* Re: bash: Fix CVE-2019-18276 [not found] ` <4f09ab13-9571-3464-2fc3-334bc91b9c09@case.edu> @ 2020-02-18 2:46 ` Huo, De [not found] ` <99d34efd-3a68-0b05-0e15-fbfd360a2f2a@case.edu> 0 siblings, 1 reply; 17+ messages in thread From: Huo, De @ 2020-02-18 2:46 UTC (permalink / raw) To: chet.ramey, Phil Reid, akuster808, Richard Purdie, Patches and discussions about the oe-core layer I applied the patch to fix CVE defect CVE-2019-18276. Can I reproduce this failure on my side? ________________________________________ From: Chet Ramey [chet.ramey@case.edu] Sent: Monday, February 17, 2020 10:24 PM To: Phil Reid; Huo, De; akuster808@gmail.com; Richard Purdie; Patches and discussions about the oe-core layer Cc: chet.ramey@case.edu Subject: Re: bash: Fix CVE-2019-18276 On 2/16/20 9:56 PM, Phil Reid wrote: > Hi All, > > I recently started get the following failure with bash after "b348e31c93f0 > bash: Fix CVE-2019-18276" > was applied to zeus. > > Any thoughts? What is the `Fix CVE-2019-18276' patch? Who supplied it? -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ``Ars longa, vita brevis'' - Hippocrates Chet Ramey, UTech, CWRU chet@case.edu http://tiswww.cwru.edu/~chet/ ^ permalink raw reply [flat|nested] 17+ messages in thread
[parent not found: <99d34efd-3a68-0b05-0e15-fbfd360a2f2a@case.edu>]
* Re: bash: Fix CVE-2019-18276 [not found] ` <99d34efd-3a68-0b05-0e15-fbfd360a2f2a@case.edu> @ 2020-02-18 15:35 ` Richard Purdie 2020-02-18 15:43 ` Mittal, Anuj 2020-02-19 4:01 ` dhuo 1 sibling, 1 reply; 17+ messages in thread From: Richard Purdie @ 2020-02-18 15:35 UTC (permalink / raw) To: chet.ramey, Huo, De, Phil Reid, akuster808, Patches and discussions about the oe-core layer On Tue, 2020-02-18 at 10:28 -0500, Chet Ramey wrote: > On 2/17/20 9:46 PM, Huo, De wrote: > > I applied the patch to fix CVE defect CVE-2019-18276. > > That's not exactly an answer to the question of who produced the patch. > If that patch is the one causing failures when it's applied, doesn't it > make sense to go back to the person who produced it and ask them to > update it if necessary? Its likely a general CVE patch where both configure and configure.ac are patched. For OE, we can drop the configure part since we reautoconf the code. Its therefore the OE port of the patch which is likely at fault. Someone just needs to remove that section of the patch. Cheers, Richard ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: bash: Fix CVE-2019-18276 2020-02-18 15:35 ` Richard Purdie @ 2020-02-18 15:43 ` Mittal, Anuj 2020-02-18 15:49 ` Richard Purdie ` (2 more replies) 0 siblings, 3 replies; 17+ messages in thread From: Mittal, Anuj @ 2020-02-18 15:43 UTC (permalink / raw) To: chet.ramey, richard.purdie, openembedded-core, De.Huo, preid, akuster808 On Tue, 2020-02-18 at 15:35 +0000, Richard Purdie wrote: > On Tue, 2020-02-18 at 10:28 -0500, Chet Ramey wrote: > > On 2/17/20 9:46 PM, Huo, De wrote: > > > I applied the patch to fix CVE defect CVE-2019-18276. > > > > That's not exactly an answer to the question of who produced the > > patch. > > If that patch is the one causing failures when it's applied, > > doesn't it > > make sense to go back to the person who produced it and ask them to > > update it if necessary? > > Its likely a general CVE patch where both configure and configure.ac > are patched. For OE, we can drop the configure part since we > reautoconf > the code. Its therefore the OE port of the patch which is likely at > fault. > > Someone just needs to remove that section of the patch. There are other issues with this patch which should also be fixed I think. It has been marked as a Backport while it is not one. The patch includes changes that are irrelevant to the CVE. And, it should have gone to master first. Thanks, Anuj ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: bash: Fix CVE-2019-18276 2020-02-18 15:43 ` Mittal, Anuj @ 2020-02-18 15:49 ` Richard Purdie 2020-02-19 15:46 ` akuster808 2020-02-19 3:56 ` dhuo 2020-03-03 3:11 ` Yu, Mingli 2 siblings, 1 reply; 17+ messages in thread From: Richard Purdie @ 2020-02-18 15:49 UTC (permalink / raw) To: Mittal, Anuj, chet.ramey, openembedded-core, De.Huo, preid, akuster808 On Tue, 2020-02-18 at 15:43 +0000, Mittal, Anuj wrote: > On Tue, 2020-02-18 at 15:35 +0000, Richard Purdie wrote: > > On Tue, 2020-02-18 at 10:28 -0500, Chet Ramey wrote: > > > On 2/17/20 9:46 PM, Huo, De wrote: > > > > I applied the patch to fix CVE defect