From: Steve Sakoman <steve@sakoman.com>
To: Ralph Siemsen <ralph.siemsen@linaro.org>
Cc: Richard Purdie <richard.purdie@linuxfoundation.org>,
	Mike Crowe <mac@mcrowe.com>, Ross Burton <ross@burtonini.com>,
	"Mittal, Anuj" <anuj.mittal@intel.com>,
	Patches and discussions about the oe-core layer
	<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH][dunfell] zlib: backport the fix for CVE-2018-25032
Date: Wed, 13 Apr 2022 17:02:33 -1000	[thread overview]
Message-ID: <CAOSpxdZGm9Fjh=8fvS7GtG51ThmToA=8HiY3K1bFN=7FiY=DGQ@mail.gmail.com> (raw)
In-Reply-To: <16E5A41A6E4FF34A.8845@lists.openembedded.org>

On Wed, Apr 13, 2022 at 5:01 PM Steve Sakoman via
lists.openembedded.org <steve=sakoman.com@lists.openembedded.org>
wrote:
>
> On Wed, Apr 13, 2022 at 4:47 PM Ralph Siemsen <ralph.siemsen@linaro.org> wrote:
> >
> > On Wed, 2022-04-13 at 11:39 -1000, Steve Sakoman wrote:
> > > I did another experiment, where I disabled generation of the sha256
> > > entries in Release (by adding --no-sha256 to the apt-ftparchive
> > > command)
> > >
> > > As a result we get past this first hash mismatch in Release, but then
> > > get later hash mismatches when it tries to download .debs.
> >
> > I am able to get past this, albeit with a hack. This fixes the sha256
> > sum in the Release file, as well as verification of the .deb files.
> > The original test then passes:
> >
> > RESULTS - apt.AptRepoTest.test_apt_install_from_repo: PASSED (46.75s)
> >
> > The hack is to reduce the optimisation level for apt-native and apt. By
> > default it uses CXXFLAGS="-g -O2". Reducing this to -O1 fixes the
> > checksums.
>
> Nice work!
>
> > > The issue is happening on Fedora 35 and Alma 8, so no
> > > buildtools-tarball in this case!
>
> I've started a build that uses buildtools just to verify that fixes it
> and there aren't any other issues.

FWIW, here is the link to that build - still underway.

Steve

>
> > Fedora 35 is using gcc-11.2.1, could you check what Alma 8 uses?
>
> [sakoman@alma8-ty-1 ~]$ gcc --version
> gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-4)
>
> >
> > Here are a few other things I checked, prior to noticing the
> > optimisation level issue:
> >
> > 1) we are using apt 1.2.31; the latest 1.2.y version is 1.2.35
> > - this still has the problem with bad sha256sums
> > - it does include several CVE fixes which we might want
> > - it added a new dependency on systemd
>
> Urgh . . . this last part isn't good since it would be a behavior
> change which isn't OK for LTS
>
> It may be that the best solution is to change to -O1 :-(
>
> Steve
>
> >
> > 2) main branch version is 2.3.5
> > - it switched to CMAKE
> > - many new dependencies
> > - I got it to configure, but not compile
> > - custom crypto code seems to be dropped, in favour of gcrypt
> > - presumably this would fix the sha256 however I cannot confirm
> >
> > Regards,
> > Ralph


