*All* security issues are fixed in master first and then bubble down the stable branches. Otherwise, if you just fix thud we may end up with the next release not having the fix.
So, ideally, we upgrade master to 1.0.7 and then apply the backport to the stable branches.

Ross

On Sat, 29 Jun 2019 at 22:50, <[email protected]> wrote:
>
> Hi,
>
> > -----Original Message-----
> > From: Burton, Ross <[email protected]>
> > Sent: Saturday, June 29, 2019 9:30 PM
> > To: [email protected]
> > Cc: OE-core <[email protected]>
> > Subject: Re: [OE-core] [thud][PATCH v2] bzip2: Fix CVE-2019-12900
> >
> > For master, let's upgrade to 1.0.7 instead.
>
> Thanks for checking. Probably makes sense, yep. Whereby it's released just
> two days ago, after all the years :) Probably have time to expect some newer
> version.
>
> In general, should I have posted this patch against master? As seems I've
> targeted thud only, according to the policies below
>
> https://wiki.yoctoproject.org/wiki/Stable_branch_maintenance
>
> Or it's going to be merged up, if accepted?
>
> Thanks
>
> Anatol
>
> > Ross
> >
> > On Sat, 29 Jun 2019 at 20:28, <[email protected]> wrote:
> > >
> > > From: Anatol Belski <[email protected]>
> > >
> > > Affects bzip2 <= 1.0.6
> > >
> > > Signed-off-by: Anatol Belski <[email protected]>
> > > ---
> > >  .../bzip2/bzip2-1.0.6/CVE-2019-12900.patch | 37 +++++++++++++++++++
> > >  meta/recipes-extended/bzip2/bzip2_1.0.6.bb |  3 +-
> > >  2 files changed, 39 insertions(+), 1 deletion(-)
> > >  create mode 100644 meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> > >
> > > diff --git a/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> > > new file mode 100644
> > > index 0000000000..8313fdcfcc
> > > --- /dev/null
> > > +++ b/meta/recipes-extended/bzip2/bzip2-1.0.6/CVE-2019-12900.patch
> > > @@ -0,0 +1,37 @@ > > > +bzip2: Fix CVE-2019-12900 > > > +Upstream-Status: Accepted > > > > > +[https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d5 > > > +1ef9824db71a8ffee5962cdbc] > > > +CVE: CVE-2019-12900 > > > +Signed-off-by: Albert Astals Cid <[email protected]> > > > + > > > +From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 > > 00:00:00 > > > +2001 > > > +From: Albert Astals Cid <[email protected]> > > > +Date: Tue, 28 May 2019 19:35:18 +0200 > > > +Subject: [PATCH] Make sure nSelectors is not out of range > > > + > > > +nSelectors is used in a loop from 0 to nSelectors to access > > > +selectorMtf which is > > > + UChar selectorMtf[BZ_MAX_SELECTORS]; > > > +so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid > > > +memory access > > > + > > > +Fixes out of bounds access discovered while fuzzying karchive > > > +--- > > > + decompress.c | 2 +- > > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > > + > > > +diff --git a/decompress.c b/decompress.c index ab6a624..f3db91d > > > +100644 > > > +--- a/decompress.c > > > ++++ b/decompress.c > > > +@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s ) > > > + GET_BITS(BZ_X_SELECTOR_1, nGroups, 3); > > > + if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR); > > > + GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15); > > > +- if (nSelectors < 1) RETURN(BZ_DATA_ERROR); > > > ++ if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) > > > ++ RETURN(BZ_DATA_ERROR); > > > + for (i = 0; i < nSelectors; i++) { > > > + j = 0; > > > + while (True) { > > > +-- > > > +2.21.0 > > > + > > > diff --git a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb > > > b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb > > > index 025f45c472..6791020d05 100644 > > > --- a/meta/recipes-extended/bzip2/bzip2_1.0.6.bb > > > +++ b/meta/recipes-extended/bzip2/bzip2_1.0.6.bb 
> > > @@ -6,7 +6,7 @@ HOMEPAGE = "https://sourceware.org/bzip2/" > > > SECTION = "console/utils" > > > LICENSE = "bzip2" > > > LIC_FILES_CHKSUM = > > "file://LICENSE;beginline=4;endline=37;md5=39406315f540c69bd05b1531da > > edd2ae" > > > -PR = "r5" > > > +PR = "r6" > > > > > > SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/${BP}.tar.gz > > \ > > > file://fix-bunzip2-qt-returns-0-for-corrupt-archives.patch > > > \ @@ -14,6 +14,7 @@ SRC_URI = > > "http://downloads.yoctoproject.org/mirror/sources/${BP}.tar.gz \ > > > file://Makefile.am;subdir=${BP} \ > > > file://run-ptest \ > > > file://CVE-2016-3189.patch \ > > > + file://CVE-2019-12900.patch \ > > > " > > > > > > SRC_URI[md5sum] = "00b516f4704d4a7cb50a1d97e6e8e15b" > > > -- > > > 2.17.1 > > > > > > -- > > > _______________________________________________ > > > Openembedded-core mailing list > > > [email protected] > > > http://lists.openembedded.org/mailman/listinfo/openembedded-core
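Review bot: In the @@ -0,0 +1,37 @@ hunk (the new CVE-2019-12900.patch file), the added guard `if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);` is the correct bound for the `selectorMtf[BZ_MAX_SELECTORS]` indexing the commit message describes, but note that the preceding `GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);` reads a 15-bit field, so the stream format itself allows larger values; any archive carrying more selectors than the array holds is now rejected outright instead of being read with the excess ignored, so the backport is worth checking against archives produced by other bzip2 encoders before it lands on thud. Separately, the header line `+Upstream-Status: Accepted` does not match the content: the patch is the verbatim upstream commit 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc and Ross's suggestion to upgrade master to 1.0.7 implies the fix is already in a release, which is what `Upstream-Status: Backport [url]` is for; it also tells the next maintainer the patch is dropped on the 1.0.7 upgrade.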
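Review bot: The `-PR = "r5"` / `+PR = "r6"` change in the @@ -6,7 +6,7 @@ hunk is not needed: OE-core no longer bumps PR by hand, and adding a patch to SRC_URI already changes the recipe's task checksums so the package is rebuilt and repackaged; drop this hunk to keep the stable-branch backport minimal.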
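Review bot: Nothing blocks the @@ -14,6 +14,7 @@ hunk itself: `+ file://CVE-2019-12900.patch \` sits next to the existing `file://CVE-2016-3189.patch \` entry, the file lives under bzip2-1.0.6/ where the default FILESPATH finds it, and the `CVE: CVE-2019-12900` tag inside the patch is what lets cve-check report the recipe as patched. The only open point is the process one Ross raises above: the master fix (the 1.0.7 upgrade) should go in first, with this SRC_URI addition applied to thud as the backport afterwards, so the next release is not left without the fix.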
