Message ID | 20230901090208.3242013-1-changqing.li@windriver.com
---|---
State | Accepted, archived
Commit | 34874433c1e6c9e21d45d9ba686e4bb15479659d
Series | sqlite3: set CVE_STATUS for CVE-2023-36191
-----Original Message----- From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Changqing Li via lists.openembedded.org Sent: Friday, September 1, 2023 11:02 To: openembedded-core@lists.openembedded.org Subject: [OE-core] [PATCH] sqlite3: set CVE_STATUS for CVE-2023-36191 > From: Changqing Li <changqing.li@windriver.com> > > The error is a bug. It has been fixed upstream. But it is not a vulnerability. You may safely ignore the CVE. > > Refer: > [1] https://www.sqlite.org/forum/forumpost/19f55ef73b > > Signed-off-by: Changqing Li <changqing.li@windriver.com> > --- > meta/recipes-support/sqlite/sqlite3_3.42.0.bb | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/meta/recipes-support/sqlite/sqlite3_3.42.0.bb b/meta/recipes-support/sqlite/sqlite3_3.42.0.bb > index 8783f620f4..b37644580c 100644 > --- a/meta/recipes-support/sqlite/sqlite3_3.42.0.bb > +++ b/meta/recipes-support/sqlite/sqlite3_3.42.0.bb > @@ -6,3 +6,5 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0 > SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz" > SRC_URI[sha256sum] = "7abcfd161c6e2742ca5c6c0895d1f853c940f203304a0b49da4e1eca5d088ca6" > > +CVE_STATUS[CVE-2023-36191] = "The error is a bug. It has been fixed upstream. But it is not a vulnerability" This is wrong format since it's missing CVE status map prefix. It needs to be something like: CVE_STATUS[CVE-2023-36191] = "disputed: The error is a bug. It has been fixed upstream. But it is not a vulnerability" Also since this CVE is reported in NVD DB for 3.40.1 only, this CVE exclusion is not needed for 3.42.0 recipe. > + > -- > 2.25.1
On 9/1/23 17:21, Marko, Peter wrote: > CAUTION: This email comes from a non Wind River email account! > Do not click links or open attachments unless you recognize the sender and know the content is safe. > > -----Original Message----- > From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Changqing Li via lists.openembedded.org > Sent: Friday, September 1, 2023 11:02 > To: openembedded-core@lists.openembedded.org > Subject: [OE-core] [PATCH] sqlite3: set CVE_STATUS for CVE-2023-36191 > >> From: Changqing Li <changqing.li@windriver.com> >> >> The error is a bug. It has been fixed upstream. But it is not a vulnerability. You may safely ignore the CVE. >> >> Refer: >> [1] https://www.sqlite.org/forum/forumpost/19f55ef73b >> >> Signed-off-by: Changqing Li <changqing.li@windriver.com> >> --- >> meta/recipes-support/sqlite/sqlite3_3.42.0.bb | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/meta/recipes-support/sqlite/sqlite3_3.42.0.bb b/meta/recipes-support/sqlite/sqlite3_3.42.0.bb >> index 8783f620f4..b37644580c 100644 >> --- a/meta/recipes-support/sqlite/sqlite3_3.42.0.bb >> +++ b/meta/recipes-support/sqlite/sqlite3_3.42.0.bb 
>> @@ -6,3 +6,5 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0 >> SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz" >> SRC_URI[sha256sum] = "7abcfd161c6e2742ca5c6c0895d1f853c940f203304a0b49da4e1eca5d088ca6" >> >> +CVE_STATUS[CVE-2023-36191] = "The error is a bug. It has been fixed upstream. But it is not a vulnerability" > This is wrong format since it's missing CVE status map prefix. > It needs to be something like: > CVE_STATUS[CVE-2023-36191] = "disputed: The error is a bug. It has been fixed upstream. But it is not a vulnerability" Thanks for pointing out this. > > Also since this CVE is reported in NVD DB for 3.40.1 only, this CVE exclusion is not needed for 3.42.0 recipe. NVD DB is not 100% correct. The problematic code also exist in 3.42.0, if this is an real CVE, it will also influence 3.42.0. So I will send an V2 with fix of above comments. we can drop this setting after the sqlite3 is upgrade to the version with the bug fix. Regards Changqing > >> + >> -- >> 2.25.1
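The format problem discussed above (a CVE_STATUS value that carries a free-text reason but no status keyword before it) is the kind of defect a small recipe lint catches before a patch reaches the list. The checker below is an added example; it is neither part of this patch nor OE-core's own cve-check class. It parses `CVE_STATUS[...] = "..."` assignments from recipe text and flags values whose token before the first colon is not a known status, or whose reason is empty. Only `disputed` appears in the thread; the rest of the keyword set is assumed from cve-check.bbclass as I know it and should be compared against the class in the release you use. The sample recipe text is constructed from the lines visible in the patch.

```python
import re

# Status keywords accepted as CVE_STATUS prefixes. "disputed" is the one named
# in the thread; the others are an assumption taken from my reading of
# cve-check.bbclass (CVE_CHECK_STATUSMAP) and must be verified against the
# class actually in use.
KNOWN_STATUSES = {
    "backported-patch", "cpe-incorrect", "cpe-stable-backport",
    "fixed-version", "fix-file-included", "disputed",
    "not-applicable-config", "not-applicable-platform",
    "upstream-wontfix", "unpatched",
}

# Matches one CVE_STATUS flag assignment: CVE_STATUS[CVE-YYYY-NNNN] = "value"
CVE_STATUS_RE = re.compile(
    r'^\s*CVE_STATUS\[(?P<cve>CVE-\d{4}-\d{4,})\]\s*=\s*"(?P<value>[^"]*)"\s*$'
)

# The line from the patch as posted (missing its status prefix) and the form
# suggested in review. Constructed sample input for this example.
BAD_LINE = ('CVE_STATUS[CVE-2023-36191] = "The error is a bug. It has been '
            'fixed upstream. But it is not a vulnerability"')
GOOD_LINE = ('CVE_STATUS[CVE-2023-36191] = "disputed: The error is a bug. It has '
             'been fixed upstream. But it is not a vulnerability"')

# Constructed recipe fragment mirroring the hunk in the patch.
SAMPLE_RECIPE = """\
SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz"
SRC_URI[sha256sum] = "7abcfd161c6e2742ca5c6c0895d1f853c940f203304a0b49da4e1eca5d088ca6"

CVE_STATUS[CVE-2023-36191] = "The error is a bug. It has been fixed upstream. But it is not a vulnerability"
"""


def check_cve_status_line(line):
    """Inspect one recipe line.

    Returns None when the line is not a CVE_STATUS assignment, otherwise a
    tuple (cve, status, reason, problem) where problem is None if the value
    is well formed.
    """
    m = CVE_STATUS_RE.match(line)
    if not m:
        return None
    cve, value = m.group("cve"), m.group("value")
    # The status keyword is everything before the first colon; splitting on the
    # first colon keeps URLs inside the reason intact.
    status, sep, reason = value.partition(":")
    status, reason = status.strip(), reason.strip()
    if not sep or status not in KNOWN_STATUSES:
        return (cve, None, value.strip(), "missing or unknown status prefix")
    if not reason:
        return (cve, status, "", "empty reason")
    return (cve, status, reason, None)


def lint_recipe(text):
    """Return [(line_number, cve, problem)] for every malformed CVE_STATUS line."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        result = check_cve_status_line(line)
        if result is not None and result[3] is not None:
            problems.append((lineno, result[0], result[3]))
    return problems


if __name__ == "__main__":
    for lineno, cve, problem in lint_recipe(SAMPLE_RECIPE):
        print(f"line {lineno}: {cve}: {problem}")
    print("corrected form:", check_cve_status_line(GOOD_LINE))
```

Run it on a recipe file's contents and every flagged line is one where cve-check would not map the entry to a Patched/Ignored/Unpatched state as intended; the corrected line from the review passes because `disputed` is a recognised prefix and the reason after the colon is non-empty.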
diff --git a/meta/recipes-support/sqlite/sqlite3_3.42.0.bb b/meta/recipes-support/sqlite/sqlite3_3.42.0.bb index 8783f620f4..b37644580c 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.42.0.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.42.0.bb @@ -6,3 +6,5 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0 SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz" SRC_URI[sha256sum] = "7abcfd161c6e2742ca5c6c0895d1f853c940f203304a0b49da4e1eca5d088ca6" +CVE_STATUS[CVE-2023-36191] = "The error is a bug. It has been fixed upstream. But it is not a vulnerability" +
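Review bot: the added `+CVE_STATUS[CVE-2023-36191] = "The error is a bug. ..."` line has no status keyword before the reason text, so cve-check cannot map it to a state; as the review reply says, it needs the form `CVE_STATUS[CVE-2023-36191] = "disputed: The error is a bug. It has been fixed upstream. But it is not a vulnerability"`. The reason string should also carry the upstream reference given only in the commit message (https://www.sqlite.org/forum/forumpost/19f55ef73b), since an Ignored status removes the CVE from this recipe's cve-check report and whoever re-audits the entry later needs to verify the claim without consulting git history. The second `+` line adds a trailing empty line to the recipe and should be dropped. Lastly, the applicability question raised in the thread (NVD lists 3.40.1 only, while the author states the affected code is also in 3.42.0) belongs in the reason text as well, so the entry can be removed deliberately once the recipe is upgraded to a release with the upstream fix.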