CVE-2019-18276. > > > > > > That's not exactly an answer to the question of who produced the > > > patch. > > > If that patch is the one causing failures when it's applied, > > > doesn't it > > > make sense to go back to the person who produced it and ask them > > > to > > > update it if necessary? > > > > Its likely a general CVE patch where both configure and > > configure.ac > > are patched. For OE, we can drop the configure part since we > > reautoconf > > the code. Its therefore the OE port of the patch which is likely at > > fault. > > > > Someone just needs to remove that section of the patch. > > There are other issues with this patch which should also be fixed I > think. It has been marked as a Backport while it is not one. The > patch > includes changes that are irrelevant to the CVE. And, it should have > gone to master first. I shall await guidance from you/Armin then. Cheers, Richard ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: bash: Fix CVE-2019-18276 2020-02-18 15:49 ` Richard Purdie @ 2020-02-19 15:46 ` akuster808 2020-02-19 18:55 ` Richard Purdie 0 siblings, 1 reply; 17+ messages in thread From: akuster808 @ 2020-02-19 15:46 UTC (permalink / raw) To: Richard Purdie, Mittal, Anuj, chet.ramey, openembedded-core, De.Huo, preid On 2/18/20 7:49 AM, Richard Purdie wrote: > On Tue, 2020-02-18 at 15:43 +0000, Mittal, Anuj wrote: >> On Tue, 2020-02-18 at 15:35 +0000, Richard Purdie wrote: >>> On Tue, 2020-02-18 at 10:28 -0500, Chet Ramey wrote: >>>> On 2/17/20 9:46 PM, Huo, De wrote: >>>>> I applied the patch to fix CVE defect CVE-2019-18276. >>>> That's not exactly an answer to the question of who produced the >>>> patch. >>>> If that patch is the one causing failures when it's applied, >>>> doesn't it >>>> make sense to go back to the person who produced it and ask them >>>> to >>>> update it if necessary? >>> Its likely a general CVE patch where both configure and >>> configure.ac >>> are patched. For OE, we can drop the configure part since we >>> reautoconf >>> the code. Its therefore the OE port of the patch which is likely at >>> fault. >>> >>> Someone just needs to remove that section of the patch. >> There are other issues with this patch which should also be fixed I >> think. It has been marked as a Backport while it is not one. The >> patch >> includes changes that are irrelevant to the CVE. And, it should have >> gone to master first. > I shall await guidance from you/Armin then. We should revert the commit. Ill send a patch. - Armin > > Cheers, > > Richard > ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: bash: Fix CVE-2019-18276 2020-02-19 15:46 ` akuster808 @ 2020-02-19 18:55 ` Richard Purdie 0 siblings, 0 replies; 17+ messages in thread From: Richard Purdie @ 2020-02-19 18:55 UTC (permalink / raw) To: akuster808, Mittal, Anuj, chet.ramey, openembedded-core, De.Huo, preid On Wed, 2020-02-19 at 07:46 -0800, akuster808 wrote: > > On 2/18/20 7:49 AM, Richard Purdie wrote: > > On Tue, 2020-02-18 at 15:43 +0000, Mittal, Anuj wrote: > > > On Tue, 2020-02-18 at 15:35 +0000, Richard Purdie wrote: > > > > > > > > Someone just needs to remove that section of the patch. > > > There are other issues with this patch which should also be fixed > > > I > > > think. It has been marked as a Backport while it is not one. The > > > patch > > > includes changes that are irrelevant to the CVE. And, it should > > > have > > > gone to master first. > > I shall await guidance from you/Armin then. > > We should revert the commit. Ill send a patch. Anuj sent it, I've merged it to zeus. Open questions: Should we ship 3.0.2 rc2? Did this patch cause this regression: https://bugzilla.yoctoproject.org/show_bug.cgi?id=13795 Cheers, Richard ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: bash: Fix CVE-2019-18276 2020-02-18 15:43 ` Mittal, Anuj 2020-02-18 15:49 ` Richard Purdie @ 2020-02-19 3:56 ` dhuo 2020-03-03 3:11 ` Yu, Mingli 2 siblings, 0 replies; 17+ messages in thread From: dhuo @ 2020-02-19 3:56 UTC (permalink / raw) To: Mittal, Anuj, chet.ramey, richard.purdie, openembedded-core, preid, akuster808 Hi Anuj, Do you think there is irrelevant changes to the CVE in https://github.com/bminor/bash/commit/ 951bdaad7a18cc0dc1036bba86b18b90874d39ff or in this pach? Could you please specify what's the irrelevant part? I ask this because we also use this patch in our product. Thanks in advance. 