
[dunfell] sqlite3: ignore CVE-2024-0232

Message ID 20240128165358.657852-1-peter.marko@siemens.com
State Superseded
Delegated to: Steve Sakoman

Commit Message

Peter Marko Jan. 28, 2024, 4:53 p.m. UTC
From: Peter Marko <peter.marko@siemens.com>

This CVE reports a bug which was fixed in 3.43.2 by [1].
Code analysis shows that it is fixing a caching issue
and this cache was introduced by [2].
This landed only in 3.43.0 so 3.85.5 is not affected.

[1] https://sqlite.org/src/info/5b09212ac05615fc
[2] https://sqlite.org/src/info/2dbb22c75e86f2e3

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-support/sqlite/sqlite3_3.31.1.bb | 2 ++
 1 file changed, 2 insertions(+)

Comments

Steve Sakoman Jan. 29, 2024, 2:19 p.m. UTC | #1
On Sun, Jan 28, 2024 at 6:54 AM Peter Marko via lists.openembedded.org
<peter.marko=siemens.com@lists.openembedded.org> wrote:
>
> From: Peter Marko <peter.marko@siemens.com>
>
> This CVE reports a bug which was fixed in 3.43.2 by [1].
> Code analysis shows that it is fixing a caching issue
> and this cache was introduced by [2].
> This landed only in 3.43.0 so 3.85.5 is not affected.

I think you meant 3.31.1, not 3.85.5

In cases like this where the database is in error it is best to send
an email to cpe_dictionary@nist.gov providing the above data and
asking them to fix the issue. They are usually quite responsive.

Steve

>
> [1] https://sqlite.org/src/info/5b09212ac05615fc
> [2] https://sqlite.org/src/info/2dbb22c75e86f2e3
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>  meta/recipes-support/sqlite/sqlite3_3.31.1.bb | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
> index ef12ef0db2..b2d8f9f1dd 100644
> --- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
> +++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
> @@ -25,3 +25,5 @@ SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b5
>  CVE_CHECK_WHITELIST += "CVE-2019-19242"
>  # This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
>  CVE_CHECK_WHITELIST += "CVE-2015-3717"
> +# This was introduced in 3.43.0, 3.31.1 is not yet affected
> +CVE_CHECK_WHITELIST += "CVE-2024-0232"
> --
> 2.30.2
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#194444): https://lists.openembedded.org/g/openembedded-core/message/194444
> Mute This Topic: https://lists.openembedded.org/mt/104014792/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
Peter Marko Jan. 31, 2024, 10:56 p.m. UTC | #2
-----Original Message-----
From: Steve Sakoman <steve@sakoman.com> 
Sent: Monday, January 29, 2024 15:19
To: Marko, Peter (ADV D EU SK BFS1) <Peter.Marko@siemens.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][dunfell][PATCH] sqlite3: ignore CVE-2024-0232

> On Sun, Jan 28, 2024 at 6:54 AM Peter Marko via lists.openembedded.org <peter.marko=siemens.com@lists.openembedded.org> wrote:
> >
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > This CVE reports a bug which was fixed in 3.43.2 by [1].
> > Code analysis shows that it is fixing a caching issue and this cache was
> > introduced by [2].
> > This landed only in 3.43.0 so 3.85.5 is not affected.
>
> I think you meant 3.31.1, not 3.85.5
>
> In cases like this where the database is in error it is best to send an email to cpe_dictionary@nist.gov providing the above data and asking them to fix the issue. They are usually quite responsive.
>
> Steve

Hi Steve,

I have sent v2's with corrected comments.
I'm sorry, but I'll leave discussions with nist.gov to others...

Peter

>
> >
> > [1] https://sqlite.org/src/info/5b09212ac05615fc
> > [2] https://sqlite.org/src/info/2dbb22c75e86f2e3
> >
> > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > ---
> >  meta/recipes-support/sqlite/sqlite3_3.31.1.bb | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb 
> > b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
> > index ef12ef0db2..b2d8f9f1dd 100644
> > --- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
> > +++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
> > @@ -25,3 +25,5 @@ SRC_URI[sha256sum] = 
> > "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b5
> >  CVE_CHECK_WHITELIST += "CVE-2019-19242"
> >  # This is believed to be iOS specific 
> > (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
> >  CVE_CHECK_WHITELIST += "CVE-2015-3717"
> > +# This was introduced in 3.43.0, 3.31.1 is not yet affected 
> > +CVE_CHECK_WHITELIST += "CVE-2024-0232"
> > --
> > 2.30.2
> >
Steve Sakoman Feb. 1, 2024, 1:57 p.m. UTC | #3
On Wed, Jan 31, 2024 at 12:56 PM Marko, Peter <Peter.Marko@siemens.com> wrote:
>
> -----Original Message-----
> From: Steve Sakoman <steve@sakoman.com>
> Sent: Monday, January 29, 2024 15:19
> To: Marko, Peter (ADV D EU SK BFS1) <Peter.Marko@siemens.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core][dunfell][PATCH] sqlite3: ignore CVE-2024-0232
>
> > On Sun, Jan 28, 2024 at 6:54 AM Peter Marko via lists.openembedded.org <peter.marko=siemens.com@lists.openembedded.org> wrote:
> > >
> > > From: Peter Marko <peter.marko@siemens.com>
> > >
> > > This CVE reports a bug which was fixed in 3.43.2 by [1].
> > > Code analysis shows that it is fixing a caching issue and this cache was
> > > introduced by [2].
> > > This landed only in 3.43.0 so 3.85.5 is not affected.
> >
> > I think you meant 3.31.1, not 3.85.5
> >
> > In cases like this where the database is in error it is best to send an email to cpe_dictionary@nist.gov providing the above data and asking them to fix the issue. They are usually quite responsive.
> >
> > Steve
>
> Hi Steve,
>
> I have sent v2's with corrected comments.
> I'm sorry, but I'll leave discussions with nist.gov to others...

I've sent a database correction request to cpe_dictionary@nist.gov.

These patches will be held pending the result of the request.

Steve

>
> Peter
>
> >
> > >
> > > [1] https://sqlite.org/src/info/5b09212ac05615fc
> > > [2] https://sqlite.org/src/info/2dbb22c75e86f2e3
> > >
> > > Signed-off-by: Peter Marko <peter.marko@siemens.com>
> > > ---
> > >  meta/recipes-support/sqlite/sqlite3_3.31.1.bb | 2 ++
> > >  1 file changed, 2 insertions(+)
> > >
> > > diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
> > > b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
> > > index ef12ef0db2..b2d8f9f1dd 100644
> > > --- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
> > > +++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
> > > @@ -25,3 +25,5 @@ SRC_URI[sha256sum] =
> > > "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b5
> > >  CVE_CHECK_WHITELIST += "CVE-2019-19242"
> > >  # This is believed to be iOS specific
> > > (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
> > >  CVE_CHECK_WHITELIST += "CVE-2015-3717"
> > > +# This was introduced in 3.43.0, 3.31.1 is not yet affected
> > > +CVE_CHECK_WHITELIST += "CVE-2024-0232"
> > > --
> > > 2.30.2
> > >

Patch

diff --git a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
index ef12ef0db2..b2d8f9f1dd 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.31.1.bb
@@ -25,3 +25,5 @@  SRC_URI[sha256sum] = "62284efebc05a76f909c580ffa5c008a7d22a1287285d68b7825a2b6b5
 CVE_CHECK_WHITELIST += "CVE-2019-19242"
 # This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
 CVE_CHECK_WHITELIST += "CVE-2015-3717"
+# This was introduced in 3.43.0, 3.31.1 is not yet affected
+CVE_CHECK_WHITELIST += "CVE-2024-0232"
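Review bot: the justification comment on the new whitelist entry should carry the evidence, not just the conclusion. The neighbouring entry for CVE-2015-3717 links the discussion that backs it, but the added `# This was introduced in 3.43.0, 3.31.1 is not yet affected` line gives no pointer, so the next person auditing this whitelist has to find this thread to check the claim. The commit message already has both upstream check-ins; carrying them into the recipe keeps the rationale with the ignore, e.g. `# Fixed in 3.43.2 (https://sqlite.org/src/info/5b09212ac05615fc); the affected cache only appeared in 3.43.0 (https://sqlite.org/src/info/2dbb22c75e86f2e3), so 3.31.1 is not affected`. The wording "not yet affected" also reads as if 3.31.1 could become affected later; since the commit's point is that the vulnerable code never existed in this version, "is not affected" is the accurate phrasing. Finally, the commit body says "3.85.5" where the recipe and the diff say 3.31.1; that typo should be corrected in the same revision so the commit message and the recipe comment agree.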