1 files changed, 91 insertions, 20 deletions
diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst
index c492b62ffd..1bc2a85929 100644
--- a/documentation/dev-manual/vulnerabilities.rst
+++ b/documentation/dev-manual/vulnerabilities.rst
@@ -129,31 +129,97 @@ NVD about CVE entries can be provided through the `NVD contact form <https://nvd
 Fixing vulnerabilities in recipes
 =================================
-If a CVE security issue impacts a software component, it can be fixed by updating to a newer
+Suppose a CVE security issue impacts a software component. In that case, it can
-version of the software component, by applying a patch or by marking it as patched via
+be fixed by updating to a newer version, by applying a patch, or by marking it
-:term:`CVE_STATUS` variable flag. For Poky and OE-Core master branches, updating
+as patched via :term:`CVE_STATUS` variable flag. For Poky and OE-Core master
-to a newer software component release with fixes is the best option, but patches can be applied
+branches, updating to a more recent software component release with fixes is
-if releases are not yet available.
+the best option, but patches can be applied if releases are not yet available.
-For stable branches, it is preferred to apply patches for the issues. For some software
+For stable branches, we want to avoid API (Application Programming Interface)
-components minor version updates can also be applied if they are backwards compatible.
+or ABI (Application Binary Interface) breakages. When submitting an update,
+a minor version update of a component is preferred if the version is
+backward-compatible. Many software components have backward-compatible stable
+versions, with a notable example of the Linux kernel. However, if the new
+version does or likely might introduce incompatibilities, extracting and
+backporting patches is preferred.
 Here is an example of fixing CVE security issues with patch files,
-an example from the :oe_layerindex:`ffmpeg recipe</layerindex/recipe/47350>`::
+an example from the :oe_layerindex:`ffmpeg recipe for dunfell </layerindex/recipe/122174>`::
   SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
+              file://mips64_cpu_detection.patch \
+              file://CVE-2020-12284.patch \
              file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
-              file://fix-CVE-2020-20446.patch \
+              file://CVE-2021-3566.patch \
-              file://fix-CVE-2020-20453.patch \
+              file://CVE-2021-38291.patch \
-              file://fix-CVE-2020-22015.patch \
+              file://CVE-2022-1475.patch \
-              file://fix-CVE-2020-22021.patch \
+              file://CVE-2022-3109.patch \
-              file://fix-CVE-2020-22033-CVE-2020-22019.patch \
+              file://CVE-2022-3341.patch \
-              file://fix-CVE-2021-33815.patch \
+              file://CVE-2022-48434.patch \
+          "
+The recipe has both generic and security-related fixes. The CVE patch files are named
+according to the CVE they fix.
+When preparing the patch file, take the original patch from the upstream repository.
+Do not use patches from different distributions, except if it is the only available source.
+Modify the patch adding OE-related metadata. We will follow the example of the
+``CVE-2022-3341.patch``.
+The original `commit message <https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e.patch/>`__
+is::
+   From 9cf652cef49d74afe3d454f27d49eb1a1394951e Mon Sep 17 00:00:00 2001
+   From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+   Date: Wed, 23 Feb 2022 10:31:59 +0800
+   Subject: [PATCH] avformat/nutdec: Add check for avformat_new_stream
+   Check for failure of avformat_new_stream() and propagate
+   the error code.
+   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+   ---
+    libavformat/nutdec.c | 16 ++++++++++++----
+    1 file changed, 12 insertions(+), 4 deletions(-)
+For the correct operations of the ``cve-check``, it requires the CVE
+identification in a ``CVE:`` tag of the patch file commit message using
+the format::
-A good practice is to include the CVE identifier in both the patch file name
+   CVE: CVE-2022-3341
-and inside the patch file commit message using the format::
-   CVE: CVE-2020-22033
+It is also recommended to add the ``Upstream-Status:`` tag with a link
+to the original patch and sign-off by people working on the backport.
+If there are any modifications to the original patch, note them in
+the ``Comments:`` tag.
+With the additional information, the header of the patch file in OE-core becomes::
+   From 9cf652cef49d74afe3d454f27d49eb1a1394951e Mon Sep 17 00:00:00 2001
+   From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+   Date: Wed, 23 Feb 2022 10:31:59 +0800
+   Subject: [PATCH] avformat/nutdec: Add check for avformat_new_stream
+   Check for failure of avformat_new_stream() and propagate
+   the error code.
