[OE-core] bash: Fix CVE-2019-18276

dhuo de.huo at windriver.com
Wed Feb 19 03:56:19 UTC 2020


Hi Anuj,

Do you think there are irrelevant changes to the CVE in
https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff
or in this patch?

Could you please specify what's the irrelevant part?

I ask this because we also use this patch in our product.

Thanks in advance.

On 2020/2/18 23:43, Mittal, Anuj wrote:
> On Tue, 2020-02-18 at 15:35 +0000, Richard Purdie wrote:
>> On Tue, 2020-02-18 at 10:28 -0500, Chet Ramey wrote:
>>> On 2/17/20 9:46 PM, Huo, De wrote:
>>>>   I applied the patch to fix CVE defect CVE-2019-18276.
>>> That's not exactly an answer to the question of who produced the
>>> patch.
>>> If that patch is the one causing failures when it's applied, doesn't it
>>> make sense to go back to the person who produced it and ask them to
>>> update it if necessary?
>> It's likely a general CVE patch where both configure and configure.ac
>> are patched. For OE, we can drop the configure part since we
>> reautoconf the code. It's therefore the OE port of the patch which is
>> likely at fault.
>>
>> Someone just needs to remove that section of the patch.
> There are other issues with this patch which should also be fixed I
> think. It has been marked as a Backport while it is not one. The patch
> includes changes that are irrelevant to the CVE. And, it should have
> gone to master first.
>
> Thanks,
>
> Anuj
