[dunfell,1/9] python3: ignore CVE-2015-20107

Message ID	1ed7bb74d35f08af3babf73c68ee01af5f28a50b.1651531749.git.steve@sakoman.com
State	Accepted, archived
Commit	1ed7bb74d35f08af3babf73c68ee01af5f28a50b
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.210.176, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 1/9] python3: ignore CVE-2015-20107 Date: Mon, 2 May 2022 13:02:46 -1000 Message-Id: <1ed7bb74d35f08af3babf73c68ee01af5f28a50b.1651531749.git.steve@sakoman.com> In-Reply-To: <cover.1651531749.git.steve@sakoman.com> References: <cover.1651531749.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[dunfell,1/9] python3: ignore CVE-2015-20107 \| expand [dunfell,1/9] python3: ignore CVE-2015-20107 [dunfell,2/9] busybox: Use base_bindir instead of hardcoding /bin path [dunfell,3/9] devshell.bbclass: Allow devshell & pydevshell to use the network [dunfell,4/9] cases/buildepoxy.py: fix typo [dunfell,5/9] install/devshell: Introduce git intercept script due to fakeroot issues [dunfell,6/9] base: Drop git intercept [dunfell,7/9] bitbake.conf: mark all directories as safe for git to read [dunfell,8/9] neard: Switch SRC_URI to git repo [dunfell,9/9] uninative: Upgrade to 3.6 with gcc 12 support

Message ID

1ed7bb74d35f08af3babf73c68ee01af5f28a50b.1651531749.git.steve@sakoman.com

State

Accepted, archived

Commit

1ed7bb74d35f08af3babf73c68ee01af5f28a50b

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 1/9] python3: ignore CVE-2015-20107
Date: Mon,  2 May 2022 13:02:46 -1000
Message-Id: 
 <1ed7bb74d35f08af3babf73c68ee01af5f28a50b.1651531749.git.steve@sakoman.com>
In-Reply-To: <cover.1651531749.git.steve@sakoman.com>
References: <cover.1651531749.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[dunfell,1/9] python3: ignore CVE-2015-20107 | expand

Commit Message

Steve Sakoman May 2, 2022, 11:02 p.m. UTC

From: Ross Burton <ross.burton@arm.com>

CVE-2015-20107 describes an arbitrary command execution in the mailcap
module, but this is by design in mailcap and needs to be worked around
by the calling application.

Upstream Python will be documenting this flaw in the library reference,
and it is likely that the mailcap module will be deprecated and removed
in the future.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 85fac8408baf92d8b71946f5bfea92952b7eab01)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/python/python3_3.8.13.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-devtools/python/python3_3.8.13.bb b/meta/recipes-devtools/python/python3_3.8.13.bb
index d7f6e9155d..040bacf97c 100644
--- a/meta/recipes-devtools/python/python3_3.8.13.bb
+++ b/meta/recipes-devtools/python/python3_3.8.13.bb
@@ -57,6 +57,9 @@  CVE_CHECK_WHITELIST += "CVE-2019-18348"
 
 # This is windows only issue.
 CVE_CHECK_WHITELIST += "CVE-2020-15523 CVE-2022-26488"
+# The mailcap module is insecure by design, so this can't be fixed in a meaningful way.
+# The module will be removed in the future and flaws documented.
+CVE_CHECK_WHITELIST += "CVE-2015-20107"
 
 PYTHON_MAJMIN = "3.8"

[dunfell,1/9] python3: ignore CVE-2015-20107

Commit Message

Patch