author | Geoffrey GIRY <geoffrey.giry@smile.fr> | 2023-04-05 12:34:54 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-04-05 17:26:11 +0100 |
commit | b8bfd3b01b660d0536a272fafa0157aac2aaab0b (patch) | |
tree | 7a4516ff900d89fbb0f6bc974595e0271623f7d4 /meta/recipes-kernel/linux | |
parent | 0e5bdb623b0f3ca4d71eba56b54915905acbc7d9 (diff) | |
download | poky-b8bfd3b01b660d0536a272fafa0157aac2aaab0b.tar.gz |
cve-extra-exclusions: ignore inapplicable linux-yocto CVEs
Multiple CVEs are patched in kernel but appear as active because the NVD
database is not up to date.
In common file cve-extra-exclusion.inc, CVEs are ignored if and only if
all versions of kernel used are patched.
In cve-exclusion_6.1.inc, only CVEs that are patched in v6.1 but not in v5.15 are ignored.
Recipes of version 6.1 should include this file.
Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
(From OE-Core rev: 5feb065f1b1aaf218f71cc9d31a9251b139b9442)
Signed-off-by: Geoffrey GIRY <geoffrey.giry@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-kernel/linux')
-rw-r--r-- | meta/recipes-kernel/linux/cve-exclusion_6.1.inc | 15 | ||||
-rw-r--r-- | meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb | 3 | ||||
-rw-r--r-- | meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb | 3 | ||||
-rw-r--r-- | meta/recipes-kernel/linux/linux-yocto_6.1.bb | 3 |
4 files changed, 24 insertions, 0 deletions
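--- /dev/null
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
@@ -0,0 +1,15 @@
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3523
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v6.1 16ce101db85db694a91380aa4c89b25530871d33
+CVE_CHECK_IGNORE += "CVE-2022-3523"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3566
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v6.1 f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57
+CVE_CHECK_IGNORE += "CVE-2022-3566"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3567
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v6.1 364f997b5cfe1db0d63a390fe7c801fa2b3115f6
+CVE_CHECK_IGNORE += "CVE-2022-3567"
+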
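Review bot: Nothing inside the new file records that its entries are valid only for the 6.1 kernel; the version lives in the filename alone, while each `CVE_CHECK_IGNORE += ...` line is unconditional, so a recipe of a different kernel version that picks this file up (by copy or a later rename) would suppress findings that still apply to it. The commit message states the admission rule (fixed in v6.1, still open in v5.15) but a maintainer editing the file will not see it. Add a header comment such as `# Only include from linux-yocto 6.1 recipes: every CVE below is fixed in v6.1 but still open in v5.15, so this file must not be shared with other kernel versions.` The per-entry "Patched in kernel since" lines usefully carry the fixing commit, which lets a reviewer re-verify each exclusion; stating in the same header that new entries must keep that format would preserve that property.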
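--- a/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb
@@ -2,6 +2,9 @@ KBRANCH ?= "v6.1/standard/preempt-rt/base"
 
 require recipes-kernel/linux/linux-yocto.inc
 
+# CVE exclusions
+include recipes-kernel/linux/cve-exclusion_6.1.inc
+
 # Skip processing of this recipe if it is not explicitly specified as the
 # PREFERRED_PROVIDER for virtual/kernel. This avoids errors when trying
 # to build multiple virtual/kernel providers, e.g. as dependency of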
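Review bot: The new line 6 uses `include`, which BitBake treats as optional and silently skips when the file is missing, whereas the `require` two lines above fails parsing; a typo in the path or a later move of cve-exclusion_6.1.inc would therefore drop every exclusion with no error, and the listed CVEs would reappear as open findings in cve-check output. That failure is noisy rather than insecure, but it is easy to overlook in a long report. Since the commit message says 6.1 recipes should include this file, making it mandatory is cheap: `require recipes-kernel/linux/cve-exclusion_6.1.inc`. The identical hunks in linux-yocto-tiny_6.1.bb and linux-yocto_6.1.bb have the same issue.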
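--- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb
@@ -5,6 +5,9 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
+# CVE exclusions
+include recipes-kernel/linux/cve-exclusion_6.1.inc
+
 LINUX_VERSION ?= "6.1.20"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 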
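--- a/meta/recipes-kernel/linux/linux-yocto_6.1.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_6.1.bb
@@ -2,6 +2,9 @@ KBRANCH ?= "v6.1/standard/base"
 
 require recipes-kernel/linux/linux-yocto.inc
 
+# CVE exclusions
+include recipes-kernel/linux/cve-exclusion_6.1.inc
+
 # board specific branches
 KBRANCH:qemuarm ?= "v6.1/standard/arm-versatile-926ejs"
 KBRANCH:qemuarm64 ?= "v6.1/standard/qemuarm64"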