Hi team,

I am working on CVE-2023-25193<https://nvd.nist.gov/vuln/detail/CVE-2023-25193> 
for the kirkstone branch. The CVE has been fixed in 7.0.1 (the latest version), but 
kirkstone has version 4.0.1. I am trying to backport the patch to 4.0.1, but 
since there are a lot of code changes and newly added files, I couldn't backport 
the patch.

Below is the error log:
NOTE: Executing Tasks
ERROR: harfbuzz-4.0.1-r0 do_patch: Applying patch 'CVE-2023-25193.patch' on 
target directory 
'/buildarea/eng6/lts22_3268_13feb/build/tmp-glibc/work/core2-64-wrs-linux/harfbuzz/4.0.1-r0/harfbuzz-4.0.1'
CmdError('quilt --quiltrc 
/buildarea/eng6/lts22_3268_13feb/build/tmp-glibc/work/core2-64-wrs-linux/harfbuzz/4.0.1-r0/recipe-sysroot-native/etc/quiltrc
 push', 0, "stdout: Applying patch CVE-2023-25193.patch
can't find file to patch at input line 13
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|commit 8708b9e081192786c027bb7f5f23d76dbe5c19e8
|Author: Behdad Esfahbod <[email protected]>
|Date:   Mon Feb 6 14:51:25 2023 -0700
|
|    [GPOS] Avoid O(n^2) behavior in mark-attachment
|
|    Better implementation; avoids arbitrary limit on look-back.
|
|diff --git a/src/OT/Layout/GPOS/MarkBasePosFormat1.hh 
b/src/OT/Layout/GPOS/MarkBasePosFormat1.hh
|index ebb8c31c6..73839a4c8 100644
|--- a/src/OT/Layout/GPOS/MarkBasePosFormat1.hh
|+++ b/src/OT/Layout/GPOS/MarkBasePosFormat1.hh
--------------------------
No file to patch.  Skipping patch.
2 out of 2 hunks ignored
can't find file to patch at input line 120
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git a/src/OT/Layout/GPOS/MarkLigPosFormat1.hh 
b/src/OT/Layout/GPOS/MarkLigPosFormat1.hh
|index 1a8021237..447187102 100644
|--- a/src/OT/Layout/GPOS/MarkLigPosFormat1.hh
|+++ b/src/OT/Layout/GPOS/MarkLigPosFormat1.hh
--------------------------
No file to patch.  Skipping patch.
1 out of 1 hunk ignored
patching file src/hb-ot-layout-gsubgpos.hh
Hunk #1 succeeded at 641 with fuzz 2 (offset -71 lines).
Hunk #2 succeeded at 676 with fuzz 1 (offset -77 lines).
Patch CVE-2023-25193.patch does not apply (enforce with -f)

stderr: ")
ERROR: Logfile of failure stored in: 
/buildarea/eng6/lts22_3268_13feb/build/tmp-glibc/work/core2-64-wrs-linux/harfbuzz/4.0.1-r0/temp/log.do_patch.384214
ERROR: Task 
(/buildarea/eng6/lts22_3268_13feb/layers/oe-core/meta/recipes-graphics/harfbuzz/harfbuzz_4.0.1.bb:do_patch)
 failed with exit code '1'
NOTE: Tasks Summary: Attempted 1131 tasks of which 1123 didn't need to be rerun 
and 1 failed.

Hence, could you suggest how I can proceed further on this, or is there any plan 
to fix this CVE on kirkstone?

Thanks,
Soumya
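An added triage helper, not part of the original post nor of the harfbuzz or OE-core projects, that parses quilt/patch output like the log above into a per-file status. It separates files that simply do not exist in the 4.0.1 tree (so their hunks must be relocated by hand) from hunks that applied only with fuzz, which in a security backport need a manual check that they landed in the intended function. The sample input is constructed from the log quoted above.

```python
import re

# Constructed sample input, condensed from the quilt output quoted in the post.
QUILT_OUTPUT = """\
can't find file to patch at input line 13
|--- a/src/OT/Layout/GPOS/MarkBasePosFormat1.hh
|+++ b/src/OT/Layout/GPOS/MarkBasePosFormat1.hh
No file to patch.  Skipping patch.
2 out of 2 hunks ignored
|--- a/src/OT/Layout/GPOS/MarkLigPosFormat1.hh
|+++ b/src/OT/Layout/GPOS/MarkLigPosFormat1.hh
No file to patch.  Skipping patch.
1 out of 1 hunk ignored
patching file src/hb-ot-layout-gsubgpos.hh
Hunk #1 succeeded at 641 with fuzz 2 (offset -71 lines).
Hunk #2 succeeded at 676 with fuzz 1 (offset -77 lines).
Patch CVE-2023-25193.patch does not apply (enforce with -f)
"""

HEADER_RE = re.compile(r"^\|\+\+\+ b/(\S+)")          # target of a skipped diff
IGNORED_RE = re.compile(r"^(\d+) out of \d+ hunks? ignored")
PATCHING_RE = re.compile(r"^patching file (\S+)")      # file that was found
HUNK_RE = re.compile(r"^Hunk #(\d+) (succeeded|FAILED)(?: at \d+)?(?: with fuzz (\d+))?")

def triage_quilt_output(text):
    """Map each target file to {"status", "hunks", "fuzz"}.

    status: missing (file absent from this tree), failed (a hunk did not apply),
    fuzzy (applied only with fuzz, so the landing spot needs review), clean.
    """
    files, current = {}, None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            current = m.group(1)
            files[current] = {"status": "missing", "hunks": 0, "fuzz": {}}
        elif (m := IGNORED_RE.match(line)) and current:
            files[current]["hunks"] = int(m.group(1))
        elif m := PATCHING_RE.match(line):
            current = m.group(1)
            files[current] = {"status": "clean", "hunks": 0, "fuzz": {}}
        elif (m := HUNK_RE.match(line)) and current:
            info = files[current]
            info["hunks"] += 1
            if m.group(2) == "FAILED":
                info["status"] = "failed"
            elif m.group(3):
                info["fuzz"][int(m.group(1))] = int(m.group(3))  # hunk -> fuzz level
                if info["status"] == "clean":
                    info["status"] = "fuzzy"
    return files
```

Feed it the stdout section of log.do_patch; every "missing" entry is a file introduced upstream after 4.0.1 whose change has to be located in the older layout, and every "fuzzy" hunk should be diffed against the upstream commit before the backport is trusted.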

View/Reply Online (#177974): 
https://lists.openembedded.org/g/openembedded-core/message/177974