From: Steve Sakoman
Date: Wed, 13 Apr 2022 17:03:08 -1000
Subject: Re: [OE-core] [PATCH][dunfell] zlib: backport the fix for CVE-2018-25032
To: Ralph Siemsen
Cc: Richard Purdie, Mike Crowe, Ross Burton, "Mittal, Anuj", Patches and discussions about the oe-core layer
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/164386

On Wed, Apr 13, 2022 at 5:02 PM Steve Sakoman wrote:
>
> On Wed, Apr 13, 2022 at 5:01 PM Steve Sakoman via
> lists.openembedded.org
> wrote:
> >
> > On Wed, Apr 13, 2022 at 4:47 PM Ralph Siemsen wrote:
> > >
> > > On Wed, 2022-04-13 at 11:39 -1000, Steve Sakoman wrote:
> > > > I did another experiment, where I disabled generation of the sha256
> > > > entries in Release (by adding --no-sha256 to the apt-ftparchive
> > > > command)
> > > >
> > > > As a result we get past this first hash mismatch in Release, but then
> > > > get later hash mismatches when it tries to download .debs.
> > >
> > > I am able to get past this, albeit with a hack. This fixes the sha256
> > > sum in the Release file, as well as verification of the .deb files.
> > > The original test then passes:
> > >
> > > RESULTS - apt.AptRepoTest.test_apt_install_from_repo: PASSED (46.75s)
> > >
> > > The hack to reduce the optimisation level for apt-native and apt. By
> > > default it uses CXXFLAGS="-g -O2". Reducing this to -O1 fixes the
> > > checksums.
> >
> > Nice work!
> >
> > > > The issue is happening on Fedora 35 and Alma 8, so no
> > > > buildtools-tarball in this case!
> >
> > I've started a build that uses buildtools just to verify that fixes it
> > and there aren't any other issues.
>
> FWIW, here is the link to that build - still underway.

Sigh, here is the link:

https://autobuilder.yoctoproject.org/typhoon/#/builders/50/builds/5078

> > Steve
> >
> > > > Fedora 35 is using gcc-11.2.1, could you check what Alma 8 uses?
> >
> > [sakoman@alma8-ty-1 ~]$ gcc --version
> > gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-4)
> >
> > >
> > > Here are a few other things I checked, prior to noticing the
> > > optimisation level issue:
> > >
> > > 1) we are using apt 1.2.31; the latest 1.2.y version is 1.2.35
> > > - this still has the problem with bad sha256sums
> > > - it does include several CVE fixes which we might want
> > > - it added a new dependency on systemd
> >
> > Urgh . . . this last part isn't good since it would be a behavior
> > change which isn't OK for LTS
> >
> > It may be that the best solution is to change to -O1 :-(
> >
> > Steve
> >
> > >
> > > 2) main branch version is 2.3.5
> > > - it switched to CMAKE
> > > - many new dependencies
> > > - I got it to configure, but not compile
> > > - custom crypto code seems to be dropped, in favour of gcrypt
> > > - presumably this would fix the sha256 however I cannot confirm
> > >
> > > Regards,
> > > Ralph
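The thread above traces apt's Release hash mismatches to apt-native's own SHA256 code being miscompiled at -O2. The following is an added example, not code from the thread or from apt: it parses the SHA256 stanza of a Release file and recomputes every listed file's digest and size with Python's hashlib as an independent reference, so a Release written by a broken apt-ftparchive shows up as a mismatch. The sample repository (one Packages index and its Release) is constructed inline so the script runs offline.

```python
# Cross-check an apt Release file's SHA256 stanza against the files it lists.
# Added example (not code from the thread or from apt); hashlib is the
# independent reference, so a Release from a miscompiled apt-ftparchive fails.
import hashlib
import os
import tempfile


def parse_release_sha256(text):
    """Return {path: (sha256_hex, size)} from the 'SHA256:' stanza of a Release file."""
    entries = {}
    in_stanza = False
    for line in text.splitlines():
        if not line.startswith(" "):           # a new field ends any hash stanza
            in_stanza = line.strip() == "SHA256:"
            continue
        if in_stanza:
            digest, size, path = line.split()  # " <hex digest> <size> <relative path>"
            entries[path] = (digest, int(size))
    return entries


def verify_release(repo_dir):
    """Recompute hash and size of every listed file; return the paths that mismatch."""
    with open(os.path.join(repo_dir, "Release")) as f:
        entries = parse_release_sha256(f.read())
    bad = []
    for path, (digest, size) in entries.items():
        with open(os.path.join(repo_dir, path), "rb") as f:
            data = f.read()
        if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            bad.append(path)
    return bad


def build_sample_repo(corrupt=False):
    """Constructed sample: one Packages index plus a Release that lists it."""
    repo = tempfile.mkdtemp()
    os.makedirs(os.path.join(repo, "main", "binary-amd64"))
    packages = b"Package: hello\nVersion: 1.0\nFilename: hello_1.0_amd64.deb\n"
    with open(os.path.join(repo, "main", "binary-amd64", "Packages"), "wb") as f:
        f.write(packages)
    digest = hashlib.sha256(packages).hexdigest()
    if corrupt:  # stand-in for the wrong digest a miscompiled apt-ftparchive wrote
        digest = digest[::-1]
    release = f"Suite: dunfell\nSHA256:\n {digest} {len(packages)} main/binary-amd64/Packages\n"
    with open(os.path.join(repo, "Release"), "w") as f:
        f.write(release)
    return repo
```

Run `verify_release()` against a real repository directory produced by the test's apt-ftparchive step; an empty list means the Release hashes agree with hashlib.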