[meta-oe,dunfell,1/5] freerdp: Upgrade to 2.2.0

Message ID 20220111224714.1289840-1-marex@denx.de
State New
Series: [meta-oe,dunfell,1/5] freerdp: Upgrade to 2.2.0

Commit Message

Marek Vasut Jan. 11, 2022, 10:47 p.m. UTC
From: Khem Raj <raj.khem@gmail.com>

(cherry picked from commit f751dcf81a18fe817b40e755a2ba3f54a74d1e02)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Marek Vasut <marex@denx.de>
---
 .../freerdp/{freerdp_git.bb => freerdp_2.2.0.bb}            | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
 rename meta-oe/recipes-support/freerdp/{freerdp_git.bb => freerdp_2.2.0.bb} (94%)

Comments

akuster808 Jan. 12, 2022, 4:42 a.m. UTC | #1
On 1/11/22 2:47 PM, Marek Vasut wrote:
> From: Khem Raj <raj.khem@gmail.com>
>
> (cherry picked from commit f751dcf81a18fe817b40e755a2ba3f54a74d1e02)
> Signed-off-by: Khem Raj <raj.khem@gmail.com>
> Signed-off-by: Marek Vasut <marex@denx.de>

And why should I allow this?

-armin
> ---
>  .../freerdp/{freerdp_git.bb => freerdp_2.2.0.bb}            | 6 ++----
>  1 file changed, 2 insertions(+), 4 deletions(-)
>  rename meta-oe/recipes-support/freerdp/{freerdp_git.bb => freerdp_2.2.0.bb} (94%)
>
> diff --git a/meta-oe/recipes-support/freerdp/freerdp_git.bb b/meta-oe/recipes-support/freerdp/freerdp_2.2.0.bb
> similarity index 94%
> rename from meta-oe/recipes-support/freerdp/freerdp_git.bb
> rename to meta-oe/recipes-support/freerdp/freerdp_2.2.0.bb
> index 309acfbff..90ede1297 100644
> --- a/meta-oe/recipes-support/freerdp/freerdp_git.bb
> +++ b/meta-oe/recipes-support/freerdp/freerdp_2.2.0.bb
> @@ -11,12 +11,10 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
>  inherit pkgconfig cmake gitpkgv
>  
>  PE = "1"
> -PV = "2.0.0+gitr${SRCPV}"
>  PKGV = "${GITPKGVTAG}"
>  
> -# 2.0.0 release
> -SRCREV = "5ab2bed8749747b8e4b2ed431fd102bc726be684"
> -SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \
> +SRCREV = "d2ba84a6885f57674098fe8e76c5f99d880e580d"
> +SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https \
>      file://winpr-makecert-Build-with-install-RPATH.patch \
>  "
>  
>
Marek Vasut Jan. 12, 2022, 4:57 a.m. UTC | #2
On 1/12/22 05:42, akuster808 wrote:
> 
> 
> On 1/11/22 2:47 PM, Marek Vasut wrote:
>> From: Khem Raj <raj.khem@gmail.com>
>>
>> (cherry picked from commit f751dcf81a18fe817b40e755a2ba3f54a74d1e02)
>> Signed-off-by: Khem Raj <raj.khem@gmail.com>
>> Signed-off-by: Marek Vasut <marex@denx.de>
> 
> And why should I allow this?

This ... what ? The SoB line or the update ?

SoB line, well, aren't you supposed to add them to backported patches ? 
If not, then I can resend with them dropped, or drop them where applicable.

The update to 2.4.1, because of the CVE fixes.
akuster808 Jan. 15, 2022, 1:43 p.m. UTC | #3
On 1/11/22 8:57 PM, Marek Vasut wrote:
> On 1/12/22 05:42, akuster808 wrote:
>>
>>
>> On 1/11/22 2:47 PM, Marek Vasut wrote:
>>> From: Khem Raj <raj.khem@gmail.com>
>>>
>>> (cherry picked from commit f751dcf81a18fe817b40e755a2ba3f54a74d1e02)
>>> Signed-off-by: Khem Raj <raj.khem@gmail.com>
>>> Signed-off-by: Marek Vasut <marex@denx.de>
>>
>> And why should I allow this?
>
> This ... what ? The SoB line or the update ?

What is in the update from 2.2.0 to 2.4.1?

I had to look at the release notes myself and found new features being
added between those two. New features are not allowed per our process.

This patch set will not be included.

- armin
>
> SoB line, well, aren't you supposed to add them to backported patches
> ? If not, then I can resend with them dropped, or drop them where
> applicable.
>
> The update to 2.4.1, because of the CVE fixes.
Marek Vasut Jan. 15, 2022, 3:45 p.m. UTC | #4
On 1/15/22 14:43, akuster808 wrote:
> 
> 
> On 1/11/22 8:57 PM, Marek Vasut wrote:
>> On 1/12/22 05:42, akuster808 wrote:
>>>
>>>
>>> On 1/11/22 2:47 PM, Marek Vasut wrote:
>>>> From: Khem Raj <raj.khem@gmail.com>
>>>>
>>>> (cherry picked from commit f751dcf81a18fe817b40e755a2ba3f54a74d1e02)
>>>> Signed-off-by: Khem Raj <raj.khem@gmail.com>
>>>> Signed-off-by: Marek Vasut <marex@denx.de>
>>>
>>> And why should I allow this?
>>
>> This ... what ? The SoB line or the update ?
> 
> What is in the update from 2.2.0 to 2.4.1?

This patch updates freerdp from 2.0.0 to 2.2.0, not from 2.2.0 to 2.4.1, 
that's a later patch. This one addresses quite a few old CVEs though, 
see below.

> I had to look at the release notes myself and found new features being
> added between those two. New features are not allowed per our process.

This should all be part of FreeRDP stable-2.0 branch
https://github.com/FreeRDP/FreeRDP/tree/stable-2.0

Their active development is happening toward 3.0 release, that's where 
features are being added.

Looking briefly at the debian changelog for the various CVEs this 
patchset addresses, here is a list:

https://metadata.ftp-master.debian.org/changelogs//main/f/freerdp2/freerdp2_2.4.1+dfsg1-1_changelog

freerdp2 (2.2.0+dfsg1-1) unstable; urgency=medium

   * New upstream release.
     + CVE-2020-15103: Integer overflow due to missing input sanitation in
...

freerdp2 (2.1.2+dfsg1-1) unstable; urgency=medium

   * New upstream release.
     - CVE-2020-4033: Out of bound read in RLEDECOMPRESS
     - CVE-2020-4031: Use-After-Free in gdi_SelectObject
     - CVE-2020-4032: Integer casting vulnerability in
       `update_recv_secondary_order`
     - CVE-2020-4030: OOB read in `TrioParse`
     - CVE-2020-11099: OOB Read in license_read_new_or_upgrade_license_packet
     - CVE-2020-11098: Out-of-bound read in glyph_cache_put
     - CVE-2020-11097: OOB read in ntlm_av_pair_get
     - CVE-2020-11095: Global OOB read in update_recv_primary_order
     - CVE-2020-11096: Global OOB read in update_read_cache_bitmap_v3_order
...

freerdp2 (2.4.1+dfsg1-1) unstable; urgency=medium

   * New upstream release. (Closes: #999727).
     - CVE-2021-41160: Fix improper region checks in all clients that allowed
       out of bound write to memory. (Closes: #1001062).
     - CVE-2021-41159: Fix improper client input validation for gateway
       connections that allowed one to overwrite memory. (Closes: #1001061).

> This patch set will not be included.

I see you've made your decision then.

How do you propose those CVEs be closed in dunfell then ?

[...]
Marek Vasut Jan. 16, 2022, 6:21 p.m. UTC | #5
On 1/16/22 19:05, akuster808 wrote:
> 
> 
> On 1/15/22 7:45 AM, Marek Vasut wrote:
>> On 1/15/22 14:43, akuster808 wrote:
>>>
>>>
>>> On 1/11/22 8:57 PM, Marek Vasut wrote:
>>>> On 1/12/22 05:42, akuster808 wrote:
>>>>>
>>>>>
>>>>> On 1/11/22 2:47 PM, Marek Vasut wrote:
>>>>>> From: Khem Raj <raj.khem@gmail.com>
>>>>>>
>>>>>> (cherry picked from commit f751dcf81a18fe817b40e755a2ba3f54a74d1e02)
>>>>>> Signed-off-by: Khem Raj <raj.khem@gmail.com>
>>>>>> Signed-off-by: Marek Vasut <marex@denx.de>
>>>>>
>>>>> And why should I allow this?
>>>>
>>>> This ... what ? The SoB line or the update ?
>>>
>>> What is in the update from 2.2.0 to 2.4.1?
>>
>> This patch updates freerdp from 2.0.0 to 2.2.0 , not from 2.2.0 to
>> 2.4.1 , that's a later patch.
> I still see new features being added in 2.2.0 so the same statements
> apply.  Until the process changes to allow package updates that include
> new features and functionality for a LTS branch, I am going to decline
> taking this patch series.

What about the large amount of CVE fixes and the fact that this is still 
a stable-2.0 branch update, not upgrade to 3.x , as explained below ?

>> This one addresses quite a few old CVEs though, see below.
>>
>>> I had to look at the release notes myself and found new features being
>>> added between those two. New features are not allowed per our process.
>>
>> This should all be part of FreeRDP stable-2.0 branch
>> https://github.com/FreeRDP/FreeRDP/tree/stable-2.0
>>
>> Their active development is happening toward 3.0 release, that's where
>> features are being added.
>>
>> Looking briefly at the debian changelog for the various CVEs this
>> patchset addresses, here is a list:
>>
>> https://metadata.ftp-master.debian.org/changelogs//main/f/freerdp2/freerdp2_2.4.1+dfsg1-1_changelog
>>
>>
>> freerdp2 (2.2.0+dfsg1-1) unstable; urgency=medium
>>
>>    * New upstream release.
>>      + CVE-2020-15103: Integer overflow due to missing input sanitation in
>> ...
>>
>> freerdp2 (2.1.2+dfsg1-1) unstable; urgency=medium
>>
>>    * New upstream release.
>>      - CVE-2020-4033: Out of bound read in RLEDECOMPRESS
>>      - CVE-2020-4031: Use-After-Free in gdi_SelectObject
>>      - CVE-2020-4032: Integer casting vulnerability in
>>        `update_recv_secondary_order`
>>      - CVE-2020-4030: OOB read in `TrioParse`
>>      - CVE-2020-11099: OOB Read in
>> license_read_new_or_upgrade_license_packet
>>      - CVE-2020-11098: Out-of-bound read in glyph_cache_put
>>      - CVE-2020-11097: OOB read in ntlm_av_pair_get
>>      - CVE-2020-11095: Global OOB read in update_recv_primary_order
>>      - CVE-2020-11096: Global OOB read in
>> update_read_cache_bitmap_v3_order
>> ...
>>
>> freerdp2 (2.4.1+dfsg1-1) unstable; urgency=medium
>>
>>    * New upstream release. (Closes: #999727).
>>      - CVE-2021-41160: Fix improper region checks in all clients that
>> allowed
>>        out of bound write to memory. (Closes: #1001062).
>>      - CVE-2021-41159: Fix improper client input validation for gateway
>>        connections that allowed one to overwrite memory. (Closes:
>> #1001061).
>>
>>> This patch set will not be included.
>>
>> I see you've made your decision then.
>>
>> How do you propose those CVEs be closed in dunfell then ?
>>
>> [...]

What about this ?
Marta Rybczynska Jan. 17, 2022, 5:34 p.m. UTC | #6
On Sun, Jan 16, 2022 at 7:22 PM Marek Vasut <marex@denx.de> wrote:

> On 1/16/22 19:05, akuster808 wrote:
> >
> >
> > On 1/15/22 7:45 AM, Marek Vasut wrote:
> >> On 1/15/22 14:43, akuster808 wrote:
> >>>
> >>>
> >>> On 1/11/22 8:57 PM, Marek Vasut wrote:
> >>>> On 1/12/22 05:42, akuster808 wrote:
> >>>>>
> >>>>>
> >>>>> On 1/11/22 2:47 PM, Marek Vasut wrote:
> >>>>>> From: Khem Raj <raj.khem@gmail.com>
> >>>>>>
> >>>>>> (cherry picked from commit f751dcf81a18fe817b40e755a2ba3f54a74d1e02)
> >>>>>> Signed-off-by: Khem Raj <raj.khem@gmail.com>
> >>>>>> Signed-off-by: Marek Vasut <marex@denx.de>
> >>>>>
> >>>>> And why should I allow this?
> >>>>
> >>>> This ... what ? The SoB line or the update ?
> >>>
> >>> What is in the update from 2.2.0 to 2.4.1?
> >>
> >> This patch updates freerdp from 2.0.0 to 2.2.0 , not from 2.2.0 to
> >> 2.4.1 , that's a later patch.
> > I still see new features being added in 2.2.0 so the same statements
> > apply.  Until the process changes to allow package updates that include
> > new features and functionality for a LTS branch, I am going to decline
> > taking this patch series.
>
> What about the large amount of CVE fixes and the fact that this is still
> a stable-2.0 branch update, not upgrade to 3.x , as explained below ?
>
>
Marek,
Are you able to backport needed fixes to 2.2.x series? This would be
something Armin would likely accept.

Kind regards,
Marta
Marek Vasut Jan. 17, 2022, 10:21 p.m. UTC | #7
On 1/17/22 18:34, Marta Rybczynska wrote:
> On Sun, Jan 16, 2022 at 7:22 PM Marek Vasut <marex@denx.de> wrote:
> 
>> On 1/16/22 19:05, akuster808 wrote:
>>>
>>>
>>> On 1/15/22 7:45 AM, Marek Vasut wrote:
>>>> On 1/15/22 14:43, akuster808 wrote:
>>>>>
>>>>>
>>>>> On 1/11/22 8:57 PM, Marek Vasut wrote:
>>>>>> On 1/12/22 05:42, akuster808 wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 1/11/22 2:47 PM, Marek Vasut wrote:
>>>>>>>> From: Khem Raj <raj.khem@gmail.com>
>>>>>>>>
>>>>>>>> (cherry picked from commit f751dcf81a18fe817b40e755a2ba3f54a74d1e02)
>>>>>>>> Signed-off-by: Khem Raj <raj.khem@gmail.com>
>>>>>>>> Signed-off-by: Marek Vasut <marex@denx.de>
>>>>>>>
>>>>>>> And why should I allow this?
>>>>>>
>>>>>> This ... what ? The SoB line or the update ?
>>>>>
>>>>> What is in the update from 2.2.0 to 2.4.1?
>>>>
>>>> This patch updates freerdp from 2.0.0 to 2.2.0 , not from 2.2.0 to
>>>> 2.4.1 , that's a later patch.
>>> I still see new features being added in 2.2.0 so the same statements
>>> apply.  Until the process changes to allow package updates that include
>>> new features and functionality for a LTS branch, I am going to decline
>>> taking this patch series.
>>
>> What about the large amount of CVE fixes and the fact that this is still
>> a stable-2.0 branch update, not upgrade to 3.x , as explained below ?
>>
>>
> Marek,
> Are you able to backport needed fixes to 2.2.x series? This would be
> something
> Armin would likely accept.

I'm not really confident at sifting through the 550 or so patches 
between freerdp 2.0.0 and 2.4.1 and picking out what ought to be CVE 
fixes correctly, so that might end up with an even worse result.

We can likely pick the fixes from debian oldstable freerdp, but those 
are also last updated in June 2020, and debian stable is on freerdp 
2.3.0 now.

Also, June 2020 is where freerdp no longer has CVE information in the 
commit messages, for whatever reason.

That's why I think rolling the freerdp forward to latest stable-2.x 
series is the easiest, the CVEs get reliably closed and there shouldn't 
be any API/ABI incompatibility.
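The two messages above argue from the Debian changelog about which CVEs a given version bump closes. As an added example (not from the thread or from the freerdp project), this script parses a changelog in the format quoted in the thread and lists the CVE ids attributed to releases strictly after the old upstream version and up to the new one; the embedded changelog is a constructed excerpt with the ids the thread cites and abbreviated entry text.

```python
import re

# Constructed excerpt in the Debian changelog format the thread quotes (same CVE ids, text abbreviated).
CHANGELOG = """\
freerdp2 (2.4.1+dfsg1-1) unstable; urgency=medium

  * New upstream release. (Closes: #999727).
    - CVE-2021-41160: Fix improper region checks in all clients that allowed
      out of bound write to memory. (Closes: #1001062).
    - CVE-2021-41159: Fix improper client input validation for gateway
      connections that allowed one to overwrite memory. (Closes: #1001061).

freerdp2 (2.2.0+dfsg1-1) unstable; urgency=medium

  * New upstream release.
    + CVE-2020-15103: Integer overflow due to missing input sanitation in

freerdp2 (2.1.2+dfsg1-1) unstable; urgency=medium

  * New upstream release.
    - CVE-2020-4033: Out of bound read in RLEDECOMPRESS
    - CVE-2020-11099: OOB Read in
      license_read_new_or_upgrade_license_packet
"""

STANZA_RE = re.compile(r"^(\S+) \(([^)]+)\) ", re.M)  # "pkg (version) dist; ..."
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def upstream_version(debian_version):
    """'1:2.2.0+dfsg1-1' -> (2, 2, 0): drop epoch, +dfsg suffix and Debian revision."""
    upstream = debian_version.split(":")[-1].split("-")[0].split("+")[0]
    return tuple(int(p) for p in upstream.split("."))

def parse_changelog(text):
    """Yield (upstream version tuple, set of CVE ids mentioned) for each stanza."""
    heads = list(STANZA_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]          # entry text up to the next stanza header
        yield upstream_version(head.group(2)), set(CVE_RE.findall(body))

def cves_closed_by_upgrade(text, old, new):
    """CVE ids the changelog attributes to releases in the range (old, new]."""
    lo, hi = upstream_version(old), upstream_version(new)
    closed = set()
    for version, cves in parse_changelog(text):
        if lo < version <= hi:
            closed |= cves
    return sorted(closed)
```

Running `cves_closed_by_upgrade(CHANGELOG, "2.0.0", "2.2.0")` gives the 2020 ids and leaves the two 2021 ids for the later 2.4.1 bump, which is the split the thread is arguing about.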

Patch

diff --git a/meta-oe/recipes-support/freerdp/freerdp_git.bb b/meta-oe/recipes-support/freerdp/freerdp_2.2.0.bb
similarity index 94%
rename from meta-oe/recipes-support/freerdp/freerdp_git.bb
rename to meta-oe/recipes-support/freerdp/freerdp_2.2.0.bb
index 309acfbff..90ede1297 100644
--- a/meta-oe/recipes-support/freerdp/freerdp_git.bb
+++ b/meta-oe/recipes-support/freerdp/freerdp_2.2.0.bb
@@ -11,12 +11,10 @@  LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
 inherit pkgconfig cmake gitpkgv
 
 PE = "1"
-PV = "2.0.0+gitr${SRCPV}"
 PKGV = "${GITPKGVTAG}"
 
-# 2.0.0 release
-SRCREV = "5ab2bed8749747b8e4b2ed431fd102bc726be684"
-SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=master;protocol=https \
+SRCREV = "d2ba84a6885f57674098fe8e76c5f99d880e580d"
+SRC_URI = "git://github.com/FreeRDP/FreeRDP.git;branch=stable-2.0;protocol=https \
     file://winpr-makecert-Build-with-install-RPATH.patch \
 "
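Review bot: the hunk drops the `# 2.0.0 release` comment above SRCREV but adds nothing saying which stable-2.0 tag the new `SRCREV = "d2ba84a6885f57674098fe8e76c5f99d880e580d"` corresponds to; add `# 2.2.0 release` (or the tag name) above the new line so the pin can be checked against the branch at review time. The removed `PV = "2.0.0+gitr${SRCPV}"` is now supplied by the freerdp_2.2.0.bb filename, which is worth stating in the commit message, and since that message has no body, it should also list the CVEs this bump closes, which is the rationale the dunfell maintainer asks for in the thread.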