make the meta-data consistent, i.e. no dead
> patches.
> 
> I'd personally even prefer that whole series squashed to one commit,
> compared to this adding a lot of un-applied patches.

That would add more overhead to the work I do internally as I need them
in the format you have seen here.

Are these patches not in the preferred method as described on the wiki?

Regards,
- armin

> Any comments on this?


> 
> Cheers,
> Anders
> 
>> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
>> index fd56841..3864e88 100644
>> --- a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
>> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb
>> @@ -37,6 +37,10 @@ SRC_URI += "file://configure-targets.patch \
>>              file://crypto_use_bigint_in_x86-64_perl.patch \
>>              file://openssl-1.0.2a-x32-asm.patch \
>>              file://ptest_makefile_deps.patch  \
>> +            file://CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch \
>> +            file://CVE-2015-3194-1-Add-PSS-parameter-check.patch \
>> +            file://0001-Add-test-for-CVE-2015-3194.patch \
>> +            file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \
>>             "
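Review bot: this hunk is the only place the four patch files are referenced, so every earlier commit in the series leaves a patch in the tree that no recipe applies; that is the dead-patch and bisect problem raised above, and the fix is to move each `file://CVE-...patch` line into the commit that adds that patch file (the recipe conflict on backport is then confined to one line per commit). Minor: `file://0001-Add-test-for-CVE-2015-3194.patch` breaks the `CVE-<id>-` naming the other three lines use; a name such as `CVE-2015-3194-2-Add-test.patch` would make it obvious which patches belong to which CVE. Ordering is fine as written: the 3194 fix is listed before its test, so the test applies on top of the fix.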
> 