On Wed, 10 Apr 2024 at 19:11, Khem Raj <[email protected]> wrote:
>
> On Wed, Apr 10, 2024 at 10:26 AM Beniamin Sandu <[email protected]>
> wrote:
> >
> > I don't know how that CVE tool is doing the checks, but it's doing
> > something wrong.
> > Both the CVEs that are mentioned in the list have nothing to do with
> > the current library that is built with the recipe. I am actually
> > curious as to who is using this library anyway, because it seems to be
> > some random implementation with a very similar name.
>
> It's not random, in fact a pretty old implementation.
>
> > The widely used library is the one at:
> > https://github.com/arvidn/libtorrent (this is the one used in stuff
> > like Deluge and other torrent software).
> >
> > CVE-2016-5301 was fixed in: https://github.com/arvidn/libtorrent/pull/782.
> > CVE-2009-1760 was fixed in:
> > https://github.com/arvidn/libtorrent/commit/eb2203abf51e63b1d5ba0c3e5d972936df96c31a
> >
> > Maybe we should replace the current recipe or add a separate one to
> > build the other library.
>
> Existing libtorrent in meta-oe is used by the rtorrent recipe and I don't
> see more users of it, so the question is:
>
> 1. Can rtorrent use the arvidn implementation? If so then we can use
> it for libtorrent systemwide
> 2. Merge libtorrent into rtorrent recipe since it's the only user of it
> and libtorrent recipe uses arvidn fork
> 3. Create a separate recipe for arvidn implementation

I have started working on a separate recipe a couple of days ago, called
libtorrent-rasterbar (which seems to have been the original name of the arvidn
library, also mentioned in one of the CVEs), but it currently fails to build
the python3 bindings for 32-bit arches, and I did not have time to investigate
yet. If you feel like taking a look, I can send it right now with python3
bindings disabled and you could add a patch on top, or I can send it sometime
in the future when I get back to it and fix it myself.

>
> >
> > On Wed, 10 Apr 2024 at 18:12, Khem Raj <[email protected]> wrote:
> > >
> > > Beniamin, what is the resolution based on? Before we revert we should find
> > >
> > > On Wed, Apr 10, 2024 at 10:02 AM Marko, Peter <[email protected]>
> > > wrote:
> > > >
> > > > This CVE reappeared in
> > > > https://autobuilder.yocto.io/pub/non-release/patchmetrics-meta-oe/cve-status-master.txt
> > > > So it should not have been applied.
> > > >
> > > > Peter
> > > >
> > > > -----Original Message-----
> > > > From: [email protected]
> > > > <[email protected]> On Behalf Of Khem Raj via
> > > > lists.openembedded.org
> > > > Sent: Sunday, April 7, 2024 17:43
> > > > To: [email protected]; Beniamin Sandu
> > > > <[email protected]>
> > > > Cc: Khem Raj <[email protected]>
> > > > Subject: Re: [oe] [meta-oe][PATCH] libtorrent: remove CVE mention
> > > >
> > > >
> > > > On Fri, 05 Apr 2024 16:13:35 +0100, Beniamin Sandu wrote:
> > > > > The CVE mentioned in the recipe applies to a different libtorrent
> > > > > library, from:
> > > > > https://github.com/arvidn/libtorrent
> > > > >
> > > > >
> > > > >
> > > > Applied, thanks!
> > > >
> > > > [1/1] libtorrent: remove CVE mention
> > > > commit: 0597c931ffbadf2a2242d8ed9cccb8567953d489
> > > >
> > > > Best regards,
> > > > --
> > > > Khem Raj <[email protected]>
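The mismatch discussed in this thread (a scanner attributing CVEs filed against arvidn's libtorrent to the rakshasa libtorrent that rtorrent uses, because both carry the product name "libtorrent") can be reproduced with a small model. The following is an added example, not code from this thread, from meta-openembedded or from the Yocto cve-check class: it matches NVD-style CPE 2.3 entries against a recipe's product name, with and without a vendor qualifier, using the `vendor:product` form that Yocto's CVE_PRODUCT variable accepts. The CVE records are hand-constructed stand-ins (the vendor strings are illustrative and were not checked against NVD), and "rakshasa" is an assumed vendor label for the rtorrent-side library.

```python
"""
Constructed model of name-based CVE matching and vendor disambiguation.
Added example: not from the mailing-list thread, meta-openembedded, or the
Yocto cve-check class. CPE records below are hand-written stand-ins; vendor
strings are illustrative and have not been checked against NVD.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cpe:
    vendor: str
    product: str
    version: str


def parse_cpe23(cpe: str) -> Cpe:
    """Parse a CPE 2.3 formatted string: cpe:2.3:part:vendor:product:version:...

    Simplification: escaped colons (\\:) inside a field are not handled,
    the constructed records below do not use them.
    """
    fields = cpe.split(":")
    if len(fields) < 6 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return Cpe(vendor=fields[3], product=fields[4], version=fields[5])


# Constructed records for the two CVE ids named in the thread. Both are filed
# against the arvidn/rasterbar library; the vendor strings are illustrative.
# '*' in the version field means any version.
CVE_DB = {
    "CVE-2016-5301": ["cpe:2.3:a:libtorrent_project:libtorrent:*:*:*:*:*:*:*:*"],
    "CVE-2009-1760": ["cpe:2.3:a:rasterbar_software:libtorrent:*:*:*:*:*:*:*:*"],
}


def parse_cve_product(cve_product: str) -> list[tuple[Optional[str], str]]:
    """Split a CVE_PRODUCT-style value ("prod" or "vendor:prod", space separated)
    into (vendor, product) pairs; vendor is None when unqualified."""
    pairs: list[tuple[Optional[str], str]] = []
    for item in cve_product.split():
        if ":" in item:
            vendor, product = item.split(":", 1)
            pairs.append((vendor, product))
        else:
            pairs.append((None, item))
    return pairs


def matching_cves(cve_product: str, cve_db: dict[str, list[str]]) -> set[str]:
    """Return the CVE ids whose CPEs match the recipe's (vendor, product) pairs.

    An unqualified product matches every vendor that ships a product of that
    name: this is exactly the path that produces the false positive.
    """
    pairs = parse_cve_product(cve_product)
    hits: set[str] = set()
    for cve_id, cpes in cve_db.items():
        for cpe_str in cpes:
            cpe = parse_cpe23(cpe_str)
            for vendor, product in pairs:
                if cpe.product == product and vendor in (None, cpe.vendor):
                    hits.add(cve_id)
    return hits


if __name__ == "__main__":
    # Recipe name used as the product, as a scanner defaulting to ${BPN} would.
    print("product only    :", sorted(matching_cves("libtorrent", CVE_DB)))
    # Vendor-qualified for the rtorrent-side library ('rakshasa' is an assumed label).
    print("rakshasa:libtorrent:", sorted(matching_cves("rakshasa:libtorrent", CVE_DB)))
    # Vendor-qualified for the arvidn library, using the constructed vendor strings.
    arvidn = "libtorrent_project:libtorrent rasterbar_software:libtorrent"
    print("arvidn qualified:", sorted(matching_cves(arvidn, CVE_DB)))
```

With the product-only query both CVE ids are reported against a recipe that merely happens to be called libtorrent; qualifying the product with a vendor on each recipe (one value for the rakshasa library, another for a libtorrent-rasterbar recipe) is what separates them. The real cve-check additionally compares version ranges, which this model leaves out.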
View/Reply Online (#109910): https://lists.openembedded.org/g/openembedded-devel/message/109910
