Re: CVE patch updates


Monsees, Steven C (US)
 

 

So, my only change to my build is the INHERIT =+ “cve-check”…

No issue seen until this line added…

 

Can someone tell me why when I build from scratch, clean, I see the following error ?

Who’s certificate failure is being flagged ?

 

Initialising tasks: 100% |#######################################################################################| Time: 0:00:04

Checking sstate mirror object availability: 100% |###############################################################| Time: 0:00:00

Sstate summary: Wanted 2258 Found 2229 Missed 29 Current 0 (98% match, 0% complete)

NOTE: Executing Tasks

NOTE: Setscene tasks completed

ERROR: cve-update-db-native-1.0-r0 do_populate_cve_db: Error executing a python function in exec_python_func() autogenerated:

 

The stack trace of python calls that resulted in this exception/failure was:

File: 'exec_python_func() autogenerated', lineno: 2, function: <module>

     0001:

*** 0002:do_populate_cve_db(d)

     0003:

File: '/disk0/scratch/smonsees/yocto/workspace_1/poky/meta/recipes-core/meta/cve-update-db-native.bb', lineno: 69, function: do_populate_cve_db

     0065:        meta_url = year_url + ".meta"

     0066:        json_url = year_url + ".json.gz"

     0067:

     0068:        # Retrieve meta last modified date

*** 0069:        response = urllib.request.urlopen(meta_url)

     0070:        if response:

     0071:            for l in response.read().decode("utf-8").splitlines():

     0072:                key, value = l.split(":", 1)

     0073:                if key == "lastModifiedDate":

File: '/usr/lib64/python3.6/urllib/request.py', lineno: 223, function: urlopen

     0219:    elif _opener is None:

     0220:        _opener = opener = build_opener()

     0221:    else:

     0222:        opener = _opener

*** 0223:    return opener.open(url, data, timeout)

     0224:

     0225:def install_opener(opener):

     0226:    global _opener

     0227:    _opener = opener

File: '/usr/lib64/python3.6/urllib/request.py', lineno: 526, function: open

     0522:        for processor in self.process_request.get(protocol, []):

     0523:            meth = getattr(processor, meth_name)

     0524:            req = meth(req)

     0525:

*** 0526:        response = self._open(req, data)

     0527:

     0528:        # post-process response

     0529:        meth_name = protocol+"_response"

     0530:        for processor in self.process_response.get(protocol, []):

File: '/usr/lib64/python3.6/urllib/request.py', lineno: 544, function: _open

     0540:            return result

     0541:

     0542:        protocol = req.type

     0543:        result = self._call_chain(self.handle_open, protocol, protocol +

*** 0544:                                  '_open', req)

     0545:        if result:

     0546:            return result

     0547:

     0548:        return self._call_chain(self.handle_open, 'unknown',

File: '/usr/lib64/python3.6/urllib/request.py', lineno: 504, function: _call_chain

     0500:        # could.  Otherwise, they return the response.

     0501:        handlers = chain.get(kind, ())

     0502:        for handler in handlers:

     0503:            func = getattr(handler, meth_name)

*** 0504:            result = func(*args)

     0505:            if result is not None:

     0506:                return result

     0507:

     0508:    def open(self, fullurl, data=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT):

File: '/usr/lib64/python3.6/urllib/request.py', lineno: 1392, function: https_open

     1388:            self._check_hostname = check_hostname

     1389:

     1390:        def https_open(self, req):

     1391:            return self.do_open(http.client.HTTPSConnection, req,

*** 1392:                context=self._context, check_hostname=self._check_hostname)

     1393:

     1394:        https_request = AbstractHTTPHandler.do_request_

     1395:

     1396:    __all__.append('HTTPSHandler')

File: '/usr/lib64/python3.6/urllib/request.py', lineno: 1351, function: do_open

     1347:            try:

     1348:                h.request(req.get_method(), req.selector, req.data, headers,

     1349:                          encode_chunked=req.has_header('Transfer-encoding'))

     1350:            except OSError as err: # timeout error

*** 1351:                raise URLError(err)

     1352:            r = h.getresponse()

     1353:        except:

     1354:            h.close()

     1355:            raise

Exception: urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)>

 

ERROR: Logfile of failure stored in: /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/work/x86_64-linux/cve-update-db-native/1.0-r0/temp/log.do_populate_cve_db.4499

ERROR: Task (/disk0/scratch/smonsees/yocto/workspace_1/poky/meta/recipes-core/meta/cve-update-db-native.bb:do_populate_cve_db) failed with exit code '1'

NOTE: Tasks Summary: Attempted 5772 tasks of which 5228 didn't need to be rerun and 1 failed.

 

Summary: 1 task failed:

  /disk0/scratch/smonsees/yocto/workspace_1/poky/meta/recipes-core/meta/cve-update-db-native.bb:do_populate_cve_db

Summary: There was 1 ERROR message shown, returning a non-zero exit code.

14:41 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default>find . -name '_ssl.c' -print

14:47 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default>

 

 

 

From: yocto@... <yocto@...> On Behalf Of Monsees, Steven C (US) via lists.yoctoproject.org
Sent: Thursday, March 24, 2022 2:00 PM
To: yocto@...
Subject: Re: [yocto] CVE patch updates

 

External Email Alert

This email has been sent from an account outside of the BAE Systems network.

