* [PATCH 1/5] cve-check: show real PN/PV
@ 2020-11-19 10:38 Ross Burton
2020-11-19 10:38 ` [PATCH 2/5] python3: add CVE-2007-4559 to whitelist Ross Burton
` (3 more replies)
0 siblings, 4 replies; 11+ messages in thread
From: Ross Burton @ 2020-11-19 10:38 UTC (permalink / raw)
To: openembedded-core
The output currently shows the remapped product and version fields,
which may not be the actual recipe name/version. As this report is about
recipes, use the real values.
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
meta/classes/cve-check.bbclass | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 25cefda92eb..d843e7c4ace 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -208,6 +208,9 @@ def check_cves(d, patched_cves):
"""
from distutils.version import LooseVersion
+ pn = d.getVar("PN")
+ real_pv = d.getVar("PV")
+
cves_unpatched = []
# CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
products = d.getVar("CVE_PRODUCT").split()
@@ -217,7 +220,7 @@ def check_cves(d, patched_cves):
pv = d.getVar("CVE_VERSION").split("+git")[0]
# If the recipe has been whitlisted we return empty lists
- if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split():
+ if pn in d.getVar("CVE_CHECK_PN_WHITELIST").split():
bb.note("Recipe has been whitelisted, skipping check")
return ([], [], [])
@@ -286,12 +289,12 @@ def check_cves(d, patched_cves):
vulnerable = vulnerable_start or vulnerable_end
if vulnerable:
- bb.note("%s-%s is vulnerable to %s" % (product, pv, cve))
+ bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve))
cves_unpatched.append(cve)
break
if not vulnerable:
- bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve))
+ bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve))
# TODO: not patched but not vulnerable
patched_cves.add(cve)
--
2.25.1
^ permalink raw reply related [flat|nested] 11+ messages in thread* [PATCH 2/5] python3: add CVE-2007-4559 to whitelist
2020-11-19 10:38 [PATCH 1/5] cve-check: show real PN/PV Ross Burton
@ 2020-11-19 10:38 ` Ross Burton
2020-11-19 15:03 ` [OE-core] " Steve Sakoman
2020-11-19 10:38 ` [PATCH 3/5] sqlite3: add CVE-2015-3717 " Ross Burton
` (2 subsequent siblings)
3 siblings, 1 reply; 11+ messages in thread
From: Ross Burton @ 2020-11-19 10:38 UTC (permalink / raw)
To: openembedded-core
This issue describes expected behaviour, do not use tarfile with
untrusted data.
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
meta/recipes-devtools/python/python3_3.9.0.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-devtools/python/python3_3.9.0.bb b/meta/recipes-devtools/python/python3_3.9.0.bb
index 8fe60ea0160..86077bb1ca8 100644
--- a/meta/recipes-devtools/python/python3_3.9.0.bb
+++ b/meta/recipes-devtools/python/python3_3.9.0.bb
@@ -45,6 +45,8 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"
CVE_PRODUCT = "python"
+# Upstream consider this expected behaviour
+CVE_CHECK_WHITELIST += "CVE-2007-4559"
# This is not exploitable when glibc has CVE-2016-10739 fixed.
CVE_CHECK_WHITELIST += "CVE-2019-18348"
--
2.25.1
^ permalink raw reply related [flat|nested] 11+ messages in thread* Re: [OE-core] [PATCH 2/5] python3: add CVE-2007-4559 to whitelist
2020-11-19 10:38 ` [PATCH 2/5] python3: add CVE-2007-4559 to whitelist Ross Burton
@ 2020-11-19 15:03 ` Steve Sakoman
2020-11-20 11:10 ` Ross Burton
0 siblings, 1 reply; 11+ messages in thread
From: Steve Sakoman @ 2020-11-19 15:03 UTC (permalink / raw)
To: Ross Burton; +Cc: Patches and discussions about the oe-core layer
Is this also suitable for dunfell?
Steve
On Thu, Nov 19, 2020 at 12:38 AM Ross Burton <ross@burtonini.com> wrote:
>
> This issue describes expected behaviour, do not use tarfile with
> untrusted data.
