RE: [yocto] CVE patch updates

RE: [yocto] CVE patch updates

[Monsees, Steven C (US)]

[-- Attachment #1: Type: text/plain, Size: 13491 bytes --]


So, my only change to my build is the INHERIT =+ “cve-check”…
No issue seen until this line added…

Can someone tell me why when I build from scratch, clean, I see the following error ?
Who’s certificate failure is being flagged ?

Initialising tasks: 100% |#######################################################################################| Time: 0:00:04
Checking sstate mirror object availability: 100% |###############################################################| Time: 0:00:00
Sstate summary: Wanted 2258 Found 2229 Missed 29 Current 0 (98% match, 0% complete)
NOTE: Executing Tasks
NOTE: Setscene tasks completed
ERROR: cve-update-db-native-1.0-r0 do_populate_cve_db: Error executing a python function in exec_python_func() autogenerated:

The stack trace of python calls that resulted in this exception/failure was:
File: 'exec_python_func() autogenerated', lineno: 2, function: <module>
     0001:
*** 0002:do_populate_cve_db(d)
     0003:
File: '/disk0/scratch/smonsees/yocto/workspace_1/poky/meta/recipes-core/meta/cve-update-db-native.bb', lineno: 69, function: do_populate_cve_db
     0065:        meta_url = year_url + ".meta"
     0066:        json_url = year_url + ".json.gz"
     0067:
     0068:        # Retrieve meta last modified date
*** 0069:        response = urllib.request.urlopen(meta_url)
     0070:        if response:
     0071:            for l in response.read().decode("utf-8").splitlines():
     0072:                key, value = l.split(":", 1)
     0073:                if key == "lastModifiedDate":
File: '/usr/lib64/python3.6/urllib/request.py', lineno: 223, function: urlopen
     0219:    elif _opener is None:
     0220:        _opener = opener = build_opener()
     0221:    else:
     0222:        opener = _opener
*** 0223:    return opener.open(url, data, timeout)
     0224:
     0225:def install_opener(opener):
     0226:    global _opener
     0227:    _opener = opener
File: '/usr/lib64/python3.6/urllib/request.py', lineno: 526, function: open
     0522:        for processor in self.process_request.get(protocol, []):
     0523:            meth = getattr(processor, meth_name)
     0524:            req = meth(req)
     0525:
*** 0526:        response = self._open(req, data)
     0527:
     0528:        # post-process response
     0529:        meth_name = protocol+"_response"
     0530:        for processor in self.process_response.get(protocol, []):
File: '/usr/lib64/python3.6/urllib/request.py', lineno: 544, function: _open
     0540:            return result
     0541:
     0542:        protocol = req.type
     0543:        result = self._call_chain(self.handle_open, protocol, protocol +
*** 0544:                                  '_open', req)
     0545:        if result:
     0546:            return result
     0547:
     0548:        return self._call_chain(self.handle_open, 'unknown',
File: '/usr/lib64/python3.6/urllib/request.py', lineno: 504, function: _call_chain
     0500:        # could.  Otherwise, they return the response.
     0501:        handlers = chain.get(kind, ())
     0502:        for handler in handlers:
     0503:            func = getattr(handler, meth_name)
*** 0504:            result = func(*args)
     0505:            if result is not None:
     0506:                return result
     0507:
     0508:    def open(self, fullurl, data=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT):
File: '/usr/lib64/python3.6/urllib/request.py', lineno: 1392, function: https_open
     1388:            self._check_hostname = check_hostname
     1389:
     1390:        def https_open(self, req):
     1391:            return self.do_open(http.client.HTTPSConnection, req,
*** 1392:                context=self._context, check_hostname=self._check_hostname)
     1393:
     1394:        https_request = AbstractHTTPHandler.do_request_
     1395:
     1396:    __all__.append('HTTPSHandler')
File: '/usr/lib64/python3.6/urllib/request.py', lineno: 1351, function: do_open
     1347:            try:
     1348:                h.request(req.get_method(), req.selector, req.data, headers,
     1349:                          encode_chunked=req.has_header('Transfer-encoding'))
     1350:            except OSError as err: # timeout error
*** 1351:                raise URLError(err)
     1352:            r = h.getresponse()
     1353:        except:
     1354:            h.close()
     1355:            raise
Exception: urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)>

ERROR: Logfile of failure stored in: /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/work/x86_64-linux/cve-update-db-native/1.0-r0/temp/log.do_populate_cve_db.4499
ERROR: Task (/disk0/scratch/smonsees/yocto/workspace_1/poky/meta/recipes-core/meta/cve-update-db-native.bb:do_populate_cve_db) failed with exit code '1'
NOTE: Tasks Summary: Attempted 5772 tasks of which 5228 didn't need to be rerun and 1 failed.

