[OE-core] bash: Fix CVE-2019-18276
Mittal, Anuj
anuj.mittal at intel.com
Tue Feb 18 15:43:50 UTC 2020
On Tue, 2020-02-18 at 15:35 +0000, Richard Purdie wrote:
> On Tue, 2020-02-18 at 10:28 -0500, Chet Ramey wrote:
> > On 2/17/20 9:46 PM, Huo, De wrote:
> > > I applied the patch to fix CVE defect CVE-2019-18276.
> >
> > That's not exactly an answer to the question of who produced the
> > patch.
> > If that patch is the one causing failures when it's applied,
> > doesn't it
> > make sense to go back to the person who produced it and ask them to
> > update it if necessary?
>
> Its likely a general CVE patch where both configure and configure.ac
> are patched. For OE, we can drop the configure part since we
> reautoconf
> the code. Its therefore the OE port of the patch which is likely at
> fault.
>
> Someone just needs to remove that section of the patch.
There are other issues with this patch which should also be fixed I
think. It has been marked as a Backport while it is not one. The patch
includes changes that are irrelevant to the CVE. And, it should have
gone to master first.
Thanks,
Anuj
More information about the Openembedded-core
mailing list