Did you run "devtool modify python" twice? If the first call failed to
apply patches you need to go into workspace/sources/python and finish
applying it manually.

But as said in previous e-mails I've already updated your python patch to
apply cleanly (and it's in meta-python2/master-next), so I'm not sure what
you're trying to do now.

On Wed, Mar 3, 2021 at 2:51 PM Rahul Taya <[email protected]> wrote:

> Hi Martin,
>
> Firstly I ran: *devtool modify python*
>
> This command applied all the patches in the source code.
> After this, when I run:
>
>          devtool finish --force-patch-refresh <recipe> <layer_path>
>
> where recipe = python and layer path = /workspace/sources/python
>
> I'm getting the message: *workspace/sources/python appears to be in the
> middle of 'git am' or 'git apply' - please resolve this first*
>
> Can you please help me understand why I'm getting this and how to resolve it?
>
> Thanks and Regards,
> Rahul Taya
> ------------------------------
> *From:* [email protected] <
> [email protected]> on behalf of Martin Jansa via
> lists.openembedded.org <[email protected]>
> *Sent:* Monday, March 1, 2021 8:16 PM
> *To:* Rahul Taya <[email protected]>
> *Cc:* openembedded-devel <[email protected]>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
> CVE-2019-9674
>
> > Can you please tell me what I should do if a fuzz is detected while
> > applying patch or I see some warning message?
>
> The QA warning/error message about patch-fuzz shows you how to easily
> resolve the fuzz with devtool.
>
> If it doesn't apply at all (like that nghttp2 patch), then you need to
> apply it manually by resolving all conflicts and then refresh the patch
> file (I usually create a git repo in ${S} if it isn't there already from
> SRC_URI, then manually apply the failing patch and then git format-patch
> it).
>
> On Mon, Mar 1, 2021 at 3:26 PM Rahul Taya <[email protected]> wrote:
>
> Hi Martin,
>
> Yes, I think you are right; it is possible that I overlooked or missed
> the warning.
>
> Can you please tell me what I should do if a fuzz is detected while
> applying patch or I see some warning message?
>
>
> For the nghttp patch, please check the attached screenshot; this is the last
> message that I saw.
> Can you tell me what to do next for that patch?
>
> Thanks and Regards,
> Rahul Taya
> ------------------------------
> *From:* Martin Jansa <[email protected]>
> *Sent:* Thursday, February 25, 2021 10:33 PM
> *To:* Rahul Taya <[email protected]>
> *Cc:* openembedded-devel <[email protected]>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
> CVE-2019-9674
>
> Hi Rahul,
>
> you probably don't have patch-fuzz in ERROR_QA and overlooked the warning
> generated by this QA check which is by default only in WARN_QA.
>
> Or you weren't testing it with master branch as the subject says it's for
> dunfell, but the python version is the same in master and dunfell, so
> the warning should be triggered in both.
>
> On Thu, Feb 25, 2021 at 5:19 PM Rahul Taya <[email protected]> wrote:
>
> Hi Martin,
>
> I have tested my changes before sending to you or ML; I don't know why it
> is failing now at your side.
>
> Thanks and Regards,
> Rahul
>
> ------------------------------
> *From:* Martin Jansa <[email protected]>
> *Sent:* Thursday, February 25, 2021 8:25:50 PM
> *To:* Rahul Taya <[email protected]>
> *Cc:* openembedded-devel <[email protected]>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
> CVE-2019-9674
>
> Hi,
>
> normally you should fork meta-python2 and send a link to meta-python2
> change I can cherry-pick, not the blob in otherwise empty repo.
>
> But as I've said in previous reply, I've already manually applied your
> change in meta-python2 master-next where it's now failing:
>
> ERROR: python-native-2.7.18-r0 do_patch: Fuzz detected:
>
> Applying patch CVE-2019-9674.patch
> patching file Doc/library/zipfile.rst
> Hunk #1 succeeded at 554 with fuzz 2 (offset -20 lines).
>
>
> The context lines in the patches can be updated with devtool:
>
>     devtool modify python-native
>     devtool finish --force-patch-refresh python-native <layer_path>
>
> Don't forget to review changes done by devtool!
>
> ERROR: python-native-2.7.18-r0 do_patch: QA Issue: Patch log indicates that 
> patches do not apply cleanly. [patch-fuzz]
>
>
> so I'll fix this as well, but next time please better test your changes 
> (nghttp2 patch also didn't apply, see my reply there, not sure if you have 
> fixed that in v2)
>
>
> Regards,
>
>
>
>
> On Thu, Feb 25, 2021 at 9:09 AM Rahul Taya <[email protected]> wrote:
>
> Hi Martin,
>
> I removed the emoticons and uploaded the patch to my git repo; please access
> the link below:
>
> https://github.com/Rahult9/upstream_patch/blob/main/CVE-2019-9674.patch
>
>
> Thanks and Regards,
> Rahul Taya
> ------------------------------
> *From:* Martin Jansa <[email protected]>
> *Sent:* Thursday, February 18, 2021 10:58 PM
> *To:* Rahul Taya <[email protected]>
> *Cc:* openembedded-devel <[email protected]>;
> Khem Raj <[email protected]>; Nisha Parrakat <[email protected]>;
> Harpritkaur Bhandari <[email protected]>
> *Subject:* Re: [oe] [meta-python2][dunfell][PATCH] python: Add fix for
> CVE-2019-9674
>
> "git am" doesn't like those emoticons in the .patch file..
>
> git am ~/py2/cur/16136689*
> error: cannot convert from 8bit to UTF-8
> fatal: could not parse patch
>
> either drop them or upload it to some git repo so I can cherry-pick it
> from there.
>
> On Thu, Feb 18, 2021 at 3:18 PM Rahul Taya <[email protected]> wrote:
>
> For python and python-native added patch to fix
> CVE-2019-9674
>
> Signed-off-by: Rahul Taya <[email protected]>
> ---
>  recipes-devtools/python/python.inc            |  1 +
>  .../python/python/CVE-2019-9674.patch         | 83 +++++++++++++++++++
>  2 files changed, 84 insertions(+)
>  create mode 100644 recipes-devtools/python/python/CVE-2019-9674.patch
>
> diff --git a/recipes-devtools/python/python.inc
> b/recipes-devtools/python/python.inc
> index a4ba0c5..787f23e 100644
> --- a/recipes-devtools/python/python.inc
> +++ b/recipes-devtools/python/python.inc
> @@ -8,6 +8,7 @@ INC_PR = "r1"
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=203a6dbc802ee896020a47161e759642"
>
>  SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz
> <https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.python.org%2Fftp%2Fpython%2F%24%257BPV%257D%2FPython-%24%257BPV%257D.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036681079%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=Agwev%2FNAmBIVpMFGVO43e9fodCQDP51na6X9vRcF220%3D&reserved=0>
> \
> +           file://CVE-2019-9674.patch \
>             "
>
>  SRC_URI[sha256sum] =
> "b62c0e7937551d0cc02b8fd5cb0f544f9405bafc9a54d3808ed4594812edef43"
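Review bot: the added `file://CVE-2019-9674.patch` entry in SRC_URI lands in the shared python.inc, so the patch has to apply cleanly for every recipe that includes this file. The commit message names both python and python-native, so run do_patch for both before sending, ideally with patch-fuzz in ERROR_QA so that a fuzzy apply fails the build instead of only warning.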
> diff --git a/recipes-devtools/python/python/CVE-2019-9674.patch
> b/recipes-devtools/python/python/CVE-2019-9674.patch
> new file mode 100644
> index 0000000..647d9da
> --- /dev/null
> +++ b/recipes-devtools/python/python/CVE-2019-9674.patch
> @@ -0,0 +1,83 @@
> +From 3ba51d587f6897a45301ce9126300c14fcd4eba2 Mon Sep 17 00:00:00 2001
> +From: JunWei Song <[email protected]>
> +Date: Wed, 11 Sep 2019 23:04:12 +0800
> +Subject: [PATCH] bpo-36260: Add pitfalls to zipfile module documentation
> + (#13378)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +* bpo-36260: Add pitfalls to zipfile module documentation
> +
> +We saw vulnerability warning description (including zip bomb) in
> Doc/library/xml.rst file.
> +This gave us the idea of documentation improvement.
> +
> +So, we moved a little bit forward :P
> +And the doc patch can be found (pr).
> +
> +* fix trailing whitespace
> +
> +* ๐Ÿ“œ๐Ÿค– Added by blurb_it.
> +
> +* Reformat text for consistency.
> +
> +Upstream-Status: Backport[
> http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
> <https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036691075%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=xTmtwvOtDUoFvuP9MyBRE5Majy%2BcqtsU5qhT83ruVuU%3D&reserved=0>
> ]
> +CVE: CVE-2019-9674
> +Link:
> http://archive.ubuntu.com/ubuntu/pool/main/p/python3.5/python3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz
> <https://apc01.safelinks.protection.outlook.com/?url=http:%2F%2Farchive.ubuntu.com%2Fubuntu%2Fpool%2Fmain%2Fp%2Fpython3.5%2Fpython3.5_3.5.2-2ubuntu0~16.04.12.debian.tar.xz&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036701068%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=USaFhHgPBdg4QgGHYpo9FRhLyBt2Rv3pPeOhkVYyhRo%3D&reserved=0>
> +Comment: From the original patch skipped changes for file
> +Misc/NEWS.d/next/Documentation/2019-06-04-09-29-00.bpo-36260.WrGuc-.rst
> +as this file is not present in our source code.
> +---
> + Doc/library/zipfile.rst                       | 41 +++++++++++++++++++
> + 1 files changed, 41 insertions(+)
> +
> +diff --git a/Doc/library/zipfile.rst b/Doc/library/zipfile.rst
> +index b421ea5..2e0a91d 100644
> +--- a/Doc/library/zipfile.rst
> ++++ b/Doc/library/zipfile.rst
> +@@ -574,4 +574,45 @@ Instances have the following attributes:
> +
> +    Size of the uncompressed file.
> +
> ++Decompression pitfalls
> ++----------------------
> ++
> ++The extraction in zipfile module might fail due to some pitfalls listed
> below.
> ++
> ++From file itself
> ++~~~~~~~~~~~~~~~~
> ++
> ++Decompression may fail due to incorrect password / CRC checksum / ZIP
> format or
> ++unsupported compression method / decryption.
> ++
> ++File System limitations
> ++~~~~~~~~~~~~~~~~~~~~~~~
> ++
> ++Exceeding limitations on different file systems can cause decompression
> failed.
> ++Such as allowable characters in the directory entries, length of the
> file name,
> ++length of the pathname, size of a single file, and number of files, etc.
> ++
> ++Resources limitations
> ++~~~~~~~~~~~~~~~~~~~~~
> ++
> ++The lack of memory or disk volume would lead to decompression
> ++failed. For example, decompression bombs (aka `ZIP bomb`_)
> ++apply to zipfile library that can cause disk volume exhaustion.
> ++
> ++Interruption
> ++~~~~~~~~~~~~
> ++
> ++Interruption during the decompression, such as pressing control-C or
> killing the
> ++decompression process may result in incomplete decompression of the
> archive.
> ++
> ++Default behaviors of extraction
> ++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> ++
> ++Not knowing the default extraction behaviors
> ++can cause unexpected decompression results.
> ++For example, when extracting the same archive twice,
> ++it overwrites files without asking.
> ++
> ++
> ++.. _ZIP bomb: https://en.wikipedia.org/wiki/Zip_bomb
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FZip_bomb&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036701068%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=cpU3nEPoLWqOsKeDGTeSDXmMgYhKbgh96viKBG%2F%2BD1A%3D&reserved=0>
> + .. _PKZIP Application Note:
> https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT
> <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpkware.cachefly.net%2Fwebdocs%2Fcasestudies%2FAPPNOTE.TXT&data=04%7C01%7CRahul.Taya%40kpit.com%7C793cbc8188f0469240b008d8dcc0d2a7%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637502068036711063%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=6r6U9Vm9nwtHzdnNnsBEmGw7tAIAot5uWkop%2FbEuKMg%3D&reserved=0>
> --
> 2.17.1
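Review bot: the embedded patch touches only Doc/library/zipfile.rst (its diffstat shows 41 insertions in that one file), so the `CVE: CVE-2019-9674` tag records a documentation change and not a change in how zipfile extracts archives; say so in the recipe commit message so that nobody reading CVE status for the layer takes this as a code fix. In the header, `Upstream-Status: Backport[` needs a space before the bracket, and the reference would be better pointed at the upstream commit named in the `From 3ba51d587f6897a45301ce9126300c14fcd4eba2` line than at a distribution source tarball. The non-ASCII characters on the "Added by blurb_it." line of the description are also worth dropping, since the header declares 8bit content.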
>
> This message contains information that may be privileged or confidential
> and is the property of the KPIT Technologies Ltd. It is intended only for
> the person to whom it is addressed. If you are not the intended recipient,
> you are not authorized to read, print, retain copy, disseminate,
> distribute, or use this message or any part thereof. If you receive this
> message in error, please notify the sender immediately and delete all
> copies of this message. KPIT Technologies Ltd. does not accept any
> liability for virus infected mails.
>
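As an added example (not part of the original thread and not OpenEmbedded's own code): a small Python check that scans do_patch output of the form quoted above and lists the hunks that applied with fuzz, so a CVE backport whose context no longer matches the source can be caught before it is sent. The first patch in the sample log is the one quoted in this thread; the second patch name and its lines are constructed.

```python
import re

# Sample do_patch output. The first patch is the log quoted in this thread;
# "example-clean.patch" and its lines are constructed for illustration.
SAMPLE_LOG = """\
Applying patch CVE-2019-9674.patch
patching file Doc/library/zipfile.rst
Hunk #1 succeeded at 554 with fuzz 2 (offset -20 lines).
Applying patch example-clean.patch
patching file Lib/example.py
Hunk #1 succeeded at 10 (offset 3 lines).
"""

APPLYING = re.compile(r"^Applying patch (\S+)")
PATCHING = re.compile(r"^patching file (\S+)")
HUNK = re.compile(
    r"^Hunk #(\d+) succeeded at (\d+)"
    r"(?: with fuzz (\d+))?"              # present only when context mismatched
    r"(?: \(offset (-?\d+) lines?\))?\.$"  # present only when the hunk moved
)

def find_fuzz(log_text):
    """Return one record per hunk that applied with fuzz."""
    findings = []
    patch = target = None
    for line in log_text.splitlines():
        line = line.strip()
        if m := APPLYING.match(line):
            patch, target = m.group(1), None
        elif m := PATCHING.match(line):
            target = m.group(1)
        elif (m := HUNK.match(line)) and m.group(3):
            # An offset alone is harmless; fuzz means context lines were ignored.
            findings.append({
                "patch": patch, "file": target,
                "hunk": int(m.group(1)), "line": int(m.group(2)),
                "fuzz": int(m.group(3)), "offset": int(m.group(4) or 0),
            })
    return findings

def patches_needing_refresh(log_text):
    """Names of patches with at least one fuzzy hunk, in log order."""
    seen = []
    for finding in find_fuzz(log_text):
        if finding["patch"] not in seen:
            seen.append(finding["patch"])
    return seen

if __name__ == "__main__":
    print(patches_needing_refresh(SAMPLE_LOG))
```

Each patch it reports is a candidate for the `devtool modify` / `devtool finish --force-patch-refresh` refresh described in the thread, followed by a review of the refreshed hunks.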
View/Reply Online (#89841): 
https://lists.openembedded.org/g/openembedded-devel/message/89841