Summary: 1 task failed:
  /disk0/scratch/smonsees/yocto/workspace_1/poky/meta/recipes-core/meta/cve-update-db-native.bb:do_populate_cve_db
Summary: There was 1 ERROR message shown, returning a non-zero exit code.
14:41 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default>find . -name '_ssl.c' -print
14:47 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default>



From: yocto@lists.yoctoproject.org <yocto@lists.yoctoproject.org> On Behalf Of Monsees, Steven C (US) via lists.yoctoproject.org
Sent: Thursday, March 24, 2022 2:00 PM
To: yocto@lists.yoctoproject.org
Subject: Re: [yocto] CVE patch updates

External Email Alert

This email has been sent from an account outside of the BAE Systems network.
Please treat the email with caution, especially if you are requested to click on a link, decrypt/open an attachment, or enable macros.  For further information on how to spot phishing, access “Cybersecurity OneSpace Page” and report phishing by clicking the button “Report Phishing” on the Outlook toolbar.



When building in cve-check to see what is reported, it generated all blank/empty report files…
Can someone explain this ?, my local.conf does have the proper modification (INHERIT += “cve-check”).


10:55 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default> bitbake -k sbca-defaultfs-full
Parsing recipes: 100% |#############################################################################################| Time: 0:01:07
Parsing of 2555 .bb files complete (0 cached, 2555 parsed). 3769 targets, 96 skipped, 0 masked, 0 errors.
NOTE: Resolving any missing task queue dependencies

Build Configuration:
BB_VERSION           = "1.44.0"
BUILD_SYS            = "x86_64-linux"
NATIVELSBSTRING      = "rhel-7.9"
TARGET_SYS           = "x86_64-poky-linux"
MACHINE              = "sbca-default"
DISTRO               = "limws"
DISTRO_VERSION       = "3.0.4"
TUNE_FEATURES        = "m64 corei7"
TARGET_FPU           = ""
meta
meta-poky            = "my_yocto_3.0.4:2f9bca440204f9e73158705a4ec04698b1f6ad42"
meta-perl
meta-python
meta-filesystems
meta-networking
meta-initramfs
meta-oe              = "zeus:2b5dd1eb81cd08bc065bc76125f2856e9383e98b"
meta-virtualization  = "zeus:7e5219669ff6f8e9c8c33ffd230e95a6b2b025f4"
meta                 = "master:a32ddd2b2a51b26c011fa50e441df39304651503"
meta-clang           = "zeus:f5355ca9b86fb5de5930132ffd95a9b352d694f9"
meta-intel           = "zeus:d9942d4c3a710406b051852de7232db03c297f4e"
meta-intel           = "LIMWSSWARE-682-oews-meta-bae-clean-up:99f116056452f1fefe83fe458f533b48f52fe4ba"

Initialising tasks: 100% |##########################################################################################| Time: 0:00:04
Checking sstate mirror object availability: 100% |##################################################################| Time: 0:00:02
Sstate summary: Wanted 2258 Found 15 Missed 2243 Current 0 (0% match, 0% complete)
NOTE: Executing Tasks
NOTE: Setscene tasks completed
Image CVE report stored in: /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/images/sbca-default/core-image-minimal-initramfs-sbca-default-20220324145629.rootfs.cve
Image CVE report stored in: /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/images/sbca-default/aiox_orange-sbca-default-20220324145629.rootfs.cve
NOTE: Tasks Summary: Attempted 6753 tasks of which 77 didn't need to be rerun and all succeeded.


13:33 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default>ls -l /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/images/sbca-default/core-image-minimal-initramfs-sbca-default-20220324145629.rootfs.cve
-rw-r--r--. 1 smonsees none 0 Mar 24 13:16 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/images/sbca-default/core-image-minimal-initramfs-sbca-default-20220324145629.rootfs.cve
13:33 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default>ls -l /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/images/sbca-default/aiox_orange-sbca-default-20220324145629.rootfs.cve
-rw-r--r--. 1 smonsees none 0 Mar 24 13:17 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/images/sbca-default/aiox_orange-sbca-default-20220324145629.rootfs.cve
13:33 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default>


