From: Jose Quaresma <quaresma.jose@gmail.com>
To: Steve Sakoman <steve@sakoman.com>
Cc: Ralph Siemsen <ralph.siemsen@linaro.org>,
	Ross Burton <ross@burtonini.com>,
	"Mittal, Anuj" <anuj.mittal@intel.com>,
	Patches and discussions about the oe-core layer
	<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH][dunfell] zlib: backport the fix for CVE-2018-25032
Date: Wed, 13 Apr 2022 18:11:07 +0100	[thread overview]
Message-ID: <CANPvuRkB_u-EqDJEjzcM60ptKw4hF2pjhPP1cpbjEp5_kW7kOw@mail.gmail.com> (raw)
In-Reply-To: <CAOSpxdYONLK8BhmNjx9uj9BDb0P=bAiJ-uAKG1edHjBnzvHc9g@mail.gmail.com>


Hi,

Steve Sakoman <steve@sakoman.com> wrote on Wednesday, 13/04/2022 at
17:02:

> On Wed, Apr 13, 2022 at 5:31 AM Steve Sakoman via
> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
> wrote:
> >
> > On Tue, Apr 12, 2022 at 3:21 PM Ralph Siemsen <ralph.siemsen@linaro.org>
> wrote:
> > >
> > > On Tue, Apr 12, 2022 at 5:49 PM Steve Sakoman <steve@sakoman.com>
> wrote:
> > >
> > > > I added a debug option to the failing command and did another
> autobuilder run.
> > > >
> > > > You can see the output here:
> > > >
> > > > https://errors.yoctoproject.org/Errors/Details/654608/
> > >
> > > Okay, same error, "Hash Sum mismatch". And if I squint between all the
> > > URL-encoding, I can see the md5/sha1/sha256/sha512sum values.
> > >
> > > The "apt update" command is doing the following:
> > > - fetch the file called "Release"
> > > - fetch the file called "Packages.gz" --> error occurs here
> > >
> > > Looking inside the Release file, it is plain text, and contains the
> > > md5/sha1/sha256/sha512 sums of both Packages and Packages.gz (and also
> > > the first two lines of Release).
> > >
> > > Manually checking each of those sums reveals an inconsistency: all the
> > > sha256 values inside Release are incorrect, while all the other
> > > md5/sha1/sha512 values are correct.
> > >
> > > And when we look at the URL-encoded debug info... the sha256 value is
> > > the correct one for Packages.gz (as computed manually). However it
> > > does not match the (incorrect) value within the Release file. Thus it
> > > seems apt-get is justified when it complains about "Hash Sum
> > > mismatch".
> > >
> > > Going back to my Ubuntu system, and looking at the generated Release
> > > file... all the checksums are correct, including the sha256sum.
> > >
> > > So I am now looking into how Release file gets generated... as the
> > > problem appears to be there... and it happens on Fedora but not
> > > Ubuntu.
> >
> > As far as I can tell it is done here:
> >
> >
> https://git.yoctoproject.org/poky/tree/meta/lib/oe/package_manager.py?h=dunfell#n301
> >
> > > One additional point to add: on the same Fedora 35 system, I did a
> > > full rebuild *without* the xz/gzip CVE fixes, and the apt failure
> > > still occurs. To be certain, I nuked cache, sstate-cache and tmp (so
> > > basically the entire build directory) and the rebuild took several
> > > hours.
> >
> > Now that is really strange!  In my experience it has only appeared
> > after adding the zlib or xz CVE fix patches.
> >
> > I just started two runs on the autobuilder, with the zlib patch as the
> > only difference.  Both on Fedora 35.
>
> Both runs completed and I'm still seeing success without the zlib patch:
>
> https://autobuilder.yoctoproject.org/typhoon/#/builders/50/builds/5069
>
> and failure with the patch:
>
> https://autobuilder.yoctoproject.org/typhoon/#/builders/50/builds/5070


It seems the test that failed is something related to apt.
Is this repo hosted on 192.168.7.5 shared between the master and dunfell
branches?
I ask this because there are some issues with apt [1] on master and it could
be related to this.

[1] apt: add apt selftest to test signed package feeds

Started HTTPService on 0.0.0.0:35637
Traceback (most recent call last):
File
"/home/pokybuild/yocto-worker/pkgman-deb-non-deb/build/meta/lib/oeqa/core/decorator/__init__.py",
line 36, in wrapped_f
return func(*args, **kwargs)
File
"/home/pokybuild/yocto-worker/pkgman-deb-non-deb/build/meta/lib/oeqa/core/decorator/__init__.py",
line 36, in wrapped_f
return func(*args, **kwargs)
File
"/home/pokybuild/yocto-worker/pkgman-deb-non-deb/build/meta/lib/oeqa/core/decorator/__init__.py",
line 36, in wrapped_f
return func(*args, **kwargs)
File
"/home/pokybuild/yocto-worker/pkgman-deb-non-deb/build/meta/lib/oeqa/runtime/cases/apt.py",
line 50, in test_apt_install_from_repo
self.pkg('update')
File
"/home/pokybuild/yocto-worker/pkgman-deb-non-deb/build/meta/lib/oeqa/runtime/cases/apt.py",
line 17, in pkg
self.assertEqual(status, expected, message)
AssertionError: 100 != 0 : apt-get update
Ign:1 http://192.168.7.5:42261 ./ InRelease
Get:2 http://192.168.7.5:42261 ./ Release [1213 B]
Ign:3 http://192.168.7.5:42261 ./ Release.gpg
Get:4 http://192.168.7.5:42261 ./ Packages [59.3 kB]
Err:4 http://192.168.7.5:42261 ./ Packages
Hash Sum mismatch
Fetched 60.5 kB in 20s (3020 B/s)
Reading package lists...
W: The repository 'http://192.168.7.5:42261 ./ Release' is not signed.
E: Failed to fetch http://192.168.7.5:42261/./Packages.gz Hash Sum mismatch
E: Some index files failed to download. They have been ignored, or old ones
used instead.

Jose


>
> Steve
>

-- 
Best regards,

José Quaresma
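The manual check Ralph describes above (recomputing every digest listed in Release against the index files on disk, and noticing that only the sha256 entries disagree) can be scripted. The following is an added example written for this page; it is not code from the thread, from OpenEmbedded, or from apt. It assumes a plain flat repository layout where the file names listed in Release are relative to one directory, and it builds a constructed demo repository whose Release file has deliberately wrong SHA256 lines, mimicking the symptom in the thread, so that it runs offline.

```python
"""Verify the checksums listed in a Debian-style Release file.

Added example (not from the mailing list thread, OpenEmbedded or apt): given
Release text and the directory it describes, recompute md5/sha1/sha256/sha512
for every listed index file and report, per algorithm, which entries disagree.
When a single algorithm is wrong for every file while the others match, the
index files are intact and the Release generator is the suspect.
"""
import hashlib
import os
import tempfile

# Section header in Release -> hashlib algorithm name.
SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


def parse_release(text):
    """Return {algorithm: {filename: (hexdigest, size)}} parsed from Release text."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.startswith((" ", "\t")):
            # A non-indented line is a field header such as "SHA256:" or "Origin: x".
            current = SECTIONS.get(line.split(":", 1)[0])
            continue
        if current is None:
            continue  # indented continuation of a field we do not care about
        parts = line.split()
        if len(parts) != 3:
            continue
        digest, size, name = parts
        entries.setdefault(current, {})[name] = (digest.lower(), int(size))
    return entries


def verify_release(release_text, repo_dir):
    """Return {algorithm: {filename: 'ok'|'mismatch'|'size-mismatch'|'missing'}}."""
    results = {}
    for algo, files in parse_release(release_text).items():
        for name, (expected, size) in files.items():
            path = os.path.join(repo_dir, name)
            if not os.path.isfile(path):
                results.setdefault(algo, {})[name] = "missing"
                continue
            with open(path, "rb") as f:
                data = f.read()
            actual = hashlib.new(algo, data).hexdigest()
            if len(data) != size:
                status = "size-mismatch"
            elif actual != expected:
                status = "mismatch"
            else:
                status = "ok"
            results.setdefault(algo, {})[name] = status
    return results


def bad_algorithms(results):
    """Algorithms with at least one non-ok entry, sorted by name."""
    return sorted(a for a, files in results.items()
                  if any(s != "ok" for s in files.values()))


def make_demo_repo():
    """Build a constructed repository (hypothetical data) whose Release file
    carries wrong SHA256 digests and correct md5/sha1/sha512 digests, as seen
    in the thread. Returns (release_text, repo_dir)."""
    repo = tempfile.mkdtemp()
    packages = b"Package: hello\nVersion: 1.0\n\n"  # constructed index content
    with open(os.path.join(repo, "Packages"), "wb") as f:
        f.write(packages)
    lines = ["Origin: constructed", "Label: demo"]
    for header, algo in SECTIONS.items():
        digest = hashlib.new(algo, packages).hexdigest()
        if algo == "sha256":
            digest = "0" * 64  # deliberately wrong, mimicking the faulty generator
        lines.append(f"{header}:")
        lines.append(f" {digest} {len(packages)} Packages")
    return "\n".join(lines) + "\n", repo


if __name__ == "__main__":
    release, repo = make_demo_repo()
    res = verify_release(release, repo)
    for algo, files in sorted(res.items()):
        for name, status in files.items():
            print(f"{algo:6} {name}: {status}")
    print("suspect algorithms:", bad_algorithms(res))
```

Pointing `verify_release` at the Release text and directory of a real flat feed (for example the one served from the build's `deploy/deb` directory) gives the same per-algorithm table Ralph built by hand; apt only ever reports the first disagreement as "Hash Sum mismatch", so seeing every algorithm side by side is what separates a corrupted index file from a Release generator that emits one bad digest type.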

