Stable merges takes time it’s already staged see
On Thu, Oct 21, 2021 at 7:05 PM Chen Qi <Qi.Chen@windriver.com> wrote:
Hi Armin & Randy,
Could this patch be merged into hardknott?Or should I send out V2 with detailed change log?
Regards,Qi
From: Chen, Qi <Qi.Chen@windriver.com>
Sent: Thursday, October 21, 2021 10:10
To: MacLeod, Randy <Randy.MacLeod@windriver.com>; Armin Kuster <akuster808@gmail.com>; openembedded-devel@lists.openembedded.org <openembedded-devel@lists.openembedded.org>
Subject: Re: [oe][meta-filesystem][hardknott][PATCH] ntfs-3g-ntfsprogs: upgrade to 2021.8.22Hi Randy,
- It's used by anaconda. I searched OE, and didn't find any other place.
- I don't think it's worth the effort to identify and fix them one by one.
Regards,Qi
From: MacLeod, Randy <Randy.MacLeod@windriver.com>
Sent: Thursday, October 21, 2021 1:06
To: Armin Kuster <akuster808@gmail.com>; Chen, Qi <Qi.Chen@windriver.com>; openembedded-devel@lists.openembedded.org <openembedded-devel@lists.openembedded.org>
Subject: Re: [oe][meta-filesystem][hardknott][PATCH] ntfs-3g-ntfsprogs: upgrade to 2021.8.22On 2021-10-19 11:09 a.m., Armin Kuster wrote:
>
>
> On 10/18/21 9:59 PM, Chen Qi wrote:
>> This upgrade revolves a bunch of CVEs. See more details in:
>> https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-q759-8j5v-q5jp.
> Seems reasonable to me.
>
> -armin
I"m tempted to agree but I don't know enough about how ntfs-36 is
used. I think we need more information and a more detailed commit
log explaining why we think that the uprev is okay.
Qi,
Does it provide a library and header files that developers use?
Debian has a patch that we could make use of:
https://security-tracker.debian.org/tracker/CVE-2021-35266
$ apt-get source ntfs-3g
$ fd security.patch
ntfs-3g-2017.3.23AR.3/debian/patches/aug2021-security.patch
$ diffstat `fd aug`
include/ntfs-3g/attrib.h | 1
include/ntfs-3g/index.h | 4 +
include/ntfs-3g/volume.h | 5 ++
libntfs-3g/acls.c | 4 +
libntfs-3g/attrib.c | 332
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------
libntfs-3g/bootsect.c | 8 +++
libntfs-3g/compress.c | 22 +++++++++-
libntfs-3g/dir.c | 109
+++++++++++++++++++-------------------------------
libntfs-3g/index.c | 183
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-------------------
libntfs-3g/inode.c | 24 ++++++-----
libntfs-3g/lcnalloc.c | 15 ++++--
libntfs-3g/mft.c | 70 +++++++++++++++++++++++++++++++-
libntfs-3g/volume.c | 81 ++++++++++++++++++++++++++++---------
ntfsprogs/ntfscp.c | 3 -
ntfsprogs/ntfsfix.c | 17 ++++++-
src/lowntfs-3g.c | 384
+++++++++++++++++++++++++++++++++++++++++-----------------------------------------------------------------------------------------------------------------------------------------
src/ntfs-3g.c | 23 ++++++----
17 files changed, 818 insertions(+), 467 deletions(-)
compared to the diff of the uprev:
$ git diff 2017.3.23..2021.8.22 | diffstat | tail -1
69 files changed, 3220 insertions(+), 705 deletions(-)
../Randy
>>
>> These CVEs cannot be reolved one by one. Upgrading the package
>> is the only reasonable way.
>>
>> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
>> ---
>> ...-ntfsprogs_2017.3.23.bb => ntfs-3g-ntfsprogs_2021.8.22.bb} | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>> rename meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/{ntfs-3g-ntfsprogs_2017.3.23.bb => ntfs-3g-ntfsprogs_2021.8.22.bb} (92%)
>>
>> diff --git a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2017.3.23.bb b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb
>> similarity index 92%
>> rename from meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2017.3.23.bb
>> rename to meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb
>> index 6f5cb6cee..19b2d6ca2 100644
>> --- a/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2017.3.23.bb
>> +++ b/meta-filesystems/recipes-filesystems/ntfs-3g-ntfsprogs/ntfs-3g-ntfsprogs_2021.8.22.bb
>> @@ -10,8 +10,8 @@ SRC_URI = "http://tuxera.com/opensource/ntfs-3g_ntfsprogs-${PV}.tgz \
>> file://0001-libntfs-3g-Makefile.am-fix-install-failed-while-host.patch \
>> "
>> S = "${WORKDIR}/ntfs-3g_ntfsprogs-${PV}"
>> -SRC_URI[md5sum] = "d97474ae1954f772c6d2fa386a6f462c"
>> -SRC_URI[sha256sum] = "3e5a021d7b761261836dcb305370af299793eedbded731df3d6943802e1262d5"
>> +SRC_URI[md5sum] = "90da343e78877d388eb34cefae6799ae"
>> +SRC_URI[sha256sum] = "55b883aa05d94b2ec746ef3966cb41e66bed6db99f22ddd41d1b8b94bb202efb"
>>
>> UPSTREAM_CHECK_URI = "https://www.tuxera.com/community/open-source-ntfs-3g/"
>> UPSTREAM_CHECK_REGEX = "ntfs-3g_ntfsprogs-(?P<pver>\d+(\.\d+)+)\.tgz"
>>
>>
>>
>
>
>
>
>
--
# Randy MacLeod
# Wind River Linux
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#93524): https://lists.openembedded.org/g/openembedded-devel/message/93524
Mute This Topic: https://lists.openembedded.org/mt/86433129/1997914
Group Owner: openembedded-devel+owner@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [raj.khem@gmail.com]
-=-=-=-=-=-=-=-=-=-=-=-