[OE-core] [yocto] Attention all: patches for upstream source will be applied with stricter criteria for context

Khem Raj raj.khem at gmail.com
Fri Oct 21 17:05:13 UTC 2016


> On Oct 21, 2016, at 5:55 AM, Alexander Kanavin <alexander.kanavin at linux.intel.com> wrote:
> 
> Hello all,
> 
> While updating gnutls to a newer version I came across a rather serious issue: the way we patch source code is very lenient about the context for the lines to be changed. Basically, it's enough for one line before and after the changed line to match, because the patch command's default setting for 'fuzz factor' allows it. If these lines happen to be whitespace or braces, then there's nothing to prevent the patch from being applied incorrectly.
> 
> Here's a particularly nasty example of this happening completely silently (compile step works fine too), with security implications:
> https://bugzilla.yoctoproject.org/show_bug.cgi?id=10450
> 
> I think this absolutely needs to be fixed. The downside is that this will break a lot of patches across all layers - after setting the fuzz to zero in oe-core we have 87 recipes that fail to be patched. Maxin and I are currently going through them one by one and getting them fixed.

Perhaps a list of the recipes, with steps to configure the fuzz factor, on the wiki would enable other folks to
fix them; the recipe maintainers especially should care.

> 
> Regards,
> Alex
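
Added example (not part of the original thread, and not code from OE-core or GNU patch): a simplified Python model of the context matching described above, showing a hunk that is rejected at fuzz 0 and 1 but lands in the wrong function at fuzz 2, the patch command's default. The C source, the hunk and the names `apply_hunk`, `NEW_SRC` and `HUNK` are constructed for illustration.

```python
# Simplified model of patch(1) hunk placement; source and hunk are constructed.
NEW_SRC = """\
static int load_key(ctx_t *c)
{
    if (!c->path) {
        c->path = DEFAULT_PATH;
    }

    return read_key(c);
}
static int check_cert(ctx_t *c)
{
    int ret = parse_cert(c);
    if (ret != 0)
        goto fail;

    return accept(c);
fail:
    return ret;
}
""".splitlines()
# Hunk made against an older check_cert(); "start" is the 0-based expected line.
HUNK = {
    "start": 11,
    "lead": ["    if (ret < 0) {", "        return ret;", "    }"],
    "removed": [],
    "added": ["    if (is_revoked(c))", "        return -1;"],
    "trail": ["", "    return accept(c);", "}"],
}

def apply_hunk(lines, hunk, max_fuzz):
    """Return (patched_lines, fuzz_used, offset) or None if rejected."""
    lead, trail = hunk["lead"], hunk["trail"]
    for fuzz in range(max_fuzz + 1):
        # Fuzz N ignores the N outermost context lines at each end.
        head = lead[min(fuzz, len(lead)):]
        tail = trail[:len(trail) - min(fuzz, len(trail))]
        old = head + hunk["removed"] + tail
        want = hunk["start"] + len(lead) - len(head)
        # Scan the whole file, nearest to the expected line first.
        spots = sorted(range(len(lines) - len(old) + 1), key=lambda p: abs(p - want))
        for pos in spots:
            if old and lines[pos:pos + len(old)] == old:
                new = head + hunk["added"] + tail
                return lines[:pos] + new + lines[pos + len(old):], fuzz, pos - want
    return None

if __name__ == "__main__":
    print(apply_hunk(NEW_SRC, HUNK, 0), apply_hunk(NEW_SRC, HUNK, 2)[1:])
```

At fuzz 2 only a closing brace and a blank line are left to match, so the revocation check is inserted into `load_key()` and the result still looks like valid C. With GNU patch, `--fuzz=0` (`-F 0`) gives the strict behaviour.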
