Stable merges takes time it’s already staged see https://git.openembedded.org/meta-openembedded-contrib/log/?h=stable/hardknott-nut On Thu, Oct 21, 2021 at 7:05 PM Chen Qi wrote: > Hi Armin & Randy, > > Could this patch be merged into hardknott? > Or should I send out V2 with detailed change log? > > Regards, > Qi > ------------------------------ > *From:* Chen, Qi > *Sent:* Thursday, October 21, 2021 10:10 > *To:* MacLeod, Randy ; Armin Kuster < > akuster808@gmail.com>; openembedded-devel@lists.openembedded.org < > openembedded-devel@lists.openembedded.org> > > *Subject:* Re: [oe][meta-filesystem][hardknott][PATCH] ntfs-3g-ntfsprogs: > upgrade to 2021.8.22 > > Hi Randy, > > > 1. It's used by anaconda. I searched OE, and didn't find any other > place. > > > 1. I don't think it's worth the effort to identify and fix them one by > one. > > Regards, > Qi > ------------------------------ > *From:* MacLeod, Randy > *Sent:* Thursday, October 21, 2021 1:06 > *To:* Armin Kuster ; Chen, Qi ; > openembedded-devel@lists.openembedded.org < > openembedded-devel@lists.openembedded.org> > *Subject:* Re: [oe][meta-filesystem][hardknott][PATCH] ntfs-3g-ntfsprogs: > upgrade to 2021.8.22 > > On 2021-10-19 11:09 a.m., Armin Kuster wrote: > > > > > > On 10/18/21 9:59 PM, Chen Qi wrote: > >> This upgrade revolves a bunch of CVEs. See more details in: > >> > https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp. > > Seems reasonable to me. > > > > -armin > > I"m tempted to agree but I don't know enough about how ntfs-36 is > used. I think we need more information and a more detailed commit > log explaining why we think that the uprev is okay. > > Qi, > Does it provide a library and header files that developers use? > > Debian has a patch that we could make use of: > https://security-tracker.debian.org/tracker/CVE-2021-35266 > > $ apt-get source ntfs-3g > > $ fd security.patch > > ntfs-3g-2017.3.23AR.3/debian/patches/aug2021-security.patch > > > $ diffstat `fd aug` > > include/ntfs-3g/attrib.h | 1 > > include/ntfs-3g/index.h | 4 + > > include/ntfs-3g/volume.h | 5 ++ > > libntfs-3g/acls.c | 4 + > > libntfs-3g/attrib.c | 332 > > +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------ > > libntfs-3g/bootsect.c | 8 +++ > > libntfs-3g/compress.c | 22 +++++++++- > > libntfs-3g/dir.c | 109 > +++++++++++++++++++------------------------------- > > libntfs-3g/index.c | 183 > > +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------- > > libntfs-3g/inode.c | 24 ++++++----- > > libntfs-3g/lcnalloc.c | 15 ++++-- > > libntfs-3g/mft.c | 70 +++++++++++++++++++++++++++++++- > > libntfs-3g/volume.c | 81 ++++++++++++++++++++++++++++--------- > > ntfsprogs/ntfscp.c | 3 - > > ntfsprogs/ntfsfix.c | 17 ++++++- > > src/lowntfs-3g.c | 384 > > +++++++++++++++++++++++++++++++++++++++++----------------------------------------------------------------------------------------------------------------------------------------- > > src/ntfs-3g.c | 23 ++++++---- > > 17 files changed, 818 insertions(+), 467 deletions(-) > > > compared to the diff of the uprev: > > $ git diff 2017.3.23..2021.8.22 | diffstat | tail -1 > > 69 files changed, 3220 insertions(+), 705 deletions(-) > > > > ../Randy > > >> > >> These CVEs cannot be reolved one by one. Upgrading the package > >> is the only reasonable way. > >> > >> Signed-off-by: Chen Qi > >> --- > >> ...-ntfsprogs_2017.3.23.bb => ntfs-3g-ntfsprogs_2021.8.22.bb} | 4 > ++-- > >> 1 file changed, 2 insertions(+), 2 deletions(-) > >> rename meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/{ > ntfs-3g-ntfsprogs_2017.3.23.bb => ntfs-3g-ntfsprogs_2021.8.22.bb} (92%) > >> > >> diff --git a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ > ntfs-3g-ntfsprogs_2017.3.23.bb > b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ > ntfs-3g-ntfsprogs_2021.8.22.bb > >> similarity index 92% > >> rename from meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ > ntfs-3g-ntfsprogs_2017.3.23.bb > >> rename to meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ > ntfs-3g-ntfsprogs_2021.8.22.bb > >> index 6f5cb6cee..19b2d6ca2 100644 > >> --- a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ > ntfs-3g-ntfsprogs_2017.3.23.bb > >> +++ b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ > ntfs-3g-ntfsprogs_2021.8.22.bb > >> @@ -10,8 +10,8 @@ SRC_URI = " > http://tuxera.com/opensource/ntfs-3g_ntfsprogs-${PV}.tgz \ > >> > file://0001-libntfs-3g-Makefile.am-fix-install-failed-while-host.patch \ > >> " > >> S = "${WORKDIR}/ntfs-3g_ntfsprogs-${PV}" > >> -SRC_URI[md5sum] = "d97474ae1954f772c6d2fa386a6f462c" > >> -SRC_URI[sha256sum] = > "3e5a021d7b761261836dcb305370af299793eedbded731df3d6943802e1262d5" > >> +SRC_URI[md5sum] = "90da343e78877d388eb34cefae6799ae" > >> +SRC_URI[sha256sum] = > "55b883aa05d94b2ec746ef3966cb41e66bed6db99f22ddd41d1b8b94bb202efb" > >> > >> UPSTREAM_CHECK_URI = " > https://www.tuxera.com/community/open-source-ntfs-3g/" > >> UPSTREAM_CHECK_REGEX = "ntfs-3g_ntfsprogs-(?P\d+(\.\d+)+)\.tgz" > >> > >> > >> > > > > > > > > > > > > > -- > # Randy MacLeod > # Wind River Linux > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#93524): > https://lists.openembedded.org/g/openembedded-devel/message/93524 > Mute This Topic: https://lists.openembedded.org/mt/86433129/1997914 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [ > raj.khem@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > >