mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-01 13:09:50 +00:00
Code Issues Projects Releases Wiki Activity

cve-update-db-native: add timeout to urlopen() calls

Browse Source 
The urlopen() call can block indefinitely under some circumstances.
This can result in the bitbake process to run endlessly because of
the 'do_fetch' task of cve-update-bb-native to remain active.

This adds a default timeout of 60 seconds to avoid this hang, while
being large enough to minimize the risk of unwanted timeouts.

(From OE-Core rev: 28497b96346a669ba0ed3873cc40bc3ade611251)

Signed-off-by: Frank de Brabander <debrabander@gmail.com>
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e5f6652854f544106b40d860de2946954de642f3)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Frank de Brabander
2022-10-18 18:37:51 +02:00
committed by Richard Purdie
parent 94d9172199
commit 1e35d3a86b
1 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-core/meta/cve-update-db-native.bb
+7 -2
View File
@@ -18,6 +18,9 @@ NVDCVE_URL ?= "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-"
# Use a negative value to skip the update # Use a negative value to skip the update
CVE_DB_UPDATE_INTERVAL ?= "86400" CVE_DB_UPDATE_INTERVAL ?= "86400"
# Timeout for blocking socket operations, such as the connection attempt.
CVE_SOCKET_TIMEOUT ?= "60"
python () { python () {
if not bb.data.inherits_class("cve-check", d): if not bb.data.inherits_class("cve-check", d):
raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.") raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.")
@@ -39,6 +42,8 @@ python do_fetch() {
db_file = d.getVar("CVE_CHECK_DB_FILE") db_file = d.getVar("CVE_CHECK_DB_FILE")
db_dir = os.path.dirname(db_file) db_dir = os.path.dirname(db_file)
cve_socket_timeout = int(d.getVar("CVE_SOCKET_TIMEOUT"))
if os.path.exists("{0}-journal".format(db_file)): if os.path.exists("{0}-journal".format(db_file)):
# If a journal is present the last update might have been interrupted. In that case, # If a journal is present the last update might have been interrupted. In that case,
# just wipe any leftovers and force the DB to be recreated. # just wipe any leftovers and force the DB to be recreated.
@@ -79,7 +84,7 @@ python do_fetch() {
# Retrieve meta last modified date # Retrieve meta last modified date
try: try:
response = urllib.request.urlopen(meta_url) response = urllib.request.urlopen(meta_url, timeout=cve_socket_timeout)
except urllib.error.URLError as e: except urllib.error.URLError as e:
cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n') cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n')
bb.warn("Failed to fetch CVE data (%s)" % e.reason) bb.warn("Failed to fetch CVE data (%s)" % e.reason)
@@ -107,7 +112,7 @@ python do_fetch() {
# Update db with current year json file # Update db with current year json file
try: try:
response = urllib.request.urlopen(json_url) response = urllib.request.urlopen(json_url, timeout=cve_socket_timeout)
if response: if response:
update_db(conn, gzip.decompress(response.read()).decode('utf-8')) update_db(conn, gzip.decompress(response.read()).decode('utf-8'))
conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close() conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close()