Hi Armin, Thanks a lot.
Can you please share the diff? I am just asking because Joshua is seeing the same sort of issue with the fido branch while my local setup does not complain there either. BR, Awais ________________________________________ From: akuster808 [akuster...@gmail.com] Sent: Friday, January 08, 2016 7:32 AM To: Belal, Awais Cc: openembedded-core@lists.openembedded.org Subject: Re: [OE-core] [dizzy][PATCH] grub2: Fix CVE-2015-8370 Awais, hand applied. merged and pushed to git.yoctoproject.org/poky-contrib.git akuster/dizzy-next thanks, Armin On 01/07/2016 01:56 AM, Belal, Awais wrote: > Hi Armin, > > With dizzy-next from your fork > > awais@alpha:~/yocto/build-dizzy-akuster$ bitbake -c patch grub > Parsing recipes: 100% > |##############################################################| Time: > 00:00:46 > Parsing of 1458 .bb files complete (0 cached, 1458 parsed). 1914 targets, 66 > skipped, 0 masked, 0 errors. > NOTE: Resolving any missing task queue dependencies > > Build Configuration: > BB_VERSION = "1.24.0" > BUILD_SYS = "x86_64-linux" > NATIVELSBSTRING = "Ubuntu-14.04" > TARGET_SYS = "x86_64-poky-linux" > MACHINE = "amdfalconx86" > DISTRO = "poky" > DISTRO_VERSION = "1.7.3" > TUNE_FEATURES = "dbfp4" > TARGET_FPU = "" > meta > meta-yocto > meta-yocto-bsp = > "akuster/dizzy-next:4807ff0ca0abf085e6b81257534a4a62fde88d16" > common > meta-amdfalconx86 = > "(detachedfromorigin/dizzy):84ae10ad68c7b253ab87558c5a6df057c9a84f08" > meta-oe > meta-python = > "(detachedfromorigin/dizzy):7f1df52e9409edcc4d4cd5f34694f8740f56e1bf" > > NOTE: Preparing runqueue > NOTE: Executing SetScene Tasks > NOTE: Executing RunQueue Tasks > NOTE: Tasks Summary: Attempted 10 tasks of which 0 didn't need to be rerun > and all succeeded. > awais@alpha:~/yocto/build-dizzy-akuster$ ls > tmp/work/dbfp4-poky-linux/grub/2.00-r1/ > 0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch > 0001-parse_dhcp_vendor-Add-missing-const-qualifiers.patch > check-if-liblzma-is-disabled.patch > fix-endianness-problem.patch > fix-issue-with-flex-2.5.37.patch > grub-2.00 > grub-2.00-add-oe-kernel.patch > grub-2.00-fpmath-sse-387-fix.patch > grub2-remove-sparc64-setup-from-x86-builds.patch > grub-install.in.patch > remove-gets.patch > temp > awais@alpha:~/yocto/build-dizzy-akuster$ > > Pretty odd what's happening :) > > BR, > Awais > > ________________________________________ > From: akuster808 [akuster...@gmail.com] > Sent: Wednesday, January 06, 2016 10:15 PM > To: Belal, Awais > Cc: openembedded-core@lists.openembedded.org > Subject: Re: [OE-core] [dizzy][PATCH] grub2: Fix CVE-2015-8370 > > Awais, > > this is what I am seeing. > > NOTE: Executing RunQueue Tasks > ERROR: Command Error: exit status: 1 Output: > Applying patch 0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch > patching file grub-core/lib/crypto.c > Hunk #1 FAILED at 470. > 1 out of 1 hunk FAILED -- rejects in file grub-core/lib/crypto.c > patching file grub-core/normal/auth.c > Hunk #1 FAILED at 174. > 1 out of 1 hunk FAILED -- rejects in file grub-core/normal/auth.c > Patch 0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch does > not apply (enforce with -f) > ERROR: Function failed: patch_do_patch > ERROR: Logfile of failure stored in: > /home/akuster/oss/maint/mylayers/poky/build/tmp/work/i586-poky-linux/grub/2.00-r1/temp/log.do_patch.3029 > ERROR: Task 1 > (/home/akuster/oss/maint/mylayers/poky/meta/recipes-bsp/grub/grub_2.00.bb, > do_patch) failed with exit code '1' > > > I am using my contrib akuster/dizzy-next. > > I will hand fixup the changes. please give me a few days. > > - armin > > > On 01/06/2016 01:43 AM, Belal, Awais wrote: >> Ping! >> >> BR, >> Awais >> >> ________________________________________ >> From: openembedded-core-boun...