On 10/21/2016 06:08 PM, akuster wrote:
while updating gnutls to a newer version I came across a rather
serious issue: the way we patch source code is very lenient about the
context for the lines to be changed. Basically, it's enough for one
line before and after the changed line to match, because patch
command's default setting for 'fuzz factor' allows it. If these lines
happen to be whitespace or braces, then there's nothing to prevent the
patch from being applied incorrectly.
Here's a particularly nasty example of this happening completely
silently (compile step works fine too), with security implications:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=10450
I think this absolutely needs to be fixed.
Is there a target milestone for this change?
Currently the plan is to fix all of oe-core and send out a patchset,
including the stricter fuzz setting in time for 2.3 M1. Here's the branch:
https://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/log/?h=akanavin/fix-patch-fuzz
The downside is that this will break a lot of patches across all
layers - after setting the fuzz to zero in oe-core we have 87 recipes
that fail to be patched. Maxin and I are currently going through them
one by one and getting them fixed.
Is this going to impact the 2.2 release?
If we find any patches that are applied incorrectly (as opposed to just
having out of date context but still applied correctly), then the fixes
will be backported as well.
Alex
--
_______________________________________________
Openembedded-core mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-core