在 2020/2/18 23:43, Mittal, Anuj 写道: > On Tue, 2020-02-18 at 15:35 +0000, Richard Purdie wrote: >> On Tue, 2020-02-18 at 10:28 -0500, Chet Ramey wrote: >>> On 2/17/20 9:46 PM, Huo, De wrote: >>>> I applied the patch to fix CVE defect CVE-2019-18276. >>> That's not exactly an answer to the question of who produced the >>> patch. >>> If that patch is the one causing failures when it's applied, >>> doesn't it >>> make sense to go back to the person who produced it and ask them to >>> update it if necessary? >> Its likely a general CVE patch where both configure and configure.ac >> are patched. For OE, we can drop the configure part since we >> reautoconf >> the code. Its therefore the OE port of the patch which is likely at >> fault. >> >> Someone just needs to remove that section of the patch. > There are other issues with this patch which should also be fixed I > think. It has been marked as a Backport while it is not one. The patch > includes changes that are irrelevant to the CVE. And, it should have > gone to master first. > > Thanks, > > Anuj ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: bash: Fix CVE-2019-18276 2020-02-18 15:43 ` Mittal, Anuj 2020-02-18 15:49 ` Richard Purdie 2020-02-19 3:56 ` dhuo @ 2020-03-03 3:11 ` Yu, Mingli 2020-03-03 23:49 ` Mittal, Anuj [not found] ` <ee8f4da6-d917-4dab-d166-62bd7dcf6142@case.edu> 2 siblings, 2 replies; 17+ messages in thread From: Yu, Mingli @ 2020-03-03 3:11 UTC (permalink / raw) To: Mittal, Anuj, chet.ramey, richard.purdie, openembedded-core, Huo, De, preid, akuster808 Hi Anuj, I agree the Backport status is not accurate as the patch doesn't go to master branch, but why do you say the patch is irrelevant to the CVE-2019-18276, could you help to provide more info? Hi Chet, Does https://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=951bdaad7a18cc0dc1036bba86b18b90874d39ff fix the issue reported in CVE-2019-18276? Could you help to provide some info here? Thanks, Mingli ________________________________________ From: openembedded-core-bounces@lists.openembedded.org [openembedded-core-bounces@lists.openembedded.org] on behalf of Mittal, Anuj [anuj.mittal@intel.com] Sent: Tuesday, February 18, 2020 11:43 PM To: chet.ramey@case.edu; richard.purdie@linuxfoundation.org; openembedded-core@lists.openembedded.org; Huo, De; preid@electromag.com.au; akuster808@gmail.com Subject: Re: [OE-core] bash: Fix CVE-2019-18276 On Tue, 2020-02-18 at 15:35 +0000, Richard Purdie wrote: > On Tue, 2020-02-18 at 10:28 -0500, Chet Ramey wrote: > > On 2/17/20 9:46 PM, Huo, De wrote: > > > I applied the patch to fix CVE defect CVE-2019-18276. > > > > That's not exactly an answer to the question of who produced the > > patch. > > If that patch is the one causing failures when it's applied, > > doesn't it > > make sense to go back to the person who produced it and ask them to > > update it if necessary? > > Its likely a general CVE patch where both configure and configure.ac > are patched. For OE, we can drop the configure part since we > reautoconf > the code. Its therefore the OE port of the patch which is likely at > fault. > > Someone just needs to remove that section of the patch. There are other issues with this patch which should also be fixed I think. It has been marked as a Backport while it is not one. The patch includes changes that are irrelevant to the CVE. And, it should have gone to master first. Thanks, Anuj -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: bash: Fix CVE-2019-18276 2020-03-03 3:11 ` Yu, Mingli @ 2020-03-03 23:49 ` Mittal, Anuj 2020-03-04 1:16 ` Yu, Mingli [not found] ` <ee8f4da6-d917-4dab-d166-62bd7dcf6142@case.edu> 1 sibling, 1 reply; 17+ messages in thread From: Mittal, Anuj @ 2020-03-03 23:49 UTC (permalink / raw) To: openembedded-core On Tue, 2020-03-03 at 03:11 +0000, Yu, Mingli wrote: > Hi Anuj, > > I agree the Backport status is not accurate as the patch doesn't go > to master branch, but why do you say the patch is irrelevant to the > CVE-2019-18276, could you help to provide more info? I didn't say that the patch was irrelevant to the CVE. I had said that not all the changes were relevant. I believe the glob changes in the patch were irrelevant. Those changes also introduced a failure in bash ptests. Thanks, Anuj ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: bash: Fix CVE-2019-18276 2020-03-03 23:49 ` Mittal, Anuj @ 2020-03-04 1:16 ` Yu, Mingli 0 siblings, 0 replies; 17+ messages in thread From: Yu, Mingli @ 2020-03-04 1:16 