[meta-virtualization] [scarthgap] [PATCH] grpc-go 1.59.0+git: Ignore CVE-2024-7246

[meta-virtualization] [scarthgap] [PATCH] grpc-go 1.59.0+git: Ignore CVE-2024-7246

[Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco)]

From: Anil Dongare <adongare@cisco.com>

Upstream Repository: https://github.com/grpc/grpc-go

Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-7246
Type: Security Fix
CVE: CVE-2024-7246
Score: 6.3 (Medium)
Patch: https://github.com/grpc/grpc/issues/36245

Analysis:
-CVE-2024-7246 describes an HTTP/2 HPACK header table poisoning
 issue found in the gRPC C-core implementation (grpc/grpc).
-The vulnerability does not apply to the pure Go implementation
 (grpc-go) used in Yocto (meta-virtualization layer).
-Marking as not-applicable-config (implementation difference).
-The affected code path is not present in grpc-go.Hence ignoring the
  CVE for grpc-go.

Reference:
[1] https://nvd.nist.gov/vuln/detail/CVE-2024-7246
[2] https://github.com/grpc/grpc/issues/36245
[3] Upstream gRPC release notes confirming fixed versions for gRPC
    C-core (not grpc-go).

Signed-off-by: Anil Dongare <adongare@cisco.com>
---
 recipes-devtools/go/grpc-go_git.bb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/recipes-devtools/go/grpc-go_git.bb b/recipes-devtools/go/grpc-go_git.bb
index 7989c02f..fdfc2307 100644
--- a/recipes-devtools/go/grpc-go_git.bb
+++ b/recipes-devtools/go/grpc-go_git.bb
@@ -43,3 +43,8 @@ FILES:${PN} += " \
 # some CVEs are reported with "cpe:2.3:a:grpc:grpc:*:*:*:*:*:go:*:*"
 # it's better to have false positives than false negatives
 CVE_PRODUCT += "grpc"
+# CVE-2024-7246 is an HTTP/2 HPACK poisoning issue in gRPC C-core
+# (C/C++ implementation, meta-openembedded).
+# grpc-go (Go implementation in meta-virtualization) does not
+# contain the affected HPACK code path.
+CVE_STATUS[CVE-2024-7246] = "not-applicable-config: CVE is for grpc (C-core), not grpc-go."
-- 
2.43.5

Re: [meta-virtualization] [scarthgap] [PATCH] grpc-go 1.59.0+git: Ignore CVE-2024-7246

[Bruce Ashfield]

In message: [meta-virtualization] [scarthgap] [PATCH] grpc-go 1.59.0+git: Ignore CVE-2024-7246
on 28/08/2025 Anil Dongare -X (adongare - E INFOCHIPS PRIVATE LIMITED at Cisco) wrote:

> From: Anil Dongare <adongare@cisco.com>
> 
> Upstream Repository: https://github.com/grpc/grpc-go
> 
> Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-7246
> Type: Security Fix
> CVE: CVE-2024-7246
> Score: 6.3 (Medium)
> Patch: https://github.com/grpc/grpc/issues/36245
> 
> Analysis:
> -CVE-2024-7246 describes an HTTP/2 HPACK header table poisoning
>  issue found in the gRPC C-core implementation (grpc/grpc).
> -The vulnerability does not apply to the pure Go implementation
>  (grpc-go) used in Yocto (meta-virtualization layer).
> -Marking as not-applicable-config (implementation difference).
> -The affected code path is not present in grpc-go.Hence ignoring the
>   CVE for grpc-go.

merged.

Bruce

> 
> Reference:
> [1] https://nvd.nist.gov/vuln/detail/CVE-2024-7246
> [2] https://github.com/grpc/grpc/issues/36245
> [3] Upstream gRPC release notes confirming fixed versions for gRPC
>     C-core (not grpc-go).
> 
> Signed-off-by: Anil Dongare <adongare@cisco.com>
> ---
>  recipes-devtools/go/grpc-go_git.bb | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/recipes-devtools/go/grpc-go_git.bb b/recipes-devtools/go/grpc-go_git.bb
> index 7989c02f..fdfc2307 100644
> --- a/recipes-devtools/go/grpc-go_git.bb
> +++ b/recipes-devtools/go/grpc-go_git.bb
> @@ -43,3 +43,8 @@ FILES:${PN} += " \
>  # some CVEs are reported with "cpe:2.3:a:grpc:grpc:*:*:*:*:*:go:*:*"
>  # it's better to have false positives than false negatives
>  CVE_PRODUCT += "grpc"
> +# CVE-2024-7246 is an HTTP/2 HPACK poisoning issue in gRPC C-core
> +# (C/C++ implementation, meta-openembedded).
> +# grpc-go (Go implementation in meta-virtualization) does not
> +# contain the affected HPACK code path.
> +CVE_STATUS[CVE-2024-7246] = "not-applicable-config: CVE is for grpc (C-core), not grpc-go."
> -- 
> 2.43.5
>