
[meta-oe] libtorrent: remove CVE mention

Message ID 20240405151335.55698-1-beniaminsandu@gmail.com
State Accepted

Commit Message

Beniamin Sandu April 5, 2024, 3:13 p.m. UTC
The CVE mentioned in the recipe applies to a different libtorrent
library, from:
https://github.com/arvidn/libtorrent

Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
---
 meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb | 2 --
 1 file changed, 2 deletions(-)

Comments

Khem Raj April 7, 2024, 3:42 p.m. UTC | #1
On Fri, 05 Apr 2024 16:13:35 +0100, Beniamin Sandu wrote:
> The CVE mentioned in the recipe applies to a different libtorrent
> library, from:
> https://github.com/arvidn/libtorrent
> 
> 

Applied, thanks!

[1/1] libtorrent: remove CVE mention
      commit: 0597c931ffbadf2a2242d8ed9cccb8567953d489

Best regards,
Peter Marko April 10, 2024, 5:02 p.m. UTC | #2
This CVE reappeared in https://autobuilder.yocto.io/pub/non-release/patchmetrics-meta-oe/cve-status-master.txt
So it should not have been applied.

Peter

-----Original Message-----
From: openembedded-devel@lists.openembedded.org <openembedded-devel@lists.openembedded.org> On Behalf Of Khem Raj via lists.openembedded.org
Sent: Sunday, April 7, 2024 17:43
To: openembedded-devel@lists.openembedded.org; Beniamin Sandu <beniaminsandu@gmail.com>
Cc: Khem Raj <raj.khem@gmail.com>
Subject: Re: [oe] [meta-oe][PATCH] libtorrent: remove CVE mention


On Fri, 05 Apr 2024 16:13:35 +0100, Beniamin Sandu wrote:
> The CVE mentioned in the recipe applies to a different libtorrent 
> library, from:
> https://github.com/arvidn/libtorrent
> 
> 

Applied, thanks!

[1/1] libtorrent: remove CVE mention
      commit: 0597c931ffbadf2a2242d8ed9cccb8567953d489

Best regards,
--
Khem Raj <raj.khem@gmail.com>
Khem Raj April 10, 2024, 5:12 p.m. UTC | #3
Beniamin, what is the resolution based on? Before we revert we should find

On Wed, Apr 10, 2024 at 10:02 AM Marko, Peter <Peter.Marko@siemens.com> wrote:
>
> This CVE reappeared in https://autobuilder.yocto.io/pub/non-release/patchmetrics-meta-oe/cve-status-master.txt
> So it should not have been applied.
>
> Peter
>
Beniamin Sandu April 10, 2024, 5:26 p.m. UTC | #4
I don't know how that CVE tool is doing the checks, but it's doing
something wrong.
Both the CVEs that are mentioned in the list have nothing to do with
the current library that is built with the recipe. I am actually
curious as to who is using this library anyway, because it seems to be
some random implementation with a very similar name.
The widely used library is the one at:
https://github.com/arvidn/libtorrent (this is the one used in stuff
like Deluge, and other torrent software).

CVE-2016-5301 was fixed in: https://github.com/arvidn/libtorrent/pull/782.
CVE-2009-1760 was fixed in:
https://github.com/arvidn/libtorrent/commit/eb2203abf51e63b1d5ba0c3e5d972936df96c31a

Maybe we should replace the current recipe or add a separate one to
build the other library.

On Wed, 10 Apr 2024 at 18:12, Khem Raj <raj.khem@gmail.com> wrote:
>
> Beniamin, what is the resolution based on? Before we revert we should find
>
Khem Raj April 10, 2024, 6:10 p.m. UTC | #5
On Wed, Apr 10, 2024 at 10:26 AM Beniamin Sandu <beniaminsandu@gmail.com> wrote:
>
> I don't know how that CVE tool is doing the checks, but it's doing
> something wrong.
> Both the CVEs that are mentioned in the list, have nothing to do with
> the current library that is built with the recipe. I am actually
> curious as to who is using this library anyway, because it seems to be
> some random implementation with a very similar name.

It's not random; in fact, it's a pretty old implementation.

> The widely used library is the one at:
> https://github.com/arvidn/libtorrent (this is the one used in stuff
> like Deluge, and other torrent software).
>
> CVE-2016-5301 was fixed in: https://github.com/arvidn/libtorrent/pull/782.
> CVE-2009-1760 was fixed in:
> https://github.com/arvidn/libtorrent/commit/eb2203abf51e63b1d5ba0c3e5d972936df96c31a
>
> Maybe we should replace the current recipe or add a separate one to
> build the other library.

The existing libtorrent in meta-oe is used by the rtorrent recipe and I don't
see more users of it,
so the question is:

1. Can rtorrent use the arvidn implementation? If so, then we can use
it for libtorrent system-wide.
2. Merge libtorrent into the rtorrent recipe since it's the only user of it,
and the libtorrent recipe uses the arvidn fork.
3. Create a separate recipe for the arvidn implementation.

Beniamin Sandu April 10, 2024, 6:36 p.m. UTC | #6
On Wed, 10 Apr 2024 at 19:11, Khem Raj <raj.khem@gmail.com> wrote:
>
> On Wed, Apr 10, 2024 at 10:26 AM Beniamin Sandu <beniaminsandu@gmail.com> wrote:
> >
> > I don't know how that CVE tool is doing the checks, but it's doing
> > something wrong.
> > Both the CVEs that are mentioned in the list, have nothing to do with
> > the current library that is built with the recipe. I am actually
> > curious as to who is using this library anyway, because it seems to be
> > some random implementation with a very similar name.
>
> It's not random; in fact, it's a pretty old implementation.
>
> > The widely used library is the one at:
> > https://github.com/arvidn/libtorrent (this is the one used in stuff
> > like Deluge, and other torrent software).
> >
> > CVE-2016-5301 was fixed in: https://github.com/arvidn/libtorrent/pull/782.
> > CVE-2009-1760 was fixed in:
> > https://github.com/arvidn/libtorrent/commit/eb2203abf51e63b1d5ba0c3e5d972936df96c31a
> >
> > Maybe we should replace the current recipe or add a separate one to
> > build the other library.
>
> The existing libtorrent in meta-oe is used by the rtorrent recipe and I don't
> see more users of it,
> so the question is:
>
> 1. Can rtorrent use the arvidn implementation? If so, then we can use
> it for libtorrent system-wide.
> 2. Merge libtorrent into the rtorrent recipe since it's the only user of it,
> and the libtorrent recipe uses the arvidn fork.
> 3. Create a separate recipe for the arvidn implementation.

I have started working on a separate recipe a couple of days ago,
called libtorrent-rasterbar (which seems to have been the original name of
the arvidn library, also mentioned in one of the CVEs), but it
currently fails to build the python3 bindings for 32-bit arches, and I
did not have time to investigate yet.
If you feel like taking a look, I can send it right now with python3
bindings disabled and you could add a patch on top, or I can send it
sometime in the future when I get back to it and fix it myself.

Beniamin Sandu April 10, 2024, 10:33 p.m. UTC | #7
On Wed, 10 Apr 2024 at 19:36, Beniamin Sandu <beniaminsandu@gmail.com> wrote:
> I have started working on a separate recipe a couple of days ago,
> called libtorrent-rasterbar (which seems to have been the original name of
> the arvidn library, also mentioned in one of the CVEs), but it
> currently fails to build the python3 bindings for 32-bit arches, and I
> did not have time to investigate yet.
> If you feel like taking a look, I can send it right now with python3
> bindings disabled and you could add a patch on top, or I can send it
> sometime in the future when I get back to it and fix it myself.

I fixed the build and sent a patch to add this recipe. At the moment,
I don't know what needs to be done to map those CVEs to the new
recipe, so please adjust if needed.

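Why the report keeps flagging this recipe, and why the same question comes back for the new libtorrent-rasterbar recipe, comes down to how the lookup is keyed. The following is an added illustration, not code from the thread, from meta-oe or from OE-core's cve-check: cve-check compares a recipe's CVE_PRODUCT, which defaults to the recipe name, against the product field of NVD CPE records, so a recipe called libtorrent collides with CVEs filed against the unrelated rasterbar (arvidn) libtorrent. The records, vendor strings and version numbers below are constructed for the example; the one real knob it models is that OE-core accepts CVE_PRODUCT in vendor:product form.

```python
"""Added example, not code from the thread or from OE-core: a model of how a
product-name-only CVE lookup produces the false positives discussed above,
and how a vendor-qualified CVE_PRODUCT (vendor:product, a form OE-core's
cve-check accepts) avoids them. All records, vendor strings and versions
below are constructed for illustration, not copied from NVD."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    vendor: str
    product: str
    version_end_excluding: str  # every version below this is affected


# Constructed stand-in for the NVD feed: both CVEs named in the thread are
# filed against the rasterbar (arvidn) libtorrent. Vendor string is assumed.
NVD_SAMPLE: List[CveRecord] = [
    CveRecord("CVE-2009-1760", "rasterbar_software", "libtorrent", "0.14.4"),
    CveRecord("CVE-2016-5301", "rasterbar_software", "libtorrent", "1.1.1"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '0.13.8' into (0, 13, 8) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(record: CveRecord, version: str) -> bool:
    return parse_version(version) < parse_version(record.version_end_excluding)


def match_by_product(cve_product: str, version: str,
                     db: List[CveRecord] = NVD_SAMPLE) -> List[str]:
    """Name-only matching: CVE_PRODUCT defaults to the recipe name, so a
    recipe called libtorrent matches every CVE whose CPE product is
    'libtorrent', whoever the vendor is."""
    return [r.cve_id for r in db
            if r.product == cve_product and is_affected(r, version)]


def match_by_vendor_product(cve_product: str, version: str,
                            db: List[CveRecord] = NVD_SAMPLE) -> List[str]:
    """vendor:product matching. A recipe that sets
    CVE_PRODUCT = "rakshasa:libtorrent" (vendor string assumed) no longer
    collides with CVEs filed against rasterbar_software:libtorrent."""
    vendor, sep, product = cve_product.partition(":")
    if not sep:  # no vendor given: same behaviour as name-only matching
        return match_by_product(cve_product, version, db)
    return [r.cve_id for r in db
            if (r.vendor, r.product) == (vendor, product)
            and is_affected(r, version)]


if __name__ == "__main__":
    # 0.13.8 is a sample version for the rakshasa library, not read from the recipe.
    print("name only       :", match_by_product("libtorrent", "0.13.8"))
    print("vendor:product  :", match_by_vendor_product("rakshasa:libtorrent", "0.13.8"))
    print("rasterbar 1.1.0 :", match_by_vendor_product("rasterbar_software:libtorrent", "1.1.0"))
```

Run stand-alone, the name-only lookup reports both CVEs against the rakshasa library while the vendor-qualified lookup reports none, which is the collision the cve-status report in the thread reflects. Changing CVE_PRODUCT is the per-recipe way to stop the collision; a CVE_STATUS entry with status cpe-incorrect is the per-CVE way to record the same fact when the product name should stay as it is.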

Patch

diff --git a/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb b/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb
index c235547fe..38f5f63fc 100644
--- a/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb
+++ b/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb
@@ -13,8 +13,6 @@  SRCREV = "e60f222241319aaae482789517ad00ae9344bd13"
 
 UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>\d+(\.\d+)+)"
 
-CVE_STATUS[CVE-2009-1760] = "backported-patch: patched in our product"
-
 S = "${WORKDIR}/git"
 
 PACKAGECONFIG ??= "instrumentation aligned"
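Review bot: Deleting the CVE_STATUS line does not resolve the false positive, it reopens it. cve-check keys on CVE_PRODUCT, which defaults to the recipe name (libtorrent), so with the entry gone CVE-2009-1760 is reported as unpatched again, which is what the cve-status report cited in the thread shows. The existing status text was wrong for this recipe (nothing was backported here, since the CVE is filed against the rasterbar/arvidn libtorrent, which this recipe does not build), so correct it instead of dropping it, e.g. `CVE_STATUS[CVE-2009-1760] = "cpe-incorrect: applies to arvidn/libtorrent (rasterbar), not the rakshasa libtorrent built here"`. The thread also says CVE-2016-5301 is reported against this recipe, so it needs the same entry; alternatively set CVE_PRODUCT to a vendor:product pair so the name collision stops matching at all.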