From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: Scott Murray <scott.murray@konsulko.com>
Cc: openembedded-architecture <openembedded-architecture@lists.openembedded.org>, openembedded-core <openembedded-core@lists.openembedded.org>
Subject: Re: [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)
Date: Thu, 29 Jun 2017 23:08:43 +0100
Message-ID: <1498774123.9571.5.camel@linuxfoundation.org>
In-Reply-To: <alpine.LFD.2.20.1706281335150.8288@godzilla.spiteful.org>
On Wed, 2017-06-28 at 13:38 -0400, Scott Murray wrote:
> On Mon, 19 Jun 2017, Richard Purdie wrote:
>
> > I suspect this has been missed by some people so I want to spell it
> > out. We have our first CVE in OE-Core itself.
> >
> > The issue is limited to binary ipks potentially exposing sensitive
> > information through the "Source:" field which contained the full
> > SRC_URI. Those urls could potentially contain sensitive information
> > about servers and credentials.
> >
> > After discussion, I ended up changing the field to contain the recipe
> > filename (no path). There was talk of filtering the urls however if you
> > try, it becomes clear that sensitive elements can remain and no
> > solution is likely 100% effective. The other package backends don't do
> > this at all so this brings ipk more into line with them. Simply
> > clearing the field doesn't work with the current opkg-utils. It can be
> > changed but the change becomes more invasive.
> >
> > This fix has been merged to master.
> >
> > I also did take the decision to backport this change back to
> > pyro/morty/krogoth too. I appreciate this can cause some disruption to
> > people who rely on SRC_URI being in the Source: field however I
> > couldn't see any other realistic way forward.
>
> I noticed that this wasn't CC'ed to the yocto-security mailing list.
> Was that just an oversight, or should that mailing list be considered
> defunct at this point?
Sorry, it was an oversight...
Cheers,
Richard
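An added illustration of the point quoted above, that filtering credentials out of SRC_URI leaves other sensitive elements behind while emitting only the recipe file name does not. This is example code written for this page, not OE-Core, bitbake or opkg-utils code; the function names, the regular expressions and the sample SRC_URI entries (hosts, users, paths and tokens) are all constructed for the example.

```python
# Added example (not OE-Core/opkg-utils code): contrast a "filter the URLs"
# approach to the ipk Source: field with the fix described in the thread,
# which writes only the recipe file name (no path) into the field.
import os
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample SRC_URI entries; every host, user, path and token is invented.
SAMPLE_SRC_URI = [
    "git://git@internal-scm.example.internal/fw/bootloader.git;protocol=ssh;branch=release",
    "https://deploy:s3cr3t@mirror.example.internal/pkg/libfoo-1.2.tar.gz",
    "https://artifacts.example.internal/dl/blob.bin?token=abc123def",
    "file://0001-fix-build.patch",
]

# Hypothetical heuristics used only to show what a naive filter misses.
SENSITIVE_HINTS = re.compile(r"(token|key|secret|passw)", re.IGNORECASE)
INTERNAL_HOST = re.compile(r"\.(internal|local|corp)(/|$)")


def strip_userinfo(url):
    """Naive redaction: drop the user:password@ part of the authority only.
    Scheme, host, path, ;key=value parameters and query string are kept."""
    parts = urlsplit(url)
    netloc = parts.netloc.rsplit("@", 1)[-1]
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def residual_exposure(url):
    """List what a URL still reveals after userinfo stripping: secret-like
    path/query material and internal host names (the "sensitive elements
    can remain" case from the thread)."""
    findings = []
    parts = urlsplit(url)
    if SENSITIVE_HINTS.search(parts.path) or SENSITIVE_HINTS.search(parts.query):
        findings.append("secret-like parameter")
    if INTERNAL_HOST.search(parts.netloc + "/"):
        findings.append("internal host name")
    return findings


def source_field_filtered(src_uri):
    """What a 'filter the urls' Source: field would contain."""
    return " ".join(strip_userinfo(u) for u in src_uri)


def source_field_fixed(recipe_path):
    """What the fix in the thread emits: the recipe file name without its path."""
    return os.path.basename(recipe_path)


if __name__ == "__main__":
    filtered = source_field_filtered(SAMPLE_SRC_URI)
    print("filtered Source:", filtered)
    for entry in SAMPLE_SRC_URI:
        leaks = residual_exposure(strip_userinfo(entry))
        if leaks:
            print("  still exposes", leaks, "in", strip_userinfo(entry))
    print("fixed Source:", source_field_fixed("/build/meta/recipes-core/libfoo/libfoo_1.2.bb"))
```

Running it shows that the filtered field no longer contains `s3cr3t` but still names every internal host and carries the `token=` query parameter, whereas the recipe-basename field carries nothing about where the sources came from.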