Please treat the email with caution, especially if you are requested to click on a link, decrypt/open an attachment, or enable macros.  For further information on how to spot phishing, access “Cybersecurity OneSpace Page” and report phishing by clicking the button “Report Phishing” on the Outlook toolbar.

 

 

When building in cve-check to see what is reported, it generated all blank/empty report files…

Can someone explain this ?, my local.conf does have the proper modification (INHERIT += “cve-check”).

 

 

10:55 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default> bitbake -k sbca-defaultfs-full

Parsing recipes: 100% |#############################################################################################| Time: 0:01:07

Parsing of 2555 .bb files complete (0 cached, 2555 parsed). 3769 targets, 96 skipped, 0 masked, 0 errors.

NOTE: Resolving any missing task queue dependencies

 

Build Configuration:

BB_VERSION           = "1.44.0"

BUILD_SYS            = "x86_64-linux"

NATIVELSBSTRING      = "rhel-7.9"

TARGET_SYS           = "x86_64-poky-linux"

MACHINE              = "sbca-default"

DISTRO               = "limws"

DISTRO_VERSION       = "3.0.4"

TUNE_FEATURES        = "m64 corei7"

TARGET_FPU           = ""

meta                

meta-poky            = "my_yocto_3.0.4:2f9bca440204f9e73158705a4ec04698b1f6ad42"

meta-perl           

meta-python         

meta-filesystems    

meta-networking     

meta-initramfs      

meta-oe              = "zeus:2b5dd1eb81cd08bc065bc76125f2856e9383e98b"

meta-virtualization  = "zeus:7e5219669ff6f8e9c8c33ffd230e95a6b2b025f4"

meta                 = "master:a32ddd2b2a51b26c011fa50e441df39304651503"

meta-clang           = "zeus:f5355ca9b86fb5de5930132ffd95a9b352d694f9"

meta-intel           = "zeus:d9942d4c3a710406b051852de7232db03c297f4e"

meta-intel           = "LIMWSSWARE-682-oews-meta-bae-clean-up:99f116056452f1fefe83fe458f533b48f52fe4ba"

 

Initialising tasks: 100% |##########################################################################################| Time: 0:00:04

Checking sstate mirror object availability: 100% |##################################################################| Time: 0:00:02

Sstate summary: Wanted 2258 Found 15 Missed 2243 Current 0 (0% match, 0% complete)

NOTE: Executing Tasks

NOTE: Setscene tasks completed

Image CVE report stored in: /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/images/sbca-default/core-image-minimal-initramfs-sbca-default-20220324145629.rootfs.cve

Image CVE report stored in: /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/images/sbca-default/aiox_orange-sbca-default-20220324145629.rootfs.cve

NOTE: Tasks Summary: Attempted 6753 tasks of which 77 didn't need to be rerun and all succeeded.

 

 

13:33 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default>ls -l /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/images/sbca-default/core-image-minimal-initramfs-sbca-default-20220324145629.rootfs.cve

-rw-r--r--. 1 smonsees none 0 Mar 24 13:16 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/images/sbca-default/core-image-minimal-initramfs-sbca-default-20220324145629.rootfs.cve

13:33 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default>ls -l /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/images/sbca-default/aiox_orange-sbca-default-20220324145629.rootfs.cve

-rw-r--r--. 1 smonsees none 0 Mar 24 13:17 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/images/sbca-default/aiox_orange-sbca-default-20220324145629.rootfs.cve

13:33 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default>

 

 

13:27 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/cve>ls -l

total 0

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 binutils

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 binutils-cross-x86_64

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 binutils-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 bluez5

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:12 boost

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 cairo

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:12 cairo-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:16 cpio-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 curl

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 curl-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 dbus

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 dbus-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 e2fsprogs

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 e2fsprogs-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 file-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 flex

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 flex-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 gcc-source-9.2.0

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 gettext-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 glib-2.0

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 glib-2.0-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 glibc

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 gnutls

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 go-cross-corei7-64

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 go-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 go-runtime

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:12 icu

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:12 icu-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 libarchive-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 libgcrypt

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:12 libjpeg-turbo

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:12 libjpeg-turbo-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 libpcre

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:12 libpcre2

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 libpcre-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 libxml2

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 libxml2-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 libxslt-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 mailx

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 nasm-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 ncurses

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 ncurses-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:14 nfs-utils

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:14 openssh

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 patch-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 perl

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 perl-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 python3

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 python3-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 qemu-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:14 rsync

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 sqlite3

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 sqlite3-native

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 sudo

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 sysstat

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 unzip

-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 unzip-native

13:27 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/cve>

 

 

From: Monsees, Steven C (US)
Sent: Thursday, March 24, 2022 12:56 PM
To: yocto@...
Subject: CVE patch updates

 

 

 

I am currently building in cve-check to see what is reported, and I was curious if Yocto might provide any CVE based patch repositories ?

 

Is there a yocto page somewhere that goes over this side of things ?,

I did not see much in the mega-manual… I am running on zeus based platforms (for both armarch64 and x86_64).

 

Thanks,

Steve

Join yocto@lists.yoctoproject.org to automatically receive all group messages.