>
> Signed-off-by: Ross Burton <ross.burton@arm.com>
> ---
> meta/recipes-devtools/python/python3_3.9.0.bb | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-devtools/python/python3_3.9.0.bb b/meta/recipes-devtools/python/python3_3.9.0.bb
> index 8fe60ea0160..86077bb1ca8 100644
> --- a/meta/recipes-devtools/python/python3_3.9.0.bb
> +++ b/meta/recipes-devtools/python/python3_3.9.0.bb
> @@ -45,6 +45,8 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"
>
> CVE_PRODUCT = "python"
>
> +# Upstream consider this expected behaviour
> +CVE_CHECK_WHITELIST += "CVE-2007-4559"
> # This is not exploitable when glibc has CVE-2016-10739 fixed.
> CVE_CHECK_WHITELIST += "CVE-2019-18348"
>
> --
> 2.25.1
>
>
>
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [OE-core] [PATCH 2/5] python3: add CVE-2007-4559 to whitelist
2020-11-19 15:03 ` [OE-core] " Steve Sakoman
@ 2020-11-20 11:10 ` Ross Burton
0 siblings, 0 replies; 11+ messages in thread
From: Ross Burton @ 2020-11-20 11:10 UTC (permalink / raw)
To: Steve Sakoman; +Cc: Patches and discussions about the oe-core layer
Yes.
Ross
On Thu, 19 Nov 2020 at 15:03, Steve Sakoman <steve@sakoman.com> wrote:
>
> Is this also suitable for dunfell?
>
> Steve
>
> On Thu, Nov 19, 2020 at 12:38 AM Ross Burton <ross@burtonini.com> wrote:
> >
> > This issue describes expected behaviour, do not use tarfile with
> > untrusted data.
> >
> > Signed-off-by: Ross Burton <ross.burton@arm.com>
> > ---
> > meta/recipes-devtools/python/python3_3.9.0.bb | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/meta/recipes-devtools/python/python3_3.9.0.bb b/meta/recipes-devtools/python/python3_3.9.0.bb
> > index 8fe60ea0160..86077bb1ca8 100644
> > --- a/meta/recipes-devtools/python/python3_3.9.0.bb
> > +++ b/meta/recipes-devtools/python/python3_3.9.0.bb
> > @@ -45,6 +45,8 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"
> >
> > CVE_PRODUCT = "python"
> >
> > +# Upstream consider this expected behaviour
> > +CVE_CHECK_WHITELIST += "CVE-2007-4559"
> > # This is not exploitable when glibc has CVE-2016-10739 fixed.
> > CVE_CHECK_WHITELIST += "CVE-2019-18348"
> >
> > --
> > 2.25.1
> >
> >
> >
> >
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH 3/5] sqlite3: add CVE-2015-3717 to whitelist
2020-11-19 10:38 [PATCH 1/5] cve-check: show real PN/PV Ross Burton
2020-11-19 10:38 ` [PATCH 2/5] python3: add CVE-2007-4559 to whitelist Ross Burton
@ 2020-11-19 10:38 ` Ross Burton
2020-11-19 15:04 ` [OE-core] " Steve Sakoman
2020-11-19 10:38 ` [PATCH 4/5] gstreamer1.0-rtsp-server: set CVE_PRODUCT Ross Burton
2020-11-19 10:38 ` [PATCH 5/5] gstreamer1.0-plugins-base: " Ross Burton
3 siblings, 1 reply; 11+ messages in thread
From: Ross Burton @ 2020-11-19 10:38 UTC (permalink / raw)
To: openembedded-core
As per https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA this issue
is believed to be either iOS specific, or fixed in 3.8.9.
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
meta/recipes-support/sqlite/sqlite3_3.33.0.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-support/sqlite/sqlite3_3.33.0.bb b/meta/recipes-support/sqlite/sqlite3_3.33.0.bb
index 611a1bd923a..33f041a161d 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.33.0.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.33.0.bb
@@ -8,3 +8,5 @@ SRC_URI[sha256sum] = "106a2c48c7f75a298a7557bcc0d5f4f454e5b43811cc738b7ca294d695
# -19242 is only an issue in specific development branch commits
CVE_CHECK_WHITELIST += "CVE-2019-19242"
+# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
+CVE_CHECK_WHITELIST += "CVE-2015-3717"
--
2.25.1
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [OE-core] [PATCH 3/5] sqlite3: add CVE-2015-3717 to whitelist
2020-11-19 10:38 ` [PATCH 3/5] sqlite3: add CVE-2015-3717 " Ross Burton
@ 2020-11-19 15:04 ` Steve Sakoman
2020-11-19 16:41 ` Mikko Rapeli
2020-11-20 11:13 ` Ross Burton
0 siblings, 2 replies; 11+ messages in thread
From: Steve Sakoman @ 2020-11-19 15:04 UTC (permalink / raw)
To: Ross Burton; +Cc: Patches and discussions about the oe-core layer
Is this also suitable for dunfell?
