[dunfell,05/11] git: Ignore CVE-2022-24975

Message ID f35500a442d6a4564d52e23f9602a3f90a4ceee5.1650131192.git.steve@sakoman.com
State Accepted, archived
Commit f35500a442d6a4564d52e23f9602a3f90a4ceee5
Series [dunfell,01/11] vim: Upgrade 8.2.4524 -> 8.2.4681

Commit Message

Steve Sakoman April 16, 2022, 7:14 p.m. UTC
From: Richard Purdie <richard.purdie@linuxfoundation.org>

Everyone I've talked to doesn't see this as a major issue. The CVE
asks for a documentation improvement on the --mirror option to
git clone as deleted content could be leaked into a mirror. For OE's
general users/use cases, we wouldn't build or ship docs so this wouldn't
affect us.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5dfe2dd5482c9a446f8e722fe51903d205e6770d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/git/git.inc | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Ranjitsinh Rathod May 17, 2022, 11:09 a.m. UTC | #1
On Sat, Apr 16, 2022 at 12:15 PM, Steve Sakoman wrote:

> 
> CVE_CHECK_IGNORE

Hi Steve,

Is this variable CVE_CHECK_IGNORE valid in dunfell branch too?
Because when I check with "bitbake -c cve_check git" it is still showing as Unpatched only.

Thanks, Ranjitsinh Rathod
Steve Sakoman May 17, 2022, 2:11 p.m. UTC | #2
On Tue, May 17, 2022 at 1:09 AM Ranjitsinh Rathod
<ranjitsinhrathod1991@gmail.com> wrote:
>
> On Sat, Apr 16, 2022 at 12:15 PM, Steve Sakoman wrote:
>
> CVE_CHECK_IGNORE
>
> Is this variable CVE_CHECK_IGNORE valid in dunfell branch too?
> Because when I check with "bitbake -c cve_check git" it is still showing as Unpatched only.

Arghh!  I'm so sorry I missed this.  Thanks for the "fix it" patch!

Steve

Patch

diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc
index a89dd42e8b..ffbae145cf 100644
--- a/meta/recipes-devtools/git/git.inc
+++ b/meta/recipes-devtools/git/git.inc
@@ -20,6 +20,11 @@  LIC_FILES_CHKSUM = "file://COPYING;md5=7c0d7ef03a7eb04ce795b0f60e68e7e1"
 
 CVE_PRODUCT = "git-scm:git"
 
+# This is about a manpage not mentioning --mirror may "leak" information
+# in mirrored git repos. Most OE users wouldn't build the docs and
+# we don't see this as a major issue for our general users/usecases.
+CVE_CHECK_IGNORE += "CVE-2022-24975"
+
 PACKAGECONFIG ??= ""
 PACKAGECONFIG[cvsserver] = ""
 PACKAGECONFIG[svn] = ""
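Review bot: the variable set in this hunk, CVE_CHECK_IGNORE, is not honoured by the dunfell cve-check class, so the ignore has no effect on this branch; comment #1 in this thread reports that `bitbake -c cve_check git` still lists the CVE as Unpatched after the patch, and reply #2 acknowledges a follow-up fix was needed. CVE_CHECK_IGNORE is the name introduced on master (this is a cherry-pick of a master commit); on dunfell the class reads CVE_CHECK_WHITELIST, so the backport should set `CVE_CHECK_WHITELIST += "CVE-2022-24975"` instead, keeping the explanatory comment above it. After the change, re-run `bitbake -c cve_check git` and confirm CVE-2022-24975 no longer appears as Unpatched in the generated report before merging.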