diff mbox series

[kirkstone,09/11] externalsrc: Ensure SRCREV is processed before accessing SRC_URI

Message ID f6563cca6c4bf627e904d81fbe5b0b0f2b16a107.1703124430.git.steve@sakoman.com
State Accepted, archived
Commit f6563cca6c4bf627e904d81fbe5b0b0f2b16a107
Headers show
Series [kirkstone,01/11] ghostscript: Backport fix for CVE-2023-46751 | expand

Commit Message

Steve Sakoman Dec. 21, 2023, 2:09 a.m. UTC 
From: Yoann Congal <yoann.congal@smile.fr>

When SRCREV is used, call bb.fetch.get_srcrev() before accessing
SRC_URI. Without this new bb.fetch.get_srcrev() call, SRC_URI might be
accessed before SRCREV had a chance to be processed.

In master, this is fixed by https://git.yoctoproject.org/poky/commit/?id=62afa02d01794376efab75623f42e7e08af08526
However, this commit is not suited for backport since it is quite invasive.
The part of the commit that fix the bug is:
    --- a/meta/classes/externalsrc.bbclass
    +++ b/meta/classes/externalsrc.bbclass
    @@ -63,6 +63,7 @@ python () {
             else:
                 d.setVar('B', '${WORKDIR}/${BPN}-${PV}')

    +        bb.fetch.get_hashvalue(d)
             local_srcuri = []
             fetch = bb.fetch2.Fetch((d.getVar('SRC_URI') or '').split(), d)
             for url in fetch.urls:

NB: bb.fetch.get_hashvalue() does not exist in kirkstone but is
equivalent to bb.fetch.get_srcrev().

Fixes [YOCTO #14918]

Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Suggested-by: Chris Wyse <chris.wyse@wysechoice.net>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/classes/externalsrc.bbclass | 4 ++++
 1 file changed, 4 insertions(+)
diff mbox series

Patch

diff --git a/meta/classes/externalsrc.bbclass b/meta/classes/externalsrc.bbclass
index 97d7379d9f..a209730240 100644
--- a/meta/classes/externalsrc.bbclass
+++ b/meta/classes/externalsrc.bbclass
@@ -62,6 +62,10 @@  python () {
         else:
             d.setVar('B', '${WORKDIR}/${BPN}-${PV}')
 
+        if d.getVar('SRCREV', "INVALID") != "INVALID":
+            # Ensure SRCREV has been processed before accessing SRC_URI
+            bb.fetch.get_srcrev(d)
+
         local_srcuri = []
         fetch = bb.fetch2.Fetch((d.getVar('SRC_URI') or '').split(), d)
         for url in fetch.urls: