diff options
author | Geoffrey GIRY <geoffrey.giry@smile.fr> | 2023-04-05 12:34:54 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-04-05 17:26:11 +0100 |
commit | b8bfd3b01b660d0536a272fafa0157aac2aaab0b (patch) | |
tree | 7a4516ff900d89fbb0f6bc974595e0271623f7d4 | |
parent | 0e5bdb623b0f3ca4d71eba56b54915905acbc7d9 (diff) | |
download | poky-b8bfd3b01b660d0536a272fafa0157aac2aaab0b.tar.gz |
cve-extra-exclusions: ignore inapplicable linux-yocto CVEs
Multiple CVEs are patched in kernel but appear as active because the NVD
database is not up to date.
In common file cve-extra-exclusion.inc, CVEs are ignored if and only if
all versions of kernel used are patched.
In cve-exclusion_6.1.inc, only ignore CVEs that are patched in v6.1,
and not patched in v5.15.
Recipes of version 6.1 should include this file.
Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
(From OE-Core rev: 5feb065f1b1aaf218f71cc9d31a9251b139b9442)
Signed-off-by: Geoffrey GIRY <geoffrey.giry@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/conf/distro/include/cve-extra-exclusions.inc | 53 | ||||
-rw-r--r-- | meta/recipes-kernel/linux/cve-exclusion_6.1.inc | 15 | ||||
-rw-r--r-- | meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb | 3 | ||||
-rw-r--r-- | meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb | 3 | ||||
-rw-r--r-- | meta/recipes-kernel/linux/linux-yocto_6.1.bb | 3 |
5 files changed, 74 insertions, 3 deletions
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc index 71e9714c6d..76992c5b46 100644 --- a/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/meta/conf/distro/include/cve-extra-exclusions.inc | |||
@@ -136,6 +136,16 @@ CVE_CHECK_IGNORE += "CVE-2022-1184" | |||
136 | # Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29 | 136 | # Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29 |
137 | CVE_CHECK_IGNORE += "CVE-2022-1462" | 137 | CVE_CHECK_IGNORE += "CVE-2022-1462" |
138 | 138 | ||
139 | # https://nvd.nist.gov/vuln/detail/CVE-2022-2196 | ||
140 | # Introduced in version v5.8 5c911beff20aa8639e7a1f28988736c13e03ed54 | ||
141 | # Breaking commit backported in v5.4.47 64b8f33b2e1e687d465b5cb382e7bec495f1e026 | ||
142 | # Patched in kernel since v6.2 2e7eab81425ad6c875f2ed47c0ce01e78afc38a5 | ||
143 | # Backported in version v5.4.233 f93a1a5bdcdd122aae0a3eab7a52c15b71fb725b | ||
144 | # Backported in version v5.10.170 1b0cafaae8884726c597caded50af185ffc13349 | ||
145 | # Backported in version v5.15.96 6b539a7dbb49250f92515c2ba60aea239efc9e35 | ||
146 | # Backported in version v6.1.14 63fada296062e91ad9f871970d4e7f19e21a6a15 | ||
147 | CVE_CHECK_IGNORE += "CVE-2022-2196" | ||
148 | |||
139 | # https://nvd.nist.gov/vuln/detail/CVE-2022-2308 | 149 | # https://nvd.nist.gov/vuln/detail/CVE-2022-2308 |
140 | # Introduced in version v5.15 c8a6153b6c59d95c0e091f053f6f180952ade91e | 150 | # Introduced in version v5.15 c8a6153b6c59d95c0e091f053f6f180952ade91e |
141 | # Patched in kernel since v6.0 46f8a29272e51b6df7393d58fc5cb8967397ef2b | 151 | # Patched in kernel since v6.0 46f8a29272e51b6df7393d58fc5cb8967397ef2b |
@@ -169,6 +179,15 @@ CVE_CHECK_IGNORE += "CVE-2022-2785" | |||
169 | # Backported in version v5.15.65 e9d7ca0c4640cbebe6840ee3bac66a25a9bacaf5 | 179 | # Backported in version v5.15.65 e9d7ca0c4640cbebe6840ee3bac66a25a9bacaf5 |
170 | CVE_CHECK_IGNORE += "CVE-2022-3176" | 180 | CVE_CHECK_IGNORE += "CVE-2022-3176" |
171 | 181 | ||
182 | # https://nvd.nist.gov/vuln/detail/CVE-2022-3424 | ||
183 | # Introduced in version v2.6.33 55484c45dbeca2eec7642932ec3f60f8a2d4bdbf | ||
184 | # Patched in kernel since v6.2 643a16a0eb1d6ac23744bb6e90a00fc21148a9dc | ||
185 | # Backported in version v5.4.229 0078dd8758561540ed30b2c5daa1cb647e758977 | ||
186 | # Backported in version v5.10.163 0f67ed565f20ea2fdd98e3b0b0169d9e580bb83c | ||
