author | Marta Rybczynska <rybczynska@gmail.com> | 2023-11-01 07:26:14 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-11-06 22:52:27 +0000 |
commit | 1081a2617afc34d0d864125109517b04de20e200 (patch) | |
tree | 23b3f12727c20d6ee6e7359ecc720cc3f41bbff3 /documentation/dev-manual | |
parent | 7d6a77ce379a9ec19170045a39c4451b39615fb3 (diff) | |
download | poky-1081a2617afc34d0d864125109517b04de20e200.tar.gz |
dev-manual: extend the description of CVE patch preparation
Extend the description on how to prepare a patch for a CVE issue.
Add a more illustrative and current example of how to modify
the patch file. Add an example of how to use CVE_STATUS.
(From yocto-docs rev: f982f6be6b52ba0915b2e6f712270dec5dde64fc)
Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'documentation/dev-manual')
-rw-r--r-- | documentation/dev-manual/vulnerabilities.rst | 111 |
1 files changed, 91 insertions, 20 deletions
diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst index c492b62ffd..1bc2a85929 100644 --- a/documentation/dev-manual/vulnerabilities.rst +++ b/documentation/dev-manual/vulnerabilities.rst | |||
@@ -129,31 +129,97 @@ NVD about CVE entries can be provided through the `NVD contact form <https://nvd | |||
129 | Fixing vulnerabilities in recipes | 129 | Fixing vulnerabilities in recipes |
130 | ================================= | 130 | ================================= |
131 | 131 | ||
132 | If a CVE security issue impacts a software component, it can be fixed by updating to a newer | 132 | Suppose a CVE security issue impacts a software component. In that case, it can |
133 | version of the software component, by applying a patch or by marking it as patched via | 133 | be fixed by updating to a newer version, by applying a patch, or by marking it |
134 | :term:`CVE_STATUS` variable flag. For Poky and OE-Core master branches, updating | 134 | as patched via :term:`CVE_STATUS` variable flag. For Poky and OE-Core master |
135 | to a newer software component release with fixes is the best option, but patches can be applied | 135 | branches, updating to a more recent software component release with fixes is |
136 | if releases are not yet available. | 136 | the best option, but patches can be applied if releases are not yet available. |
137 | 137 | ||
138 | For stable branches, it is preferred to apply patches for the issues. For some software | 138 | For stable branches, we want to avoid API (Application Programming Interface) |
139 | components minor version updates can also be applied if they are backwards compatible. | 139 | or ABI (Application Binary Interface) breakages. When submitting an update, |
140 | a minor version update of a component is preferred if the version is | ||
141 | backward-compatible. Many software components have backward-compatible stable | ||
142 | versions, with a notable example of the Linux kernel. However, if the new | ||
143 | version does or likely might introduce incompatibilities, extracting and | ||
144 | backporting patches is preferred. | ||
140 | 145 | ||
141 | Here is an example of fixing CVE security issues with patch files, | 146 | Here is an example of fixing CVE security issues with patch files, |
142 | an example from the :oe_layerindex:`ffmpeg recipe</layerindex/recipe/47350>`:: | 147 | an example from the :oe_layerindex:`ffmpeg recipe for dunfell </layerindex/recipe/122174>`:: |
143 | 148 | ||
144 | SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ | 149 | SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ |
150 | file://mips64_cpu_detection.patch \ | ||
151 | file://CVE-2020-12284.patch \ | ||
145 | file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ | 152 | file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ |
146 | file://fix-CVE-2020-20446.patch \ | 153 | file://CVE-2021-3566.patch \ |
147 | file://fix-CVE-2020-20453.patch \ | 154 | file://CVE-2021-38291.patch \ |
148 | file://fix-CVE-2020-22015.patch \ | 155 | file://CVE-2022-1475.patch \ |
149 | file://fix-CVE-2020-22021.patch \ | 156 | file://CVE-2022-3109.patch \ |
150 | file://fix-CVE-2020-22033-CVE-2020-22019.patch \ | 157 | file://CVE-2022-3341.patch \ |
151 | file://fix-CVE-2021-33815.patch \ | 158 | file://CVE-2022-48434.patch \ |
159 | " | ||
160 | |||
161 | The recipe has both generic and security-related fixes. The CVE patch files are named | ||
162 | according to the CVE they fix. | ||
163 | |||
164 | When preparing the patch file, take the original patch from the upstream repository. | ||
165 | Do not use patches from different distributions, except if it is the only available source. | ||
166 | |||
167 | Modify the patch adding OE-related metadata. We will follow the example of the | ||
168 | ``CVE-2022-3341.patch``. | ||
169 | |||
170 | The original `commit message <https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e.patch/>`__ | ||
171 | is:: | ||
172 | |||
173 | From 9cf652cef49d74afe3d454f27d49eb1a1394951e Mon Sep 17 00:00:00 2001 | ||
174 | From: Jiasheng Jiang <jiasheng@iscas.ac.cn> | ||
175 | Date: Wed, 23 Feb 2022 10:31:59 +0800 | ||
176 | Subject: [PATCH] avformat/nutdec: Add check for avformat_new_stream | ||
177 | |||
178 | Check for failure of avformat_new_stream() and propagate | ||
179 | the error code. | ||
180 | |||
181 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
182 | --- | ||
183 | libavformat/nutdec.c | 16 ++++++++++++---- | ||
184 | 1 file changed, 12 insertions(+), 4 deletions(-) | ||
185 | |||
186 | |||
187 | For the correct operations of the ``cve-check``, it requires the CVE | ||
188 | identification in a ``CVE:`` tag of the patch file commit message using | ||
189 | the format:: | ||
152 | 190 | ||
153 | A good practice is to include the CVE identifier in both the patch file name | 191 | CVE: CVE-2022-3341 |
154 | and inside the patch file commit message using the format:: | ||
155 | 192 | ||
156 | CVE: CVE-2020-22033 | 193 | It is also recommended to add the ``Upstream-Status:`` tag with a link |
194 | to the original patch and sign-off by people working on the backport. | ||
195 | If there are any modifications to the original patch, note them in | ||
196 | the ``Comments:`` tag. | ||
197 | |||
198 | With the additional information, the header of the patch file in OE-core becomes:: | ||
199 | |||
200 | From 9cf652cef49d74afe3d454f27d49eb1a1394951e Mon Sep 17 00:00:00 2001 | ||
201 | From: Jiasheng Jiang <jiasheng@iscas.ac.cn> | ||
202 | Date: Wed, 23 Feb 2022 10:31:59 +0800 | ||
203 | Subject: [PATCH] avformat/nutdec: Add check for avformat_new_stream | ||
204 | |||
205 | Check for failure of avformat_new_stream() and propagate | ||
206 | the error code. | ||
207 | |||
208 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
209 | |||
210 | CVE: CVE-2022-3341 | ||
211 | |||
212 | Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e] | ||
213 | |||
214 | Comments: Refreshed Hunk | ||
215 | Signed-off-by: Narpat Mali <narpat.mali@windriver.com> | ||
216 | Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> | ||
217 | --- | ||
218 | libavformat/nutdec.c | 16 ++++++++++++---- | ||
219 | 1 file changed, 12 insertions(+), 4 deletions(-) | ||
220 | |||
221 | A good practice is to include the CVE identifier in the patch file name, the patch file | ||
222 | commit message and optionally in the recipe commit message. | ||
157 | 223 | ||
158 | CVE checker will then capture this information and change the CVE status to ``Patched`` | 224 | CVE checker will then capture this information and change the CVE status to ``Patched`` |
159 | in the generated reports. | 225 | in the generated reports. |
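Review bot: the sentence at new lines 187-189 ("For the correct operations of the ``cve-check``, it requires the CVE identification in a ``CVE:`` tag") is ungrammatical and buries the point that matters; it should state the consequence directly, e.g. "For ``cve-check`` to mark the issue as ``Patched``, the patch header must carry the CVE identifier in a ``CVE:`` tag, using the format::". Since the old example ``fix-CVE-2020-22033-CVE-2020-22019.patch`` (a single patch covering two CVEs) is being dropped, the new text should also say how such a patch is tagged, as the reader now sees only the one-identifier form. Two smaller points: "with a notable example of the Linux kernel" (new line 142) reads better as "the Linux kernel being a notable example", and the advice at new lines 164-165 to take the patch from the upstream repository could add that the backporter should confirm the chosen commit is the one the CVE advisory actually references, because a ``CVE:`` tag on the wrong commit silently turns an open issue into a ``Patched`` one in every report.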
@@ -161,8 +227,13 @@ in the generated reports. | |||
161 | If analysis shows that the CVE issue does not impact the recipe due to configuration, platform, | 227 | If analysis shows that the CVE issue does not impact the recipe due to configuration, platform, |
162 | version or other reasons, the CVE can be marked as ``Ignored`` by using | 228 | version or other reasons, the CVE can be marked as ``Ignored`` by using |
163 | the :term:`CVE_STATUS` variable flag with appropriate reason which is mapped to ``Ignored``. | 229 | the :term:`CVE_STATUS` variable flag with appropriate reason which is mapped to ``Ignored``. |
164 | As mentioned previously, if data in the CVE database is wrong, it is recommend to fix those | 230 | The entry should have the format like:: |
165 | issues in the CVE database directly. | 231 | |
232 | CVE_STATUS[CVE-2016-10642] = "cpe-incorrect: This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded" | ||
233 | |||
234 | As mentioned previously, if data in the CVE database is wrong, it is recommended | ||
235 | to fix those issues in the CVE database (NVD in the case of OE-core and Poky) | ||
236 | directly. | ||
166 | 237 | ||
167 | Note that if there are many CVEs with the same status and reason, those can be | 238 | Note that if there are many CVEs with the same status and reason, those can be |
168 | shared by using the :term:`CVE_STATUS_GROUPS` variable. | 239 | shared by using the :term:`CVE_STATUS_GROUPS` variable. |
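Review bot: "The entry should have the format like::" (new line 230) is awkward; "The entry has the following format::" is enough, and the text should spell out the structure the example shows, namely a reason keyword before the colon (here ``cpe-incorrect``, which maps to ``Ignored``) followed by a free-form justification. Because an ``Ignored`` entry removes the CVE from the generated reports, it is worth adding one sentence that the justification must be specific enough for a later reviewer to re-check it (which configuration, platform or version makes the issue inapplicable), as the example does by naming the npm package.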