openembedded-devel.lists.openembedded.org archive mirror
From: Randy MacLeod <randy.macleod@windriver.com>
To: Armin Kuster <akuster808@gmail.com>,
	Chen Qi <Qi.Chen@windriver.com>,
	openembedded-devel@lists.openembedded.org
Subject: Re: [oe][meta-filesystem][hardknott][PATCH] ntfs-3g-ntfsprogs: upgrade to 2021.8.22
Date: Wed, 20 Oct 2021 13:06:10 -0400
Message-ID: <4d0ea54a-fb51-982d-2936-027fe91c4d9d@windriver.com>
In-Reply-To: <b73a6500-6db3-57ec-2ccb-4616a719d276@gmail.com>

On 2021-10-19 11:09 a.m., Armin Kuster wrote:
> 
> 
> On 10/18/21 9:59 PM, Chen Qi wrote:
>> This upgrade resolves a bunch of CVEs. See more details in:
>> https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp.
> Seems reasonable to me.
> 
> -armin

I'm tempted to agree but I don't know enough about how ntfs-3g is
used. I think we need more information and a more detailed commit
log explaining why we think that the uprev is okay.

Qi,
Does it provide a library and header files that developers use?

Debian has a patch that we could make use of:
    https://security-tracker.debian.org/tracker/CVE-2021-35266

$ apt-get source ntfs-3g
$ fd security.patch
ntfs-3g-2017.3.23AR.3/debian/patches/aug2021-security.patch

$ diffstat `fd aug`
  include/ntfs-3g/attrib.h |    1
  include/ntfs-3g/index.h  |    4 +
  include/ntfs-3g/volume.h |    5 ++
  libntfs-3g/acls.c        |    4 +
  libntfs-3g/attrib.c      |  332 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------
  libntfs-3g/bootsect.c    |    8 +++
  libntfs-3g/compress.c    |   22 +++++++++-
  libntfs-3g/dir.c         |  109 +++++++++++++++++++-------------------------------
  libntfs-3g/index.c       |  183 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-------------------
  libntfs-3g/inode.c       |   24 ++++++-----
  libntfs-3g/lcnalloc.c    |   15 ++++--
  libntfs-3g/mft.c         |   70 +++++++++++++++++++++++++++++++-
  libntfs-3g/volume.c      |   81 ++++++++++++++++++++++++++++---------
  ntfsprogs/ntfscp.c       |    3 -
  ntfsprogs/ntfsfix.c      |   17 ++++++-
  src/lowntfs-3g.c         |  384 +++++++++++++++++++++++++++++++++++++++++-----------------------------------------------------------------------------------------------------------------------------------------
  src/ntfs-3g.c            |   23 ++++++----
  17 files changed, 818 insertions(+), 467 deletions(-)

compared to the diff of the uprev:

$ git diff 2017.3.23..2021.8.22 | diffstat | tail -1
  69 files changed, 3220 insertions(+), 705 deletions(-)



../Randy

>>
>> These CVEs cannot be resolved one by one. Upgrading the package
>> is the only reasonable way.
>>
>> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
>> ---
>>   ...-ntfsprogs_2017.3.23.bb => ntfs-3g-ntfsprogs_2021.8.22.bb} | 4 ++--
>>   1 file changed, 2 insertions(+), 2 deletions(-)
>>   rename meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/{ntfs-3g-ntfsprogs_2017.3.23.bb => ntfs-3g-ntfsprogs_2021.8.22.bb} (92%)
>>
>> diff --git a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2017.3.23.bb b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb
>> similarity index 92%
>> rename from meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2017.3.23.bb
>> rename to meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb
>> index 6f5cb6cee..19b2d6ca2 100644
>> --- a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2017.3.23.bb
>> +++ b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb
>> @@ -10,8 +10,8 @@ SRC_URI = "http://tuxera.com/opensource/ntfs-3g_ntfsprogs-${PV}.tgz \
>>              file://0001-libntfs-3g-Makefile.am-fix-install-failed-while-host.patch \
>>   "
>>   S = "${WORKDIR}/ntfs-3g_ntfsprogs-${PV}"
>> -SRC_URI[md5sum] = "d97474ae1954f772c6d2fa386a6f462c"
>> -SRC_URI[sha256sum] = "3e5a021d7b761261836dcb305370af299793eedbded731df3d6943802e1262d5"
>> +SRC_URI[md5sum] = "90da343e78877d388eb34cefae6799ae"
>> +SRC_URI[sha256sum] = "55b883aa05d94b2ec746ef3966cb41e66bed6db99f22ddd41d1b8b94bb202efb"
>>   
>>   UPSTREAM_CHECK_URI = "https://www.tuxera.com/community/open-source-ntfs-3g/"
>>   UPSTREAM_CHECK_REGEX = "ntfs-3g_ntfsprogs-(?P<pver>\d+(\.\d+)+)\.tgz"
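
Review bot: SRC_URI in the context line of this hunk still fetches the tarball over plain http://tuxera.com/opensource/, so the updated md5sum/sha256sum pair is the only integrity check on the new source. Consider moving the fetch to https (UPSTREAM_CHECK_URI below already uses https://www.tuxera.com/) and stating in the commit log where the new sha256sum was verified against the upstream release. The carried 0001-libntfs-3g-Makefile.am-fix-install-failed-while-host.patch is kept unchanged across the 2017.3.23 to 2021.8.22 jump; please confirm it still applies and is still needed.
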
>>
>>
>>


-- 
# Randy MacLeod
# Wind River Linux