13:27 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/cve>ls -l
total 0
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 binutils
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 binutils-cross-x86_64
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 binutils-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 bluez5
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:12 boost
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 cairo
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:12 cairo-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:16 cpio-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 curl
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 curl-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 dbus
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 dbus-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 e2fsprogs
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 e2fsprogs-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 file-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 flex
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 flex-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 gcc-source-9.2.0
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 gettext-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 glib-2.0
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 glib-2.0-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 glibc
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 gnutls
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 go-cross-corei7-64
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 go-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 go-runtime
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:12 icu
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:12 icu-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 libarchive-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 libgcrypt
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:12 libjpeg-turbo
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:12 libjpeg-turbo-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 libpcre
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:12 libpcre2
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 libpcre-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 libxml2
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 libxml2-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 libxslt-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 mailx
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 nasm-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 ncurses
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 ncurses-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:14 nfs-utils
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:14 openssh
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 patch-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 perl
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 perl-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 python3
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 python3-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 qemu-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:14 rsync
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 sqlite3
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:06 sqlite3-native
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 sudo
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:13 sysstat
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 unzip
-rw-rw-r--. 1 smonsees none 0 Mar 24 13:05 unzip-native
13:27 smonsees@yix465383 /disk0/scratch/smonsees/yocto/workspace_1/builds2/sbca-default/tmp/deploy/cve>


From: Monsees, Steven C (US)
Sent: Thursday, March 24, 2022 12:56 PM
To: yocto@lists.yoctoproject.org<mailto:yocto@lists.yoctoproject.org>
Subject: CVE patch updates



I am currently building in cve-check to see what is reported, and I was curious if Yocto might provide any CVE based patch repositories ?

Is there a yocto page somewhere that goes over this side of things ?,
I did not see much in the mega-manual… I am running on zeus based platforms (for both armarch64 and x86_64).

Thanks,
Steve

[-- Attachment #2: Type: text/html, Size: 38194 bytes --]

Re: [yocto] CVE patch updates

[Tim Orling]

[-- Attachment #1: Type: text/plain, Size: 1829 bytes --]

On Thu, Mar 24, 2022 at 2:45 PM Richard Purdie <
richard.purdie@linuxfoundation.org> wrote:

> On Thu, 2022-03-24 at 16:56 +0000, Monsees, Steven C (US) via
> lists.yoctoproject.org wrote:
> >
> > I am currently building in cve-check to see what is reported, and I was
> curious
> > if Yocto might provide any CVE based patch repositories ?
> >
> > Is there a yocto page somewhere that goes over this side of things ?,
> > I did not see much in the mega-manual… I am running on zeus based
> platforms (for
> > both armarch64 and x86_64).
> >
>
> You'll see output of cve-check on the yocto-security list for layers that
> are
> still in maintenance:
>
> https://lists.yoctoproject.org/g/yocto-security/messages
>
> although zeus is out of maintenance.
>
> We merge CVE fixes to the branches that are in maintenance.
>
> A graph showing the data over time:
>
>
> https://docs.google.com/spreadsheets/d/e/2PACX-1vRgNISmH0Ditf0bRtSezeR2XsgKIiSFJKF6KJUHpnzocNGzvKZbuSDKfmV3n64BFXDRqElBSJnhHtG4/pubchart?oid=1993375488&format=interactive
>

Steven, if you haven’t already, you should subscribe to
https://lists.yoctoproject.org/g/yocto-security

Emails are sent out, usually on Sunday. If you see a CVE that interests
you… grab it and fix it.

This is mostly a community effort. There is no special dedicated squad of
security champions.


> Cheers,
>
> Richard
>
>
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#56555):
> https://lists.yoctoproject.org/g/yocto/message/56555
> Mute This Topic: https://lists.yoctoproject.org/mt/90004034/924729
> Group Owner: yocto+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [
> ticotimo@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>

[-- Attachment #2: Type: text/html, Size: 3501 bytes --]

RE: [yocto] CVE patch updates

[Monsees, Steven C (US)]

[-- Attachment #1: Type: text/plain, Size: 2604 bytes --]


Thanks Richard, will do…

From: Tim Orling <ticotimo@gmail.com>
Sent: Thursday, March 24, 2022 9:03 PM
To: Richard Purdie <richard.purdie@linuxfoundation.org>
Cc: Monsees, Steven C (US) <steven.monsees@baesystems.com>; yocto@lists.yoctoproject.org
Subject: Re: [yocto] CVE patch updates

External Email Alert

This email has been sent from an account outside of the BAE Systems network.
Please treat the email with caution, especially if you are requested to click on a link, decrypt/open an attachment, or enable macros.  For further information on how to spot phishing, access “Cybersecurity OneSpace Page” and report phishing by clicking the button “Report Phishing” on the Outlook toolbar.




