RE: Clarifying CVEs for NVD (Was: Re: [OE-core] [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs)

["Marko, Peter" <Peter.Marko@siemens.com>]

Hi,

> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Marta Rybczynska via lists.openembedded.org
> Sent: Tuesday, June 6, 2023 7:34
> To: Geoffrey GIRY mailto:geoffrey.giry@smile.fr; Richard Purdie mailto:richard.purdie@linuxfoundation.org
> Cc: OE-core mailto:openembedded-core@lists.openembedded.org; Yoann Congal <yoann.congal@smile.fr>
> Subject: Clarifying CVEs for NVD (Was: Re: [OE-core] [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs)
>
> Hello all,
> I'm in process of clarifying entries for NVD to have them fixed in the sources. The comments in the patch linked do not include all the needed information, however.
>
> Let's take this one:
>
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-1462
> +# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
> +# Patched in kernel since v5.19 a501ab75e7624d133a5a3c7ec010687c8b961d23
> +# Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132
> +# Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c
> +# Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
> +CVE_CHECK_IGNORE += "CVE-2022-1462"
>
> We need to write a set of rules on which versions are vulnerable, like this:
> [v2.6.12 - v5.4.208]
> [v5.5.0 ??? -  v5.10.134]
> [v5.11.0 ??? - v5.15.58]
> [v5.16.0 ??? - v5.19.0]

New kernel branches start with tag vX.Y-rc1, so it should be v5.5-rc1, v5.11-rc1, v5.16.0-rc1.
In NVD DB 1.1 format: 5.5_rc1, 5.1_rc1, 5.16_rc1, ...

>
> The values with ??? are uncertain. Geoffrey, Yann, as it was scripted out according to one of the discussions, are you able to confirm those "starting" versions ?
>
> Kind regards,
> Marta