[dunfell,5/7] classes: cve-check: Get shared database lock

Message ID	374dd13db2c4fa92793f12c93d68d09304f77c17.1662603861.git.steve@sakoman.com
State	Accepted, archived
Commit	374dd13db2c4fa92793f12c93d68d09304f77c17
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.210.173, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 5/7] classes: cve-check: Get shared database lock Date: Wed, 7 Sep 2022 16:28:30 -1000 Message-Id: <374dd13db2c4fa92793f12c93d68d09304f77c17.1662603861.git.steve@sakoman.com> In-Reply-To: <cover.1662603861.git.steve@sakoman.com> References: <cover.1662603861.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[dunfell,1/7] sqlite: CVE-2022-35737 assertion failure \| expand [dunfell,1/7] sqlite: CVE-2022-35737 assertion failure [dunfell,2/7] curl: Backport patch for CVE-2022-35252 [dunfell,3/7] libarchive: Fix CVE-2021-23177 issue [dunfell,4/7] libarchive: Fix CVE-2021-31566 issue [dunfell,5/7] classes: cve-check: Get shared database lock [dunfell,6/7] cve-check: close cursors as soon as possible [dunfell,7/7] vim: Upgrade 9.0.0242 -> 9.0.0341

Message ID

374dd13db2c4fa92793f12c93d68d09304f77c17.1662603861.git.steve@sakoman.com

State

Accepted, archived

Commit

374dd13db2c4fa92793f12c93d68d09304f77c17

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 5/7] classes: cve-check: Get shared database lock
Date: Wed,  7 Sep 2022 16:28:30 -1000
Message-Id: 
 <374dd13db2c4fa92793f12c93d68d09304f77c17.1662603861.git.steve@sakoman.com>
In-Reply-To: <cover.1662603861.git.steve@sakoman.com>
References: <cover.1662603861.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[dunfell,1/7] sqlite: CVE-2022-35737 assertion failure | expand

Commit Message

Steve Sakoman Sept. 8, 2022, 2:28 a.m. UTC

From: Joshua Watt <JPEWhacker@gmail.com>

The CVE check database needs to have a shared lock acquired on it before
it is accessed. This to prevent cve-update-db-native from deleting the
database file out from underneath it.

[YOCTO #14899]

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 20a9911b73df62a0d0d1884e57085f13ac5016dd)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/cve-check.bbclass | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 9eb9a95574..c0d4e2a972 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -138,17 +138,18 @@  python do_cve_check () {
     """
     from oe.cve_check import get_patched_cves
 
-    if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
-        try:
-            patched_cves = get_patched_cves(d)
-        except FileNotFoundError:
-            bb.fatal("Failure in searching patches")
-        whitelisted, patched, unpatched, status = check_cves(d, patched_cves)
-        if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):
-            cve_data = get_cve_info(d, patched + unpatched + whitelisted)
-            cve_write_data(d, patched, unpatched, whitelisted, cve_data, status)
-    else:
-        bb.note("No CVE database found, skipping CVE check")
+    with bb.utils.fileslocked([d.getVar("CVE_CHECK_DB_FILE_LOCK")], shared=True):
+        if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
+            try:
+                patched_cves = get_patched_cves(d)
+            except FileNotFoundError:
+                bb.fatal("Failure in searching patches")
+            ignored, patched, unpatched, status = check_cves(d, patched_cves)
+            if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):
+                cve_data = get_cve_info(d, patched + unpatched + ignored)
+                cve_write_data(d, patched, unpatched, ignored, cve_data, status)
+        else:
+            bb.note("No CVE database found, skipping CVE check")
 
 }

[dunfell,5/7] classes: cve-check: Get shared database lock

Commit Message

Patch