[OE-core] bash: Fix CVE-2019-18276

akuster808 akuster808 at gmail.com
Wed Feb 19 15:46:08 UTC 2020



On 2/18/20 7:49 AM, Richard Purdie wrote:
> On Tue, 2020-02-18 at 15:43 +0000, Mittal, Anuj wrote:
>> On Tue, 2020-02-18 at 15:35 +0000, Richard Purdie wrote:
>>> On Tue, 2020-02-18 at 10:28 -0500, Chet Ramey wrote:
>>>> On 2/17/20 9:46 PM, Huo, De wrote:
>>>>> I applied the patch to fix CVE defect CVE-2019-18276.
>>>> That's not exactly an answer to the question of who produced the
>>>> patch. If that patch is the one causing failures when it's applied,
>>>> doesn't it make sense to go back to the person who produced it and
>>>> ask them to update it if necessary?
>>> It's likely a general CVE patch where both configure and configure.ac
>>> are patched. For OE, we can drop the configure part since we reautoconf
>>> the code. It's therefore the OE port of the patch which is likely at
>>> fault.
>>>
>>> Someone just needs to remove that section of the patch.
>> There are other issues with this patch which should also be fixed, I
>> think. It has been marked as a Backport while it is not one. The patch
>> includes changes that are irrelevant to the CVE. And, it should have
>> gone to master first.
> I shall await guidance from you/Armin then.

We should revert the commit. I'll send a patch.

- Armin
>
> Cheers,
>
> Richard
>
