summaryrefslogtreecommitdiffstats
path: root/meta/conf
diff options
context:
space:
mode:
authorRichard Purdie <richard.purdie@linuxfoundation.org>2021-05-06 07:12:32 -1000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-05-20 12:30:32 +0100
commit1376f226930eaa600dd635e59b9a654836f6e9c6 (patch)
treef9a4164711cbbd0bd4aa1357d54953e152f9eb67 /meta/conf
parentc124290d90040806103b8c273948c4863e7bc1b4 (diff)
downloadpoky-1376f226930eaa600dd635e59b9a654836f6e9c6.tar.gz
cve-extra-exclusions.inc: add exclusion list for intractable CVE's
The preferred methods for CVE resolution are: 1. Version upgrades where possible 2. Patches where not possible 3. Database updates where version info is incorrect 4. Exclusion from checking where it is determined that the CVE does not apply to our environment In some cases none of these methods are possible. For example the CVE may be decades old with no apparent resolution, and with broken links that make further research impractical. Some CVEs are vauge with no specific action the project can take too. This patch creates a mechanism for users to remove this type of CVE from the cve-check results via an optional include file. Based on an initial patch from Steve Sakoman <steve@sakoman.com> but extended heavily by RP. (From OE-Core rev: cf282ae03db3f09df42dcd110d7086c2d854642c) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/conf')
-rw-r--r--meta/conf/distro/include/cve-extra-exclusions.inc88
1 files changed, 88 insertions, 0 deletions
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
new file mode 100644
index 0000000000..565c8e04cc
--- /dev/null
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -0,0 +1,88 @@
1# This file contains a list of CVE's where resolution has proven to be impractical
2# or there is no reasonable action the Yocto Project can take to resovle the issue.
3# It contains all the information we are aware of about an issue and analysis about
4# why we believe it can't be fixed/handled. Additional information is welcome through
5# patches to the file.
6#
7# Include this file in your local.conf or distro.conf to exclude these CVE's
8# from the cve-check results or add to the bitbake command with:
9# -R meta/conf/distro/include/cve-extra-exclusions.inc
10#
11# The file is not included by default since users should review this data to ensure
12# it matches their expectations and ussage of the project.
13#
14# Wemay also include "in-flight" information about current/ongoing CVE work with
15# the aim of sharing that work and ensuring we don't duplicate it.
16#
17
18
19# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
20# CVE is more than 20 years old with no resolution evident
21# broken links in CVE database references make resolution impractical
22CVE_CHECK_WHITELIST += "CVE-2000-0006"
23
24# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
25# The issue here is spoofing of domain names using characters from other character sets.
26# There has been much discussion amongst the epiphany and webkit developers and
27# whilst there are improvements about how domains are handled and displayed to the user
28# there is unlikely ever to be a single fix to webkit or epiphany which addresses this
29# problem. Whitelisted as there isn't any mitigation or fix or way to progress this further
30# we can seem to take.
31CVE_CHECK_WHITELIST += "CVE-2005-0238"
32
33# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
34# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
35# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
36# Upstream don't see it as a security issue, ftp servers shouldn't be passing
37# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar
38CVE_CHECK_WHITELIST += "CVE-2010-4756"
39
40# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
41# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
42# The encoding/xml package in go can potentially be used for security exploits if not used correctly
43# CVE applies to a netapp product as well as flagging a general issue. We don't ship anything
44# exposing this interface in an exploitable way
45CVE_CHECK_WHITELIST += "CVE-2020-29509 CVE-2020-29511"
46
47
48
49#### CPE update pending ####
50
51# groff:groff-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0803
52# Appears it was fixed in https://git.savannah.gnu.org/cgit/groff.git/commit/?id=07f95f1674217275ed4612f1dcaa95a88435c6a7
53# so from 1.17 onwards. Reported to the database for update by RP 2021/5/9. Update accepted 2021/5/10.
54#CVE_CHECK_WHITELIST += "CVE-2000-0803"
55
56# grub:grub-efi:grub-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14865
57# Looks like grub-set-bootflag is patched in by Fedora/RHEL:
58# https://src.fedoraproject.org/rpms/grub2/blob/498ea7003b4dd8079fc075fad7e19e0b190d0f97/f/0133-Add-grub-set-bootflag-utility.patch
59# Does not exist in upstream grub2:
60# https://git.savannah.gnu.org/cgit/grub.git/tree/util
61# Reported to the database for update by RP 2021/5/9 Update accepted 2021/5/12
62#CVE_CHECK_WHITELIST += "CVE-2019-14865"
63
64# tar https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4476 *
65# https://bugzilla.redhat.com/show_bug.cgi?id=280961 - issue affects paxutils included in tar
66# http://cvs.savannah.gnu.org/viewvc/paxutils/paxutils/paxlib/names.c?r1=1.2&r2=1.4 was the fix
67# included in tar 1.19 and later
68# CPE update sent, may or may not exclude for us
69#CVE_CHECK_WHITELIST += "CVE-2007-4476"
70
71
72
73#### Upstream still working on ####
74
75# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255
76# There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
77# however qemu maintainers are sure the patch is incorrect and should not be applied.
78
79# flex:flex-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6293
80# Upstream bug, still open: https://github.com/westes/flex/issues/414
81# Causes memory exhaustion so potential DoS but no buffer overflow, low priority
82
83# wget https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31879
84# https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html
85# No response upstream as of 2021/5/12
86
87
88