| Message ID | 20241112195921.1587206-1-peter.marko@siemens.com |
|---|---|
| State | Under Review |
| Delegated to: | Steve Sakoman |
| Headers | show |
| Series | [kirkstone] glib-2.0: patch regression of CVE-2023-32665 | expand |
Thank you for your submission. Patchtest identified one or more issues with the patch. Please see the log below for more information: --- Testing patch /home/patchtest/share/mboxes/kirkstone-glib-2.0-patch-regression-of-CVE-2023-32665.patch FAIL: test CVE tag format: Missing or incorrectly formatted CVE tag in patch file. Correct or include the CVE tag in the patch with format: "CVE: CVE-YYYY-XXXX" (test_patch.TestPatch.test_cve_tag_format) PASS: pretest src uri left files (test_metadata.TestMetadata.pretest_src_uri_left_files) PASS: test CVE check ignore (test_metadata.TestMetadata.test_cve_check_ignore) PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence) PASS: test Signed-off-by presence (test_patch.TestPatch.test_signed_off_by_presence) PASS: test Upstream-Status presence (test_patch.TestPatch.test_upstream_status_presence_format) PASS: test author valid (test_mbox.TestMbox.test_author_valid) PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence) PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags) PASS: test lic files chksum modified not mentioned (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned) PASS: test max line length (test_metadata.TestMetadata.test_max_line_length) PASS: test mbox format (test_mbox.TestMbox.test_mbox_format) PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade) PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format) PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length) PASS: test src uri left files (test_metadata.TestMetadata.test_src_uri_left_files) PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list) SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint) SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format) SKIP: test lic files chksum presence: No added recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_presence) SKIP: test license presence: No added recipes, skipping test (test_metadata.TestMetadata.test_license_presence) SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint) SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head) SKIP: test summary presence: No added recipes, skipping test (test_metadata.TestMetadata.test_summary_presence) --- Please address the issues identified and submit a new revision of the patch, or alternatively, reply to this email with an explanation of why the patch should be accepted. If you believe these results are due to an error in patchtest, please submit a bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category under 'Yocto Project Subprojects'). For more information on specific failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank you!
This is a false positive as this patch is not fixing a CVE. Peter > -----Original Message----- > From: patchtest@automation.yoctoproject.org > <patchtest@automation.yoctoproject.org> > Sent: Tuesday, November 12, 2024 21:16 > To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com> > Cc: openembedded-core@lists.openembedded.org > Subject: Patchtest results for [OE-core][kirkstone][PATCH] glib-2.0: patch > regression of CVE-2023-32665 > > Thank you for your submission. Patchtest identified one > or more issues with the patch. Please see the log below for > more information: > > --- > Testing patch /home/patchtest/share/mboxes/kirkstone-glib-2.0-patch- > regression-of-CVE-2023-32665.patch > > FAIL: test CVE tag format: Missing or incorrectly formatted CVE tag in patch file. > Correct or include the CVE tag in the patch with format: "CVE: CVE-YYYY-XXXX" > (test_patch.TestPatch.test_cve_tag_format) > > PASS: pretest src uri left files > (test_metadata.TestMetadata.pretest_src_uri_left_files) > PASS: test CVE check ignore > (test_metadata.TestMetadata.test_cve_check_ignore) > PASS: test Signed-off-by presence > (test_mbox.TestMbox.test_signed_off_by_presence) > PASS: test Signed-off-by presence > (test_patch.TestPatch.test_signed_off_by_presence) > PASS: test Upstream-Status presence > (test_patch.TestPatch.test_upstream_status_presence_format) > PASS: test author valid (test_mbox.TestMbox.test_author_valid) > PASS: test commit message presence > (test_mbox.TestMbox.test_commit_message_presence) > PASS: test commit message user tags > (test_mbox.TestMbox.test_commit_message_user_tags) > PASS: test lic files chksum modified not mentioned > (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned) > PASS: test max line length (test_metadata.TestMetadata.test_max_line_length) > PASS: test mbox format (test_mbox.TestMbox.test_mbox_format) > PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade) > PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format) > PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length) > PASS: test src uri left files (test_metadata.TestMetadata.test_src_uri_left_files) > PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list) > > SKIP: pretest pylint: No python related patches, skipping test > (test_python_pylint.PyLint.pretest_pylint) > SKIP: test bugzilla entry format: No bug ID found > (test_mbox.TestMbox.test_bugzilla_entry_format) > SKIP: test lic files chksum presence: No added recipes, skipping test > (test_metadata.TestMetadata.test_lic_files_chksum_presence) > SKIP: test license presence: No added recipes, skipping test > (test_metadata.TestMetadata.test_license_presence) > SKIP: test pylint: No python related patches, skipping test > (test_python_pylint.PyLint.test_pylint) > SKIP: test series merge on head: Merge test is disabled for now > (test_mbox.TestMbox.test_series_merge_on_head) > SKIP: test summary presence: No added recipes, skipping test > (test_metadata.TestMetadata.test_summary_presence) > > --- > > Please address the issues identified and > submit a new revision of the patch, or alternatively, reply to this > email with an explanation of why the patch should be accepted. If you > believe these results are due to an error in patchtest, please submit a > bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category > under 'Yocto Project Subprojects'). For more information on specific > failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank > you!
