summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChen Qi <Qi.Chen@windriver.com>2017-05-08 11:12:11 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-05-18 14:01:48 +0100
commitef506f58da3a95fba2696df749b2b81f9c118847 (patch)
tree85c09d7c2e96c8bb27f3944295760d98271cb8c4
parent1dda475da98835853a3500b616053f696b508210 (diff)
downloadpoky-ef506f58da3a95fba2696df749b2b81f9c118847.tar.gz
cve-check-tool: backport a patch to make CVE checking work
CVE checking in OE didn't work as do_populate_cve_db failed with the following error message. [snip]/downloads/CVE_CHECK/nvdcve-2.0-2002.xml is not consistent Backport a patch to fix this error. (From OE-Core rev: ee55b5685aaa4be92d6d51f8641a559d4e34ce64) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb1
-rw-r--r--meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch52
2 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
index fcd3182931..1f906ee0a4 100644
--- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
+++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
@@ -10,6 +10,7 @@ SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.
10 file://check-for-malloc_trim-before-using-it.patch \ 10 file://check-for-malloc_trim-before-using-it.patch \
11 file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \ 11 file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
12 file://0001-curl-allow-overriding-default-CA-certificate-file.patch \ 12 file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
13 file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \
13 " 14 "
14 15
15SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155" 16SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
new file mode 100644
index 0000000000..458c0cc84e
--- /dev/null
+++ b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
@@ -0,0 +1,52 @@
1From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001
2From: Sergey Popovich <popovich_sergei@mail.ua>
3Date: Fri, 21 Apr 2017 07:32:23 -0700
4Subject: [PATCH] update: Compare computed vs expected sha256 digit string
5 ignoring case
6
7We produce sha256 digest string using %x snprintf()
8qualifier for each byte of digest which uses alphabetic
9characters from "a" to "f" in lower case to represent
10integer values from 10 to 15.
11
12Previously all of the NVD META files supply sha256
13digest string for corresponding XML file in lower case.
14
15However due to some reason this changed recently to
16provide digest digits in upper case causing fetched
17data consistency checks to fail. This prevents database
18from being updated periodically.
19
20While commit c4f6e94 (update: Do not treat sha256 failure
21as fatal if requested) adds useful option to skip
22digest validation at all and thus provides workaround for
23this situation, it might be unacceptable for some
24deployments where we need to ensure that downloaded
25data is consistent before start parsing it and update
26SQLite database.
27
28Use strcasecmp() to compare two digest strings case
29insensitively and addressing this case.
30
31Upstream-Status: Backport
32Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
33---
34 src/update.c | 2 +-
35 1 file changed, 1 insertion(+), 1 deletion(-)
36
37diff --git a/src/update.c b/src/update.c
38index 8588f38..3cc6b67 100644
39--- a/src/update.c
40+++ b/src/update.c
41@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data)
42 snprintf(&csum_data[idx], len, "%02hhx", digest[i]);
43 }
44
45- ret = streq(csum_meta, csum_data);
46+ ret = !strcasecmp(csum_meta, csum_data);
47
48 err_unmap:
49 munmap(buffer, length);
50--
512.11.0
52