diff options
| author | Marta Rybczynska <rybczynska@gmail.com> | 2023-11-01 07:26:14 +0100 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-11-06 22:52:27 +0000 |
| commit | 1081a2617afc34d0d864125109517b04de20e200 (patch) | |
| tree | 23b3f12727c20d6ee6e7359ecc720cc3f41bbff3 /documentation/dev-manual | |
| parent | 7d6a77ce379a9ec19170045a39c4451b39615fb3 (diff) | |
| download | poky-1081a2617afc34d0d864125109517b04de20e200.tar.gz | |
dev-manual: extend the description of CVE patch preparation
Extend the description on how to prepare a patch for a CVE issue.
Add a more illustrative and current example of how to modify
the patch file. Add an example of how to use CVE_STATUS.
(From yocto-docs rev: f982f6be6b52ba0915b2e6f712270dec5dde64fc)
Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'documentation/dev-manual')
| -rw-r--r-- | documentation/dev-manual/vulnerabilities.rst | 111 |
1 files changed, 91 insertions, 20 deletions
diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst index c492b62ffd..1bc2a85929 100644 --- a/documentation/dev-manual/vulnerabilities.rst +++ b/documentation/dev-manual/vulnerabilities.rst | |||
| @@ -129,31 +129,97 @@ NVD about CVE entries can be provided through the `NVD contact form <https://nvd | |||
| 129 | Fixing vulnerabilities in recipes | 129 | Fixing vulnerabilities in recipes |
| 130 | ================================= | 130 | ================================= |
| 131 | 131 | ||
| 132 | If a CVE security issue impacts a software component, it can be fixed by updating to a newer | 132 | Suppose a CVE security issue impacts a software component. In that case, it can |
| 133 | version of the software component, by applying a patch or by marking it as patched via | 133 | be fixed by updating to a newer version, by applying a patch, or by marking it |
| 134 | :term:`CVE_STATUS` variable flag. For Poky and OE-Core master branches, updating | 134 | as patched via :term:`CVE_STATUS` variable flag. For Poky and OE-Core master |
| 135 | to a newer software component release with fixes is the best option, but patches can be applied | 135 | branches, updating to a more recent software component release with fixes is |
| 136 | if releases are not yet available. | 136 | the best option, but patches can be applied if releases are not yet available. |
| 137 | 137 | ||
| 138 | For stable branches, it is preferred to apply patches for the issues. For some software | 138 | For stable branches, we want to avoid API (Application Programming Interface) |
| 139 | components minor version updates can also be applied if they are backwards compatible. | 139 | or ABI (Application Binary Interface) breakages. When submitting an update, |
| 140 | a minor version update of a component is preferred if the version is | ||
| 141 | backward-compatible. Many software components have backward-compatible stable | ||
| 142 | versions, with a notable example of the Linux kernel. However, if the new | ||
| 143 | version does or likely might introduce incompatibilities, extracting and | ||
| 144 | backporting patches is preferred. | ||
| 140 | 145 | ||
| 141 | Here is an example of fixing CVE security issues with patch files, | 146 | Here is an example of fixing CVE security issues with patch files, |
| 142 | an example from the :oe_layerindex:`ffmpeg recipe</layerindex/recipe/47350>`:: | 147 | an example from the :oe_layerindex:`ffmpeg recipe for dunfell </layerindex/recipe/122174>`:: |
| 143 | 148 | ||
| 144 | SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ | 149 | SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ |
| 150 | file://mips64_cpu_detection.patch \ | ||
| 151 | file://CVE-2020-12284.patch \ | ||
| 145 | file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ | 152 | file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ |
| 146 | file://fix-CVE-2020-20446.patch \ | 153 | file://CVE-2021-3566.patch \ |
| 147 | file://fix-CVE-2020-20453.patch \ | 154 | file://CVE-2021-38291.patch \ |
| 148 | file://fix-CVE-2020-22015.patch \ | 155 | file://CVE-2022-1475.patch \ |
| 149 | file://fix-CVE-2020-22021.patch \ | 156 | file://CVE-2022-3109.patch \ |
| 150 | file://fix-CVE-2020-22033-CVE-2020-22019.patch \ | 157 | file://CVE-2022-3341.patch \ |
| 151 | file://fix-CVE-2021-33815.patch \ | 158 | file://CVE-2022-48434.patch \ |
| 159 | " | ||
| 160 | |||
| 161 | The recipe has both generic and security-related fixes. The CVE patch files are named | ||
| 162 | according to the CVE they fix. | ||
| 163 | |||
| 164 | When preparing the patch file, take the original patch from the upstream repository. | ||
| 165 | Do not use patches from different distributions, except if it is the only available source. | ||
