
List:       openembedded-core
Subject:    Re: [OE-core] [PATCH] tiff: Add jbig PACKAGECONFIG and clarify CVE-2022-1210
From:       "Richard Purdie" <richard.purdie () linuxfoundation ! org>
Date:       2022-05-31 14:27:37
Message-ID: c8bf274fe7b9abc3754b5be5b2b6b5cfe92b2603.camel () linuxfoundation ! org

On Tue, 2022-05-31 at 07:10 -0700, akuster wrote:
> 
> On 5/28/22 12:43, richard.purdie@linuxfoundation.org wrote:
> > On Sat, 2022-05-28 at 11:07 -0700, akuster wrote:
> > > On 5/28/22 03:05, Richard Purdie wrote:
> > > > We never depended upon libjbig so this was never present. Add the
> > > > PACKAGECONFIG to make this explicit.
> > > > 
> > > > CVE-2022-1210 is an issue in libjbig so we don't have a problem there,
> > > > mark as such.
> > > But what if I am a user or have a customer that needs that enabled? Now
> > > that issue is masked if I run the CVE checking tools, I will have a
> > > false sense of security.
> > > 
> > > I understand that Red Hat or SUSE can make statements like that as they
> > > provide installable binaries but for a Project that starts from build
> > > your own DISTRO, should the community take on this responsibility?
> > This is the same as any of the other decisions we make for
> > CVE_CHECK_IGNORE. If you bbappend and/or change the configs of recipes,
> > you need to do some further due diligence.
> > 
> > The fact there isn't a PACKAGECONFIG for it at least suggests it isn't
> > being used.
> Maybe.

I did check and there is no recipe for jbig2-kit in the layer index
which is what tiff would use. 

> > What is the alternative? We just list this as unpatched for OE-Core and
> > let everyone have to look it up for themselves?
> 
> The first two ideas that come to mind are:
> 1) Make the PACKAGECONFIG = CVE # and a note in the recipe to provide a 
> clue.
> 2) Create some sort of framework to warn if that pkg config is enabled.

I did document it in the recipe. The recipe name on the dependency the
PACKAGECONFIG would add will break as things stand too so I'd hope
someone would notice if they were trying to enable it.

Cheers,

Richard
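As an added illustration of the second idea discussed above (a check that warns when an ignored CVE rests on a PACKAGECONFIG option that a distro or bbappend has since enabled), this is example code, not from the thread and not OE-Core's own cve-check implementation. The CVE_CHECK_IGNORE_IF_DISABLED varflag, the minimal parser and the recipe fragment are assumptions constructed for the example.

```python
import re

# Constructed recipe fragment (not the real tiff recipe): the ignore entry
# records, via a hypothetical CVE_CHECK_IGNORE_IF_DISABLED varflag, which
# PACKAGECONFIG option its justification assumes to be off.
RECIPE = """
PACKAGECONFIG ??= "lzma webp zlib"
PACKAGECONFIG[jbig] = "--enable-jbig,--disable-jbig,jbig"
# CVE-2022-1210 is in libjbig, which is only linked when jbig is enabled.
CVE_CHECK_IGNORE += "CVE-2022-1210"
CVE_CHECK_IGNORE_IF_DISABLED[CVE-2022-1210] = "jbig"
"""

ASSIGN = re.compile(
    r'^(\w+)(?:\[([\w.-]+)\])?(:append)?\s*(\?\?=|\+=|=)\s*"([^"]*)"\s*$')

def parse_recipe(text):
    """Tiny stand-in for BitBake parsing: handles =, ??=, += and :append on
    quoted strings plus varflags; returns {name or name[flag]: value}."""
    vars_ = {}
    for line in text.splitlines():
        m = ASSIGN.match(line.strip())
        if not m:
            continue  # comments, blank lines and anything else are skipped
        name, flag, append, op, value = m.groups()
        key = f"{name}[{flag}]" if flag else name
        if append or op == "+=":
            vars_[key] = (vars_.get(key, "") + " " + value).strip()
        elif op == "??=" and key in vars_:
            continue  # weak default never overrides an existing value
        else:
            vars_[key] = value
    return vars_

PREFIX = "CVE_CHECK_IGNORE_IF_DISABLED["

def conditional_ignore_warnings(vars_):
    """Warn for each ignored CVE whose justification depends on a PACKAGECONFIG
    option that the final configuration actually enables."""
    enabled = set(vars_.get("PACKAGECONFIG", "").split())
    ignored = set(vars_.get("CVE_CHECK_IGNORE", "").split())
    warnings = []
    for key, option in vars_.items():
        if key.startswith(PREFIX):
            cve = key[len(PREFIX):-1]
            if cve in ignored and option in enabled:
                warnings.append(f"{cve}: ignored because PACKAGECONFIG '{option}' "
                                f"is assumed disabled, but it is enabled")
    return warnings

def check(recipe_text, bbappend_text=""):
    """bbappend_text plays the role of a distro config or bbappend layered on top."""
    return conditional_ignore_warnings(parse_recipe(recipe_text + "\n" + bbappend_text))
```

With the recipe as written the check is silent; layering `PACKAGECONFIG:append = " jbig"` on top produces a warning naming CVE-2022-1210 and the jbig option.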



