From patchwork Tue Sep 5 10:54:20 2023
X-Patchwork-Submitter: Ross Burton
X-Patchwork-Id: 29968
From: ross.burton@arm.com
To: openembedded-core@lists.openembedded.org
Cc: nd@arm.com
Subject: [PATCH] cve-exclusion: review the last of the historical kernel CVEs
Date: Tue, 5 Sep 2023 11:54:20 +0100
Message-Id: <20230905105420.3273603-1-ross.burton@arm.com>
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187204
From: Ross Burton Review the last of the historical kernel CVEs. Issues which are specific to other platforms or distributions are ignored in the kernel recipe itself, whereas general security concerns like "ICMP leaks information" and "USB has flaws" are ignored with more details in the extra-exclusions file as before. Signed-off-by: Ross Burton --- .../distro/include/cve-extra-exclusions.inc | 21 +++++++------------ meta/recipes-kernel/linux/cve-exclusion.inc | 12 +++++++++++ 2 files changed, 19 insertions(+), 14 deletions(-) diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc index cfee028e5ba..fcef6a14fb8 100644 --- a/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/meta/conf/distro/include/cve-extra-exclusions.inc 
@@ -53,24 +53,17 @@ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981" CVE_STATUS_DB[status] = "upstream-wontfix: Since Oracle relicensed bdb, the open source community is slowly but surely \ replacing bdb with supported and open source friendly alternatives. As a result this CVE is unlikely to ever be fixed." -# -# Kernel CVEs, e.g. linux-yocto* +# Kernel CVEs that are generic but can't be added to the kernel's hand-maintained cve-exclusion.inc +# or machine-maintained cve-exclusion_VERSION.inc files, such as issues that describe TCP/IP design +# flaws or processor-specific exploits that can't be mitigated. # # For OE-Core our policy is to stay as close to the kernel stable releases as we can. This should # ensure the bulk of the major kernel CVEs are fixed and we don't dive into each individual issue # as the stable maintainers are much more able to do that. -# -# We have a script (generate-cve-exclusions.py) to have correct CVE status for backported issues, -# but the data on linuxkernelcves.com isn't 100% complete for the older CVEs. These historical -# CVEs need review and typically linuxkernelcves.com updated and then removed from here. 
-# - -CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_HISTORIC" - -CVE_STATUS_KERNEL_HISTORIC = "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 \ - CVE-2008-2544 CVE-2008-4609 CVE-2010-0298 CVE-2010-4563 CVE-2011-0640" -CVE_STATUS_KERNEL_HISTORIC[status] = "ignored" - +CVE_STATUS[CVE-1999-0524] = "ignored: issue is that ICMP exists, can be filewalled if required" +CVE_STATUS[CVE-2008-4609] = "ignored: describes design flaws in TCP" +CVE_STATUS[CVE-2010-4563] = "ignored: low impact, only enables detection of hosts which are sniffing network traffic" +CVE_STATUS[CVE-2011-0640] = "ignored: requires physical access and any mitigation would mean USB is impractical to use" # qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2021-20255 CVE_STATUS[CVE-2021-20255] = "upstream-wontfix: \ diff --git a/meta/recipes-kernel/linux/cve-exclusion.inc b/meta/recipes-kernel/linux/cve-exclusion.inc index 28f9c8ff2b6..78576339432 100644 --- a/meta/recipes-kernel/linux/cve-exclusion.inc +++ b/meta/recipes-kernel/linux/cve-exclusion.inc @@ -1,3 +1,15 @@ +CVE_STATUS[CVE-1999-0656] = "not-applicable-config: specific to ugidd, part of the old user-mode NFS server" + +CVE_STATUS[CVE-2006-2932] = "not-applicable-platform: specific to RHEL" + +CVE_STATUS[CVE-2007-2764] = "not-applicable-platform: specific to Sun/Brocade SilkWorm switches" + +CVE_STATUS[CVE-2007-4998] = "cpe-incorrect: a historic cp bug, no longer an issue as per https://bugzilla.redhat.com/show_bug.cgi?id=356471#c5" + +CVE_STATUS[CVE-2008-2544] = "disputed: not an issue as per https://bugzilla.redhat.com/show_bug.cgi?id=449089#c22" + +CVE_STATUS[CVE-2010-0298] = "fixed-version: 2.6.34 (1871c6)" + CVE_STATUS[CVE-2014-2648] = "cpe-incorrect: not Linux" CVE_STATUS[CVE-2016-0774] = "ignored: result of incomplete backport"
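Review bot: typo in the new CVE-1999-0524 status string in cve-extra-exclusions.inc, "can be filewalled if required" should read "can be firewalled if required"; these strings end up in cve-check reports, so it is worth fixing before merge. Also, the rewritten header comment now refers to "machine-maintained cve-exclusion_VERSION.inc files" but the removed paragraph was the only place that named the tool producing them (generate-cve-exclusions.py) and the linuxkernelcves.com data it reads; consider keeping one sentence such as "the cve-exclusion_VERSION.inc files are generated by generate-cve-exclusions.py" so a reader of this file still knows where the machine-maintained data comes from.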
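Review bot: the status chosen for CVE-1999-0656 in cve-exclusion.inc looks inconsistent with its own justification: "not-applicable-config" implies the code is in the kernel but not built here, while the text says the issue is "specific to ugidd, part of the old user-mode NFS server", i.e. userspace code that was never part of the kernel tree. The neighbouring entries for the same situation use "cpe-incorrect" (CVE-2007-4998 "a historic cp bug", CVE-2014-2648 "not Linux"), so "cpe-incorrect: specific to ugidd, part of the old user-mode NFS server" would be the consistent choice. Minor: CVE-2010-0298 cites the fix as "2.6.34 (1871c6)", a six-character abbreviated commit id; the full SHA would avoid any ambiguity when someone later verifies the fixed-version claim against the kernel history.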