Mirror of git.yoctoproject.org/poky https://git.enea.com/cgit/linux/poky.git/atom?h=sumo-next 2019-11-07T19:47:27+00:00 2019-11-07T19:47:27+00:00 Ross Burton ross.burton@intel.com 2019-11-06T15:37:44+00:00 urn:sha1:e00981bb10e3717b96a4c4445767adf1b13be58a (From OE-Core rev: f6a456fed7286e1304cd776bb2f740c462c9b4b1) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-11-07T19:47:27+00:00 Ross Burton ross.burton@intel.com 2019-11-06T15:37:43+00:00 urn:sha1:09e2a518ecba0d3e783ca590150bc19c69de4fea CVEs that are whitelisted or were not vulnerable when there are version comparisons were not included in the report, so alter the logic to ensure that all relevant CVEs are in the report for completeness. (From OE-Core rev: 98256ff05fcfe9d5ccad360582c36eafb577c264) (From OE-Core rev: 301887fc4b726e1040e1ff2045c70562624dc961) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-11-07T19:47:26+00:00 Pierre Le Magourou pierre.lemagourou@softbankrobotics.com 2019-11-06T15:37:36+00:00 urn:sha1:731e27f75eb513a064d9b074ed14497b40ffc729 djb2 hash algorithm was found to do collisions, so the database was sometime missing data. Remove this hash mechanism, clear and populate elements from scratch in PRODUCTS table if the current year needs an update. (From OE-Core rev: 78de2cb39d74b030cd4ec811bf6f9a6daa003d19) (From OE-Core rev: e6541c6add1714938a81cca394886893cf24cdb0) Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-11-07T19:47:26+00:00 Pierre Le Magourou pierre.lemagourou@softbankrobotics.com 2019-11-06T15:37:33+00:00 urn:sha1:be0549c677e3be922476b1b43e54765957efff43 CVE_CHECK_WHITELIST does not contain version anymore, as it was not used. This variable should be set per recipe. (From OE-Core rev: 7069302a4ccbb5b72e1902f284cf078516fd7294) (From OE-Core rev: 8dd899679fc881d02e081d1e0814252d604dd479) Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-11-07T19:47:26+00:00 Ross Burton ross.burton@intel.com 2019-11-06T15:37:32+00:00 urn:sha1:67a89b3a42c2e0c2bbb8c443bef45de03411a44b Some product names are too vague to be searched without also matching the vendor, for example Flex could be the parser compiler we ship, or Adobe Flex, or Apache Flex, or IBM Flex. If entries in CVE_PRODUCT contain a colon then split it as vendor:product to improve the search. Also don't use .format() to construct SQL as that can lead to security issues. Instead, use ? placeholders and lets sqlite3 handle the escaping. (From OE-Core rev: e6bf90009877d00243417898700d2320fd87b39c) (From OE-Core rev: 0851d68b4679a7035029d28091d9a6b21d266c99) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-11-07T19:47:26+00:00 Mikko Rapeli mikko.rapeli@bmw.de 2019-11-06T15:37:31+00:00 urn:sha1:79c410fc2a4bba84320f6efd0fe31af9df26a919 Fixes build failure with core-image-minimal: Exception: UnboundLocalError: local variable 'to_append' referenced before assignment (From OE-Core rev: 270ac00cb43d0614dfe1c95f960c76e9e5fa20d4) (From OE-Core rev: 45758c900ff738e58fd37ff809960965867d79f8) Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-11-07T19:47:26+00:00 Ross Burton ross.burton@intel.com 2019-11-06T15:37:30+00:00 urn:sha1:7297cbd01ffe31a024b13a3ff2450f70df6aa7d1 As glibc will be scanned for CVEs, we don't need to scan glibc-locale, glibc-mtrace, and glibc-scripts which are all separate recipes for technical reasons. Exclude the recipes by setting CVE_PRODUCT in the recipe, instead of using the global whitelist. (From OE-Core rev: 1f9a963b9ff7ebe052ba54b9fcbdf7d09478dd17) (From OE-Core rev: 2b9f1b654c726e7c7b2fe8710d60ca10212295f5) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-11-07T19:47:26+00:00 Ross Burton ross.burton@intel.com 2019-11-06T15:37:28+00:00 urn:sha1:ee44763ef5922e6d5a4097327ced1b76d090b2a5 CVE-2014-2524 is a readline CVE that was fixed in 6.3patch3 onwards, but the tooling wasn't able to detect this version. As we now ship readline 8 we don't need to manually whitelist it, and if we did then the whitelisting should be in the readline recipe. (From OE-Core rev: 07bb8b25e172aa5c8ae96b6e8eb4ac901b835219) (From OE-Core rev: c7f23d4e53d039838536f71996ad896c977cf138) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-11-07T19:47:26+00:00 Pierre Le Magourou pierre.lemagourou@softbankrobotics.com 2019-11-06T15:37:27+00:00 urn:sha1:74b562e1cedc484cf417b98d67a5ee37a340dc3b Now that cve-update-db added CPE information to NVD database. We can check for unpatched versions with operators '<', '<=', '>', and '>='. (From OE-Core rev: bc0195be1b15bcffe60127bc5e8b7011a853c2ed) (From OE-Core rev: 48793a3b74bfaa5ffe6191d21f64aef3720433db) Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-11-07T19:47:26+00:00 Pierre Le Magourou pierre.lemagourou@softbankrobotics.com 2019-11-06T15:37:26+00:00 urn:sha1:470ea72f1cfdf3702e933cf4c73e63da756b3981 do_populate_cve_db is a native task. (From OE-Core rev: 4078da92b49946848cddebe1735f301af161e162) (From OE-Core rev: 5d6cbab419770eb556b57445fd5509339d3142b4) Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Conflicts: meta/conf/distro/include/maintainers.inc