From patchwork Mon Oct 23 17:38:19 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 32800 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3BFFBC25B45 for ; Mon, 23 Oct 2023 17:38:33 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.127369.1698082705884606113 for ; Mon, 23 Oct 2023 10:38:25 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 9AC0E2F4; Mon, 23 Oct 2023 10:39:06 -0700 (PDT) Received: from oss-tx204.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 106AA3F762; Mon, 23 Oct 2023 10:38:24 -0700 (PDT) From: ross.burton@arm.com To: openembedded-core@lists.openembedded.org Cc: nd@arm.com Subject: [PATCH][master nanbield 1/4] libxml2: ignore disputed CVE-2023-45322 Date: Mon, 23 Oct 2023 18:38:19 +0100 Message-Id: <20231023173822.3476595-1-ross.burton@arm.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 23 Oct 2023 17:38:33 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/189626 
From: Ross Burton This CVE is a use-after-free which theoretically can be an exploit vector, but this UAF only occurs when malloc() fails. As it's unlikely that the user can orchestrate malloc() failures at just the place to break on _this_ malloc and not others it is disputed that this is actually a security issue. The underlying bug has been fixed, and will be incorporated into the next release. Signed-off-by: Ross Burton --- meta/recipes-core/libxml/libxml2_2.11.5.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-core/libxml/libxml2_2.11.5.bb b/meta/recipes-core/libxml/libxml2_2.11.5.bb index 4cf6dd09a9a..fc82912df25 100644 --- a/meta/recipes-core/libxml/libxml2_2.11.5.bb +++ b/meta/recipes-core/libxml/libxml2_2.11.5.bb 
@@ -21,6 +21,9 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt SRC_URI[archive.sha256sum] = "3727b078c360ec69fa869de14bd6f75d7ee8d36987b071e6928d4720a28df3a6" SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273" +# Disputed as a security issue, but fixed in d39f780 +CVE_STATUS[CVE-2023-45322] = "disputed: issue requires memory allocation to fail" + BINCONFIG = "${bindir}/xml2-config" PACKAGECONFIG ??= "python \ From patchwork Mon Oct 23 17:38:20 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 32799 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 582A8C25B46 for ; Mon, 23 Oct 2023 17:38:33 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web11.127611.1698082706546644282 for ; Mon, 23 Oct 2023 10:38:26 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 4F60BC15; Mon, 23 Oct 2023 10:39:07 -0700 (PDT) Received: from oss-tx204.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id B124A3F762; Mon, 23 Oct 2023 10:38:25 -0700 (PDT) 
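Review bot: the comment on the added `CVE_STATUS[CVE-2023-45322]` line cites the upstream fix only as the short hash `d39f780`, which is ambiguous across repositories and gives a later maintainer nothing to check against; since the commit message says the fix "will be incorporated into the next release", the comment should also name that release (or carry the full upstream commit URL) so the entry can be dropped, or switched to a fixed-version status, when the recipe is upgraded. The reason string "disputed: issue requires memory allocation to fail" matches the rationale in the commit message (a use-after-free reachable only on malloc() failure), so the status choice itself reads correctly.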
From: ross.burton@arm.com To: openembedded-core@lists.openembedded.org Cc: nd@arm.com Subject: [PATCH][master nanbield 2/4] zlib: ignore CVE-2023-45853 Date: Mon, 23 Oct 2023 18:38:20 +0100 Message-Id: <20231023173822.3476595-2-ross.burton@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231023173822.3476595-1-ross.burton@arm.com> References: <20231023173822.3476595-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 23 Oct 2023 17:38:33 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/189627 From: Ross Burton This CVE relates to a bug in the minizip tool, but we don't build that. Signed-off-by: Ross Burton --- meta/recipes-core/zlib/zlib_1.3.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-core/zlib/zlib_1.3.bb b/meta/recipes-core/zlib/zlib_1.3.bb index c8fd855ee67..1ed18172faa 100644 --- a/meta/recipes-core/zlib/zlib_1.3.bb +++ b/meta/recipes-core/zlib/zlib_1.3.bb 
@@ -45,3 +45,5 @@ do_install_ptest() { } BBCLASSEXTEND = "native nativesdk" + +CVE_STATUS[CVE-2023-45853] = "not-applicable-config: we don't build minizip" From patchwork Mon Oct 23 17:38:21 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 32801 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5F4ADC25B48 for ; Mon, 23 Oct 2023 17:38:33 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.127371.1698082707425674050 for ; Mon, 23 Oct 2023 10:38:27 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 04704FEC; Mon, 23 Oct 2023 10:39:08 -0700 (PDT) Received: from oss-tx204.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 66C193F762; Mon, 23 Oct 2023 10:38:26 -0700 (PDT) 
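Review bot: the added `CVE_STATUS[CVE-2023-45853] = "not-applicable-config: we don't build minizip"` line carries no comment explaining where in the recipe minizip is excluded, unlike the libxml2 change in the same series which documents its reasoning above the status line; a one-line comment pointing at what would have to change for minizip to be built (and therefore for this entry to become stale) would let a reviewer verify the claim without reading the whole recipe. Note also that because of the `BBCLASSEXTEND = "native nativesdk"` context line the status applies to the native and nativesdk variants as well, which is presumably intended but worth stating.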
From: ross.burton@arm.com To: openembedded-core@lists.openembedded.org Cc: nd@arm.com Subject: [PATCH][master nanbield 3/4] cve-check: sort the package list in the JSON report Date: Mon, 23 Oct 2023 18:38:21 +0100 Message-Id: <20231023173822.3476595-3-ross.burton@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231023173822.3476595-1-ross.burton@arm.com> References: <20231023173822.3476595-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 23 Oct 2023 17:38:33 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/189628 From: Ross Burton The JSON report generated by the cve-check class is basically a huge list of packages. This list of packages is, however, unsorted. To make things easier for people comparing the JSON, or more specifically for git when archiving the JSON over time in a git repository, we can sort the list by package name. Signed-off-by: Ross Burton --- meta/classes/cve-check.bbclass | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index b55f4299da3..5191d043030 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass 
@@ -138,6 +138,8 @@ def generate_json_report(d, out_path, link_path): cve_check_merge_jsons(summary, data) filename = f.readline() + summary["package"].sort(key=lambda d: d['name']) + with open(out_path, "w") as f: json.dump(summary, f, indent=2) From patchwork Mon Oct 23 17:38:22 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 32802 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6A59CC25B47 for ; Mon, 23 Oct 2023 17:38:33 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.127372.1698082707850629117 for ; Mon, 23 Oct 2023 10:38:27 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id AD6142F4; Mon, 23 Oct 2023 10:39:08 -0700 (PDT) Received: from oss-tx204.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 1B7E33F762; Mon, 23 Oct 2023 10:38:27 -0700 (PDT) 
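Review bot: in the added `summary["package"].sort(key=lambda d: d['name'])` the lambda parameter `d` shadows the datastore argument `d` of `generate_json_report(d, out_path, link_path)` shown in the hunk header; it is harmless inside the lambda but confusing in a class where `d` conventionally means the datastore, so rename it (e.g. `key=lambda pkg: pkg["name"]`), which also brings the quoting in line with the double quotes used on the surrounding `open(out_path, "w")` line. Sorting by name alone is stable in Python, so packages that appear more than once (the case the next patch in this series makes easier to diagnose) keep their merge order; if fully deterministic output is the goal for diffing the JSON in git, consider a secondary key as well.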
From: ross.burton@arm.com To: openembedded-core@lists.openembedded.org Cc: nd@arm.com Subject: [PATCH][master nanbield 4/4] cve-check: slightly more verbose warning when adding the same package twice Date: Mon, 23 Oct 2023 18:38:22 +0100 Message-Id: <20231023173822.3476595-4-ross.burton@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231023173822.3476595-1-ross.burton@arm.com> References: <20231023173822.3476595-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Mon, 23 Oct 2023 17:38:33 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/189629 From: Ross Burton Occasionally the cve-check tool will warn that it is adding the same package twice. Knowing what this package is might be the first step towards understanding where this message comes from. Signed-off-by: Ross Burton --- meta/lib/oe/cve_check.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index 3979d521d10..c0ab22d25ea 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py @@ -172,7 +172,7 @@ def cve_check_merge_jsons(output, data): for product in output["package"]: if product["name"] == data["package"][0]["name"]: - bb.error("Error adding the same package twice") + bb.error("Error adding the same package %s twice" % product["name"]) return output["package"].append(data["package"][0])
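Review bot: the reworded `bb.error("Error adding the same package %s twice" % product["name"])` still describes the symptom rather than the outcome: the `return` on the following context line means the second entry is silently dropped, not merged, so the message would be more useful if it said so (e.g. "Package %s already present in the report, ignoring duplicate"). Including the name is the right first step; since only `output` and `data` are available in `cve_check_merge_jsons`, the originating report file cannot be named here, so the caller that reads the file list would be the place to add that context if this warning keeps recurring.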