
List:       openembedded-core
Subject:    [OE-core] [PATCH] cve-extra-exclusions: Clean up and ignore three CVEs (2xqemu and nasm)
From:       "Richard Purdie" <richard.purdie () linuxfoundation ! org>
Date:       2022-06-30 12:32:09
Message-ID: 20220630123209.650284-1-richard.purdie () linuxfoundation ! org

Remove obsolete comments/data from the file. Add in three CVEs to ignore.
Two are qemu CVEs which upstream aren't particularly interested in and aren't
serious issues. Also ignore the nasm CVE found from fuzzing as this isn't
an issue we'd expose from OE.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../distro/include/cve-extra-exclusions.inc   | 30 +++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc \
b/meta/conf/distro/include/cve-extra-exclusions.inc index 993ee2811a3..8b5f8d49b80 \
                100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -90,24 +90,24 @@ CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 \
                CVE-2022-0330 CVE
                      CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 \
CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \  CVE-2022-29582 CVE-2022-29968"
 
-#### CPE update pending ####
-
-# groff:groff-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0803
-# Appears it was fixed in \
https://git.savannah.gnu.org/cgit/groff.git/commit/?id=07f95f1674217275ed4612f1dcaa95a88435c6a7
                
-# so from 1.17 onwards. Reported to the database for update by RP 2021/5/9. Update \
                accepted 2021/5/10.
-#CVE_CHECK_IGNORE += "CVE-2000-0803"
-
-
-
-#### Upstream still working on ####
 
 # qemu:qemu-native:qemu-system-native \
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255  # There was a \
                proposed patch \
                https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
-# however qemu maintainers are sure the patch is incorrect and should not be \
                applied.
-
-# wget https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31879
-# https://mail.gnu.org/archive/html/bug-wget/2021-02/msg00002.html
-# No response upstream as of 2021/5/12
+# qemu maintainers say the patch is incorrect and should not be applied
+# Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in \
an infinite loop rather than exploitable +CVE_CHECK_IGNORE += "CVE-2021-20255"
+
+# qemu:qemu-native:qemu-system-native \
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067 +# There was a \
proposed patch but rejected by upstream qemu. It is unclear if the issue can +# still \
be reproduced or where exactly any bug is. +# Ignore from OE's perspective as we'll \
pick up any fix when upstream accepts one. +CVE_CHECK_IGNORE += "CVE-2019-12067"
+
+# nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974
+# It is a fuzzing related buffer overflow. It is of low impact since most devices
+# wouldn't expose an assembler. The upstream is inactive and there is little to be
+# done about the bug, ignore from an OE perspective.
+CVE_CHECK_IGNORE += "CVE-2020-18974"
 
 
 
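Review bot: the three new entries drop the "reported/checked on <date>" convention that the groff block being removed in this same hunk used ("Reported to the database for update by RP 2021/5/9"), so nothing tells a future reader when these justifications were last re-examined; suggest adding a date to each comment, e.g. `# Ignore from OE's perspective as we'll pick up any fix when upstream accepts one (RP 2022/6/30)`. Two smaller points: "perspectivee" in the CVE-2021-20255 comment is a typo, and "sitting in an infinite loop rather than exploitable" understates the impact, since a hang is itself a denial of service; say plainly that the worst case is DoS and that this is accepted for OE. The nasm justification also rests on nasm being a build-host tool ("most devices wouldn't expose an assembler"), but CVE_CHECK_IGNORE in this distro-level include applies to every recipe, so the report is suppressed for a target nasm package too if a distro builds one; worth stating that assumption in the comment.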
-- 
2.34.1
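The file touched by this patch follows a convention of one justification comment block above each CVE_CHECK_IGNORE assignment. The following is an added example, not part of the patch or of OE-core, of a small audit that parses a file in that style (including BitBake backslash line continuations) and reports any ignored CVE id that has no comment directly above it. The input below is a constructed sample in the style of cve-extra-exclusions.inc, not the real file; its last assignment deliberately lacks a comment.

```python
"""Audit a cve-extra-exclusions.inc style file: every CVE id listed in a
CVE_CHECK_IGNORE assignment should be preceded by a justification comment."""
import re

# Constructed sample in the style of meta/conf/distro/include/cve-extra-exclusions.inc
# (not the real file). The final assignment deliberately has no comment above it.
SAMPLE = '''\
# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255
# qemu maintainers say the patch is incorrect and should not be applied
CVE_CHECK_IGNORE += "CVE-2021-20255"

# nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974
# It is a fuzzing related buffer overflow.
CVE_CHECK_IGNORE += "CVE-2020-18974"

CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 \\
                     CVE-2022-0286"
'''

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def join_continuations(text):
    """Join BitBake backslash-newline continuations into logical lines.

    Returns a list of (first_physical_line_number, logical_line)."""
    out = []
    buf, start = None, 0
    for no, line in enumerate(text.splitlines(), 1):
        if buf is None:
            buf, start = line, no
        else:
            buf += " " + line.strip()
        if buf.rstrip().endswith("\\"):
            buf = buf.rstrip()[:-1]   # drop the continuation marker, keep collecting
            continue
        out.append((start, buf))
        buf = None
    if buf is not None:               # file ended inside a continuation
        out.append((start, buf))
    return out


def audit_ignores(text):
    """Map each CVE id found in a CVE_CHECK_IGNORE assignment to its justification.

    The justification is the run of '#' comment lines immediately above the
    assignment; a blank line or any other statement ends that run, so an
    assignment with no comment directly above it maps to None."""
    result = {}
    pending_comment = []
    for _, line in join_continuations(text):
        stripped = line.strip()
        if stripped.startswith("#"):
            pending_comment.append(stripped.lstrip("# ").rstrip())
            continue
        if stripped.startswith("CVE_CHECK_IGNORE"):
            justification = " ".join(pending_comment) or None
            for cve in CVE_RE.findall(stripped):
                result[cve] = justification
        pending_comment = []
    return result


def unjustified(text):
    """Sorted list of ignored CVE ids that carry no justification comment."""
    return sorted(cve for cve, why in audit_ignores(text).items() if why is None)


if __name__ == "__main__":
    for cve in unjustified(SAMPLE):
        print(f"{cve}: ignored without a justification comment")
```

Running the script on a real cve-extra-exclusions.inc (read the file into `text` instead of using SAMPLE) lists the ids a reviewer would ask about; the same pass could be extended to require a date or the id itself inside the comment, which is what the note on the hunk above asks for.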



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#167411): https://lists.openembedded.org/g/openembedded-core/message/167411
Mute This Topic: https://lists.openembedded.org/mt/92085151/4454766
Group Owner: openembedded-core+owner@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [openembedded-core@marc.info]
-=-=-=-=-=-=-=-=-=-=-=-


