From: Beniamin Sandu <beniaminsandu@gmail.com>
To: Khem Raj <raj.khem@gmail.com>
Cc: "Marko, Peter" <Peter.Marko@siemens.com>,
	 "openembedded-devel@lists.openembedded.org"
	<openembedded-devel@lists.openembedded.org>
Subject: Re: [oe] [meta-oe][PATCH] libtorrent: remove CVE mention
Date: Wed, 10 Apr 2024 23:33:13 +0100	[thread overview]
Message-ID: <CABQJdOG1uqi54Mi9UDfJg+WDpYjM0nbiqDKk0nH8nreC14Vcqw@mail.gmail.com> (raw)
In-Reply-To: <CABQJdOEvqMyUyaFCbV7pf1B3b1bVxn95LQs-WOAfkS-GQHAXbQ@mail.gmail.com>

On Wed, 10 Apr 2024 at 19:36, Beniamin Sandu <beniaminsandu@gmail.com> wrote:
>
> On Wed, 10 Apr 2024 at 19:11, Khem Raj <raj.khem@gmail.com> wrote:
> >
> > On Wed, Apr 10, 2024 at 10:26 AM Beniamin Sandu <beniaminsandu@gmail.com> wrote:
> > >
> > > I don't know how that CVE tool is doing the checks, but it's doing
> > > something wrong.
> > > Both the CVEs that are mentioned in the list, have nothing to do with
> > > the current library that is built with the recipe. I am actually
> > > curious as to who is using this library anyway, because it seems to be
> > > some random implementation with a very similar name.
> >
> > It's not random; in fact, it's a pretty old implementation.
> >
> > > The widely used library is the one at:
> > > https://github.com/arvidn/libtorrent (this is the one used in stuff
> > > like Deluge, and other torrent software).
> > >
> > > CVE-2016-5301 was fixed in: https://github.com/arvidn/libtorrent/pull/782.
> > > CVE-2009-1760 was fixed in:
> > > https://github.com/arvidn/libtorrent/commit/eb2203abf51e63b1d5ba0c3e5d972936df96c31a
> > >
> > > Maybe we should replace the current recipe or add a separate one to
> > > build the other library.
> >
> > Existing libtorrent in meta-oe is used by the rtorrent recipe and I don't
> > see more users of it,
> > so the question is:
> >
> > 1. Can rtorrent use the arvidn implementation? If so, then we can use
> > it for libtorrent system-wide.
> > 2. Merge libtorrent into the rtorrent recipe, since it's the only user of it,
> > and have the libtorrent recipe use the arvidn fork.
> > 3. Create a separate recipe for the arvidn implementation.
>
> I have started working on a separate recipe a couple of days ago,
> called libtorrent-rasterbar (which seems to have been the original name of
> the arvidn library; it is also mentioned in one of the CVEs), but it
> currently fails to build the python3 bindings for 32-bit arches, and I
> did not have time to investigate yet.
> If you feel like taking a look, I can send it right now with python3
> bindings disabled and you could add a patch on top, or I can send it
> sometime in the future when I get back to it and fix it myself.

I fixed the build and sent a patch to add this recipe. At the moment,
I don't know what needs to be done to map those CVEs to the new
recipe, so please adjust if needed.

>
> >
> > >
> > > On Wed, 10 Apr 2024 at 18:12, Khem Raj <raj.khem@gmail.com> wrote:
> > > >
> > > > Beniamin what is the resolution based on ? before we revert we should find
> > > >
> > > > On Wed, Apr 10, 2024 at 10:02 AM Marko, Peter <Peter.Marko@siemens.com> wrote:
> > > > >
> > > > > This CVE reappeared in https://autobuilder.yocto.io/pub/non-release/patchmetrics-meta-oe/cve-status-master.txt
> > > > > So it should not have been applied.
> > > > >
> > > > > Peter
> > > > >
> > > > > -----Original Message-----
> > > > > From: openembedded-devel@lists.openembedded.org <openembedded-devel@lists.openembedded.org> On Behalf Of Khem Raj via lists.openembedded.org
> > > > > Sent: Sunday, April 7, 2024 17:43
> > > > > To: openembedded-devel@lists.openembedded.org; Beniamin Sandu <beniaminsandu@gmail.com>
> > > > > Cc: Khem Raj <raj.khem@gmail.com>
> > > > > Subject: Re: [oe] [meta-oe][PATCH] libtorrent: remove CVE mention
> > > > >
> > > > >
> > > > > On Fri, 05 Apr 2024 16:13:35 +0100, Beniamin Sandu wrote:
> > > > > > The CVE mentioned in the recipe applies to a different libtorrent
> > > > > > library, from:
> > > > > > https://github.com/arvidn/libtorrent
> > > > > >
> > > > > >
> > > > >
> > > > > Applied, thanks!
> > > > >
> > > > > [1/1] libtorrent: remove CVE mention
> > > > >       commit: 0597c931ffbadf2a2242d8ed9cccb8567953d489
> > > > >
> > > > > Best regards,
> > > > > --
> > > > > Khem Raj <raj.khem@gmail.com>

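The thread turns on a name collision: a CVE scanner that keys on the bare product name "libtorrent" attributes CVEs filed against the arvidn/rasterbar library to the unrelated libtorrent recipe used by rtorrent, and the same mechanism is what has to be adjusted so the CVEs land on the new libtorrent-rasterbar recipe instead. The following Python script is an added illustration, not code from the thread or from the Yocto cve-check class itself. It simulates the two matching modes that cve-check's CVE_PRODUCT variable accepts (a bare product name, which by default is the recipe name, or a "vendor:product" pair) over a constructed NVD-style feed. The two CVE ids are the ones quoted in the thread; the vendor strings "rasterbar" and "rakshasa", the third placeholder record, and the simplified matching logic are assumptions made for the example and must be checked against the real NVD CPE entries before being used in a recipe.

```python
"""
Illustrates how a name-based CVE scan cross-attributes CVEs between two
projects that both call themselves "libtorrent", and how a vendor-qualified
CVE_PRODUCT entry ("vendor:product", as accepted by Yocto's cve-check class)
separates them. Added example; the feed below is constructed, not NVD data.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple, Dict


@dataclass(frozen=True)
class CveRecord:
    """One simplified feed entry: the CVE id plus the affected CPE vendor/product."""
    cve_id: str
    vendor: str
    product: str


# Constructed sample feed. The two CVE ids are taken from the thread; the
# vendor strings are assumed for illustration (verify against NVD CPE data),
# and the third record uses an obviously fake placeholder id.
SAMPLE_FEED = (
    CveRecord("CVE-2009-1760", "rasterbar", "libtorrent"),
    CveRecord("CVE-2016-5301", "rasterbar", "libtorrent"),
    CveRecord("CVE-0000-00000", "example_vendor", "libtorrent_client"),  # placeholder
)


def parse_cve_product(spec: str) -> Tuple[Optional[str], str]:
    """Parse one CVE_PRODUCT entry.

    cve-check accepts either a bare product name ("libtorrent"), which
    matches that product under any vendor, or "vendor:product"
    ("rasterbar:libtorrent"), which restricts the match to one vendor.
    Comparison is done case-insensitively here (a simplification).
    """
    spec = spec.strip().lower()
    if ":" in spec:
        vendor, product = spec.split(":", 1)
        return vendor, product
    return None, spec


def match_cves(cve_products: Iterable[str],
               feed: Iterable[CveRecord] = SAMPLE_FEED) -> Set[str]:
    """Return the CVE ids a name-based scan would attribute to a recipe whose
    CVE_PRODUCT holds the given entries."""
    wanted = [parse_cve_product(s) for s in cve_products]
    hits: Set[str] = set()
    for rec in feed:
        for vendor, product in wanted:
            if rec.product.lower() != product:
                continue
            if vendor is None or rec.vendor.lower() == vendor:
                hits.add(rec.cve_id)
    return hits


def demo() -> Dict[str, Set[str]]:
    """Three scenarios from the thread, in order.

    default:   CVE_PRODUCT unset, so it falls back to the recipe name
               "libtorrent" and the rtorrent-side recipe inherits CVEs that
               belong to the arvidn library (the false positive in the thread).
    rakshasa:  the rtorrent-side recipe qualified with its (assumed) vendor,
               which no longer picks up the rasterbar CVEs.
    rasterbar: the new libtorrent-rasterbar recipe qualified with its
               (assumed) vendor, which is where the two CVEs should map.
    In a recipe this is written as, e.g.:  CVE_PRODUCT = "rasterbar:libtorrent"
    """
    return {
        "default": match_cves(["libtorrent"]),
        "rakshasa": match_cves(["rakshasa:libtorrent"]),
        "rasterbar": match_cves(["rasterbar:libtorrent"]),
    }


if __name__ == "__main__":
    for scenario, ids in demo().items():
        print(f"{scenario:10s} -> {sorted(ids) or 'no CVEs attributed'}")
```

The point for the recipe maintainer is that the default CVE_PRODUCT (the recipe name) is only as specific as the upstream project's name, so two unrelated projects sharing a name share each other's CVE history until one of them is pinned to its NVD vendor. Whichever vendor string is chosen for the real recipe should be copied from the CPE entry NVD lists for the CVEs in question rather than guessed, as it is here.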

Thread overview: 8+ messages
2024-04-05 15:13 [meta-oe][PATCH] libtorrent: remove CVE mention Beniamin Sandu
2024-04-07 15:42 ` Khem Raj
2024-04-10 17:02   ` [oe] " Marko, Peter
2024-04-10 17:12     ` Khem Raj
2024-04-10 17:26       ` Beniamin Sandu
2024-04-10 18:10         ` Khem Raj
2024-04-10 18:36           ` Beniamin Sandu
2024-04-10 22:33             ` Beniamin Sandu [this message]