
sqlite3: set CVE_STATUS for CVE-2023-36191

Message ID 20230901090208.3242013-1-changqing.li@windriver.com
State Accepted, archived
Commit 34874433c1e6c9e21d45d9ba686e4bb15479659d

Commit Message

Changqing Li Sept. 1, 2023, 9:02 a.m. UTC
From: Changqing Li <changqing.li@windriver.com>

The error is a bug. It has been fixed upstream. But it is not a
vulnerability. You may safely ignore the CVE.

Refer:
[1] https://www.sqlite.org/forum/forumpost/19f55ef73b

Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
 meta/recipes-support/sqlite/sqlite3_3.42.0.bb | 2 ++
 1 file changed, 2 insertions(+)

Comments

Marko, Peter Sept. 1, 2023, 9:21 a.m. UTC | #1
-----Original Message-----
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Changqing Li via lists.openembedded.org
Sent: Friday, September 1, 2023 11:02
To: openembedded-core@lists.openembedded.org
Subject: [OE-core] [PATCH] sqlite3: set CVE_STATUS for CVE-2023-36191

> From: Changqing Li <changqing.li@windriver.com>
>
> The error is a bug. It has been fixed upstream. But it is not a vulnerability. You may safely ignore the CVE.
>
> Refer:
> [1] https://www.sqlite.org/forum/forumpost/19f55ef73b
>
> Signed-off-by: Changqing Li <changqing.li@windriver.com>
> ---
>  meta/recipes-support/sqlite/sqlite3_3.42.0.bb | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-support/sqlite/sqlite3_3.42.0.bb b/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
> index 8783f620f4..b37644580c 100644
> --- a/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
> +++ b/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
> @@ -6,3 +6,5 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
>  SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz"
>  SRC_URI[sha256sum] = "7abcfd161c6e2742ca5c6c0895d1f853c940f203304a0b49da4e1eca5d088ca6"
>  
> +CVE_STATUS[CVE-2023-36191] = "The error is a bug. It has been fixed upstream. But it is not a vulnerability"

This is the wrong format since it's missing the CVE status map prefix.
It needs to be something like:
CVE_STATUS[CVE-2023-36191] = "disputed: The error is a bug. It has been fixed upstream. But it is not a vulnerability"

Also, since this CVE is reported in the NVD DB for 3.40.1 only, this CVE exclusion is not needed for the 3.42.0 recipe.

> +
> --
> 2.25.1
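To make the format point concrete, the following is an added example (not OE-core's code and not part of this thread) that mimics how cve-check splits a CVE_STATUS value on its first ':' and looks the keyword up in a status map. The keyword map and the parsing are assumptions modelled on OE-core's cve-check-map.conf and cve-check.bbclass, not taken from this page; the recipe fragments are constructed from the two forms quoted above.

```python
import re

# Assumed status map (modelled on OE-core's cve-check-map.conf; not from the page):
# keyword before the ':' -> how cve-check reports the CVE.
CVE_CHECK_STATUSMAP = {
    "cpe-stable-backport": "Patched",
    "backported-patch": "Patched",
    "fixed-version": "Patched",
    "not-applicable-config": "Ignored",
    "not-applicable-platform": "Ignored",
    "disputed": "Ignored",
    "upstream-wontfix": "Ignored",
    "ignored": "Ignored",
}

# Matches a BitBake varflag assignment: CVE_STATUS[CVE-YYYY-NNNN] = "keyword: reason"
_CVE_STATUS_RE = re.compile(r'^\s*CVE_STATUS\[(CVE-\d{4}-\d+)\]\s*=\s*"([^"]*)"\s*$')


def decode_cve_status(value):
    """Return (report status, keyword, description) for one CVE_STATUS value.

    Everything before the first ':' is the keyword. With no prefix, the whole
    explanation becomes the keyword, is not in the map, and the CVE stays
    Unpatched, so the exclusion has no effect.
    """
    keyword, _, description = value.partition(":")
    keyword = keyword.strip()
    status = CVE_CHECK_STATUSMAP.get(keyword, "Unpatched")
    return (status, keyword, description.strip())


def check_recipe(text):
    """Map every CVE referenced by a CVE_STATUS line in a recipe fragment."""
    results = {}
    for line in text.splitlines():
        m = _CVE_STATUS_RE.match(line)
        if m:
            results[m.group(1)] = decode_cve_status(m.group(2))
    return results


# Constructed fragments: the line as posted in the patch, and the corrected form.
AS_POSTED = 'CVE_STATUS[CVE-2023-36191] = "The error is a bug. It has been fixed upstream. But it is not a vulnerability"'
CORRECTED = 'CVE_STATUS[CVE-2023-36191] = "disputed: The error is a bug. It has been fixed upstream. But it is not a vulnerability"'

if __name__ == "__main__":
    for label, frag in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        status, keyword, _ = check_recipe(frag)["CVE-2023-36191"]
        print(f"{label:10s} -> {status} (keyword {keyword!r})")
```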
Changqing Li Sept. 4, 2023, 1:44 a.m. UTC | #2
On 9/1/23 17:21, Marko, Peter wrote:
>
> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Changqing Li via lists.openembedded.org
> Sent: Friday, September 1, 2023 11:02
> To: openembedded-core@lists.openembedded.org
> Subject: [OE-core] [PATCH] sqlite3: set CVE_STATUS for CVE-2023-36191
>
>> From: Changqing Li <changqing.li@windriver.com>
>>
>> The error is a bug. It has been fixed upstream. But it is not a vulnerability. You may safely ignore the CVE.
>>
>> Refer:
>> [1] https://www.sqlite.org/forum/forumpost/19f55ef73b
>>
>> Signed-off-by: Changqing Li <changqing.li@windriver.com>
>> ---
>>   meta/recipes-support/sqlite/sqlite3_3.42.0.bb | 2 ++
>>   1 file changed, 2 insertions(+)
>>
>> diff --git a/meta/recipes-support/sqlite/sqlite3_3.42.0.bb b/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
>> index 8783f620f4..b37644580c 100644
>> --- a/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
>> +++ b/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
>> @@ -6,3 +6,5 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
>>   SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz"
>>   SRC_URI[sha256sum] = "7abcfd161c6e2742ca5c6c0895d1f853c940f203304a0b49da4e1eca5d088ca6"
>>
>> +CVE_STATUS[CVE-2023-36191] = "The error is a bug. It has been fixed upstream. But it is not a vulnerability"
> This is the wrong format since it's missing the CVE status map prefix.
> It needs to be something like:
> CVE_STATUS[CVE-2023-36191] = "disputed: The error is a bug. It has been fixed upstream. But it is not a vulnerability"
Thanks for pointing this out.
>
> Also, since this CVE is reported in the NVD DB for 3.40.1 only, this CVE exclusion is not needed for the 3.42.0 recipe.

The NVD DB is not 100% correct. The problematic code also exists in 3.42.0;
if this is a real CVE, it will also affect 3.42.0.

So I will send a V2 with fixes for the above comments. We can drop this
setting after sqlite3 is upgraded to the version with the bug fix.


Regards

Changqing

>
>> +
>> --
>> 2.25.1

Patch

diff --git a/meta/recipes-support/sqlite/sqlite3_3.42.0.bb b/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
index 8783f620f4..b37644580c 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
@@ -6,3 +6,5 @@  LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
 SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz"
 SRC_URI[sha256sum] = "7abcfd161c6e2742ca5c6c0895d1f853c940f203304a0b49da4e1eca5d088ca6"
 
+CVE_STATUS[CVE-2023-36191] = "The error is a bug. It has been fixed upstream. But it is not a vulnerability"
+
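Review bot: the value on the `+CVE_STATUS[CVE-2023-36191] = "The error is a bug. ..."` line has no status keyword before a colon, so, as the reviewer notes, it is not in the accepted CVE_STATUS format and the exclusion will not take effect; prefix the explanation with the status that applies, e.g. `CVE_STATUS[CVE-2023-36191] = "disputed: The error is a bug. It has been fixed upstream. But it is not a vulnerability"`. The second `+` line adds a stray blank line at the end of the recipe and should be dropped from the hunk.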