diff options
Diffstat (limited to 'documentation/dev-manual/vulnerabilities.rst')
-rw-r--r-- | documentation/dev-manual/vulnerabilities.rst | 293 |
1 files changed, 293 insertions, 0 deletions
diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst new file mode 100644 index 0000000000..1bc2a85929 --- /dev/null +++ b/documentation/dev-manual/vulnerabilities.rst | |||
@@ -0,0 +1,293 @@ | |||
1 | .. SPDX-License-Identifier: CC-BY-SA-2.0-UK | ||
2 | |||
3 | Checking for Vulnerabilities | ||
4 | **************************** | ||
5 | |||
6 | Vulnerabilities in Poky and OE-Core | ||
7 | =================================== | ||
8 | |||
9 | The Yocto Project has an infrastructure to track and address unfixed | ||
10 | known security vulnerabilities, as tracked by the public | ||
11 | :wikipedia:`Common Vulnerabilities and Exposures (CVE) <Common_Vulnerabilities_and_Exposures>` | ||
12 | database. | ||
13 | |||
14 | The Yocto Project maintains a `list of known vulnerabilities | ||
15 | <https://autobuilder.yocto.io/pub/non-release/patchmetrics/>`__ | ||
16 | for packages in Poky and OE-Core, tracking the evolution of the number of | ||
17 | unpatched CVEs and the status of patches. Such information is available for | ||
18 | the current development version and for each supported release. | ||
19 | |||
20 | Security is a process, not a product, and thus at any time, a number of security | ||
21 | issues may be impacting Poky and OE-Core. It is up to the maintainers, users, | ||
22 | contributors and anyone interested in the issues to investigate and possibly fix them by | ||
23 | updating software components to newer versions or by applying patches to address them. | ||
24 | It is recommended to work with Poky and OE-Core upstream maintainers and submit | ||
25 | patches to fix them, see ":doc:`../contributor-guide/submit-changes`" for details. | ||
26 | |||
27 | Vulnerability check at build time | ||
28 | ================================= | ||
29 | |||
30 | To enable a check for CVE security vulnerabilities using | ||
31 | :ref:`ref-classes-cve-check` in the specific image or target you are building, | ||
32 | add the following setting to your configuration:: | ||
33 | |||
34 | INHERIT += "cve-check" | ||
35 | |||
36 | The CVE database contains some old incomplete entries which have been | ||
37 | deemed not to impact Poky or OE-Core. These CVE entries can be excluded from the | ||
38 | check using build configuration:: | ||
39 | |||
40 | include conf/distro/include/cve-extra-exclusions.inc | ||
41 | |||
42 | With this CVE check enabled, BitBake build will try to map each compiled software component | ||
43 | recipe name and version information to the CVE database and generate recipe and | ||
44 | image specific reports. These reports will contain: | ||
45 | |||
46 | - metadata about the software component like names and versions | ||
47 | |||
48 | - metadata about the CVE issue such as description and NVD link | ||
49 | |||
50 | - for each software component, a list of CVEs which are possibly impacting this version | ||
51 | |||
52 | - status of each CVE: ``Patched``, ``Unpatched`` or ``Ignored`` | ||
53 | |||
54 | The status ``Patched`` means that a patch file to address the security issue has been | ||
55 | applied. ``Unpatched`` status means that no patches to address the issue have been | ||
56 | applied and that the issue needs to be investigated. ``Ignored`` means that after | ||
57 | analysis, it has been deemed to ignore the issue as it for example affects | ||
58 | the software component on a different operating system platform. | ||
59 | |||
60 | After a build with CVE check enabled, reports for each compiled source recipe will be | ||
61 | found in ``build/tmp/deploy/cve``. | ||
62 | |||
63 | For example the CVE check report for the ``flex-native`` recipe looks like:: | ||
64 | |||
65 | $ cat poky/build/tmp/deploy/cve/flex-native | ||
66 | LAYER: meta | ||
67 | PACKAGE NAME: flex-native | ||
68 | PACKAGE VERSION: 2.6.4 | ||
69 | CVE: CVE-2016-6354 | ||
