> On Jun 1, 2022, at 9:07 AM, Steve Sakoman <st...@sakoman.com> wrote:
>
> On Tue, May 31, 2022 at 11:01 PM Riyaz Ahmed Khan <rak3...@gmail.com> wrote:
>>
>> From: Riyaz Khan <riyaz.k...@kpit.com>
>>
>> Add patches for CVE issues: CVE-2022-27781 CVE-2022-27782
>>
>> CVE-2022-27781
>> Link:
>> [https://github.com/curl/curl/commit/5c7da89d404bf59c8dd82a001119a16d18365917]
>
> Unfortunately, this is still failing:
>
> ERROR: curl-7.69.1-r0 do_patch: Applying patch 'CVE-2022-27781.patch'
> on target directory
> '/home/steve/builds/poky-contrib/build/tmp/work/core2-64-poky-linux/curl/7.69.1-r0/curl-7.69.1'
> Command Error: 'quilt --quiltrc
> /home/steve/builds/poky-contrib/build/tmp/work/core2-64-poky-linux/curl/7.69.1-r0/recipe-sysroot-native/etc/quiltrc
> push' exited with 0 Output:
> Applying patch CVE-2022-27781.patch
> patching file lib/vtls/nss.c
> Hunk #1 FAILED at 983.
> Hunk #2 succeeded at 986 (offset -32 lines).
> 1 out of 2 hunks FAILED -- rejects in file lib/vtls/nss.c
> Patch CVE-2022-27781.patch does not apply (enforce with -f)
> ERROR: Logfile of failure stored in:
> /home/steve/builds/poky-contrib/build/tmp/work/core2-64-poky-linux/curl/7.69.1-r0/temp/log.do_patch.1303805
> ERROR: Task
> (/home/steve/builds/poky-contrib/meta/recipes-support/curl/curl_7.69.1.bb:do_patch)
> failed with exit code '1'
>
> Steve

I just sent a patch that should address these two CVEs. The patches did require some modification from the kirkstone patches to apply since the curl code has changed a bit.

For some reason these curl CVEs seem to stay reserved well after they’re published and fixed so they don’t show up in the CVE reports.

Thanks,
Robert