[OpenWrt-Devel] [PATCH] patch: apply upstream cve fixes
Hauke Mehrtens
hauke at hauke-m.de
Sun Oct 14 16:44:39 EDT 2018
On 10/14/2018 03:55 PM, Magnus Kroken wrote:
> Hi Russell, Kevin
>
> On 14.10.2018 11:34, Russell Senior wrote:
>>
>> Apply two upstream patches to address two CVEs:
>>
>> * CVE-2018-1000156
>> * CVE-2018-6952
>>
>> Add PKG_CPE_ID to Makefile.
>>
>> Build tested on apm821xx and ar71xx.
>>
>> Signed-off-by: Russell Senior <russell at personaltelco.net>
>> ---
>> tools/patch/Makefile | 2 +
>> .../patch/patches/010-CVE-2018-1000156.patch | 209 ++++++++++++++++++
>> tools/patch/patches/020-CVE-2018-6952.patch | 30 +++
>> 3 files changed, 240 insertions(+)
>> create mode 100644 tools/patch/patches/010-CVE-2018-1000156.patch
>> create mode 100644 tools/patch/patches/020-CVE-2018-6952.patch
>
> This change causes tools/patch/compile to fail, with:
>
> make[5]: Leaving directory
> '/var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/src'
>
> Making all in tests
> make[5]: Entering directory
> '/var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/tests'
>
> cd .. && /usr/bin/env bash
> /var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/build-aux/missing
> automake-1.15 --gnu tests/Makefile
> /var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/build-aux/missing:
> line 81: automake-1.15: command not found
> WARNING: 'automake-1.15' is missing on your system.
> You should only need it if you modified 'Makefile.am' or
> 'configure.ac' or m4 files included by 'configure.ac'.
> The 'automake' program is part of the GNU Automake package:
> <http://www.gnu.org/software/automake>
> It also requires GNU Autoconf, GNU m4 and Perl in order to run:
> <http://www.gnu.org/software/autoconf>
> <http://www.gnu.org/software/m4/>
> <http://www.perl.org/>
> Makefile:1361: recipe for target 'Makefile.in' failed
>
> Making patch depend on automake allows patch to build successfully, but
> I'm not sure that's the correct fix. Looking casually at the changes in
> the tests/ directory that these CVE patches do, I don't immediately see
> why this pulls in automake.
>
> I worked around this by:
> diff --git a/tools/Makefile b/tools/Makefile
> index 9a354f6c70..7a9abddad7 100644
> --- a/tools/Makefile
> +++ b/tools/Makefile
> @@ -76,7 +76,7 @@ $(curdir)/zlib/compile := $(curdir)/cmake/compile
> $(curdir)/wrt350nv2-builder/compile := $(curdir)/zlib/compile
> $(curdir)/lzma-old/compile := $(curdir)/zlib/compile
> $(curdir)/make-ext4fs/compile := $(curdir)/zlib/compile
> -
> +$(curdir)/patch/compile := $(curdir)/automake/compile
> ifneq ($(HOST_OS),Linux)
> tools-y += coreutils
> endif
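Review bot: The added `$(curdir)/patch/compile := $(curdir)/automake/compile` line replaces the blank separator instead of being inserted beside it, so the dependency list now runs straight into `ifneq ($(HOST_OS),Linux)`; keep the blank line. The new dependency also has no comment saying why patch needs automake. The reply below reports that it creates a circular dependency, because tools/Makefile already makes every tool with a patches directory depend on tools/patch/compile. Dropping the tests/ changes from the CVE patches, as described there, avoids the automake requirement altogether.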
>
>
> Regards
> /Magnus
This is fixed now in master.

It looks like make detects that test/Makefile.am was modified after
test/Makefile.in and then wants to run automake again, but that fails
because automake is not installed.

tools/Makefile adds a dependency to tools/patch/compile for every
package which has a patches directory. When you add
$(curdir)/patch/compile := $(curdir)/automake/compile
it ends up in circular dependencies and we get some other build errors.

I removed the changes to the test/ directory from the patch and then it
works.
Hauke
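
A check a packager could run before importing an upstream patch into a tree whose host tools build without automake, as an added example that is not part of this thread or of OpenWrt: it lists the autotools inputs (Makefile.am, configure.ac, .m4 files) that a unified diff modifies, which is the condition described above that makes make try to regenerate Makefile.in. The function name and the sample diff are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the autotools inputs a unified diff modifies.
# Touching any of them makes the shipped Makefile.in look stale, so make
# tries to re-run automake during the build.

TAB=$(printf '\t')

# Print each file named on a "+++ " header line that is an autotools input.
# $1: path to a unified diff
autotools_inputs_in_patch() {
    sed -n 's/^+++ //p' "$1" |
    while IFS= read -r path; do
        path=${path%%"$TAB"*}     # drop a tab-separated timestamp, if any
        path=${path#[ab]/}        # drop the git-style a/ or b/ prefix
        case "$path" in
            /dev/null) ;;         # deleted file, nothing left to go stale
            Makefile.am|*/Makefile.am|configure.ac|*/configure.ac|*.m4)
                printf '%s\n' "$path" ;;
        esac
    done
}

# Constructed sample diff (not the real CVE patch): one C source change and
# one change under tests/ that edits Makefile.am.
sample=$(mktemp)
cat > "$sample" <<'EOF'
--- a/src/example.c
+++ b/src/example.c
@@ -1 +1 @@
-old line
+new line
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -1,2 +1,3 @@
 TESTS = \
+    new-test \
     old-test
EOF

found=$(autotools_inputs_in_patch "$sample")
rm -f "$sample"
printf 'autotools inputs modified: %s\n' "${found:-none}"
```

Any path it reports is a hunk to drop from the imported patch or to pair with a regenerated Makefile.in.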