UTC (permalink / raw) To: Mittal, Anuj, openembedded-core Got it, thanks Anuj! Thanks, Mingli ________________________________________ From: openembedded-core-bounces@lists.openembedded.org [openembedded-core-bounces@lists.openembedded.org] on behalf of Mittal, Anuj [anuj.mittal@intel.com] Sent: Wednesday, March 04, 2020 7:49 AM To: openembedded-core@lists.openembedded.org Subject: Re: [OE-core] bash: Fix CVE-2019-18276 On Tue, 2020-03-03 at 03:11 +0000, Yu, Mingli wrote: > Hi Anuj, > > I agree the Backport status is not accurate as the patch doesn't go > to master branch, but why do you say the patch is irrelevant to the > CVE-2019-18276, could you help to provide more info? I didn't say that the patch was irrelevant to the CVE. I had said that not all the changes were relevant. I believe the glob changes in the patch were irrelevant. Those changes also introduced a failure in bash ptests. Thanks, Anuj -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core ^ permalink raw reply [flat|nested] 17+ messages in thread
[parent not found: <ee8f4da6-d917-4dab-d166-62bd7dcf6142@case.edu>]
* Re: bash: Fix CVE-2019-18276 [not found] ` <ee8f4da6-d917-4dab-d166-62bd7dcf6142@case.edu> @ 2020-03-04 1:14 ` Yu, Mingli 0 siblings, 0 replies; 17+ messages in thread From: Yu, Mingli @ 2020-03-04 1:14 UTC (permalink / raw) To: chet.ramey, Mittal, Anuj, richard.purdie, openembedded-core, Huo, De, preid, akuster808 Thanks Chet very much for your confirmation! If the commit fixs the CVE-2019-18276, why is it merged to the master branch? Thanks, Mingli ________________________________________ From: Chet Ramey [chet.ramey@case.edu] Sent: Tuesday, March 03, 2020 9:55 PM To: Yu, Mingli; Mittal, Anuj; richard.purdie@linuxfoundation.org; openembedded-core@lists.openembedded.org; Huo, De; preid@electromag.com.au; akuster808@gmail.com Cc: chet.ramey@case.edu Subject: Re: [OE-core] bash: Fix CVE-2019-18276 On 3/2/20 10:11 PM, Yu, Mingli wrote: > Does https://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=951bdaad7a18cc0dc1036bba86b18b90874d39ff fix the issue reported in CVE-2019-18276? Could you help to provide some info here? Yes, the changes from 6/27 fix the issue in the CVE. -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ``Ars longa, vita brevis'' - Hippocrates Chet Ramey, UTech, CWRU chet@case.edu http://tiswww.cwru.edu/~chet/ ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: bash: Fix CVE-2019-18276 [not found] ` <99d34efd-3a68-0b05-0e15-fbfd360a2f2a@case.edu> 2020-02-18 15:35 ` Richard Purdie @ 2020-02-19 4:01 ` dhuo 1 sibling, 0 replies; 17+ messages in thread From: dhuo @ 2020-02-19 4:01 UTC (permalink / raw) To: chet.ramey, Phil Reid, akuster808, Richard Purdie, Patches and discussions about the oe-core layer Hi All, Do you know how to reproduce this isse on my side? Since we also provide this patch in our current WRLinux product. Thanks in advance. 在 2020/2/18 23:28, Chet Ramey 写道: > On 2/17/20 9:46 PM, Huo, De wrote: >> I applied the patch to fix CVE defect CVE-2019-18276. > That's not exactly an answer to the question of who produced the patch. > If that patch is the one causing failures when it's applied, doesn't it > make sense to go back to the person who produced it and ask them to > update it if necessary? > ^ permalink raw reply [flat|nested] 17+ messages in thread
* bash: Fix CVE-2019-18276 @ 2020-02-17 3:26 Phil Reid 2020-02-17 6:44 ` Andrey Zhizhikin 0 siblings, 1 reply; 17+ messages in thread From: Phil Reid @ 2020-02-17 3:26 UTC (permalink / raw) To: Patches and discussions about the oe-core layer Hi All, I recently started get the following failure with bash after "b348e31c93f0 bash: Fix CVE-2019-18276" was applied to zeus. Any thoughts? NOTE: Applying patch 'bash50-001' (downloads/bash50-001) NOTE: Applying patch 'bash50-002' (downloads/bash50-002) NOTE: Applying patch 'bash50-003' (downloads/bash50-003) NOTE: Applying patch 'bash50-004' (downloads/bash50-004) NOTE: Applying patch 'bash50-005' (downloads/bash50-005) NOTE: Applying patch 'bash50-006' (downloads/bash50-006) NOTE: Applying patch 'bash50-007' (downloads/bash50-007) NOTE: Applying patch 'execute_cmd.patch' (layers/openembedded-core/meta/recipes-extended/bash/bash/execute_cmd.patch) NOTE: Applying patch 'mkbuiltins_have_stringize.patch' (layers/openembedded-core/meta/recipes-extended/bash/bash/mkbuiltins_have_stringize.patch) NOTE: Applying patch 