70 | CVE STATUS: Patched | ||
71 | CVE SUMMARY: Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read. | ||
72 | CVSS v2 BASE SCORE: 7.5 | ||
73 | CVSS v3 BASE SCORE: 9.8 | ||
74 | VECTOR: NETWORK | ||
75 | MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6354 | ||
76 | |||
77 | LAYER: meta | ||
78 | PACKAGE NAME: flex-native | ||
79 | PACKAGE VERSION: 2.6.4 | ||
80 | CVE: CVE-2019-6293 | ||
81 | CVE STATUS: Ignored | ||
82 | CVE SUMMARY: An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service. | ||
83 | CVSS v2 BASE SCORE: 4.3 | ||
84 | CVSS v3 BASE SCORE: 5.5 | ||
85 | VECTOR: NETWORK | ||
86 | MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6293 | ||
87 | |||
88 | For images, a summary of all recipes included in the image and their CVEs is also | ||
89 | generated in textual and JSON formats. These ``.cve`` and ``.json`` reports can be found | ||
90 | in the ``tmp/deploy/images`` directory for each compiled image. | ||
91 | |||
92 | At build time CVE check will also throw warnings about ``Unpatched`` CVEs:: | ||
93 | |||
94 | WARNING: flex-2.6.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-6293), for more information check /poky/build/tmp/work/core2-64-poky-linux/flex/2.6.4-r0/temp/cve.log | ||
95 | WARNING: libarchive-3.5.1-r0 do_cve_check: Found unpatched CVE (CVE-2021-36976), for more information check /poky/build/tmp/work/core2-64-poky-linux/libarchive/3.5.1-r0/temp/cve.log | ||
96 | |||
97 | It is also possible to check the CVE status of individual packages as follows:: | ||
98 | |||
99 | bitbake -c cve_check flex libarchive | ||
100 | |||
101 | Fixing CVE product name and version mappings | ||
102 | ============================================ | ||
103 | |||
104 | By default, :ref:`ref-classes-cve-check` uses the recipe name :term:`BPN` as CVE | ||
105 | product name when querying the CVE database. If this mapping contains false positives, e.g. | ||
106 | some reported CVEs are not for the software component in question, or false negatives like | ||
107 | some CVEs are not found to impact the recipe when they should, then the problems can be | ||
108 | in the recipe name to CVE product mapping. These mapping issues can be fixed by setting | ||
109 | the :term:`CVE_PRODUCT` variable inside the recipe. This defines the name of the software component in the | ||
110 | upstream `NIST CVE database <https://nvd.nist.gov/>`__. | ||
111 | |||
112 | The variable supports using vendor and product names like this:: | ||
113 | |||
114 | CVE_PRODUCT = "flex_project:flex" | ||
115 | |||
116 | In this example the vendor name used in the CVE database is ``flex_project`` and the | ||
117 | product is ``flex``. With this setting the ``flex`` recipe only maps to this specific | ||
118 | product and not products from other vendors with same name ``flex``. | ||
119 | |||
120 | Similarly, when the recipe version :term:`PV` is not compatible with software versions used by | ||
121 | the upstream software component releases and the CVE database, these can be fixed using | ||
122 | the :term:`CVE_VERSION` variable. | ||
123 | |||
124 | Note that if the CVE entries in the NVD database contain bugs or have missing or incomplete | ||
125 | information, it is recommended to fix the information there directly instead of working | ||
126 | around the issues possibly for a long time in Poky and OE-Core side recipes. Feedback to | ||
127 | NVD about CVE entries can be provided through the `NVD contact form <https://nvd.nist.gov/info/contact-form>`__. | ||
128 | |||
129 | Fixing vulnerabilities in recipes | ||
130 | ================================= | ||
131 | |||
132 | Suppose a CVE security issue impacts a software component. In that case, it can | ||
133 | be fixed by updating to a newer version, by applying a patch, or by marking it | ||
134 | as patched via :term:`CVE_STATUS` variable flag. For Poky and OE-Core master | ||
135 | branches, updating to a more recent software component release with fixes is | ||
136 | the best option, but patches can be applied if releases are not yet available. | ||
