diff options
| author |   Chen Qi <Qi.Chen@windriver.com> | 2017-05-08 11:12:11 +0800 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-05-18 14:01:41 +0100 |
| commit | ee55b5685aaa4be92d6d51f8641a559d4e34ce64 (patch) | |
| tree | 7508a83e9ea27d8faf252bec0f00772e8b2847c0 | |
| parent | 1a3247d38939392bfdcb3eff1da7a1e08eff35f9 (diff) | |
| download | openembedded-core-contrib-ee55b5685aaa4be92d6d51f8641a559d4e34ce64.tar.gz | |
cve-check-tool: backport a patch to make CVE checking work
CVE checking in OE didn't work as do_populate_cve_db failed with the following
error message.
[snip]/downloads/CVE_CHECK/nvdcve-2.0-2002.xml is not consistent
Backport a patch to fix this error.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
| -rw-r--r-- | meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb | 1 | ||||
| -rw-r--r-- | meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch | 52 |
2 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb index fcd3182931..1f906ee0a4 100644 --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb +++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb @@ -10,6 +10,7 @@ SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}. file://check-for-malloc_trim-before-using-it.patch \ file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \ file://0001-curl-allow-overriding-default-CA-certificate-file.patch \ + file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \ " SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155" diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch new file mode 100644 index 0000000000..458c0cc84e --- /dev/null +++ b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch @@ -0,0 +1,52 @@ +From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001 +From: Sergey Popovich <popovich_sergei@mail.ua> +Date: Fri, 21 Apr 2017 07:32:23 -0700 +Subject: [PATCH] update: Compare computed vs expected sha256 digit string + ignoring case + +We produce sha256 digest string using %x snprintf() +qualifier for each byte of digest which uses alphabetic +characters from "a" to "f" in lower case to represent +integer values from 10 to 15. + +Previously all of the NVD META files supply sha256 +digest string for corresponding XML file in lower case. + +However due to some reason this changed recently to +provide digest digits in upper case causing fetched +data consistency checks to fail. This prevents database +from being updated periodically. + +While commit c4f6e94 (update: Do not treat sha256 failure +as fatal if requested) adds useful option to skip +digest validation at all and thus provides workaround for +this situation, it might be unacceptable for some +deployments where we need to ensure that downloaded +data is consistent before start parsing it and update +SQLite database. + +Use strcasecmp() to compare two digest strings case +insensitively and addressing this case. + +Upstream-Status: Backport +Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> +--- + src/update.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/update.c b/src/update.c +index 8588f38..3cc6b67 100644 +--- a/src/update.c ++++ b/src/update.c +@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data) + snprintf(&csum_data[idx], len, "%02hhx", digest[i]); + } + +- ret = streq(csum_meta, csum_data); ++ ret = !strcasecmp(csum_meta, csum_data); + + err_unmap: + munmap(buffer, length); +-- +2.11.0 + |