4
ERROR: Task
(/home/steve/builds/poky-contrib-kirkstone/meta/recipes-support/nghttp2/nghttp2_1.47.0.bb:do_patch)
failed with exit code '1'
Make sure you are using the current kirkstone head, and don't have a
bbappend for nghttp2 in another included layer.
Steve
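
An added example, not part of the thread or of any OE-core tooling: a small Python parser for GNU patch/quilt output such as the log quoted in this thread. It lists the files whose hunks were rejected and the hunks that applied only at a large line offset, which deserve a manual look in a CVE backport. The sample log is an excerpt constructed from the quoted lines; the function name and the offset threshold are assumptions.

```python
import re
from collections import defaultdict

# Excerpt constructed from the quilt output quoted in this thread.
SAMPLE_LOG = """\
patching file configure.ac
Hunk #1 succeeded at 922 (offset 315 lines).
Hunk #2 succeeded at 997 (offset 315 lines).
patching file doc/Makefile.am
Hunk #1 FAILED at 69.
1 out of 1 hunk FAILED -- rejects in file doc/Makefile.am
patching file lib/Makefile.am
Hunk #1 FAILED at 49.
Hunk #2 FAILED at 65.
2 out of 2 hunks FAILED -- rejects in file lib/Makefile.am
patching file lib/nghttp2_ratelim.c
patching file lib/nghttp2_session.c
Hunk #4 succeeded at 4164 (offset 9 lines).
Hunk #6 succeeded at 6991 (offset -3 lines).
"""

FILE_RE = re.compile(r"patching file (\S+)")
FAIL_RE = re.compile(r"Hunk #(\d+) FAILED at (\d+)")
OFFSET_RE = re.compile(r"Hunk #(\d+) succeeded at (\d+) \(offset (-?\d+) lines?\)")


def summarize_patch_log(log, max_offset=50):
    """Return (failed, drifted): failed maps file -> rejected hunk numbers,
    drifted maps file -> [(hunk, offset)] where |offset| > max_offset.
    max_offset is an arbitrary review threshold, not a patch(1) setting."""
    failed, drifted = defaultdict(list), defaultdict(list)
    current = None
    for raw in log.splitlines():
        # Strip mail quoting ("> ") so the log can be pasted from a reply.
        line = raw.lstrip("> ").strip()
        if m := FILE_RE.match(line):
            current = m.group(1)
        elif current is None:
            continue
        elif m := FAIL_RE.match(line):
            failed[current].append(int(m.group(1)))
        elif m := OFFSET_RE.match(line):
            if abs(int(m.group(3))) > max_offset:
                drifted[current].append((int(m.group(1)), int(m.group(3))))
    return dict(failed), dict(drifted)


if __name__ == "__main__":
    print(summarize_patch_log(SAMPLE_LOG))
```

Run over the full log quoted in this thread, it reports rejects only in the three `Makefile.am` files.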
__
> From: Steve Sakoman
> Sent: Tuesday, January 30, 2024 10:39 PM
> To: aszh07
> Cc: openembedded-core@lists.openembedded.org; Virendra Kumar Thakur; Zahir Hussain Sikkendar Basha
>
> Subject: Re: [OE-core][kirkstone][PATCH V2] nghttp2: fix CVE-2023-44487
>
> This fails at build time:
>
> ERROR: nghttp2-1.47.0-r0 do_patch: Applying patch
> 'CVE-2023-44487.patch' on target directory
> '/home/steve/builds/poky-contrib-kirkstone/build/tmp/work/core2-64-poky-linux/nghttp2/1.47.0-r0/nghttp2-1.47.0'
> CmdError('quilt --quiltrc
> /home/steve/builds/poky-contrib-kirkstone/build/tmp/work/core2-64-poky-linux/nghttp2/1.47.0-r0/recipe-sysroot-native/etc/quiltrc
> push', 0, 'stdout: Applying patch CVE-2023-44487.patch
> patching file CMakeLists.txt
> Hunk #1 succeeded at 301 (offset 39 lines).
> Hunk #2 succeeded at 342 (offset 39 lines).
> patching file cmakeconfig.h.in
> Hunk #1 succeeded at 31 (offset -3 lines).
> Hunk #2 succeeded at 76 (offset -3 lines).
> patching file configure.ac
> Hunk #1 succeeded at 922 (offset 315 lines).
> Hunk #2 succeeded at 997 (offset 315 lines).
> Hunk #3 succeeded at 1023 (offset 315 lines).
> patching file doc/Makefile.am
> Hunk #1 FAILED at 69.
> 1 out of 1 hunk FAILED -- rejects in file doc/Makefile.am
> patching file lib/CMakeLists.txt
> patching file lib/Makefile.am
> Hunk #1 FAILED at 49.
> Hunk #2 FAILED at 65.
> 2 out of 2 hunks FAILED -- rejects in file lib/Makefile.am
> patching file lib/includes/nghttp2/nghttp2.h
> Hunk #1 succeeded at 2800 (offset 37 lines).
> patching file lib/nghttp2_option.c
> patching file lib/nghttp2_ratelim.c
> patching file lib/nghttp2_ratelim.h
> patching file lib/nghttp2_session.c
> Hunk #4 succeeded at 4164 (offset 9 lines).
> Hunk #5 succeeded at 4210 (offset 9 lines).
> Hunk #6 succeeded at 6991 (offset -3 lines).
> patching file lib/nghttp2_session.h
> Hunk #4 succeeded at 234 (offset -3 lines).
> patching file lib/nghttp2_time.c
> patching file lib/nghttp2_time.h
> patching file tests/nghttp2_ratelim_test.c
> patching file tests/nghttp2_ratelim_test.h
> patching file tests/nghttp2_session_test.c
> Hunk #1 succeeded at 11089 (offset 276 lines).
> patching file tests/nghttp2_session_test.h
> Hunk #1 succeeded at 162 (offset 2 lines).
> patching file tests/CMakeLists.txt
> patching file tests/Makefile.am
> Hunk #1 FAILED at 40.
> 1 out of 1 hunk FAILED -- rejects in file tests/Makefile.am
> patching file lib/nghttp2_option.h
> patching file tests/main.c
> Hunk #2 succeeded at 330 (offset 6 lines).
> Hunk #3 succeeded at 428 (offset 7 lines).
> Patch CVE-2023-44487.patch does not apply (enforce with -f)
>
> Steve
>
> On Mon, Jan 29, 2024 at 9:17 PM aszh07 wrote:
> >
> > From: Zahir Hussain
> >
> > The HTTP/2 protocol allows a denial of service (server resource consumption)
> > because request cancellation can reset many streams quickly, as exploited in
> > the wild in August through October 2023.
> >
> > References:
> > https://nvd.nist.gov/vuln/detail/CVE-2023-44487
> > https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832
> >
> > Signed-off-by: Zahir Hussain
> > ---
> > .../nghttp2/nghttp2/CVE-2023-44487.patch | 926 ++
> > .../recipes-support/nghttp2/nghttp2_1.47.0.bb | 1 +
> > 2 files changed, 927 insertions(+)
> > create mode 100644
> > meta/recipes-support/nghttp2/nghttp2/CVE-2023-44487.patch
> >
> > diff --git a/meta/recipes-support/nghttp2/nghttp2/CVE-2023-44487.patch
> > b/meta/recipes-suppor