Steve
On Thu, Nov 19, 2020 at 12:38 AM Ross Burton <ross@burtonini.com> wrote:
>
> As per https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA this issue
> is believed to be either iOS specific, or fixed in 3.8.9.
>
> Signed-off-by: Ross Burton <ross.burton@arm.com>
> ---
> meta/recipes-support/sqlite/sqlite3_3.33.0.bb | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-support/sqlite/sqlite3_3.33.0.bb b/meta/recipes-support/sqlite/sqlite3_3.33.0.bb
> index 611a1bd923a..33f041a161d 100644
> --- a/meta/recipes-support/sqlite/sqlite3_3.33.0.bb
> +++ b/meta/recipes-support/sqlite/sqlite3_3.33.0.bb
> @@ -8,3 +8,5 @@ SRC_URI[sha256sum] = "106a2c48c7f75a298a7557bcc0d5f4f454e5b43811cc738b7ca294d695
>
> # -19242 is only an issue in specific development branch commits
> CVE_CHECK_WHITELIST += "CVE-2019-19242"
> +# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
> +CVE_CHECK_WHITELIST += "CVE-2015-3717"
> --
> 2.25.1
>
>
>
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [OE-core] [PATCH 3/5] sqlite3: add CVE-2015-3717 to whitelist
2020-11-19 15:04 ` [OE-core] " Steve Sakoman
@ 2020-11-19 16:41 ` Mikko Rapeli
2020-11-20 11:13 ` Ross Burton
2020-11-20 11:13 ` Ross Burton
1 sibling, 1 reply; 11+ messages in thread
From: Mikko Rapeli @ 2020-11-19 16:41 UTC (permalink / raw)
To: steve; +Cc: ross, openembedded-core
Or is the problem here that sqlite version 3.33 is not listed correctly on
https://nvd.nist.gov/vuln/detail/CVE-2015-3717#match-3021743
as I don't see this reported even for older 3.22 version in by yocto CVE checker?
-Mikko
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [OE-core] [PATCH 3/5] sqlite3: add CVE-2015-3717 to whitelist
2020-11-19 16:41 ` Mikko Rapeli
@ 2020-11-20 11:13 ` Ross Burton
0 siblings, 0 replies; 11+ messages in thread
From: Ross Burton @ 2020-11-20 11:13 UTC (permalink / raw)
To: Mikko.Rapeli; +Cc: Steve Sakoman, OE-core
On Thu, 19 Nov 2020 at 16:41, <Mikko.Rapeli@bmw.de> wrote:
> Or is the problem here that sqlite version 3.33 is not listed correctly on
> https://nvd.nist.gov/vuln/detail/CVE-2015-3717#match-3021743
> as I don't see this reported even for older 3.22 version in by yocto CVE checker?
So there's a bug in the CPE parsing that I have a local patch for,
which meant this and 38 other issues were not reported. I have
reported the findings in that thread to NVD to see if they want to add
a version to the CVE, but considering it's not actually known what the
issue is I suspect they might not want to add it.
In an ideal world Apple would verify that the issue is iOS/macOS
specific, but that's not likely to happen.
Ross
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [OE-core] [PATCH 3/5] sqlite3: add CVE-2015-3717 to whitelist
2020-11-19 15:04 ` [OE-core] " Steve Sakoman
2020-11-19 16:41 ` Mikko Rapeli
@ 2020-11-20 11:13 ` Ross Burton
1 sibling, 0 replies; 11+ messages in thread
From: Ross Burton @ 2020-11-20 11:13 UTC (permalink / raw)
To: Steve Sakoman; +Cc: Patches and discussions about the oe-core layer
Yes, it is.
Ross
On Thu, 19 Nov 2020 at 15:04, Steve Sakoman <steve@sakoman.com> wrote:
>
> Is this also suitable for dunfell?
>
> Steve
>
> On Thu, Nov 19, 2020 at 12:38 AM Ross Burton <ross@burtonini.com> wrote:
> >
> > As per https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA this issue
> > is believed to be either iOS specific, or fixed in 3.8.9.
