[OpenWrt-Devel] [PATCH] patch: apply upstream cve fixes

Hauke Mehrtens hauke at hauke-m.de
Sun Oct 14 16:44:39 EDT 2018


On 10/14/2018 03:55 PM, Magnus Kroken wrote:
> Hi Russell, Kevin
> 
> On 14.10.2018 11:34, Russell Senior wrote:
>>
>> Apply two upstream patches to address two CVEs:
>>
>>   * CVE-2018-1000156
>>   * CVE-2018-6952
>>
>> Add PKG_CPE_ID to Makefile.
>>
>> Build tested on apm821xx and ar71xx.
>>
>> Signed-off-by: Russell Senior <russell at personaltelco.net>
>> ---
>>   tools/patch/Makefile                          |   2 +
>>   .../patch/patches/010-CVE-2018-1000156.patch  | 209 ++++++++++++++++++
>>   tools/patch/patches/020-CVE-2018-6952.patch   |  30 +++
>>   3 files changed, 240 insertions(+)
>>   create mode 100644 tools/patch/patches/010-CVE-2018-1000156.patch
>>   create mode 100644 tools/patch/patches/020-CVE-2018-6952.patch
> 
> This change causes tools/patch/compile to fail, with:
> 
> make[5]: Leaving directory
> '/var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/src'
> 
> Making all in tests
> make[5]: Entering directory
> '/var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/tests'
> 
>  cd .. && /usr/bin/env bash
> /var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/build-aux/missing
> automake-1.15 --gnu tests/Makefile
> /var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/build-aux/missing:
> line 81: automake-1.15: command not found
> WARNING: 'automake-1.15' is missing on your system.
>          You should only need it if you modified 'Makefile.am' or
>          'configure.ac' or m4 files included by 'configure.ac'.
>          The 'automake' program is part of the GNU Automake package:
>          <http://www.gnu.org/software/automake>
>          It also requires GNU Autoconf, GNU m4 and Perl in order to run:
>          <http://www.gnu.org/software/autoconf>
>          <http://www.gnu.org/software/m4/>
>          <http://www.perl.org/>
> Makefile:1361: recipe for target 'Makefile.in' failed
> 
> Making patch depend on automake allows patch to build successfully, but
> I'm not sure that's the correct fix. Looking casually at the changes in
> the tests/ directory that these CVE patches do, I don't immediately see
> why this pulls in automake.
> 
> I worked around this by:
> diff --git a/tools/Makefile b/tools/Makefile
> index 9a354f6c70..7a9abddad7 100644
> --- a/tools/Makefile
> +++ b/tools/Makefile
> @@ -76,7 +76,7 @@ $(curdir)/zlib/compile := $(curdir)/cmake/compile
>  $(curdir)/wrt350nv2-builder/compile := $(curdir)/zlib/compile
>  $(curdir)/lzma-old/compile := $(curdir)/zlib/compile
>  $(curdir)/make-ext4fs/compile := $(curdir)/zlib/compile
> -
> +$(curdir)/patch/compile := $(curdir)/automake/compile
>  ifneq ($(HOST_OS),Linux)
>    tools-y += coreutils
>  endif
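Review bot: The added `$(curdir)/patch/compile := $(curdir)/automake/compile` line takes the place of the blank line that separated the dependency list from the `ifneq ($(HOST_OS),Linux)` block, so that separator should be kept. More importantly, the line only makes automake available when make decides to regenerate tests/Makefile.in. It does not stop the regeneration, and the commit gives no reason why the host patch tool should need automake at all. The reply below also reports that this ordering becomes circular, because tools that carry a patches directory already depend on patch/compile. Dropping the tests/ changes from the CVE patches avoids the regeneration without a new dependency edge.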
> 
> 
> Regards
> /Magnus

This is fixed now in master.

It looks like make detects that test/Makefile.am was modified after
test/Makefile.in and then wants to run automake again, but that fails
because automake is not installed.

tools/Makefile adds a dependency to tools/patch/compile for every
package which has a patches directory, when you add
$(curdir)/patch/compile := $(curdir)/automake/compile
it ends up in circular dependencies and we get some other build errors.

I removed the changes to the test/ directory from the patch and then it
works.

Hauke
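
The staleness condition described in this message can be checked before a patch is imported. The following is an added example, not code from the thread or from OpenWrt's build system; the function names and the sample diff are constructed for illustration. It lists the autotools inputs a unified diff modifies (the files named in the `missing` warning quoted above) and the Makefile.am files in an unpacked tree that are newer than the Makefile.in beside them.

```python
import os
import re

# Files whose modification makes the generated build system stale, per the
# 'missing' warning quoted in the thread: Makefile.am, configure.ac, m4 files.
AUTOTOOLS_INPUT = re.compile(r"(^|/)(Makefile\.am|configure\.ac)$|\.m4$")


def patched_autotools_inputs(patch_text):
    """Return paths of autotools inputs that a unified diff modifies."""
    hits = []
    for line in patch_text.splitlines():
        if not line.startswith("+++ "):
            continue
        # Strip the optional timestamp that follows a tab in plain diffs.
        path = line[4:].split("\t")[0].strip()
        if path == "/dev/null":
            continue
        # Drop the a/ or b/ prefix that git-style diffs carry.
        path = re.sub(r"^[ab]/", "", path)
        if AUTOTOOLS_INPUT.search(path) and path not in hits:
            hits.append(path)
    return hits


def stale_makefile_in(tree):
    """Return Makefile.am files newer than the Makefile.in beside them."""
    stale = []
    for root, _dirs, files in os.walk(tree):
        if "Makefile.am" in files and "Makefile.in" in files:
            am = os.path.join(root, "Makefile.am")
            mk_in = os.path.join(root, "Makefile.in")
            # Same comparison make performs for the Makefile.in target.
            if os.path.getmtime(am) > os.path.getmtime(mk_in):
                stale.append(os.path.relpath(am, tree))
    return sorted(stale)


# Constructed sample diff (not the real CVE patch).
SAMPLE_PATCH = """\
--- a/src/pch.c
+++ b/src/pch.c
@@ -1,1 +1,1 @@
-old
+new
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -1,1 +1,2 @@
 TESTS = \\
+\tnew-test \\
"""
```
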
