diff options
| author | Peter Marko <peter.marko@siemens.com> | 2024-09-28 17:43:48 +0200 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2024-10-29 05:51:03 -0700 |
| commit | 1111dd3ba1d4af04c4a5ee5e4e032648eb523433 (patch) | |
| tree | b84639667ea3c91d0e94852e23eb265a4e857c37 /scripts/lib/devtool/__init__.py | |
| parent | 86bc5dca182a3fe774e17811a82177a68b27a6bb (diff) | |
| download | poky-1111dd3ba1d4af04c4a5ee5e4e032648eb523433.tar.gz | |
wpa-supplicant: Ignore CVE-2024-5290
NVD CVE report [1] links Ubuntu bug [2] which has a very good
description/discussion about this issue.
It applies only to distros patching wpa-supplicant to allow non-root
users (e.g. via netdev group) to load modules.
This is not the case of Yocto.
Quote:
So upstream isn't vulnerable as they only expose the dbus interface to
root. Downstreams like Ubuntu and Chromium added a patch that grants
access to the netdev group. The patch is the problem, not the upstream
code IMHO.
There is also a commit [3] associated with this CVE, however that only
provides build-time configuration to limit paths which can be accessed
but it acts only as a mitigation for distros which allow non-root users
to load crafted modules.
The patch is included in version 2.11, however NVD has this CVE
version-less, so explicit ignore is necessary.
[1] https://nvd.nist.gov/vuln/detail/CVE-2024-5290
[2] https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/2067613
[3] https://w1.fi/cgit/hostap/commit/?id=c84388ee4c66bcd310db57489eac4a75fc600747
(From OE-Core rev: 617cf25b0f49b732f961f1fa4d1390e8e883f12b)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 6cb794d44a8624784ec0f76dca764616d81ffbf5)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'scripts/lib/devtool/__init__.py')
0 files changed, 0 insertions, 0 deletions