
[kirkstone] cargo : non vulnerable cve-2022-46176 added to excluded list

Message ID 20230402152836.9157-1-sundeep.kokkonda@gmail.com
State New, archived

Commit Message

Sundeep KOKKONDA April 2, 2023, 3:28 p.m. UTC
This CVE (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security vulnerability when using cargo with ssh.
Kirkstone doesn't support Rust on-target images, and bitbake uses 'wget' (which uses 'https') for fetching the sources instead of ssh.
So cargo-native is also not vulnerable to this CVE, and it has been added to the excluded list.

Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@windriver.com>
---
 meta/conf/distro/include/cve-extra-exclusions.inc | 5 +++++
 1 file changed, 5 insertions(+)
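The file this patch edits pairs every `CVE_CHECK_IGNORE` assignment with a comment block that justifies the exclusion. The following is an added auditing example, not code from the patch or from openembedded-core: it parses that convention, attaches each comment block to the assignment that follows it, and flags exclusions that lack an advisory link or do not name the CVE they ignore. The sample file is constructed (two entries mirror the hunk on this page, the third is invented to show a finding), and the parser assumes one assignment per line, so backslash continuations are not handled.

```python
"""Audit a cve-extra-exclusions.inc-style file (added example; not code from
the patch or from openembedded-core).

Each `CVE_CHECK_IGNORE += "..."` assignment is paired with the comment block
that immediately precedes it, which the file's convention treats as the
justification for the exclusion.  The audit then flags entries that lack an
advisory link or do not name the CVE they ignore.  Assumptions: one
assignment per line (backslash continuations are not handled), and a blank
line ends a comment block.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

IGNORE_RE = re.compile(r'^\s*CVE_CHECK_IGNORE\s*\+=\s*"([^"]*)"\s*$')
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class IgnoreEntry:
    line: int                 # 1-based line number of the assignment
    cves: List[str]           # CVE ids ignored by this assignment
    justification: List[str]  # preceding comment lines, '#' stripped


def parse_exclusions(text: str) -> List[IgnoreEntry]:
    entries: List[IgnoreEntry] = []
    pending: List[str] = []  # comment lines not yet attached to an assignment
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if stripped.startswith("#"):
            pending.append(stripped.lstrip("#").strip())
            continue
        m = IGNORE_RE.match(raw)
        if m:
            entries.append(IgnoreEntry(lineno, CVE_RE.findall(m.group(1)), pending))
            pending = []
            continue
        if stripped == "":
            pending = []  # a blank line separates comment blocks
        # other assignments (unrelated variables) are simply skipped
    return entries


def audit(entries: List[IgnoreEntry]) -> List[Tuple[int, str, str]]:
    """Return (line, cve, problem) for every exclusion that is not self-justifying."""
    problems: List[Tuple[int, str, str]] = []
    for e in entries:
        just = " ".join(e.justification)
        if not e.cves:
            problems.append((e.line, "", "assignment names no CVE id"))
        for cve in e.cves:
            if not URL_RE.search(just):
                problems.append((e.line, cve, "no advisory link in justification"))
            if cve not in just:
                problems.append((e.line, cve, "CVE id not named in justification"))
    return problems


def ignored_cves(entries: List[IgnoreEntry]) -> Set[str]:
    """Set of every CVE id the file suppresses; useful for a quick 'is X ignored?' check."""
    return {cve for e in entries for cve in e.cves}


# Constructed sample: the first two entries mirror the hunk in this patch,
# the third is invented to show what the audit catches.
SAMPLE = """\
# Constructed sample exclusions file for the example.
#

#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176
#cargo security advisor https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
#This CVE is a security issue when using cargo ssh. Rust on-target is not supported.
CVE_CHECK_IGNORE += "CVE-2022-46176"

# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
# CVE is more than 20 years old with no resolution evident
CVE_CHECK_IGNORE += "CVE-2000-0006"

# constructed entry with a justification but no advisory link
CVE_CHECK_IGNORE += "CVE-1999-0001"
"""

if __name__ == "__main__":
    found = parse_exclusions(SAMPLE)
    for line, cve, problem in audit(found):
        print(f"line {line}: {cve or '(none)'}: {problem}")
```

Running the script on a real exclusions file (read it instead of `SAMPLE`) gives a list of ignores whose justification a reviewer could not verify from the file alone; in the sample only the invented third entry is reported.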

Comments

Richard Purdie April 3, 2023, 10:46 a.m. UTC | #1
On Sun, 2023-04-02 at 20:58 +0530, Sundeep KOKKONDA wrote:
> This CVE (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security vulnerability when using cargo with ssh.
> Kirkstone doesn't support Rust on-target images, and bitbake uses 'wget' (which uses 'https') for fetching the sources instead of ssh.
> So cargo-native is also not vulnerable to this CVE, and it has been added to the excluded list.
> 
> Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@windriver.com>
> ---
>  meta/conf/distro/include/cve-extra-exclusions.inc | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
> index 8b5f8d49b8..cb2d920441 100644
> --- a/meta/conf/distro/include/cve-extra-exclusions.inc
> +++ b/meta/conf/distro/include/cve-extra-exclusions.inc
> @@ -15,6 +15,11 @@
>  # the aim of sharing that work and ensuring we don't duplicate it.
>  #
>  
> +#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176
> +#cargo security advisor https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
> +#This CVE is a security issue when using cargo ssh. In kirkstone, rust 1.59.0 is used and the rust on-target is not supported, so the target images are not vulnerable to the cve.
> +#The bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh. So, the cargo-native are also not vulnerable to this cve and so added to excluded list.
> +CVE_CHECK_IGNORE += "CVE-2022-46176"
>  
>  # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
>  # CVE is more than 20 years old with no resolution evident

Since I've been following the discussion on this one:

Acked-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Cheers,

Richard
Sundeep KOKKONDA April 18, 2023, 11:46 a.m. UTC | #2
Hello Steve,

When is this patch planned to be taken into Kirkstone?



Thanks,
Sundeep K.
Steve Sakoman April 18, 2023, 1:59 p.m. UTC | #3
On Tue, Apr 18, 2023 at 1:46 AM Kokkonda, Sundeep
<Sundeep.Kokkonda@windriver.com> wrote:
>
> Hello Steve,
>
> When is this patch planned to be taken into Kirkstone?

It is in the set of patches being tested today.  So if all goes well
it should hit the kirkstone branch later this week.

Steve

> ________________________________
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> on behalf of Sundeep KOKKONDA via lists.openembedded.org <sundeep.kokkonda=gmail.com@lists.openembedded.org>
> Sent: 02 April 2023 20:58
> To: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
> Cc: rwmacleod@gmail.com <rwmacleod@gmail.com>; umesh.kalappa0@gmail.com <umesh.kalappa0@gmail.com>; pgowda.cve@gmail.com <pgowda.cve@gmail.com>; shivams@gmail.com <shivams@gmail.com>
> Subject: [OE-core] [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list
>
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> This CVE (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security vulnerability when using cargo with ssh.
> Kirkstone doesn't support Rust on-target images, and bitbake uses 'wget' (which uses 'https') for fetching the sources instead of ssh.
> So cargo-native is also not vulnerable to this CVE, and it has been added to the excluded list.
>
> Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@windriver.com>
> ---
>  meta/conf/distro/include/cve-extra-exclusions.inc | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
> index 8b5f8d49b8..cb2d920441 100644
> --- a/meta/conf/distro/include/cve-extra-exclusions.inc
> +++ b/meta/conf/distro/include/cve-extra-exclusions.inc
> @@ -15,6 +15,11 @@
>  # the aim of sharing that work and ensuring we don't duplicate it.
>  #
>
> +#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176
> +#cargo security advisor https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
> +#This CVE is a security issue when using cargo ssh. In kirkstone, rust 1.59.0 is used and the rust on-target is not supported, so the target images are not vulnerable to the cve.
> +#The bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh. So, the cargo-native are also not vulnerable to this cve and so added to excluded list.
> +CVE_CHECK_IGNORE += "CVE-2022-46176"
>
>  # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
>  # CVE is more than 20 years old with no resolution evident
> --
> 2.34.1
>

Patch

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 8b5f8d49b8..cb2d920441 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -15,6 +15,11 @@ 
 # the aim of sharing that work and ensuring we don't duplicate it.
 #
 
+#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176
+#cargo security advisor https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
+#This CVE is a security issue when using cargo ssh. In kirkstone, rust 1.59.0 is used and the rust on-target is not supported, so the target images are not vulnerable to the cve.
+#The bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh. So, the cargo-native are also not vulnerable to this cve and so added to excluded list.
+CVE_CHECK_IGNORE += "CVE-2022-46176"
 
 # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
 # CVE is more than 20 years old with no resolution evident
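Review bot: the justification comment (the four `#cargo …` lines before `CVE_CHECK_IGNORE += "CVE-2022-46176"`) argues only about cargo and cargo-native, but because this file is included from the distro configuration rather than from the cargo recipe, the entry suppresses the CVE for every recipe cve-check scans; the comment should state that the exclusion is distro-wide and that it rests on the listed conditions (rust 1.59.0, no on-target Rust, sources fetched over https by the bitbake fetcher rather than over ssh by cargo) so it can be revisited if kirkstone gains on-target Rust. Two wording fixes in the same lines: "cargo security advisor" should read "cargo security advisory", and "the cargo-native are also not vulnerable" should read "cargo-native is also not vulnerable".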