[OE-core] [PATCH 1/3] readline: Security Advisory - readline - CVE-2014-2524

Petter Mabäcker petter at technux.se
Tue Oct 6 11:23:49 UTC 2015

Petter Mabäcker
Technux
<petter at technux.se>
www.technux.se


2015-10-06 12:06 Burton, Ross wrote:

> On 6 October 2015 at 09:11, Petter Mabäcker <petter at technux.se> wrote:
>
>> I played around with the new meta-security-isafw layer and the cve-check-tool. In readline the cve CVE-2014-2524 is marked as 'missing' by the framework and I was confused to start with, since I saw that this commit was included. But after looking at the actual patch I realized that it only contains a report and not the patch itself. My question is if that is with purpose and due to some decision that the CVE isn't really causing any harm or if it's by mistake?
>
> As can be seen at http://lists.gnu.org/archive/html/bug-readline/2014-03/msg00057.html [1] the CVE patch is simply adding a #if defined (DEBUG), which is in the patch included in oe-core master as readline-6.3/readline63-003.
>
> The tool is probably reporting it as missing as -- if I recall correctly -- it identifies CVE patches by filename.
>
> Ross

Hi Ross,

It is correct that the isafw layer assumes that it's named *cve*.patch in order to understand that it's patched in a separate step. But what I really meant was that the file readline63-003 just contains information about the CVE and how to patch the source. It will never be applied to the source; it is just copied to the WORKDIR.

$ pwd
~BUILDDIR/tmp/work/core2-64-poky-linux/readline/6.3-r0
$ ls
build  configure-fix.patch  norpath.patch  readline63-003  temp
config-dirent-symbols.patch  configure.sstate  readline-6.3
readline-dispatch-multikey.patch
$ grep DEBUG readline-6.3/util.c
$ echo $?
1

The patch must be applied by something or someone. For example, Debian solves it by doing their own .diff patch (http://http.debian.net/debian/pool/main/r/readline6/readline6_6.3-8.debian.tar.xz). I can send a suggestion about how to solve this in a proper way.

BR
Petter 

Links:
------
[1]
http://lists.gnu.org/archive/html/bug-readline/2014-03/msg00057.html
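As an added example (not part of this thread or of oe-core): a POSIX shell check that decides whether a patch has really been applied by looking for its added lines in the unpacked source, rather than going by the *cve*.patch file-name convention. The fixture directory, the file cve-demo.patch and its hunk are constructed here and stand in for the WORKDIR listing above; they are not the real readline63-003.

```shell
#!/bin/sh
# Check that every line a unified-diff patch adds is present in the
# target file: "applied" vs. merely copied into WORKDIR.
patch_applied() {
    patch="$1"; src="$2"
    missing=0
    tmp=$(mktemp)
    # hunk-body '+' lines, minus the '+++ path' header and the marker
    grep '^[+]' "$patch" | grep -v '^[+][+][+]' | sed 's/^[+]//' > "$tmp"
    while IFS= read -r line; do
        [ -n "$line" ] || continue      # a blank addition proves nothing
        grep -qF -- "$line" "$src" || missing=$((missing + 1))
    done < "$tmp"
    rm -f "$tmp"
    [ "$missing" -eq 0 ]
}
# Constructed fixture standing in for tmp/work/.../readline/6.3-r0:
# an unpacked util.c plus a CVE patch that was only copied next to it.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/readline-6.3"
    printf '%s\n' 'int foo (void)' '{' '  bar ();' '  return 0;' '}' \
        > "$dir/readline-6.3/util.c"
    cat > "$dir/cve-demo.patch" <<'EOF'
--- a/util.c
+++ b/util.c
@@ -1,5 +1,7 @@
 int foo (void)
 {
+#if defined (DEBUG)
   bar ();
+#endif
   return 0;
 }
EOF
    printf '%s\n' "$dir"
}
# Stand-in for the missing apply step, so the check can be seen to flip.
apply_demo_patch() {
    printf '%s\n' 'int foo (void)' '{' '#if defined (DEBUG)' '  bar ();' \
        '#endif' '  return 0;' '}' > "$1/readline-6.3/util.c"
}
d=$(make_fixture)
patch_applied "$d/cve-demo.patch" "$d/readline-6.3/util.c" && echo applied || echo missing
apply_demo_patch "$d"
patch_applied "$d/cve-demo.patch" "$d/readline-6.3/util.c" && echo applied || echo missing
rm -rf "$d"
```

Run against a real WORKDIR, the same check is `patch_applied <patchfile> <unpacked source file>`; it reports "missing" for a patch that was fetched but never passed through do_patch.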