[1/2] linux-yocto: extract generic kernel CVE_STATUS

Message ID	20230807162807.4037215-1-ross.burton@arm.com
State	Accepted, archived
Commit	d8656d9d4dfcaef6b492f5bf4cb003f16d7a3a4b
Headers	show Return-Path: <ross.burton@arm.com> ip: 217.140.110.172, mailfrom: ross.burton@arm.com) From: ross.burton@arm.com To: openembedded-core@lists.openembedded.org Cc: rybczynska@gmail.com Subject: [PATCH 1/2] linux-yocto: extract generic kernel CVE_STATUS Date: Mon, 7 Aug 2023 17:28:06 +0100 Message-Id: <20230807162807.4037215-1-ross.burton@arm.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable
Series	[1/2] linux-yocto: extract generic kernel CVE_STATUS \| expand [1/2] linux-yocto: extract generic kernel CVE_STATUS [2/2] linux-yocto: add script to generate kernel CVE_STATUS entries

Message ID

20230807162807.4037215-1-ross.burton@arm.com

State

Accepted, archived

Commit

d8656d9d4dfcaef6b492f5bf4cb003f16d7a3a4b

Headers

From: ross.burton@arm.com
To: openembedded-core@lists.openembedded.org
Cc: rybczynska@gmail.com
Subject: [PATCH 1/2] linux-yocto: extract generic kernel CVE_STATUS
Date: Mon,  7 Aug 2023 17:28:06 +0100
Message-Id: <20230807162807.4037215-1-ross.burton@arm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Series

[1/2] linux-yocto: extract generic kernel CVE_STATUS | expand

Commit Message

Ross Burton Aug. 7, 2023, 4:28 p.m. UTC

From: Ross Burton <ross.burton@arm.com>

Some of the CVE_STATUS assignments are not specific to the version, so
move them to an unversioned file and include it in the recipes.

For example: some CVEs are disputed, or are specific to other
distributions.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/recipes-kernel/linux/cve-exclusion.inc  | 10 ++++++++++
 meta/recipes-kernel/linux/linux-yocto_6.1.bb |  1 +
 meta/recipes-kernel/linux/linux-yocto_6.4.bb |  1 +
 3 files changed, 12 insertions(+)
 create mode 100644 meta/recipes-kernel/linux/cve-exclusion.inc

diff --git a/meta/recipes-kernel/linux/cve-exclusion.inc b/meta/recipes-kernel/linux/cve-exclusion.inc
new file mode 100644
index 00000000000..42f1c195c9a
--- /dev/null
+++ b/meta/recipes-kernel/linux/cve-exclusion.inc
@@ -0,0 +1,10 @@ 
+CVE_STATUS[CVE-2018-6559] = "not-applicable-platform: Issue only affects Ubuntu"
+
+CVE_STATUS[CVE-2020-11935] = "not-applicable-config: Issue only affects aufs, which is not in linux-yocto"
+
+# Introduced in version v6.1 7b88bda3761b95856cf97822efe8281c8100067b
+# Patched in kernel since v6.2 4a625ceee8a0ab0273534cb6b432ce6b331db5ee
+# But, the CVE is disputed:
+CVE_STATUS[CVE-2023-23005] = "disputed: There are no realistic cases \
+in which a user can cause the alloc_memory_type error case to be reached. \
+See: https://bugzilla.suse.com/show_bug.cgi?id=1208844#c2"
diff --git a/meta/recipes-kernel/linux/linux-yocto_6.1.bb b/meta/recipes-kernel/linux/linux-yocto_6.1.bb
index a76d2dc4047..820475a9cf0 100644
--- a/meta/recipes-kernel/linux/linux-yocto_6.1.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_6.1.bb
@@ -3,6 +3,7 @@  KBRANCH ?= "v6.1/standard/base"
 require recipes-kernel/linux/linux-yocto.inc
 
 # CVE exclusions
+include recipes-kernel/linux/cve-exclusion.inc
 include recipes-kernel/linux/cve-exclusion_6.1.inc
 
 # board specific branches
diff --git a/meta/recipes-kernel/linux/linux-yocto_6.4.bb b/meta/recipes-kernel/linux/linux-yocto_6.4.bb
index 443a89cc1ef..3a510fd168b 100644
--- a/meta/recipes-kernel/linux/linux-yocto_6.4.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_6.4.bb
@@ -3,6 +3,7 @@  KBRANCH ?= "v6.4/standard/base"
 require recipes-kernel/linux/linux-yocto.inc
 
 # CVE exclusions
+include recipes-kernel/linux/cve-exclusion.inc
 include recipes-kernel/linux/cve-exclusion_6.4.inc
 
 # board specific branches