@lists.openembedded.org >> [openembedded-core-boun...@lists.openembedded.org] on behalf of Belal, Awais >> Sent: Monday, January 04, 2016 12:53 PM >> To: akuster808 >> Cc: openembedded-core@lists.openembedded.org >> Subject: Re: [OE-core] [dizzy][PATCH] grub2: Fix CVE-2015-8370 >> >> Hi Armin, >> >> Odd, applies cleanly on dizzy for me. Can you please share the patch log? >> >> On a scratch build dir, I get the following: >> -------------------------------------------------------------- >> awais@alpha:~/yocto/build-dizzy$ bitbake -c patch grub >> Parsing recipes: 100% >> |#############################################################| Time: >> 00:00:36 >> Parsing of 1458 .bb files complete (0 cached, 1458 parsed). 1914 targets, 66 >> skipped, 0 masked, 0 errors. >> NOTE: Resolving any missing task queue dependencies >> >> Build Configuration: >> BB_VERSION = "1.24.0" >> BUILD_SYS = "x86_64-linux" >> NATIVELSBSTRING = "Ubuntu-14.04" >> TARGET_SYS = "x86_64-poky-linux" >> MACHINE = "amdfalconx86" >> DISTRO = "poky" >> DISTRO_VERSION = "1.7.3" >> TUNE_FEATURES = "dbfp4" >> TARGET_FPU = "" >> meta >> meta-yocto >> meta-yocto-bsp = >> "(detachedfromorigin/dizzy):6d34267e0a13e10ab91b60590b27a2b5ba3b7da6" >> common >> meta-amdfalconx86 = >> "(detachedfromorigin/dizzy):84ae10ad68c7b253ab87558c5a6df057c9a84f08" >> meta-oe >> meta-python = >> "(detachedfromorigin/dizzy):7f1df52e9409edcc4d4cd5f34694f8740f56e1bf" >> >> NOTE: Preparing runqueue >> NOTE: Executing SetScene Tasks >> NOTE: Executing RunQueue Tasks >> NOTE: Tasks Summary: Attempted 10 tasks of which 0 didn't need to be rerun >> and all succeeded. >> awais@alpha:~/yocto/build-dizzy$ >> -------------------------------------------------------------- >> >> BR, >> Awais >> >> ________________________________________ >> From: akuster808 [akuster...@gmail.com] >> Sent: Monday, January 04, 2016 7:13 AM >> To: Belal, Awais >> Cc: openembedded-core@lists.openembedded.org >> Subject: Re: [OE-core] [dizzy][PATCH] grub2: Fix CVE-2015-8370 >> >> On 12/31/15 5:38 AM, Belal, Awais wrote: >> Awais, >> >>> Ping! >> This patch does not apply to the current dizzy branch. >> >> is there a dependency patch I missed to apply? >> >> regards, >> Armin >>> >>> BR, >>> Awais >>> >>> ________________________________________ >>> From: openembedded-core-boun...@lists.openembedded.org >>> [openembedded-core-boun...@lists.openembedded.org] on behalf of Belal, Awais >>> Sent: Wednesday, December 23, 2015 4:20 PM >>> To: openembedded-core@lists.openembedded.org >>> Subject: [OE-core] [dizzy][PATCH] grub2: Fix CVE-2015-8370 >>> >>> http://git.savannah.gnu.org/cgit/grub.git/commit/?id=451d80e52d851432e109771bb8febafca7a5f1f2 >>> >>> Signed-off-by: Awais Belal <awais_be...@mentor.com> >>> --- >>> ...E-2015-8370-Grub2-user-pass-vulnerability.patch | 52 >>> ++++++++++++++++++++++ >>> meta/recipes-bsp/grub/grub-efi_2.00.bb | 1 + >>> meta/recipes-bsp/grub/grub_2.00.bb | 1 + >>> 3 files changed, 54 insertions(+) >>> create mode 100644 >>> meta/recipes-bsp/grub/files/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch >>> >>> diff --git >>> a/meta/recipes-bsp/grub/files/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch >>> >>> b/meta/recipes-bsp/grub/files/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch >>> new file mode 100644 >>> index 0000000..f9252e9 >>> --- /dev/null >>> +++ >>> b/meta/recipes-bsp/grub/files/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch >>> @@ -0,0 +1,52 @@ >>> +Upstream-Status: Accepted >>> +Signed-off-by: Awais Belal <awais_be...