'build-tests.patch' (layers/openembedded-core/meta/recipes-extended/bash/bash/build-tests.patch) NOTE: Applying patch 'test-output.patch' (layers/openembedded-core/meta/recipes-extended/bash/bash/test-output.patch) NOTE: Applying patch 'fix-run-builtins.patch' (layers/openembedded-core/meta/recipes-extended/bash/bash/fix-run-builtins.patch) NOTE: Applying patch 'bash-CVE-2019-18276.patch' (layers/openembedded-core/meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch) ERROR: Command Error: 'quilt --quiltrc /home/preid/dev/linux/v2019.11/tmp-glibc/work/cortexa9t2hf-neon-emit-linux-gnueabi/bash/5.0-r0/recipe-sysroot-native/etc/quiltrc push' exited with 0 Output: Applying patch bash-CVE-2019-18276.patch patching file MANIFEST patching file bashline.c patching file builtins/help.def patching file config.h.in patching file configure Hunk #1 FAILED at 10281. 1 out of 1 hunk FAILED -- rejects in file configure patching file configure.ac patching file doc/bash.1 patching file doc/bashref.texi patching file lib/glob/glob.c patching file pathexp.c patching file shell.c patching file tests/glob.tests patching file tests/glob6.sub patching file tests/glob7.sub Patch bash-CVE-2019-18276.patch does not apply (enforce with -f) DEBUG: Python function patch_do_patch finished DEBUG: Python function do_patch finished -- Regards Phil Reid ElectroMagnetic Imaging Technology Pty Ltd Development of Geophysical Instrumentation & Software www.electromag.com.au 3 The Avenue, Midland WA 6056, AUSTRALIA Ph: +61 8 9250 8100 Fax: +61 8 9250 7100 Email: preid@electromag.com.au ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: bash: Fix CVE-2019-18276 2020-02-17 3:26 Phil Reid @ 2020-02-17 6:44 ` Andrey Zhizhikin 2020-02-17 9:55 ` Richard Purdie 0 siblings, 1 reply; 17+ messages in thread From: Andrey Zhizhikin @ 2020-02-17 6:44 UTC (permalink / raw) To: Phil Reid; +Cc: Patches and discussions about the oe-core layer On Mon, Feb 17, 2020 at 4:26 AM Phil Reid <preid@electromag.com.au> wrote: > > Hi All, > > I recently started get the following failure with bash after "b348e31c93f0 bash: Fix CVE-2019-18276" > was applied to zeus. > > Any thoughts? > > > NOTE: Applying patch 'bash50-001' (downloads/bash50-001) > NOTE: Applying patch 'bash50-002' (downloads/bash50-002) > NOTE: Applying patch 'bash50-003' (downloads/bash50-003) > NOTE: Applying patch 'bash50-004' (downloads/bash50-004) > NOTE: Applying patch 'bash50-005' (downloads/bash50-005) > NOTE: Applying patch 'bash50-006' (downloads/bash50-006) > NOTE: Applying patch 'bash50-007' (downloads/bash50-007) > NOTE: Applying patch 'execute_cmd.patch' (layers/openembedded-core/meta/recipes-extended/bash/bash/execute_cmd.patch) > NOTE: Applying patch 'mkbuiltins_have_stringize.patch' (layers/openembedded-core/meta/recipes-extended/bash/bash/mkbuiltins_have_stringize.patch) > NOTE: Applying patch 'build-tests.patch' (layers/openembedded-core/meta/recipes-extended/bash/bash/build-tests.patch) > NOTE: Applying patch 'test-output.patch' (layers/openembedded-core/meta/recipes-extended/bash/bash/test-output.patch) > NOTE: Applying patch 'fix-run-builtins.patch' (layers/openembedded-core/meta/recipes-extended/bash/bash/fix-run-builtins.patch) > NOTE: Applying patch 'bash-CVE-2019-18276.patch' (layers/openembedded-core/meta/recipes-extended/bash/bash/bash-CVE-2019-18276.patch) > ERROR: Command Error: 'quilt --quiltrc > /home/preid/dev/linux/v2019.11/tmp-glibc/work/cortexa9t2hf-neon-emit-linux-gnueabi/bash/5.0-r0/recipe-sysroot-native/etc/quiltrc push' exited with 0 Output: > Applying patch bash-CVE-2019-18276.patch > patching file MANIFEST > patching file bashline.c > patching file builtins/help.def > patching file config.h.in > patching file configure > Hunk #1 FAILED at 10281. > 1 out of 1 hunk FAILED -- rejects in file configure > patching file configure.ac > patching file doc/bash.1 > patching file doc/bashref.texi > patching file lib/glob/glob.c > patching file pathexp.c > patching file shell.c > patching file tests/glob.tests > patching file tests/glob6.sub > patching file tests/glob7.sub > Patch bash-CVE-2019-18276.patch does not apply (enforce with -f) > DEBUG: Python function patch_do_patch finished > DEBUG: Python function do_patch finished Had the same issue the day before, re-building bash clean solved it. At first I wanted to report it as well, but then after I tried "-c cleanall" - the issue was gone. Try to do a clean build of bash and see if it is still reproducible. > > -- > Regards > Phil Reid > > ElectroMagnetic Imaging Technology Pty Ltd > Development of Geophysical Instrumentation & Software > www.electromag.com.au > > 3 The Avenue, Midland WA 6056, AUSTRALIA > Ph: +61 8 9250 8100 > Fax: +61 8 9250 7100 > Email: preid@electromag.com.au > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core -- Regards, Andrey. ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: bash: Fix CVE-2019-18276 2020-02-17 6:44 ` Andrey Zhizhikin @ 2020-02-17 9:55 ` Richard Purdie 2020-02-18 6:41 ` Phil Reid 0 siblings, 1 reply; 17+ messages in thread From: Richard Purdie @ 2020-02-17 9:55 UTC (permalink / raw) To: Andrey Zhizhikin, Phil Reid, Armin Kuster (akuster808@gmail.com) Cc: Patches and discussions about the oe-core layer On Mon, 2020-02-17 at 07:44 +0100, Andrey Zhizhikin wrote: > On Mon, Feb 17, 2020 at 4:26 AM Phil Reid <preid@electromag.com.au> > wrote: > > Hi All, > > > > I recently started get the following failure with bash after > > "b348e31c93f0 bash: Fix CVE-2019-18276" > > was applied to zeus. > > > > Any thoughts? > > > > > > NOTE: Applying patch 'bash50-001' (downloads/bash50-001) > > NOTE: Applying patch 'bash50-002' (downloads/bash50-002) > > NOTE: Applying patch 'bash50-003' (downloads/bash50-003) > > NOTE: Applying patch 'bash50-004' (downloads/bash50-004) > > NOTE: Applying patch 'bash50-005' (downloads/bash50-005) > > NOTE: Applying patch 'bash50-006' (downloads/bash50-006) > > NOTE: Applying patch 'bash50-007' (downloads/bash50-007) > > NOTE: Applying patch 'execute_cmd.patch' (layers/openembedded- > > core/meta/recipes-extended/bash/bash/execute_cmd.patch) > > NOTE: Applying patch 'mkbuiltins_have_stringize.patch' > > (layers/openembedded-core/meta/recipes- > > extended/bash/bash/mkbuiltins_have_stringize.patch) > > NOTE: Applying patch 'build-tests.patch' (layers/openembedded- > > core/meta/recipes-extended/bash/bash/build-tests.patch) > > NOTE: Applying patch 'test-output.patch' (layers/openembedded- > > core/meta/recipes-extended/bash/bash/test-output.patch) > > NOTE: Applying patch 'fix-run-builtins.patch' (layers/openembedded- > > core/meta/recipes-extended/bash/bash/fix-run-builtins.patch) > > NOTE: Applying patch 'bash-CVE-2019-18276.patch' > > (layers/openembedded-core/meta/recipes-extended/bash/bash/bash-CVE- > > 2019-18276.patch) > > ERROR: Command Error: 'quilt --quiltrc > > /home/preid/dev/linux/v2019.11/tmp-glibc/work/cortexa9t2hf-neon- > > emit-linux-gnueabi/bash/5.0-r0/recipe-sysroot-native/etc/quiltrc > > push' exited with 0 Output: > > Applying patch bash-CVE-2019-18276.patch > > patching file MANIFEST > > patching file bashline.c > > patching file builtins/help.def > > patching file config.h.in > > patching file configure > > Hunk #1 FAILED at 10281. > > 1 out of 1 hunk FAILED -- rejects in file configure > > patching file configure.ac > > patching file doc/bash.1 > > patching file doc/bashref.texi > > patching file lib/glob/glob.c > > patching file pathexp.c > > patching file shell.c > > patching file tests/glob.tests > > patching file tests/glob6.sub > > patching file tests/glob7.sub > > Patch bash-CVE-2019-18276.patch does not apply (enforce with -f) > > DEBUG: Python function patch_do_patch finished > > DEBUG: Python function do_patch finished > > Had the same issue the day before, re-building bash clean solved it. > At first I wanted to report it as well, but then after I tried "-c > cleanall" - the issue was gone. > > Try to do a clean build of bash and see if it is still reproducible. I think I understand what happens here. When you do a rebuild, bitbake tries to pop off all the old patches, then apply the new ones. In this case its patching configure which we rebuild. It therefore can't apply the new patch to configure since its changed by the do_configure task. The fix is to remove the configure change from the patch since we just need the configure.ac piece. Cheers, Richard ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: bash: Fix CVE-2019-18276 2020-02-17 9:55 ` Richard Purdie @ 2020-02-18 6:41 ` Phil Reid 2020-02-18 8:14 ` Richard Purdie 0 siblings, 1 reply; 17+ messages in thread From: Phil Reid @ 2020-02-18 6:41 UTC (permalink / raw) To: Richard Purdie, Andrey Zhizhikin, Armin Kuster (akuster808@gmail.com) Cc: Patches and discussions about the oe-core layer On 17/02/2020 17:55, Richard Purdie wrote: > On Mon, 2020-02-17 at 07:44 +0100, Andrey Zhizhikin wrote: >> On