> >
> > Signed-off-by: Ross Burton <ross.burton@arm.com>
> > ---
> > meta/recipes-support/sqlite/sqlite3_3.33.0.bb | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/meta/recipes-support/sqlite/sqlite3_3.33.0.bb b/meta/recipes-support/sqlite/sqlite3_3.33.0.bb
> > index 611a1bd923a..33f041a161d 100644
> > --- a/meta/recipes-support/sqlite/sqlite3_3.33.0.bb
> > +++ b/meta/recipes-support/sqlite/sqlite3_3.33.0.bb
> > @@ -8,3 +8,5 @@ SRC_URI[sha256sum] = "106a2c48c7f75a298a7557bcc0d5f4f454e5b43811cc738b7ca294d695
> >
> > # -19242 is only an issue in specific development branch commits
> > CVE_CHECK_WHITELIST += "CVE-2019-19242"
> > +# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
> > +CVE_CHECK_WHITELIST += "CVE-2015-3717"
> > --
> > 2.25.1
> >
> >
> >
> >
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH 4/5] gstreamer1.0-rtsp-server: set CVE_PRODUCT
2020-11-19 10:38 [PATCH 1/5] cve-check: show real PN/PV Ross Burton
2020-11-19 10:38 ` [PATCH 2/5] python3: add CVE-2007-4559 to whitelist Ross Burton
2020-11-19 10:38 ` [PATCH 3/5] sqlite3: add CVE-2015-3717 " Ross Burton
@ 2020-11-19 10:38 ` Ross Burton
2020-11-19 10:38 ` [PATCH 5/5] gstreamer1.0-plugins-base: " Ross Burton
3 siblings, 0 replies; 11+ messages in thread
From: Ross Burton @ 2020-11-19 10:38 UTC (permalink / raw)
To: openembedded-core
There are CVEs with the 'gst-rtsp-server' product, so set that.
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
.../gstreamer/gstreamer1.0-rtsp-server_1.18.1.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.18.1.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.18.1.bb
index 2f00de1e56d..30534c97827 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.18.1.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-rtsp-server_1.18.1.bb
@@ -27,3 +27,5 @@ GIR_MESON_DISABLE_FLAG = "disabled"
# Starting with 1.8.0 gst-rtsp-server includes dependency-less plugins as well
require gstreamer1.0-plugins-packaging.inc
+
+CVE_PRODUCT += "gst-rtsp-server"
--
2.25.1
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH 5/5] gstreamer1.0-plugins-base: set CVE_PRODUCT
2020-11-19 10:38 [PATCH 1/5] cve-check: show real PN/PV Ross Burton
` (2 preceding siblings ...)
2020-11-19 10:38 ` [PATCH 4/5] gstreamer1.0-rtsp-server: set CVE_PRODUCT Ross Burton
@ 2020-11-19 10:38 ` Ross Burton
3 siblings, 0 replies; 11+ messages in thread
From: Ross Burton @ 2020-11-19 10:38 UTC (permalink / raw)
To: openembedded-core
There are CVEs with the 'gst-plugins-base' product, so set that.
Signed-off-by: Ross Burton <ross.burton@arm.com>
---
.../gstreamer/gstreamer1.0-plugins-base_1.18.1.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.18.1.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.18.1.bb
index 8e3ff21c905..1b2bd4fe149 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.18.1.bb
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-base_1.18.1.bb
@@ -90,3 +90,5 @@ def get_opengl_cmdline_list(switch_name, options, d):
return '-D' + switch_name + '=' + ','.join(selected_options)
else:
return ''
+
+CVE_PRODUCT += "gst-plugins-base"
--
2.25.1
^ permalink raw reply related [flat|nested] 11+ messages in thread
end of thread, other threads:[~2020-11-20 11:14 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-11-19 10:38 [PATCH 1/5] cve-check: show real PN/PV Ross Burton
2020-11-19 10:38 ` [PATCH 2/5] python3: add CVE-2007-4559 to whitelist Ross Burton
2020-11-19 15:03 ` [OE-core] " Steve Sakoman
2020-11-20 11:10 ` Ross Burton
2020-11-19 10:38 ` [PATCH 3/5] sqlite3: add CVE-2015-3717 " Ross Burton
2020-11-19 15:04 ` [OE-core] " Steve Sakoman
2020-11-19 16:41 ` Mikko Rapeli
2020-11-20 11:13 ` Ross Burton
2020-11-20 11:13 ` Ross Burton
2020-11-19 10:38 ` [PATCH 4/5] gstreamer1.0-rtsp-server: set CVE_PRODUCT Ross Burton
2020-11-19 10:38 ` [PATCH 5/5] gstreamer1.0-plugins-base: " Ross Burton
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.