diff options
| author | Roland Hieber <rhi@pengutronix.de> | 2023-09-22 12:00:03 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-09-25 14:37:26 +0100 |
| commit | 975e974eb1b67e93d5c36492af373c0aa46d206f (patch) | |
| tree | 1cd45e40fd96140788947ac6878bcc74849a1048 /documentation | |
| parent | 653ac666c430c37c32df1b9e633c68214003e85c (diff) | |
| download | poky-975e974eb1b67e93d5c36492af373c0aa46d206f.tar.gz | |
contributor-guide: recipe-style-guide: add section about CVE patches
This was previously included in the OpenEmbedded wiki page [1], but was
not ported along with the rest in commit 95c9a1e1e78bbfb82ade
(2023-09-12, Michael Opdenacker: "contributor-guide: recipe-style-guide:
add Upstream-Status").
[1]: https://www.openembedded.org/index.php?title=Commit_Patch_Message_Guidelines&oldid=10935
Group the examples in their own sections (but name it differently from
any other section in this document so that sphinx doesn't generate a
warning about duplicate labels).
(From yocto-docs rev: 3022caa35efc28d16dea81bc81ecb48998c8f3b8)
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
Reviewed-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'documentation')
| -rw-r--r-- | documentation/contributor-guide/recipe-style-guide.rst | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/documentation/contributor-guide/recipe-style-guide.rst b/documentation/contributor-guide/recipe-style-guide.rst index 7906e5e5d9..5cbcb23b3a 100644 --- a/documentation/contributor-guide/recipe-style-guide.rst +++ b/documentation/contributor-guide/recipe-style-guide.rst | |||
| @@ -370,3 +370,28 @@ Here's a patch that has been backported from an upstream commit:: | |||
| 370 | include missing sys/file.h for LOCK_EX | 370 | include missing sys/file.h for LOCK_EX |
| 371 | 371 | ||
| 372 | Upstream-Status: Backport [https://github.com/systemd/systemd/commit/ac8db36cbc26694ee94beecc8dca208ec4b5fd45] | 372 | Upstream-Status: Backport [https://github.com/systemd/systemd/commit/ac8db36cbc26694ee94beecc8dca208ec4b5fd45] |
| 373 | |||
| 374 | CVE patches | ||
| 375 | =========== | ||
| 376 | |||
| 377 | In order to have a better control of vulnerabilities, patches that fix CVEs must | ||
| 378 | contain a ``CVE:`` tag. This tag list all CVEs fixed by the patch. If more than | ||
| 379 | one CVE is fixed, separate them using spaces. | ||
| 380 | |||
| 381 | CVE Examples | ||
| 382 | ------------ | ||
| 383 | |||
| 384 | This should be the header of patch that fixes :cve:`2015-8370` in GRUB2:: | ||
| 385 | |||
| 386 | grub2: Fix CVE-2015-8370 | ||
| 387 | |||
| 388 | [No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1286966 | ||
| 389 | |||
| 390 | Back to 28; Grub2 Authentication | ||
| 391 | |||
| 392 | Two functions suffer from integer underflow fault; the grub_username_get() and grub_password_get()located in | ||
| 393 | grub-core/normal/auth.c and lib/crypto.c respectively. This can be exploited to obtain a Grub rescue shell. | ||
| 394 | |||
| 395 | Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/grub.git/commit/?id=451d80e52d851432e109771bb8febafca7a5f1f2] | ||
| 396 | CVE: CVE-2015-8370 | ||
| 397 | Signed-off-by: Joe Developer <joe.developer@example.com> | ||