aboutsummaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
blob: 458c0cc84e5f7ff0a7e9f1c0d97d4b8dc9a2564d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001
From: Sergey Popovich <popovich_sergei@mail.ua>
Date: Fri, 21 Apr 2017 07:32:23 -0700
Subject: [PATCH] update: Compare computed vs expected sha256 digit string
 ignoring case

We produce sha256 digest string using %x snprintf()
qualifier for each byte of digest which uses alphabetic
characters from "a" to "f" in lower case to represent
integer values from 10 to 15.

Previously all of the NVD META files supply sha256
digest string for corresponding XML file in lower case.

However due to some reason this changed recently to
provide digest digits in upper case causing fetched
data consistency checks to fail. This prevents database
from being updated periodically.

While commit c4f6e94 (update: Do not treat sha256 failure
as fatal if requested) adds useful option to skip
digest validation at all and thus provides workaround for
this situation, it might be unacceptable for some
deployments where we need to ensure that downloaded
data is consistent before start parsing it and update
SQLite database.

Use strcasecmp() to compare two digest strings case
insensitively and addressing this case.

Upstream-Status: Backport
Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
---
 src/update.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/update.c b/src/update.c
index 8588f38..3cc6b67 100644
--- a/src/update.c
+++ b/src/update.c
@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data)
                 snprintf(&csum_data[idx], len, "%02hhx", digest[i]);
         }
 
-        ret = streq(csum_meta, csum_data);
+        ret = !strcasecmp(csum_meta, csum_data);
 
 err_unmap:
         munmap(buffer, length);
-- 
2.11.0