diff options
author | Andrej Valek <andrej.valek@siemens.com> | 2023-07-20 09:19:50 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-07-21 11:52:26 +0100 |
commit | c15e506a4674e558922c5a75512ca2b5c296cd44 (patch) | |
tree | a0cc1ebf9daca61304185ed901596e31f4029658 /meta/recipes-core | |
parent | 7e18a90d35a62cd6894385a9dab549a594d5f11e (diff) | |
download | poky-c15e506a4674e558922c5a75512ca2b5c296cd44.tar.gz |
cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS
- Try to add convert and apply statuses for old CVEs
- Drop some obsolete ignores, while they are not relevant for current
version
(From OE-Core rev: 1634ed4048cf56788cd5c2c1bdc979b70afcdcd7)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Reviewed-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r-- | meta/recipes-core/coreutils/coreutils_9.3.bb | 4 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc_2.37.bb | 17 | ||||
-rw-r--r-- | meta/recipes-core/libxml/libxml2_2.11.4.bb | 4 | ||||
-rw-r--r-- | meta/recipes-core/systemd/systemd_253.3.bb | 3 |
4 files changed, 11 insertions, 17 deletions
diff --git a/meta/recipes-core/coreutils/coreutils_9.3.bb b/meta/recipes-core/coreutils/coreutils_9.3.bb index 25da988f50..ba38169f05 100644 --- a/meta/recipes-core/coreutils/coreutils_9.3.bb +++ b/meta/recipes-core/coreutils/coreutils_9.3.bb | |||
@@ -23,8 +23,8 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \ | |||
23 | SRC_URI[sha256sum] = "adbcfcfe899235b71e8768dcf07cd532520b7f54f9a8064843f8d199a904bbaa" | 23 | SRC_URI[sha256sum] = "adbcfcfe899235b71e8768dcf07cd532520b7f54f9a8064843f8d199a904bbaa" |
24 | 24 | ||
25 | # http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842 | 25 | # http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842 |
26 | # runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue. | 26 | # |
27 | CVE_CHECK_IGNORE += "CVE-2016-2781" | 27 | CVE_STATUS[CVE-2016-2781] = "disputed: runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue." |
28 | 28 | ||
29 | EXTRA_OECONF:class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}" | 29 | EXTRA_OECONF:class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}" |
30 | EXTRA_OECONF:class-nativesdk = "--enable-install-program=arch,hostname" | 30 | EXTRA_OECONF:class-nativesdk = "--enable-install-program=arch,hostname" |
diff --git a/meta/recipes-core/glibc/glibc_2.37.bb b/meta/recipes-core/glibc/glibc_2.37.bb index 3387441cad..851aa612b1 100644 --- a/meta/recipes-core/glibc/glibc_2.37.bb +++ b/meta/recipes-core/glibc/glibc_2.37.bb | |||
@@ -4,18 +4,19 @@ require glibc-version.inc | |||
4 | # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022 | 4 | # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022 |
5 | # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023 | 5 | # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023 |
6 | # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024 | 6 | # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024 |
7 | # Upstream glibc maintainers dispute there is any issue and have no plans to address it further. | 7 | CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE" |
8 | # "this is being treated as a non-security bug and no real threat." | 8 | CVE_STATUS_RECIPE = "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024" |
9 | CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024" | 9 | CVE_STATUS_RECIPE[status] = "disputed: \ |
10 | Upstream glibc maintainers dispute there is any issue and have no plans to address it further. \ | ||
11 | this is being treated as a non-security bug and no real threat." | ||
10 | 12 | ||
11 | # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025 | 13 | # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025 |
12 | # Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow | ||
13 | # easier access for another. "ASLR bypass itself is not a vulnerability." | ||
14 | # Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853 | 14 | # Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853 |
15 | CVE_CHECK_IGNORE += "CVE-2019-1010025" | 15 | CVE_STATUS[CVE-2019-1010025] = "disputed: \ |
16 | Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow \ | ||
17 | easier access for another. 'ASLR bypass itself is not a vulnerability.'" | ||
16 | 18 | ||
17 | # This is integrated into the 2.37 branch as of 07b9521fc6 | 19 | CVE_STATUS[CVE-2023-25139] = "cpe-stable-backport: This is integrated into the 2.37 branch as of 07b9521fc6" |
18 | CVE_CHECK_IGNORE += "CVE-2023-25139" | ||
19 | 20 | ||
20 | DEPENDS += "gperf-native bison-native" | 21 | DEPENDS += "gperf-native bison-native" |
21 | 22 | ||
diff --git a/meta/recipes-core/libxml/libxml2_2.11.4.bb b/meta/recipes-core/libxml/libxml2_2.11.4.bb index 713d0baf6c..cbf20504f8 100644 --- a/meta/recipes-core/libxml/libxml2_2.11.4.bb +++ b/meta/recipes-core/libxml/libxml2_2.11.4.bb | |||
@@ -23,10 +23,6 @@ SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be47223 | |||
23 | 23 | ||
24 | BINCONFIG = "${bindir}/xml2-config" | 24 | BINCONFIG = "${bindir}/xml2-config" |
25 | 25 | ||
26 | # Fixed since 2.9.11 via | ||
27 | # https://gitlab.gnome.org/GNOME/libxml2/-/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f | ||
28 | CVE_CHECK_IGNORE += "CVE-2016-3709" | ||
29 | |||
30 | PACKAGECONFIG ??= "python \ | 26 | PACKAGECONFIG ??= "python \ |
31 | ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \ | 27 | ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \ |
32 | " | 28 | " |
diff --git a/meta/recipes-core/systemd/systemd_253.3.bb b/meta/recipes-core/systemd/systemd_253.3.bb index 87fbf6f785..cf0e17ff00 100644 --- a/meta/recipes-core/systemd/systemd_253.3.bb +++ b/meta/recipes-core/systemd/systemd_253.3.bb | |||
@@ -834,6 +834,3 @@ pkg_postinst:udev-hwdb () { | |||
834 | pkg_prerm:udev-hwdb () { | 834 | pkg_prerm:udev-hwdb () { |
835 | rm -f $D${sysconfdir}/udev/hwdb.bin | 835 | rm -f $D${sysconfdir}/udev/hwdb.bin |
836 | } | 836 | } |
837 | |||
838 | # This was also fixed in 252.4 with 9b75a3d0 | ||
839 | CVE_CHECK_IGNORE += "CVE-2022-4415" | ||