linux/generate-cve-exclusions: fix mishandling of boundary values

affected_versions in kernel_cves.json does not mean "first affected version to last affected version" but actually "first affected version to fixed version". Therefore, the variable names, conditional expressions, and CVE_STATUS descriptions should be fixed. For example, when the script was run against v6.1, if affected_versions was "xxx to 6.1", the output was "cpe-stable-backport: Backported in 6.1", but this should be "fixed-version: Fixed from version 6.1". (From OE-Core rev: a0cafa6587acf2b41f0e832d06de884ffe62fd4b) Signed-off-by: Yuta Hayama <hayama@lineo.co.jp> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit 2064b2f9b92e2dff45dab633598b5ed37145d0b6) Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Yuta Hayama <hayama@lineo.co.jp> 2023-09-05 16:29:06 +0900
committer: Steve Sakoman <steve@sakoman.com> 2023-10-13 04:31:04 -1000
commit: af312b14fae9215f1a992ff936b7eaa155dbe2eb (patch)
tree: f2dad26a4dc5392b01ba471409c81804cb0439f0
parent: 5e7d38bb7ad1ce674e41bf30f7c681bad00f65cb (diff)
download: poky-af312b14fae9215f1a992ff936b7eaa155dbe2eb.tar.gz
1 files changed, 7 insertions, 7 deletions
diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py b/meta/recipes-kernel/linux/generate-cve-exclusions.py
index ef47f39c1b..b52c75c18c 100755
--- a/meta/recipes-kernel/linux/generate-cve-exclusions.py
+++ b/meta/recipes-kernel/linux/generate-cve-exclusions.py
@@ -62,18 +62,18 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version"
            continue
        affected = data["affected_versions"]
-        first_affected, last_affected = re.search(r"(.+) to (.+)", affected).groups()
+        first_affected, fixed = re.search(r"(.+) to (.+)", affected).groups()
        first_affected = parse_version(first_affected)
-        last_affected = parse_version(last_affected)
+        fixed = parse_version(fixed)
        handled = False
-        if not last_affected:
+        if not fixed:
            print(f"# {cve} has no known resolution")
        elif first_affected and version < first_affected:
            print(f"# fixed-version: only affects {first_affected} onwards")
            handled = True
-        elif last_affected < version:
+        elif fixed <= version:
-            print(f"# fixed-version: Fixed after version {last_affected}")
+            print(f"# fixed-version: Fixed from version {fixed}")
            handled = True
        else:
            if cve in stream_data:
@@ -87,9 +87,9 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version"
                        # TODO print a note that the kernel needs bumping
                        print(f"# {cve} needs backporting (fixed from {backport_ver})")
                else:
-                    print(f"# {cve} needs backporting (fixed from {last_affected})")
+                    print(f"# {cve} needs backporting (fixed from {fixed})")
            else:
-                print(f"# {cve} needs backporting (fixed from {last_affected})")
+                print(f"# {cve} needs backporting (fixed from {fixed})")
        if handled:
            print(f'CVE_CHECK_IGNORE += "{cve}"')
author	Yuta Hayama <hayama@lineo.co.jp>	2023-09-05 16:29:06 +0900
committer	Steve Sakoman <steve@sakoman.com>	2023-10-13 04:31:04 -1000
commit	af312b14fae9215f1a992ff936b7eaa155dbe2eb (patch)
tree	f2dad26a4dc5392b01ba471409c81804cb0439f0
parent	5e7d38bb7ad1ce674e41bf30f7c681bad00f65cb (diff)
download	poky-af312b14fae9215f1a992ff936b7eaa155dbe2eb.tar.gz

diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py b/meta/recipes-kernel/linux/generate-cve-exclusions.py index ef47f39c1b..b52c75c18c 100755 --- a/meta/recipes-kernel/linux/generate-cve-exclusions.py +++ b/meta/recipes-kernel/linux/generate-cve-exclusions.py
@@ -62,18 +62,18 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version"
62	continue	62	continue
63		63
64	affected = data["affected_versions"]	64	affected = data["affected_versions"]
65	first_affected, last_affected = re.search(r"(.+) to (.+)", affected).groups()	65	first_affected, fixed = re.search(r"(.+) to (.+)", affected).groups()
66	first_affected = parse_version(first_affected)	66	first_affected = parse_version(first_affected)
67	last_affected = parse_version(last_affected)	67	fixed = parse_version(fixed)
68		68
69	handled = False	69	handled = False
70	if not last_affected:	70	if not fixed:
71	print(f"# {cve} has no known resolution")	71	print(f"# {cve} has no known resolution")
72	elif first_affected and version < first_affected:	72	elif first_affected and version < first_affected:
73	print(f"# fixed-version: only affects {first_affected} onwards")	73	print(f"# fixed-version: only affects {first_affected} onwards")
74	handled = True	74	handled = True
75	elif last_affected < version:	75	elif fixed <= version:
76	print(f"# fixed-version: Fixed after version {last_affected}")	76	print(f"# fixed-version: Fixed from version {fixed}")
77	handled = True	77	handled = True
78	else:	78	else:
79	if cve in stream_data:	79	if cve in stream_data:
@@ -87,9 +87,9 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version"
87	# TODO print a note that the kernel needs bumping	87	# TODO print a note that the kernel needs bumping
88	print(f"# {cve} needs backporting (fixed from {backport_ver})")	88	print(f"# {cve} needs backporting (fixed from {backport_ver})")
89	else:	89	else:
90	print(f"# {cve} needs backporting (fixed from {last_affected})")	90	print(f"# {cve} needs backporting (fixed from {fixed})")
91	else:	91	else:
92	print(f"# {cve} needs backporting (fixed from {last_affected})")	92	print(f"# {cve} needs backporting (fixed from {fixed})")
93		93
94	if handled:	94	if handled:
95	print(f'CVE_CHECK_IGNORE += "{cve}"')	95	print(f'CVE_CHECK_IGNORE += "{cve}"')