
[3/5] zlib: ignore CVE-2023-6992

Message ID 20240122140406.3837333-3-ross.burton@arm.com
State Accepted, archived
Commit 9f953a1cd832f03f0b3666168addf45fd4fc8d14
Series [1/5] cve_check: handle CVE_STATUS being set to the empty string

Commit Message

Ross Burton Jan. 22, 2024, 2:04 p.m. UTC
From: Ross Burton <ross.burton@arm.com>

This issue is specific to the Cloudflare fork of zlib.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/recipes-core/zlib/zlib_1.3.bb | 1 +
 1 file changed, 1 insertion(+)

Comments

Peter Marko Jan. 22, 2024, 2:16 p.m. UTC | #1
Hi Ross,

I think this one is better - https://lists.openembedded.org/g/openembedded-core/message/193603
I'm not sure why it was not picked up yet after 9 days, but it's the CPE which is not matching, not our configuration options...

Peter

-----Original Message-----
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Ross Burton via lists.openembedded.org
Sent: Monday, January 22, 2024 15:04
To: openembedded-core@lists.openembedded.org
Subject: [OE-core] [PATCH 3/5] zlib: ignore CVE-2023-6992

> From: Ross Burton <ross.burton@arm.com>
>
> This issue is specific to the Cloudflare fork of zlib.
>
> Signed-off-by: Ross Burton <ross.burton@arm.com>
> ---
>  meta/recipes-core/zlib/zlib_1.3.bb | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/meta/recipes-core/zlib/zlib_1.3.bb b/meta/recipes-core/zlib/zlib_1.3.bb
> index 1ed18172faa..9db5588d66a 100644
> --- a/meta/recipes-core/zlib/zlib_1.3.bb
> +++ b/meta/recipes-core/zlib/zlib_1.3.bb
> @@ -47,3 +47,4 @@ do_install_ptest() {
>  BBCLASSEXTEND = "native nativesdk"
>  
>  CVE_STATUS[CVE-2023-45853] = "not-applicable-config: we don't build minizip"
> +CVE_STATUS[CVE-2023-6992] = "not-applicable-config: specific to the Cloudflare fork"
> -- 
> 2.34.1
Ross Burton Jan. 22, 2024, 2:26 p.m. UTC | #2
On 22 Jan 2024, at 14:16, Marko, Peter <Peter.Marko@siemens.com> wrote:
> 
> Hi Ross,
> 
> I think this one is better - https://lists.openembedded.org/g/openembedded-core/message/193603
> I'm not sure why it was not picked up yet after 9 days, but it's the CPE which is not matching, not our configuration options…

Ah I didn’t see that.

However, the CPE _is_ correct, it's our matching which is not.  I assumed there wasn't enough consistency in the zlib CPEs that we could set one with a vendor.

Ross
Peter Marko Jan. 22, 2024, 2:52 p.m. UTC | #3
-----Original Message-----
From: Ross Burton <Ross.Burton@arm.com> 
Sent: Monday, January 22, 2024 15:27
To: Marko, Peter (ADV D EU SK BFS1) <Peter.Marko@siemens.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH 3/5] zlib: ignore CVE-2023-6992

> On 22 Jan 2024, at 14:16, Marko, Peter <Peter.Marko@siemens.com> wrote:
> > 
> > Hi Ross,
> > 
> > I think this one is better - https://lists.openembedded.org/g/openembedded-core/message/193603
> > I'm not sure why it was not picked up yet after 9 days, but it's the CPE which is not matching, not our configuration options…
>
> Ah I didn’t see that.
>
> However, the CPE _is_ correct, it's our matching which is not.  I assumed there wasn't enough consistency in the zlib CPEs that we could set one with a vendor.

Yes, it's an inconsistency on our side, but still in the CPE field. The current CVE status options do not offer a better selection.
My commit message explains why I have chosen this way to ignore it, although it will be in the recipe forever (as version 2023-11-16 will always be higher than PV).
But I can also resubmit, changing CVE_PRODUCT to "gnu:zlib zlib:zlib", if that is the preferred option going forward.

Peter

>
> Ross
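The disagreement in the thread is about how a recipe's CVE_PRODUCT is matched against the vendor:product part of NVD CPE entries: a bare product name such as "zlib" matches every vendor that ships a product called zlib, including the Cloudflare fork that CVE-2023-6992 is filed against, while a vendor-qualified value such as the "gnu:zlib zlib:zlib" suggested above does not. The following Python is an added illustration of that matching rule and is not code from OE-core's cve-check class (which also consults the NVD database and version ranges, omitted here). The CPE strings in CVE_AFFECTED are constructed stand-ins for NVD data, not copied from NVD.

```python
"""Illustrative CPE vendor/product matching for an OE-style CVE_PRODUCT value.

Added example, not code from OE-core's cve-check class.  It shows why a bare
product name in CVE_PRODUCT matches every vendor's "zlib" (including a fork's
CPE) while a vendor-qualified entry only matches that vendor.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed CPE 2.3 strings standing in for NVD "affected configuration"
# entries.  They are not copied from NVD; only the vendor:product fields matter.
CVE_AFFECTED = {
    "CVE-2023-6992": ["cpe:2.3:a:cloudflare:zlib:*:*:*:*:*:*:*:*"],
    "CVE-2023-45853": ["cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*"],
}


@dataclass(frozen=True)
class VendorProduct:
    vendor: str | None   # None means "any vendor", i.e. a bare CVE_PRODUCT entry
    product: str


def parse_cve_product(value: str) -> list[VendorProduct]:
    """Parse a space-separated CVE_PRODUCT value.

    Each token is either 'vendor:product' or a bare 'product' (any vendor).
    """
    entries: list[VendorProduct] = []
    for token in value.split():
        if ":" in token:
            vendor, product = token.split(":", 1)
            entries.append(VendorProduct(vendor, product))
        else:
            entries.append(VendorProduct(None, token))
    return entries


def cpe_vendor_product(cpe: str) -> tuple[str, str]:
    """Extract (vendor, product) from a CPE 2.3 formatted string."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return parts[3], parts[4]


def entry_matches(entry: VendorProduct, cpe: str) -> bool:
    """A CVE_PRODUCT entry matches a CPE when the product is equal and the
    vendor is either unspecified (bare entry) or equal."""
    vendor, product = cpe_vendor_product(cpe)
    if entry.product != product:
        return False
    return entry.vendor is None or entry.vendor == vendor


def applicable_cves(cve_product: str, affected=CVE_AFFECTED) -> dict[str, list[str]]:
    """For each CVE, list the CVE_PRODUCT entries (as 'vendor:product', '*' for
    any vendor) that made it match; an empty list means the CVE is not reported."""
    entries = parse_cve_product(cve_product)
    result: dict[str, list[str]] = {}
    for cve, cpes in affected.items():
        hits = [
            f"{e.vendor or '*'}:{e.product}"
            for e in entries
            if any(entry_matches(e, c) for c in cpes)
        ]
        result[cve] = hits
    return result


if __name__ == "__main__":
    for value in ("zlib", "gnu:zlib zlib:zlib"):
        print(f'CVE_PRODUCT = "{value}"')
        for cve, hits in applicable_cves(value).items():
            print(f"  {cve}: {'matches via ' + ', '.join(hits) if hits else 'no match'}")
```

With the bare value "zlib" both constructed CVEs are reported; with "gnu:zlib zlib:zlib" the Cloudflare-only CVE no longer matches, which is why a vendor-qualified CVE_PRODUCT removes the need for a permanent CVE_STATUS entry, at the cost of having to keep the vendor list in step with how NVD files zlib CPEs.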

Patch

diff --git a/meta/recipes-core/zlib/zlib_1.3.bb b/meta/recipes-core/zlib/zlib_1.3.bb
index 1ed18172faa..9db5588d66a 100644
--- a/meta/recipes-core/zlib/zlib_1.3.bb
+++ b/meta/recipes-core/zlib/zlib_1.3.bb
@@ -47,3 +47,4 @@  do_install_ptest() {
 BBCLASSEXTEND = "native nativesdk"
 
 CVE_STATUS[CVE-2023-45853] = "not-applicable-config: we don't build minizip"
+CVE_STATUS[CVE-2023-6992] = "not-applicable-config: specific to the Cloudflare fork"
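Review bot: the status label on the added line contradicts its own justification: `not-applicable-config` states that a build configuration option excludes the issue, but the reason given ("specific to the Cloudflare fork") is that CVE-2023-6992 is filed against a different vendor's product, which is a CPE vendor mismatch rather than a configuration choice, as the thread itself concludes. Either use the status cve-check already accepts for that case, `CVE_STATUS[CVE-2023-6992] = "cpe-incorrect: specific to the Cloudflare fork"`, or take the alternative raised in the thread and vendor-qualify the recipe's product with `CVE_PRODUCT = "gnu:zlib zlib:zlib"` so the CVE stops matching without a permanent ignore entry.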