From bc45d3a86b85c30ee7ec8dac83d487d6b031820e Mon Sep 17 00:00:00 2001 From: Chen Qi Date: Mon, 8 May 2017 11:12:11 +0800 Subject: cve-check-tool: backport a patch to make CVE checking work CVE checking in OE didn't work as do_populate_cve_db failed with the following error message. [snip]/downloads/CVE_CHECK/nvdcve-2.0-2002.xml is not consistent Backport a patch to fix this error. (From OE-Core rev: ee55b5685aaa4be92d6d51f8641a559d4e34ce64) (From OE-Core rev: e0f0a7283c597e783b69aac2c8e8a7663b70262d) Signed-off-by: Chen Qi Signed-off-by: Ross Burton Signed-off-by: Richard Purdie --- ...are-computed-vs-expected-sha256-digit-str.patch | 52 ++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch (limited to 'meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch') diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch new file mode 100644 index 0000000000..458c0cc84e --- /dev/null +++ b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch @@ -0,0 +1,52 @@ +From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001 +From: Sergey Popovich +Date: Fri, 21 Apr 2017 07:32:23 -0700 +Subject: [PATCH] update: Compare computed vs expected sha256 digit string + ignoring case + +We produce sha256 digest string using %x snprintf() +qualifier for each byte of digest which uses alphabetic +characters from "a" to "f" in lower case to represent +integer values from 10 to 15. + +Previously all of the NVD META files supply sha256 +digest string for corresponding XML file in lower case. + +However due to some reason this changed recently to +provide digest digits in upper case causing fetched +data consistency checks to fail. This prevents database +from being updated periodically. + +While commit c4f6e94 (update: Do not treat sha256 failure +as fatal if requested) adds useful option to skip +digest validation at all and thus provides workaround for +this situation, it might be unacceptable for some +deployments where we need to ensure that downloaded +data is consistent before start parsing it and update +SQLite database. + +Use strcasecmp() to compare two digest strings case +insensitively and addressing this case. + +Upstream-Status: Backport +Signed-off-by: Sergey Popovich +--- + src/update.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/update.c b/src/update.c +index 8588f38..3cc6b67 100644 +--- a/src/update.c ++++ b/src/update.c +@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data) + snprintf(&csum_data[idx], len, "%02hhx", digest[i]); + } + +- ret = streq(csum_meta, csum_data); ++ ret = !strcasecmp(csum_meta, csum_data); + + err_unmap: + munmap(buffer, length); +-- +2.11.0 + -- cgit v1.2.3-54-g00ecf