[OE-core] bash: Fix CVE-2019-18276

Richard Purdie richard.purdie at linuxfoundation.org
Tue Feb 18 15:49:10 UTC 2020


On Tue, 2020-02-18 at 15:43 +0000, Mittal, Anuj wrote:
> On Tue, 2020-02-18 at 15:35 +0000, Richard Purdie wrote:
> > On Tue, 2020-02-18 at 10:28 -0500, Chet Ramey wrote:
> > > On 2/17/20 9:46 PM, Huo, De wrote:
> > > >  I applied the patch to fix CVE defect CVE-2019-18276.
> > > 
> > > That's not exactly an answer to the question of who produced the
> > > patch. If that patch is the one causing failures when it's applied,
> > > doesn't it make sense to go back to the person who produced it and
> > > ask them to update it if necessary?
> > 
> > It's likely a general CVE patch where both configure and configure.ac
> > are patched. For OE, we can drop the configure part since we reautoconf
> > the code. It's therefore the OE port of the patch which is likely at
> > fault.
> > 
> > Someone just needs to remove that section of the patch.
> 
> There are other issues with this patch which should also be fixed I
> think. It has been marked as a Backport while it is not one. The patch
> includes changes that are irrelevant to the CVE. And, it should have
> gone to master first.

I shall await guidance from you/Armin then.

Cheers,

Richard