137 | |||
138 | For stable branches, we want to avoid API (Application Programming Interface) | ||
139 | or ABI (Application Binary Interface) breakages. When submitting an update, | ||
140 | a minor version update of a component is preferred if the version is | ||
141 | backward-compatible. Many software components have backward-compatible stable | ||
142 | versions, with a notable example of the Linux kernel. However, if the new | ||
143 | version does or likely might introduce incompatibilities, extracting and | ||
144 | backporting patches is preferred. | ||
145 | |||
146 | Here is an example of fixing CVE security issues with patch files, | ||
147 | an example from the :oe_layerindex:`ffmpeg recipe for dunfell </layerindex/recipe/122174>`:: | ||
148 | |||
149 | SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ | ||
150 | file://mips64_cpu_detection.patch \ | ||
151 | file://CVE-2020-12284.patch \ | ||
152 | file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ | ||
153 | file://CVE-2021-3566.patch \ | ||
154 | file://CVE-2021-38291.patch \ | ||
155 | file://CVE-2022-1475.patch \ | ||
156 | file://CVE-2022-3109.patch \ | ||
157 | file://CVE-2022-3341.patch \ | ||
158 | file://CVE-2022-48434.patch \ | ||
159 | " | ||
160 | |||
161 | The recipe has both generic and security-related fixes. The CVE patch files are named | ||
162 | according to the CVE they fix. | ||
163 | |||
164 | When preparing the patch file, take the original patch from the upstream repository. | ||
165 | Do not use patches from different distributions, except if it is the only available source. | ||
166 | |||
167 | Modify the patch adding OE-related metadata. We will follow the example of the | ||
168 | ``CVE-2022-3341.patch``. | ||
169 | |||
170 | The original `commit message <https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e.patch/>`__ | ||
171 | is:: | ||
172 | |||
173 | From 9cf652cef49d74afe3d454f27d49eb1a1394951e Mon Sep 17 00:00:00 2001 | ||
174 | From: Jiasheng Jiang <jiasheng@iscas.ac.cn> | ||
175 | Date: Wed, 23 Feb 2022 10:31:59 +0800 | ||
176 | Subject: [PATCH] avformat/nutdec: Add check for avformat_new_stream | ||
177 | |||
178 | Check for failure of avformat_new_stream() and propagate | ||
179 | the error code. | ||
180 | |||
181 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
182 | --- | ||
183 | libavformat/nutdec.c | 16 ++++++++++++---- | ||
184 | 1 file changed, 12 insertions(+), 4 deletions(-) | ||
185 | |||
186 | |||
187 | For the correct operations of the ``cve-check``, it requires the CVE | ||
188 | identification in a ``CVE:`` tag of the patch file commit message using | ||
189 | the format:: | ||
190 | |||
191 | CVE: CVE-2022-3341 | ||
192 | |||
193 | It is also recommended to add the ``Upstream-Status:`` tag with a link | ||
194 | to the original patch and sign-off by people working on the backport. | ||
195 | If there are any modifications to the original patch, note them in | ||
196 | the ``Comments:`` tag. | ||
197 | |||
198 | With the additional information, the header of the patch file in OE-core becomes:: | ||
199 | |||
200 | From 9cf652cef49d74afe3d454f27d49eb1a1394951e Mon Sep 17 00:00:00 2001 | ||
201 | From: Jiasheng Jiang <jiasheng@iscas.ac.cn> | ||
202 | Date: Wed, 23 Feb 2022 10:31:59 +0800 | ||
203 | Subject: [PATCH] avformat/nutdec: Add check for avformat_new_stream | ||
204 | |||
205 | Check for failure of avformat_new_stream() and propagate | ||
206 | the error code. | ||
207 | |||
208 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | ||
209 | |||
210 | CVE: CVE-2022-3341 | ||
211 | |||
212 | Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e] | ||
213 | |||
214 | Comments: Refreshed Hunk | ||
215 | Signed-off-by: Narpat Mali <narpat.mali@windriver.com> | ||
216 | Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> | ||
217 | --- | ||
218 | libavformat/nutdec.c | 16 ++++++++++++---- | ||
219 | 1 file changed, 12 insertions(+), 4 deletions(-) | ||
220 | |||
