Message ID | 20220322111402.21283-1-sanakazisk19@gmail.com |
---|---|
State | New, archived |
Series | [poky,dunfell] binutils: Whitelist CVEs |
On Tue, Mar 22, 2022 at 1:14 AM sana kazi <sanakazisk19@gmail.com> wrote:
>
> CVE-2020-16590 CVE-2020-16591 CVE-2020-16599 CVE-2021-20294 does
> not affect binutils_2.34 and the contents of the patch are not
> present in the source code. Therefore, whitelist it.

In this case there are errors in the upstream cve database, so the proper way to deal with this is to contact the database admin and request fixes. We only whitelist if they don't make the change for some reason and we are 100% sure our usage is not affected.

Fortunately I've already contacted them on these issues, so hopefully database corrections will be made soon!

Thanks for helping out on CVEs!

Steve

>
> Links:
> https://nvd.nist.gov/vuln/detail/CVE-2020-16590
> https://nvd.nist.gov/vuln/detail/CVE-2020-16591
> https://nvd.nist.gov/vuln/detail/CVE-2020-16599
> https://nvd.nist.gov/vuln/detail/CVE-2021-20294
>
> Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com>
> --- > meta/recipes-devtools/binutils/binutils-2.34.inc | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > > diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc > index 6a55de2d45..990c5fa8f1 100644 > --- a/meta/recipes-devtools/binutils/binutils-2.34.inc > +++ b/meta/recipes-devtools/binutils/binutils-2.34.inc 
> @@ -54,3 +54,18 @@ SRC_URI = "\ > file://0001-CVE-2021-45078.patch \ > " > S = "${WORKDIR}/git" > + > +# CVE-2020-16590 CVE-2020-16591 CVE-2020-16599 CVE-2021-20294 does not affect > +# binutils_2.34 and the contents of the patch are not > +# present in the source code. Therefore, whitelist it. > +# https://nvd.nist.gov/vuln/detail/CVE-2020-16590 > +# https://nvd.nist.gov/vuln/detail/CVE-2020-16591 > +# https://nvd.nist.gov/vuln/detail/CVE-2020-16599 > +# https://nvd.nist.gov/vuln/detail/CVE-2021-20294 > + > +CVE_CHECK_WHITELIST += " \ > + CVE-2020-16590 \ > + CVE-2020-16591 \ > + CVE-2020-16599 \ > + CVE-2021-20294 \ > +" > -- > 2.17.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#163545): https://lists.openembedded.org/g/openembedded-core/message/163545 > Mute This Topic: https://lists.openembedded.org/mt/89949489/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc index 6a55de2d45..990c5fa8f1 100644 --- a/meta/recipes-devtools/binutils/binutils-2.34.inc +++ b/meta/recipes-devtools/binutils/binutils-2.34.inc @@ -54,3 +54,18 @@ SRC_URI = "\ file://0001-CVE-2021-45078.patch \ " S = "${WORKDIR}/git" + +# CVE-2020-16590 CVE-2020-16591 CVE-2020-16599 CVE-2021-20294 does not affect +# binutils_2.34 and the contents of the patch are not +# present in the source code. Therefore, whitelist it. +# https://nvd.nist.gov/vuln/detail/CVE-2020-16590 +# https://nvd.nist.gov/vuln/detail/CVE-2020-16591 +# https://nvd.nist.gov/vuln/detail/CVE-2020-16599 +# https://nvd.nist.gov/vuln/detail/CVE-2021-20294 + +CVE_CHECK_WHITELIST += " \ + CVE-2020-16590 \ + CVE-2020-16591 \ + CVE-2020-16599 \ + CVE-2021-20294 \ +"
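Review bot: the comment block above CVE_CHECK_WHITELIST gives one shared justification for all four CVEs ("the contents of the patch are not present in the source code") without saying which patch or which code is meant, so the claim cannot be checked from the recipe. Suggest one comment line per CVE naming the upstream fix and the file or function that is absent in 2.34. Since the reply on this thread attributes the mismatch to errors in the upstream CVE database, the comment should also say that the entries are to be dropped once the database is corrected. Minor wording: "does not affect" should be "do not affect" and "whitelist it" should be "whitelist them".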