| Message ID | 20230404164400.403462-1-richard.purdie@linuxfoundation.org |
|---|---|
| State | New |
| Series | cve-extra-exclusions.inc: Exclude some issues not present in linux-yocto |
Hi,

On 4/4/23 18:44, Richard Purdie wrote:
> Exclude some CVEs where the patches were backported to the stable series
> kernels we have.
>
> https://www.linuxkernelcves.com/cves/CVE-XXXX-XXXX is useful to help
> with this.
>
> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> ---
>  .../distro/include/cve-extra-exclusions.inc | 40 +++++++++++++++++++
>  1 file changed, 40 insertions(+)
>
> diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
> index a281a8ac65c..680f613c9f9 100644
> --- a/meta/conf/distro/include/cve-extra-exclusions.inc
> +++ b/meta/conf/distro/include/cve-extra-exclusions.inc
> @@ -381,6 +381,46 @@ CVE_CHECK_IGNORE += "CVE-2023-0266" > # Backported in version v6.1.7 0afa5f0736584411771299074bbeca8c1f9706d4 > CVE_CHECK_IGNORE += "CVE-2023-0394" > > +# https://nvd.nist.gov/vuln/detail/CVE-2023-0461 > +# Introduced in version 4.13 734942cc4ea6478eed125af258da1bdbb4afe578 > +# Patched in kernel v6.2 2c02d41d71f90a5168391b6a5f2954112ba2307c > +# Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c > +# Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6 > +CVE_CHECK_IGNORE += "CVE-2023-0461" > + > +# https://nvd.nist.gov/vuln/detail/CVE-2023-0386 > +# Introduced in 5.11 459c7c565ac36ba09ffbf24231147f408fde4203 > +# Patched in kernel v6.2 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3 > +# Backported in version 6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81 > +# Backported in version 5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e > +CVE_CHECK_IGNORE += "CVE-2023-0386" > + > +# https://nvd.nist.gov/vuln/detail/CVE-2023-1073 > +# Introduced in 1b15d2e5b8077670b1e6a33250a0d9577efff4a5 The earliest version containing this commit is v3.16 > +# Patched in kernel v6.2 b12fece4c64857e5fab4290bf01b2e0317a88456 > +# Backported in version 5.10.166 You are missing the SHA1 here : It is 5dc3469a1170dd1344d262a332b26994214eeb58 > +# Backported in version 5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64 > +# Backported in version 6.1.9 cdcdc0531a51659527fea4b4d064af343452062d > +CVE_CHECK_IGNORE += "CVE-2023-1073" > + > +# https://nvd.nist.gov/vuln/detail/CVE-2023-1074 > +# Patched in kernel v6.2 458e279f861d3f61796894cd158b780765a1569f > +# Backported in version 5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32 > +# Backported in version 6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3 > +CVE_CHECK_IGNORE += "CVE-2023-1074" > + > +# https://nvd.nist.gov/vuln/detail/CVE-2023-1077 > +# Patched in kernel 6.3rc1 7c4a5b89a0b5a57a64b601775b296abf77a9fe97 > +# Backported in version 5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7 > 
+# Backported in version 6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3 > +CVE_CHECK_IGNORE += "CVE-2023-1077" > + > +# https://nvd.nist.gov/vuln/detail/CVE-2023-1078 > +# Patched in kernel 6.2 f753a68980cf4b59a80fe677619da2b1804f526d > +# Backported in version 5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba > +# Backported in version 6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3 > +CVE_CHECK_IGNORE += "CVE-2023-1078" > + > # Wrong CPE in NVD database > # https://nvd.nist.gov/vuln/detail/CVE-2022-3563 > # https://nvd.nist.gov/vuln/detail/CVE-2022-3637 Apart from these two comments: Reviewed-by: Yoann Congal <yoann.congal@smile.fr> Regards,
On Tue, 2023-04-04 at 21:48 +0200, Yoann Congal wrote:
> Hi,
>
> On 4/4/23 18:44, Richard Purdie wrote:
> > Exclude some CVEs where the patches were backported to the stable series
> > kernels we have.
> >
> > https://www.linuxkernelcves.com/cves/CVE-XXXX-XXXX is useful to help
> > with this.
> >
> > Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
> > ---
> >  .../distro/include/cve-extra-exclusions.inc | 40 +++++++++++++++++++
> >  1 file changed, 40 insertions(+)
> >
> > diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
> > index a281a8ac65c..680f613c9f9 100644
> > --- a/meta/conf/distro/include/cve-extra-exclusions.inc
> > +++ b/meta/conf/distro/include/cve-extra-exclusions.inc
> > @@ -381,6 +381,46 @@ CVE_CHECK_IGNORE += "CVE-2023-0266" > > # Backported in version v6.1.7 0afa5f0736584411771299074bbeca8c1f9706d4 > > CVE_CHECK_IGNORE += "CVE-2023-0394" > > > > +# https://nvd.nist.gov/vuln/detail/CVE-2023-0461 > > +# Introduced in version 4.13 734942cc4ea6478eed125af258da1bdbb4afe578 > > +# Patched in kernel v6.2 2c02d41d71f90a5168391b6a5f2954112ba2307c > > +# Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c > > +# Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6 > > +CVE_CHECK_IGNORE += "CVE-2023-0461" > > + > > +# https://nvd.nist.gov/vuln/detail/CVE-2023-0386 > > +# Introduced in 5.11 459c7c565ac36ba09ffbf24231147f408fde4203 > > +# Patched in kernel v6.2 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3 > > +# Backported in version 6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81 > > +# Backported in version 5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e > > +CVE_CHECK_IGNORE += "CVE-2023-0386" > > + > > +# https://nvd.nist.gov/vuln/detail/CVE-2023-1073 > > +# Introduced in 1b15d2e5b8077670b1e6a33250a0d9577efff4a5 > > The earliest version containing this commit is v3.16 > > > +# Patched in kernel v6.2 b12fece4c64857e5fab4290bf01b2e0317a88456 > > +# Backported in version 5.10.166 > > You are missing the SHA1 here : It is 5dc3469a1170dd1344d262a332b26994214eeb58 > > > +# Backported in version 5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64 > > +# Backported in version 6.1.9 cdcdc0531a51659527fea4b4d064af343452062d > > +CVE_CHECK_IGNORE += "CVE-2023-1073" > > + > > +# https://nvd.nist.gov/vuln/detail/CVE-2023-1074 > > +# Patched in kernel v6.2 458e279f861d3f61796894cd158b780765a1569f > > +# Backported in version 5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32 > > +# Backported in version 6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3 > > +CVE_CHECK_IGNORE += "CVE-2023-1074" > > + > > +# https://nvd.nist.gov/vuln/detail/CVE-2023-1077 > > +# Patched in kernel 6.3rc1 7c4a5b89a0b5a57a64b601775b296abf77a9fe97 
> > +# Backported in version 5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7 > > +# Backported in version 6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3 > > +CVE_CHECK_IGNORE += "CVE-2023-1077" > > + > > +# https://nvd.nist.gov/vuln/detail/CVE-2023-1078 > > +# Patched in kernel 6.2 f753a68980cf4b59a80fe677619da2b1804f526d > > +# Backported in version 5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba > > +# Backported in version 6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3 > > +CVE_CHECK_IGNORE += "CVE-2023-1078" > > + > > # Wrong CPE in NVD database > > # https://nvd.nist.gov/vuln/detail/CVE-2022-3563 > > # https://nvd.nist.gov/vuln/detail/CVE-2022-3637 > > Apart from these two comments: > Reviewed-by: Yoann Congal <yoann.congal@smile.fr> Thanks, I tweaked those bits. I did a bit more research and the other easier looking linux-yocto ones to mark up are listed below along with the versions known to contain fixes. I'd still need to map out the revisions and so on for these but several look like they can be resolved for our versions if this data is correct. That left 13 linux-yocto CVEs that would need more work to track down and 5 non linux-yocto ones. 
CVE-2022-2196: linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2196 *
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=2e7eab81425ad6c875f2ed47c0ce01e78afc38a5
5.10.170
5.15.96
6.1.14

CVE-2022-3424: linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3424 *
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=643a16a0eb1d6ac23744bb6e90a00fc21148a9dc
5.10.163
5.15.86
6.1.2

CVE-2022-3523: linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3523 *
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=16ce101db85db694a91380aa4c89b25530871d33

CVE-2022-3566: linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3566 *
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57

CVE-2022-3567: linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3567 *
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=364f997b5cfe1db0d63a390fe7c801fa2b3115f6

CVE-2022-38457: linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38457 *
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=a309c7194e8a2f8bd4539b9449917913f6c2cd50
6.1.7

CVE-2022-40133: linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40133 *
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=a309c7194e8a2f8bd4539b9449917913f6c2cd50

CVE-2023-0179: linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0179 *
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=696e1a48b1a1b01edad542a1ef293665864a4dd0
5.10.164
5.15.89
6.1.7

CVE-2023-1079: linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1079 *
Fixed in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=4ab3a086d10eeec1424f2e8a968827a6336203df
5.10.173
5.15.99
6.1.16

CVE-2023-1118: linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1118 *
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=29b0589a865b6f66d141d79b2dd1373e4e50fe17
5.10.173
5.15.99
6.1.16

CVE-2023-1281: linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1281 *
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=ee059170b1f7e94e55fa6cadee544e176a6e59c2
5.10.169
5.15.95
6.1.13

CVE-2023-1513: linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1513 *
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=2c10b61421a28e95a46ab489fd56c0f442ff6952
5.10.169
5.15.95
6.1.13

CVE-2023-23005: linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23005 *
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=4a625ceee8a0ab0273534cb6b432ce6b331db5ee
Disputed?

CVE-2023-28466: linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28466 *
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962
5.15.105
6.1.20

CVE-2023-28866: linux-yocto
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28866 *
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=bce56405201111807cc8e4f47c6de3e10b17c1ac
6.1.22

Cheers,

Richard
Hi Richard,

On 4/5/23 00:26, Richard Purdie wrote:
> .../...
> Thanks, I tweaked those bits. I did a bit more research and the other
> easier looking linux-yocto ones to mark up are listed below along with
> the versions known to contain fixes. I'd still need to map out the
> revisions and so on for these but several look like they can be
> resolved for our versions if this data is correct.
>
> That left 13 linux-yocto CVEs that would need more work to track down
> and 5 non linux-yocto ones.

Some of these will be part of a patch from Geoffrey (in cc) that he will send in an hour or 2.

>
> CVE-2022-2196: linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2196 *
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=2e7eab81425ad6c875f2ed47c0ce01e78afc38a5
> 5.10.170
> 5.15.96
> 6.1.14
>
> CVE-2022-3424: linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3424 *
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=643a16a0eb1d6ac23744bb6e90a00fc21148a9dc
> 5.10.163
> 5.15.86
> 6.1.2
>
> CVE-2022-3523: linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3523 *
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=16ce101db85db694a91380aa4c89b25530871d33
>
> CVE-2022-3566: linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3566 *
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57
>
> CVE-2022-3567: linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3567 *
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=364f997b5cfe1db0d63a390fe7c801fa2b3115f6

All of the above will be included.

>
> CVE-2022-38457: linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38457 *
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=a309c7194e8a2f8bd4539b9449917913f6c2cd50
> 6.1.7
>
> CVE-2022-40133: linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40133 *
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=a309c7194e8a2f8bd4539b9449917913f6c2cd50
>
> CVE-2023-0179: linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0179 *
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=696e1a48b1a1b01edad542a1ef293665864a4dd0
> 5.10.164
> 5.15.89
> 6.1.7
>
> CVE-2023-1079: linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1079 *
> Fixed in
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=4ab3a086d10eeec1424f2e8a968827a6336203df
> 5.10.173
> 5.15.99
> 6.1.16

Not these 4 above.

>
> CVE-2023-1118: linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1118 *
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=29b0589a865b6f66d141d79b2dd1373e4e50fe17
> 5.10.173
> 5.15.99
> 6.1.16
>
> CVE-2023-1281: linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1281 *
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=ee059170b1f7e94e55fa6cadee544e176a6e59c2
> 5.10.169
> 5.15.95
> 6.1.13

These 2 above will be included.

> CVE-2023-1513: linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1513 *
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=2c10b61421a28e95a46ab489fd56c0f442ff6952
> 5.10.169
> 5.15.95
> 6.1.13
>
> CVE-2023-23005: linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23005 *
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=4a625ceee8a0ab0273534cb6b432ce6b331db5ee
> Disputed?

These 2 above will not be included.

>
> CVE-2023-28466: linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28466 *
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962
> 5.15.105
> 6.1.20

Included

>
> CVE-2023-28866: linux-yocto
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28866 *
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=bce56405201111807cc8e4f47c6de3e10b17c1ac
> 6.1.22

Not included.

Should I write a patch including the missing CVEs from Geoffrey's patch or that will clash with your work-in-progress?

> Cheers,
>
> Richard

Regards,
On Wed, 2023-04-05 at 11:51 +0200, Yoann Congal wrote:
> Hi Richard,
>
> On 4/5/23 00:26, Richard Purdie wrote:
> > .../...
> > Thanks, I tweaked those bits. I did a bit more research and the other
> > easier looking linux-yocto ones to mark up are listed below along with
> > the versions known to contain fixes. I'd still need to map out the
> > revisions and so on for these but several look like they can be
> > resolved for our versions if this data is correct.
> >
> > That left 13 linux-yocto CVEs that would need more work to track down
> > and 5 non linux-yocto ones.
>
> Some of these will be part of a patch from Geoffrey (in cc) that he will send in an hour or 2.
>
> >
> > CVE-2022-2196: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2196 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=2e7eab81425ad6c875f2ed47c0ce01e78afc38a5
> > 5.10.170
> > 5.15.96
> > 6.1.14
> >
> > CVE-2022-3424: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3424 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=643a16a0eb1d6ac23744bb6e90a00fc21148a9dc
> > 5.10.163
> > 5.15.86
> > 6.1.2
> >
> > CVE-2022-3523: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3523 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=16ce101db85db694a91380aa4c89b25530871d33
> >
> > CVE-2022-3566: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3566 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57
> >
> > CVE-2022-3567: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3567 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=364f997b5cfe1db0d63a390fe7c801fa2b3115f6
>
> All of the above will be included.
>
> >
> > CVE-2022-38457: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38457 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=a309c7194e8a2f8bd4539b9449917913f6c2cd50
> > 6.1.7
> >
> > CVE-2022-40133: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40133 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=a309c7194e8a2f8bd4539b9449917913f6c2cd50
> >
> > CVE-2023-0179: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0179 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=696e1a48b1a1b01edad542a1ef293665864a4dd0
> > 5.10.164
> > 5.15.89
> > 6.1.7
> >
> > CVE-2023-1079: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1079 *
> > Fixed in
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=4ab3a086d10eeec1424f2e8a968827a6336203df
> > 5.10.173
> > 5.15.99
> > 6.1.16
>
> Not these 4 above.
>
> >
> > CVE-2023-1118: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1118 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=29b0589a865b6f66d141d79b2dd1373e4e50fe17
> > 5.10.173
> > 5.15.99
> > 6.1.16
> >
> > CVE-2023-1281: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1281 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=ee059170b1f7e94e55fa6cadee544e176a6e59c2
> > 5.10.169
> > 5.15.95
> > 6.1.13
>
> These 2 above will be included.
>
> > CVE-2023-1513: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1513 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=2c10b61421a28e95a46ab489fd56c0f442ff6952
> > 5.10.169
> > 5.15.95
> > 6.1.13
> >
> > CVE-2023-23005: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23005 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=4a625ceee8a0ab0273534cb6b432ce6b331db5ee
> > Disputed?
>
> These 2 above will not be included.
>
> >
> > CVE-2023-28466: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28466 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962
> > 5.15.105
> > 6.1.20
> Included
> >
> > CVE-2023-28866: linux-yocto
> > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28866 *
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=bce56405201111807cc8e4f47c6de3e10b17c1ac
> > 6.1.22
>
> Not included.
>
> Should I write a patch including the missing CVEs from Geoffrey's patch or that will clash with your work-in-progress?

I haven't done anything yet with these so I'd happily take a patch!

Cheers,

Richard
Hi

On 4/5/23 11:55, Richard Purdie wrote:
> On Wed, 2023-04-05 at 11:51 +0200, Yoann Congal wrote:
>> Hi Richard,
>>
>> On 4/5/23 00:26, Richard Purdie wrote:
>>> .../...
>>> Thanks, I tweaked those bits. I did a bit more research and the other
>>> easier looking linux-yocto ones to mark up are listed below along with
>>> the versions known to contain fixes. I'd still need to map out the
>>> revisions and so on for these but several look like they can be
>>> resolved for our versions if this data is correct.
>>>
>>> That left 13 linux-yocto CVEs that would need more work to track down
>>> and 5 non linux-yocto ones.
>>
>> Some of these will be part of a patch from Geoffrey (in cc) that he will send in an hour or 2.
>>
>>>
>>> CVE-2022-2196: linux-yocto
>>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2196 *
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=2e7eab81425ad6c875f2ed47c0ce01e78afc38a5
>>> 5.10.170
>>> 5.15.96
>>> 6.1.14
>>>
>>> CVE-2022-3424: linux-yocto
>>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3424 *
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=643a16a0eb1d6ac23744bb6e90a00fc21148a9dc
>>> 5.10.163
>>> 5.15.86
>>> 6.1.2
>>>
>>> CVE-2022-3523: linux-yocto
>>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3523 *
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=16ce101db85db694a91380aa4c89b25530871d33
>>>
>>> CVE-2022-3566: linux-yocto
>>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3566 *
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57
>>>
>>> CVE-2022-3567: linux-yocto
>>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3567 *
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=364f997b5cfe1db0d63a390fe7c801fa2b3115f6
>>
>> All of the above will be included.
>>
>>>
>>> CVE-2022-38457: linux-yocto
>>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38457 *
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=a309c7194e8a2f8bd4539b9449917913f6c2cd50
>>> 6.1.7
>>>
>>> CVE-2022-40133: linux-yocto
>>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40133 *
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=a309c7194e8a2f8bd4539b9449917913f6c2cd50
>>>
>>> CVE-2023-0179: linux-yocto
>>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0179 *
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=696e1a48b1a1b01edad542a1ef293665864a4dd0
>>> 5.10.164
>>> 5.15.89
>>> 6.1.7
>>>
>>> CVE-2023-1079: linux-yocto
>>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1079 *
>>> Fixed in
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=4ab3a086d10eeec1424f2e8a968827a6336203df
>>> 5.10.173
>>> 5.15.99
>>> 6.1.16
>>
>> Not these 4 above.
>>
>>>
>>> CVE-2023-1118: linux-yocto
>>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1118 *
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=29b0589a865b6f66d141d79b2dd1373e4e50fe17
>>> 5.10.173
>>> 5.15.99
>>> 6.1.16
>>>
>>> CVE-2023-1281: linux-yocto
>>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1281 *
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=ee059170b1f7e94e55fa6cadee544e176a6e59c2
>>> 5.10.169
>>> 5.15.95
>>> 6.1.13
>>
>> These 2 above will be included.
>>
>>> CVE-2023-1513: linux-yocto
>>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1513 *
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=2c10b61421a28e95a46ab489fd56c0f442ff6952
>>> 5.10.169
>>> 5.15.95
>>> 6.1.13
>>>
>>> CVE-2023-23005: linux-yocto
>>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23005 *
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=4a625ceee8a0ab0273534cb6b432ce6b331db5ee
>>> Disputed?
>>
>> These 2 above will not be included.
>>
>>>
>>> CVE-2023-28466: linux-yocto
>>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28466 *
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962
>>> 5.15.105
>>> 6.1.20
>> Included
>>>
>>> CVE-2023-28866: linux-yocto
>>> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28866 *
>>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=bce56405201111807cc8e4f47c6de3e10b17c1ac
>>> 6.1.22
>>
>> Not included.
>>
>> Should I write a patch including the missing CVEs from Geoffrey's patch or that will clash with your work-in-progress?
>
> I haven't done anything yet with these so I'd happily take a patch!

I'll send a patch later today for CVE-2023-0179, CVE-2023-1079 and CVE-2023-1513 (currently in internal review).

For CVE-2022-38457 and CVE-2022-40133, I can't track the commit properly.
Yes, linuxkernelcves.com gives commits for these CVEs but is this safe enough to ignore?
Until now, we have only ignored CVE from commits present in the NVD database.

CVE-2023-23005 is disputed (as you noted), I'll look into it but at a quick glance, the dispute has good arguments and we might ignore this one safely.

We are vulnerable to CVE-2023-28866 : It was introduced in 5.17 (bce56405201111807cc8e4f47c6de3e10b17c1ac from Fixes: tag).
On the 6.1 branch, this is fixed in 6.1.22 and we are at 6.1.20.

Regards,
On Thu, 2023-04-06 at 10:23 +0200, Yoann Congal wrote:
> > >
> > > Should I write a patch including the missing CVEs from Geoffrey's patch or that will clash with your work-in-progress?
> >
> > I haven't done anything yet with these so I'd happily take a patch!
>
> I'll send a patch later today for CVE-2023-0179, CVE-2023-1079 and CVE-2023-1513 (currently in internal review).
>
> For CVE-2022-38457 and CVE-2022-40133

This one appears to be fixed for 6.1 only with this change:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=a309c7194e8a2f8bd4539b9449917913f6c2cd50

coming into 6.1 stable here:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-6.1.y&id=7ac9578e45b20e3f3c0c8eb71f5417a499a7226a

The fix seems to cover both CVEs.

> I can't track the commit properly.
> Yes, linuxkernelcves.com gives commits for these CVEs but is this safe enough to ignore?
> Until now, we have only ignored CVE from commits present in the NVD database.

I think if we have good reason to believe these commits address the CVE, we can document that. There does seem to be a strong connection here but I've not gone into the details.

> CVE-2023-23005 is disputed (as you noted), I'll look into it but at a
> quick glance, the dispute has good arguments and we might ignore this
> one safely.

Agreed. If there are strong arguments from the maintainers, this does give us a good case for ignoring it as long as we document it as such.

> We are vulnerable to CVE-2023-28866 : It was introduced in 5.17 (bce56405201111807cc8e4f47c6de3e10b17c1ac from Fixes: tag).
> On the 6.1 branch, this is fixed in 6.1.22 and we are at 6.1.20.

Hopefully we'll update soon then! :)

Thanks for the help with these. It does make a difference and is much appreciated. You can see the downtick in master here:

https://autobuilder.yocto.io/pub/non-release/patchmetrics/

:)

This should then mean we'll soon get a list of "real" issues instead of noise.

Cheers,

Richard
On 4/6/23 10:36, Richard Purdie wrote:
> On Thu, 2023-04-06 at 10:23 +0200, Yoann Congal wrote:
>>
>> For CVE-2022-38457 and CVE-2022-40133
>
> This one appears to be fixed for 6.1 only with this change:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=a309c7194e8a2f8bd4539b9449917913f6c2cd50
>
> coming into 6.1 stable here:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-6.1.y&id=7ac9578e45b20e3f3c0c8eb71f5417a499a7226a
>
>
> The fix seems to cover both CVEs.
>
>> I can't track the commit properly.
>> Yes, linuxkernelcves.com gives commits for these CVEs but is this safe enough to ignore?
>> Until now, we have only ignored CVE from commits present in the NVD database.
>
> I think if we have good reason to believe these commits address the
> CVE, we can document that. There does seem to be a strong connection
> here but I've not gone into the details.

Ok, I'm now convinced the commit fixes these CVEs. I'll send a patch to ignore these.

>> CVE-2023-23005 is disputed (as you noted), I'll look into it but at a
>> quick glance, the dispute has good arguments and we might ignore this
>> one safely.
>
> Agreed. If there are strong arguments from the maintainers, this does
> give us a good case for ignoring it as long as we document it as such.

Same, I'll send a patch to ignore this one also.

>> We are vulnerable to CVE-2023-28866 : It was introduced in 5.17 (bce56405201111807cc8e4f47c6de3e10b17c1ac from Fixes: tag).
>> On the 6.1 branch, this is fixed in 6.1.22 and we are at 6.1.20.
>
> Hopefully we'll update soon then! :)
>
> Thanks for the help with these. It does make a difference and is much
> appreciated. You can see the downtick in master here:
>
> https://autobuilder.yocto.io/pub/non-release/patchmetrics/
>
> :)

Happy to see this :)

> This should then mean we'll soon get a list of "real" issues instead of
> noise.

I really hope we'll get to that point!

Regards,
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc index a281a8ac65c..680f613c9f9 100644 --- a/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/meta/conf/distro/include/cve-extra-exclusions.inc 
@@ -381,6 +381,46 @@ CVE_CHECK_IGNORE += "CVE-2023-0266" # Backported in version v6.1.7 0afa5f0736584411771299074bbeca8c1f9706d4 CVE_CHECK_IGNORE += "CVE-2023-0394" +# https://nvd.nist.gov/vuln/detail/CVE-2023-0461 +# Introduced in version 4.13 734942cc4ea6478eed125af258da1bdbb4afe578 +# Patched in kernel v6.2 2c02d41d71f90a5168391b6a5f2954112ba2307c +# Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c +# Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6 +CVE_CHECK_IGNORE += "CVE-2023-0461" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-0386 +# Introduced in 5.11 459c7c565ac36ba09ffbf24231147f408fde4203 +# Patched in kernel v6.2 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3 +# Backported in version 6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81 +# Backported in version 5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e +CVE_CHECK_IGNORE += "CVE-2023-0386" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-1073 +# Introduced in 1b15d2e5b8077670b1e6a33250a0d9577efff4a5 +# Patched in kernel v6.2 b12fece4c64857e5fab4290bf01b2e0317a88456 +# Backported in version 5.10.166 +# Backported in version 5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64 +# Backported in version 6.1.9 cdcdc0531a51659527fea4b4d064af343452062d +CVE_CHECK_IGNORE += "CVE-2023-1073" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-1074 +# Patched in kernel v6.2 458e279f861d3f61796894cd158b780765a1569f +# Backported in version 5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32 +# Backported in version 6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3 +CVE_CHECK_IGNORE += "CVE-2023-1074" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-1077 +# Patched in kernel 6.3rc1 7c4a5b89a0b5a57a64b601775b296abf77a9fe97 +# Backported in version 5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7 +# Backported in version 6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3 +CVE_CHECK_IGNORE += "CVE-2023-1077" + +# https://nvd.nist.gov/vuln/detail/CVE-2023-1078 +# Patched in kernel 6.2 
f753a68980cf4b59a80fe677619da2b1804f526d +# Backported in version 5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba +# Backported in version 6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3 +CVE_CHECK_IGNORE += "CVE-2023-1078" + # Wrong CPE in NVD database # https://nvd.nist.gov/vuln/detail/CVE-2022-3563 # https://nvd.nist.gov/vuln/detail/CVE-2022-3637
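Review bot: the CVE-2023-1073 block has a bare "+# Backported in version 5.10.166" line with no commit id, unlike every other "Backported in version" line in this hunk, and its "+# Introduced in 1b15d2e5b8077670b1e6a33250a0d9577efff4a5" line names no kernel version; both should be completed so the entry can be audited the same way as its neighbours (the review above supplies 5dc3469a1170dd1344d262a332b26994214eeb58 and v3.16 respectively). More importantly, each CVE_CHECK_IGNORE line suppresses the CVE for every linux-yocto version the distro builds, so an entry ought to record a backport for each stable series shipped, or say why none is needed: CVE-2023-0461 lists v6.1.5 and v5.15.88 but no 5.10 backport although it is marked as introduced in 4.13, and CVE-2023-1074, CVE-2023-1077 and CVE-2023-1078 list only 5.15 and 6.1 with no "Introduced in" line, while CVE-2023-1073 does record 5.10.166. Minor: the version spelling varies between "v6.2", "6.2" and "6.3rc1"; one consistent form keeps the comments greppable.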
Exclude some CVEs where the patches were backported to the stable series kernels we have. https://www.linuxkernelcves.com/cves/CVE-XXXX-XXXX is useful to help with this. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> --- .../distro/include/cve-extra-exclusions.inc | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+)
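The thread's recurring question is whether a stable kernel already carries a fix (fixed in 6.1.22 but shipping 6.1.20, so still exposed) and whether each ignore comment records enough to audit that later. As an added example, not code from Poky/OpenEmbedded or from this patch, here is a small Python checker that parses entries in the comment layout the patch uses, flags a "Backported in version" line without a commit id, and compares each entry against the kernel versions built. The sample text is copied from entries in the patch; SHIPPED is constructed (only 6.1.20 is a version the thread mentions); the assumptions that a CVE_CHECK_IGNORE line suppresses the CVE for every kernel version built and that a "6.3rc1" fix counts as present from the 6.3 series onward are the example's own.

```python
"""Audit CVE_CHECK_IGNORE entries against the kernel versions actually shipped.

Added example for this thread, not code from the OpenEmbedded layer.  It
assumes the comment layout used by the patch ('# Patched in kernel ...',
'# Backported in version X.Y.Z <sha>', then 'CVE_CHECK_IGNORE += "CVE-..."')
and that an ignore line suppresses the CVE for every kernel version built.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample exclusion-file text, copied from entries visible in the patch.
SAMPLE_INC = """\
# https://nvd.nist.gov/vuln/detail/CVE-2023-0461
# Introduced in version 4.13 734942cc4ea6478eed125af258da1bdbb4afe578
# Patched in kernel v6.2 2c02d41d71f90a5168391b6a5f2954112ba2307c
# Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c
# Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6
CVE_CHECK_IGNORE += "CVE-2023-0461"

# https://nvd.nist.gov/vuln/detail/CVE-2023-1073
# Introduced in 1b15d2e5b8077670b1e6a33250a0d9577efff4a5
# Patched in kernel v6.2 b12fece4c64857e5fab4290bf01b2e0317a88456
# Backported in version 5.10.166
# Backported in version 5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
# Backported in version 6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
CVE_CHECK_IGNORE += "CVE-2023-1073"

# https://nvd.nist.gov/vuln/detail/CVE-2023-1077
# Patched in kernel 6.3rc1 7c4a5b89a0b5a57a64b601775b296abf77a9fe97
# Backported in version 5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
# Backported in version 6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
CVE_CHECK_IGNORE += "CVE-2023-1077"
"""

# Kernel versions the distro builds (constructed; 6.1.20 is from the thread).
SHIPPED = ["5.10.175", "5.15.98", "6.1.20"]

PATCHED_RE = re.compile(r"^#\s*Patched in kernel\s+v?(\d+)\.(\d+)")
BACKPORT_RE = re.compile(
    r"^#\s*Backported in version\s+v?(\d+)\.(\d+)\.(\d+)(?:\s+([0-9a-f]{7,40}))?\s*$")
IGNORE_RE = re.compile(r'^CVE_CHECK_IGNORE\s*\+=\s*"(CVE-\d{4}-\d+)"')


@dataclass
class Entry:
    cve: str
    patched_in: Optional[Tuple[int, int]]            # mainline series carrying the fix
    backports: Dict[str, Tuple[int, Optional[str]]]  # "5.15" -> (patch level, sha)
    missing_sha: List[str]                           # backport lines lacking a commit id


def parse_exclusions(text: str) -> List[Entry]:
    """Group the comment lines preceding each CVE_CHECK_IGNORE into an Entry."""
    entries: List[Entry] = []
    patched: Optional[Tuple[int, int]] = None
    backports: Dict[str, Tuple[int, Optional[str]]] = {}
    missing: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := PATCHED_RE.match(line):
            patched = (int(m.group(1)), int(m.group(2)))
        elif m := BACKPORT_RE.match(line):
            major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
            backports[f"{major}.{minor}"] = (patch, m.group(4))
            if m.group(4) is None:
                missing.append(f"{major}.{minor}.{patch}")
        elif m := IGNORE_RE.match(line):
            entries.append(Entry(m.group(1), patched, backports, missing))
            patched, backports, missing = None, {}, []   # fresh state for next entry
    return entries


def audit(entries: List[Entry], shipped: List[str]) -> Dict[str, Dict[str, str]]:
    """For each CVE and shipped version, say whether the recorded fix is present.

    'fixed'                -> stable tree at or past the recorded backport, or the
                              series is at or past the mainline fix
    'not-yet-in-stable'    -> a backport exists for the series but is newer than
                              what is shipped, so the ignore hides a live issue
    'no-backport-recorded' -> nothing in the comments justifies ignoring the CVE
                              for this series
    """
    report: Dict[str, Dict[str, str]] = {}
    for e in entries:
        verdicts: Dict[str, str] = {}
        for ver in shipped:
            major, minor, patch = (int(x) for x in ver.split("."))
            series = f"{major}.{minor}"
            if series in e.backports:
                needed, _sha = e.backports[series]
                verdicts[ver] = "fixed" if patch >= needed else "not-yet-in-stable"
            elif e.patched_in is not None and (major, minor) >= e.patched_in:
                verdicts[ver] = "fixed"
            else:
                verdicts[ver] = "no-backport-recorded"
        report[e.cve] = verdicts
    return report


def problems(entries: List[Entry], shipped: List[str]) -> List[str]:
    """Flatten the audit into findings; an empty list means every entry is justified."""
    findings = []
    for e in entries:
        for ver in e.missing_sha:
            findings.append(f"{e.cve}: backport line for {ver} has no commit id")
    for cve, verdicts in audit(entries, shipped).items():
        for ver, verdict in verdicts.items():
            if verdict != "fixed":
                findings.append(f"{cve}: {ver} is {verdict}")
    return findings


if __name__ == "__main__":
    for finding in problems(parse_exclusions(SAMPLE_INC), SHIPPED):
        print(finding)
```

Run against the sample it reports the bare 5.10.166 line, the absence of any 5.10 justification for CVE-2023-0461 and CVE-2023-1077, and that a 5.15.98 kernel would still lack the CVE-2023-1077 backport that landed in 5.15.99; an entry whose every shipped series is at or past its recorded backport produces no finding. Pointing it at the real cve-extra-exclusions.inc and the linux-yocto versions in a layer gives the same per-series check the thread does by hand.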