Gentoo Forums
How can I see, which patches are applied by an ebuild?
GhostTyper
Tux's lil' helper


Joined: 03 Apr 2004
Posts: 79
Location: Germany; BW

Posted: Mon May 13, 2019 8:34 am    Post subject: How can I see, which patches are applied by an ebuild?

For instance, I have installed lighttpd-1.4.51 on my box. But there is also CVE-2019-11072.

How can I check explicitly if the ebuild contains a patch for this or not?
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 44961
Location: 56N 3W

Posted: Mon May 13, 2019 8:56 am

GhostTyper,

The easy answer is that you can't. Patches can be applied anywhere in the food chain, from the sources to the ebuild.

If lighttpd-1.4.51 predates CVE-2019-11072 and the lighttpd team do proper releases (they probably do, or users would be complaining of checksum failures), you can tell by comparing dates if the fix is in the source tarball.
Then you can check the ebuild to see if Gentoo applies patches. There are no calls to epatch*, so there are no Gentoo patches.

CVE-2019-11072 says Up to (including) 1.4.53 are affected.
Gentoo has
Code:
lighttpd-1.4.51.ebuild  lighttpd-1.4.53.ebuild  lighttpd-9999.ebuild


The good news is that the ebuild is EAPI 7, so if you can find a patch that applies to lighttpd-1.4.51, you can put it into the right place in /etc/portage/patches and portage will apply it.
Right now you are affected ... or are you? CVE-2019-11072 is disputed.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
GhostTyper
Tux's lil' helper


Joined: 03 Apr 2004
Posts: 79
Location: Germany; BW

Posted: Mon May 13, 2019 9:40 am

Thank you.

Well, I'm not, because I didn't enable the config entry which leads to this problem.

However, it was more of a general question, to understand if there is a general way of saying which patches are included and which are not.
fedeliallalinea
Bodhisattva


Joined: 08 Mar 2003
Posts: 23569
Location: here

Posted: Mon May 13, 2019 9:46 am

For patches applied by Gentoo developers you can look in /usr/portage/<category>/<packages>/files, but this is valid for small packages, because the ebuilds of others like gcc, kernel, firefox, ... download a patchset created by developers.
For example, for firefox:
firefox-66.0.5.ebuild:
...
PATCH="${PN}-66.0-patches-09"
...
PATCH_URIS=( https://dev.gentoo.org/~{anarchy,axs,polynomial-c,whissi}/mozilla/patchsets/${PATCH}.tar.xz )
SRC_URI="${SRC_URI}
        ${MOZ_SRC_URI}
        ${PATCH_URIS[@]}"
...

_________________
Questions are guaranteed in life; Answers aren't.
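
The static checks suggested in the replies above (patch references in the ebuild, the package's files directory, /etc/portage/patches), collected into one shell function as an added example; it is not code from any poster or from Portage. The function names are hypothetical, and the www-servers/lighttpd sample tree with its patch file names is constructed.

```bash
# Added example, not from the thread: list where an ebuild can pick up patches,
# without unpacking or building anything. Written for POSIX sh / bash.
# Usage: list_patch_sources /path/to/<category>/<package>/<ebuild> [user_patch_root]
list_patch_sources() {
    local ebuild="$1" root="${2:-/etc/portage/patches}"
    local pkgdir pn category pf p base f d
    pkgdir=$(dirname "$ebuild")
    pn=$(basename "$pkgdir")                          # package name
    category=$(basename "$(dirname "$pkgdir")")       # category directory
    pf=$(basename "$ebuild" .ebuild)                  # name-version[-rN]
    p=$(printf '%s\n' "$pf" | sed -E 's/-r[0-9]+$//') # same, revision dropped
    base="$root/$category"

    # 1. Ebuild lines that mention patches: PATCHES=(), epatch/eapply calls,
    #    ${FILESDIR} patch files, patchset tarballs. Comment lines are skipped.
    grep -niE 'patch|\.diff' "$ebuild" | grep -vE '^[0-9]+:[[:space:]]*#' |
        sed 's/^/ebuild:/'

    # 2. Patch files shipped beside the ebuild in files/.
    for f in "$pkgdir"/files/*.patch "$pkgdir"/files/*.diff; do
        if [ -f "$f" ]; then printf 'files:%s\n' "${f##*/}"; fi
    done

    # 3. User patches (EAPI 6 and later): versioned, unversioned and
    #    slot-suffixed directories under the user patch root.
    for d in "$base/$pf" "$base/$p" "$base/$pn" \
             "$base/$pf":* "$base/$p":* "$base/$pn":*; do
        [ -d "$d" ] || continue
        for f in "$d"/*.patch "$d"/*.diff; do
            if [ -f "$f" ]; then printf 'user:%s\n' "$f"; fi
        done
    done | sort -u
    return 0
}

# Constructed sample tree (not real Gentoo content) for trying the function offline:
#   t=$(make_sample_tree)
#   list_patch_sources "$t"/repo/www-servers/lighttpd/*.ebuild "$t/patches"
make_sample_tree() {
    local t
    t=$(mktemp -d)
    mkdir -p "$t/repo/www-servers/lighttpd/files" \
             "$t/patches/www-servers/lighttpd-1.4.51"
    printf '%s\n' 'EAPI=7' '# constructed sample: patch list follows' 'PATCHES=(' \
        '    "${FILESDIR}"/example-fix.patch' ')' \
        > "$t/repo/www-servers/lighttpd/lighttpd-1.4.51.ebuild"
    : > "$t/repo/www-servers/lighttpd/files/example-fix.patch"
    : > "$t/patches/www-servers/lighttpd-1.4.51/local-fix.patch"
    printf '%s\n' "$t"
}
```

This listing cannot see fixes that are already in the upstream tarball or patches applied by an inherited eclass, so treat it as a first pass before checking the build log.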
krinn
Watchman


Joined: 02 May 2003
Posts: 7368

Posted: Mon May 13, 2019 11:39 am

The log head gives you the names of the patches that are applied, just after FEATURES.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 44961
Location: 56N 3W

Posted: Mon May 13, 2019 1:34 pm

GhostTyper,

For patches applied by Gentoo run
Code:
ebuild /path/to/ebuild prepare

Portage will unpack the sources and apply any Gentoo provided patches.
The list of patches will be on screen and in the build log.

This process will clutter up /var/tmp/portage.
_________________
Regards,

NeddySeagoon
russK
l33t


Joined: 27 Jun 2006
Posts: 645

Posted: Tue May 14, 2019 4:12 am

GhostTyper,

Another suggestion: if you can't find a patch or a release with a fix, the CVE and associated reports indicate you can mitigate by keeping the option, url-path-2f-decode, disabled.

https://redmine.lighttpd.net/issues/2945


Regards
All times are GMT