summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChen Qi <Qi.Chen@windriver.com>2017-05-08 03:12:11 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-06-05 22:30:21 (GMT)
commitbc45d3a86b85c30ee7ec8dac83d487d6b031820e (patch)
tree4552557f4a20332e05d94456f33a1f570d397495
parentf375c30a173469f15679c47b85432634e5869db4 (diff)
downloadpoky-bc45d3a86b85c30ee7ec8dac83d487d6b031820e.tar.gz
cve-check-tool: backport a patch to make CVE checking work
CVE checking in OE didn't work as do_populate_cve_db failed with the following error message. [snip]/downloads/CVE_CHECK/nvdcve-2.0-2002.xml is not consistent Backport a patch to fix this error. (From OE-Core rev: ee55b5685aaa4be92d6d51f8641a559d4e34ce64) (From OE-Core rev: e0f0a7283c597e783b69aac2c8e8a7663b70262d) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb1
-rw-r--r--meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch52
2 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
index fcd3182..1f906ee 100644
--- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
+++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
@@ -10,6 +10,7 @@ SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.
10 file://check-for-malloc_trim-before-using-it.patch \ 10 file://check-for-malloc_trim-before-using-it.patch \
11 file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \ 11 file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
12 file://0001-curl-allow-overriding-default-CA-certificate-file.patch \ 12 file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
13 file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \
13 " 14 "
14 15
15SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155" 16SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
new file mode 100644
index 0000000..458c0cc
--- /dev/null
+++ b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
@@ -0,0 +1,52 @@
1From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001
2From: Sergey Popovich <popovich_sergei@mail.ua>
3Date: Fri, 21 Apr 2017 07:32:23 -0700
4Subject: [PATCH] update: Compare computed vs expected sha256 digit string
5 ignoring case
6
7We produce sha256 digest string using %x snprintf()
8qualifier for each byte of digest which uses alphabetic
9characters from "a" to "f" in lower case to represent
10integer values from 10 to 15.
11
12Previously all of the NVD META files supply sha256
13digest string for corresponding XML file in lower case.
14
15However due to some reason this changed recently to
16provide digest digits in upper case causing fetched
17data consistency checks to fail. This prevents database
18from being updated periodically.
19
20While commit c4f6e94 (update: Do not treat sha256 failure
21as fatal if requested) adds useful option to skip
22digest validation at all and thus provides workaround for
23this situation, it might be unacceptable for some
24deployments where we need to ensure that downloaded
25data is consistent before start parsing it and update
26SQLite database.
27
28Use strcasecmp() to compare two digest strings case
29insensitively and addressing this case.
30
31Upstream-Status: Backport
32Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
33---
34 src/update.c | 2 +-
35 1 file changed, 1 insertion(+), 1 deletion(-)
36
37diff --git a/src/update.c b/src/update.c
38index 8588f38..3cc6b67 100644
39--- a/src/update.c
40+++ b/src/update.c
41@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data)
42 snprintf(&csum_data[idx], len, "%02hhx", digest[i]);
43 }
44
45- ret = streq(csum_meta, csum_data);
46+ ret = !strcasecmp(csum_meta, csum_data);
47
48 err_unmap:
49 munmap(buffer, length);
50--
512.11.0
52