Mon, Feb 17, 2020 at 4:26 AM Phil Reid <preid@electromag.com.au> >> wrote: >>> Hi All, >>> >>> I recently started get the following failure with bash after >>> "b348e31c93f0 bash: Fix CVE-2019-18276" >>> was applied to zeus. >>> >>> Any thoughts? >>> >>> >>> NOTE: Applying patch 'bash50-001' (downloads/bash50-001) >>> NOTE: Applying patch 'bash50-002' (downloads/bash50-002) >>> NOTE: Applying patch 'bash50-003' (downloads/bash50-003) >>> NOTE: Applying patch 'bash50-004' (downloads/bash50-004) >>> NOTE: Applying patch 'bash50-005' (downloads/bash50-005) >>> NOTE: Applying patch 'bash50-006' (downloads/bash50-006) >>> NOTE: Applying patch 'bash50-007' (downloads/bash50-007) >>> NOTE: Applying patch 'execute_cmd.patch' (layers/openembedded- >>> core/meta/recipes-extended/bash/bash/execute_cmd.patch) >>> NOTE: Applying patch 'mkbuiltins_have_stringize.patch' >>> (layers/openembedded-core/meta/recipes- >>> extended/bash/bash/mkbuiltins_have_stringize.patch) >>> NOTE: Applying patch 'build-tests.patch' (layers/openembedded- >>> core/meta/recipes-extended/bash/bash/build-tests.patch) >>> NOTE: Applying patch 'test-output.patch' (layers/openembedded- >>> core/meta/recipes-extended/bash/bash/test-output.patch) >>> NOTE: Applying patch 'fix-run-builtins.patch' (layers/openembedded- >>> core/meta/recipes-extended/bash/bash/fix-run-builtins.patch) >>> NOTE: Applying patch 'bash-CVE-2019-18276.patch' >>> (layers/openembedded-core/meta/recipes-extended/bash/bash/bash-CVE- >>> 2019-18276.patch) >>> ERROR: Command Error: 'quilt --quiltrc >>> /home/preid/dev/linux/v2019.11/tmp-glibc/work/cortexa9t2hf-neon- >>> emit-linux-gnueabi/bash/5.0-r0/recipe-sysroot-native/etc/quiltrc >>> push' exited with 0 Output: >>> Applying patch bash-CVE-2019-18276.patch >>> patching file MANIFEST >>> patching file bashline.c >>> patching file builtins/help.def >>> patching file config.h.in >>> patching file configure >>> Hunk #1 FAILED at 10281. >>> 1 out of 1 hunk FAILED -- rejects in file configure >>> patching file configure.ac >>> patching file doc/bash.1 >>> patching file doc/bashref.texi >>> patching file lib/glob/glob.c >>> patching file pathexp.c >>> patching file shell.c >>> patching file tests/glob.tests >>> patching file tests/glob6.sub >>> patching file tests/glob7.sub >>> Patch bash-CVE-2019-18276.patch does not apply (enforce with -f) >>> DEBUG: Python function patch_do_patch finished >>> DEBUG: Python function do_patch finished >> >> Had the same issue the day before, re-building bash clean solved it. >> At first I wanted to report it as well, but then after I tried "-c >> cleanall" - the issue was gone. >> >> Try to do a clean build of bash and see if it is still reproducible. > > I think I understand what happens here. When you do a rebuild, bitbake > tries to pop off all the old patches, then apply the new ones. > > In this case its patching configure which we rebuild. It therefore > can't apply the new patch to configure since its changed by the > do_configure task. > > The fix is to remove the configure change from the patch since we just > need the configure.ac piece. > I've run "bitbake -c cleanall bash" and the build has then succeeded. I guess we wait and see if it pops up again when bash needs to be rebuilt. I did try quickly hacking the patch and removing the configure patch section, but the resulting configure looked different. So I went with the easy option above. Thanks Phil ^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: bash: Fix CVE-2019-18276 2020-02-18 6:41 ` Phil Reid @ 2020-02-18 8:14 ` Richard Purdie 0 siblings, 0 replies; 17+ messages in thread From: Richard Purdie @ 2020-02-18 8:14 UTC (permalink / raw) To: Phil Reid, Andrey Zhizhikin, Armin Kuster (akuster808@gmail.com) Cc: Patches and discussions about the oe-core layer On Tue, 2020-02-18 at 14:41 +0800, Phil Reid wrote: > On 17/02/2020 17:55, Richard Purdie wrote: > > On Mon, 2020-02-17 at 07:44 +0100, Andrey Zhizhikin wrote: > > > On Mon, Feb 17, 2020 at 4:26 AM Phil Reid < > > > preid@electromag.com.au> > > > wrote: > > > > Hi All, > > > > > > > > I recently started get the following failure with bash after > > > > "b348e31c93f0 bash: Fix CVE-2019-18276" > > > > was applied to zeus. > > > > > > > > Any thoughts? > > > > > > > > > > > > NOTE: Applying patch 'bash50-001' (downloads/bash50-001) > > > > NOTE: Applying patch 'bash50-002' (downloads/bash50-002) > > > > NOTE: Applying patch 