Message ID | 20211209065335.2999735-1-timothy.t.orling@intel.com |
---|---|
State | Accepted, archived |
Commit | 71a6d3c31775c6b2db38e194992e0ffce637c827 |
Series | [dunfell] gcc: Add CVE-2021-37322 to the list of CVEs to ignore |

On Thu, Dec 9, 2021 at 7:53 AM Tim Orling <ticotimo@gmail.com> wrote:
>
> From: Richard Purdie <richard.purdie@linuxfoundation.org>
>
> The CVE applies to binutils 2.26 and not to gcc so ignore there.
>

Tim,
Have you requested a NVD database change on this one? Or you prefer me to do it?

Kind regards,
Marta

On Thu, Dec 9, 2021 at 4:36 AM Tim Orling <tim.orling@konsulko.com> wrote:
>
> On Thu, Dec 9, 2021 at 4:12 AM Marta Rybczynska <rybczynska@gmail.com> wrote:
>>
>> On Thu, Dec 9, 2021 at 7:53 AM Tim Orling <ticotimo@gmail.com> wrote:
>> >
>> > From: Richard Purdie <richard.purdie@linuxfoundation.org>
>> >
>> > The CVE applies to binutils 2.26 and not to gcc so ignore there.
>> >
>>
>> Tim,
>> Have you requested a NVD database change on this one? Or you prefer me to do it?
>>
> I have not. I was simply back-porting the patch from Richard.

It's always preferable to request a change to the database when it is wrong. They are usually pretty responsive.

I'll take the patch for now, and if/when they accept the update we can remove the exception in master/dunfell.

Steve

On Thu, 2021-12-09 at 04:43 -1000, Steve Sakoman wrote:
> On Thu, Dec 9, 2021 at 4:36 AM Tim Orling <tim.orling@konsulko.com> wrote:
> >
> > On Thu, Dec 9, 2021 at 4:12 AM Marta Rybczynska <rybczynska@gmail.com> wrote:
> > >
> > > On Thu, Dec 9, 2021 at 7:53 AM Tim Orling <ticotimo@gmail.com> wrote:
> > > >
> > > > From: Richard Purdie <richard.purdie@linuxfoundation.org>
> > > >
> > > > The CVE applies to binutils 2.26 and not to gcc so ignore there.
> > > >
> > >
> > > Tim,
> > > Have you requested a NVD database change on this one? Or you prefer me to do it?
> > >
> > I have not. I was simply back-porting the patch from Richard.
>
> It's always preferable to request a change to the database when it is
> wrong. They are usually pretty responsive.
>
> I'll take the patch for now, and if/when they accept the update we can
> remove the exception in master/dunfell.

This one is a little fuzzy. There is an entry for binutils there too and I didn't understand why there was an unversioned gcc entry there with it. It could be our CPE parsing isn't quite right. I may also be referring to gcc the project rather than the component. Regardless, I wanted it off our CVE list!

Cheers,

Richard

diff --git a/meta/recipes-devtools/gcc/gcc-9.3.inc b/meta/recipes-devtools/gcc/gcc-9.3.inc index 1c8e3df51d9..a1b442de8a6 100644 --- a/meta/recipes-devtools/gcc/gcc-9.3.inc +++ b/meta/recipes-devtools/gcc/gcc-9.3.inc @@ -123,3 +123,6 @@ EXTRA_OECONF_PATHS = "\ --with-sysroot=/not/exist \ --with-build-sysroot=${STAGING_DIR_TARGET} \ " + +# Is a binutils 2.26 issue, not gcc +CVE_CHECK_WHITELIST += "CVE-2021-37322"
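
Review bot: The comment above the added CVE_CHECK_WHITELIST line at the end of gcc-9.3.inc says only that this is a binutils 2.26 issue; it does not record that the entry works around a database match against gcc, or when it can be dropped. Suggest extending it, for example `# Is a binutils 2.26 issue, not gcc; drop once the NVD entry is corrected`, so the exception is not carried forward indefinitely. Because the line lives in the version-specific gcc-9.3.inc, it also has to be re-added by hand if the recipe moves to a different version include, which is worth noting in the commit message.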