wpa-supplicant: Ignore CVE-2024-5290 - linux/poky.git - Mirror of git.yoctoproject.org/poky

diff options

author	Peter Marko <peter.marko@siemens.com>	2024-09-28 17:43:48 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2024-10-01 12:40:48 +0100
commit	0d410d56bf66d88f5b8176a7adab14d3a2f1941d (patch)
tree	58199f152671eb842cd840dc81c081c96d4c2832 /scripts/lib/devtool/build.py
parent	96814b5d06da46d7b787d7c8044597b8dd7f42e5 (diff)
download	poky-0d410d56bf66d88f5b8176a7adab14d3a2f1941d.tar.gz

wpa-supplicant: Ignore CVE-2024-5290

NVD CVE report [1] links Ubuntu bug [2] which has a very good description/discussion about this issue. It applies only to distros patching wpa-supplicant to allow non-root users (e.g. via netdev group) to load modules. This is not the case of Yocto. Quote: So upstream isn't vulnerable as they only expose the dbus interface to root. Downstreams like Ubuntu and Chromium added a patch that grants access to the netdev group. The patch is the problem, not the upstream code IMHO. There is also a commit [3] associated with this CVE, however that only provides build-time configuration to limit paths which can be accessed but it acts only as a mitigation for distros which allow non-root users to load crafted modules. The patch is included in version 2.11, however NVD has this CVE version-less, so explicit ignore is necessary. [1] https://nvd.nist.gov/vuln/detail/CVE-2024-5290 [2] https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/2067613 [3] https://w1.fi/cgit/hostap/commit/?id=c84388ee4c66bcd310db57489eac4a75fc600747 (From OE-Core rev: 6cb794d44a8624784ec0f76dca764616d81ffbf5) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Diffstat (limited to 'scripts/lib/devtool/build.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: