[dunfell] gcc: Add CVE-2021-37322 to the list of CVEs to ignore

Message ID 20211209065335.2999735-1-timothy.t.orling@intel.com
State Accepted, archived
Commit 71a6d3c31775c6b2db38e194992e0ffce637c827

Commit Message

Tim Orling Dec. 9, 2021, 6:53 a.m. UTC
From: Richard Purdie <richard.purdie@linuxfoundation.org>

The CVE applies to binutils 2.26 and not to gcc so ignore there.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
---
 meta/recipes-devtools/gcc/gcc-9.3.inc | 3 +++
 1 file changed, 3 insertions(+)

Comments

Marta Rybczynska Dec. 9, 2021, 12:12 p.m. UTC | #1
On Thu, Dec 9, 2021 at 7:53 AM Tim Orling <ticotimo@gmail.com> wrote:
>
> From: Richard Purdie <richard.purdie@linuxfoundation.org>
>
> The CVE applies to binutils 2.26 and not to gcc so ignore there.
>

Tim,
Have you requested an NVD database change on this one? Or do you prefer me to do it?

Kind regards,
Marta

Steve Sakoman Dec. 9, 2021, 2:43 p.m. UTC | #2
On Thu, Dec 9, 2021 at 4:36 AM Tim Orling <tim.orling@konsulko.com> wrote:
>
>
>
> On Thu, Dec 9, 2021 at 4:12 AM Marta Rybczynska <rybczynska@gmail.com> wrote:
>>
>> On Thu, Dec 9, 2021 at 7:53 AM Tim Orling <ticotimo@gmail.com> wrote:
>> >
>> > From: Richard Purdie <richard.purdie@linuxfoundation.org>
>> >
>> > The CVE applies to binutils 2.26 and not to gcc so ignore there.
>> >
>>
>> Tim,
>> Have you requested a NVD database change on this one? Or you prefer me to do it?
>>
> I have not. I was simply back-porting the patch from Richard.

It's always preferable to request a change to the database when it is
wrong.  They are usually pretty responsive.

I'll take the patch for now, and if/when they accept the update we can
remove the exception in master/dunfell.

Steve

Richard Purdie Dec. 9, 2021, 2:49 p.m. UTC | #3
On Thu, 2021-12-09 at 04:43 -1000, Steve Sakoman wrote:
> On Thu, Dec 9, 2021 at 4:36 AM Tim Orling <tim.orling@konsulko.com> wrote:
> > 
> > 
> > 
> > On Thu, Dec 9, 2021 at 4:12 AM Marta Rybczynska <rybczynska@gmail.com> wrote:
> > > 
> > > On Thu, Dec 9, 2021 at 7:53 AM Tim Orling <ticotimo@gmail.com> wrote:
> > > > 
> > > > From: Richard Purdie <richard.purdie@linuxfoundation.org>
> > > > 
> > > > The CVE applies to binutils 2.26 and not to gcc so ignore there.
> > > > 
> > > 
> > > Tim,
> > > Have you requested a NVD database change on this one? Or you prefer me to do it?
> > > 
> > I have not. I was simply back-porting the patch from Richard.
> 
> It's always preferable to request a change to the database when it is
> wrong.  They are usually pretty responsive.
> 
> I'll take the patch for now, and if/when they accept the update we can
> remove the exception in master/dunfell.

This one is a little fuzzy. There is an entry for binutils there too and I
didn't understand why there was an unversioned gcc entry there with it. It could
be our CPE parsing isn't quite right. I may also be referring to gcc the project
rather than the component. Regardless, I wanted it off our CVE list! 

Cheers,

Richard

Patch

diff --git a/meta/recipes-devtools/gcc/gcc-9.3.inc b/meta/recipes-devtools/gcc/gcc-9.3.inc
index 1c8e3df51d9..a1b442de8a6 100644
--- a/meta/recipes-devtools/gcc/gcc-9.3.inc
+++ b/meta/recipes-devtools/gcc/gcc-9.3.inc
@@ -123,3 +123,6 @@  EXTRA_OECONF_PATHS = "\
     --with-sysroot=/not/exist \
     --with-build-sysroot=${STAGING_DIR_TARGET} \
 "
+
+# Is a binutils 2.26 issue, not gcc
+CVE_CHECK_WHITELIST += "CVE-2021-37322"
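
Review bot: The comment above the `CVE_CHECK_WHITELIST` line gives the reason for the ignore but no condition for removing it, so the entry for CVE-2021-37322 can stay in gcc-9.3.inc long after it is needed. Suggest extending the comment to say that the exception is a workaround for the gcc match reported by the CVE check and should be dropped once the database entry is corrected. That gives whoever audits the whitelist later something concrete to verify before deleting the line.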