* [poky][master][PATCH] gnutls: Whitelisted CVE patches
@ 2020-10-28 17:17 saloni
From: saloni @ 2020-10-28 17:17 UTC (permalink / raw)
  To: openembedded-core, raj.khem; +Cc: nisha.parrakat, anuj.chougule, Saloni Jain

From: Saloni Jain <Saloni.Jain@kpit.com>

The CVE patches below are whitelisted, as the changes
are already present in the source code:
1. CVE-2018-10844
Link: https://security-tracker.debian.org/tracker/CVE-2018-10844
Link: https://gitlab.com/gnutls/gnutls/commit/c32a8690f9f9b05994078fe9d2e7a41b18da5b09
2. CVE-2018-10845
Link: https://security-tracker.debian.org/tracker/CVE-2018-10845
Link: https://gitlab.com/gnutls/gnutls/commit/cc14ec5ece856cb083d64e6a5a8657323da661cb
3. CVE-2018-10846
Link: https://security-tracker.debian.org/tracker/CVE-2018-10846
Link: https://gitlab.com/gnutls/gnutls/commit/ce671a6db9e47006cff152d485091141b1569f39
4. CVE-2018-16868
Link: https://gitlab.com/gnutls/gnutls/-/merge_requests/832
Link: https://gitlab.com/gnutls/gnutls/-/commit/4804febddc2ed958e5ae774de2a8f85edeeff538

Signed-off-by: Saloni.Jain <Saloni.Jain@kpit.com>
---
 meta/recipes-support/gnutls/gnutls_3.6.14.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-support/gnutls/gnutls_3.6.14.bb b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
index 51578b4..727a12f 100644
--- a/meta/recipes-support/gnutls/gnutls_3.6.14.bb
+++ b/meta/recipes-support/gnutls/gnutls_3.6.14.bb
@@ -17,6 +17,9 @@ DEPENDS_append_libc-musl = " argp-standalone"

 SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"

+#Changes are already present in source-code, hence whitelisted.
+CVE_CHECK_WHITELIST += "CVE-2018-16868 CVE-2018-10844 CVE-2018-10845 CVE-2018-10845"
+
 SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar.xz \
            file://arm_eabi.patch \
            file://0001-Modied-the-license-to-GPLv2.1-to-keep-with-LICENSE-f.patch \
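Review bot: the added CVE_CHECK_WHITELIST value lists CVE-2018-10845 twice and never lists CVE-2018-10846, although the commit message gives CVE-2018-10846 as item 3 with its upstream commit; the second "CVE-2018-10845" is almost certainly meant to be "CVE-2018-10846", and as written cve-check will keep reporting that CVE while the duplicate is silently ignored. The comment's stated reason ("changes are already present in source-code") also describes a CVE database error rather than a build-configuration or not-applicable case, which is worth stating explicitly so a later reader can tell whether the whitelist entry can be dropped once the database is corrected.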
--
2.7.4

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
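A consistency check for the recipe change above, added here as an example and not part of the patch or of oe-core's cve-check class: it extracts the IDs assigned to the whitelist variable in a recipe, compares them with the IDs the commit message says are justified, and reports malformed IDs, repeats, IDs whitelisted without justification and IDs justified but never whitelisted. The recipe excerpt and the commit-message list are constructed from the patch above; the variable-name handling for CVE_CHECK_IGNORE reflects the later rename in Yocto, not anything in this thread.

```python
import re
from typing import Dict, List

# BitBake assignment to the cve-check whitelist variable. Newer Yocto releases
# renamed CVE_CHECK_WHITELIST to CVE_CHECK_IGNORE, so both names are accepted.
WHITELIST_RE = re.compile(r'^(?:CVE_CHECK_WHITELIST|CVE_CHECK_IGNORE)\s*(?:\+=|=\+|\.=|=\.|\?\?=|\?=|:=|=)\s*"([^"]*)"')
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed excerpt of the recipe hunk from the patch above (not the whole recipe).
RECIPE_SNIPPET = """\
SHRT_VER = "${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}"

#Changes are already present in source-code, hence whitelisted.
CVE_CHECK_WHITELIST += "CVE-2018-16868 CVE-2018-10844 CVE-2018-10845 CVE-2018-10845"
"""
# Constructed from the commit message above: the four IDs it says are justified.
COMMIT_MESSAGE_CVES = ["CVE-2018-10844", "CVE-2018-10845", "CVE-2018-10846", "CVE-2018-16868"]

def whitelist_entries(recipe_text: str) -> List[str]:
    """Every token assigned to the whitelist variable, in order, repeats kept."""
    entries: List[str] = []
    for line in recipe_text.splitlines():
        m = WHITELIST_RE.match(line)
        if m:
            entries.extend(m.group(1).split())
    return entries

def justification_comment(recipe_text: str) -> str:
    """The comment line directly above the first whitelist assignment, '' if none."""
    lines = recipe_text.splitlines()
    for i, line in enumerate(lines):
        if WHITELIST_RE.match(line):
            prev = lines[i - 1].strip() if i > 0 else ""
            return prev if prev.startswith("#") else ""
    return ""

def audit_whitelist(recipe_text: str, justified: List[str]) -> Dict[str, List[str]]:
    """Cross-check the whitelisted IDs against the IDs the commit message justifies."""
    findings: Dict[str, List[str]] = {"malformed": [], "duplicate": [], "unjustified": [], "missing": []}
    seen = set()
    for entry in whitelist_entries(recipe_text):
        if not CVE_ID_RE.fullmatch(entry):
            findings["malformed"].append(entry)    # not a CVE ID at all
            continue
        if entry in seen:
            findings["duplicate"].append(entry)    # listed twice: often a typo for another ID
        seen.add(entry)
        if entry not in justified:
            findings["unjustified"].append(entry)  # whitelisted but never explained
    findings["missing"] = [c for c in justified if c not in seen]  # explained but not whitelisted
    return findings

if __name__ == "__main__":
    print("justification:", justification_comment(RECIPE_SNIPPET) or "(none)")
    print(audit_whitelist(RECIPE_SNIPPET, COMMIT_MESSAGE_CVES))
```

Run against the hunk above it reports CVE-2018-10845 as a duplicate and CVE-2018-10846 as justified but missing, which is exactly the slip in the patch.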


* Re: [OE-core] [poky][master][PATCH] gnutls: Whitelisted CVE patches
From: Steve Sakoman @ 2020-10-28 18:26 UTC (permalink / raw)
  To: saloni
  Cc: Patches and discussions about the oe-core layer, Khem Raj,
	nisha.parrakat, anuj.chougule

Note that the first three CVEs no longer appear in a CVE scan for
master or dunfell:

https://lists.yoctoproject.org/g/yocto-security/topic/oe_core_cve_metrics_for/77795960?p=,,,20,0,0,0::recentpostdate%2Fsticky,,,20,2,0,77795960
https://lists.yoctoproject.org/g/yocto-security/topic/oe_core_cve_metrics_for/77796289?p=,,,20,0,0,0::recentpostdate%2Fsticky,,,20,2,0,77796289

You'll see them in the "removed this week" since I sent in database
updates last week. I still need to deal with getting CVE-2018-16868
updated, but hopefully will get that done later this week.

So there should be no need for this patch in either master or dunfell.
In general I'd prefer to get the CVE database updated rather than add
whitelist entries.

If you'd like to help me with this CVE reduction program let's
coordinate off list!

Steve



* Re: [OE-core] [poky][master][PATCH] gnutls: Whitelisted CVE patches
From: Ross Burton @ 2020-10-29 14:01 UTC (permalink / raw)
  To: saloni; +Cc: OE-core, Khem Raj, nisha.parrakat, anuj.chougule

Echoing what Steve says: where this is due to incorrect information in
the CVE database we should definitely fix the CVE database instead of
working around this in the recipes.  The only reason to whitelist in
the recipe is if the vulnerability is based on the build configuration
or we've decided that it's not relevant.

Ross



* Re: [OE-core] [poky][master][PATCH] gnutls: Whitelisted CVE patches
From: saloni @ 2020-10-30  5:37 UTC (permalink / raw)
  To: Ross Burton; +Cc: OE-core, Khem Raj, Nisha Parrakat, Anuj Chougule


Hello Ross,

Understood. I also had a discussion with Steve and am doing a complete check for all the reported CVEs; after gathering all the relevant information, I will send a request for a database update.

Thanks & Regards,
Saloni

