[poky][master][PATCH] glibc: Added and whitelisted CVE patches

[poky][master][PATCH] glibc: Added and whitelisted CVE patches

[saloni]

From: Saloni Jain <Saloni.Jain@kpit.com>

Below CVE patches are whitelisted as not considered
as security threats by Upstream Community:
1. CVE-2019-1010022
Link: https://security-tracker.debian.org/tracker/CVE-2019-1010022
2. CVE-2019-1010023
Link: https://security-tracker.debian.org/tracker/CVE-2019-1010023
3. CVE-2019-1010024
Link: https://security-tracker.debian.org/tracker/CVE-2019-1010024
4. CVE-2019-1010025
Link: https://security-tracker.debian.org/tracker/CVE-2019-1010025

Below CVE patches are whitelisted as the changes are
already present in the source-code:
1. CVE-2020-1751
Link: https://security-tracker.debian.org/tracker/CVE-2020-1751
2. CVE-2020-1752
Link: https://security-tracker.debian.org/tracker/CVE-2020-1752
3. CVE-2020-6096
Link: https://security-tracker.debian.org/tracker/CVE-2020-6096
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1820331
4. CVE-2015-8985
Link: https://security-tracker.debian.org/tracker/CVE-2015-8985
Link: https://sourceware.org/git/?p=glibc.git;a=patch;h=eb04c21373e2a2885f3d52ff192b0499afe3c672
5. CVE-2016-10739
Link: https://security-tracker.debian.org/tracker/CVE-2016-10739
Link: https://sourceware.org/git/?p=glibc.git;a=patch;h=108bc4049f8ae82710aec26a92ffdb4b439c83fd
6. CVE-2020-10029
Link: https://security-tracker.debian.org/tracker/CVE-2020-10029
Link: https://sourceware.org/git/?p=glibc.git;a=patch;h=9333498794cde1d5cca518badf79533a24114b6f
7. CVE-2009-5155
Link: https://security-tracker.debian.org/tracker/CVE-2009-5155
Link: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672

Upstream-Status: Pending
Signed-off-by: Saloni.Jain <Saloni.Jain@kpit.com>
---
 meta/recipes-core/glibc/glibc_2.32.bb | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-core/glibc/glibc_2.32.bb b/meta/recipes-core/glibc/glibc_2.32.bb
index 2a0e464..7c56f6b 100644
--- a/meta/recipes-core/glibc/glibc_2.32.bb
+++ b/meta/recipes-core/glibc/glibc_2.32.bb
@@ -1,7 +1,24 @@
 require glibc.inc
 require glibc-version.inc

-CVE_CHECK_WHITELIST += "CVE-2020-10029"
+#As confirmed by Upstream Community below patches are not considered security threats, hence whitelisted.
+CVE_CHECK_WHITELIST += "\
+    CVE-2019-1010022 \
+    CVE-2019-1010023 \
+    CVE-2019-1010024 \
+    CVE-2019-1010025 \
+"
+#Changes are already present in source-code, hence whitelisted.
+CVE_CHECK_WHITELIST += "\
+    CVE-2009-5155 \
+    CVE-2016-10739 \
+    CVE-2020-10029 \
+    CVE-2015-8985 \
+    CVE-2020-6096 \
+    CVE-2016-10228 \
+    CVE-2020-1751 \
+    CVE-2020-1752 \
+"

 DEPENDS += "gperf-native bison-native make-native"

--
2.7.4

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

Re: [poky][master][PATCH] glibc: Added and whitelisted CVE patches

[Khem Raj]

On Wed, Oct 28, 2020 at 8:24 AM Saloni.Jain <Saloni.Jain@kpit.com> wrote:
>
> From: Saloni Jain <Saloni.Jain@kpit.com>
>
> Below CVE patches are whitelisted as not considered
> as security threats by Upstream Community:
> 1. CVE-2019-1010022
> Link: https://security-tracker.debian.org/tracker/CVE-2019-1010022
> 2. CVE-2019-1010023
> Link: https://security-tracker.debian.org/tracker/CVE-2019-1010023
> 3. CVE-2019-1010024
> Link: https://security-tracker.debian.org/tracker/CVE-2019-1010024
> 4. CVE-2019-1010025
> Link: https://security-tracker.debian.org/tracker/CVE-2019-1010025
>
> Below CVE patches are whitelisted as the changes are
> already present in the source-code:
> 1. CVE-2020-1751
> Link: https://security-tracker.debian.org/tracker/CVE-2020-1751
> 2. CVE-2020-1752
> Link: https://security-tracker.debian.org/tracker/CVE-2020-1752
> 3. CVE-2020-6096
> Link: https://security-tracker.debian.org/tracker/CVE-2020-6096
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=1820331
> 4. CVE-2015-8985
> Link: https://security-tracker.debian.org/tracker/CVE-2015-8985
> Link: https://sourceware.org/git/?p=glibc.git;a=patch;h=eb04c21373e2a2885f3d52ff192b0499afe3c672
> 5. CVE-2016-10739
> Link: https://security-tracker.debian.org/tracker/CVE-2016-10739
> Link: https://sourceware.org/git/?p=glibc.git;a=patch;h=108bc4049f8ae82710aec26a92ffdb4b439c83fd
> 6. CVE-2020-10029
> Link: https://security-tracker.debian.org/tracker/CVE-2020-10029
> Link: https://sourceware.org/git/?p=glibc.git;a=patch;h=9333498794cde1d5cca518badf79533a24114b6f
> 7. CVE-2009-5155
> Link: https://security-tracker.debian.org/tracker/CVE-2009-5155
> Link: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672
>

