* [PATCH 1/5] cve-check: show real PN/PV
@ 2020-11-19 10:38 Ross Burton
  2020-11-19 10:38 ` [PATCH 2/5] python3: add CVE-2007-4559 to whitelist Ross Burton
                   ` (3 more replies)
  0 siblings, 4 replies; 11+ messages in thread
From: Ross Burton @ 2020-11-19 10:38 UTC (permalink / raw)
  To: openembedded-core

The output currently shows the remapped product and version fields,
which may not be the actual recipe name/version. As this report is about
recipes, use the real values.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/classes/cve-check.bbclass | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 25cefda92eb..d843e7c4ace 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -208,6 +208,9 @@ def check_cves(d, patched_cves):
     """
     from distutils.version import LooseVersion
 
+    pn = d.getVar("PN")
+    real_pv = d.getVar("PV")
+
     cves_unpatched = []
     # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
     products = d.getVar("CVE_PRODUCT").split()
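Review bot: `real_pv` is introduced a few lines above the existing `pv` (CVE_VERSION with any "+git" suffix stripped), and in a function this long the two are easy to mix up; a one-line comment at the new assignments stating that PN/PV are for reporting only while CVE_PRODUCT/CVE_VERSION continue to drive the matching would make the split explicit, or name the new variable `recipe_pv` so it visibly pairs with `pn`.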
@@ -217,7 +220,7 @@ def check_cves(d, patched_cves):
     pv = d.getVar("CVE_VERSION").split("+git")[0]
 
     # If the recipe has been whitlisted we return empty lists
-    if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split():
+    if pn in d.getVar("CVE_CHECK_PN_WHITELIST").split():
         bb.note("Recipe has been whitelisted, skipping check")
         return ([], [], [])
 
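Review bot: the context comment directly above the changed line still reads "whitlisted"; since this block is being touched anyway, correcting it to "whitelisted" would keep the comment consistent with the bb.note text that follows it.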
@@ -286,12 +289,12 @@ def check_cves(d, patched_cves):
                         vulnerable = vulnerable_start or vulnerable_end
 
                 if vulnerable:
-                    bb.note("%s-%s is vulnerable to %s" % (product, pv, cve))
+                    bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve))
                     cves_unpatched.append(cve)
                     break
 
             if not vulnerable:
-                bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve))
+                bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve))
                 # TODO: not patched but not vulnerable
                 patched_cves.add(cve)
 
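Review bot: the reworded "is vulnerable" bb.note drops `product`, yet the comment near the top of the function says CVE_PRODUCT can hold more than one product (eg. curl/libcurl) and this loop iterates per product, so the log no longer records which CPE product a CVE matched against. Keeping it next to the recipe name, e.g. `bb.note("%s-%s (%s) is vulnerable to %s" % (pn, real_pv, product, cve))`, gives the recipe-centric report the patch wants while preserving the detail needed to debug a false positive. The "is not vulnerable" message sits after the loop and so referred to whichever product happened to be last; dropping `product` there is an improvement.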
-- 
2.25.1



* [PATCH 2/5] python3: add CVE-2007-4559 to whitelist
  2020-11-19 10:38 [PATCH 1/5] cve-check: show real PN/PV Ross Burton
@ 2020-11-19 10:38 ` Ross Burton
  2020-11-19 15:03   ` [OE-core] " Steve Sakoman
  2020-11-19 10:38 ` [PATCH 3/5] sqlite3: add CVE-2015-3717 " Ross Burton
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 11+ messages in thread
From: Ross Burton @ 2020-11-19 10:38 UTC (permalink / raw)
  To: openembedded-core

This issue describes expected behaviour, do not use tarfile with
untrusted data.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/recipes-devtools/python/python3_3.9.0.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-devtools/python/python3_3.9.0.bb b/meta/recipes-devtools/python/python3_3.9.0.bb
index 8fe60ea0160..86077bb1ca8 100644
--- a/meta/recipes-devtools/python/python3_3.9.0.bb
+++ b/meta/recipes-devtools/python/python3_3.9.0.bb
@@ -45,6 +45,8 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"
 
 CVE_PRODUCT = "python"
 
+# Upstream consider this expected behaviour
+CVE_CHECK_WHITELIST += "CVE-2007-4559"
 # This is not exploitable when glibc has CVE-2016-10739 fixed.
 CVE_CHECK_WHITELIST += "CVE-2019-18348"
 
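Review bot: the comment justifying the new whitelist entry ("Upstream consider this expected behaviour") gives no pointer to where upstream said so, whereas the entry below it records a concrete, checkable condition (glibc with CVE-2016-10739 fixed). A URL to the upstream bug or discussion, as the sqlite3 patch in this series does, lets whoever audits the whitelist later verify that the reasoning still holds; once listed in CVE_CHECK_WHITELIST the CVE disappears from cve-check's report for every future version of the recipe.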
-- 
2.25.1



* [PATCH 3/5] sqlite3: add CVE-2015-3717 to whitelist
  2020-11-19 10:38 [PATCH 1/5] cve-check: show real PN/PV Ross Burton
  2020-11-19 10:38 ` [PATCH 2/5] python3: add CVE-2007-4559 to whitelist Ross Burton
@ 2020-11-19 10:38 ` Ross Burton
  2020-11-19 15:04   ` [OE-core] " Steve Sakoman
  2020-11-19 10:38 ` [PATCH 4/5] gstreamer1.0-rtsp-server: set CVE_PRODUCT Ross Burton
  2020-11-19 10:38 ` [PATCH 5/5] gstreamer1.0-plugins-base: " Ross Burton
  3 siblings, 1 reply; 11+ messages in thread
From: Ross Burton @ 2020-11-19 10:38 UTC (permalink / raw)
  To: openembedded-core

As per https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA this issue
is believed to be either iOS specific, or fixed in 3.8.9.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/recipes-support/sqlite/sqlite3_3.33.0.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-support/sqlite/sqlite3_3.33.0.bb b/meta/recipes-support/sqlite/sqlite3_3.33.0.bb
index 611a1bd923a..33f041a161d 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.33.0.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.33.0.bb
@@ -8,3 +8,5 @@ SRC_URI[sha256sum] = "106a2c48c7f75a298a7557bcc0d5f4f454e5b43811cc738b7ca294d695
 
 # -19242 is only an issue in specific development branch commits
 CVE_CHECK_WHITELIST += "CVE-2019-19242"
+# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
+CVE_CHECK_WHITELIST += "CVE-2015-3717"
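Review bot: the recipe comment carries only the iOS-specific theory, while the commit message also says "or fixed in 3.8.9"; recording both reasons in the comment, the 3.8.9 figure in particular, matters because CVE_CHECK_WHITELIST suppresses the CVE for every later version of this recipe and a reader needs the version bound to judge whether the entry still applies. The existing entry uses the "# -19242 is ..." style for the CVE number; either style is fine, but the two adjacent comments should match.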
-- 
2.25.1



* [PATCH 4/5] gstreamer1.0-rtsp-server: set CVE_PRODUCT
  2020-11-19 10:38 [PATCH 1/5] cve-check: show real PN/PV Ross Burton
  2020-11-19 10:38 ` [PATCH 2/5] python3: add CVE-2007-4559 to whitelist Ross Burton
  2020-11-19 10:38 ` [PATCH 3/5] sqlite3: add CVE-2015-3717 " Ross Burton
@ 2020-11-19 10:38 ` Ross Burton
  2020-11-19 10:38 ` [PATCH 5/5] gstreamer1.0-plugins-base: " Ross Burton
  3 siblings, 0 replies; 11+ messages in thread
From: Ross Burton @ 2020-11-19 10:38 UTC (permalink / raw)
  To: openembedded-core

There are CVEs with the 'gst-rtsp-server' product, so set that.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 .../gstreamer/gstreamer1.0-rtsp-server_1.18.1.bb                | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.18.1.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.18.1.bb
index 2f00de1e56d..30534c97827 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.18.1.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.18.1.bb
@@ -27,3 +27,5 @@ GIR_MESON_DISABLE_FLAG = "disabled"
 
 # Starting with 1.8.0 gst-rtsp-server includes dependency-less plugins as well
 require gstreamer1.0-plugins-packaging.inc
+
+CVE_PRODUCT += "gst-rtsp-server"
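Review bot: cve-check.bbclass provides CVE_PRODUCT as a weak default (`CVE_PRODUCT ??= "${BPN}"`), and in BitBake `+=` does not append to a weak default, so this line most likely replaces the default rather than extending it, leaving the value as " gst-rtsp-server" with a leading space (harmless, since the class calls `.split()` on it). That outcome is the one wanted here, the BPN not being a CPE product name, and the commit message already says "set", so `CVE_PRODUCT = "gst-rtsp-server"` would state the intent directly; in either case the effective value should be confirmed with `bitbake -e gstreamer1.0-rtsp-server | grep '^CVE_PRODUCT='`.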
-- 
2.25.1



* [PATCH 5/5] gstreamer1.0-plugins-base: set CVE_PRODUCT
  2020-11-19 10:38 [PATCH 1/5] cve-check: show real PN/PV Ross Burton
                   ` (2 preceding siblings ...)
  2020-11-19 10:38 ` [PATCH 4/5] gstreamer1.0-rtsp-server: set CVE_PRODUCT Ross Burton
@ 2020-11-19 10:38 ` Ross Burton
  3 siblings, 0 replies; 11+ messages in thread
From: Ross Burton @ 2020-11-19 10:38 UTC (permalink / raw)
  To: openembedded-core

There are CVEs with the 'gst-plugins-base' product, so set that.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 .../gstreamer/gstreamer1.0-plugins-base_1.18.1.bb               | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.18.1.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.18.1.bb
index 8e3ff21c905..1b2bd4fe149 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.18.1.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.18.1.bb
@@ -90,3 +90,5 @@ def get_opengl_cmdline_list(switch_name, options, d):
         return '-D' + switch_name + '=' + ','.join(selected_options)
     else:
         return ''
+
+CVE_PRODUCT += "gst-plugins-base"
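Review bot: the new assignment lands after the `get_opengl_cmdline_list` Python function at the very end of the file, away from the recipe's other metadata, where the next person looking for CVE settings will not expect it; placing it with the other variables near the top keeps it discoverable. As with 4/5, the commit message says "set" while the hunk uses `+=` against a weak-default variable, so `=` would match the stated intent, and the resulting value is worth confirming with `bitbake -e gstreamer1.0-plugins-base | grep '^CVE_PRODUCT='`.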
-- 
2.25.1



* Re: [OE-core] [PATCH 2/5] python3: add CVE-2007-4559 to whitelist
  2020-11-19 10:38 ` [PATCH 2/5] python3: add CVE-2007-4559 to whitelist Ross Burton
@ 2020-11-19 15:03   ` Steve Sakoman
  2020-11-20 11:10     ` Ross Burton
  0 siblings, 1 reply; 11+ messages in thread
From: Steve Sakoman @ 2020-11-19 15:03 UTC (permalink / raw)
  To: Ross Burton; +Cc: Patches and discussions about the oe-core layer

Is this also suitable for dunfell?

Steve

On Thu, Nov 19, 2020 at 12:38 AM Ross Burton <ross@burtonini.com> wrote:
>
> This issue describes expected behaviour, do not use tarfile with
> untrusted data.
>
> Signed-off-by: Ross Burton <ross.burton@arm.com>
> ---
>  meta/recipes-devtools/python/python3_3.9.0.bb | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-devtools/python/python3_3.9.0.bb b/meta/recipes-devtools/python/python3_3.9.0.bb
> index 8fe60ea0160..86077bb1ca8 100644
> --- a/meta/recipes-devtools/python/python3_3.9.0.bb
> +++ b/meta/recipes-devtools/python/python3_3.9.0.bb
> @@ -45,6 +45,8 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"
>
>  CVE_PRODUCT = "python"
>
> +# Upstream consider this expected behaviour
> +CVE_CHECK_WHITELIST += "CVE-2007-4559"
>  # This is not exploitable when glibc has CVE-2016-10739 fixed.
>  CVE_CHECK_WHITELIST += "CVE-2019-18348"
>
> --
> 2.25.1
>
>
> 
>


* Re: [OE-core] [PATCH 3/5] sqlite3: add CVE-2015-3717 to whitelist
  2020-11-19 10:38 ` [PATCH 3/5] sqlite3: add CVE-2015-3717 " Ross Burton
@ 2020-11-19 15:04   ` Steve Sakoman
  2020-11-19 16:41     ` Mikko Rapeli
  2020-11-20 11:13     ` Ross Burton
  0 siblings, 2 replies; 11+ messages in thread
From: Steve Sakoman @ 2020-11-19 15:04 UTC (permalink / raw)
  To: Ross Burton; +Cc: Patches and discussions about the oe-core layer

Is this also suitable for dunfell?

Steve

On Thu, Nov 19, 2020 at 12:38 AM Ross Burton <ross@burtonini.com> wrote:
>
> As per https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA this issue
> is believed to be either iOS specific, or fixed in 3.8.9.
>
> Signed-off-by: Ross Burton <ross.burton@arm.com>
> ---
>  meta/recipes-support/sqlite/sqlite3_3.33.0.bb | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-support/sqlite/sqlite3_3.33.0.bb b/meta/recipes-support/sqlite/sqlite3_3.33.0.bb
> index 611a1bd923a..33f041a161d 100644
> --- a/meta/recipes-support/sqlite/sqlite3_3.33.0.bb
> +++ b/meta/recipes-support/sqlite/sqlite3_3.33.0.bb
> @@ -8,3 +8,5 @@ SRC_URI[sha256sum] = "106a2c48c7f75a298a7557bcc0d5f4f454e5b43811cc738b7ca294d695
>
>  # -19242 is only an issue in specific development branch commits
>  CVE_CHECK_WHITELIST += "CVE-2019-19242"
> +# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
> +CVE_CHECK_WHITELIST += "CVE-2015-3717"
> --
> 2.25.1
>
>
> 
>


* Re: [OE-core] [PATCH 3/5] sqlite3: add CVE-2015-3717 to whitelist
  2020-11-19 15:04   ` [OE-core] " Steve Sakoman
@ 2020-11-19 16:41     ` Mikko Rapeli
  2020-11-20 11:13       ` Ross Burton
  2020-11-20 11:13     ` Ross Burton
  1 sibling, 1 reply; 11+ messages in thread
From: Mikko Rapeli @ 2020-11-19 16:41 UTC (permalink / raw)
  To: steve; +Cc: ross, openembedded-core

Or is the problem here that sqlite version 3.33 is not listed correctly on
https://nvd.nist.gov/vuln/detail/CVE-2015-3717#match-3021743
as I don't see this reported even for the older 3.22 version by the yocto CVE checker?

-Mikko


* Re: [OE-core] [PATCH 2/5] python3: add CVE-2007-4559 to whitelist
  2020-11-19 15:03   ` [OE-core] " Steve Sakoman
@ 2020-11-20 11:10     ` Ross Burton
  0 siblings, 0 replies; 11+ messages in thread
From: Ross Burton @ 2020-11-20 11:10 UTC (permalink / raw)
  To: Steve Sakoman; +Cc: Patches and discussions about the oe-core layer

Yes.

Ross

On Thu, 19 Nov 2020 at 15:03, Steve Sakoman <steve@sakoman.com> wrote:
>
> Is this also suitable for dunfell?
>
> Steve
>
> On Thu, Nov 19, 2020 at 12:38 AM Ross Burton <ross@burtonini.com> wrote:
> >
> > This issue describes expected behaviour, do not use tarfile with
> > untrusted data.
> >
> > Signed-off-by: Ross Burton <ross.burton@arm.com>
> > ---
> >  meta/recipes-devtools/python/python3_3.9.0.bb | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/meta/recipes-devtools/python/python3_3.9.0.bb b/meta/recipes-devtools/python/python3_3.9.0.bb
> > index 8fe60ea0160..86077bb1ca8 100644
> > --- a/meta/recipes-devtools/python/python3_3.9.0.bb
> > +++ b/meta/recipes-devtools/python/python3_3.9.0.bb
> > @@ -45,6 +45,8 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"
> >
> >  CVE_PRODUCT = "python"
> >
> > +# Upstream consider this expected behaviour
> > +CVE_CHECK_WHITELIST += "CVE-2007-4559"
> >  # This is not exploitable when glibc has CVE-2016-10739 fixed.
> >  CVE_CHECK_WHITELIST += "CVE-2019-18348"
> >
> > --
> > 2.25.1
> >
> >
> > 
> >


* Re: [OE-core] [PATCH 3/5] sqlite3: add CVE-2015-3717 to whitelist
  2020-11-19 16:41     ` Mikko Rapeli
@ 2020-11-20 11:13       ` Ross Burton
  0 siblings, 0 replies; 11+ messages in thread
From: Ross Burton @ 2020-11-20 11:13 UTC (permalink / raw)
  To: Mikko.Rapeli; +Cc: Steve Sakoman, OE-core

On Thu, 19 Nov 2020 at 16:41, <Mikko.Rapeli@bmw.de> wrote:
> Or is the problem here that sqlite version 3.33 is not listed correctly on
> https://nvd.nist.gov/vuln/detail/CVE-2015-3717#match-3021743
> as I don't see this reported even for the older 3.22 version by the yocto CVE checker?

So there's a bug in the CPE parsing that I have a local patch for,
which meant this and 38 other issues were not reported.  I have
reported the findings in that thread to NVD to see if they want to add
a version to the CVE, but considering it's not actually known what the
issue is I suspect they might not want to add it.

In an ideal world Apple would verify that the issue is iOS/macOS
specific, but that's not likely to happen.

Ross


* Re: [OE-core] [PATCH 3/5] sqlite3: add CVE-2015-3717 to whitelist
  2020-11-19 15:04   ` [OE-core] " Steve Sakoman
  2020-11-19 16:41     ` Mikko Rapeli
@ 2020-11-20 11:13     ` Ross Burton
  1 sibling, 0 replies; 11+ messages in thread
From: Ross Burton @ 2020-11-20 11:13 UTC (permalink / raw)
  To: Steve Sakoman; +Cc: Patches and discussions about the oe-core layer

Yes, it is.

Ross

On Thu, 19 Nov 2020 at 15:04, Steve Sakoman <steve@sakoman.com> wrote:
>
> Is this also suitable for dunfell?
>
> Steve
>
> On Thu, Nov 19, 2020 at 12:38 AM Ross Burton <ross@burtonini.com> wrote:
> >
> > As per https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA this issue
> > is believed to be either iOS specific, or fixed in 3.8.9.
> >
> > Signed-off-by: Ross Burton <ross.burton@arm.com>
> > ---
> >  meta/recipes-support/sqlite/sqlite3_3.33.0.bb | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/meta/recipes-support/sqlite/sqlite3_3.33.0.bb b/meta/recipes-support/sqlite/sqlite3_3.33.0.bb
> > index 611a1bd923a..33f041a161d 100644
> > --- a/meta/recipes-support/sqlite/sqlite3_3.33.0.bb
> > +++ b/meta/recipes-support/sqlite/sqlite3_3.33.0.bb
> > @@ -8,3 +8,5 @@ SRC_URI[sha256sum] = "106a2c48c7f75a298a7557bcc0d5f4f454e5b43811cc738b7ca294d695
> >
> >  # -19242 is only an issue in specific development branch commits
> >  CVE_CHECK_WHITELIST += "CVE-2019-19242"
> > +# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
> > +CVE_CHECK_WHITELIST += "CVE-2015-3717"
> > --
> > 2.25.1
> >
> >
> > 
> >

