diff mbox series

cve-exclusion: review the last of the historical kernel CVEs

Message ID 20230905105420.3273603-1-ross.burton@arm.com
State Accepted, archived
Commit fe1c0b9725f88d15ba48b02b5fef01f2cf2e9d78
Headers show
Series cve-exclusion: review the last of the historical kernel CVEs | expand

Commit Message

Ross Burton Sept. 5, 2023, 10:54 a.m. UTC 
From: Ross Burton <ross.burton@arm.com>

Review the last of the historical kernel CVEs.  Issues which are
specific to other platforms or distributions are ignored in the kernel
recipe itself, whereas general security concerns like "ICMP leaks
information" and "USB has flaws" are ignored with more details in the
extra-exclusions file as before.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 .../distro/include/cve-extra-exclusions.inc   | 21 +++++++------------
 meta/recipes-kernel/linux/cve-exclusion.inc   | 12 +++++++++++
 2 files changed, 19 insertions(+), 14 deletions(-)
diff mbox series

Patch

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index cfee028e5ba..fcef6a14fb8 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -53,24 +53,17 @@  CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
 CVE_STATUS_DB[status] = "upstream-wontfix: Since Oracle relicensed bdb, the open source community is slowly but surely \
 replacing bdb with supported and open source friendly alternatives. As a result this CVE is unlikely to ever be fixed."
 
-#
-# Kernel CVEs, e.g. linux-yocto*
+# Kernel CVEs that are generic but can't be added to the kernel's hand-maintained cve-exclusion.inc
+# or machine-maintained cve-exclusion_VERSION.inc files, such as issues that describe TCP/IP design
+# flaws or processor-specific exploits that can't be mitigated.
 #
 # For OE-Core our policy is to stay as close to the kernel stable releases as we can. This should
 # ensure the bulk of the major kernel CVEs are fixed and we don't dive into each individual issue
 # as the stable maintainers are much more able to do that.
-#
-# We have a script (generate-cve-exclusions.py) to have correct CVE status for backported issues,
-# but the data on linuxkernelcves.com isn't 100% complete for the older CVEs.  These historical
-# CVEs need review and typically linuxkernelcves.com updated and then removed from here.
-#
-
-CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_HISTORIC"
-
-CVE_STATUS_KERNEL_HISTORIC = "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 \ 
-                              CVE-2008-2544 CVE-2008-4609 CVE-2010-0298 CVE-2010-4563 CVE-2011-0640"
-CVE_STATUS_KERNEL_HISTORIC[status] = "ignored"
-
+CVE_STATUS[CVE-1999-0524] = "ignored: issue is that ICMP exists, can be filewalled if required"
+CVE_STATUS[CVE-2008-4609] = "ignored: describes design flaws in TCP"
+CVE_STATUS[CVE-2010-4563] = "ignored: low impact, only enables detection of hosts which are sniffing network traffic"
+CVE_STATUS[CVE-2011-0640] = "ignored: requires physical access and any mitigation would mean USB is impractical to use"
 
 # qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2021-20255
 CVE_STATUS[CVE-2021-20255] = "upstream-wontfix: \
diff --git a/meta/recipes-kernel/linux/cve-exclusion.inc b/meta/recipes-kernel/linux/cve-exclusion.inc
index 28f9c8ff2b6..78576339432 100644
--- a/meta/recipes-kernel/linux/cve-exclusion.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion.inc
@@ -1,3 +1,15 @@ 
+CVE_STATUS[CVE-1999-0656] = "not-applicable-config: specific to ugidd, part of the old user-mode NFS server"
+
+CVE_STATUS[CVE-2006-2932] = "not-applicable-platform: specific to RHEL"
+
+CVE_STATUS[CVE-2007-2764] = "not-applicable-platform: specific to Sun/Brocade SilkWorm switches"
+
+CVE_STATUS[CVE-2007-4998] = "cpe-incorrect: a historic cp bug, no longer an issue as per https://bugzilla.redhat.com/show_bug.cgi?id=356471#c5"
+
+CVE_STATUS[CVE-2008-2544] = "disputed: not an issue as per https://bugzilla.redhat.com/show_bug.cgi?id=449089#c22"
+
+CVE_STATUS[CVE-2010-0298] = "fixed-version: 2.6.34 (1871c6)"
+
 CVE_STATUS[CVE-2014-2648] = "cpe-incorrect: not Linux"
 
 CVE_STATUS[CVE-2016-0774] = "ignored: result of incomplete backport"