187 | # Backported in version v5.15.86 d5c8f9003a289ee2a9b564d109e021fc4d05d106 | ||
188 | # Backported in version v6.1.2 4e947fc71bec7c7da791f8562d5da233b235ba5e | ||
189 | CVE_CHECK_IGNORE += "CVE-2022-3424" | ||
190 | |||
172 | # https://nvd.nist.gov/vuln/detail/CVE-2022-3435 | 191 | # https://nvd.nist.gov/vuln/detail/CVE-2022-3435 |
173 | # Introduced in version v5.18 6bf92d70e690b7ff12b24f4bfff5e5434d019b82 | 192 | # Introduced in version v5.18 6bf92d70e690b7ff12b24f4bfff5e5434d019b82 |
174 | # Breaking commit backported in v5.4.189 f5064531c23ad646da7be8b938292b00a7e61438 | 193 | # Breaking commit backported in v5.4.189 f5064531c23ad646da7be8b938292b00a7e61438 |
@@ -382,10 +401,12 @@ CVE_CHECK_IGNORE += "CVE-2023-0266" | |||
382 | CVE_CHECK_IGNORE += "CVE-2023-0394" | 401 | CVE_CHECK_IGNORE += "CVE-2023-0394" |
383 | 402 | ||
384 | # https://nvd.nist.gov/vuln/detail/CVE-2023-0461 | 403 | # https://nvd.nist.gov/vuln/detail/CVE-2023-0461 |
385 | # Introduced in version 4.13 734942cc4ea6478eed125af258da1bdbb4afe578 | 404 | # Introduced in version v4.13 734942cc4ea6478eed125af258da1bdbb4afe578 |
386 | # Patched in kernel v6.2 2c02d41d71f90a5168391b6a5f2954112ba2307c | 405 | # Patched in kernel since v6.2 2c02d41d71f90a5168391b6a5f2954112ba2307c |
387 | # Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c | 406 | # Backported in version v5.4.229 c6d29a5ffdbc362314853462a0e24e63330a654d |
407 | # Backported in version v5.10.163 f8ed0a93b5d576bbaf01639ad816473bdfd1dcb0 | ||
388 | # Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6 | 408 | # Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6 |
409 | # Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c | ||
389 | CVE_CHECK_IGNORE += "CVE-2023-0461" | 410 | CVE_CHECK_IGNORE += "CVE-2023-0461" |
390 | 411 | ||
391 | # https://nvd.nist.gov/vuln/detail/CVE-2023-0386 | 412 | # https://nvd.nist.gov/vuln/detail/CVE-2023-0386 |
@@ -421,6 +442,32 @@ CVE_CHECK_IGNORE += "CVE-2023-1077" | |||
421 | # Backported in version 6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3 | 442 | # Backported in version 6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3 |
422 | CVE_CHECK_IGNORE += "CVE-2023-1078" | 443 | CVE_CHECK_IGNORE += "CVE-2023-1078" |
423 | 444 | ||
445 | # https://nvd.nist.gov/vuln/detail/CVE-2023-1118 | ||
446 | # Introduced in version v2.6.36 9ea53b74df9c4681f5bb2da6b2e10e37d87ea6d6 | ||
447 | # Patched in kernel since v6.3-rc1 29b0589a865b6f66d141d79b2dd1373e4e50fe17 | ||
448 | # Backported in version v5.4.235 d120334278b370b6a1623a75ebe53b0c76cb247c | ||
449 | # Backported in version v5.10.173 78da5a378bdacd5bf68c3a6389bdc1dd0c0f5b3c | ||
450 | # Backported in version v5.15.99 29962c478e8b2e6a6154d8d84b8806dbe36f9c28 | ||
451 | # Backported in version v6.1.16 029c1410e345ce579db5c007276340d072aac54a | ||
452 | # Backported in version v6.2.3 182ea492aae5b64067277e60a4ea5995c4628555 | ||
453 | CVE_CHECK_IGNORE += "CVE-2023-1118" | ||
454 | |||
455 | # https://nvd.nist.gov/vuln/detail/CVE-2023-1281 | ||
456 | # Introduced in version v4.14 9b0d4446b56904b59ae3809913b0ac760fa941a6 | ||
457 | # Patched in kernel since v6.2 ee059170b1f7e94e55fa6cadee544e176a6e59c2 | ||
458 | # Backported in version v5.10.169 eb8e9d8572d1d9df17272783ad8a84843ce559d4 | ||
459 | # Backported in version v5.15.95 becf55394f6acb60dd60634a1c797e73c747f9da | ||
460 | # Backported in version v6.1.13 bd662ba56187b5ef8a62a3511371cd38299a507f | ||
461 | CVE_CHECK_IGNORE += "CVE-2023-1281" | ||
462 | |||
463 | # https://nvd.nist.gov/vuln/detail/CVE-2023-28466 | ||
464 | # Introduced in version v4.13 3c4d7559159bfe1e3b94df3a657b2cda3a34e218 | ||
465 | # Patched in kernel since v6.3-rc2 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962 | ||
466 | # Backported in version v5.15.105 0b54d75aa43a1edebc8a3770901f5c3557ee0daa | ||
