From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: openembedded-architecture <openembedded-architecture@lists.openembedded.org>, openembedded-core <openembedded-core@lists.openembedded.org>
Subject: OE-Core/Yocto Project's first CVE (CVE-2017-9731)
Date: Mon, 19 Jun 2017 11:38:58 +0100
Message-ID: <1497868738.24449.41.camel@linuxfoundation.org>
I suspect this has been missed by some people so I want to spell it
out. We have our first CVE in OE-Core itself.

The issue is limited to binary ipks potentially exposing sensitive
information through the "Source:" field, which contained the full
SRC_URI. Those URLs could potentially contain sensitive information
about servers and credentials.

After discussion, I ended up changing the field to contain the recipe
filename (no path). There was talk of filtering the URLs; however, if you
try, it becomes clear that sensitive elements can remain and no
solution is likely 100% effective. The other package backends don't do
this at all, so this brings ipk more into line with them. Simply
clearing the field doesn't work with the current opkg-utils. It can be
changed, but the change becomes more invasive.

This fix has been merged to master.

I also did take the decision to backport this change back to
pyro/morty/krogoth too. I appreciate this can cause some disruption to
people who rely on SRC_URI being in the Source: field; however, I
couldn't see any other realistic way forward.

Cheers,

Richard
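An added illustration of the leak described above and of the shape of the fix; this is example code written for this page, not the OE-Core patch. It parses the `control` file that lives in an ipk's control.tar.gz, flags SRC_URI entries whose URL carries userinfo, and shows the recipe-filename value the fix writes instead. The control text, host names and recipe path are constructed.

```python
"""Check an opkg 'control' file for SRC_URI leakage in its Source: field.

Added example for this page, not the OE-Core fix itself. The sample
control text, hosts, credentials and recipe path below are constructed.
"""
import os
from urllib.parse import urlsplit

# Constructed control file of the kind an ipk carried before the fix:
# the Source: field holds the recipe's complete SRC_URI, including a
# fetch URL with embedded credentials and an internal host name.
SAMPLE_CONTROL = """\
Package: example-app
Version: 1.0-r0
Architecture: cortexa8hf-neon
Maintainer: Example Maintainer <maint@example.com>
Source: git://user:s3cret@build.example.internal/app.git;protocol=https
 file://0001-fix.patch https://mirror.example.com/app-1.0.tar.gz
Description: constructed example package
"""


def parse_control(text):
    """Parse RFC822-style fields; lines starting with whitespace continue
    the previous field (the Source: value above spans two lines)."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += " " + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def leaking_urls(source_field):
    """Return the SRC_URI entries whose URL carries a user name or password.

    SRC_URI entries are whitespace separated; BitBake parameters follow ';'.
    Host names are not flagged, which is one reason the message above
    says filtering cannot be relied on to be complete.
    """
    leaks = []
    for entry in source_field.split():
        url = entry.split(";", 1)[0]
        parts = urlsplit(url)
        if parts.username or parts.password:
            leaks.append(url)
    return leaks


def fixed_source_field(recipe_file):
    """What the merged fix records instead: the recipe file name, no path."""
    return os.path.basename(recipe_file)
```

Running `leaking_urls(parse_control(SAMPLE_CONTROL)["Source"])` on the constructed control file reports the git URL with its credentials, while `fixed_source_field()` yields a value with nothing to flag.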