* [PATCH 1/5] cve-check: honor RM_OLD_IMAGE flag
2017-06-05 7:21 [PATCH 0/5] cve-check improvements Peter Marko
@ 2017-06-05 7:21 ` Peter Marko
2017-06-05 11:05 ` Marko, Peter
2017-06-05 7:21 ` [PATCH 2/5] cve-check: add do_rootfs dependency on cve-check Peter Marko
` (8 subsequent siblings)
9 siblings, 1 reply; 14+ messages in thread
From: Peter Marko @ 2017-06-05 7:21 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
meta/classes/cve-check.bbclass | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 3a9e227..d8ac412 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -96,6 +96,8 @@ python cve_check_write_rootfs_manifest () {
manifest_link = os.path.join(deploy_dir, "%s.cve" % link_name)
# If we already have another manifest, update symlinks
if os.path.exists(os.path.realpath(manifest_link)):
+ if d.getVar('RM_OLD_IMAGE') == "1":
+ os.remove(os.path.realpath(manifest_link))
os.remove(manifest_link)
os.symlink(os.path.basename(manifest_name), manifest_link)
bb.plain("Image CVE report stored in: %s" % manifest_name)
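Review bot: in the added RM_OLD_IMAGE branch, os.remove(os.path.realpath(manifest_link)) is followed unconditionally by os.remove(manifest_link), so when manifest_link is a regular file rather than a symlink both calls name the same path and the second one raises FileNotFoundError. The same branch also deletes the file the new symlink is about to point at if the old link already resolves to manifest_name. Suggest resolving the target once and removing it only when it differs from both manifest_link and manifest_name. The commit message has no body; one sentence on what RM_OLD_IMAGE is expected to do to CVE manifests would help.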
--
2.1.4
* [PATCH 2/5] cve-check: add do_rootfs dependency on cve-check
2017-06-05 7:21 [PATCH 0/5] cve-check improvements Peter Marko
2017-06-05 7:21 ` [PATCH 1/5] cve-check: honor RM_OLD_IMAGE flag Peter Marko
@ 2017-06-05 7:21 ` Peter Marko
2017-06-05 7:21 ` [PATCH 3/5] cve-check: do not parse error output Peter Marko
` (7 subsequent siblings)
9 siblings, 0 replies; 14+ messages in thread
From: Peter Marko @ 2017-06-05 7:21 UTC (permalink / raw)
To: openembedded-core
Since do_rootfs depends on cve-check results of all recipes,
we need to recursively depend on recipe do_cve_check.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
meta/classes/cve-check.bbclass | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index d8ac412..f851ec4 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -104,6 +104,7 @@ python cve_check_write_rootfs_manifest () {
}
ROOTFS_POSTPROCESS_COMMAND_prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
+do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
def get_patches_cves(d):
"""
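Review bot: the added do_rootfs[recrdeptask] line has no comment, and recrdeptask follows the whole recursive dependency tree of the image, which includes build-time and native recipes as well as the ones that end up in the rootfs. If that breadth is intended (the commit message says "all recipes"), say so in a comment above the line; if only packaged recipes matter, the extra do_cve_check runs are avoidable build time.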
--
2.1.4
* [PATCH 3/5] cve-check: do not parse error output
2017-06-05 7:21 [PATCH 0/5] cve-check improvements Peter Marko
2017-06-05 7:21 ` [PATCH 1/5] cve-check: honor RM_OLD_IMAGE flag Peter Marko
2017-06-05 7:21 ` [PATCH 2/5] cve-check: add do_rootfs dependency on cve-check Peter Marko
@ 2017-06-05 7:21 ` Peter Marko
2017-06-05 7:21 ` [PATCH 4/5] cve-check: clean cve-check recipe result before re-building Peter Marko
` (6 subsequent siblings)
9 siblings, 0 replies; 14+ messages in thread
From: Peter Marko @ 2017-06-05 7:21 UTC (permalink / raw)
To: openembedded-core
Sometimes there are control messages in cve-check-tool printed to
stderr. These lead to a parsing error and thus a failed build.
This can happen, for instance, when the cve database needs to be
refreshed during the build.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
meta/classes/cve-check.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index f851ec4..9007a6e 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -174,7 +174,7 @@ def check_cves(d, patched_cves):
f.write("%s,%s,%s," % (bpn, pv, cves))
cmd.append(faux)
- output = subprocess.check_output(cmd, stderr=subprocess.STDOUT).decode("utf-8")
+ output = subprocess.check_output(cmd).decode("utf-8")
bb.debug(2, "Output of command %s:\n%s" % ("\n".join(cmd), output))
except subprocess.CalledProcessError as e:
bb.warn("Couldn't check for CVEs: %s (output %s)" % (e, e.output))
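Review bot: with stderr=subprocess.STDOUT dropped from check_output, the except branch below still prints e.output, which now holds only stdout, so the "Couldn't check for CVEs" warning loses the tool's error text exactly when the command fails. Suggest capturing stderr in its own pipe, keeping it out of the parsed output but including it in the bb.warn message.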
--
2.1.4
* [PATCH 4/5] cve-check: clean cve-check recipe result before re-building
2017-06-05 7:21 [PATCH 0/5] cve-check improvements Peter Marko
` (2 preceding siblings ...)
2017-06-05 7:21 ` [PATCH 3/5] cve-check: do not parse error output Peter Marko
@ 2017-06-05 7:21 ` Peter Marko
2017-06-05 7:21 ` [PATCH 5/5] cve-check-tool: fix crash on exceptions Peter Marko
` (5 subsequent siblings)
9 siblings, 0 replies; 14+ messages in thread
From: Peter Marko @ 2017-06-05 7:21 UTC (permalink / raw)
To: openembedded-core
If there is a cve report for a recipe in the previous build and there
is no result for the current one, old cves are kept in CVE_CHECK_DIR.
This happens on version upgrade or when a cve/recipe is whitelisted.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
meta/classes/cve-check.bbclass | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 9007a6e..21f3225 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -83,6 +83,11 @@ python cve_check_write_rootfs_manifest () {
import shutil
+ if d.getVar("CVE_CHECK_COPY_FILES") == "1":
+ deploy_file = os.path.join(d.getVar("CVE_CHECK_DIR"), d.getVar("PN"))
+ if os.path.exists(deploy_file):
+ bb.utils.remove(deploy_file)
+
if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")):
bb.note("Writing rootfs CVE manifest")
deploy_dir = d.getVar("DEPLOY_DIR_IMAGE")
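Review bot: per the hunk header this cleanup sits in cve_check_write_rootfs_manifest, ahead of the "Writing rootfs CVE manifest" step, so PN here is the image recipe and the path removed is the image's own entry under CVE_CHECK_DIR. The commit message describes stale reports of ordinary recipes (version upgrade, whitelisting), which this placement does not touch. Suggest moving the removal to the start of the per-recipe check task, or explaining in the message why the rootfs function is the right place.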
--
2.1.4
* [PATCH 5/5] cve-check-tool: fix crash on exceptions
2017-06-05 7:21 [PATCH 0/5] cve-check improvements Peter Marko
` (3 preceding siblings ...)
2017-06-05 7:21 ` [PATCH 4/5] cve-check: clean cve-check recipe result before re-building Peter Marko
@ 2017-06-05 7:21 ` Peter Marko
2017-06-07 6:04 ` [PATCH v2 0/4] cve-check improvements Peter Marko
` (4 subsequent siblings)
9 siblings, 0 replies; 14+ messages in thread
From: Peter Marko @ 2017-06-05 7:21 UTC (permalink / raw)
To: openembedded-core
This fixes cve-check-tool crashes on exceptions.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
.../cve-check-tool/cve-check-tool_5.6.4.bb | 1 +
...01-Fix-freeing-memory-allocated-by-sqlite.patch | 50 ++++++++++++++++++++++
2 files changed, 51 insertions(+)
create mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
index 1f906ee..4829b11 100644
--- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
+++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
@@ -11,6 +11,7 @@ SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.
file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \
+ file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \
"
SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
new file mode 100644
index 0000000..4a82cf2
--- /dev/null
+++ b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
@@ -0,0 +1,50 @@
+From a3353429652f83bb8b0316500faa88fa2555542d Mon Sep 17 00:00:00 2001
+From: Peter Marko <peter.marko@siemens.com>
+Date: Thu, 13 Apr 2017 23:09:52 +0200
+Subject: [PATCH] Fix freeing memory allocated by sqlite
+
+Upstream-Status: Backport
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/core.c b/src/core.c
+index 6263031..6788f16 100644
+--- a/src/core.c
++++ b/src/core.c
+@@ -82,7 +82,7 @@ static bool ensure_table(CveDB *self)
+ rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
+ if (rc != SQLITE_OK) {
+ fprintf(stderr, "ensure_table(): %s\n", err);
+- free(err);
++ sqlite3_free(err);
+ return false;
+ }
+
+@@ -91,7 +91,7 @@ static bool ensure_table(CveDB *self)
+ rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
+ if (rc != SQLITE_OK) {
+ fprintf(stderr, "ensure_table(): %s\n", err);
+- free(err);
++ sqlite3_free(err);
+ return false;
+ }
+
+@@ -99,11 +99,11 @@ static bool ensure_table(CveDB *self)
+ rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
+ if (rc != SQLITE_OK) {
+ fprintf(stderr, "ensure_table(): %s\n", err);
+- free(err);
++ sqlite3_free(err);
+ return false;
+ }
+ if (err) {
+- free(err);
++ sqlite3_free(err);
+ }
+
+ return true;
+--
+2.1.4
+
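Review bot: the embedded patch header says "Upstream-Status: Backport" but names no upstream commit or URL, and neither it nor the recipe commit message explains the defect. Suggest adding the upstream reference after "Backport" and one sentence stating that the error string returned through the last argument of sqlite3_exec() is allocated by SQLite and has to be released with sqlite3_free(), since "fix crash on exceptions" does not lead a reader to that.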
--
2.1.4
* [PATCH v2 0/4] cve-check improvements
2017-06-05 7:21 [PATCH 0/5] cve-check improvements Peter Marko
` (4 preceding siblings ...)
2017-06-05 7:21 ` [PATCH 5/5] cve-check-tool: fix crash on exceptions Peter Marko
@ 2017-06-07 6:04 ` Peter Marko
2017-06-07 6:04 ` [PATCH v2 1/4] cve-check: add do_rootfs dependency on cve-check Peter Marko
` (3 subsequent siblings)
9 siblings, 0 replies; 14+ messages in thread
From: Peter Marko @ 2017-06-07 6:04 UTC (permalink / raw)
To: openembedded-core
Hi,
this series of patches fixes some issues with cve-check functionality.
v2: drop patch for RM_OLD_IMAGE handling
Peter Marko (4):
cve-check: add do_rootfs dependency on cve-check
cve-check: do not parse error output
cve-check: clean cve-check recipe result before re-building
cve-check-tool: fix crash on exceptions
meta/classes/cve-check.bbclass | 8 +++-
.../cve-check-tool/cve-check-tool_5.6.4.bb | 1 +
...01-Fix-freeing-memory-allocated-by-sqlite.patch | 50 ++++++++++++++++++++++
3 files changed, 58 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
--
2.1.4
* [PATCH v2 1/4] cve-check: add do_rootfs dependency on cve-check
2017-06-05 7:21 [PATCH 0/5] cve-check improvements Peter Marko
` (5 preceding siblings ...)
2017-06-07 6:04 ` [PATCH v2 0/4] cve-check improvements Peter Marko
@ 2017-06-07 6:04 ` Peter Marko
2017-06-07 6:04 ` [PATCH v2 2/4] cve-check: do not parse error output Peter Marko
` (2 subsequent siblings)
9 siblings, 0 replies; 14+ messages in thread
From: Peter Marko @ 2017-06-07 6:04 UTC (permalink / raw)
To: openembedded-core
Since do_rootfs depends on cve-check results of all recipes,
we need to recursively depend on recipe do_cve_check.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
meta/classes/cve-check.bbclass | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 3a9e227..660fe7a 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -102,6 +102,7 @@ python cve_check_write_rootfs_manifest () {
}
ROOTFS_POSTPROCESS_COMMAND_prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
+do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
def get_patches_cves(d):
"""
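Review bot: the inline-Python test on CVE_CHECK_CREATE_MANIFEST in the added line is a copy of the one in ROOTFS_POSTPROCESS_COMMAND_prepend directly above it, and the two have to stay in step or the manifest function can run without its do_cve_check dependency. A one-line comment tying the two lines together would make that coupling visible to whoever edits either one next.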
--
2.1.4
* [PATCH v2 2/4] cve-check: do not parse error output
2017-06-05 7:21 [PATCH 0/5] cve-check improvements Peter Marko
` (6 preceding siblings ...)
2017-06-07 6:04 ` [PATCH v2 1/4] cve-check: add do_rootfs dependency on cve-check Peter Marko
@ 2017-06-07 6:04 ` Peter Marko
2017-06-07 6:04 ` [PATCH v2 3/4] cve-check: clean cve-check recipe result before re-building Peter Marko
2017-06-07 6:04 ` [PATCH v2 4/4] cve-check-tool: fix crash on exceptions Peter Marko
9 siblings, 0 replies; 14+ messages in thread
From: Peter Marko @ 2017-06-07 6:04 UTC (permalink / raw)
To: openembedded-core
Sometimes there are control messages in cve-check-tool printed to
stderr. These lead to a parsing error and thus a failed build.
This can happen, for instance, when the cve database needs to be
refreshed during the build.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
meta/classes/cve-check.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 660fe7a..1f0b691 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -172,7 +172,7 @@ def check_cves(d, patched_cves):
f.write("%s,%s,%s," % (bpn, pv, cves))
cmd.append(faux)
- output = subprocess.check_output(cmd, stderr=subprocess.STDOUT).decode("utf-8")
+ output = subprocess.check_output(cmd).decode("utf-8")
bb.debug(2, "Output of command %s:\n%s" % ("\n".join(cmd), output))
except subprocess.CalledProcessError as e:
bb.warn("Couldn't check for CVEs: %s (output %s)" % (e, e.output))
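Review bot: after this change the tool's stderr is no longer captured at all, so the bb.debug line "Output of command" records only stdout and the control messages named in the commit message (a database refresh, for instance) leave no trace in what this function logs. Suggest reading stderr separately and passing it to bb.debug, so the parse stays clean without losing the diagnostics.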
--
2.1.4
* [PATCH v2 3/4] cve-check: clean cve-check recipe result before re-building
2017-06-05 7:21 [PATCH 0/5] cve-check improvements Peter Marko
` (7 preceding siblings ...)
2017-06-07 6:04 ` [PATCH v2 2/4] cve-check: do not parse error output Peter Marko
@ 2017-06-07 6:04 ` Peter Marko
2017-06-07 6:04 ` [PATCH v2 4/4] cve-check-tool: fix crash on exceptions Peter Marko
9 siblings, 0 replies; 14+ messages in thread
From: Peter Marko @ 2017-06-07 6:04 UTC (permalink / raw)
To: openembedded-core
If there is a cve report for a recipe in the previous build and there
is no result for the current one, old cves are kept in CVE_CHECK_DIR.
This happens on version upgrade or when a cve/recipe is whitelisted.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
meta/classes/cve-check.bbclass | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 1f0b691..6f5b0f5 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -83,6 +83,11 @@ python cve_check_write_rootfs_manifest () {
import shutil
+ if d.getVar("CVE_CHECK_COPY_FILES") == "1":
+ deploy_file = os.path.join(d.getVar("CVE_CHECK_DIR"), d.getVar("PN"))
+ if os.path.exists(deploy_file):
+ bb.utils.remove(deploy_file)
+
if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")):
bb.note("Writing rootfs CVE manifest")
deploy_dir = d.getVar("DEPLOY_DIR_IMAGE")
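Review bot: the added block deletes deploy_file without logging anything, so a report that disappears between two builds cannot be explained from the task log. Suggest a bb.debug or bb.note line naming deploy_file just before bb.utils.remove(deploy_file).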
--
2.1.4
* [PATCH v2 4/4] cve-check-tool: fix crash on exceptions
2017-06-05 7:21 [PATCH 0/5] cve-check improvements Peter Marko
` (8 preceding siblings ...)
2017-06-07 6:04 ` [PATCH v2 3/4] cve-check: clean cve-check recipe result before re-building Peter Marko
@ 2017-06-07 6:04 ` Peter Marko
2017-06-07 16:03 ` Leonardo Sandoval
9 siblings, 1 reply; 14+ messages in thread
From: Peter Marko @ 2017-06-07 6:04 UTC (permalink / raw)
To: openembedded-core
This fixes cve-check-tool crashes on exceptions.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
.../cve-check-tool/cve-check-tool_5.6.4.bb | 1 +
...01-Fix-freeing-memory-allocated-by-sqlite.patch | 50 ++++++++++++++++++++++
2 files changed, 51 insertions(+)
create mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
index 1f906ee..4829b11 100644
--- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
+++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
@@ -11,6 +11,7 @@ SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.
file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \
+ file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \
"
SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
new file mode 100644
index 0000000..4a82cf2
--- /dev/null
+++ b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
@@ -0,0 +1,50 @@
+From a3353429652f83bb8b0316500faa88fa2555542d Mon Sep 17 00:00:00 2001
+From: Peter Marko <peter.marko@siemens.com>
+Date: Thu, 13 Apr 2017 23:09:52 +0200
+Subject: [PATCH] Fix freeing memory allocated by sqlite
+
+Upstream-Status: Backport
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/core.c b/src/core.c
+index 6263031..6788f16 100644
+--- a/src/core.c
++++ b/src/core.c
+@@ -82,7 +82,7 @@ static bool ensure_table(CveDB *self)
+ rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
+ if (rc != SQLITE_OK) {
+ fprintf(stderr, "ensure_table(): %s\n", err);
+- free(err);
++ sqlite3_free(err);
+ return false;
+ }
+
+@@ -91,7 +91,7 @@ static bool ensure_table(CveDB *self)
+ rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
+ if (rc != SQLITE_OK) {
+ fprintf(stderr, "ensure_table(): %s\n", err);
+- free(err);
++ sqlite3_free(err);
+ return false;
+ }
+
+@@ -99,11 +99,11 @@ static bool ensure_table(CveDB *self)
+ rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
+ if (rc != SQLITE_OK) {
+ fprintf(stderr, "ensure_table(): %s\n", err);
+- free(err);
++ sqlite3_free(err);
+ return false;
+ }
+ if (err) {
+- free(err);
++ sqlite3_free(err);
+ }
+
+ return true;
+--
+2.1.4
+
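Review bot: in the last src/core.c hunk of the embedded patch the guard "if (err)" around sqlite3_free(err) is unnecessary, because sqlite3_free() is a no-op on a NULL pointer. Dropping the guard would make that site read like the other three; if the aim is to keep the backport identical to the upstream text, leave it and note that in the patch header.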
--
2.1.4
* Re: [PATCH v2 4/4] cve-check-tool: fix crash on exceptions
2017-06-07 6:04 ` [PATCH v2 4/4] cve-check-tool: fix crash on exceptions Peter Marko
@ 2017-06-07 16:03 ` Leonardo Sandoval
2017-06-07 16:20 ` Marko, Peter
0 siblings, 1 reply; 14+ messages in thread
From: Leonardo Sandoval @ 2017-06-07 16:03 UTC (permalink / raw)
To: Peter Marko; +Cc: openembedded-core
the commit shortlog does not match what the patch is doing, unless the
new replaced function is the one avoiding exceptions..
On Wed, 2017-06-07 at 08:04 +0200, Peter Marko wrote:
> This fixes cve-check-tool crashes on exceptions.
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
> .../cve-check-tool/cve-check-tool_5.6.4.bb | 1 +
> ...01-Fix-freeing-memory-allocated-by-sqlite.patch | 50 ++++++++++++++++++++++
> 2 files changed, 51 insertions(+)
> create mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
>
> diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
> index 1f906ee..4829b11 100644
> --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
> +++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
> @@ -11,6 +11,7 @@ SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.
> file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
> file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
> file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \
> + file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \
> "
>
> SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
> diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
> new file mode 100644
> index 0000000..4a82cf2
> --- /dev/null
> +++ b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
> @@ -0,0 +1,50 @@
> +From a3353429652f83bb8b0316500faa88fa2555542d Mon Sep 17 00:00:00 2001
> +From: Peter Marko <peter.marko@siemens.com>
> +Date: Thu, 13 Apr 2017 23:09:52 +0200
> +Subject: [PATCH] Fix freeing memory allocated by sqlite
> +
> +Upstream-Status: Backport
> +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> +---
> + src/core.c | 8 ++++----
> + 1 file changed, 4 insertions(+), 4 deletions(-)
> +
> +diff --git a/src/core.c b/src/core.c
> +index 6263031..6788f16 100644
> +--- a/src/core.c
> ++++ b/src/core.c
> +@@ -82,7 +82,7 @@ static bool ensure_table(CveDB *self)
> + rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
> + if (rc != SQLITE_OK) {
> + fprintf(stderr, "ensure_table(): %s\n", err);
> +- free(err);
> ++ sqlite3_free(err);
> + return false;
> + }
> +
> +@@ -91,7 +91,7 @@ static bool ensure_table(CveDB *self)
> + rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
> + if (rc != SQLITE_OK) {
> + fprintf(stderr, "ensure_table(): %s\n", err);
> +- free(err);
> ++ sqlite3_free(err);
> + return false;
> + }
> +
> +@@ -99,11 +99,11 @@ static bool ensure_table(CveDB *self)
> + rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
> + if (rc != SQLITE_OK) {
> + fprintf(stderr, "ensure_table(): %s\n", err);
> +- free(err);
> ++ sqlite3_free(err);
> + return false;
> + }
> + if (err) {
> +- free(err);
> ++ sqlite3_free(err);
> + }
> +
> + return true;
> +--
> +2.1.4
> +
> --
> 2.1.4
>
* Re: [PATCH v2 4/4] cve-check-tool: fix crash on exceptions
2017-06-07 16:03 ` Leonardo Sandoval
@ 2017-06-07 16:20 ` Marko, Peter
0 siblings, 0 replies; 14+ messages in thread
From: Marko, Peter @ 2017-06-07 16:20 UTC (permalink / raw)
To: openembedded-core
> the commit shortlog does not match what the patch is doing, unless the new replaced function is the one avoiding exceptions..
The fixed issue is tracked under https://github.com/ikeydoherty/cve-check-tool/issues/60
It says "crash on bad pointer free".
It fixes a crash when freeing an invalid pointer, which happened on sqlite exceptions.
If necessary, I can update the commit message with a longer explanation.
On Wed, 2017-06-07 at 08:04 +0200, Peter Marko wrote:
> This fixes cve-check-tool crashes on exceptions.
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
> .../cve-check-tool/cve-check-tool_5.6.4.bb | 1 +
> ...01-Fix-freeing-memory-allocated-by-sqlite.patch | 50
> ++++++++++++++++++++++
> 2 files changed, 51 insertions(+)
> create mode 100644
> meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-all
> ocated-by-sqlite.patch
>
> diff --git
> a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
> b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
> index 1f906ee..4829b11 100644
> --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
> +++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
> @@ -11,6 +11,7 @@ SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.
> file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
> file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
>
> file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
> \
> + file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \
> "
>
> SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
> diff --git
> a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-a
> llocated-by-sqlite.patch
> b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-a
> llocated-by-sqlite.patch
> new file mode 100644
> index 0000000..4a82cf2
> --- /dev/null
> +++ b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memo
> +++ ry-allocated-by-sqlite.patch
> @@ -0,0 +1,50 @@
> +From a3353429652f83bb8b0316500faa88fa2555542d Mon Sep 17 00:00:00
> +2001
> +From: Peter Marko <peter.marko@siemens.com>
> +Date: Thu, 13 Apr 2017 23:09:52 +0200
> +Subject: [PATCH] Fix freeing memory allocated by sqlite
> +
> +Upstream-Status: Backport
> +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> +---
> + src/core.c | 8 ++++----
> + 1 file changed, 4 insertions(+), 4 deletions(-)
> +
> +diff --git a/src/core.c b/src/core.c
> +index 6263031..6788f16 100644
> +--- a/src/core.c
> ++++ b/src/core.c
> +@@ -82,7 +82,7 @@ static bool ensure_table(CveDB *self)
> + rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
> + if (rc != SQLITE_OK) {
> + fprintf(stderr, "ensure_table(): %s\n", err);
> +- free(err);
> ++ sqlite3_free(err);
> + return false;
> + }
> +
> +@@ -91,7 +91,7 @@ static bool ensure_table(CveDB *self)
> + rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
> + if (rc != SQLITE_OK) {
> + fprintf(stderr, "ensure_table(): %s\n", err);
> +- free(err);
> ++ sqlite3_free(err);
> + return false;
> + }
> +
> +@@ -99,11 +99,11 @@ static bool ensure_table(CveDB *self)
> + rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
> + if (rc != SQLITE_OK) {
> + fprintf(stderr, "ensure_table(): %s\n", err);
> +- free(err);
> ++ sqlite3_free(err);
> + return false;
> + }
> + if (err) {
> +- free(err);
> ++ sqlite3_free(err);
> + }
> +
> + return true;
> +--
> +2.1.4
> +
> --
> 2.1.4
>