authorRichard Purdie <richard.purdie@linuxfoundation.org>2022-06-30 13:30:12 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2022-06-30 16:34:36 +0100
commitb10ba003c828856bd7778e73a9b8d9600891cae2 (patch)
tree1c3cddb896ef7ecd5c71f686a588539bf5dbaa2c
parent4678581ea054b1eef305ff5bc4bd40d8b74374ca (diff)
downloadpoky-b10ba003c828856bd7778e73a9b8d9600891cae2.tar.gz
cve-extra-exclusions: Clean up and ignore three CVEs (2xqemu and nasm)
Remove obsolete comments/data from the file. Add in three CVEs to ignore. Two are qemu CVEs which upstream aren't particularly interested in and aren't serious issues. Also ignore the nasm CVE found from fuzzing as this isn't an issue we'd expose from OE. (From OE-Core rev: 68291026aab2fa6ee1260ca95198dd1d568521e5) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/conf/distro/include/cve-extra-exclusions.inc30
1 files changed, 15 insertions, 15 deletions
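--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -90,24 +90,24 @@ CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE
  CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
  CVE-2022-29582 CVE-2022-29968"
 
-#### CPE update pending ####
-
-# groff:groff-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0803
-# Appears it was fixed in https://git.savannah.gnu.org/cgit/groff.git/commit/?id=07f95f1674217275ed4612f1dcaa95a88435c6a7
-# so from 1.17 onwards. Reported to the database for update by RP 2021/5/9. Update accepted 2021/5/10.
-#CVE_CHECK_IGNORE += "CVE-2000-0803"
-
-
-
-#### Upstream still working on ####
 
 # qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255
 # There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
-# however qemu maintainers are sure the patch is incorrect and should not be applied.
-
-# wget https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31879
-# https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html
-# No response upstream as of 2021/5/12
+# qemu maintainers say the patch is incorrect and should not be applied
+# Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable
+CVE_CHECK_IGNORE += "CVE-2021-20255"
+
+# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067
+# There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can
+# still be reproduced or where exactly any bug is.
+# Ignore from OE's perspective as we'll pick up any fix when upstream accepts one.
+CVE_CHECK_IGNORE += "CVE-2019-12067"
+
+# nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974
+# It is a fuzzing related buffer overflow. It is of low impact since most devices
+# wouldn't expose an assembler. The upstream is inactive and there is little to be
+# done about the bug, ignore from an OE perspective.
+CVE_CHECK_IGNORE += "CVE-2020-18974"
 
 
 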
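Review bot: The three new exclusion blocks (new lines 96–110) carry no date or re-check trigger, unlike the entries this hunk removes (`# No response upstream as of 2021/5/12`, `Reported ... 2021/5/9`), so nothing in the file says when an ignore of a still-open upstream bug should be revisited. Because this include appends to CVE_CHECK_IGNORE for the whole distro rather than a single recipe, a stale entry keeps suppressing the finding silently after upstream eventually ships a fix; I would add a dated line to each block, e.g. `# Ignored 2022/06/30; revisit once upstream merges a fix` (constructed example using the commit date). On new line 97, `perspectivee` should read `perspective`. The wget CVE-2021-31879 note is dropped without a replacement ignore or a word on its disposition; if it was closed by a recipe update that is worth stating in the comment, otherwise the entry appears lost rather than obsolete.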