[OE-core] bash: Fix CVE-2019-18276

Yu, Mingli Mingli.Yu at windriver.com
Tue Mar 3 03:11:00 UTC 2020


Hi Anuj,

I agree the Backport status is not accurate as the patch doesn't go to the master branch, but why do you say the patch is irrelevant to CVE-2019-18276? Could you help provide more info?

Hi Chet,
Does https://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=951bdaad7a18cc0dc1036bba86b18b90874d39ff fix the issue reported in CVE-2019-18276? Could you help provide some info here?

Thanks,
Mingli
________________________________________
From: openembedded-core-bounces at lists.openembedded.org [openembedded-core-bounces at lists.openembedded.org] on behalf of Mittal, Anuj [anuj.mittal at intel.com]
Sent: Tuesday, February 18, 2020 11:43 PM
To: chet.ramey at case.edu; richard.purdie at linuxfoundation.org; openembedded-core at lists.openembedded.org; Huo, De; preid at electromag.com.au; akuster808 at gmail.com
Subject: Re: [OE-core] bash: Fix CVE-2019-18276

On Tue, 2020-02-18 at 15:35 +0000, Richard Purdie wrote:
> On Tue, 2020-02-18 at 10:28 -0500, Chet Ramey wrote:
> > On 2/17/20 9:46 PM, Huo, De wrote:
> > >  I applied the patch to fix CVE defect CVE-2019-18276.
> >
> > That's not exactly an answer to the question of who produced the patch.
> > If that patch is the one causing failures when it's applied, doesn't it
> > make sense to go back to the person who produced it and ask them to
> > update it if necessary?
>
> It's likely a general CVE patch where both configure and configure.ac
> are patched. For OE, we can drop the configure part since we reautoconf
> the code. It's therefore the OE port of the patch which is likely at
> fault.
>
> Someone just needs to remove that section of the patch.

There are other issues with this patch which should also be fixed I
think. It has been marked as a Backport while it is not one. The patch
includes changes that are irrelevant to the CVE. And, it should have
gone to master first.


Thanks,

Anuj
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core at lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
