
ncurses: Update 6.4 -> 6.4+20230514

Message ID 20230517082146.578-1-florin.diaconescu009@gmail.com
State New
Series ncurses: Update 6.4 -> 6.4+20230514

Commit Message

Florin Diaconescu May 17, 2023, 8:21 a.m. UTC
Latest patch in ncurses GitHub mirror
Includes the fix for CVE-2023-29491, done in 6.4+20230408

Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
---
 .../ncurses/{ncurses_6.4.bb => ncurses_6.4+20230514.bb}       | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename meta/recipes-core/ncurses/{ncurses_6.4.bb => ncurses_6.4+20230514.bb} (78%)

Comments

Alexander Kanavin May 17, 2023, 8:26 a.m. UTC | #1
Snapshots are not releases, but rather in-progress development work
towards the next release. If the goal is to fix a CVE, then you should
backport the patch.

As explained here:
https://invisible-island.net/ncurses/ncurses.faq.html#latest_version

Alex

On Wed, 17 May 2023 at 10:22, Florin Diaconescu
<florin.diaconescu009@gmail.com> wrote:
>
> Latest patch in ncurses GitHub mirror
> Includes the fix for CVE-2023-29491, done in 6.4+20230408
>
> Signed-off-by: Florin Diaconescu <florin.diaconescu009@gmail.com>
> ---
>  .../ncurses/{ncurses_6.4.bb => ncurses_6.4+20230514.bb}       | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>  rename meta/recipes-core/ncurses/{ncurses_6.4.bb => ncurses_6.4+20230514.bb} (78%)
>
> diff --git a/meta/recipes-core/ncurses/ncurses_6.4.bb b/meta/recipes-core/ncurses/ncurses_6.4+20230514.bb
> similarity index 78%
> rename from meta/recipes-core/ncurses/ncurses_6.4.bb
> rename to meta/recipes-core/ncurses/ncurses_6.4+20230514.bb
> index 166e30713c..44aaac3613 100644
> --- a/meta/recipes-core/ncurses/ncurses_6.4.bb
> +++ b/meta/recipes-core/ncurses/ncurses_6.4+20230514.bb
> @@ -6,10 +6,10 @@ SRC_URI += "file://0001-tic-hang.patch \
>             file://exit_prototype.patch \
>             "
>  # commit id corresponds to the revision in package version
> -SRCREV = "1003914e200fd622a27237abca155ce6bf2e6030"
> +SRCREV = "b9f9d6304f6abd71a5fdbfd500a645e521edf8b6"
>  S = "${WORKDIR}/git"
>  EXTRA_OECONF += "--with-abi-version=5"
>  UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)$"
>
>  # This is needed when using patchlevel versions like 6.1+20181013
> -#CVE_VERSION = "${@d.getVar("PV").split('+')[0]}.${@d.getVar("PV").split('+')[1]}"
> +CVE_VERSION = "${@d.getVar("PV").split('+')[0]}.${@d.getVar("PV").split('+')[1]}"
> --
> 2.25.1
>
Florin Diaconescu May 17, 2023, 8:33 a.m. UTC | #2
What's the reasoning behind updating ncurses from 6.3 to 6.3+20220423 in Kirkstone, then?
https://git.yoctoproject.org/poky/commit/meta/recipes-core/ncurses?h=kirkstone&id=e13ce12e4ad79100bd45c751203040ce2a6f1920

Looks like they updated for fixing a CVE as well, and they did not backport the patch on top of 6.3.
"CVE: CVE-2022-29458"

Florin
Alexander Kanavin May 17, 2023, 8:35 a.m. UTC | #3
The reasoning is that I didn't see that patch so I could react. It
merged but it shouldn't have.

The standard policy is that we're not taking random snapshots in the
middle of a development cycle, and there shouldn't be an exception for
ncurses.

Alex

On Wed, 17 May 2023 at 10:33, Florin Diaconescu
<florin.diaconescu009@gmail.com> wrote:
>
> What's the reasoning behind updating ncurses from 6.3 to 6.3+20220423 in Kirkstone, then?
> https://git.yoctoproject.org/poky/commit/meta/recipes-core/ncurses?h=kirkstone&id=e13ce12e4ad79100bd45c751203040ce2a6f1920
>
> Looks like they updated for fixing a CVE as well, and they did not backport the patch on top of 6.3.
> "CVE: CVE-2022-29458"
>
> Florin
Florin Diaconescu May 17, 2023, 8:46 a.m. UTC | #4
What about this, then? Looks like it is committed by you:
http://cgit.openembedded.org/openembedded-core/commit/meta/recipes-core/ncurses?h=kirkstone&id=325fe5f68bc698f78f5c1a14407c0bbb4cba45f7
Indeed, you were updating from a development snapshot to another development snapshot, but judging by the history of this recipe I thought that this was always the case.
http://cgit.openembedded.org/openembedded-core/commit/meta/recipes-core/ncurses?h=kirkstone&id=fdb2a95d5e0265de1172940b6dc71fc7d602e8d1

If the standard policy is that, maybe the CVE_VERSION line should also be removed.
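The CVE_VERSION line under discussion is a BitBake inline-Python expression evaluated against PV, so what it yields, and why it had to be commented out at the plain 6.4 version, can be checked outside a build. The following is an added example, not code from this patch or from OE-core's cve-check class. The fixed-in version 6.4.20230408 is taken from the commit message's statement that the CVE-2023-29491 fix landed in 6.4+20230408; the version-range check is a deliberately simplified stand-in for what cve-check does, and the `replace`-based alternative is a suggestion, not something the patch contains.

```python
"""Evaluate the recipe's CVE_VERSION expression and show why it matters.

Added example; not from the patch or from OE-core. The range check below is a
simplified stand-in for cve-check's version comparison (an assumption).
"""
from typing import Tuple


def cve_version_as_in_recipe(pv: str) -> str:
    """What the patch's re-enabled line evaluates to for a given PV.

    Mirrors ${@d.getVar("PV").split('+')[0]}.${@d.getVar("PV").split('+')[1]}
    with d.getVar("PV") replaced by the pv argument.
    """
    return pv.split('+')[0] + "." + pv.split('+')[1]


def cve_version_guarded(pv: str) -> str:
    """A form that stays valid for both plain and '+'-suffixed PVs.

    Suggested alternative (assumption, not in the patch): replacing the '+'
    gives the same string as above for patchlevel versions and returns PV
    unchanged for a plain release such as "6.4".
    """
    return pv.replace('+', '.', 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple for ordering."""
    return tuple(int(part) for part in version.split('.'))


def is_fixed(cve_version: str, fixed_in: str) -> bool:
    """Simplified stand-in for a 'fixed in version X' range check:
    the package counts as patched if its version is at least fixed_in."""
    return parse_version(cve_version) >= parse_version(fixed_in)


# Constructed input: the version the commit message says carries the
# CVE-2023-29491 fix, written in the dotted form cve-check would compare.
FIXED_IN = "6.4.20230408"


def evaluate(pv: str) -> dict:
    """Evaluate one PV the way the recipe line would, reporting any failure."""
    result = {"pv": pv, "guarded": cve_version_guarded(pv)}
    try:
        result["recipe"] = cve_version_as_in_recipe(pv)
    except IndexError:
        # This is the failure that forced the line to be commented out at 6.4:
        # "6.4".split('+') has a single element, so index [1] is out of range.
        result["recipe"] = None
    result["fixed"] = is_fixed(result["guarded"], FIXED_IN)
    return result


if __name__ == "__main__":
    # The PVs seen in the recipe rename, plus the fix snapshot itself.
    for pv in ("6.4", "6.4+20230514", "6.4+20230408"):
        print(evaluate(pv))
```

Run as a script it prints one dict per PV; the plain "6.4" entry shows `recipe` as None (the IndexError) while the guarded form still yields a comparable version, and only the '+'-suffixed PVs at or after 20230408 are reported as fixed.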
Alexander Kanavin May 17, 2023, 8:50 a.m. UTC | #5
This was back when it wasn't clear to us what ncurses snapshots are.
Somehow we thought they are bugfixes on top of a stable version. Now
it is clear that is not the case.

Alex

On Wed, 17 May 2023 at 10:46, Florin Diaconescu
<florin.diaconescu009@gmail.com> wrote:
>
> What about this, then? Looks like it is committed by you:
> http://cgit.openembedded.org/openembedded-core/commit/meta/recipes-core/ncurses?h=kirkstone&id=325fe5f68bc698f78f5c1a14407c0bbb4cba45f7
> Indeed, you were updating from a development snapshot to another development snapshot, but judging by the history of this recipe I thought that this was always the case.
> http://cgit.openembedded.org/openembedded-core/commit/meta/recipes-core/ncurses?h=kirkstone&id=fdb2a95d5e0265de1172940b6dc71fc7d602e8d1
>
> If the standard policy is that, maybe the CVE_VERSION line should also be removed.
Florin Diaconescu May 17, 2023, 8:55 a.m. UTC | #6
Thanks for explaining this. In this case, the other patch that I made to ncurses ("ncurses: change GitHub mirror") is not necessary (at least until they release ncurses 6.5). I made that commit so that an updated developer snapshot can be applied on top (this patch).

Florin
Alexander Kanavin May 17, 2023, 9 a.m. UTC | #7
Right, but if you can backport the CVE instead, that would be appreciated.

Alex

On Wed, 17 May 2023 at 10:56, Florin Diaconescu
<florin.diaconescu009@gmail.com> wrote:
>
> Thanks for explaining this. In this case, the other patch that I made to ncurses ("ncurses: change GitHub mirror") is not necessary (at least until they release ncurses 6.5). I made that commit so that an updated developer snapshot can be applied on top (this patch).
>
> Florin

Patch

diff --git a/meta/recipes-core/ncurses/ncurses_6.4.bb b/meta/recipes-core/ncurses/ncurses_6.4+20230514.bb
similarity index 78%
rename from meta/recipes-core/ncurses/ncurses_6.4.bb
rename to meta/recipes-core/ncurses/ncurses_6.4+20230514.bb
index 166e30713c..44aaac3613 100644
--- a/meta/recipes-core/ncurses/ncurses_6.4.bb
+++ b/meta/recipes-core/ncurses/ncurses_6.4+20230514.bb
@@ -6,10 +6,10 @@  SRC_URI += "file://0001-tic-hang.patch \
            file://exit_prototype.patch \
            "
 # commit id corresponds to the revision in package version
-SRCREV = "1003914e200fd622a27237abca155ce6bf2e6030"
+SRCREV = "b9f9d6304f6abd71a5fdbfd500a645e521edf8b6"
 S = "${WORKDIR}/git"
 EXTRA_OECONF += "--with-abi-version=5"
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+(\.\d+)+)$"
 
 # This is needed when using patchlevel versions like 6.1+20181013
-#CVE_VERSION = "${@d.getVar("PV").split('+')[0]}.${@d.getVar("PV").split('+')[1]}"
+CVE_VERSION = "${@d.getVar("PV").split('+')[0]}.${@d.getVar("PV").split('+')[1]}"
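Review bot: the SRCREV bump to b9f9d6304f6abd71a5fdbfd500a645e521edf8b6 pulls an entire development snapshot into the recipe when the commit message only needs the CVE-2023-29491 fix, which it says landed in 6.4+20230408; backporting that change as a file:// patch carrying a `CVE: CVE-2023-29491` tag (the form the kirkstone commit cited in the thread used) would keep the recipe on the 6.4 release, give cve-check the same information, and avoid the snapshot-versus-release objection raised above. The commit message itself also has no `CVE:` tag line, only a mention in prose, so the CVE would not be picked up by tooling that keys on that tag. On the re-enabled CVE_VERSION line: the expression indexes split('+')[1] unconditionally, which is why it had to be commented out at the plain 6.4 version (PV has no '+', so the index raises) and will have to be commented out again at the next release bump; a form such as CVE_VERSION = "${@d.getVar('PV').replace('+', '.')}" evaluates to the same 6.4.20230514 here and to plain 6.4 for a release, so the line could stay enabled and the comment above it updated accordingly.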