All of lore.kernel.org
 help / color / mirror / Atom feed
* [poky][dunfell][PATCH] libgcrypt: Whitelisted CVEs
@ 2021-02-02 18:09 saloni
  2021-02-03 14:45 ` [OE-core] " Steve Sakoman
  0 siblings, 1 reply; 3+ messages in thread
From: saloni @ 2021-02-02 18:09 UTC (permalink / raw)
  To: openembedded-core, raj.khem; +Cc: nisha.parrakat, anuj.chougule

Whitelisted below CVEs as their status is disputed
and ignored and not affecting the Ubuntu and Debian
environments. Hence, marked them whitelisted.

1. CVE-2018-12433
Link: https://security-tracker.debian.org/tracker/CVE-2018-12433

2. CVE-2018-12438
Link: https://security-tracker.debian.org/tracker/CVE-2018-12438

Signed-off-by: Saloni Jain <Saloni.Jain@kpit.com>
---
 meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
index 4e0eb0a..ba3666f 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
@@ -29,6 +29,9 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
 SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743"
 SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3"

+# Below whitelisted CVEs are disputed and not affecting Ubuntu and Debian environments.
+CVE_CHECK_WHITELIST += "CVE-2018-12433 CVE-2018-12438"
+
 BINCONFIG = "${bindir}/libgcrypt-config"

 inherit autotools texinfo binconfig-disabled pkgconfig
--
2.7.4

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [OE-core] [poky][dunfell][PATCH] libgcrypt: Whitelisted CVEs
  2021-02-02 18:09 [poky][dunfell][PATCH] libgcrypt: Whitelisted CVEs saloni
@ 2021-02-03 14:45 ` Steve Sakoman
  2021-02-05 14:08   ` saloni
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Sakoman @ 2021-02-03 14:45 UTC (permalink / raw)
  To: saloni
  Cc: Patches and discussions about the oe-core layer, Khem Raj,
	nisha.parrakat, Anuj Chougule

On Tue, Feb 2, 2021 at 8:09 AM saloni <saloni.jain@kpit.com> wrote:
>
> Whitelisted below CVEs as their status is disputed
> and ignored and not affecting the Ubuntu and Debian
> environments. Hence, marked them whitelisted.

I'm not sure why you are referencing Ubuntu and Debian environments.
We care about whether it is affecting the Yocto implementation.

Could you explain your reasoning a bit more?  Are you saying that
Ubuntu and Debian maintainers don't consider these CVE's to be a
serious enough issue to mitigate and thus it is safe for us to do the
same?

Thanks!

Steve

> 1. CVE-2018-12433
> Link: https://security-tracker.debian.org/tracker/CVE-2018-12433
>
> 2. CVE-2018-12438
> Link: https://security-tracker.debian.org/tracker/CVE-2018-12438
>
> Signed-off-by: Saloni Jain <Saloni.Jain@kpit.com>
> ---
>  meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
> index 4e0eb0a..ba3666f 100644
> --- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
> +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
> @@ -29,6 +29,9 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
>  SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743"
>  SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3"
>
> +# Below whitelisted CVEs are disputed and not affecting Ubuntu and Debian environments.
> +CVE_CHECK_WHITELIST += "CVE-2018-12433 CVE-2018-12438"
> +
>  BINCONFIG = "${bindir}/libgcrypt-config"
>
>  inherit autotools texinfo binconfig-disabled pkgconfig
> --
> 2.7.4
>
> This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
>
> 
>

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [OE-core] [poky][dunfell][PATCH] libgcrypt: Whitelisted CVEs
  2021-02-03 14:45 ` [OE-core] " Steve Sakoman
@ 2021-02-05 14:08   ` saloni
  0 siblings, 0 replies; 3+ messages in thread
From: saloni @ 2021-02-05 14:08 UTC (permalink / raw)
  To: Steve Sakoman
  Cc: Patches and discussions about the oe-core layer, Khem Raj,
	Nisha Parrakat, Anuj Chougule

[-- Attachment #1: Type: text/plain, Size: 4310 bytes --]

Hello Steve,

The patches are generic to all Yocto implementations and are not reported for any particular distros.

I have re-sent another patch version mentioning in detail why these CVEs can be safely whitelisted. Please review and let me know for any change.

Thanks & Regards,
Saloni
________________________________
From: Steve Sakoman <sakoman@gmail.com>
Sent: Wednesday, February 3, 2021 8:15 PM
To: Saloni Jain <Saloni.Jain@kpit.com>
Cc: Patches and discussions about the oe-core layer <openembedded-core@lists.openembedded.org>; Khem Raj <raj.khem@gmail.com>; Nisha Parrakat <Nisha.Parrakat@kpit.com>; Anuj Chougule <Anuj.Chougule@kpit.com>
Subject: Re: [OE-core] [poky][dunfell][PATCH] libgcrypt: Whitelisted CVEs

On Tue, Feb 2, 2021 at 8:09 AM saloni <saloni.jain@kpit.com> wrote:
>
> Whitelisted below CVEs as their status is disputed
> and ignored and not affecting the Ubuntu and Debian
> environments. Hence, marked them whitelisted.

I'm not sure why you are referencing Ubuntu and Debian environments.
We care about whether it is affecting the Yocto implementation.

Could you explain your reasoning a bit more?  Are you saying that
Ubuntu and Debian maintainers don't consider these CVE's to be a
serious enough issue to mitigate and thus it is safe for us to do the
same?

Thanks!

Steve

> 1. CVE-2018-12433
> Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity-tracker.debian.org%2Ftracker%2FCVE-2018-12433&amp;data=04%7C01%7Csaloni.jain%40kpit.com%7C552396efe6014cdf8dbb08d8c8526011%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637479603466304421%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=NBbGFes6ahGsJLIXXcmqnQ%2Fi95ziKHMHnGzD%2F%2FPFEBM%3D&amp;reserved=0
>
> 2. CVE-2018-12438
> Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity-tracker.debian.org%2Ftracker%2FCVE-2018-12438&amp;data=04%7C01%7Csaloni.jain%40kpit.com%7C552396efe6014cdf8dbb08d8c8526011%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637479603466304421%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=uBYKEgLQ3vY8%2FH0QuBxS2znVtRPJANKv%2FWF0nOGpkI8%3D&amp;reserved=0
>
> Signed-off-by: Saloni Jain <Saloni.Jain@kpit.com>
> ---
>  meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
> index 4e0eb0a..ba3666f 100644
> --- a/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
> +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.8.5.bb
> @@ -29,6 +29,9 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
>  SRC_URI[md5sum] = "348cc4601ca34307fc6cd6c945467743"
>  SRC_URI[sha256sum] = "3b4a2a94cb637eff5bdebbcaf46f4d95c4f25206f459809339cdada0eb577ac3"
>
> +# Below whitelisted CVEs are disputed and not affecting Ubuntu and Debian environments.
> +CVE_CHECK_WHITELIST += "CVE-2018-12433 CVE-2018-12438"
> +
>  BINCONFIG = "${bindir}/libgcrypt-config"
>
>  inherit autotools texinfo binconfig-disabled pkgconfig
> --
> 2.7.4
>
> This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
>
> 
>
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

[-- Attachment #2: Type: text/html, Size: 6547 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-02-05 14:08 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-02 18:09 [poky][dunfell][PATCH] libgcrypt: Whitelisted CVEs saloni
2021-02-03 14:45 ` [OE-core] " Steve Sakoman
2021-02-05 14:08   ` saloni

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.