Thanks for doing this. Looks ok to me.

> Upstream-Status: Pending

we do not need upstream status to metadata patches but to actual
components which needs to be tracked for upstream submission etc.
so please remove it here.

> Signed-off-by: Saloni.Jain <Saloni.Jain@kpit.com>
> ---
>  meta/recipes-core/glibc/glibc_2.32.bb | 19 ++++++++++++++++++-
>  1 file changed, 18 insertions(+), 1 deletion(-)
>
> diff --git a/meta/recipes-core/glibc/glibc_2.32.bb b/meta/recipes-core/glibc/glibc_2.32.bb
> index 2a0e464..7c56f6b 100644
> --- a/meta/recipes-core/glibc/glibc_2.32.bb
> +++ b/meta/recipes-core/glibc/glibc_2.32.bb
> @@ -1,7 +1,24 @@
>  require glibc.inc
>  require glibc-version.inc
>
> -CVE_CHECK_WHITELIST += "CVE-2020-10029"
> +#As confirmed by Upstream Community below patches are not considered security threats, hence whitelisted.
> +CVE_CHECK_WHITELIST += "\
> +    CVE-2019-1010022 \
> +    CVE-2019-1010023 \
> +    CVE-2019-1010024 \
> +    CVE-2019-1010025 \
> +"
> +#Changes are already present in source-code, hence whitelisted.
> +CVE_CHECK_WHITELIST += "\
> +    CVE-2009-5155 \
> +    CVE-2016-10739 \
> +    CVE-2020-10029 \
> +    CVE-2015-8985 \
> +    CVE-2020-6096 \
> +    CVE-2016-10228 \
> +    CVE-2020-1751 \
> +    CVE-2020-1752 \
> +"
>
>  DEPENDS += "gperf-native bison-native make-native"
>
> --
> 2.7.4
>
> This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

[poky][master][PATCH] glibc: Added and whitelisted CVE patches

[saloni]

From: Saloni Jain <Saloni.Jain@kpit.com>

Below CVE patches are whitelisted as not considered
as security threats by Upstream Community:
1. CVE-2019-1010022
Link: https://security-tracker.debian.org/tracker/CVE-2019-1010022
2. CVE-2019-1010023
Link: https://security-tracker.debian.org/tracker/CVE-2019-1010023
3. CVE-2019-1010024
Link: https://security-tracker.debian.org/tracker/CVE-2019-1010024
4. CVE-2019-1010025
Link: https://security-tracker.debian.org/tracker/CVE-2019-1010025

Below CVE patches are whitelisted as the changes are
already present in the source-code:
1. CVE-2020-1751
Link: https://security-tracker.debian.org/tracker/CVE-2020-1751
2. CVE-2020-1752
Link: https://security-tracker.debian.org/tracker/CVE-2020-1752
3. CVE-2020-6096
Link: https://security-tracker.debian.org/tracker/CVE-2020-6096
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1820331
4. CVE-2015-8985
Link: https://security-tracker.debian.org/tracker/CVE-2015-8985
Link: https://sourceware.org/git/?p=glibc.git;a=patch;h=eb04c21373e2a2885f3d52ff192b0499afe3c672
5. CVE-2016-10739
Link: https://security-tracker.debian.org/tracker/CVE-2016-10739
Link: https://sourceware.org/git/?p=glibc.git;a=patch;h=108bc4049f8ae82710aec26a92ffdb4b439c83fd
6. CVE-2020-10029
Link: https://security-tracker.debian.org/tracker/CVE-2020-10029
Link: https://sourceware.org/git/?p=glibc.git;a=patch;h=9333498794cde1d5cca518badf79533a24114b6f
7. CVE-2009-5155
Link: https://security-tracker.debian.org/tracker/CVE-2009-5155
Link: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672

