Re: [OpenWrt-Devel] [PATCH] patch: apply upstream cve fixes

Sun, 14 Oct 2018 06:56:42 -0700 

Hi Russell, Kevin

On 14.10.2018 11:34, Russell Senior wrote:


Apply two upstream patches to address two CVEs:

  * CVE-2018-1000156
  * CVE-2018-6952

Add PKG_CPE_ID to Makefile.

Build tested on apm821xx and ar71xx.

Signed-off-by: Russell Senior <[email protected]>
---
  tools/patch/Makefile                          |   2 +
  .../patch/patches/010-CVE-2018-1000156.patch  | 209 ++++++++++++++++++
  tools/patch/patches/020-CVE-2018-6952.patch   |  30 +++
  3 files changed, 240 insertions(+)
  create mode 100644 tools/patch/patches/010-CVE-2018-1000156.patch
  create mode 100644 tools/patch/patches/020-CVE-2018-6952.patch


This change causes tools/patch/compile to fail, with:


make[5]: Leaving directory 
'/var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/src'

Making all in tests

make[5]: Entering directory 
'/var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/tests'
 cd .. && /usr/bin/env bash 
/var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/build-aux/missing 
automake-1.15 --gnu tests/Makefile
/var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/build-aux/missing: 
line 81: automake-1.15: command not found

WARNING: 'automake-1.15' is missing on your system.
         You should only need it if you modified 'Makefile.am' or
         'configure.ac' or m4 files included by 'configure.ac'.
         The 'automake' program is part of the GNU Automake package:
         <http://www.gnu.org/software/automake>
         It also requires GNU Autoconf, GNU m4 and Perl in order to run:
         <http://www.gnu.org/software/autoconf>
         <http://www.gnu.org/software/m4/>
         <http://www.perl.org/>
Makefile:1361: recipe for target 'Makefile.in' failed


Making patch depend on automake allows patch to build successfully, but 
I'm not sure that's the correct fix. Looking casually at the changes in 
the tests/ directory that these CVE patches do, I don't immediately see 
why this pulls in automake.


I worked around this by:
diff --git a/tools/Makefile b/tools/Makefile
index 9a354f6c70..7a9abddad7 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -76,7 +76,7 @@ $(curdir)/zlib/compile := $(curdir)/cmake/compile
 $(curdir)/wrt350nv2-builder/compile := $(curdir)/zlib/compile
 $(curdir)/lzma-old/compile := $(curdir)/zlib/compile
 $(curdir)/make-ext4fs/compile := $(curdir)/zlib/compile
-
+$(curdir)/patch/compile := $(curdir)/automake/compile
 ifneq ($(HOST_OS),Linux)
   tools-y += coreutils
 endif


Regards
/Magnus

_______________________________________________
openwrt-devel mailing list
[email protected]
https://lists.openwrt.org/mailman/listinfo/openwrt-devel






















					Reply via email to