From patchwork Fri Nov 3 13:28:05 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 33561 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B6D2CC4332F for ; Fri, 3 Nov 2023 13:28:15 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.51798.1699018093823674747 for ; Fri, 03 Nov 2023 06:28:13 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id D920D2F4; Fri, 3 Nov 2023 06:28:55 -0700 (PDT) Received: from oss-tx204.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id AD0903F703; Fri, 3 Nov 2023 06:28:12 -0700 (PDT) From: ross.burton@arm.com To: openembedded-core@lists.openembedded.org Cc: nd@arm.com Subject: [PATCH][nanbield 1/7] linux-yocto: update CVE exclusions Date: Fri, 3 Nov 2023 13:28:05 +0000 Message-Id: <20231103132811.2074247-1-ross.burton@arm.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 03 Nov 2023 13:28:15 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/190154 From: Ross Burton Signed-off-by: Ross Burton --- .../linux/cve-exclusion_6.1.inc | 64 ++++++++++++++++--- .../linux/cve-exclusion_6.5.inc | 58 +++++++++++++++-- 2 files changed, 107 insertions(+), 15 deletions(-) 
diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc index 6af53b0d750..a8df51f321a 100644 --- a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc +++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc @@ -1,6 +1,6 @@ # Auto-generated CVE metadata, DO NOT EDIT BY HAND. -# Generated at 2023-10-14 12:24:32.747058+00:00 for version 6.1.57 +# Generated at 2023-11-03 13:24:16.070181+00:00 for version 6.1.57 python check_kernel_cve_status_version() { this_version = "6.1.57" @@ -3354,7 +3354,7 @@ CVE_STATUS[CVE-2020-27194] = "fixed-version: Fixed from version 5.9" CVE_STATUS[CVE-2020-2732] = "fixed-version: Fixed from version 5.6rc4" -# CVE-2020-27418 has no known resolution +CVE_STATUS[CVE-2020-27418] = "fixed-version: Fixed from version 5.6rc5" CVE_STATUS[CVE-2020-27673] = "fixed-version: Fixed from version 5.10rc1" @@ -4644,7 +4644,7 @@ CVE_STATUS[CVE-2023-1118] = "cpe-stable-backport: Backported in 6.1.16" CVE_STATUS[CVE-2023-1192] = "cpe-stable-backport: Backported in 6.1.33" -# CVE-2023-1193 has no known resolution +# CVE-2023-1193 needs backporting (fixed from 6.3rc6) CVE_STATUS[CVE-2023-1194] = "cpe-stable-backport: Backported in 6.1.34" @@ -4856,7 +4856,7 @@ CVE_STATUS[CVE-2023-3106] = "fixed-version: Fixed from version 4.8rc7" # CVE-2023-31084 needs backporting (fixed from 6.4rc3) -# CVE-2023-31085 has no known resolution +CVE_STATUS[CVE-2023-31085] = "cpe-stable-backport: Backported in 6.1.57" CVE_STATUS[CVE-2023-3111] = "fixed-version: Fixed from version 6.0rc2" @@ -4936,6 +4936,8 @@ CVE_STATUS[CVE-2023-34256] = "cpe-stable-backport: Backported in 6.1.29" CVE_STATUS[CVE-2023-34319] = "cpe-stable-backport: Backported in 6.1.44" +CVE_STATUS[CVE-2023-34324] = "cpe-stable-backport: Backported in 6.1.57" + CVE_STATUS[CVE-2023-3439] = "fixed-version: Fixed from version 5.18rc5" CVE_STATUS[CVE-2023-35001] = "cpe-stable-backport: Backported in 6.1.39" 
@@ -4952,7 +4954,7 @@ CVE_STATUS[CVE-2023-35824] = "cpe-stable-backport: Backported in 6.1.28" CVE_STATUS[CVE-2023-35826] = "cpe-stable-backport: Backported in 6.1.28" -# CVE-2023-35827 has no known resolution +# CVE-2023-35827 needs backporting (fixed from 6.1.59) CVE_STATUS[CVE-2023-35828] = "cpe-stable-backport: Backported in 6.1.28" @@ -5004,6 +5006,16 @@ CVE_STATUS[CVE-2023-3866] = "cpe-stable-backport: Backported in 6.1.36" CVE_STATUS[CVE-2023-3867] = "cpe-stable-backport: Backported in 6.1.40" +CVE_STATUS[CVE-2023-39189] = "cpe-stable-backport: Backported in 6.1.54" + +# CVE-2023-39191 needs backporting (fixed from 6.3rc1) + +CVE_STATUS[CVE-2023-39192] = "cpe-stable-backport: Backported in 6.1.53" + +CVE_STATUS[CVE-2023-39193] = "cpe-stable-backport: Backported in 6.1.53" + +CVE_STATUS[CVE-2023-39194] = "cpe-stable-backport: Backported in 6.1.47" + CVE_STATUS[CVE-2023-4004] = "cpe-stable-backport: Backported in 6.1.42" # CVE-2023-4010 has no known resolution @@ -5012,6 +5024,8 @@ CVE_STATUS[CVE-2023-4015] = "cpe-stable-backport: Backported in 6.1.43" CVE_STATUS[CVE-2023-40283] = "cpe-stable-backport: Backported in 6.1.45" +# CVE-2023-40791 needs backporting (fixed from 6.5rc6) + CVE_STATUS[CVE-2023-4128] = "cpe-stable-backport: Backported in 6.1.45" CVE_STATUS[CVE-2023-4132] = "cpe-stable-backport: Backported in 6.1.39" @@ -5032,7 +5046,7 @@ CVE_STATUS[CVE-2023-4207] = "cpe-stable-backport: Backported in 6.1.45" CVE_STATUS[CVE-2023-4208] = "cpe-stable-backport: Backported in 6.1.45" -# CVE-2023-4244 needs backporting (fixed from 6.5rc7) +CVE_STATUS[CVE-2023-4244] = "cpe-stable-backport: Backported in 6.1.56" CVE_STATUS[CVE-2023-4273] = "cpe-stable-backport: Backported in 6.1.45" 
@@ -5040,8 +5054,12 @@ CVE_STATUS[CVE-2023-42752] = "cpe-stable-backport: Backported in 6.1.53" CVE_STATUS[CVE-2023-42753] = "cpe-stable-backport: Backported in 6.1.53" +CVE_STATUS[CVE-2023-42754] = "cpe-stable-backport: Backported in 6.1.56" + CVE_STATUS[CVE-2023-42755] = "cpe-stable-backport: Backported in 6.1.55" +CVE_STATUS[CVE-2023-42756] = "fixed-version: only affects 6.4rc6 onwards" + CVE_STATUS[CVE-2023-4385] = "fixed-version: Fixed from version 5.19rc1" CVE_STATUS[CVE-2023-4387] = "fixed-version: Fixed from version 5.18" 
@@ -5050,23 +5068,51 @@ CVE_STATUS[CVE-2023-4389] = "fixed-version: Fixed from version 5.18rc3" CVE_STATUS[CVE-2023-4394] = "fixed-version: Fixed from version 6.0rc3" +CVE_STATUS[CVE-2023-44466] = "cpe-stable-backport: Backported in 6.1.40" + CVE_STATUS[CVE-2023-4459] = "fixed-version: Fixed from version 5.18" -# CVE-2023-4563 needs backporting (fixed from 6.5rc6) +CVE_STATUS[CVE-2023-4563] = "cpe-stable-backport: Backported in 6.1.56" CVE_STATUS[CVE-2023-4569] = "cpe-stable-backport: Backported in 6.1.47" +CVE_STATUS[CVE-2023-45862] = "cpe-stable-backport: Backported in 6.1.18" + +CVE_STATUS[CVE-2023-45863] = "cpe-stable-backport: Backported in 6.1.16" + +CVE_STATUS[CVE-2023-45871] = "cpe-stable-backport: Backported in 6.1.53" + +CVE_STATUS[CVE-2023-45898] = "fixed-version: only affects 6.5rc1 onwards" + +# CVE-2023-4610 needs backporting (fixed from 6.4) + CVE_STATUS[CVE-2023-4611] = "fixed-version: only affects 6.4rc1 onwards" # CVE-2023-4622 needs backporting (fixed from 6.5rc1) CVE_STATUS[CVE-2023-4623] = "cpe-stable-backport: Backported in 6.1.53" +# CVE-2023-46813 needs backporting (fixed from 6.1.60) + +# CVE-2023-46862 needs backporting (fixed from 6.6) + +CVE_STATUS[CVE-2023-4732] = "fixed-version: Fixed from version 5.14rc1" + CVE_STATUS[CVE-2023-4881] = "cpe-stable-backport: Backported in 6.1.54" CVE_STATUS[CVE-2023-4921] = "cpe-stable-backport: Backported in 6.1.54" -# CVE-2023-5158 has no known resolution +# CVE-2023-5090 needs backporting (fixed from 6.6rc7) + +CVE_STATUS[CVE-2023-5158] = "cpe-stable-backport: Backported in 6.1.57" + +# CVE-2023-5178 needs backporting (fixed from 6.1.60) + +CVE_STATUS[CVE-2023-5197] = "cpe-stable-backport: Backported in 6.1.56" + +CVE_STATUS[CVE-2023-5345] = "cpe-stable-backport: Backported in 6.1.56" + +# CVE-2023-5633 needs backporting (fixed from 6.6rc6) -# CVE-2023-5197 needs backporting (fixed from 6.6rc3) +# CVE-2023-5717 needs backporting (fixed from 6.1.60) 
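Review bot: the 6.1 file is regenerated "for version 6.1.57" yet four entries now read "needs backporting (fixed from 6.1.59)" or "(fixed from 6.1.60)" (CVE-2023-35827, CVE-2023-46813, CVE-2023-5178, CVE-2023-5717); those are point releases of the same 6.1 stable series, so a version bump of linux-yocto 6.1 picks them up, unlike the "fixed from 6.3rc6"/"6.6rc7" entries which need real backports. The commit message is empty; it should say the files were regenerated with the tooling (the header says DO NOT EDIT BY HAND) and list which CVEs remain open for 6.1.57 so the status of the stable recipe is visible from the log.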
diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.5.inc b/meta/recipes-kernel/linux/cve-exclusion_6.5.inc index dbcfdcd31c7..d48b0e14935 100644 --- a/meta/recipes-kernel/linux/cve-exclusion_6.5.inc +++ b/meta/recipes-kernel/linux/cve-exclusion_6.5.inc @@ -1,6 +1,6 @@ # Auto-generated CVE metadata, DO NOT EDIT BY HAND. -# Generated at 2023-10-14 12:24:32.683888+00:00 for version 6.5.7 +# Generated at 2023-11-03 13:24:25.010946+00:00 for version 6.5.7 python check_kernel_cve_status_version() { this_version = "6.5.7" @@ -3354,7 +3354,7 @@ CVE_STATUS[CVE-2020-27194] = "fixed-version: Fixed from version 5.9" CVE_STATUS[CVE-2020-2732] = "fixed-version: Fixed from version 5.6rc4" -# CVE-2020-27418 has no known resolution +CVE_STATUS[CVE-2020-27418] = "fixed-version: Fixed from version 5.6rc5" CVE_STATUS[CVE-2020-27673] = "fixed-version: Fixed from version 5.10rc1" @@ -4644,7 +4644,7 @@ CVE_STATUS[CVE-2023-1118] = "fixed-version: Fixed from version 6.3rc1" CVE_STATUS[CVE-2023-1192] = "fixed-version: Fixed from version 6.4rc1" -# CVE-2023-1193 has no known resolution +CVE_STATUS[CVE-2023-1193] = "fixed-version: Fixed from version 6.3rc6" CVE_STATUS[CVE-2023-1194] = "fixed-version: Fixed from version 6.4rc6" @@ -4856,7 +4856,7 @@ CVE_STATUS[CVE-2023-3106] = "fixed-version: Fixed from version 4.8rc7" CVE_STATUS[CVE-2023-31084] = "fixed-version: Fixed from version 6.4rc3" -# CVE-2023-31085 has no known resolution +# CVE-2023-31085 needs backporting (fixed from 6.6rc5) CVE_STATUS[CVE-2023-3111] = "fixed-version: Fixed from version 6.0rc2" @@ -4936,6 +4936,8 @@ CVE_STATUS[CVE-2023-34256] = "fixed-version: Fixed from version 6.4rc2" CVE_STATUS[CVE-2023-34319] = "fixed-version: Fixed from version 6.5rc6" +# CVE-2023-34324 needs backporting (fixed from 6.6rc6) + CVE_STATUS[CVE-2023-3439] = "fixed-version: Fixed from version 5.18rc5" CVE_STATUS[CVE-2023-35001] = "fixed-version: Fixed from version 6.5rc2" 
@@ -4952,7 +4954,7 @@ CVE_STATUS[CVE-2023-35824] = "fixed-version: Fixed from version 6.4rc1" CVE_STATUS[CVE-2023-35826] = "fixed-version: Fixed from version 6.4rc1" -# CVE-2023-35827 has no known resolution +# CVE-2023-35827 needs backporting (fixed from 6.6rc6) CVE_STATUS[CVE-2023-35828] = "fixed-version: Fixed from version 6.4rc1" @@ -5004,6 +5006,16 @@ CVE_STATUS[CVE-2023-3866] = "fixed-version: Fixed from version 6.4" CVE_STATUS[CVE-2023-3867] = "fixed-version: Fixed from version 6.5rc1" +# CVE-2023-39189 needs backporting (fixed from 6.6rc1) + +CVE_STATUS[CVE-2023-39191] = "fixed-version: Fixed from version 6.3rc1" + +# CVE-2023-39192 needs backporting (fixed from 6.6rc1) + +# CVE-2023-39193 needs backporting (fixed from 6.6rc1) + +CVE_STATUS[CVE-2023-39194] = "fixed-version: Fixed from version 6.5rc7" + CVE_STATUS[CVE-2023-4004] = "fixed-version: Fixed from version 6.5rc3" # CVE-2023-4010 has no known resolution @@ -5012,6 +5024,8 @@ CVE_STATUS[CVE-2023-4015] = "fixed-version: Fixed from version 6.5rc4" CVE_STATUS[CVE-2023-40283] = "fixed-version: Fixed from version 6.5rc1" +CVE_STATUS[CVE-2023-40791] = "fixed-version: Fixed from version 6.5rc6" + CVE_STATUS[CVE-2023-4128] = "fixed-version: Fixed from version 6.5rc5" CVE_STATUS[CVE-2023-4132] = "fixed-version: Fixed from version 6.5rc1" @@ -5040,8 +5054,12 @@ CVE_STATUS[CVE-2023-4273] = "fixed-version: Fixed from version 6.5rc5" # CVE-2023-42753 needs backporting (fixed from 6.6rc1) +# CVE-2023-42754 needs backporting (fixed from 6.6rc3) + CVE_STATUS[CVE-2023-42755] = "fixed-version: Fixed from version 6.3rc1" +# CVE-2023-42756 needs backporting (fixed from 6.6rc3) + CVE_STATUS[CVE-2023-4385] = "fixed-version: Fixed from version 5.19rc1" CVE_STATUS[CVE-2023-4387] = "fixed-version: Fixed from version 5.18" 
@@ -5050,23 +5068,51 @@ CVE_STATUS[CVE-2023-4389] = "fixed-version: Fixed from version 5.18rc3" CVE_STATUS[CVE-2023-4394] = "fixed-version: Fixed from version 6.0rc3" +CVE_STATUS[CVE-2023-44466] = "fixed-version: Fixed from version 6.5rc2" + CVE_STATUS[CVE-2023-4459] = "fixed-version: Fixed from version 5.18" CVE_STATUS[CVE-2023-4563] = "fixed-version: Fixed from version 6.5rc6" CVE_STATUS[CVE-2023-4569] = "fixed-version: Fixed from version 6.5rc7" +CVE_STATUS[CVE-2023-45862] = "fixed-version: Fixed from version 6.3rc1" + +CVE_STATUS[CVE-2023-45863] = "fixed-version: Fixed from version 6.3rc1" + +# CVE-2023-45871 needs backporting (fixed from 6.6rc1) + +# CVE-2023-45898 needs backporting (fixed from 6.6rc1) + +CVE_STATUS[CVE-2023-4610] = "fixed-version: Fixed from version 6.4" + CVE_STATUS[CVE-2023-4611] = "fixed-version: Fixed from version 6.5rc4" CVE_STATUS[CVE-2023-4622] = "fixed-version: Fixed from version 6.5rc1" # CVE-2023-4623 needs backporting (fixed from 6.6rc1) +# CVE-2023-46813 needs backporting (fixed from 6.6rc7) + +# CVE-2023-46862 needs backporting (fixed from 6.6) + +CVE_STATUS[CVE-2023-4732] = "fixed-version: Fixed from version 5.14rc1" + # CVE-2023-4881 needs backporting (fixed from 6.6rc1) # CVE-2023-4921 needs backporting (fixed from 6.6rc1) -# CVE-2023-5158 has no known resolution +# CVE-2023-5090 needs backporting (fixed from 6.6rc7) + +# CVE-2023-5158 needs backporting (fixed from 6.6rc5) + +# CVE-2023-5178 needs backporting (fixed from 6.6rc7) # CVE-2023-5197 needs backporting (fixed from 6.6rc3) +# CVE-2023-5345 needs backporting (fixed from 6.6rc4) + +# CVE-2023-5633 needs backporting (fixed from 6.6rc6) + +# CVE-2023-5717 needs backporting (fixed from 6.6rc7) + From patchwork Fri Nov 3 13:28:06 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 33560 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on 
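A small reader for the generated cve-exclusion files touched above, added here as an example and not OE-core's own tooling: it parses the `CVE_STATUS[...]` assignments and the `needs backporting` / `has no known resolution` comment forms visible in the diff and reports which CVEs are still open for the recipe's version, separating same-series point-release fixes from ones that need a real backport. The sample input is a constructed excerpt in that format.

```python
"""Summarise which CVEs are still open for a linux-yocto recipe version,
read from a cve-exclusion_*.inc file in the format shown in the diff above.

Added example, not part of OE-core. The line formats handled are the ones
visible in the patch: CVE_STATUS assignments, "needs backporting" and
"has no known resolution" comments, and the "Generated at ... for version"
header. Everything else (blank lines, the python check function) is ignored.
"""
import re
from dataclasses import dataclass

HEADER_RE = re.compile(r"^# Generated at .+ for version (\S+)$")
STATUS_RE = re.compile(r'^CVE_STATUS\[(CVE-\d{4}-\d{4,})\]\s*=\s*"([^:"]+):\s*([^"]*)"$')
BACKPORT_RE = re.compile(r"^# (CVE-\d{4}-\d{4,}) needs backporting \(fixed from ([^)]+)\)$")
UNRESOLVED_RE = re.compile(r"^# (CVE-\d{4}-\d{4,}) has no known resolution$")


@dataclass(frozen=True)
class Entry:
    cve: str
    state: str   # "fixed-version", "cpe-stable-backport", "needs-backport", "unresolved", ...
    detail: str  # the CVE_STATUS description, or the version carrying the fix


def parse_exclusions(text):
    """Return (recipe_version, [Entry, ...]) for one cve-exclusion .inc file."""
    version = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            version = m.group(1)
        elif m := STATUS_RE.match(line):
            entries.append(Entry(m.group(1), m.group(2), m.group(3)))
        elif m := BACKPORT_RE.match(line):
            entries.append(Entry(m.group(1), "needs-backport", m.group(2)))
        elif m := UNRESOLVED_RE.match(line):
            entries.append(Entry(m.group(1), "unresolved", ""))
    return version, entries


def same_stable_series(recipe_version, fix_version):
    """True when fix_version is a point release of the recipe's own major.minor
    series (6.1.57 -> 6.1.60), so a plain version bump picks the fix up;
    False for mainline tags such as 6.3rc6 or 6.6, which need a real backport."""
    rv = recipe_version.split(".")
    fv = fix_version.split(".")
    return len(fv) == 3 and fv[:2] == rv[:2] and fv[2].isdigit()


def open_cves(recipe_version, entries):
    """CVEs the recipe version is still exposed to, grouped by what resolves them."""
    bump, backport, unresolved = [], [], []
    for e in entries:
        if e.state == "needs-backport":
            (bump if same_stable_series(recipe_version, e.detail) else backport).append(e)
        elif e.state == "unresolved":
            unresolved.append(e)
    return {"fixed-by-bump": bump, "needs-backport": backport, "unresolved": unresolved}


# Constructed excerpt in the format of cve-exclusion_6.1.inc (a few lines
# taken from the diff above, not the whole file).
SAMPLE_INC = """\
# Auto-generated CVE metadata, DO NOT EDIT BY HAND.
# Generated at 2023-11-03 13:24:16.070181+00:00 for version 6.1.57

CVE_STATUS[CVE-2020-27418] = "fixed-version: Fixed from version 5.6rc5"

# CVE-2023-1193 needs backporting (fixed from 6.3rc6)

CVE_STATUS[CVE-2023-31085] = "cpe-stable-backport: Backported in 6.1.57"

# CVE-2023-35827 needs backporting (fixed from 6.1.59)

# CVE-2023-4010 has no known resolution

CVE_STATUS[CVE-2023-42756] = "fixed-version: only affects 6.4rc6 onwards"

# CVE-2023-5717 needs backporting (fixed from 6.1.60)
"""

if __name__ == "__main__":
    ver, ents = parse_exclusions(SAMPLE_INC)
    for group, items in open_cves(ver, ents).items():
        print(group, [f"{e.cve} ({e.detail})" if e.detail else e.cve for e in items])
```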
aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B8B77C4167B for ; Fri, 3 Nov 2023 13:28:15 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.51799.1699018094161925348 for ; Fri, 03 Nov 2023 06:28:14 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 80AF9C15; Fri, 3 Nov 2023 06:28:56 -0700 (PDT) Received: from oss-tx204.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 565F73F703; Fri, 3 Nov 2023 06:28:13 -0700 (PDT) From: ross.burton@arm.com To: openembedded-core@lists.openembedded.org Cc: nd@arm.com Subject: [PATCH][nanbield 2/7] libxml2: ignore disputed CVE-2023-45322 Date: Fri, 3 Nov 2023 13:28:06 +0000 Message-Id: <20231103132811.2074247-2-ross.burton@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231103132811.2074247-1-ross.burton@arm.com> References: <20231103132811.2074247-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 03 Nov 2023 13:28:15 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/190155 
From: Ross Burton This CVE is a use-after-free which theoretically can be an exploit vector, but this UAF only occurs when malloc() fails. As it's unlikely that the user can orchestrate malloc() failures at just the place to break on _this_ malloc and not others it is disputed that this is actually a security issue. The underlying bug has been fixed, and will be incorporated into the next release. Signed-off-by: Ross Burton --- meta/recipes-core/libxml/libxml2_2.11.5.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-core/libxml/libxml2_2.11.5.bb b/meta/recipes-core/libxml/libxml2_2.11.5.bb index 4cf6dd09a9a..fc82912df25 100644 --- a/meta/recipes-core/libxml/libxml2_2.11.5.bb +++ b/meta/recipes-core/libxml/libxml2_2.11.5.bb 
@@ -21,6 +21,9 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt SRC_URI[archive.sha256sum] = "3727b078c360ec69fa869de14bd6f75d7ee8d36987b071e6928d4720a28df3a6" SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273" +# Disputed as a security issue, but fixed in d39f780 +CVE_STATUS[CVE-2023-45322] = "disputed: issue requires memory allocation to fail" + BINCONFIG = "${bindir}/xml2-config" PACKAGECONFIG ??= "python \ From patchwork Fri Nov 3 13:28:07 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 33563 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C5AA2C4167D for ; Fri, 3 Nov 2023 13:28:15 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.51800.1699018094813395211 for ; Fri, 03 Nov 2023 06:28:14 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 34CD41063; Fri, 3 Nov 2023 06:28:57 -0700 (PDT) Received: from oss-tx204.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id F369E3F703; Fri, 3 Nov 2023 06:28:13 -0700 (PDT) 
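Review bot: the comment cites the upstream fix only as the short hash d39f780; put the full upstream commit reference (or the release the commit message says will carry it) in the comment so the pointer stays resolvable and so it is clear when this CVE_STATUS line can be dropped on the next libxml2 upgrade. Since a fix does exist upstream, backporting it as a patch carrying the CVE id in its name or header would also let cve-check record it from the patch itself rather than via an ignore; the disputed status is defensible, but the reason string should then say the fix is pending rather than only that allocation must fail.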
From: ross.burton@arm.com To: openembedded-core@lists.openembedded.org Cc: nd@arm.com Subject: [PATCH][nanbield 3/7] zlib: ignore CVE-2023-45853 Date: Fri, 3 Nov 2023 13:28:07 +0000 Message-Id: <20231103132811.2074247-3-ross.burton@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231103132811.2074247-1-ross.burton@arm.com> References: <20231103132811.2074247-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 03 Nov 2023 13:28:15 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/190156 From: Ross Burton This CVE relates to a bug in the minizip tool, but we don't build that. Signed-off-by: Ross Burton --- meta/recipes-core/zlib/zlib_1.3.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-core/zlib/zlib_1.3.bb b/meta/recipes-core/zlib/zlib_1.3.bb index c8fd855ee67..1ed18172faa 100644 --- a/meta/recipes-core/zlib/zlib_1.3.bb +++ b/meta/recipes-core/zlib/zlib_1.3.bb 
@@ -45,3 +45,5 @@ do_install_ptest() { } BBCLASSEXTEND = "native nativesdk" + +CVE_STATUS[CVE-2023-45853] = "not-applicable-config: we don't build minizip" From patchwork Fri Nov 3 13:28:08 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 33562 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CAAA3C4708E for ; Fri, 3 Nov 2023 13:28:15 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web11.50983.1699018095542574755 for ; Fri, 03 Nov 2023 06:28:15 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id E09042F4; Fri, 3 Nov 2023 06:28:57 -0700 (PDT) Received: from oss-tx204.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id AD1293F703; Fri, 3 Nov 2023 06:28:14 -0700 (PDT) 
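Review bot: the status string asserts "we don't build minizip", but nothing in the visible recipe context enforces that; if a later change adds a PACKAGECONFIG or ptest that builds the minizip tool, the not-applicable-config justification silently becomes wrong. Add a short comment naming the build option the claim depends on, or place the CVE_STATUS line next to the configure/PACKAGECONFIG lines rather than after BBCLASSEXTEND at the end of the file, so whoever enables minizip sees it.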
From: ross.burton@arm.com To: openembedded-core@lists.openembedded.org Cc: nd@arm.com Subject: [PATCH][nanbield 4/7] pixman: ignore CVE-2023-37769 Date: Fri, 3 Nov 2023 13:28:08 +0000 Message-Id: <20231103132811.2074247-4-ross.burton@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231103132811.2074247-1-ross.burton@arm.com> References: <20231103132811.2074247-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 03 Nov 2023 13:28:15 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/190157 From: Ross Burton This issue relates to a floating point exception in stress-test, which is an unlikely security exploit at the best of times, but the test is not installed so isn't relevant. Signed-off-by: Ross Burton --- meta/recipes-graphics/xorg-lib/pixman_0.42.2.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-graphics/xorg-lib/pixman_0.42.2.bb b/meta/recipes-graphics/xorg-lib/pixman_0.42.2.bb index 98df6dab217..8a93f8c0fe3 100644 --- a/meta/recipes-graphics/xorg-lib/pixman_0.42.2.bb +++ b/meta/recipes-graphics/xorg-lib/pixman_0.42.2.bb 
@@ -41,3 +41,5 @@ EXTRA_OEMESON:append:armv7a = "${@bb.utils.contains("TUNE_FEATURES","neon",""," EXTRA_OEMESON:append:armv7ve = "${@bb.utils.contains("TUNE_FEATURES","neon",""," -Dneon=disabled",d)}" BBCLASSEXTEND = "native nativesdk" + +CVE_STATUS[CVE-2023-37769] = "not-applicable-config: stress-test is an uninstalled test" From patchwork Fri Nov 3 13:28:09 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 33564 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C5F59C4332F for ; Fri, 3 Nov 2023 13:28:25 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.51801.1699018096152442817 for ; Fri, 03 Nov 2023 06:28:16 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 9277EC15; Fri, 3 Nov 2023 06:28:58 -0700 (PDT) Received: from oss-tx204.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 5F2F33F703; Fri, 3 Nov 2023 06:28:15 -0700 (PDT) 
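Review bot: placement is inconsistent across the series: here and in the zlib patch the CVE_STATUS line is appended after BBCLASSEXTEND, while the libxml2 patch puts it beside SRC_URI; pick one convention. The description "stress-test is an uninstalled test" is the verifiable reason and is the right thing to record; the "unlikely security exploit at the best of times" remark in the commit message adds nothing to that, since the binary not being shipped is what makes the CVE not applicable.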
From: ross.burton@arm.com To: openembedded-core@lists.openembedded.org Cc: nd@arm.com Subject: [PATCH][nanbield 5/7] cve-check: sort the package list in the JSON report Date: Fri, 3 Nov 2023 13:28:09 +0000 Message-Id: <20231103132811.2074247-5-ross.burton@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231103132811.2074247-1-ross.burton@arm.com> References: <20231103132811.2074247-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 03 Nov 2023 13:28:25 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/190158 From: Ross Burton The JSON report generated by the cve-check class is basically a huge list of packages. This list of packages is, however, unsorted. To make things easier for people comparing the JSON, or more specifically for git when archiving the JSON over time in a git repository, we can sort the list by package name. Signed-off-by: Ross Burton --- meta/classes/cve-check.bbclass | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index b55f4299da3..5191d043030 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass 
@@ -138,6 +138,8 @@ def generate_json_report(d, out_path, link_path): cve_check_merge_jsons(summary, data) filename = f.readline() + summary["package"].sort(key=lambda d: d['name']) + with open(out_path, "w") as f: json.dump(summary, f, indent=2) From patchwork Fri Nov 3 13:28:10 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 33565 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CC6C3C0018A for ; Fri, 3 Nov 2023 13:28:25 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web11.50985.1699018096873388531 for ; Fri, 03 Nov 2023 06:28:16 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 4441F1063; Fri, 3 Nov 2023 06:28:59 -0700 (PDT) Received: from oss-tx204.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id 110833F703; Fri, 3 Nov 2023 06:28:15 -0700 (PDT) 
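Review bot: the lambda parameter `d` shadows the datastore argument `d` of generate_json_report(d, out_path, link_path); rename it, e.g. `summary["package"].sort(key=lambda p: p['name'])`. Sorting only the package list leaves each package's "issue" list in generation order, so if the goal is stable diffs when the JSON is archived in git (as the commit message says), sorting issues by id within each package would help as well. The sort also assumes every entry has a "name" key, which cve_check_merge_jsons already relies on, so that is fine.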
From: ross.burton@arm.com To: openembedded-core@lists.openembedded.org Cc: nd@arm.com Subject: [PATCH][nanbield 6/7] cve-check: slightly more verbose warning when adding the same package twice Date: Fri, 3 Nov 2023 13:28:10 +0000 Message-Id: <20231103132811.2074247-6-ross.burton@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231103132811.2074247-1-ross.burton@arm.com> References: <20231103132811.2074247-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 03 Nov 2023 13:28:25 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/190159 From: Ross Burton Occasionally the cve-check tool will warn that it is adding the same package twice. Knowing what this package is might be the first step towards understanding where this message comes from. Signed-off-by: Ross Burton --- meta/lib/oe/cve_check.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index 3979d521d10..c0ab22d25ea 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py 
@@ -172,7 +172,7 @@ def cve_check_merge_jsons(output, data): for product in output["package"]: if product["name"] == data["package"][0]["name"]: - bb.error("Error adding the same package twice") + bb.error("Error adding the same package %s twice" % product["name"]) return output["package"].append(data["package"][0]) From patchwork Fri Nov 3 13:28:11 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 33566 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id D4AA5C41535 for ; Fri, 3 Nov 2023 13:28:25 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.51803.1699018097545597793 for ; Fri, 03 Nov 2023 06:28:17 -0700 Authentication-Results: mx.groups.io; dkim=none (message not signed); spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: ross.burton@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id E18FE2F4; Fri, 3 Nov 2023 06:28:59 -0700 (PDT) Received: from oss-tx204.lab.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPA id B714C3F703; Fri, 3 Nov 2023 06:28:16 -0700 (PDT) 
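Review bot: the subject and commit message call this a warning, but the call is bb.error, and the early `return` then drops the second entry, so the merged report silently loses that package's issues; the commit message should say this is an error and that the duplicate's data is discarded. To make the source of the duplicate easier to find, include distinguishing fields of both entries (e.g. their versions, if the fragments carry one) in the message rather than only the shared name.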
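The merge step that patches 5/7 and 6/7 change, as an added example rather than the cve-check class's own code: it merges per-recipe JSON fragments, reports duplicates by name, sorts packages so the serialised report is independent of discovery order, and adds a semantic diff between two archived reports. `bb.error` is replaced by a collected error list so it runs outside bitbake, and the fragment fields other than `package` and `name` are constructed assumptions.

```python
"""Merging, sorting and comparing cve-check JSON reports.

Added example, not meta/lib/oe/cve_check.py or cve-check.bbclass. The
{"package": [{"name": ...}]} layout is the one the diff context shows; the
"version", "issue", "id" and "status" fields are constructed for the demo.
"""
import json


def merge_fragment(summary, data, errors):
    """Add the single package in `data` to `summary`; a duplicate name is
    reported (with the name, as in patch 6/7) and the entry is skipped."""
    new = data["package"][0]
    for product in summary["package"]:
        if product["name"] == new["name"]:
            # the real class calls bb.error here; collected instead so this runs stand-alone
            errors.append("Error adding the same package %s twice" % product["name"])
            return
    summary["package"].append(new)


def generate_report(fragments, errors):
    """fragments: per-recipe JSON strings in discovery order. Returns the
    serialised merged report with packages sorted by name (patch 5/7), so the
    text is identical whatever order the fragments were read in."""
    summary = {"version": "1", "package": []}
    for text in fragments:
        merge_fragment(summary, json.loads(text), errors)
    # the key parameter is named p, not d, so it is not confused with a datastore
    summary["package"].sort(key=lambda p: p["name"])
    return json.dumps(summary, indent=2)


def open_issues(report_json):
    """Set of (package, CVE id) pairs whose status is neither Patched nor Ignored."""
    closed = {"Patched", "Ignored"}
    return {(p["name"], i["id"])
            for p in json.loads(report_json)["package"]
            for i in p.get("issue", [])
            if i.get("status") not in closed}


def report_diff(old_json, new_json):
    """Which (package, CVE) pairs became open and which were closed between
    two archived reports; the semantic counterpart of a git diff of the JSON."""
    old, new = open_issues(old_json), open_issues(new_json)
    return {"newly_open": sorted(new - old), "closed": sorted(old - new)}


def _fragment(name, version, issues):
    # Constructed per-recipe fragment; only "package" and "name" are known from the diff.
    return json.dumps({"version": "1", "package": [
        {"name": name, "version": version,
         "issue": [{"id": cve, "status": status} for cve, status in issues]}]})


FRAG_ZLIB = _fragment("zlib", "1.3", [("CVE-2023-45853", "Unpatched")])
FRAG_ZLIB_IGNORED = _fragment("zlib", "1.3", [("CVE-2023-45853", "Ignored")])
FRAG_LIBXML2 = _fragment("libxml2", "2.11.5", [("CVE-2023-45322", "Ignored")])
FRAG_PIXMAN = _fragment("pixman", "0.42.2", [("CVE-2023-37769", "Unpatched")])


def demo():
    errors = []
    before = generate_report([FRAG_ZLIB, FRAG_LIBXML2, FRAG_PIXMAN], errors)
    reordered = generate_report([FRAG_PIXMAN, FRAG_ZLIB, FRAG_LIBXML2], errors)
    after = generate_report([FRAG_PIXMAN, FRAG_ZLIB_IGNORED, FRAG_LIBXML2], errors)
    dup_errors = []
    generate_report([FRAG_ZLIB, FRAG_ZLIB], dup_errors)
    return {
        "stable": before == reordered,
        "names": [p["name"] for p in json.loads(before)["package"]],
        "diff": report_diff(before, after),
        "dup_errors": dup_errors,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=list))
```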
From: ross.burton@arm.com To: openembedded-core@lists.openembedded.org Cc: nd@arm.com Subject: [PATCH][nanbield 7/7] cve-check: don't warn if a patch is remote Date: Fri, 3 Nov 2023 13:28:11 +0000 Message-Id: <20231103132811.2074247-7-ross.burton@arm.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231103132811.2074247-1-ross.burton@arm.com> References: <20231103132811.2074247-1-ross.burton@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 03 Nov 2023 13:28:25 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/190160 From: Ross Burton We don't make do_cve_check depend on do_unpack because that would be a waste of time 99% of the time. The compromise here is that we can't scan remote patches for issues, but this isn't a problem so downgrade the warning to a note. Also move the check for CVEs in the filename before the local file check so that even with remote patches, we still check for CVE references in the name. Signed-off-by: Ross Burton --- meta/lib/oe/cve_check.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index c0ab22d25ea..3fa77bf9a71 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py @@ -95,11 +95,6 @@ def get_patched_cves(d): for url in oe.patch.src_patches(d): patch_file = bb.fetch.decodeurl(url)[2] - # Remote compressed patches may not be unpacked, so silently ignore them - if not os.path.isfile(patch_file): - bb.warn("%s does not exist, cannot extract CVE list" % patch_file) - continue - # Check patch file name for CVE ID fname_match = cve_file_name_match.search(patch_file) if fname_match: 
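Review bot: with the existence check moved below, the filename regex now runs on every entry from oe.patch.src_patches(d), and for a remote patch `patch_file` from `bb.fetch.decodeurl(url)[2]` is the URL path, not an unpacked local file, so a CVE id in the remote name is recorded while the content is never scanned even when do_unpack has already run. The commit message states this ("we can't scan remote patches"), but a one-line comment above `fname_match` saying the name check deliberately covers remote URLs would stop the next reader from reinstating the early skip.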
@@ -107,6 +102,12 @@ def get_patched_cves(d): patched_cves.add(cve) bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file)) + # Remote patches won't be present and compressed patches won't be + # unpacked, so say we're not scanning them + if not os.path.isfile(patch_file): + bb.note("%s is remote or compressed, not scanning content" % patch_file) + continue + with open(patch_file, "r", encoding="utf-8") as f: try: patch_text = f.read()
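Review bot: `not os.path.isfile(patch_file)` also matches a local patch whose path is simply wrong, which previously produced a bb.warn and now produces a bb.note claiming the file "is remote or compressed"; consider checking the URL scheme (the first element of the bb.fetch.decodeurl tuple) so that only genuinely remote or compressed patches are downgraded to a note and a missing local file keeps the warning, otherwise a typo in SRC_URI hides a patch from CVE accounting without any visible warning.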