@mentor.com> >>> + >>> +From 451d80e52d851432e109771bb8febafca7a5f1f2 Mon Sep 17 00:00:00 2001 >>> +From: Hector Marco-Gisbert <hecma...@upv.es> >>> +Date: Wed, 16 Dec 2015 04:57:18 +0000 >>> +Subject: Fix security issue when reading username and password >>> + >>> +This patch fixes two integer underflows at: >>> + * grub-core/lib/crypto.c >>> + * grub-core/normal/auth.c >>> + >>> +CVE-2015-8370 >>> + >>> +Signed-off-by: Hector Marco-Gisbert <hecma...@upv.es> >>> +Signed-off-by: Ismael Ripoll-Ripoll <irip...@disca.upv.es> >>> +Also-By: Andrey Borzenkov <arvidj...@gmail.com> >>> +--- >>> +diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c >>> +index 010e550..683a8aa 100644 >>> +--- a/grub-core/lib/crypto.c >>> ++++ b/grub-core/lib/crypto.c >>> +@@ -470,7 +470,8 @@ grub_password_get (char buf[], unsigned buf_size) >>> + >>> + if (key == '\b') >>> + { >>> +- cur_len--; >>> ++ if (cur_len) >>> ++ cur_len--; >>> + continue; >>> + } >>> + >>> +diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c >>> +index c6bd96e..8615c48 100644 >>> +--- a/grub-core/normal/auth.c >>> ++++ b/grub-core/normal/auth.c >>> +@@ -174,8 +174,11 @@ grub_username_get (char buf[], unsigned buf_size) >>> + >>> + if (key == '\b') >>> + { >>> +- cur_len--; >>> +- grub_printf ("\b"); >>> ++ if (cur_len) >>> ++ { >>> ++ cur_len--; >>> ++ grub_printf ("\b"); >>> ++ } >>> + continue; >>> + } >>> + >>> +-- >>> +cgit v0.9.0.2 >>> diff --git a/meta/recipes-bsp/grub/grub-efi_2.00.bb >>> b/meta/recipes-bsp/grub/grub-efi_2.00.bb >>> index 7674255..6822e7a 100644 >>> --- a/meta/recipes-bsp/grub/grub-efi_2.00.bb >>> +++ b/meta/recipes-bsp/grub/grub-efi_2.00.bb >>> @@ -30,6 +30,7 @@ SRC_URI = "ftp://ftp.gnu.org/gnu/grub/grub-${PV}.tar.gz \ >>> file://grub-2.00-add-oe-kernel.patch \ >>> file://grub-efi-fix-with-glibc-2.20.patch \ >>> >>> file://0001-parse_dhcp_vendor-Add-missing-const-qualifiers.patch \ >>> + >>> file://0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch \ >>> " >>> SRC_URI[md5sum] = "e927540b6eda8b024fb0391eeaa4091c" >>> SRC_URI[sha256sum] = >>> "65b39a0558f8c802209c574f4d02ca263a804e8a564bc6caf1cd0fd3b3cc11e3" >>> diff --git a/meta/recipes-bsp/grub/grub_2.00.bb >>> b/meta/recipes-bsp/grub/grub_2.00.bb >>> index d4df676..94b6da9 100644 >>> --- a/meta/recipes-bsp/grub/grub_2.00.bb >>> +++ b/meta/recipes-bsp/grub/grub_2.00.bb >>> @@ -25,6 +25,7 @@ SRC_URI = "ftp://ftp.gnu.org/gnu/grub/grub-${PV}.tar.gz \ >>> file://fix-endianness-problem.patch \ >>> file://grub2-remove-sparc64-setup-from-x86-builds.patch \ >>> file://0001-parse_dhcp_vendor-Add-missing-const-qualifiers.patch >>> \ >>> + >>> file://0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch \ >>> " >>> >>> SRC_URI[md5sum] = "e927540b6eda8b024fb0391eeaa4091c" >>> -- >>> 1.9.1 >>> >>> -- >>> _______________________________________________ >>> Openembedded-core mailing list >>> Openembedded-core@lists.openembedded.org >>> http://lists.openembedded.org/mailman/listinfo/openembedded-core >> >> -- >> _______________________________________________ >> Openembedded-core mailing list >> Openembedded-core@lists.openembedded.org >> http://lists.openembedded.org/mailman/listinfo/openembedded-core >> -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
