* [PATCH 1/8] bind: Exclude CVE-2019-6470 from cve-check
@ 2021-05-11 12:51 Richard Purdie
From: Richard Purdie @ 2021-05-11 12:51 UTC (permalink / raw)
  To: openembedded-core

Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
so the issue doesn't affect us.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-connectivity/bind/bind_9.16.13.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/recipes-connectivity/bind/bind_9.16.13.bb b/meta/recipes-connectivity/bind/bind_9.16.13.bb
index 6127b13e8dc..38825f1cf77 100644
--- a/meta/recipes-connectivity/bind/bind_9.16.13.bb
+++ b/meta/recipes-connectivity/bind/bind_9.16.13.bb
@@ -26,6 +26,10 @@ UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # stay at 9.16 follow the ESV versions divisible by 4
 UPSTREAM_CHECK_REGEX = "(?P<pver>9.(16|20|24|28)(\.\d+)+(-P\d+)*)/"
 
+# Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
+# so the issue doesn't affect us.
+CVE_CHECK_WHITELIST += "CVE-2019-6470"
+
 inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives
 
 # PACKAGECONFIGs readline and libedit should NOT be set at same time
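Review bot: the justification on the two added comment lines rests on a property of the distribution (dhcpd is no longer shipped) rather than on anything in this bind recipe, so the entry silently becomes wrong if a dhcpd recipe built against this bind reappears in any layer; word the comment to make that dependency explicit, e.g. `# CVE-2019-6470 affects dhcpd only; oe-core no longer ships dhcpd, revisit if it returns`, so the next person touching `CVE_CHECK_WHITELIST` here knows what to re-check.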
-- 
2.30.2

* [PATCH 2/8] openssh: Exclude CVE-2008-3844 from cve-check
From: Richard Purdie @ 2021-05-11 12:51 UTC (permalink / raw)
  To: openembedded-core

CVE only applies to some distributed RHEL binaries so irrelevant to us.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-connectivity/openssh/openssh_8.6p1.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-connectivity/openssh/openssh_8.6p1.bb b/meta/recipes-connectivity/openssh/openssh_8.6p1.bb
index 57ad5e841ca..e8f041c58c1 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.6p1.bb
@@ -34,6 +34,9 @@ CVE_CHECK_WHITELIST += "CVE-2007-2768"
 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
 CVE_CHECK_WHITELIST += "CVE-2014-9278"
 
+# CVE only applies to some distributed RHEL binaries
+CVE_CHECK_WHITELIST += "CVE-2008-3844"
+
 PAM_SRC_URI = "file://sshd"
 
 inherit manpages useradd update-rc.d update-alternatives systemd
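Review bot: the comment above `CVE_CHECK_WHITELIST += "CVE-2008-3844"` records only where the CVE applies, whereas the existing entry directly above it (`# ... As such it is not relevant to OpenEmbedded`) also records the conclusion; for consistency, and so a reader does not have to find the commit message, extend it to e.g. `# CVE only applies to some distributed RHEL binaries, so not relevant to OpenEmbedded`.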
-- 
2.30.2

* [PATCH 3/8] unzip: Exclude CVE-2008-0888 from cve-check
From: Richard Purdie @ 2021-05-11 12:51 UTC (permalink / raw)
  To: openembedded-core

The patch mentioned as the fix for the CVE is applied to the 6.0 source
code. Zip versioning makes CPE entry changes hard.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-extended/unzip/unzip_6.0.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index ec69508eea8..40f0346f8d3 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -33,6 +33,9 @@ UPSTREAM_VERSION_UNKNOWN = "1"
 SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
 SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
 
+# Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
+CVE_CHECK_WHITELIST += "CVE-2008-0888"
+
 # exclude version 5.5.2 which triggers a false positive
 UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"
 
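Review bot: the comment added above `CVE_CHECK_WHITELIST += "CVE-2008-0888"` says the Red Hat bugzilla patch is applied to the 6.0 source, but nothing in the hunk names the patch file in this recipe that carries it, so the claim cannot be verified from the recipe alone; name that file in the comment (alongside the bugzilla attachment URL) so that dropping or replacing the patch later prompts a review of the whitelist entry rather than leaving it in place unnoticed.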
-- 
2.30.2

* [PATCH 4/8] tar: Exclude CVE-2007-4476 from cve-check
From: Richard Purdie @ 2021-05-11 12:51 UTC (permalink / raw)
  To: openembedded-core

CPE lists only SUSE for all versions of tar.

https://bugzilla.redhat.com/show_bug.cgi?id=280961 shows the issue affects paxutils
included in tar or cpio.
http://cvs.savannah.gnu.org/viewvc/paxutils/paxutils/paxlib/names.c?r1=1.2&r2=1.4 was the fix,
which is included in tar 1.19 and later.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-extended/tar/tar_1.34.bb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/recipes-extended/tar/tar_1.34.bb b/meta/recipes-extended/tar/tar_1.34.bb
index af04919c414..8dd0af2566f 100644
--- a/meta/recipes-extended/tar/tar_1.34.bb
+++ b/meta/recipes-extended/tar/tar_1.34.bb
@@ -10,6 +10,11 @@ SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2"
 
 SRC_URI[sha256sum] = "b44cc67f8a1f6b0250b7c860e952b37e8ed932a90bd9b1862a511079255646ff"
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=280961 - issue affects paxutils included in tar
+# http://cvs.savannah.gnu.org/viewvc/paxutils/paxutils/paxlib/names.c?r1=1.2&r2=1.4 was the fix
+# included in tar 1.19 and later
+CVE_CHECK_WHITELIST += "CVE-2007-4476"
+
 inherit autotools gettext texinfo
 
 PACKAGECONFIG ??= ""
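Review bot: the three comment lines give the fix history but not the reason the match is spurious for this recipe; the commit message's point that the CPE lists only SUSE for all tar versions is the actual cause of the false positive and belongs in the recipe comment, together with an explicit version gate such as `# fixed in tar 1.19 and later; this recipe is 1.34`, since `CVE_CHECK_WHITELIST +=` is unconditional and the comment is the only thing tying the entry to the version being built.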
-- 
2.30.2

* [PATCH 5/8] cpio: Exclude CVE-2010-4226 from cve-check
From: Richard Purdie @ 2021-05-11 12:51 UTC (permalink / raw)
  To: openembedded-core

Issue applies to use of cpio in SUSE/OBS, doesn't apply to us.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-extended/cpio/cpio_2.13.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-extended/cpio/cpio_2.13.bb b/meta/recipes-extended/cpio/cpio_2.13.bb
index 94d86100c74..f4df826ed9c 100644
--- a/meta/recipes-extended/cpio/cpio_2.13.bb
+++ b/meta/recipes-extended/cpio/cpio_2.13.bb
@@ -16,6 +16,9 @@ SRC_URI[sha256sum] = "e87470d9c984317f658567c03bfefb6b0c829ff17dbf6b0de48d71a4c8
 
 inherit autotools gettext texinfo
 
+# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us
+CVE_CHECK_WHITELIST += "CVE-2010-4226"
+
 EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"
 
 do_install () {
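Review bot: the justification on the added comment line (`Issue applies to use of cpio in SUSE/OBS`) gives no reference, unlike the tar and unzip entries in this same series which cite a bug tracker; add the bug or advisory URL that establishes the SUSE/OBS scoping so the exclusion can be re-evaluated when the recipe moves past 2.13 or the CPE data changes.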
-- 
2.30.2

* [PATCH 6/8] xinetd: Exclude CVE-2013-4342 from cve-check
From: Richard Purdie @ 2021-05-11 12:51 UTC (permalink / raw)
  To: openembedded-core

We use the SUSE mirror of xinetd. The CVE fix was added to the main repo
after the latest release but is included in the version from the SUSE repo.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
index 2787b270fac..69d5b2f83b7 100644
--- a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
+++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
@@ -19,6 +19,9 @@ SRCREV = "6a4af7786630ce48747d9687e2f18f45ea6684c4"
 
 S = "${WORKDIR}/git"
 
+# https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision
+CVE_CHECK_WHITELIST += "CVE-2013-4342"
+
 inherit autotools update-rc.d systemd pkgconfig
 
 SYSTEMD_SERVICE_${PN} = "xinetd.service"
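Review bot: the added comment cites https://github.com/xinetd-org/xinetd/pull/10 while the commit message says the recipe builds from the SUSE mirror and that the fix is in no upstream release; record that in the comment as well, e.g. `# fix from xinetd-org PR 10 is present in the SUSE tree at this SRCREV`, because the exclusion is only valid for a SRCREV containing that merge, and a reader checking the PR against upstream release tags would otherwise conclude the fix is missing.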
-- 
2.30.2

* [PATCH 7/8] ghostscript: Exclude CVE-2013-6629 from cve-check
From: Richard Purdie @ 2021-05-11 12:51 UTC (permalink / raw)
  To: openembedded-core

The CVE is in the jpeg sources included with ghostscript. We use our own
external jpeg library so this doesn't affect us.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb
index 9ace037aa95..81f8d615aed 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.54.0.bb
@@ -19,6 +19,10 @@ DEPENDS_class-native = "libpng-native"
 UPSTREAM_CHECK_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.tar"
 
+# As of ghostscript 9.54.0 the jpeg issue in the CVE is present in the gs jpeg sources
+# however we use an external jpeg which doesn't have the issue.
+CVE_CHECK_WHITELIST += "CVE-2013-6629"
+
 def gs_verdir(v):
     return "".join(v.split("."))
 
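Review bot: the exclusion on these lines holds only while the bundled jpeg sources are not compiled in favour of the external libjpeg, but the hunk does not show where that choice is made (the DEPENDS or configure options selecting the external jpeg are outside this context); reference that setting in the comment so a later change enabling the bundled jpeg is recognised as re-exposing CVE-2013-6629 rather than leaving a stale whitelist entry.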
-- 
2.30.2

* [PATCH 8/8] bluez: Exclude CVE-2020-12352 CVE-2020-24490 from cve-check
From: Richard Purdie @ 2021-05-11 12:51 UTC (permalink / raw)
  To: openembedded-core

These CVEs are fixed with kernel changes and don't affect the bluez recipe.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-connectivity/bluez5/bluez5_5.58.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.58.bb b/meta/recipes-connectivity/bluez5/bluez5_5.58.bb
index 186a621c445..eb8475ec1e2 100644
--- a/meta/recipes-connectivity/bluez5/bluez5_5.58.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.58.bb
@@ -2,6 +2,9 @@ require bluez5.inc
 
 SRC_URI[sha256sum] = "c8065e75a5eb67236849ef68a354b1700540305a8c88ef0a0fd6288f19daf1f1"
 
+# These issues have kernel fixes rather than bluez fixes so exclude here
+CVE_CHECK_WHITELIST += "CVE-2020-12352 CVE-2020-24490"
+
 # noinst programs in Makefile.tools that are conditional on READLINE
 # support
 NOINST_TOOLS_READLINE ?= " \
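Review bot: the comment on the added line says the fixes are kernel-side rather than in bluez, but does not say where the two CVEs should be tracked instead; since excluding them here removes them from the bluez report entirely, add a pointer (e.g. `tracked against the kernel recipe`) so their status is still checked somewhere. Listing both IDs space-separated in a single `CVE_CHECK_WHITELIST +=` is consistent with the existing usage above.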
-- 
2.30.2