On Thu, Mar 24, 2022 at 2:45 PM Richard Purdie <richard.purdie@linuxfoundation.org<mailto:richard.purdie@linuxfoundation.org>> wrote:
On Thu, 2022-03-24 at 16:56 +0000, Monsees, Steven C (US) via
lists.yoctoproject.org<http://lists.yoctoproject.org> wrote:
>
> I am currently building in cve-check to see what is reported, and I was curious
> if Yocto might provide any CVE based patch repositories ?
>
> Is there a yocto page somewhere that goes over this side of things ?,
> I did not see much in the mega-manual… I am running on zeus based platforms (for
> both armarch64 and x86_64).
>

You'll see output of cve-check on the yocto-security list for layers that are
still in maintenance:

https://lists.yoctoproject.org/g/yocto-security/messages

although zeus is out of maintenance.

We merge CVE fixes to the branches that are in maintenance.

A graph showing the data over time:

https://docs.google.com/spreadsheets/d/e/2PACX-1vRgNISmH0Ditf0bRtSezeR2XsgKIiSFJKF6KJUHpnzocNGzvKZbuSDKfmV3n64BFXDRqElBSJnhHtG4/pubchart?oid=1993375488&format=interactive

Steven, if you haven’t already, you should subscribe to
https://lists.yoctoproject.org/g/yocto-security

Emails are sent out, usually on Sunday. If you see a CVE that interests you… grab it and fix it.

This is mostly a community effort. There is no special dedicated squad of security champions.


Cheers,

Richard




-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#56555): https://lists.yoctoproject.org/g/yocto/message/56555
Mute This Topic: https://lists.yoctoproject.org/mt/90004034/924729
Group Owner: yocto+owner@lists.yoctoproject.org<mailto:yocto%2Bowner@lists.yoctoproject.org>
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [ticotimo@gmail.com<mailto:ticotimo@gmail.com>]
-=-=-=-=-=-=-=-=-=-=-=-

[-- Attachment #2: Type: text/html, Size: 8342 bytes --]

RE: [yocto] CVE patch updates

[Monsees, Steven C (US)]

[-- Attachment #1: Type: text/plain, Size: 2604 bytes --]


Thanks Tim,  subscribed…

From: Tim Orling <ticotimo@gmail.com>
Sent: Thursday, March 24, 2022 9:03 PM
To: Richard Purdie <richard.purdie@linuxfoundation.org>
Cc: Monsees, Steven C (US) <steven.monsees@baesystems.com>; yocto@lists.yoctoproject.org
Subject: Re: [yocto] CVE patch updates

External Email Alert

This email has been sent from an account outside of the BAE Systems network.
Please treat the email with caution, especially if you are requested to click on a link, decrypt/open an attachment, or enable macros.  For further information on how to spot phishing, access “Cybersecurity OneSpace Page” and report phishing by clicking the button “Report Phishing” on the Outlook toolbar.




On Thu, Mar 24, 2022 at 2:45 PM Richard Purdie <richard.purdie@linuxfoundation.org<mailto:richard.purdie@linuxfoundation.org>> wrote:
On Thu, 2022-03-24 at 16:56 +0000, Monsees, Steven C (US) via
lists.yoctoproject.org<http://lists.yoctoproject.org> wrote:
>
> I am currently building in cve-check to see what is reported, and I was curious
> if Yocto might provide any CVE based patch repositories ?
>
> Is there a yocto page somewhere that goes over this side of things ?,
> I did not see much in the mega-manual… I am running on zeus based platforms (for
> both armarch64 and x86_64).
>

You'll see output of cve-check on the yocto-security list for layers that are
still in maintenance:

https://lists.yoctoproject.org/g/yocto-security/messages

although zeus is out of maintenance.

We merge CVE fixes to the branches that are in maintenance.

A graph showing the data over time:

https://docs.google.com/spreadsheets/d/e/2PACX-1vRgNISmH0Ditf0bRtSezeR2XsgKIiSFJKF6KJUHpnzocNGzvKZbuSDKfmV3n64BFXDRqElBSJnhHtG4/pubchart?oid=1993375488&format=interactive

Steven, if you haven’t already, you should subscribe to
https://lists.yoctoproject.org/g/yocto-security

Emails are sent out, usually on Sunday. If you see a CVE that interests you… grab it and fix it.

This is mostly a community effort. There is no special dedicated squad of security champions.


Cheers,

Richard




-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#56555): https://lists.yoctoproject.org/g/yocto/message/56555
Mute This Topic: https://lists.yoctoproject.org/mt/90004034/924729
Group Owner: yocto+owner@lists.yoctoproject.org<mailto:yocto%2Bowner@lists.yoctoproject.org>
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [ticotimo@gmail.com<mailto:ticotimo@gmail.com>]
-=-=-=-=-=-=-=-=-=-=-=-

[-- Attachment #2: Type: text/html, Size: 8347 bytes --]