diff options
| author | Peter Marko <peter.marko@siemens.com> | 2024-09-28 19:57:41 +0200 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2024-10-07 05:43:22 -0700 |
| commit | 808700d130d0055add82c0a5d47e48ab20e99547 (patch) | |
| tree | abf6302c2641aaa7bf645427600bf1307036add5 | |
| parent | 3a172a5aa568d51c9a16cdecf63df67317c4d9d1 (diff) | |
| download | poky-808700d130d0055add82c0a5d47e48ab20e99547.tar.gz | |
wpa-supplicant: Ignore CVE-2024-5290
NVD CVE report [1] links Ubuntu bug [2] which has a very good
description/discussion about this issue.
It applies only to distros patching wpa-supplicant to allow non-root
users (e.g. via netdev group) to load modules.
This is not the case of Yocto.
Quote:
So upstream isn't vulnerable as they only expose the dbus interface to
root. Downstreams like Ubuntu and Chromium added a patch that grants
access to the netdev group. The patch is the problem, not the upstream
code IMHO.
There is also a commit [3] associated with this CVE, however that only
provides build-time configuration to limit paths which can be accessed
but it acts only as a mitigation for distros which allow non-root users
to load crafted modules.
[1] https://nvd.nist.gov/vuln/detail/CVE-2024-5290
[2] https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/2067613
[3] https://w1.fi/cgit/hostap/commit/?id=c84388ee4c66bcd310db57489eac4a75fc600747
(From OE-Core rev: 603047ab3c85009c384793cdbdd8e6ae1aebd737)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb index 70f1fd6fc9..696176907c 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb | |||
| @@ -31,6 +31,9 @@ SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7 | |||
| 31 | 31 | ||
| 32 | CVE_PRODUCT = "wpa_supplicant" | 32 | CVE_PRODUCT = "wpa_supplicant" |
| 33 | 33 | ||
| 34 | # not-applicable-platform: this only affects Ubuntu and other platforms patching wpa-supplicant | ||
| 35 | CVE_CHECK_IGNORE += "CVE-2024-5290" | ||
| 36 | |||
| 34 | S = "${WORKDIR}/wpa_supplicant-${PV}" | 37 | S = "${WORKDIR}/wpa_supplicant-${PV}" |
| 35 | 38 | ||
| 36 | PACKAGES:prepend = "wpa-supplicant-passphrase wpa-supplicant-cli " | 39 | PACKAGES:prepend = "wpa-supplicant-passphrase wpa-supplicant-cli " |
