diff options
author | Chen Qi <Qi.Chen@windriver.com> | 2017-05-08 11:12:11 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-05-18 14:01:48 +0100 |
commit | ef506f58da3a95fba2696df749b2b81f9c118847 (patch) | |
tree | 85c09d7c2e96c8bb27f3944295760d98271cb8c4 /meta/recipes-devtools | |
parent | 1dda475da98835853a3500b616053f696b508210 (diff) | |
download | poky-ef506f58da3a95fba2696df749b2b81f9c118847.tar.gz |
cve-check-tool: backport a patch to make CVE checking work
CVE checking in OE didn't work as do_populate_cve_db failed with the following
error message.
[snip]/downloads/CVE_CHECK/nvdcve-2.0-2002.xml is not consistent
Backport a patch to fix this error.
(From OE-Core rev: ee55b5685aaa4be92d6d51f8641a559d4e34ce64)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
-rw-r--r-- | meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb | 1 | ||||
-rw-r--r-- | meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch | 52 |
2 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb index fcd3182931..1f906ee0a4 100644 --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb +++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb | |||
@@ -10,6 +10,7 @@ SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}. | |||
10 | file://check-for-malloc_trim-before-using-it.patch \ | 10 | file://check-for-malloc_trim-before-using-it.patch \ |
11 | file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \ | 11 | file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \ |
12 | file://0001-curl-allow-overriding-default-CA-certificate-file.patch \ | 12 | file://0001-curl-allow-overriding-default-CA-certificate-file.patch \ |
13 | file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \ | ||
13 | " | 14 | " |
14 | 15 | ||
15 | SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155" | 16 | SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155" |
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch new file mode 100644 index 0000000000..458c0cc84e --- /dev/null +++ b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch | |||
@@ -0,0 +1,52 @@ | |||
1 | From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Sergey Popovich <popovich_sergei@mail.ua> | ||
3 | Date: Fri, 21 Apr 2017 07:32:23 -0700 | ||
4 | Subject: [PATCH] update: Compare computed vs expected sha256 digit string | ||
5 | ignoring case | ||
6 | |||
7 | We produce sha256 digest string using %x snprintf() | ||
8 | qualifier for each byte of digest which uses alphabetic | ||
9 | characters from "a" to "f" in lower case to represent | ||
10 | integer values from 10 to 15. | ||
11 | |||
12 | Previously all of the NVD META files supply sha256 | ||
13 | digest string for corresponding XML file in lower case. | ||
14 | |||
15 | However due to some reason this changed recently to | ||
16 | provide digest digits in upper case causing fetched | ||
17 | data consistency checks to fail. This prevents database | ||
18 | from being updated periodically. | ||
19 | |||
20 | While commit c4f6e94 (update: Do not treat sha256 failure | ||
21 | as fatal if requested) adds useful option to skip | ||
22 | digest validation at all and thus provides workaround for | ||
23 | this situation, it might be unacceptable for some | ||
24 | deployments where we need to ensure that downloaded | ||
25 | data is consistent before start parsing it and update | ||
26 | SQLite database. | ||
27 | |||
28 | Use strcasecmp() to compare two digest strings case | ||
29 | insensitively and addressing this case. | ||
30 | |||
31 | Upstream-Status: Backport | ||
32 | Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> | ||
33 | --- | ||
34 | src/update.c | 2 +- | ||
35 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
36 | |||
37 | diff --git a/src/update.c b/src/update.c | ||
38 | index 8588f38..3cc6b67 100644 | ||
39 | --- a/src/update.c | ||
40 | +++ b/src/update.c | ||
41 | @@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data) | ||
42 | snprintf(&csum_data[idx], len, "%02hhx", digest[i]); | ||
43 | } | ||
44 | |||
45 | - ret = streq(csum_meta, csum_data); | ||
46 | + ret = !strcasecmp(csum_meta, csum_data); | ||
47 | |||
48 | err_unmap: | ||
49 | munmap(buffer, length); | ||
50 | -- | ||
51 | 2.11.0 | ||
52 | |||