diff --git a/meta/recipes-core/glib-2.0/glib-2.0/0001-gvariant-serialiser-Convert-endianness-of-offsets.patch b/meta/recipes-core/glib-2.0/glib-2.0/0001-gvariant-serialiser-Convert-endianness-of-offsets.patch new file mode 100644 index 0000000000..86cce768ed --- /dev/null +++ b/meta/recipes-core/glib-2.0/glib-2.0/0001-gvariant-serialiser-Convert-endianness-of-offsets.patch @@ -0,0 +1,68 @@ +From dc16dffed0480d0c8cdd6a05ede68263fc8723a9 Mon Sep 17 00:00:00 2001 +From: Simon McVittie <smcv@collabora.com> +Date: Thu, 15 Dec 2022 12:51:37 +0000 +Subject: [PATCH] gvariant-serialiser: Convert endianness of offsets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The array of offsets is little-endian, even on big-endian architectures +like s390x. + +Fixes: ade71fb5 "gvariant: Don’t allow child elements to overlap with each other" +Resolves: https://gitlab.gnome.org/GNOME/glib/-/issues/2839 +Signed-off-by: Simon McVittie <smcv@collabora.com> + +Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/dc16dffed0480d0c8cdd6a05ede68263fc8723a9] +Signed-off-by: Peter Marko <peter.marko@siemens.com> +--- + glib/gvariant-serialiser.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +diff --git a/glib/gvariant-serialiser.c b/glib/gvariant-serialiser.c +index 25c85b30b..e9b0eab2b 100644 +--- a/glib/gvariant-serialiser.c ++++ b/glib/gvariant-serialiser.c +@@ -712,17 +712,19 @@ gvs_variable_sized_array_n_children (GVariantSerialised value) + /* Find the index of the first out-of-order element in @data, assuming that + * @data is an array of elements of given @type, starting at index @start and + * containing a further @len-@start elements. */ +-#define DEFINE_FIND_UNORDERED(type) \ ++#define DEFINE_FIND_UNORDERED(type, le_to_native) \ + static gsize \ + find_unordered_##type (const guint8 *data, gsize start, gsize len) \ + { \ + gsize off; \ +- type current, previous; \ ++ type current_le, previous_le, current, previous; \ + \ +- memcpy (&previous, data + start * sizeof (current), sizeof (current)); \ ++ memcpy (&previous_le, data + start * sizeof (current), sizeof (current)); \ ++ previous = le_to_native (previous_le); \ + for (off = (start + 1) * sizeof (current); off < len * sizeof (current); off += sizeof (current)) \ + { \ +- memcpy (¤t, data + off, sizeof (current)); \ ++ memcpy (¤t_le, data + off, sizeof (current)); \ ++ current = le_to_native (current_le); \ + if (current < previous) \ + break; \ + previous = current; \ +@@ -730,10 +732,11 @@ gvs_variable_sized_array_n_children (GVariantSerialised value) + return off / sizeof (current) - 1; \ + } + +-DEFINE_FIND_UNORDERED (guint8); +-DEFINE_FIND_UNORDERED (guint16); +-DEFINE_FIND_UNORDERED (guint32); +-DEFINE_FIND_UNORDERED (guint64); ++#define NO_CONVERSION(x) (x) ++DEFINE_FIND_UNORDERED (guint8, NO_CONVERSION); ++DEFINE_FIND_UNORDERED (guint16, GUINT16_FROM_LE); ++DEFINE_FIND_UNORDERED (guint32, GUINT32_FROM_LE); ++DEFINE_FIND_UNORDERED (guint64, GUINT64_FROM_LE); + + static GVariantSerialised + gvs_variable_sized_array_get_child (GVariantSerialised value, +-- +2.30.2 + diff --git a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb index 35b51a3ec9..239099d568 100644 --- a/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb +++ b/meta/recipes-core/glib-2.0/glib-2.0_2.72.3.bb @@ -49,6 +49,7 @@ SRC_URI = "${GNOME_MIRROR}/glib/${SHRT_VER}/glib-${PV}.tar.xz \ file://CVE-2024-34397_16.patch \ file://CVE-2024-34397_17.patch \ file://CVE-2024-34397_18.patch \ + file://0001-gvariant-serialiser-Convert-endianness-of-offsets.patch \ " SRC_URI:append:class-native = " file://relocate-modules.patch"