221 | A good practice is to include the CVE identifier in the patch file name, the patch file | ||
222 | commit message and optionally in the recipe commit message. | ||
223 | |||
224 | CVE checker will then capture this information and change the CVE status to ``Patched`` | ||
225 | in the generated reports. | ||
226 | |||
227 | If analysis shows that the CVE issue does not impact the recipe due to configuration, platform, | ||
228 | version or other reasons, the CVE can be marked as ``Ignored`` by using | ||
229 | the :term:`CVE_STATUS` variable flag with appropriate reason which is mapped to ``Ignored``. | ||
230 | The entry should have the format like:: | ||
231 | |||
232 | CVE_STATUS[CVE-2016-10642] = "cpe-incorrect: This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded" | ||
233 | |||
234 | As mentioned previously, if data in the CVE database is wrong, it is recommended | ||
235 | to fix those issues in the CVE database (NVD in the case of OE-core and Poky) | ||
236 | directly. | ||
237 | |||
238 | Note that if there are many CVEs with the same status and reason, those can be | ||
239 | shared by using the :term:`CVE_STATUS_GROUPS` variable. | ||
240 | |||
241 | Recipes can be completely skipped by CVE check by including the recipe name in | ||
242 | the :term:`CVE_CHECK_SKIP_RECIPE` variable. | ||
243 | |||
244 | Implementation details | ||
245 | ====================== | ||
246 | |||
247 | Here's what the :ref:`ref-classes-cve-check` class does to find unpatched CVE IDs. | ||
248 | |||
249 | First the code goes through each patch file provided by a recipe. If a valid CVE ID | ||
250 | is found in the name of the file, the corresponding CVE is considered as patched. | ||
251 | Don't forget that if multiple CVE IDs are found in the filename, only the last | ||
252 | one is considered. Then, the code looks for ``CVE: CVE-ID`` lines in the patch | ||
253 | file. The found CVE IDs are also considered as patched. | ||
254 | Additionally ``CVE_STATUS`` variable flags are parsed for reasons mapped to ``Patched`` | ||
255 | and these are also considered as patched. | ||
256 | |||
257 | Then, the code looks up all the CVE IDs in the NIST database for all the | ||
258 | products defined in :term:`CVE_PRODUCT`. Then, for each found CVE: | ||
259 | |||
260 | - If the package name (:term:`PN`) is part of | ||
261 | :term:`CVE_CHECK_SKIP_RECIPE`, it is considered as ``Patched``. | ||
262 | |||
263 | - If the CVE ID has status ``CVE_STATUS[<CVE ID>] = "ignored"`` or if it's set to | ||
264 | any reason which is mapped to status ``Ignored`` via ``CVE_CHECK_STATUSMAP``, | ||
265 | it is set as ``Ignored``. | ||
266 | |||
267 | - If the CVE ID is part of the patched CVE for the recipe, it is | ||
268 | already considered as ``Patched``. | ||
269 | |||
270 | - Otherwise, the code checks whether the recipe version (:term:`PV`) | ||
271 | is within the range of versions impacted by the CVE. If so, the CVE | ||
272 | is considered as ``Unpatched``. | ||
273 | |||
274 | The CVE database is stored in :term:`DL_DIR` and can be inspected using | ||
275 | ``sqlite3`` command as follows:: | ||
276 | |||
277 | sqlite3 downloads/CVE_CHECK/nvdcve_1.1.db .dump | grep CVE-2021-37462 | ||
278 | |||
279 | When analyzing CVEs, it is recommended to: | ||
280 | |||
281 | - study the latest information in `CVE database <https://nvd.nist.gov/vuln/search>`__. | ||
282 | |||
283 | - check how upstream developers of the software component addressed the issue, e.g. | ||
284 | what patch was applied, which upstream release contains the fix. | ||
285 | |||
286 | - check what other Linux distributions like `Debian <https://security-tracker.debian.org/tracker/>`__ | ||
287 | did to analyze and address the issue. | ||
288 | |||
289 | - follow security notices from other Linux distributions. | ||
290 | |||
291 | - follow public `open source security mailing lists <https://oss-security.openwall.org/wiki/mailing-lists>`__ for | ||
292 | discussions and advance notifications of CVE bugs and software releases with fixes. | ||
293 | |||