Hi Martin,
Firstly I run: devtool modify python
This command applied all the patches in the source code.
After this, when I run:
devtool finish --force-patch-refresh <recipe> <layer_path>
where recipe = python and layer path = /workspace/sources/python
I'm getting the message: workspace/sources/python appears to be in the middle of
'git am' or 'git apply' - please resolve this first
Can you please help me understand why I'm getting this and how to resolve it?
Thanks and Regards,
Rahul Taya
________________________________
From: [email protected]
<[email protected]> on behalf of Martin Jansa via
lists.openembedded.org <[email protected]>
Sent: Monday, March 1, 2021 8:16 PM
To: Rahul Taya <[email protected]>
Cc: openembedded-devel <[email protected]>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
CVE-2019-9674
> Can you please tell me what i should do if a fuzz is detected while applying
> patch or i see some warning message ?
The QA warning/error message about patch-fuzz shows you how to easily resolve
the fuzz with devtool.
If it doesn't apply at all (like that nghttp2 patch), then you need to apply it
manually by resolving all conflicts and then refresh the patch file (I usually
create a git repo in ${S} if it isn't there already from SRC_URI, then manually
apply the failing patch and then git format-patch it).
On Mon, Mar 1, 2021 at 3:26 PM Rahul Taya
<[email protected]> wrote:
Hi Martin,
Yes, I think you are right; it is possible that I overlooked or missed the
warning.
Can you please tell me what I should do if fuzz is detected while applying a
patch or I see some warning message?
For the nghttp patch please check the attached screenshot; this is the last message
that I saw.
Can you tell me what to do next for that patch?
Thanks and Regards,
Rahul Taya
________________________________
From: Martin Jansa <[email protected]>
Sent: Thursday, February 25, 2021 10:33 PM
To: Rahul Taya <[email protected]>
Cc: openembedded-devel <[email protected]>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
CVE-2019-9674
Hi Rahul,
you probably don't have patch-fuzz in ERROR_QA and overlooked the warning
generated by this QA check, which is by default only in WARN_QA.
Or you weren't testing it with the master branch; as the subject says it's for
dunfell, but the python version is the same in master and dunfell, so the
warning should be triggered in both.
On Thu, Feb 25, 2021 at 5:19 PM Rahul Taya
<[email protected]> wrote:
Hi Martin,
I have tested my changes before sending them to you or the ML; I don't know why it is
failing now at your side.
Thanks and Regards,
Rahul
________________________________
From: Martin Jansa <[email protected]>
Sent: Thursday, February 25, 2021 8:25:50 PM
To: Rahul Taya <[email protected]>
Cc: openembedded-devel <[email protected]>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
CVE-2019-9674
Hi,
normally you should fork meta-python2 and send a link to a meta-python2 change I
can cherry-pick, not the blob in an otherwise empty repo.
But as I've said in my previous reply, I've already manually applied your change
in meta-python2 master-next, where it's now failing:
ERROR: python-native-2.7.18-r0 do_patch: Fuzz detected:
Applying patch CVE-2019-9674.patch
patching file Doc/library/zipfile.rst
Hunk #1 succeeded at 554 with fuzz 2 (offset -20 lines).
The context lines in the patches can be updated with devtool:
devtool modify python-native
devtool finish --force-patch-refresh python-native <layer_path>
Don't forget to review changes done by devtool!
ERROR: python-native-2.7.18-r0 do_patch: QA Issue: Patch log indicates that
patches do not apply cleanly. [patch-fuzz]
so I'll fix this as well, but next time please test your changes better
(the nghttp2 patch also didn't apply, see my reply there; not sure if you have
fixed that in v2)
Regards,
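The do_patch log quoted above is what the patch-fuzz QA check reacts to. As an added illustration (not code from the thread, from OpenEmbedded or from devtool), here is a small parser that reads GNU patch output of that shape and classifies each hunk as clean, offset-only (fine), fuzz (context must be refreshed) or failed (manual conflict resolution needed). The sample log is constructed for this example from the quoted line plus two invented hunks.

```python
import re

# Constructed sample log: the first hunk line is the one quoted in the thread,
# the other patch and its two hunks are invented for illustration.
SAMPLE_LOG = """\
Applying patch CVE-2019-9674.patch
patching file Doc/library/zipfile.rst
Hunk #1 succeeded at 554 with fuzz 2 (offset -20 lines).
Applying patch example-other.patch
patching file Lib/zipfile.py
Hunk #1 succeeded at 120 (offset 3 lines).
Hunk #2 FAILED at 300.
"""

# GNU patch hunk status line; "fuzz N" and "(offset N lines)" are optional.
HUNK_RE = re.compile(
    r"^Hunk #(?P<num>\d+) (?P<status>succeeded|FAILED) at (?P<line>\d+)"
    r"(?: with fuzz (?P<fuzz>\d+))?"
    r"(?: \(offset (?P<offset>-?\d+) lines?\))?\.$"
)

def parse_patch_log(log):
    """Return one dict per hunk: patch, file, hunk, line, fuzz, offset, status."""
    results, patch, fname = [], None, None
    for line in log.splitlines():
        if line.startswith("Applying patch "):
            patch = line[len("Applying patch "):]
        elif line.startswith("patching file "):
            fname = line[len("patching file "):]
        else:
            m = HUNK_RE.match(line)
            if not m:
                continue
            fuzz = int(m.group("fuzz") or 0)
            offset = int(m.group("offset") or 0)
            if m.group("status") == "FAILED":
                status = "failed"   # apply by hand, then regenerate the patch
            elif fuzz:
                status = "fuzz"     # context no longer matches: refresh it
            elif offset:
                status = "offset"   # applied exactly, only moved: acceptable
            else:
                status = "clean"
            results.append({"patch": patch, "file": fname,
                            "hunk": int(m.group("num")), "line": int(m.group("line")),
                            "fuzz": fuzz, "offset": offset, "status": status})
    return results

def patches_needing_attention(log):
    """Patch names that would trip the patch-fuzz QA check or fail outright."""
    return sorted({r["patch"] for r in parse_patch_log(log)
                   if r["status"] in ("fuzz", "failed")})
```

An offset alone is not flagged, because the hunk still applied with every context line matching; fuzz means patch dropped context lines to find a match, which is why the QA check treats it as "does not apply cleanly".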
On Thu, Feb 25, 2021 at 9:09 AM Rahul Taya
<[email protected]> wrote:
Hi Martin,
I removed the emoticons and uploaded the patch to my git repo; please access the
link below:
https://github.com/Rahult9/upstream_patch/blob/main/CVE-2019-9674.patch
Thanks and Regards,
Rahul Taya
________________________________
From: Martin Jansa <[email protected]>
Sent: Thursday, February 18, 2021 10:58 PM
To: Rahul Taya <[email protected]>
Cc: openembedded-devel <[email protected]>;
Khem Raj <[email protected]>; Nisha Parrakat
<[email protected]>; Harpritkaur Bhandari
<[email protected]>
Subject: Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
CVE-2019-9674
"git am" doesn't like those emoticons in the .patch file.
git am ~/py2/cur/16136689*
error: cannot convert from 8bit to UTF-8
fatal: could not parse patch
Either drop them or upload it to some git repo so I can cherry-pick it from
there.
On Thu, Feb 18, 2021 at 3:18 PM Rahul Taya
<[email protected]> wrote:
For python and python-native added patch to fix
CVE-2019-9674
Signed-off-by: Rahul Taya <[email protected]>
---
recipes-devtools/python/python.inc | 1 +
.../python/python/CVE-2019-9674.patch | 83 +++++++++++++++++++
2 files changed, 84 insertions(+)
create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patch
diff --git a/recipes-devtools/python/python.inc
b/recipes-devtools/python/python.inc
index a4ba0c5..787f23e 100644
--- a/recipes-devtools/python/python.inc
+++ b/recipes-devtools/python/python.inc
@@ -8,6 +8,7 @@ INC_PR = "r1"
LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"
SRC_URI =
"http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz<https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.python.org%2Fftp%2Fpython%2F%24%257BPV%257D%2FPython-%24%257BPV%257D.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036681079%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Agwev%2FNAmBIVpMFGVO43e9fodCQDP51na6X9vRcF220%3D&reserved=0>
\
+ file://CVE-2019-9674.patch \
"
SRC_URI[sha256sum] =
"b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
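Review bot: adding the patch through the shared python.inc means it is applied to both python and python-native, as the commit message says, so the fuzz reported for python-native-2.7.18-r0 later in this thread ("Hunk #1 succeeded at 554 with fuzz 2 (offset -20 lines)") will also hit the python recipe; one refresh of recipes-devtools/python/python/CVE-2019-9674.patch (devtool modify python-native; devtool finish --force-patch-refresh python-native <layer_path>) fixes both, and that should be done before this recipe change is merged.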
diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch
b/recipes-devtools/python/python/CVE-2019-9674.patch
new file mode 100644
index 0000000..647d9da
--- /dev/null
+++ b/recipes-devtools/python/python/CVE-2019-9674.patch
@@ -0,0 +1,83 @@
+From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001
+From: JunWei Song <[email protected]<mailto:[email protected]>>
+Date: Wed, 11 Sep 2019 23:04:12 +0800
+Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation
+ (#13378)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* bpo-36260: Add pitfalls to zipfile module documentation
+
+We saw vulnerability warning description (including zip bomb) in
Doc/library/xml.rst file.
+This gave us the idea of documentation improvement.
+
+So, we moved a little bit forward :P
+And the doc patch can be found (pr).
+
+* fix trailing whitespace
+
+* ๐๐ค Added by blurb_it.
+
+* Reformat text for consistency.
+
+Upstream-Status:
Backport[http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz<https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036691075%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=xTmtwvOtDUoFvuP9MyBRE5Majy%2BcqtsU5qhT83ruVuU%3D&reserved=0>]
+CVE: CVE-2019-9674
+Link:
http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz<https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036701068%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=USaFhHgPBdg4QgGHYpo9FRhLyBt2Rv3pPeOhkVYyhRo%3D&reserved=0>
+Comment: From the original patch skipped changes for file
+Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
+as this file is not present in our source code.
+---
+ Doc/library/zipfile.rst | 41 +++++++++++++++++++
+ 1 files changed, 41 insertions(+)
+
+diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
+index b421ea5..2e0a91d 100644
+--- a/Doc/library/zipfile.rst
++++ b/Doc/library/zipfile.rst
+@@ -574,4 +574,45 @@ Instances have the following attributes:
+
+ Size of the uncompressed file.
+
++Decompression pitfalls
++----------------------
++
++The extraction in zipfile module might fail due to some pitfalls listed below.
++
++From file itself
++~~~~~~~~~~~~~~~~
++
++Decompression may fail due to incorrect password / CRC checksum / ZIP format
or
++unsupported compression method / decryption.
++
++File System limitations
++~~~~~~~~~~~~~~~~~~~~~~~
++
++Exceeding limitations on different file systems can cause decompression
failed.
++Such as allowable characters in the directory entries, length of the file
name,
++length of the pathname, size of a single file, and number of files, etc.
++
++Resources limitations
++~~~~~~~~~~~~~~~~~~~~~
++
++The lack of memory or disk volume would lead to decompression
++failed. For example, decompression bombs (aka `ZIP bomb`_)
++apply to zipfile library that can cause disk volume exhaustion.
++
++Interruption
++~~~~~~~~~~~~
++
++Interruption during the decompression, such as pressing control-C or killing
the
++decompression process may result in incomplete decompression of the archive.
++
++Default behaviors of extraction
++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
++
++Not knowing the default extraction behaviors
++can cause unexpected decompression results.
++For example, when extracting the same archive twice,
++it overwrites files without asking.
++
++
++.. _ZIP bomb:
https://en.wikipedia.org/wiki/Zip_bomb<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FZip_bomb&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036701068%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=cpU3nEPoLWqOsKeDGTeSDXmMgYhKbgh96viKBG%2F%2BD1A%3D&reserved=0>
+ .. _PKZIP Application Note:
https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT<https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpkware.cachefly.net%2Fwebdocs%2Fcasestudies%2FAPPNOTE.TXT&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036711063%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=6r6U9Vm9nwtHzdnNnsBEmGw7tAIAot5uWkop%2FbEuKMg%3D&reserved=0>
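Review bot: the context in this backport still targets the Python 3.5 file layout (hunk header "@@ -574,4 +574,45 @@"), which is why do_patch applies it against Python 2.7.18 only at line 554 with fuzz 2 and the patch-fuzz QA check then fails; refresh the context lines with devtool before resending so the hunk applies cleanly. Two smaller points in the header: the commit-body line "* ๐๐ค Added by blurb_it." carries non-UTF-8 bytes under "Content-Transfer-Encoding: 8bit", which is what made git am stop with "cannot convert from 8bit to UTF-8", so drop that line; and Upstream-Status: Backport should reference the upstream CPython commit named in the From: line (3ba51d587f6897a45301ce9126300c14fcd4eba2) rather than the Ubuntu python3.5 debian tarball, which can stay under Link: if it was the actual source of the backport.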
--
2.17.1
This message contains information that may be privileged or confidential and is
the property of the KPIT Technologies Ltd. It is intended only for the person
to whom it is addressed. If you are not the intended recipient, you are not
authorized to read, print, retain copy, disseminate, distribute, or use this
message or any part thereof. If you receive this message in error, please
notify the sender immediately and delete all copies of this message. KPIT
Technologies Ltd. does not accept any liability for virus infected mails.
View/Reply Online (#89840):
https://lists.openembedded.org/g/openembedded-devel/message/89840