467 | # Backported in version v6.1.20 14c17c673e1bba08032d245d5fb025d1cbfee123 | ||
468 | # Backported in version v6.2.7 5231fa057bb0e52095591b303cf95ebd17bc62ce | ||
469 | CVE_CHECK_IGNORE += "CVE-2023-28466" | ||
470 | |||
424 | # Wrong CPE in NVD database | 471 | # Wrong CPE in NVD database |
425 | # https://nvd.nist.gov/vuln/detail/CVE-2022-3563 | 472 | # https://nvd.nist.gov/vuln/detail/CVE-2022-3563 |
426 | # https://nvd.nist.gov/vuln/detail/CVE-2022-3637 | 473 | # https://nvd.nist.gov/vuln/detail/CVE-2022-3637 |
diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc new file mode 100644 index 0000000000..ec7ff9c1a7 --- /dev/null +++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc | |||
@@ -0,0 +1,15 @@ | |||
1 | # https://nvd.nist.gov/vuln/detail/CVE-2022-3523 | ||
2 | # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 | ||
3 | # Patched in kernel since v6.1 16ce101db85db694a91380aa4c89b25530871d33 | ||
4 | CVE_CHECK_IGNORE += "CVE-2022-3523" | ||
5 | |||
6 | # https://nvd.nist.gov/vuln/detail/CVE-2022-3566 | ||
7 | # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 | ||
8 | # Patched in kernel since v6.1 f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57 | ||
9 | CVE_CHECK_IGNORE += "CVE-2022-3566" | ||
10 | |||
11 | # https://nvd.nist.gov/vuln/detail/CVE-2022-3567 | ||
12 | # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 | ||
13 | # Patched in kernel since v6.1 364f997b5cfe1db0d63a390fe7c801fa2b3115f6 | ||
14 | CVE_CHECK_IGNORE += "CVE-2022-3567" | ||
15 | |||
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb index 5f79bc617b..2cf1b048c9 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb | |||
@@ -2,6 +2,9 @@ KBRANCH ?= "v6.1/standard/preempt-rt/base" | |||
2 | 2 | ||
3 | require recipes-kernel/linux/linux-yocto.inc | 3 | require recipes-kernel/linux/linux-yocto.inc |
4 | 4 | ||
5 | # CVE exclusions | ||
6 | include recipes-kernel/linux/cve-exclusion_6.1.inc | ||
7 | |||
5 | # Skip processing of this recipe if it is not explicitly specified as the | 8 | # Skip processing of this recipe if it is not explicitly specified as the |
6 | # PREFERRED_PROVIDER for virtual/kernel. This avoids errors when trying | 9 | # PREFERRED_PROVIDER for virtual/kernel. This avoids errors when trying |
7 | # to build multiple virtual/kernel providers, e.g. as dependency of | 10 | # to build multiple virtual/kernel providers, e.g. as dependency of |
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb index 58357d00c7..ff3bcad5db 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb | |||
@@ -5,6 +5,9 @@ KCONFIG_MODE = "--allnoconfig" | |||
5 | 5 | ||
6 | require recipes-kernel/linux/linux-yocto.inc | 6 | require recipes-kernel/linux/linux-yocto.inc |
7 | 7 | ||
8 | # CVE exclusions | ||
9 | include recipes-kernel/linux/cve-exclusion_6.1.inc | ||
10 | |||
8 | LINUX_VERSION ?= "6.1.20" | 11 | LINUX_VERSION ?= "6.1.20" |
9 | LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" | 12 | LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46" |
10 | 13 | ||
diff --git a/meta/recipes-kernel/linux/linux-yocto_6.1.bb b/meta/recipes-kernel/linux/linux-yocto_6.1.bb index 6f33032c00..033bc10e55 100644 --- a/meta/recipes-kernel/linux/linux-yocto_6.1.bb +++ b/meta/recipes-kernel/linux/linux-yocto_6.1.bb | |||
@@ -2,6 +2,9 @@ KBRANCH ?= "v6.1/standard/base" | |||
2 | 2 | ||
3 | require recipes-kernel/linux/linux-yocto.inc | 3 | require recipes-kernel/linux/linux-yocto.inc |
4 | 4 | ||
5 | # CVE exclusions | ||
6 | include recipes-kernel/linux/cve-exclusion_6.1.inc | ||
7 | |||
5 | # board specific branches | 8 | # board specific branches |
6 | KBRANCH:qemuarm ?= "v6.1/standard/arm-versatile-926ejs" | 9 | KBRANCH:qemuarm ?= "v6.1/standard/arm-versatile-926ejs" |
7 | KBRANCH:qemuarm64 ?= "v6.1/standard/qemuarm64" | 10 | KBRANCH:qemuarm64 ?= "v6.1/standard/qemuarm64" |