diff options
| author | Yuta Hayama <hayama@lineo.co.jp> | 2023-09-05 16:29:06 +0900 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-09-07 14:52:04 +0100 |
| commit | 3b9c48837fe80a3c25f596006f17ae75bcc62054 (patch) | |
| tree | 3f9d78ff81b7bec628b37c94b490b2ebeaee4322 | |
| parent | 7cf595a49b417bcdd0b22c84f66ebaaf9bd5db55 (diff) | |
| download | poky-3b9c48837fe80a3c25f596006f17ae75bcc62054.tar.gz | |
linux/generate-cve-exclusions: fix mishandling of boundary values
affected_versions in kernel_cves.json does not mean "first affected version
to last affected version" but actually "first affected version to fixed
version". Therefore, the variable names, conditional expressions, and
CVE_STATUS descriptions should be fixed.
For example, when the script was run against v6.1, if affected_versions was
"xxx to 6.1", the output was "cpe-stable-backport: Backported in 6.1", but
this should be "fixed-version: Fixed from version 6.1".
(From OE-Core rev: 2064b2f9b92e2dff45dab633598b5ed37145d0b6)
Signed-off-by: Yuta Hayama <hayama@lineo.co.jp>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rwxr-xr-x | meta/recipes-kernel/linux/generate-cve-exclusions.py | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/meta/recipes-kernel/linux/generate-cve-exclusions.py b/meta/recipes-kernel/linux/generate-cve-exclusions.py index 7e61abd202..aa9195aab4 100755 --- a/meta/recipes-kernel/linux/generate-cve-exclusions.py +++ b/meta/recipes-kernel/linux/generate-cve-exclusions.py | |||
| @@ -62,17 +62,17 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version" | |||
| 62 | continue | 62 | continue |
| 63 | 63 | ||
| 64 | affected = data["affected_versions"] | 64 | affected = data["affected_versions"] |
| 65 | first_affected, last_affected = re.search(r"(.+) to (.+)", affected).groups() | 65 | first_affected, fixed = re.search(r"(.+) to (.+)", affected).groups() |
| 66 | first_affected = parse_version(first_affected) | 66 | first_affected = parse_version(first_affected) |
| 67 | last_affected = parse_version(last_affected) | 67 | fixed = parse_version(fixed) |
| 68 | 68 | ||
| 69 | if not last_affected: | 69 | if not fixed: |
| 70 | print(f"# {cve} has no known resolution") | 70 | print(f"# {cve} has no known resolution") |
| 71 | elif first_affected and version < first_affected: | 71 | elif first_affected and version < first_affected: |
| 72 | print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"') | 72 | print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"') |
| 73 | elif last_affected < version: | 73 | elif fixed <= version: |
| 74 | print( | 74 | print( |
| 75 | f'CVE_STATUS[{cve}] = "fixed-version: Fixed after version {last_affected}"' | 75 | f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"' |
| 76 | ) | 76 | ) |
| 77 | else: | 77 | else: |
| 78 | if cve in stream_data: | 78 | if cve in stream_data: |
| @@ -87,9 +87,9 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version" | |||
| 87 | # TODO print a note that the kernel needs bumping | 87 | # TODO print a note that the kernel needs bumping |
| 88 | print(f"# {cve} needs backporting (fixed from {backport_ver})") | 88 | print(f"# {cve} needs backporting (fixed from {backport_ver})") |
| 89 | else: | 89 | else: |
| 90 | print(f"# {cve} needs backporting (fixed from {last_affected})") | 90 | print(f"# {cve} needs backporting (fixed from {fixed})") |
| 91 | else: | 91 | else: |
| 92 | print(f"# {cve} needs backporting (fixed from {last_affected})") | 92 | print(f"# {cve} needs backporting (fixed from {fixed})") |
| 93 | 93 | ||
| 94 | print() | 94 | print() |
| 95 | 95 | ||