linux - 对于 Nvidia Jetson Nano 的 CVE-2019-12900，无法将 Bzip2 的 Yocto Bitbake 配方从 1.0.6 更新到 1.0.7

Question

在 Ubuntu 18.04 上，我正在尝试使用“meta-tegra”层为 Nvidia Jetson Nano 构建 Yocto SD 卡镜像。我遇到了最近的 bzip2 问题，该问题需要最新的 bzip2 ( 1.0.7 ) 来修复，详见这些论坛帖子:

• https://devtalk.nvidia.com/default/topic/1056301/b/t/post/5355418/
• https://devtalk.nvidia.com/default/topic/1056381/jetson-agx-xavier/jetpack-4-2-xavier-install-failed/1

我在这里找到了最新的 bzip2 源代码:

• https://www.sourceware.org/bzip2/downloads.html

我尝试使用 ${WORKDIR}、${S}、do_compile_append 和 do_install_append，但是我不断收到与错误源目录相关的错误。我基本上采用了 OE Bzip2 1.0.6 配方并更改了版本源和校验和。

请帮我用 yocto 解决这个构建问题 - 谢谢!

Bitbake 失败:

Initialising tasks: 100% |##########################################################################| Time: 0:00:00
Sstate summary: Wanted 382 Found 0 Missed 382 Current 45 (0% match, 10% complete)
NOTE: Executing SetScene Tasks
NOTE: Executing RunQueue Tasks
ERROR: bzip2-native-1.0.7-r5 do_compile: oe_runmake failed
ERROR: bzip2-native-1.0.7-r5 do_compile: Function failed: do_compile (log file is located at /home/ubuntu/Desktop/mts-jetson-yocto/build/tmp/work/x86_64-linux/bzip2-native/1.0.7-r5/temp/log.do_compile.115964)
ERROR: Logfile of failure stored in: /home/ubuntu/Desktop/mts-jetson-yocto/build/tmp/work/x86_64-linux/bzip2-native/1.0.7-r5/temp/log.do_compile.115964
Log data follows:
| DEBUG: Executing shell function do_compile
| NOTE: make -j 128
| make: *** No targets specified and no makefile found.  Stop.
| ERROR: oe_runmake failed
| WARNING: exit code 1 from a shell command.
| ERROR: Function failed: do_compile (log file is located at /home/ubuntu/Desktop/mts-jetson-yocto/build/tmp/work/x86_64-linux/bzip2-native/1.0.7-r5/temp/log.do_compile.115964)
ERROR: Task (virtual:native:/home/ubuntu/Desktop/mts-jetson-yocto/layers/meta-mts/recipes-extended/bzip2/bzip2_1.0.7.bb:do_compile) failed with exit code '1'

Second Keyboard Interrupt, stopping...


Summary: 1 task failed:
  virtual:native:/home/ubuntu/Desktop/mts-jetson-yocto/layers/meta-mts/recipes-extended/bzip2/bzip2_1.0.7.bb:do_compile
Summary: There were 2 ERROR messages shown, returning a non-zero exit code.

当前的 Broken Bitbake 配方:

SECTION = "console/utils"
LICENSE = "bzip2"
LIC_FILES_CHKSUM = "file://LICENSE;beginline=4;endline=37;md5=39406315f540c69bd05b1531daedd2ae"
PR = "r5"

SRC_URI = "https://www.sourceware.org/pub/bzip2/bzip2-1.0.7.tar.gz \
           "

#WORKDIR = "${WORKDIR}/bzip-1.0.7"
#WORKDIR = "${BASE_WORKDIR}/${MULTIMACH_TARGET_SYS}/${PN}/${EXTENDPE}${PV}-${PR}/bzip2-1.0.7"
#S = "${WORKDIR}/bzip2-1.0.7"

#do_compile_prepend() {
#       cd ../
#}

#do_install_prepend() {
#       cd ../
#}

SRC_URI[md5sum] = "1a6a61cc867be4f3d6549037a09bf13e"
SRC_URI[sha256sum] = "e768a87c5b1a79511499beb41500bcc4caf203726fff46a6f5f9ad27fe08ab2b"

UPSTREAM_CHECK_URI = "https://www.sourceware.org/bzip2/"
UPSTREAM_VERSION_UNKNOWN = "1"

PACKAGES =+ "libbz2"

CFLAGS_append = " -fPIC -fpic -Winline -fno-strength-reduce -D_FILE_OFFSET_BITS=64"

inherit autotools update-alternatives ptest relative_symlinks

ALTERNATIVE_PRIORITY = "100"
ALTERNATIVE_${PN} = "bunzip2 bzcat bzip2"

#install binaries to bzip2-native under sysroot for replacement-native
EXTRA_OECONF_append_class-native = " --bindir=${STAGING_BINDIR_NATIVE}/${PN}"

do_install_ptest () {
        sed -i -e "s|^Makefile:|_Makefile:|" ${D}${PTEST_PATH}/Makefile
}

FILES_libbz2 = "${libdir}/lib*${SOLIBS}"

PROVIDES_append_class-native = " bzip2-replacement-native"
BBCLASSEXTEND = "native nativesdk"

#addtask fix_path before do_compile

Answer 1

两个想法:

1. 只需为安全问题应用补丁，就容易多了。这个补丁是 already on the oe-core list .
2. 获取升级补丁that is also on the list