'bash50-003' (downloads/bash50-003) > > > > NOTE: Applying patch 'bash50-004' (downloads/bash50-004) > > > > NOTE: Applying patch 'bash50-005' (downloads/bash50-005) > > > > NOTE: Applying patch 'bash50-006' (downloads/bash50-006) > > > > NOTE: Applying patch 'bash50-007' (downloads/bash50-007) > > > > NOTE: Applying patch 'execute_cmd.patch' (layers/openembedded- > > > > core/meta/recipes-extended/bash/bash/execute_cmd.patch) > > > > NOTE: Applying patch 'mkbuiltins_have_stringize.patch' > > > > (layers/openembedded-core/meta/recipes- > > > > extended/bash/bash/mkbuiltins_have_stringize.patch) > > > > NOTE: Applying patch 'build-tests.patch' (layers/openembedded- > > > > core/meta/recipes-extended/bash/bash/build-tests.patch) > > > > NOTE: Applying patch 'test-output.patch' (layers/openembedded- > > > > core/meta/recipes-extended/bash/bash/test-output.patch) > > > > NOTE: Applying patch 'fix-run-builtins.patch' > > > > (layers/openembedded- > > > > core/meta/recipes-extended/bash/bash/fix-run-builtins.patch) > > > > NOTE: Applying patch 'bash-CVE-2019-18276.patch' > > > > (layers/openembedded-core/meta/recipes-extended/bash/bash/bash- > > > > CVE- > > > > 2019-18276.patch) > > > > ERROR: Command Error: 'quilt --quiltrc > > > > /home/preid/dev/linux/v2019.11/tmp-glibc/work/cortexa9t2hf- > > > > neon- > > > > emit-linux-gnueabi/bash/5.0-r0/recipe-sysroot- > > > > native/etc/quiltrc > > > > push' exited with 0 Output: > > > > Applying patch bash-CVE-2019-18276.patch > > > > patching file MANIFEST > > > > patching file bashline.c > > > > patching file builtins/help.def > > > > patching file config.h.in > > > > patching file configure > > > > Hunk #1 FAILED at 10281. > > > > 1 out of 1 hunk FAILED -- rejects in file configure > > > > patching file configure.ac > > > > patching file doc/bash.1 > > > > patching file doc/bashref.texi > > > > patching file lib/glob/glob.c > > > > patching file pathexp.c > > > > patching file shell.c > > > > patching file tests/glob.tests > > > > patching file tests/glob6.sub > > > > patching file tests/glob7.sub > > > > Patch bash-CVE-2019-18276.patch does not apply (enforce with > > > > -f) > > > > DEBUG: Python function patch_do_patch finished > > > > DEBUG: Python function do_patch finished > > > > > > Had the same issue the day before, re-building bash clean solved > > > it. > > > At first I wanted to report it as well, but then after I tried "- > > > c > > > cleanall" - the issue was gone. > > > > > > Try to do a clean build of bash and see if it is still > > > reproducible. > > > > I think I understand what happens here. When you do a rebuild, > > bitbake > > tries to pop off all the old patches, then apply the new ones. > > > > In this case its patching configure which we rebuild. It therefore > > can't apply the new patch to configure since its changed by the > > do_configure task. > > > > The fix is to remove the configure change from the patch since we > > just > > need the configure.ac piece. > > > I've run "bitbake -c cleanall bash" and the build has then succeeded. > I guess we wait and see if it pops up again when bash needs to be > rebuilt. > > I did try quickly hacking the patch and removing the configure patch > section, but the resulting configure looked different. So I went with > the easy option above. Reproducing should be as simple as: bitbake bash -c configure bitbake bash -c patch -f Cheers, Richard ^ permalink raw reply [flat|nested] 17+ messages in thread
end of thread, other threads:[~2020-03-04 1:16 UTC | newest] Thread overview: 17+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- [not found] <aa0bf5f6-aaf2-bfbf-6488-8d65cbe849f7@electromag.com.au> [not found] ` <4f09ab13-9571-3464-2fc3-334bc91b9c09@case.edu> 2020-02-18 2:46 ` bash: Fix CVE-2019-18276 Huo, De [not found] ` <99d34efd-3a68-0b05-0e15-fbfd360a2f2a@case.edu> 2020-02-18 15:35 ` Richard Purdie 2020-02-18 15:43 ` Mittal, Anuj 2020-02-18 15:49 ` Richard Purdie 2020-02-19 15:46 ` akuster808 2020-02-19 18:55 ` Richard Purdie 2020-02-19 3:56 ` dhuo 2020-03-03 3:11 ` Yu, Mingli 2020-03-03 23:49 ` Mittal, Anuj 2020-03-04 1:16 ` Yu, Mingli [not found] ` <ee8f4da6-d917-4dab-d166-62bd7dcf6142@case.edu> 2020-03-04 1:14 ` Yu, Mingli 2020-02-19 4:01 ` dhuo 2020-02-17 3:26 Phil Reid 2020-02-17 6:44 ` Andrey Zhizhikin 2020-02-17 9:55 ` Richard Purdie 2020-02-18 6:41 ` Phil Reid 2020-02-18 8:14 ` Richard Purdie
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.