[OE-core] ✗ patchtest: failure for "[v1] busybox: CVE-2017-15874..." and 2 more

Peter Kjellerstedt peter.kjellerstedt at axis.com
Sat Sep 22 00:35:43 UTC 2018


> -----Original Message-----
> From: openembedded-core-bounces at lists.openembedded.org <openembedded-core-bounces at lists.openembedded.org> On Behalf Of Sinan Kaya
> Sent: den 22 september 2018 00:53
> To: openembedded-core at lists.openembedded.org
> Subject: Re: [OE-core] ✗ patchtest: failure for "[v1] busybox: CVE-2017-15874..." and 2 more
> 
> On 9/21/2018 6:33 PM, Patchwork wrote:
> > == Series Details ==
> >
> > Series: "[v1] busybox: CVE-2017-15874..." and 2 more
> > Revision: 1
> > URL   : https://patchwork.openembedded.org/series/14184/
> > State : failure
> >
> > == Summary ==
> >
> >
> > Thank you for submitting this patch series to OpenEmbedded Core. This
> > is an automated response. Several tests have been executed on the
> > proposed series by patchtest resulting in the following failures:
> >
> >
> >
> > * Issue             Series does not apply on top of target branch [test_series_merge_on_head]
> >    Suggested fix    Rebase your series on top of targeted branch
> >    Targeted branch  master (currently at 957a2f95b8)
> >
> 
> These patches do not apply to the master branch because they were
> intended for the sumo branch as a security fix. Is there a way to 
> specify what particular branch this patch is targeting?

Add "[sumo]" to the subject.

> Another reason is that package versions on master branch are newer.
> 
> > * Issue             A patch file has been added, but does not have a Signed-off-by tag [test_signed_off_by_presence]
> >    Suggested fix    Sign off the added patch file (meta/recipes-multimedia/libpng/files/CVE-2018-13785.patch)
> >
> 
> The original patch doesn't have a signed-off. What's the policy?

You should add a Signed-off-by with your own name to the patches.

> > * Issue             Added patch file is missing Upstream-Status in the header [test_upstream_status_presence_format]
> >    Suggested fix    Add Upstream-Status: <Valid status> to the header of meta/recipes-core/busybox/busybox/CVE-2017-15874.patch
> >    Standard format  Upstream-Status: <Valid status>
> >    Valid status     Pending, Accepted, Backport, Denied, Inappropriate [reason], Submitted [where]
> >
> 
> I'm fairly new to this. I believe I have this tag. Do I have a mistake?

The Upstream-Status should be in the patch, not the commit message.

> commit b3761a1a9b05c97028034a44be27400114ccf526
> Author: Sinan Kaya <okaya at kernel.org>
> Date:   Fri Sep 21 04:20:44 2018 +0000
> 
>      busybox: CVE-2017-15874
> 
>      * CVE-2017-15874
>      busybox: Integer underflow in archival/libarchive/decompress_unlzma.c
> 
>      (cherry picked from 9ac42c500586fa5f10a1f6d22c3f797df11b1f6b)
> 
>      Affects busybox <= 1.27.2
> 
>      Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=9ac42c500586fa5f10a1f6d22c3f797df11b1f6b]
>      CVE: CVE-2017-15874
>      Ref: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-15874
>      Signed-off-by: Sinan Kaya <okaya at kernel.org>
> 
> >
> >
> > If you believe any of these test results are incorrect, please reply to the
> > mailing list (openembedded-core at lists.openembedded.org) raising your concerns.
> > Otherwise we would appreciate you correcting the issues and submitting a new
> > version of the patchset if applicable. Please ensure you add/increment the
> > version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
> > [PATCH v3] -> ...).
> >
> > ---
> > Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
> > Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
> > Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe

//Peter
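
The distinction made in the replies above (the tags belong in the header of the added .patch file, not only in the commit message), as an added example that is not part of the original thread and is not patchtest's own code: a small pre-submission check. The function names and sample data are constructed, and treating everything before the first `---` or diff line as the patch header is an assumption.

```python
import re

# Status keywords as listed in the patchtest report quoted in this thread.
VALID_STATUS = {"Pending", "Accepted", "Backport", "Denied",
                "Inappropriate", "Submitted"}
STATUS_RE = re.compile(r"^Upstream-Status:[ \t]*(\w+)", re.MULTILINE)
SOB_RE = re.compile(r"^Signed-off-by:[ \t]*\S.*<\S+>", re.MULTILINE)


def patch_header(patch_text):
    """Return the text of a patch file that precedes the diff itself."""
    header = []
    for line in patch_text.splitlines():
        # Assumption: the header ends at a '---' separator or the first diff.
        if line == "---" or line.startswith(("diff ", "--- ", "Index: ")):
            break
        header.append(line)
    return "\n".join(header)


def check_added_patch(commit_message, patch_text):
    """List tag problems for a patch file added by a recipe commit."""
    problems = []
    header = patch_header(patch_text)
    status = STATUS_RE.search(header)
    if status is None:
        in_commit = STATUS_RE.search(commit_message) is not None
        problems.append("Upstream-Status only in the commit message"
                        if in_commit else "Upstream-Status missing")
    elif status.group(1) not in VALID_STATUS:
        problems.append("invalid Upstream-Status: " + status.group(1))
    if SOB_RE.search(header) is None:
        problems.append("no Signed-off-by in patch header")
    return problems


# Constructed sample data, not the patches from the series discussed above.
COMMIT_MSG = ("busybox: CVE-2017-15874\n\n"
              "Upstream-Status: Backport [<upstream commit URL>]\n"
              "Signed-off-by: Jane Doe <jane@example.com>\n")
TOP = "From: Upstream Dev <dev@example.org>\nSubject: fix underflow\n\n"
TAGS = ("Upstream-Status: Backport [<upstream commit URL>]\n"
        "CVE: CVE-2017-15874\n"
        "Signed-off-by: Jane Doe <jane@example.com>\n")
DIFF = "---\n a.c | 2 +-\n\n--- a/a.c\n+++ b/a.c\n@@ -1 +1 @@\n-old\n+new\n"

if __name__ == "__main__":
    print(check_added_patch(COMMIT_MSG, TOP + DIFF))
    print(check_added_patch(COMMIT_MSG, TOP + TAGS + DIFF))
```
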