+   Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
+   CVE: CVE-2022-3341
+   Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e]
+   Comments: Refreshed Hunk
+   Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+   Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
+   ---
+    libavformat/nutdec.c | 16 ++++++++++++----
+    1 file changed, 12 insertions(+), 4 deletions(-)
+A good practice is to include the CVE identifier in the patch file name, the patch file
+commit message and optionally in the recipe commit message.
 CVE checker will then capture this information and change the CVE status to ``Patched``
 in the generated reports.
@@ -161,8 +227,13 @@ in the generated reports.
 If analysis shows that the CVE issue does not impact the recipe due to configuration, platform,
 version or other reasons, the CVE can be marked as ``Ignored`` by using
 the :term:`CVE_STATUS` variable flag with appropriate reason which is mapped to ``Ignored``.
-As mentioned previously, if data in the CVE database is wrong, it is recommend to fix those
+The entry should have the format like::
-issues in the CVE database directly.
+   CVE_STATUS[CVE-2016-10642] = "cpe-incorrect: This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded"
+As mentioned previously, if data in the CVE database is wrong, it is recommended
+to fix those issues in the CVE database (NVD in the case of OE-core and Poky)
+directly.
 Note that if there are many CVEs with the same status and reason, those can be
 shared by using the :term:`CVE_STATUS_GROUPS` variable.

diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst index c492b62ffd..1bc2a85929 100644 --- a/documentation/dev-manual/vulnerabilities.rst +++ b/documentation/dev-manual/vulnerabilities.rst
@@ -129,31 +129,97 @@ NVD about CVE entries can be provided through the `NVD contact form <https://nvd
129	Fixing vulnerabilities in recipes	129	Fixing vulnerabilities in recipes
130	=================================	130	=================================
131		131
132	If a CVE security issue impacts a software component, it can be fixed by updating to a newer	132	Suppose a CVE security issue impacts a software component. In that case, it can
133	version of the software component, by applying a patch or by marking it as patched via	133	be fixed by updating to a newer version, by applying a patch, or by marking it
134	:term:`CVE_STATUS` variable flag. For Poky and OE-Core master branches, updating	134	as patched via :term:`CVE_STATUS` variable flag. For Poky and OE-Core master
135	to a newer software component release with fixes is the best option, but patches can be applied	135	branches, updating to a more recent software component release with fixes is
136	if releases are not yet available.	136	the best option, but patches can be applied if releases are not yet available.
137		137
138	For stable branches, it is preferred to apply patches for the issues. For some software	138	For stable branches, we want to avoid API (Application Programming Interface)
139	components minor version updates can also be applied if they are backwards compatible.	139	or ABI (Application Binary Interface) breakages. When submitting an update,
		140	a minor version update of a component is preferred if the version is
		141	backward-compatible. Many software components have backward-compatible stable
		142	versions, with a notable example of the Linux kernel. However, if the new
		143	version does or likely might introduce incompatibilities, extracting and
		144	backporting patches is preferred.
140		145
141	Here is an example of fixing CVE security issues with patch files,	146	Here is an example of fixing CVE security issues with patch files,
142	an example from the :oe_layerindex:`ffmpeg recipe</layerindex/recipe/47350>`::	147	an example from the :oe_layerindex:`ffmpeg recipe for dunfell </layerindex/recipe/122174>`::
143		148
144	SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \	149	SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
		150	file://mips64_cpu_detection.patch \
		151	file://CVE-2020-12284.patch \
145	file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \	152	file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
146	file://fix-CVE-2020-20446.patch \	153	file://CVE-2021-3566.patch \
147	file://fix-CVE-2020-20453.patch \	154	file://CVE-2021-38291.patch \
148	file://fix-CVE-2020-22015.patch \	155	file://CVE-2022-1475.patch \
149	file://fix-CVE-2020-22021.patch \	156	file://CVE-2022-3109.patch \
150	file://fix-CVE-2020-22033-CVE-2020-22019.patch \	157	file://CVE-2022-3341.patch \
151	file://fix-CVE-2021-33815.patch \	158	file://CVE-2022-48434.patch \
		159	"
		160
		161	The recipe has both generic and security-related fixes. The CVE patch files are named
		162	according to the CVE they fix.
