From: "Mike Crowe" <yocto@mac.mcrowe.com>
To: Steve Sakoman <steve@sakoman.com>
Cc: Patches and discussions about the oe-core layer
<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [dunfell][PATCH v2] curl: Fix CVE-2021-22924 and CVE-2021-22925
Date: Wed, 4 Aug 2021 20:42:17 +0100 [thread overview]
Message-ID: <20210804194217.GA18303@mcrowe.com> (raw)
In-Reply-To: <CAOSpxdbthf5JtAGYri==t=izjpTXFbWU733YtxRXjTgQ+pjcTg@mail.gmail.com>
On Wednesday 04 August 2021 at 08:05:27 -1000, Steve Sakoman wrote:
> On Wed, Aug 4, 2021 at 7:27 AM Steve Sakoman via
> lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
> wrote:
> >
> > On Wed, Aug 4, 2021 at 7:06 AM Mike Crowe via lists.openembedded.org
> > <yocto=mac.mcrowe.com@lists.openembedded.org> wrote:
> > >
> > > curl v7.78 contained fixes for five CVEs:
> > >
> > > CVE-2021-22922[1] and CVE-2021-22923[2] are only present when support
> > > for metalink is enabled. EXTRA_OECONF contains "--without-libmetalink"
> > > so these fixes are unnecessary.
> > >
> > > CVE-2021-22926[3] only affects builds for MacOS.
> > >
> > > CVE-2021-22924[4] and CVE-2021-22925[5] are both applicable. Take the
> > > patches from Ubuntu 20.04 curl_7.68.0-1ubuntu2.6 package which is close
> > > enough that the patch for CVE-2021-22924 applies without conflicts. The
> > > CVE-2021-22925 patch required only a small tweak to apply.
> > >
> > > [1] https://curl.se/docs/CVE-2021-22922.html
> > > [2] https://curl.se/docs/CVE-2021-22923.html
> > > [3] https://curl.se/docs/CVE-2021-22926.html
> > > [4] https://curl.se/docs/CVE-2021-22924.html
> > > [5] https://curl.se/docs/CVE-2021-22925.html
> >
> > This patch wouldn't apply because there's another curl CVE fix in my
> > testing queue (curl: Fix for CVE-2021-22898):
> >
> > https://lists.openembedded.org/g/openembedded-core/message/154145
> >
> > I went ahead and did the required fixup so no need for you to do anything.
>
> Sigh. I spoke too soon. Your CVE-2021-22925 patch and the previous
> CVE-2021-22898 patch both touch lib/telnet.c so your patch won't apply
> now.
>
> You mentioned that you had to tweak the CVE-2021-22925 patch, might
> this be related to the CVE-2021-22898 fix (which is a one-liner)?
Ah, yes. That's the change I had to accommodate. You can either tweak my
patch (just adding the "== 2" to the patch should work - that's the
opposite of what I did) or just drop your CVE-2021-22898 patch since the
CVE-2021-22925 patch supersedes it.)
Alternatively, I can do whichever of those you prefer tomorrow if you wish.
Thanks.
Mike.
next prev parent reply other threads:[~2021-08-04 19:42 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-04 17:05 [dunfell][PATCH v2] curl: Fix CVE-2021-22924 and CVE-2021-22925 Mike Crowe
2021-08-04 17:27 ` [OE-core] " Steve Sakoman
[not found] ` <16982A916A07A38B.6121@lists.openembedded.org>
2021-08-04 18:05 ` Steve Sakoman
2021-08-04 19:42 ` Mike Crowe [this message]
2021-08-04 19:53 ` Steve Sakoman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210804194217.GA18303@mcrowe.com \
--to=yocto@mac.mcrowe.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=steve@sakoman.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.