cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS

- Try to add convert and apply statuses for old CVEs - Drop some obsolete ignores, while they are not relevant for current version (From OE-Core rev: 1634ed4048cf56788cd5c2c1bdc979b70afcdcd7) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Reviewed-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Andrej Valek <andrej.valek@siemens.com> 2023-07-20 09:19:50 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-07-21 11:52:26 +0100
commit: c15e506a4674e558922c5a75512ca2b5c296cd44 (patch)
tree: a0cc1ebf9daca61304185ed901596e31f4029658 /meta/recipes-graphics
parent: 7e18a90d35a62cd6894385a9dab549a594d5f11e (diff)
download: poky-c15e506a4674e558922c5a75512ca2b5c296cd44.tar.gz
2 files changed, 10 insertions, 12 deletions
diff --git a/meta/recipes-graphics/builder/builder_0.1.bb b/meta/recipes-graphics/builder/builder_0.1.bb
index 39be3bd63f..1700015ded 100644
--- a/meta/recipes-graphics/builder/builder_0.1.bb
+++ b/meta/recipes-graphics/builder/builder_0.1.bb
@@ -29,5 +29,4 @@ do_install () {
        chown  builder.builder ${D}${sysconfdir}/mini_x/session.d/builder_session.sh
 }
-# -4178 is an unrelated 'builder'
+CVE_STATUS[CVE-2008-4178] = "cpe-incorrect: This CVE is for an unrelated builder"
-CVE_CHECK_IGNORE = "CVE-2008-4178"
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
index ecb164ddf7..085fcaf87a 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -20,16 +20,15 @@ SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.xz"
 UPSTREAM_CHECK_REGEX = "xorg-server-(?P<pver>\d+(\.(?!99)\d+)+)\.tar"
 CVE_PRODUCT = "xorg-server x_server"
-# This is specific to Debian's xserver-wrapper.c
-CVE_CHECK_IGNORE += "CVE-2011-4613"
+CVE_STATUS[CVE-2011-4613] = "not-applicable-platform: This is specific to Debian's xserver-wrapper.c"
-# As per upstream, exploiting this flaw is non-trivial and it requires exact
+CVE_STATUS[CVE-2020-25697] = "upstream-wontfix: \
-# timing on the behalf of the attacker. Many graphical applications exit if their
+As per upstream, exploiting this flaw is non-trivial and it requires exact \
-# connection to the X server is lost, so a typical desktop session is either
+timing on the behalf of the attacker. Many graphical applications exit if their \
-# impossible or difficult to exploit. There is currently no upstream patch
+connection to the X server is lost, so a typical desktop session is either \
-# available for this flaw.
+impossible or difficult to exploit. There is currently no upstream patch \
-CVE_CHECK_IGNORE += "CVE-2020-25697"
+available for this flaw."
-# This is specific to XQuartz, which is the macOS X server port
+CVE_STATUS[CVE-2022-3553] = "cpe-incorrect: This is specific to XQuartz, which is the macOS X server port"
-CVE_CHECK_IGNORE += "CVE-2022-3553"
 S = "${WORKDIR}/${XORG_PN}-${PV}"
author	Andrej Valek <andrej.valek@siemens.com>	2023-07-20 09:19:50 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-07-21 11:52:26 +0100
commit	c15e506a4674e558922c5a75512ca2b5c296cd44 (patch)
tree	a0cc1ebf9daca61304185ed901596e31f4029658 /meta/recipes-graphics
parent	7e18a90d35a62cd6894385a9dab549a594d5f11e (diff)
download	poky-c15e506a4674e558922c5a75512ca2b5c296cd44.tar.gz

diff --git a/meta/recipes-graphics/builder/builder_0.1.bb b/meta/recipes-graphics/builder/builder_0.1.bb index 39be3bd63f..1700015ded 100644 --- a/meta/recipes-graphics/builder/builder_0.1.bb +++ b/meta/recipes-graphics/builder/builder_0.1.bb
@@ -29,5 +29,4 @@ do_install () {
29	chown builder.builder ${D}${sysconfdir}/mini_x/session.d/builder_session.sh	29	chown builder.builder ${D}${sysconfdir}/mini_x/session.d/builder_session.sh
30	}	30	}
31		31
32	# -4178 is an unrelated 'builder'	32	CVE_STATUS[CVE-2008-4178] = "cpe-incorrect: This CVE is for an unrelated builder"
33	CVE_CHECK_IGNORE = "CVE-2008-4178"


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc index ecb164ddf7..085fcaf87a 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -20,16 +20,15 @@ SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.xz"
20	UPSTREAM_CHECK_REGEX = "xorg-server-(?P<pver>\d+(\.(?!99)\d+)+)\.tar"	20	UPSTREAM_CHECK_REGEX = "xorg-server-(?P<pver>\d+(\.(?!99)\d+)+)\.tar"
21		21
22	CVE_PRODUCT = "xorg-server x_server"	22	CVE_PRODUCT = "xorg-server x_server"
23	# This is specific to Debian's xserver-wrapper.c	23
24	CVE_CHECK_IGNORE += "CVE-2011-4613"	24	CVE_STATUS[CVE-2011-4613] = "not-applicable-platform: This is specific to Debian's xserver-wrapper.c"
25	# As per upstream, exploiting this flaw is non-trivial and it requires exact	25	CVE_STATUS[CVE-2020-25697] = "upstream-wontfix: \
26	# timing on the behalf of the attacker. Many graphical applications exit if their	26	As per upstream, exploiting this flaw is non-trivial and it requires exact \
27	# connection to the X server is lost, so a typical desktop session is either	27	timing on the behalf of the attacker. Many graphical applications exit if their \
28	# impossible or difficult to exploit. There is currently no upstream patch	28	connection to the X server is lost, so a typical desktop session is either \
29	# available for this flaw.	29	impossible or difficult to exploit. There is currently no upstream patch \
30	CVE_CHECK_IGNORE += "CVE-2020-25697"	30	available for this flaw."
31	# This is specific to XQuartz, which is the macOS X server port	31	CVE_STATUS[CVE-2022-3553] = "cpe-incorrect: This is specific to XQuartz, which is the macOS X server port"
32	CVE_CHECK_IGNORE += "CVE-2022-3553"
33		32
34	S = "${WORKDIR}/${XORG_PN}-${PV}"	33	S = "${WORKDIR}/${XORG_PN}-${PV}"
35		34