diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb index fcd3182931..1f906ee0a4 100644 --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb +++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb @@ -10,6 +10,7 @@ SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}. file://check-for-malloc_trim-before-using-it.patch \ file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \ file://0001-curl-allow-overriding-default-CA-certificate-file.patch \ + file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \ " SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155" diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch new file mode 100644 index 0000000000..458c0cc84e --- /dev/null +++ b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch @@ -0,0 +1,52 @@ +From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001 +From: Sergey Popovich +Date: Fri, 21 Apr 2017 07:32:23 -0700 +Subject: [PATCH] update: Compare computed vs expected sha256 digit string + ignoring case + +We produce sha256 digest string using %x snprintf() +qualifier for each byte of digest which uses alphabetic +characters from "a" to "f" in lower case to represent +integer values from 10 to 15. + +Previously all of the NVD META files supply sha256 +digest string for corresponding XML file in lower case. + +However due to some reason this changed recently to +provide digest digits in upper case causing fetched +data consistency checks to fail. This prevents database +from being updated periodically. + +While commit c4f6e94 (update: Do not treat sha256 failure +as fatal if requested) adds useful option to skip +digest validation at all and thus provides workaround for +this situation, it might be unacceptable for some +deployments where we need to ensure that downloaded +data is consistent before start parsing it and update +SQLite database. + +Use strcasecmp() to compare two digest strings case +insensitively and addressing this case. + +Upstream-Status: Backport +Signed-off-by: Sergey Popovich +--- + src/update.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/update.c b/src/update.c +index 8588f38..3cc6b67 100644 +--- a/src/update.c ++++ b/src/update.c +@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data) + snprintf(&csum_data[idx], len, "%02hhx", digest[i]); + } + +- ret = streq(csum_meta, csum_data); ++ ret = !strcasecmp(csum_meta, csum_data); + + err_unmap: + munmap(buffer, length); +-- +2.11.0 +