* Attention all: patches for upstream source will be applied with stricter criteria for context
@ 2016-10-21 12:55 Alexander Kanavin
  2016-10-21 15:08 ` akuster
  2016-10-21 17:05   ` [yocto] " Khem Raj
  0 siblings, 2 replies; 6+ messages in thread
From: Alexander Kanavin @ 2016-10-21 12:55 UTC (permalink / raw)
  To: Patches and discussions about the oe-core layer,
	openembedded-devel, Yocto Project

Hello all,

while updating gnutls to a newer version I came across a rather serious 
issue: the way we patch source code is very lenient about the context 
for the lines to be changed. Basically, it's enough for one line before 
and after the changed line to match, because patch command's default 
setting for 'fuzz factor' allows it. If these lines happen to be 
whitespace or braces, then there's nothing to prevent the patch from 
being applied incorrectly.

Here's a particularly nasty example of this happening completely 
silently (compile step works fine too), with security implications:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=10450

I think this absolutely needs to be fixed. The downside is that this 
will break a lot of patches across all layers - after setting the fuzz 
to zero in oe-core we have 87 recipes that fail to be patched. Maxin and 
I are currently going through them one by one and getting them fixed.

Regards,
Alex
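
The failure mode described in the message above, reproduced as an added example that is not part of the original thread. The file `cert.c`, its functions and `fix.patch` are constructed for illustration, and GNU patch is assumed.

```shell
# Constructed demo: cert.c, its functions and fix.patch are invented for illustration.
work=$(mktemp -d)

# New upstream release: verify_cert() was restyled, verify_name() kept its braces.
cat > "$work/cert.c" <<'EOF'
int verify_cert(struct cert *c)
{
    if (!c->sig)
        return -1;
    return 0;
}
int verify_name(struct cert *c)
{
    if (c->name == NULL) {
        return -2;
    }
    return 0;
}
int verify_usage(struct cert *c) { return c->usage ? 0 : -1; }
EOF

# Downstream fix written against the old release; it is meant for verify_cert().
cat > "$work/fix.patch" <<'EOF'
--- a/cert.c
+++ b/cert.c
@@ -3,6 +3,9 @@
     if (c->sig == NULL) {
         return -1;
     }
+    if (c->not_after < now()) {
+        return -1;
+    }
     return 0;
 }
 int verify_name(struct cert *c)
EOF
# Default fuzz (2): only one context line on each side of the change has to match.
apply_lenient() {
    cp "$work/cert.c" "$work/lenient.c" && LC_ALL=C patch "$work/lenient.c" < "$work/fix.patch"
}
# Fuzz 0: every context line must match; --dry-run writes nothing.
apply_strict() { LC_ALL=C patch -F0 --dry-run "$work/cert.c" < "$work/fix.patch"; }
# Name of the function that ended up holding the added expiry check.
patched_function() {
    awk '/^int /{fn=$2} /not_after/{sub(/\(.*/, "", fn); print fn; exit}' "$work/lenient.c"
}
apply_lenient
echo "expiry check landed in: $(patched_function)"
if apply_strict; then echo "strict: applied"; else echo "strict: rejected"; fi
```

The lenient run exits 0 and reports the hunk as succeeded `with fuzz 2`, yet the check sits in `verify_name()` and `verify_cert()` is unchanged; that string in a build log is the marker to search for.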



* Re: Attention all: patches for upstream source will be applied with stricter criteria for context
  2016-10-21 12:55 Attention all: patches for upstream source will be applied with stricter criteria for context Alexander Kanavin
@ 2016-10-21 15:08 ` akuster
  2016-10-21 15:13   ` [yocto] " Alexander Kanavin
  2016-10-21 17:05   ` [yocto] " Khem Raj
  1 sibling, 1 reply; 6+ messages in thread
From: akuster @ 2016-10-21 15:08 UTC (permalink / raw)
  To: Alexander Kanavin,
	Patches and discussions about the oe-core layer,
	openembedded-devel, Yocto Project



On 10/21/2016 05:55 AM, Alexander Kanavin wrote:
> Hello all,
>
> while updating gnutls to a newer version I came across a rather 
> serious issue: the way we patch source code is very lenient about the 
> context for the lines to be changed. Basically, it's enough for one 
> line before and after the changed line to match, because patch 
> command's default setting for 'fuzz factor' allows it. If these lines 
> happen to be whitespace or braces, then there's nothing to prevent the 
> patch from being applied incorrectly.
>
> Here's a particularly nasty example of this happening completely 
> silently (compile step works fine too), with security implications:
> https://bugzilla.yoctoproject.org/show_bug.cgi?id=10450
>
> I think this absolutely needs to be fixed. 

Is there a target milestone for this change?

> The downside is that this will break a lot of patches across all 
> layers - after setting the fuzz to zero in oe-core we have 87 recipes 
> that fail to be patched. Maxin and I are currently going through them 
> one by one and getting them fixed.

Is this going to impact the 2.2 release?

- armin
>
> Regards,
> Alex




* Re: [yocto] Attention all: patches for upstream source will be applied with stricter criteria for context
  2016-10-21 15:08 ` akuster
@ 2016-10-21 15:13   ` Alexander Kanavin
  0 siblings, 0 replies; 6+ messages in thread
From: Alexander Kanavin @ 2016-10-21 15:13 UTC (permalink / raw)
  To: akuster, Patches and discussions about the oe-core layer

On 10/21/2016 06:08 PM, akuster wrote:
>> while updating gnutls to a newer version I came across a rather
>> serious issue: the way we patch source code is very lenient about the
>> context for the lines to be changed. Basically, it's enough for one
>> line before and after the changed line to match, because patch
>> command's default setting for 'fuzz factor' allows it. If these lines
>> happen to be whitespace or braces, then there's nothing to prevent the
>> patch from being applied incorrectly.
>>
>> Here's a particularly nasty example of this happening completely
>> silently (compile step works fine too), with security implications:
>> https://bugzilla.yoctoproject.org/show_bug.cgi?id=10450
>>
>> I think this absolutely needs to be fixed.
>
> Is there a target milestone for this change?

Currently the plan is to fix all of oe-core and send out a patchset, 
including the stricter fuzz setting in time for 2.3 M1. Here's the branch:
https://git.yoctoproject.org/cgit/cgit.cgi/poky-contrib/log/?h=akanavin/fix-patch-fuzz

>> The downside is that this will break a lot of patches across all
>> layers - after setting the fuzz to zero in oe-core we have 87 recipes
>> that fail to be patched. Maxin and I are currently going through them
>> one by one and getting them fixed.
>
> Is this going to impact the 2.2 release?

If we find any patches that are applied incorrectly (as opposed to just 
having out of date context but still applied correctly), then the fixes 
will be backported as well.

Alex




* Re: Attention all: patches for upstream source will be applied with stricter criteria for context
  2016-10-21 12:55 Attention all: patches for upstream source will be applied with stricter criteria for context Alexander Kanavin
@ 2016-10-21 17:05   ` Khem Raj
  2016-10-21 17:05   ` [yocto] " Khem Raj
  1 sibling, 0 replies; 6+ messages in thread
From: Khem Raj @ 2016-10-21 17:05 UTC (permalink / raw)
  To: Alexander Kanavin
  Cc: Yocto Project, openembedded-devel,
	Patches and discussions about the oe-core layer



> On Oct 21, 2016, at 5:55 AM, Alexander Kanavin <alexander.kanavin@linux.intel.com> wrote:
> 
> Hello all,
> 
> while updating gnutls to a newer version I came across a rather serious issue: the way we patch source code is very lenient about the context for the lines to be changed. Basically, it's enough for one line before and after the changed line to match, because patch command's default setting for 'fuzz factor' allows it. If these lines happen to be whitespace or braces, then there's nothing to prevent the patch from being applied incorrectly.
> 
> Here's a particularly nasty example of this happening completely silently (compile step works fine too), with security implications:
> https://bugzilla.yoctoproject.org/show_bug.cgi?id=10450
> 
> I think this absolutely needs to be fixed. The downside is that this will break a lot of patches across all layers - after setting the fuzz to zero in oe-core we have 87 recipes that fail to be patched. Maxin and I are currently going through them one by one and getting them fixed.

perhaps a list of the recipes, with steps to configure fuzz factor on wiki would enable other folks to
fix them especially the recipe maintainers should care.

> 
> Regards,
> Alex


* Re: [yocto] Attention all: patches for upstream source will be applied with stricter criteria for context
  2016-10-21 17:05   ` [yocto] " Khem Raj
  (?)
@ 2016-10-24 11:30   ` Alexander Kanavin
  -1 siblings, 0 replies; 6+ messages in thread
From: Alexander Kanavin @ 2016-10-24 11:30 UTC (permalink / raw)
  To: Khem Raj; +Cc: Patches and discussions about the oe-core layer

On 10/21/2016 08:05 PM, Khem Raj wrote:
>> while updating gnutls to a newer version I came across a rather serious issue: the way we patch source code is very lenient about the context for the lines to be changed. Basically, it's enough for one line before and after the changed line to match, because patch command's default setting for 'fuzz factor' allows it. If these lines happen to be whitespace or braces, then there's nothing to prevent the patch from being applied incorrectly.
>>
>> Here's a particularly nasty example of this happening completely silently (compile step works fine too), with security implications:
>> https://bugzilla.yoctoproject.org/show_bug.cgi?id=10450
>>
>> I think this absolutely needs to be fixed. The downside is that this will break a lot of patches across all layers - after setting the fuzz to zero in oe-core we have 87 recipes that fail to be patched. Maxin and I are currently going through them one by one and getting them fixed.
>
> perhaps a list of the recipes, with steps to configure fuzz factor on wiki would enable other folks to
> fix them especially the recipe maintainers should care.

The bug has the instructions for that. If folks want to help out, that's 
the place to start.

Alex


