* [OE-core][PATCH] sqlite3: Whitelist CVE-2022-21227
@ 2023-05-28  5:52 Sanjay Chitroda
  2023-05-29  7:21 ` Martin Jansa
  0 siblings, 1 reply; 6+ messages in thread
From: Sanjay Chitroda @ 2023-05-28  5:52 UTC (permalink / raw)
  To: openembedded-core, schitrod

This CVE is applicable to "SQLite3 bindings for Node.js" only.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-21227

Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
---
 meta/recipes-support/sqlite/sqlite3_3.41.2.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
index b09e8e7f55..11bc8bb4c0 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
@@ -12,3 +12,6 @@ CVE_CHECK_IGNORE += "CVE-2019-19242"
 CVE_CHECK_IGNORE += "CVE-2015-3717"
 # Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f
 CVE_CHECK_IGNORE += "CVE-2021-36690"
+# As per https://nvd.nist.gov/vuln/detail/CVE-2022-21227
+# this bug is applicable to SQLite3 Node.js
+CVE_CHECK_IGNORE += "CVE-2022-21227"
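Review bot: the comment justifying `CVE_CHECK_IGNORE += "CVE-2022-21227"` should record why the match is a false positive rather than restating the NVD link: the entry is filed under the CPE product ghost:sqlite3 (the Node.js sqlite3 bindings), not sqlite:sqlite, so this is a CVE_PRODUCT name collision and not an SQLite engine bug that was assessed and found harmless. Wording it like the CVE-2021-36690 comment above, e.g. `# Not applicable: NVD CPE is ghost:sqlite3 (Node.js bindings), not sqlite:sqlite`, makes that auditable. Since every future ghost:sqlite3 CVE will need the same per-CVE ignore, the more durable fix is to constrain the recipe's CVE_PRODUCT to the sqlite vendor/product so the bindings' CVEs never match in the first place, which is the conclusion the rest of this thread reaches.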
-- 
2.35.6




* Re: [OE-core][PATCH] sqlite3: Whitelist CVE-2022-21227
  2023-05-28  5:52 [OE-core][PATCH] sqlite3: Whitelist CVE-2022-21227 Sanjay Chitroda
@ 2023-05-29  7:21 ` Martin Jansa
  2023-05-29  8:39   ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
  0 siblings, 1 reply; 6+ messages in thread
From: Martin Jansa @ 2023-05-29  7:21 UTC (permalink / raw)
  To: schitrod; +Cc: openembedded-core


The patch author seems a bit mangled by ML, see:
author schitrod=cisco.com@lists.openembedded.org <schitrod=
cisco.com@lists.openembedded.org> 2023-05-27 22:52:52 -0700
https://git.openembedded.org/openembedded-core/commit/?h=master-next&id=5f15caa526bb57070b9abb9ba2f488ee1bfb5372

Is it correct?

On Sun, May 28, 2023 at 7:53 AM Sanjaykumar kantibhai Chitroda -X (schitrod
- E-INFO CHIPS INC at Cisco) via lists.openembedded.org <schitrod=
cisco.com@lists.openembedded.org> wrote:

> This CVE is applicable to "SQLite3 bindings for Node.js" only.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2022-21227
>
> Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
> ---
>  meta/recipes-support/sqlite/sqlite3_3.41.2.bb | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
> b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
> index b09e8e7f55..11bc8bb4c0 100644
> --- a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
> +++ b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
> @@ -12,3 +12,6 @@ CVE_CHECK_IGNORE += "CVE-2019-19242"
>  CVE_CHECK_IGNORE += "CVE-2015-3717"
>  # Issue in an experimental extension we don't have/use. Fixed by
> https://sqlite.org/src/info/b1e0c22ec981cf5f
>  CVE_CHECK_IGNORE += "CVE-2021-36690"
> +# As per https://nvd.nist.gov/vuln/detail/CVE-2022-21227
> +# this bug is applicable to SQLite3 Node.js
> +CVE_CHECK_IGNORE += "CVE-2022-21227"
> --
> 2.35.6
>



* RE: [OE-core][PATCH] sqlite3: Whitelist CVE-2022-21227
  2023-05-29  7:21 ` Martin Jansa
@ 2023-05-29  8:39   ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
  2023-05-29  9:41     ` Richard Purdie
  0 siblings, 1 reply; 6+ messages in thread
From: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) @ 2023-05-29  8:39 UTC (permalink / raw)
  To: Martin Jansa, richard.purdie; +Cc: openembedded-core


Hi,

I have proposed a second commit, Revert "sqlite3: update CVE_PRODUCT" (Patchwork: https://patchwork.yoctoproject.org/project/oe-core/patch/20230528064732.3890226-1-schitrod@cisco.com/).

Once the above commit is added to master, we don't need to add this commit,
as CVE-2022-21227 is detected only because of the above commit.

Thanks,
Sanjay


From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Martin Jansa
Sent: Monday, May 29, 2023 12:52 PM
To: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) <schitrod@cisco.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH] sqlite3: Whitelist CVE-2022-21227

The patch author seems a bit mangled by ML, see:
author schitrod=cisco.com@lists.openembedded.org <schitrod=cisco.com@lists.openembedded.org> 2023-05-27 22:52:52 -0700
https://git.openembedded.org/openembedded-core/commit/?h=master-next&id=5f15caa526bb57070b9abb9ba2f488ee1bfb5372

Is it correct?

On Sun, May 28, 2023 at 7:53 AM Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) via lists.openembedded.org <schitrod=cisco.com@lists.openembedded.org> wrote:
This CVE is applicable to "SQLite3 bindings for Node.js" only.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-21227

Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
---
 meta/recipes-support/sqlite/sqlite3_3.41.2.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
index b09e8e7f55..11bc8bb4c0 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
@@ -12,3 +12,6 @@ CVE_CHECK_IGNORE += "CVE-2019-19242"
 CVE_CHECK_IGNORE += "CVE-2015-3717"
 # Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f
 CVE_CHECK_IGNORE += "CVE-2021-36690"
+# As per https://nvd.nist.gov/vuln/detail/CVE-2022-21227
+# this bug is applicable to SQLite3 Node.js
+CVE_CHECK_IGNORE += "CVE-2022-21227"
--
2.35.6






* Re: [OE-core][PATCH] sqlite3: Whitelist CVE-2022-21227
  2023-05-29  8:39   ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
@ 2023-05-29  9:41     ` Richard Purdie
  2023-05-29  9:56       ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
       [not found]       ` <176394B80BEA3A08.6918@lists.openembedded.org>
  0 siblings, 2 replies; 6+ messages in thread
From: Richard Purdie @ 2023-05-29  9:41 UTC (permalink / raw)
  To: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco), Martin Jansa
  Cc: openembedded-core, Marta Rybczynska

On Mon, 2023-05-29 at 08:39 +0000, Sanjaykumar kantibhai Chitroda -X
(schitrod - E-INFO CHIPS INC at Cisco) wrote:
> Hi,
>  
> I have proposed second commit to revert Revert "sqlite3: update
> CVE_PRODUCT" - Patchwork (yoctoproject.org).
>  
> Once above commit is added on master then we don’t require to add
> this commit.
> As CVE-2022-21227 is detected due to above commit only.

My worry is that we keep going around in circles on this. Are we sure
the CVE database won't list things that are applicable under sqlite3?

Cheers,

Richard



* RE: [OE-core][PATCH] sqlite3: Whitelist CVE-2022-21227
  2023-05-29  9:41     ` Richard Purdie
@ 2023-05-29  9:56       ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
       [not found]       ` <176394B80BEA3A08.6918@lists.openembedded.org>
  1 sibling, 0 replies; 6+ messages in thread
From: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) @ 2023-05-29  9:56 UTC (permalink / raw)
  To: Richard Purdie, Martin Jansa; +Cc: openembedded-core, Marta Rybczynska

Hi Richard,

Please find below information specific to SQLite3.

NVD has CVEs reported for sqlite against two different products:
1. sqlite:sqlite
   - Ref: https://nvd.nist.gov/vuln/detail/CVE-2020-13435
   - This product is applicable to our sqlite3 SDK source.
2. ghost:sqlite3
   - Ref: https://nvd.nist.gov/vuln/detail/CVE-2022-21227
   - This product is applicable to Node.js SQLite, which is not applicable to our SDK.

Conclusion:
- To report CVEs for the SQLite3 source available in the SDK, CVE_PRODUCT needs to be sqlite.
- We don't need to report CVEs where CVE_PRODUCT is sqlite3.
- In the Yocto SDK, the sqlite3 recipe should have: CVE_PRODUCT = "sqlite"

Thanks,
Sanjay

-----Original Message-----
From: Richard Purdie <richard.purdie@linuxfoundation.org> 
Sent: Monday, May 29, 2023 3:11 PM
To: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) <schitrod@cisco.com>; Martin Jansa <Martin.Jansa@gmail.com>
Cc: openembedded-core@lists.openembedded.org; Marta Rybczynska <rybczynska@gmail.com>
Subject: Re: [OE-core][PATCH] sqlite3: Whitelist CVE-2022-21227

On Mon, 2023-05-29 at 08:39 +0000, Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) wrote:
> Hi,
>  
> I have proposed second commit to revert Revert "sqlite3: update 
> CVE_PRODUCT" - Patchwork (yoctoproject.org).
>  
> Once above commit is added on master then we don’t require to add this 
> commit.
> As CVE-2022-21227 is detected due to above commit only.

My worry is that we keep going around in circles on this. Are we sure the CVE database won't list things that are applicable under sqlite3?

Cheers,

Richard

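The matching rule Sanjay lays out above, as an added example that is not OE-core code: a small Python model of how a recipe's CVE_PRODUCT value is matched against NVD CPE vendor/product pairs, and why "sqlite3" pulls in the Node.js bindings' CVE while "sqlite" (or the explicit "sqlite:sqlite") does not. The two NVD records are constructed from the CVEs cited in this thread; the optional `vendor:` prefix mirrors the `vendor:product` form cve-check accepts in CVE_PRODUCT (an assumption about the class, not something shown in this thread), and `vendors_for_product` is a hypothetical audit helper for Richard's question about whether anything relevant is filed under the bare name sqlite3.

```python
"""Model of CVE_PRODUCT matching against NVD CPE vendor/product pairs.

Added example; not OE-core's cve-check code. The NVD records are
constructed from the two CVEs cited in the thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CpeRecord:
    cve: str
    vendor: str
    product: str
    summary: str


# Constructed sample: the vendor/product pairs named in the thread.
NVD_SAMPLE = [
    CpeRecord("CVE-2020-13435", "sqlite", "sqlite",
              "SQLite engine issue; applies to the C library."),
    CpeRecord("CVE-2022-21227", "ghost", "sqlite3",
              "Node.js sqlite3 bindings issue; not the C library."),
]


def parse_cve_product(cve_product):
    """Split a CVE_PRODUCT value into (vendor, product) pairs.

    Assumption: entries are whitespace-separated and may carry an
    optional 'vendor:' prefix such as 'sqlite:sqlite'; a bare product
    name matches that product under any vendor.
    """
    pairs = []
    for entry in cve_product.split():
        if ":" in entry:
            vendor, product = entry.split(":", 1)
        else:
            vendor, product = "*", entry
        pairs.append((vendor, product))
    return pairs


def matching_cves(cve_product, records=NVD_SAMPLE, ignore=()):
    """CVE ids a recipe with this CVE_PRODUCT would be flagged for,
    minus anything listed in CVE_CHECK_IGNORE."""
    pairs = parse_cve_product(cve_product)
    hits = set()
    for rec in records:
        for vendor, product in pairs:
            if product == rec.product and vendor in ("*", rec.vendor):
                hits.add(rec.cve)
    return sorted(hits - set(ignore))


def vendors_for_product(product, records=NVD_SAMPLE):
    """Hypothetical audit helper: which vendors file CVEs under this
    product name? More than one vendor means a bare name is ambiguous
    and the recipe should pin 'vendor:product' instead."""
    return sorted({r.vendor for r in records if r.product == product})


if __name__ == "__main__":
    # Recipe name used as product: only the Node.js bindings' CVE matches.
    print(matching_cves("sqlite3"))                              # ['CVE-2022-21227']
    # Per-CVE ignore, as in the posted patch: nothing left, but the
    # engine CVE was never matched in the first place.
    print(matching_cves("sqlite3", ignore=["CVE-2022-21227"]))   # []
    # CVE_PRODUCT = "sqlite": the C library's CVE, and only that.
    print(matching_cves("sqlite"))                               # ['CVE-2020-13435']
    # Explicit vendor survives another vendor reusing the name.
    print(matching_cves("sqlite:sqlite"))                        # ['CVE-2020-13435']
    # Both names: everything matches, and the ignore list grows.
    print(matching_cves("sqlite sqlite3"))  # ['CVE-2020-13435', 'CVE-2022-21227']
    print(vendors_for_product("sqlite3"))                        # ['ghost']
```

The point the model makes is the one Richard's question turns on: ignoring CVE-2022-21227 by hand hides one symptom, whereas choosing the CVE_PRODUCT value decides the whole set of CPE entries the recipe is compared against, in both directions.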

* RE: [OE-core][PATCH] sqlite3: Whitelist CVE-2022-21227
       [not found]       ` <176394B80BEA3A08.6918@lists.openembedded.org>
@ 2023-05-29 10:04         ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
  0 siblings, 0 replies; 6+ messages in thread
From: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) @ 2023-05-29 10:04 UTC (permalink / raw)
  To: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco), Richard Purdie, Martin Jansa
  Cc: openembedded-core, Marta Rybczynska

Hi Richard,

Please find below information specific to SQLite3.

NVD has CVEs reported for sqlite against two different products:
1. sqlite:sqlite
   - Ref: https://nvd.nist.gov/vuln/detail/CVE-2020-13435
   - This product is applicable to our sqlite3 SDK source.

2. ghost:sqlite3
   - Ref: https://nvd.nist.gov/vuln/detail/CVE-2022-21227
   - This product is applicable to Node.js SQLite, which is not applicable to our SDK.

Conclusion:
- To report CVEs for the SQLite3 source available in the SDK, CVE_PRODUCT needs to be sqlite.
- We don't need to report CVEs where CVE_PRODUCT is sqlite3.
- In the Yocto SDK, the sqlite3 recipe should have: CVE_PRODUCT = "sqlite"

Thanks,
Sanjay
-----Original Message-----
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Sent: Monday, May 29, 2023 3:11 PM
To: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) <schitrod@cisco.com>; Martin Jansa <Martin.Jansa@gmail.com>
Cc: openembedded-core@lists.openembedded.org; Marta Rybczynska <rybczynska@gmail.com>
Subject: Re: [OE-core][PATCH] sqlite3: Whitelist CVE-2022-21227

On Mon, 2023-05-29 at 08:39 +0000, Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) wrote:
> Hi,
>  
> I have proposed second commit to revert Revert "sqlite3: update 
> CVE_PRODUCT" - Patchwork (yoctoproject.org).
>  
> Once above commit is added on master then we don’t require to add this 
> commit.
> As CVE-2022-21227 is detected due to above commit only.

My worry is that we keep going around in circles on this. Are we sure the CVE database won't list things that are applicable under sqlite3?

Cheers,

Richard