| 166 | |||
| 167 | Modify the patch adding OE-related metadata. We will follow the example of the | ||
| 168 | ``CVE-2022-3341.patch``. | ||
| 169 | |||
| 170 | The original `commit message <https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e.patch/>`__ | ||
| 171 | is:: | ||
| 172 | |||
| 173 | From 9cf652cef49d74afe3d454f27d49eb1a1394951e Mon Sep 17 00:00:00 2001 | ||
| 174 | From: Jiasheng Jiang <jiasheng@iscas.ac.cn> | ||
| 175 | Date: Wed, 23 Feb 2022 10:31:59 +0800 | ||
| 176 | Subject: [PATCH] avformat/nutdec: Add check for avformat_new_stream | ||
| 177 | |||
| 178 | Check for failure of avformat_new_stream() and propagate | ||
| 179 | the error code. | ||
| 180 | |||
| 181 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
| 182 | --- | ||
| 183 | libavformat/nutdec.c | 16 ++++++++++++---- | ||
| 184 | 1 file changed, 12 insertions(+), 4 deletions(-) | ||
| 185 | |||
| 186 | |||
| 187 | For the correct operations of the ``cve-check``, it requires the CVE | ||
| 188 | identification in a ``CVE:`` tag of the patch file commit message using | ||
| 189 | the format:: | ||
| 152 | 190 | ||
| 153 | A good practice is to include the CVE identifier in both the patch file name | 191 | CVE: CVE-2022-3341 |
| 154 | and inside the patch file commit message using the format:: | ||
| 155 | 192 | ||
| 156 | CVE: CVE-2020-22033 | 193 | It is also recommended to add the ``Upstream-Status:`` tag with a link |
| 194 | to the original patch and sign-off by people working on the backport. | ||
| 195 | If there are any modifications to the original patch, note them in | ||
| 196 | the ``Comments:`` tag. | ||
| 197 | |||
| 198 | With the additional information, the header of the patch file in OE-core becomes:: | ||
| 199 | |||
| 200 | From 9cf652cef49d74afe3d454f27d49eb1a1394951e Mon Sep 17 00:00:00 2001 | ||
| 201 | From: Jiasheng Jiang <jiasheng@iscas.ac.cn> | ||
| 202 | Date: Wed, 23 Feb 2022 10:31:59 +0800 | ||
| 203 | Subject: [PATCH] avformat/nutdec: Add check for avformat_new_stream | ||
| 204 | |||
| 205 | Check for failure of avformat_new_stream() and propagate | ||
| 206 | the error code. | ||
| 207 | |||
| 208 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
| 209 | |||
| 210 | CVE: CVE-2022-3341 | ||
| 211 | |||
| 212 | Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e] | ||
| 213 | |||
| 214 | Comments: Refreshed Hunk | ||
| 215 | Signed-off-by: Narpat Mali <narpat.mali@windriver.com> | ||
| 216 | Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> | ||
| 217 | --- | ||
| 218 | libavformat/nutdec.c | 16 ++++++++++++---- | ||
| 219 | 1 file changed, 12 insertions(+), 4 deletions(-) | ||
| 220 | |||
| 221 | A good practice is to include the CVE identifier in the patch file name, the patch file | ||
| 222 | commit message and optionally in the recipe commit message. | ||
| 157 | 223 | ||
| 158 | CVE checker will then capture this information and change the CVE status to ``Patched`` | 224 | CVE checker will then capture this information and change the CVE status to ``Patched`` |
| 159 | in the generated reports. | 225 | in the generated reports. |
| @@ -161,8 +227,13 @@ in the generated reports. | |||
| 161 | If analysis shows that the CVE issue does not impact the recipe due to configuration, platform, | 227 | If analysis shows that the CVE issue does not impact the recipe due to configuration, platform, |
| 162 | version or other reasons, the CVE can be marked as ``Ignored`` by using | 228 | version or other reasons, the CVE can be marked as ``Ignored`` by using |
| 163 | the :term:`CVE_STATUS` variable flag with appropriate reason which is mapped to ``Ignored``. | 229 | the :term:`CVE_STATUS` variable flag with appropriate reason which is mapped to ``Ignored``. |
| 164 | As mentioned previously, if data in the CVE database is wrong, it is recommend to fix those | 230 | The entry should have the format like:: |
| 165 | issues in the CVE database directly. | 231 | |
| 232 | CVE_STATUS[CVE-2016-10642] = "cpe-incorrect: This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded" | ||
| 233 | |||
| 234 | As mentioned previously, if data in the CVE database is wrong, it is recommended | ||
| 235 | to fix those issues in the CVE database (NVD in the case of OE-core and Poky) | ||
| 236 | directly. | ||
| 166 | 237 | ||
| 167 | Note that if there are many CVEs with the same status and reason, those can be | 238 | Note that if there are many CVEs with the same status and reason, those can be |
| 168 | shared by using the :term:`CVE_STATUS_GROUPS` variable. | 239 | shared by using the :term:`CVE_STATUS_GROUPS` variable. |