+ Anuj for meta-intel-qat use of yasm-native.
On 2022-10-13 10:05, Randy MacLeod wrote:
On 2022-10-13 02:33, Khem Raj wrote:
On Wed, Oct 12, 2022 at 10:59 PM Polampalli, Archana <[email protected]> wrote:
Hi Khem Raj,
I have seen the link; the issue is in Open.
Could you please confirm whether OpenEmbedded is going to provide the fix?
If someone in community signs up for it then yes
and in this case, the community is us (Wind River and other folks
using yasm in OE)
so that may be you providing the fix Archana.
I'll explain more offline.
The yasm CVEs have come up again. Sigh.
Upstream seems not to be interested in fixing CVEs:
https://github.com/yasm/yasm/commits/master
We only need yasm-native (1) so does anyone object to
moving this recipe to yasm-native_git.bb ? This small change
would make it clear that images/targets/machines are not _directly_
vulnerable
due to the fuzzing errors people are generating which result in CVEs.
../Randy
meta-oe.git on master [$?]
❯ rg yasm
meta-multimedia/recipes-multimedia/aom/aom_3.4.0.bb
18:DEPENDS = " yasm-native"
meta-oe/recipes-devtools/yasm/yasm_git.bb
3:HOMEPAGE = "http://www.tortall.net/projects/yasm/"
13:SRC_URI = "git://github.com/yasm/yasm.git;branch=master;protocol=https \
meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb
310: yasm \
meta-oe.git on master [$?]
❯ rg yasm ../meta-browser.git/
../meta-browser.git/meta-firefox/recipes-browser/firefox/firefox_68.9.0esr.bb
8: yasm-native nasm-native unzip-native \
../meta-browser.git/meta-firefox/recipes-browser/firefox/firefox/fixes/pre-generated-old-configure.patch
8213:+ { echo "configure: error: Building ICU requires
either yasm or a GNU assembler. If you do not have either of those
available for this platform you must use --without-intl-api" 1>&2; echo
"configure: error: Building ICU requires either yasm or a GNU assembler.
If you do not have either of those available for this platform you must
use --without-intl-api" 1>&5; exit 1; }
meta-oe.git on master [$?]
❯ rg yasm ../meta-intel-qat.git/
../meta-intel-qat.git/recipes-extended/qat/qat17_4.20.0-00001.bb
10:DEPENDS += "boost udev zlib openssl yasm-native"
182:# yasm encodes path to the input file and doesn't provide any option
to workaround it.
../Randy
Regards,
Archana
------------------------------------------------------------------------
*From:* Khem Raj <[email protected]>
*Sent:* Thursday, October 13, 2022 4:00 AM
*To:* Polampalli, Archana <[email protected]>
*Cc:* [email protected]
*Subject:* Re: [oe] Security Advisory - yasm - CVE-2021-33461
On Wed, Oct 12, 2022 at 10:24 AM Polampalli, Archana <[email protected]> wrote:
>
> Hi,
>
> Could you please confirm whether there is any security fix being provided for CVE-2021-33461?
seems to be open https://github.com/yasm/yasm/issues/161
>
>
> Regards,
> Archana
--
# Randy MacLeod
# Wind River Linux
View/Reply Online (#101846):
https://lists.openembedded.org/g/openembedded-devel/message/101846