cve-extra-exclusions: ignore inapplicable linux-yocto CVEs

Multiple CVEs are patched in kernel but appear as active because the NVD database is not up to date. In common file cve-extra-exclusion.inc, CVEs are ignored if and only if all versions of kernel used are patched. In cve-exclusion_6.1.inc, only ignore CVEs that are patched in v6.1, and not patched in v5.15. Recipes of version 6.1 should include this file. Reviewed-by: Yoann Congal <yoann.congal@smile.fr> (From OE-Core rev: 5feb065f1b1aaf218f71cc9d31a9251b139b9442) Signed-off-by: Geoffrey GIRY <geoffrey.giry@smile.fr> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Geoffrey GIRY <geoffrey.giry@smile.fr> 2023-04-05 12:34:54 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-04-05 17:26:11 +0100
commit: b8bfd3b01b660d0536a272fafa0157aac2aaab0b (patch)
tree: 7a4516ff900d89fbb0f6bc974595e0271623f7d4 /meta/recipes-kernel/linux
parent: 0e5bdb623b0f3ca4d71eba56b54915905acbc7d9 (diff)
download: poky-b8bfd3b01b660d0536a272fafa0157aac2aaab0b.tar.gz
4 files changed, 24 insertions, 0 deletions
diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
new file mode 100644
index 0000000000..ec7ff9c1a7
--- /dev/null
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
@@ -0,0 +1,15 @@
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3523
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v6.1 16ce101db85db694a91380aa4c89b25530871d33
+CVE_CHECK_IGNORE += "CVE-2022-3523"
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3566
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v6.1 f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57
+CVE_CHECK_IGNORE += "CVE-2022-3566"
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3567
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v6.1 364f997b5cfe1db0d63a390fe7c801fa2b3115f6
+CVE_CHECK_IGNORE += "CVE-2022-3567"
diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb
index 5f79bc617b..2cf1b048c9 100644
--- a/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb
@@ -2,6 +2,9 @@ KBRANCH ?= "v6.1/standard/preempt-rt/base"
 require recipes-kernel/linux/linux-yocto.inc
+# CVE exclusions
+include recipes-kernel/linux/cve-exclusion_6.1.inc
 # Skip processing of this recipe if it is not explicitly specified as the
 # PREFERRED_PROVIDER for virtual/kernel. This avoids errors when trying
 # to build multiple virtual/kernel providers, e.g. as dependency of
diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb
index 58357d00c7..ff3bcad5db 100644
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb
@@ -5,6 +5,9 @@ KCONFIG_MODE = "--allnoconfig"
 require recipes-kernel/linux/linux-yocto.inc
+# CVE exclusions
+include recipes-kernel/linux/cve-exclusion_6.1.inc
 LINUX_VERSION ?= "6.1.20"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
diff --git a/meta/recipes-kernel/linux/linux-yocto_6.1.bb b/meta/recipes-kernel/linux/linux-yocto_6.1.bb
index 6f33032c00..033bc10e55 100644
--- a/meta/recipes-kernel/linux/linux-yocto_6.1.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_6.1.bb
@@ -2,6 +2,9 @@ KBRANCH ?= "v6.1/standard/base"
 require recipes-kernel/linux/linux-yocto.inc
+# CVE exclusions
+include recipes-kernel/linux/cve-exclusion_6.1.inc
 # board specific branches
 KBRANCH:qemuarm  ?= "v6.1/standard/arm-versatile-926ejs"
 KBRANCH:qemuarm64 ?= "v6.1/standard/qemuarm64"
author	Geoffrey GIRY <geoffrey.giry@smile.fr>	2023-04-05 12:34:54 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-04-05 17:26:11 +0100
commit	b8bfd3b01b660d0536a272fafa0157aac2aaab0b (patch)
tree	7a4516ff900d89fbb0f6bc974595e0271623f7d4 /meta/recipes-kernel/linux
parent	0e5bdb623b0f3ca4d71eba56b54915905acbc7d9 (diff)
download	poky-b8bfd3b01b660d0536a272fafa0157aac2aaab0b.tar.gz

diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc new file mode 100644 index 0000000000..ec7ff9c1a7 --- /dev/null +++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
@@ -0,0 +1,15 @@
		1	# https://nvd.nist.gov/vuln/detail/CVE-2022-3523
		2	# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
		3	# Patched in kernel since v6.1 16ce101db85db694a91380aa4c89b25530871d33
		4	CVE_CHECK_IGNORE += "CVE-2022-3523"
		5
		6	# https://nvd.nist.gov/vuln/detail/CVE-2022-3566
		7	# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
		8	# Patched in kernel since v6.1 f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57
		9	CVE_CHECK_IGNORE += "CVE-2022-3566"
		10
		11	# https://nvd.nist.gov/vuln/detail/CVE-2022-3567
		12	# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
		13	# Patched in kernel since v6.1 364f997b5cfe1db0d63a390fe7c801fa2b3115f6
		14	CVE_CHECK_IGNORE += "CVE-2022-3567"
		15


diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb index 5f79bc617b..2cf1b048c9 100644 --- a/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb +++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb
@@ -2,6 +2,9 @@ KBRANCH ?= "v6.1/standard/preempt-rt/base"
2		2
3	require recipes-kernel/linux/linux-yocto.inc	3	require recipes-kernel/linux/linux-yocto.inc
4		4
		5	# CVE exclusions
		6	include recipes-kernel/linux/cve-exclusion_6.1.inc
		7
5	# Skip processing of this recipe if it is not explicitly specified as the	8	# Skip processing of this recipe if it is not explicitly specified as the
6	# PREFERRED_PROVIDER for virtual/kernel. This avoids errors when trying	9	# PREFERRED_PROVIDER for virtual/kernel. This avoids errors when trying
7	# to build multiple virtual/kernel providers, e.g. as dependency of	10	# to build multiple virtual/kernel providers, e.g. as dependency of


diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb index 58357d00c7..ff3bcad5db 100644 --- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb +++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb
@@ -5,6 +5,9 @@ KCONFIG_MODE = "--allnoconfig"
5		5
6	require recipes-kernel/linux/linux-yocto.inc	6	require recipes-kernel/linux/linux-yocto.inc
7		7
		8	# CVE exclusions
		9	include recipes-kernel/linux/cve-exclusion_6.1.inc
		10
8	LINUX_VERSION ?= "6.1.20"	11	LINUX_VERSION ?= "6.1.20"
9	LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"	12	LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
10		13


diff --git a/meta/recipes-kernel/linux/linux-yocto_6.1.bb b/meta/recipes-kernel/linux/linux-yocto_6.1.bb index 6f33032c00..033bc10e55 100644 --- a/meta/recipes-kernel/linux/linux-yocto_6.1.bb +++ b/meta/recipes-kernel/linux/linux-yocto_6.1.bb
@@ -2,6 +2,9 @@ KBRANCH ?= "v6.1/standard/base"
2		2
3	require recipes-kernel/linux/linux-yocto.inc	3	require recipes-kernel/linux/linux-yocto.inc
4		4
		5	# CVE exclusions
		6	include recipes-kernel/linux/cve-exclusion_6.1.inc
		7
5	# board specific branches	8	# board specific branches
6	KBRANCH:qemuarm ?= "v6.1/standard/arm-versatile-926ejs"	9	KBRANCH:qemuarm ?= "v6.1/standard/arm-versatile-926ejs"
7	KBRANCH:qemuarm64 ?= "v6.1/standard/qemuarm64"	10	KBRANCH:qemuarm64 ?= "v6.1/standard/qemuarm64"