* [master][gatesgarth][dunfell][PATCH] bluez: Whitelist CVE-2020-12351 and CVE-2020-12352
@ 2021-01-17 21:14 Robert Joslyn
  2021-01-20 18:18 ` [OE-core] " Steve Sakoman
  0 siblings, 1 reply; 5+ messages in thread
From: Robert Joslyn @ 2021-01-17 21:14 UTC (permalink / raw)
  To: openembedded-core; +Cc: Robert Joslyn

According to the Intel security advisory [1], these CVEs are mitigated by
the following kernel commits:

eddb7732119d53400f48a02536a84c509692faa8 Bluetooth: A2MP: Fix not initializing all members
f19425641cb2572a33cb074d5e30283720bd4d22 Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel
b560a208cda0297fef6ff85bbfd58a8f0a52a543 Bluetooth: MGMT: Fix not checking if BT_HS is enabled
a2ec905d1e160a33b2e210e45ad30445ef26ce0e Bluetooth: fix kernel oops in store_pending_adv_report

The latest of these commits were backported from 5.10 to the stable kernel
tree in the 5.8.16 and 5.4.72 releases. Since the kernels provided by OE-core
contain these fixes, mark them as whitelisted.

[1]: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html?wapkw=CVE-2020-12351

Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
---
 meta/recipes-connectivity/bluez5/bluez5_5.55.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
index 8190924562..051fdef8ce 100644
--- a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
@@ -3,6 +3,8 @@ require bluez5.inc
 SRC_URI[md5sum] = "94972b8bc7ade60c72b0ffa6ccff2c0a"
 SRC_URI[sha256sum] = "8863717113c4897e2ad3271fc808ea245319e6fd95eed2e934fae8e0894e9b88"
 
+CVE_CHECK_WHITELIST += "CVE-2020-12351 CVE-2020-12352"
+
 # noinst programs in Makefile.tools that are conditional on READLINE
 # support
 NOINST_TOOLS_READLINE ?= " \
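Review bot: The added CVE_CHECK_WHITELIST line sits in bluez5_5.55.bb with no condition and no comment, while the justification in the commit message is that the fixes live in the kernel (stable 5.8.16 and 5.4.72). A build that pairs this recipe with an older kernel would have both CVEs suppressed for bluez5 all the same. Suggest a comment directly above the line stating that these are kernel-side issues and naming the fixing kernel releases, so a later reader of the recipe can tell why the entries are there and when they stop being valid.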
-- 
2.26.2



* Re: [OE-core] [master][gatesgarth][dunfell][PATCH] bluez: Whitelist CVE-2020-12351 and CVE-2020-12352
  2021-01-17 21:14 [master][gatesgarth][dunfell][PATCH] bluez: Whitelist CVE-2020-12351 and CVE-2020-12352 Robert Joslyn
@ 2021-01-20 18:18 ` Steve Sakoman
  2021-01-21  5:59   ` Robert Joslyn
  0 siblings, 1 reply; 5+ messages in thread
From: Steve Sakoman @ 2021-01-20 18:18 UTC (permalink / raw)
  To: Robert Joslyn; +Cc: Patches and discussions about the oe-core layer

On Sun, Jan 17, 2021 at 11:16 AM Robert Joslyn
<robert.joslyn@redrectangle.org> wrote:
>
> According to the Intel security advisory [1], these CVEs are mitigated by
> the following kernel commits:
>
> eddb7732119d53400f48a02536a84c509692faa8 Bluetooth: A2MP: Fix not initializing all members
> f19425641cb2572a33cb074d5e30283720bd4d22 Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel
> b560a208cda0297fef6ff85bbfd58a8f0a52a543 Bluetooth: MGMT: Fix not checking if BT_HS is enabled
> a2ec905d1e160a33b2e210e45ad30445ef26ce0e Bluetooth: fix kernel oops in store_pending_adv_report
>
> The latest of these commits were backported from 5.10 to the stable kernel
> tree in the 5.8.16 and 5.4.72 releases. Since the kernels provided by OE-core
> contain these fixes, mark them as whitelisted.

This seems to be a good candidate for having the cpe database updated.
Currently it is flagging all versions of bluez and Linux.

I sent a request to have the entry updated.  If they accept the
request then we won't need this patch.  If they deny it we can merge
the patch.

Thanks for doing the research on this one!

Steve

> [1]: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html?wapkw=CVE-2020-12351
>
> Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> ---
>  meta/recipes-connectivity/bluez5/bluez5_5.55.bb | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
> index 8190924562..051fdef8ce 100644
> --- a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
> +++ b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
> @@ -3,6 +3,8 @@ require bluez5.inc
>  SRC_URI[md5sum] = "94972b8bc7ade60c72b0ffa6ccff2c0a"
>  SRC_URI[sha256sum] = "8863717113c4897e2ad3271fc808ea245319e6fd95eed2e934fae8e0894e9b88"
>
> +CVE_CHECK_WHITELIST += "CVE-2020-12351 CVE-2020-12352"
> +
>  # noinst programs in Makefile.tools that are conditional on READLINE
>  # support
>  NOINST_TOOLS_READLINE ?= " \
> --
> 2.26.2
>
>
> 
>


* Re: [OE-core] [master][gatesgarth][dunfell][PATCH] bluez: Whitelist CVE-2020-12351 and CVE-2020-12352
  2021-01-20 18:18 ` [OE-core] " Steve Sakoman
@ 2021-01-21  5:59   ` Robert Joslyn
  2021-01-26 14:50     ` Steve Sakoman
  0 siblings, 1 reply; 5+ messages in thread
From: Robert Joslyn @ 2021-01-21  5:59 UTC (permalink / raw)
  To: Steve Sakoman; +Cc: Patches and discussions about the oe-core layer



> On Jan 20, 2021, at 10:18 AM, Steve Sakoman <steve@sakoman.com> wrote:
> 
> On Sun, Jan 17, 2021 at 11:16 AM Robert Joslyn
> <robert.joslyn@redrectangle.org> wrote:
>> 
>> According to the Intel security advisory [1], these CVEs are mitigated by
>> the following kernel commits:
>> 
>> eddb7732119d53400f48a02536a84c509692faa8 Bluetooth: A2MP: Fix not initializing all members
>> f19425641cb2572a33cb074d5e30283720bd4d22 Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel
>> b560a208cda0297fef6ff85bbfd58a8f0a52a543 Bluetooth: MGMT: Fix not checking if BT_HS is enabled
>> a2ec905d1e160a33b2e210e45ad30445ef26ce0e Bluetooth: fix kernel oops in store_pending_adv_report
>> 
>> The latest of these commits were backported from 5.10 to the stable kernel
>> tree in the 5.8.16 and 5.4.72 releases. Since the kernels provided by OE-core
>> contain these fixes, mark them as whitelisted.
> 
> This seems to be a good candidate for having the cpe database updated.
> Currently it is flagging all versions of bluez and Linux.
> 
> I sent a request to have the entry updated.  If they accept the
> request then we won't need this patch.  If they deny it we can merge
> the patch.

Sounds good, thanks!

Robert

> 
> Thanks for doing the research on this one!
> 
> Steve
> 
>> [1]: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html?wapkw=CVE-2020-12351
>> 
>> Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
>> ---
>> meta/recipes-connectivity/bluez5/bluez5_5.55.bb | 2 ++
>> 1 file changed, 2 insertions(+)
>> 
>> diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
>> index 8190924562..051fdef8ce 100644
>> --- a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
>> +++ b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
>> @@ -3,6 +3,8 @@ require bluez5.inc
>> SRC_URI[md5sum] = "94972b8bc7ade60c72b0ffa6ccff2c0a"
>> SRC_URI[sha256sum] = "8863717113c4897e2ad3271fc808ea245319e6fd95eed2e934fae8e0894e9b88"
>> 
>> +CVE_CHECK_WHITELIST += "CVE-2020-12351 CVE-2020-12352"
>> +
>> # noinst programs in Makefile.tools that are conditional on READLINE
>> # support
>> NOINST_TOOLS_READLINE ?= " \
>> --
>> 2.26.2
>> 
>> 
>> 
>> 
> 
> 



* Re: [OE-core] [master][gatesgarth][dunfell][PATCH] bluez: Whitelist CVE-2020-12351 and CVE-2020-12352
  2021-01-21  5:59   ` Robert Joslyn
@ 2021-01-26 14:50     ` Steve Sakoman
  0 siblings, 0 replies; 5+ messages in thread
From: Steve Sakoman @ 2021-01-26 14:50 UTC (permalink / raw)
  To: Robert Joslyn; +Cc: Patches and discussions about the oe-core layer

On Wed, Jan 20, 2021 at 7:59 PM Robert Joslyn
<robert.joslyn@redrectangle.org> wrote:
>
>
>
> > On Jan 20, 2021, at 10:18 AM, Steve Sakoman <steve@sakoman.com> wrote:
> >
> > On Sun, Jan 17, 2021 at 11:16 AM Robert Joslyn
> > <robert.joslyn@redrectangle.org> wrote:
> >>
> >> According to the Intel security advisory [1], these CVEs are mitigated by
> >> the following kernel commits:
> >>
> >> eddb7732119d53400f48a02536a84c509692faa8 Bluetooth: A2MP: Fix not initializing all members
> >> f19425641cb2572a33cb074d5e30283720bd4d22 Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel
> >> b560a208cda0297fef6ff85bbfd58a8f0a52a543 Bluetooth: MGMT: Fix not checking if BT_HS is enabled
> >> a2ec905d1e160a33b2e210e45ad30445ef26ce0e Bluetooth: fix kernel oops in store_pending_adv_report
> >>
> >> The latest of these commits were backported from 5.10 to the stable kernel
> >> tree in the 5.8.16 and 5.4.72 releases. Since the kernels provided by OE-core
> >> contain these fixes, mark them as whitelisted.
> >
> > This seems to be a good candidate for having the cpe database updated.
> > Currently it is flagging all versions of bluez and Linux.
> >
> > I sent a request to have the entry updated.  If they accept the
> > request then we won't need this patch.  If they deny it we can merge
> > the patch.
>
> Sounds good, thanks!

After a bit of back and forth the CPE entry for this issue has been
updated to reflect that it is a kernel issue and the affected kernel
versions have also been added to the entry.

So we won't need this patch.  Thanks again for doing the initial
research on this issue!

Steve

> >> [1]: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html?wapkw=CVE-2020-12351
> >>
> >> Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> >> ---
> >> meta/recipes-connectivity/bluez5/bluez5_5.55.bb | 2 ++
> >> 1 file changed, 2 insertions(+)
> >>
> >> diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
> >> index 8190924562..051fdef8ce 100644
> >> --- a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
> >> +++ b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
> >> @@ -3,6 +3,8 @@ require bluez5.inc
> >> SRC_URI[md5sum] = "94972b8bc7ade60c72b0ffa6ccff2c0a"
> >> SRC_URI[sha256sum] = "8863717113c4897e2ad3271fc808ea245319e6fd95eed2e934fae8e0894e9b88"
> >>
> >> +CVE_CHECK_WHITELIST += "CVE-2020-12351 CVE-2020-12352"
> >> +
> >> # noinst programs in Makefile.tools that are conditional on READLINE
> >> # support
> >> NOINST_TOOLS_READLINE ?= " \
> >> --
> >> 2.26.2
> >>
> >>
> >>
> >>
> >
> > 
>


* Re: [OE-core] [master][gatesgarth][dunfell][PATCH] bluez: Whitelist CVE-2020-12351 and CVE-2020-12352
       [not found] <165B2189DDB58CAA.8629@lists.openembedded.org>
@ 2021-01-17 21:25 ` Robert Joslyn
  0 siblings, 0 replies; 5+ messages in thread
From: Robert Joslyn @ 2021-01-17 21:25 UTC (permalink / raw)
  To: openembedded-core

[-- Attachment #1: Type: text/plain, Size: 2352 bytes --]


> On Jan 17, 2021, at 1:14 PM, Robert Joslyn <robert.joslyn@redrectangle.org> wrote:
> 
> According to the Intel security advisory [1], these CVEs are mitigated by
> the following kernel commits:
> 
> eddb7732119d53400f48a02536a84c509692faa8 Bluetooth: A2MP: Fix not initializing all members
> f19425641cb2572a33cb074d5e30283720bd4d22 Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel
> b560a208cda0297fef6ff85bbfd58a8f0a52a543 Bluetooth: MGMT: Fix not checking if BT_HS is enabled
> a2ec905d1e160a33b2e210e45ad30445ef26ce0e Bluetooth: fix kernel oops in store_pending_adv_report
> 
> The latest of these commits were backported from 5.10 to the stable kernel
> tree in the 5.8.16 and 5.4.72 releases. Since the kernels provided by OE-core
> contain these fixes, mark them as whitelisted.
> 
> [1]: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html?wapkw=CVE-2020-12351
> 
> Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
> ---
> meta/recipes-connectivity/bluez5/bluez5_5.55.bb | 2 ++
> 1 file changed, 2 insertions(+)
> 
> diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
> index 8190924562..051fdef8ce 100644
> --- a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
> +++ b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
> @@ -3,6 +3,8 @@ require bluez5.inc
> SRC_URI[md5sum] = "94972b8bc7ade60c72b0ffa6ccff2c0a"
> SRC_URI[sha256sum] = "8863717113c4897e2ad3271fc808ea245319e6fd95eed2e934fae8e0894e9b88"
> 
> +CVE_CHECK_WHITELIST += "CVE-2020-12351 CVE-2020-12352"
> +
> # noinst programs in Makefile.tools that are conditional on READLINE
> # support
> NOINST_TOOLS_READLINE ?= " \
> -- 
> 2.26.2

I’m not sure if this is the best solution, but figured I’d send the patch and see what others think. The CVEs call out bluez running on the Linux kernel in the vulnerable CPE names, but no versions are listed. It seems to me like the CPE names associated with the CVE should really just be against the kernel, with appropriate version numbers added. Is this something likely to be updated in the CVE database, or is whitelisting them here the best option? Does cve-check.bbclass handle the “bluez running on/with linux_kernel” case described in the CVE?

Thanks,
Robert


[-- Attachment #2: Type: text/html, Size: 3553 bytes --]
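
Added example (not part of the thread and not cve-check.bbclass code): a simplified model of CPE matching that contrasts an entry with no version bounds, a per-recipe whitelist, and a kernel-only entry with version ranges. The CPE entries, the 5.5 lower bound, the recipe-to-product mapping and the linux-yocto version are constructed for illustration; only the 5.4.72 and 5.8.16 bounds and the bluez5 5.55 version come from the thread.

```python
# Added illustration: a simplified model of CPE-based matching, not the
# cve-check.bbclass implementation. All data below is constructed.
CVE = "CVE-2020-12351"

# Entry as described in the thread: both products listed, no version bounds.
BEFORE = [{"product": "bluez"}, {"product": "linux_kernel"}]
# Constructed stand-in for a kernel-only entry, bounded by the stable
# releases named in the commit message (5.4.72 and 5.8.16).
AFTER = [
    {"product": "linux_kernel", "end_excluding": "5.4.72"},
    {"product": "linux_kernel", "start_including": "5.5",
     "end_excluding": "5.8.16"},
]

def vtuple(version):
    """'5.4.72' -> (5, 4, 72) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def entry_matches(entry, product, version):
    """True if one CPE entry covers this product at this version."""
    if entry["product"] != product:
        return False
    start, end = entry.get("start_including"), entry.get("end_excluding")
    v = vtuple(version)
    if start is not None and v < vtuple(start):
        return False
    if end is not None and v >= vtuple(end):
        return False
    return True  # an entry with no bounds matches every version

def report(entries, recipes, whitelist=None):
    """Names of recipes still flagged; whitelist maps recipe -> CVE IDs."""
    whitelist = whitelist or {}
    flagged = []
    for name, (product, version) in sorted(recipes.items()):
        if CVE in whitelist.get(name, set()):
            continue  # suppressed in the recipe regardless of version
        if any(entry_matches(e, product, version) for e in entries):
            flagged.append(name)
    return flagged

# Sample image contents (constructed): recipe -> (CPE product, version).
RECIPES = {"bluez5": ("bluez", "5.55"),
           "linux-yocto": ("linux_kernel", "5.4.72")}

if __name__ == "__main__":
    print(report(BEFORE, RECIPES))
    print(report(BEFORE, RECIPES, {"bluez5": {CVE}}))
    print(report(AFTER, RECIPES))
```

In this model the whitelist only silences the bluez5 finding, whereas the bounded kernel entry clears both recipes on a fixed kernel and still flags an older one.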
