[OpenWrt-Devel] [PATCH] patch: apply upstream cve fixes

Magnus Kroken mkroken at gmail.com
Sun Oct 14 09:55:18 EDT 2018


Hi Russell, Kevin

On 14.10.2018 11:34, Russell Senior wrote:
> 
> Apply two upstream patches to address two CVEs:
> 
>   * CVE-2018-1000156
>   * CVE-2018-6952
> 
> Add PKG_CPE_ID to Makefile.
> 
> Build tested on apm821xx and ar71xx.
> 
> Signed-off-by: Russell Senior <russell at personaltelco.net>
> ---
>   tools/patch/Makefile                          |   2 +
>   .../patch/patches/010-CVE-2018-1000156.patch  | 209 ++++++++++++++++++
>   tools/patch/patches/020-CVE-2018-6952.patch   |  30 +++
>   3 files changed, 240 insertions(+)
>   create mode 100644 tools/patch/patches/010-CVE-2018-1000156.patch
>   create mode 100644 tools/patch/patches/020-CVE-2018-6952.patch

This change causes tools/patch/compile to fail, with:

make[5]: Leaving directory 
'/var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/src'
Making all in tests
make[5]: Entering directory 
'/var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/tests'
  cd .. && /usr/bin/env bash 
/var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/build-aux/missing 
automake-1.15 --gnu tests/Makefile
/var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/build-aux/missing: 
line 81: automake-1.15: command not found
WARNING: 'automake-1.15' is missing on your system.
          You should only need it if you modified 'Makefile.am' or
          'configure.ac' or m4 files included by 'configure.ac'.
          The 'automake' program is part of the GNU Automake package:
          <http://www.gnu.org/software/automake>
          It also requires GNU Autoconf, GNU m4 and Perl in order to run:
          <http://www.gnu.org/software/autoconf>
          <http://www.gnu.org/software/m4/>
          <http://www.perl.org/>
Makefile:1361: recipe for target 'Makefile.in' failed

Making patch depend on automake allows patch to build successfully, but 
I'm not sure that's the correct fix. Looking casually at the changes in 
the tests/ directory that these CVE patches do, I don't immediately see 
why this pulls in automake.

I worked around this by:
diff --git a/tools/Makefile b/tools/Makefile
index 9a354f6c70..7a9abddad7 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -76,7 +76,7 @@ $(curdir)/zlib/compile := $(curdir)/cmake/compile
  $(curdir)/wrt350nv2-builder/compile := $(curdir)/zlib/compile
  $(curdir)/lzma-old/compile := $(curdir)/zlib/compile
  $(curdir)/make-ext4fs/compile := $(curdir)/zlib/compile
-
+$(curdir)/patch/compile := $(curdir)/automake/compile
  ifneq ($(HOST_OS),Linux)
    tools-y += coreutils
  endif
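
Review bot: The added `$(curdir)/patch/compile := $(curdir)/automake/compile` line takes the place of the blank line that separated the per-tool dependency list from the `ifneq ($(HOST_OS),Linux)` block; keep the blank line and add the dependency above it. The line also carries no comment saying why patch needs automake. The log above shows `automake-1.15 --gnu tests/Makefile` being run to regenerate `Makefile.in`, and the warning says this is only needed when `Makefile.am`, `configure.ac` or the m4 files were modified, so the dependency hides the regeneration instead of avoiding it. Either document that reason next to the new line, or check whether the imported CVE patches can leave the automake inputs under tests/ untouched so that no regeneration is triggered. Before merging, also confirm that automake's own build does not depend on patch being built first, which this hunk does not show.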


Regards
/Magnus