		163
		164	When preparing the patch file, take the original patch from the upstream repository.
		165	Do not use patches from different distributions, except if it is the only available source.
		166
		167	Modify the patch adding OE-related metadata. We will follow the example of the
		168	``CVE-2022-3341.patch``.
		169
		170	The original `commit message <https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e.patch/>`__
		171	is::
		172
		173	From 9cf652cef49d74afe3d454f27d49eb1a1394951e Mon Sep 17 00:00:00 2001
		174	From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
		175	Date: Wed, 23 Feb 2022 10:31:59 +0800
		176	Subject: [PATCH] avformat/nutdec: Add check for avformat_new_stream
		177
		178	Check for failure of avformat_new_stream() and propagate
		179	the error code.
		180
		181	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		182	---
		183	libavformat/nutdec.c \| 16 ++++++++++++----
		184	1 file changed, 12 insertions(+), 4 deletions(-)
		185
		186
		187	For the correct operations of the ``cve-check``, it requires the CVE
		188	identification in a ``CVE:`` tag of the patch file commit message using
		189	the format::
152		190
153	A good practice is to include the CVE identifier in both the patch file name	191	CVE: CVE-2022-3341
154	and inside the patch file commit message using the format::
155		192
156	CVE: CVE-2020-22033	193	It is also recommended to add the ``Upstream-Status:`` tag with a link
		194	to the original patch and sign-off by people working on the backport.
		195	If there are any modifications to the original patch, note them in
		196	the ``Comments:`` tag.
		197
		198	With the additional information, the header of the patch file in OE-core becomes::
		199
		200	From 9cf652cef49d74afe3d454f27d49eb1a1394951e Mon Sep 17 00:00:00 2001
		201	From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
		202	Date: Wed, 23 Feb 2022 10:31:59 +0800
		203	Subject: [PATCH] avformat/nutdec: Add check for avformat_new_stream
		204
		205	Check for failure of avformat_new_stream() and propagate
		206	the error code.
		207
		208	Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		209
		210	CVE: CVE-2022-3341
		211
		212	Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/9cf652cef49d74afe3d454f27d49eb1a1394951e]
		213
		214	Comments: Refreshed Hunk
		215	Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
		216	Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
		217	---
		218	libavformat/nutdec.c \| 16 ++++++++++++----
		219	1 file changed, 12 insertions(+), 4 deletions(-)
		220
		221	A good practice is to include the CVE identifier in the patch file name, the patch file
		222	commit message and optionally in the recipe commit message.
157		223
158	CVE checker will then capture this information and change the CVE status to ``Patched``	224	CVE checker will then capture this information and change the CVE status to ``Patched``
159	in the generated reports.	225	in the generated reports.
@@ -161,8 +227,13 @@ in the generated reports.
161	If analysis shows that the CVE issue does not impact the recipe due to configuration, platform,	227	If analysis shows that the CVE issue does not impact the recipe due to configuration, platform,
162	version or other reasons, the CVE can be marked as ``Ignored`` by using	228	version or other reasons, the CVE can be marked as ``Ignored`` by using
163	the :term:`CVE_STATUS` variable flag with appropriate reason which is mapped to ``Ignored``.	229	the :term:`CVE_STATUS` variable flag with appropriate reason which is mapped to ``Ignored``.
164	As mentioned previously, if data in the CVE database is wrong, it is recommend to fix those	230	The entry should have the format like::
165	issues in the CVE database directly.	231
		232	CVE_STATUS[CVE-2016-10642] = "cpe-incorrect: This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded"
		233
		234	As mentioned previously, if data in the CVE database is wrong, it is recommended
		235	to fix those issues in the CVE database (NVD in the case of OE-core and Poky)
		236	directly.
166		237
167	Note that if there are many CVEs with the same status and reason, those can be	238	Note that if there are many CVEs with the same status and reason, those can be
168	shared by using the :term:`CVE_STATUS_GROUPS` variable.	239	shared by using the :term:`CVE_STATUS_GROUPS` variable.