
[1/1] exiv2: Update CVE-2007-6353 status

Message ID 20240410150453.12726-2-ninette@thehoodiefirm.com
State Under Review
Series exiv2: Update CVE-2007-6353 status

Commit Message

Ninette Adhikari April 10, 2024, 3:04 p.m. UTC
Current version 0.28.0 is not affected by the issue.
Affected version: < 0.13-r1

Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
---
 meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb | 2 ++
 1 file changed, 2 insertions(+)

Comments

Peter Marko April 10, 2024, 4:54 p.m. UTC | #1
Hello,

May I ask what you are trying to achieve?
These entries fix incorrect CPE mapping so they are still needed.
So by removing these 7 CVE_STATUS entries via your 7 contributions, you are marking the CVEs as relevant for the components.
Basically the direct opposite of what your commit messages are saying.

Peter

-----Original Message-----
From: openembedded-devel@lists.openembedded.org <openembedded-devel@lists.openembedded.org> On Behalf Of Ninette Adhikari via lists.openembedded.org
Sent: Wednesday, April 10, 2024 17:05
To: openembedded-devel@lists.openembedded.org
Cc: Ninette Adhikari <ninette@thehoodiefirm.com>
Subject: [oe] [PATCH 1/1] exiv2: Update CVE-2007-6353 status

> Current version 0.28.0 is not affected by the issue.
> Affected version: < 0.13-r1
>
> Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
> ---
>  meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb b/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
> index 958810cf7..ad99d0bf4 100644
> --- a/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
> +++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
> @@ -10,6 +10,8 @@ SRC_URI[sha256sum] = "89af3b5ef7277753ef7a7b5374ae017c6b9e304db3b688f1948e73e103
>  # inherit dos2unix
>  S = "${WORKDIR}/${BP}-Source"
>  
> +CVE_STATUS[CVE-2007-6353] = "cpe-incorrect: Current version 0.28.0 is not affected by the issue."
> +
>  inherit cmake gettext
>  
>  do_install:append:class-target() {
> -- 
> 2.44.0
Ninette Adhikari April 11, 2024, 4:18 p.m. UTC | #2
Hi Peter,

Thanks so much for your response. Many apologies for the confusion, I was
trying to follow the example here
<https://git.yoctoproject.org/poky/commit/?id=378bc2f8e3ac393d89a6d2e52094478fb3879ef7>
to report a CVE issue but clearly I chose an incorrect classification.

I meant to say that the 7 CVEs are invalid or not relevant any more. I can
make new patches marking them as "cve-invalid" instead of "cpe-incorrect".
Would that be okay? Let me know.

Thanks again!
Ninette

On Wed, Apr 10, 2024 at 6:54 PM Marko, Peter <Peter.Marko@siemens.com>
wrote:

> Hello,
>
> May I ask what you are trying to achieve?
> These entries fix incorrect CPE mapping so they are still needed.
> So by removing these 7 CVE_STATUS entries via your 7 contributions, you
> are marking the CVEs as relevant for the components.
> Basically the direct opposite of what your commit messages are saying.
>
> Peter
>
> -----Original Message-----
> From: openembedded-devel@lists.openembedded.org <
> openembedded-devel@lists.openembedded.org> On Behalf Of Ninette Adhikari
> via lists.openembedded.org
> Sent: Wednesday, April 10, 2024 17:05
> To: openembedded-devel@lists.openembedded.org
> Cc: Ninette Adhikari <ninette@thehoodiefirm.com>
> Subject: [oe] [PATCH 1/1] exiv2: Update CVE-2007-6353 status
>
> > Current version 0.28.0 is not affected by the issue.
> > Affected version: < 0.13-r1
> >
> > Signed-off-by: Ninette Adhikari <ninette@thehoodiefirm.com>
> > ---
> >  meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
> b/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
> > index 958810cf7..ad99d0bf4 100644
> > --- a/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
> > +++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
> > @@ -10,6 +10,8 @@ SRC_URI[sha256sum] =
> "89af3b5ef7277753ef7a7b5374ae017c6b9e304db3b688f1948e73e103
> >  # inherit dos2unix
> >  S = "${WORKDIR}/${BP}-Source"
> >
> > +CVE_STATUS[CVE-2007-6353] = "cpe-incorrect: Current version 0.28.0 is
> not affected by the issue."
> > +
> >  inherit cmake gettext
> >
> >  do_install:append:class-target() {
> > --
> > 2.44.0
>
>
Peter Marko April 11, 2024, 7:45 p.m. UTC | #3
Hello Ninette,

Yocto currently supports CVE statuses listed in this file
https://git.openembedded.org/openembedded-core/tree/meta/conf/cve-check-map.conf
In most cases you just want to add a status and description why the CVE is ignored.
If you want a different or more specialized status, you need to add it there first.
But imho cpe-incorrect is good enough as there is also a description which gives more detail about it.

If you want to start working on open CVEs in meta-openembedded, here is a looong list to work on
and many of them are invalid, e.g. to be ignored for similar reasons you tried to fix:
https://autobuilder.yocto.io/pub/non-release/patchmetrics-meta-oe/cve-status-master.txt

Peter

From: Ninette Adhikari <ninette@neighbourhood.ie>
Sent: Thursday, April 11, 2024 18:19
To: Marko, Peter (ADV D EU SK BFS1) <Peter.Marko@siemens.com>
Cc: openembedded-devel@lists.openembedded.org
Subject: Re: [oe] [PATCH 1/1] exiv2: Update CVE-2007-6353 status

Hi Peter,

Thanks so much for your response. Many apologies for the confusion, I was trying to follow the example here <https://git.yoctoproject.org/poky/commit/?id=378bc2f8e3ac393d89a6d2e52094478fb3879ef7> to report a CVE issue but clearly I chose an incorrect classification.

I meant to say that the 7 CVEs are invalid or not relevant any more. I can make new patches marking them as "cve-invalid" instead of "cpe-incorrect". Would that be okay? Let me know.

Thanks again!
Ninette
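The mechanism Peter describes above, shown as an added example (not code from openembedded-core or from anyone in this thread): a small Python checker that does what cve-check does with a recipe's CVE_STATUS entries, splitting "<status>: <description>" on the first colon and looking the status up in the CVE_CHECK_STATUSMAP from cve-check-map.conf. The STATUSMAP dictionary is my transcription of that file and should be diffed against the linked cve-check-map.conf before it is relied on; the function names, the sample recipe fragment and the placeholder CVE-0000-* identifiers are constructed for the demonstration. A status the map does not know (such as the "cve-invalid" spelling proposed in the thread) comes back without a verdict, which is the situation Peter's "you need to add it there first" refers to.

```python
"""Validate CVE_STATUS entries in a BitBake recipe against cve-check's status map.

Added example, not openembedded-core code. STATUSMAP is a from-memory copy of
CVE_CHECK_STATUSMAP in meta/conf/cve-check-map.conf; verify it against the file.
"""
import re
from typing import Dict, Optional, Tuple

# Assumed transcription of cve-check-map.conf: status keyword -> cve-check verdict.
STATUSMAP: Dict[str, str] = {
    "patched": "Patched",
    "backported-patch": "Patched",
    "cpe-stable-backport": "Patched",
    "fixed-version": "Patched",
    "fix-file-included": "Patched",
    "cpe-incorrect": "Ignored",
    "disputed": "Ignored",
    "not-applicable-platform": "Ignored",
    "not-applicable-config": "Ignored",
    "upstream-wontfix": "Ignored",
    "ignored": "Ignored",
    "unpatched": "Unpatched",
    "vulnerable-investigating": "Unpatched",
}

# Matches one recipe line such as:
#   CVE_STATUS[CVE-2007-6353] = "cpe-incorrect: some justification"
_ENTRY_RE = re.compile(r'^\s*CVE_STATUS\[(CVE-\d{4}-\d{4,})\]\s*=\s*"([^"]*)"\s*$', re.M)


def split_status(value: str) -> Tuple[str, str]:
    """Split a CVE_STATUS value into (status, description) on the first ':'."""
    status, sep, detail = value.partition(":")
    return status.strip(), (detail.strip() if sep else "")


def classify(value: str, statusmap: Dict[str, str] = STATUSMAP) -> Tuple[Optional[str], str, str]:
    """Return (verdict, status, description); verdict is None when the status is not in the map."""
    status, detail = split_status(value)
    return statusmap.get(status), status, detail


def check_recipe(recipe_text: str, statusmap: Dict[str, str] = STATUSMAP) -> Dict[str, dict]:
    """Parse every CVE_STATUS line in a recipe and report verdict plus problems per CVE."""
    report: Dict[str, dict] = {}
    for cve, value in _ENTRY_RE.findall(recipe_text):
        verdict, status, detail = classify(value, statusmap)
        problems = []
        if verdict is None:
            problems.append(f"unknown status '{status}': add it to cve-check-map.conf first")
        if not detail:
            problems.append("no description after the status")
        report[cve] = {"status": status, "verdict": verdict, "description": detail, "problems": problems}
    return report


# Constructed recipe fragment: the line from the patch under review, plus two
# placeholder CVE ids (not real CVEs) showing an unmapped status and a missing description.
SAMPLE_RECIPE = '''
S = "${WORKDIR}/${BP}-Source"

CVE_STATUS[CVE-2007-6353] = "cpe-incorrect: Current version 0.28.0 is not affected by the issue."
CVE_STATUS[CVE-0000-0001] = "cve-invalid: placeholder entry with a status the map does not know"
CVE_STATUS[CVE-0000-0002] = "ignored"

inherit cmake gettext
'''

if __name__ == "__main__":
    for cve, info in check_recipe(SAMPLE_RECIPE).items():
        flag = "; ".join(info["problems"]) or "ok"
        print(f"{cve}: {info['status']} -> {info['verdict']} ({flag})")
```

Run against a real recipe with `check_recipe(open("exiv2_0.28.0.bb").read())`; anything with a non-empty `problems` list is an entry cve-check will not classify the way the author intended.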
Ninette Adhikari April 12, 2024, 11:33 a.m. UTC | #4
Thanks Peter for sharing the details. Shall I leave the patches as is, then,
or do I need to update the commit details?

I've been going through the CVE list and will post patches for any other
invalid ones. It's a long clean up process but hopefully we'll get there:)

Ninette

On Thu, Apr 11, 2024 at 9:46 PM Marko, Peter <Peter.Marko@siemens.com>
wrote:

> Hello Ninette,
>
> Yocto currently supports CVE statuses listed in this file
> https://git.openembedded.org/openembedded-core/tree/meta/conf/cve-check-map.conf
> In most cases you just want to add a status and description why the CVE is
> ignored.
> If you want a different or more specialized status, you need to add it
> there first.
> But imho cpe-incorrect is good enough as there is also a description which
> gives more detail about it.
>
> If you want to start working on open CVEs in meta-openembedded, here is a
> looong list to work on
> and many of them are invalid, e.g. to be ignored for similar reasons you
> tried to fix:
> https://autobuilder.yocto.io/pub/non-release/patchmetrics-meta-oe/cve-status-master.txt
>
> Peter
>
> From: Ninette Adhikari <ninette@neighbourhood.ie>
> Sent: Thursday, April 11, 2024 18:19
> To: Marko, Peter (ADV D EU SK BFS1) <Peter.Marko@siemens.com>
> Cc: openembedded-devel@lists.openembedded.org
> Subject: Re: [oe] [PATCH 1/1] exiv2: Update CVE-2007-6353 status
>
> Hi Peter,
>
> Thanks so much for your response. Many apologies for the confusion, I was
> trying to follow the example here
> <https://git.yoctoproject.org/poky/commit/?id=378bc2f8e3ac393d89a6d2e52094478fb3879ef7>
> to report a CVE issue but clearly I chose an incorrect classification.
>
> I meant to say that the 7 CVEs are invalid or not relevant any more. I can
> make new patches marking them as "cve-invalid" instead of "cpe-incorrect".
> Would that be okay? Let me know.
>
> Thanks again!
> Ninette

Patch

diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb b/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
index 958810cf7..ad99d0bf4 100644
--- a/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
+++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
@@ -10,6 +10,8 @@  SRC_URI[sha256sum] = "89af3b5ef7277753ef7a7b5374ae017c6b9e304db3b688f1948e73e103
 # inherit dos2unix
 S = "${WORKDIR}/${BP}-Source"
 
+CVE_STATUS[CVE-2007-6353] = "cpe-incorrect: Current version 0.28.0 is not affected by the issue."
+
 inherit cmake gettext
 
 do_install:append:class-target() {
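Review bot: the justification on the added CVE_STATUS[CVE-2007-6353] line hard-codes the recipe version ("Current version 0.28.0 is not affected by the issue.") and restates the conclusion rather than the reason, so it goes stale at the next bump of exiv2_0.28.0.bb and gives a later maintainer nothing to re-check against the NVD entry. Since the status is cpe-incorrect, which the thread describes as fixing a wrong CPE mapping, put the affected range from the commit message after the colon instead of the current version, e.g. `CVE_STATUS[CVE-2007-6353] = "cpe-incorrect: only versions before 0.13-r1 are affected"`, so the entry stays accurate across upgrades and the reason for ignoring the match is recorded in the recipe itself.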