[Low] Patch reaper for CVE-2024-6484 #13636
Conversation
There was a problem hiding this comment.
Buddy build passes except in arm installation as package is exclusive for x86: spec file has ExclusiveArch: x86_64
clean up
+++ kill running container - 834914d328f955216dcc91a7481597497eb43ae37c35f433df841916ec7c6e5b
Error response from daemon: Cannot kill container: 834914d328f955216dcc91a7481597497eb43ae37c35f433df841916ec7c6e5b: Container 834914d328f955216dcc91a7481597497eb43ae37c35f433df841916ec7c6e5b is not running
which is killing a not running container which should be fine. Patch matches with reference except map files which are not part of CVE affected files. These two files
rm src/ui/bower_components/bootstrap/dist/js/bootstrap.min.js
rm src/ui/node_modules/bootstrap/dist/js/bootstrap.min.js
do not seem to be used as package compiles fine. LGTM.
SPECS/reaper/reaper.spec
Outdated
| @@ -49,6 +49,8 @@ Patch13: CVE-2024-52798.patch | |||
| Patch14: CVE-2020-24025.patch | |||
| Patch15: CVE-2024-28863.patch | |||
| Patch16: CVE-2024-12905.patch | |||
| # CVE-2024-6484 is fixed in bootstrap version 3.4.2 by https://github.com/odinserj/bootstrap/commit/0ea568be7ff0c1f72a693f5d782277a9e9872077 | |||
There was a problem hiding this comment.
No need to capture the upstream reference in the SPEC file
SPECS/reaper/CVE-2024-6484.patch
Outdated
| Subject: [PATCH] Fix CVE-2024-6484 vulnerability by disabling further event | ||
| handling | ||
|
|
||
| Link: https://github.com/odinserj/bootstrap/commit/0ea568be7ff0c1f72a693f5d782277a9e9872077 |
There was a problem hiding this comment.
Please use "Upstream" keyword to specify that it is the upstream reference of the backported patch
| @@ -114,7 +116,12 @@ popd | |||
| pushd $tmp_local_dir/n/versions/node/14.18.0/lib/node_modules/ | |||
| %autopatch -p1 15 | |||
| popd | |||
| %autopatch -p1 16 | |||
| %autopatch -p1 -m 16 | |||
|
I believe I have addressed all points raised, thank you for the feedback. |
|
@0xba1a Please let me know if there's something more I must do on this PR. |
|
Adding this PR changes to #13965 to avoid conflict. |
|
This work has been incorporated into #13965, so there's no need for this PR anymore. |
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-staticsubpackages, etc.) have had theirReleasetag incremented../cgmanifest.json,./toolkit/scripts/toolchain/cgmanifest.json,.github/workflows/cgmanifest.json)./SPECS/LICENSES-AND-NOTICES/data/licenses.json,./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md,./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON)*.signatures.jsonfilessudo make go-tidy-allandsudo make go-test-coveragepassSummary
Patch CVE-2024-6484 in
bootstrapdependency ofreaperChange Log
bootstrapdependency.Does this affect the toolchain?
NO
Links to CVEs
Test Methodology