[v2,2/5] contributor-guide: recipe-style-guide: add section about CVE patches

Message ID 20230922100006.756477-2-rhi@pengutronix.de
State New
Series [v2,1/5] contributor-guide: recipe-style-guide: add more patch tagging examples

Commit Message

Roland Hieber Sept. 22, 2023, 10 a.m. UTC
This was previously included in the OpenEmbedded wiki page [1], but was
not ported along with the rest in commit 95c9a1e1e78bbfb82ade
(2023-09-12, Michael Opdenacker: "contributor-guide: recipe-style-guide:
add Upstream-Status").

  [1]: https://www.openembedded.org/index.php?title=Commit_Patch_Message_Guidelines&oldid=10935

Group the examples in their own sections (but name it differently from
any other section in this document so that sphinx doesn't generate a
warning about duplicate labels).

Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
PATCH v2:
 * reorder after the patch adding the general patch examples
 * put CVE examples into their own subsection
 * propagate CVE section one section level higher
 * use ``literal`` instead of *emphasized* formatting for CVE tag

PATCH v1: https://lore.kernel.org/yocto-docs/20230920100647.1038583-1-rhi@pengutronix.de/
---
 .../contributor-guide/recipe-style-guide.rst  | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
Patch

diff --git a/documentation/contributor-guide/recipe-style-guide.rst b/documentation/contributor-guide/recipe-style-guide.rst
index 0a2a3581a77e..b574e6cb53a1 100644
--- a/documentation/contributor-guide/recipe-style-guide.rst
+++ b/documentation/contributor-guide/recipe-style-guide.rst
@@ -355,3 +355,28 @@  Here's a patch that has been backported from an upstream commit::
    include missing sys/file.h for LOCK_EX
 
    Upstream-Status: Backport [https://github.com/systemd/systemd/commit/ac8db36cbc26694ee94beecc8dca208ec4b5fd45]
+
+CVE patches
+===========
+
+In order to have a better control of vulnerabilities, patches that fix CVEs must
+contain a ``CVE:`` tag. This tag list all CVEs fixed by the patch. If more than
+one CVE is fixed, separate them using spaces.
+
+CVE Examples
+------------
+
+This should be the header of patch that fixes CVE-2015-8370 in GRUB2::
+
+   grub2: Fix CVE-2015-8370
+
+   [No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1286966
+
+   Back to 28; Grub2 Authentication
+
+   Two functions suffer from integer underflow fault; the grub_username_get() and grub_password_get()located in
+   grub-core/normal/auth.c and lib/crypto.c respectively. This can be exploited to obtain a Grub rescue shell.
+
+   Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/grub.git/commit/?id=451d80e52d851432e109771bb8febafca7a5f1f2]
+   CVE: CVE-2015-8370
+   Signed-off-by: Joe Developer <joe.developer@example.com>
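
Review bot: The rule in the first paragraph under "CVE patches" that multiple CVEs are separated by spaces has no matching example: the only sample header carries a single ``CVE: CVE-2015-8370`` line, so a reader cannot see the multi-CVE form the text requires. Consider adding a second sample header under "CVE Examples" that lists two identifiers on one ``CVE:`` line. Wording in the same hunk also needs a pass: "This tag list all CVEs" should be "This tag lists all CVEs", "have a better control of vulnerabilities" reads better as "have better control of vulnerabilities", "the header of patch" is missing an article, and "grub_password_get()located" in the sample description is missing a space.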