Signed-off-by: Saloni.Jain <Saloni.Jain@kpit.com>
---
 meta/recipes-core/glibc/glibc_2.32.bb | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-core/glibc/glibc_2.32.bb b/meta/recipes-core/glibc/glibc_2.32.bb
index 2a0e464..d5c18ce 100644
--- a/meta/recipes-core/glibc/glibc_2.32.bb
+++ b/meta/recipes-core/glibc/glibc_2.32.bb
@@ -1,7 +1,25 @@
 require glibc.inc
 require glibc-version.inc

-CVE_CHECK_WHITELIST += "CVE-2020-10029"
+#As confirmed by Upstream Community below patches are not considered security threats, hence whitelisted.
+CVE_CHECK_WHITELIST += "\
+    CVE-2019-1010022 \
+    CVE-2019-1010023 \
+    CVE-2019-1010024 \
+    CVE-2019-1010025 \
+"
+
+#Changes are already present in source-code, hence whitelisted.
+CVE_CHECK_WHITELIST += "\
+    CVE-2009-5155 \
+    CVE-2016-10739 \
+    CVE-2020-10029 \
+    CVE-2015-8985 \
+    CVE-2020-6096 \
+    CVE-2016-10228 \
+    CVE-2020-1751 \
+    CVE-2020-1752 \
+"

 DEPENDS += "gperf-native bison-native make-native"

--
2.7.4

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

Re: [poky][master][PATCH] glibc: Added and whitelisted CVE patches

[saloni]

[-- Attachment #1: Type: text/plain, Size: 10824 bytes --]

Hello Khem Raj,

Thankyou for the feedback! I have removed the line and resent the patch again.

Thanks & Regards,
Saloni
________________________________
From: Khem Raj <raj.khem@gmail.com>
Sent: Wednesday, October 28, 2020 9:23 PM
To: Saloni Jain <Saloni.Jain@kpit.com>
Cc: Patches and discussions about the oe-core layer <openembedded-core@lists.openembedded.org>; Nisha Parrakat <Nisha.Parrakat@kpit.com>; Anuj Chougule <Anuj.Chougule@kpit.com>
Subject: Re: [poky][master][PATCH] glibc: Added and whitelisted CVE patches

On Wed, Oct 28, 2020 at 8:24 AM Saloni.Jain <Saloni.Jain@kpit.com> wrote:
>
> From: Saloni Jain <Saloni.Jain@kpit.com>
>
> Below CVE patches are whitelisted as not considered
> as security threats by Upstream Community:
> 1. CVE-2019-1010022
> Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity-tracker.debian.org%2Ftracker%2FCVE-2019-1010022&amp;data=04%7C01%7CSaloni.Jain%40kpit.com%7Cc0eb760c9294406e526908d87b59bc9e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637394972685069290%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=GZrfiAc1LbOzRBhzHSF71pISmLVQMDPsVNbOKNwFU2I%3D&amp;reserved=0
> 2. CVE-2019-1010023
> Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity-tracker.debian.org%2Ftracker%2FCVE-2019-1010023&amp;data=04%7C01%7CSaloni.Jain%40kpit.com%7Cc0eb760c9294406e526908d87b59bc9e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637394972685069290%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=%2BPOMtxzlSMSjRcWkyeUu1DDRNpbdCFVDHi2Oii9O0KE%3D&amp;reserved=0
> 3. CVE-2019-1010024
> Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity-tracker.debian.org%2Ftracker%2FCVE-2019-1010024&amp;data=04%7C01%7CSaloni.Jain%40kpit.com%7Cc0eb760c9294406e526908d87b59bc9e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637394972685069290%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=fxoI1KYiNprzTwp0Vxk52pj4iogBnVELj6FnwZ7%2Fk8I%3D&amp;reserved=0
> 4. CVE-2019-1010025
> Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity-tracker.debian.org%2Ftracker%2FCVE-2019-1010025&amp;data=04%7C01%7CSaloni.Jain%40kpit.com%7Cc0eb760c9294406e526908d87b59bc9e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637394972685069290%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=BIbL1ikyInBgRszvevPWGrd%2BSOBfn5F12SggpyRPli8%3D&amp;reserved=0
>
> Below CVE patches are whitelisted as the changes are
> already present in the source-code:
> 1. CVE-2020-1751
> Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity-tracker.debian.org%2Ftracker%2FCVE-2020-1751&amp;data=04%7C01%7CSaloni.Jain%40kpit.com%7Cc0eb760c9294406e526908d87b59bc9e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637394972685069290%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=YmyZ99RzofIHU5W9tNWv2suNJbaRKApRFEFKx9Ti%2FPU%3D&amp;reserved=0
> 2. CVE-2020-1752
> Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity-tracker.debian.org%2Ftracker%2FCVE-2020-1752&amp;data=04%7C01%7CSaloni.Jain%40kpit.com%7Cc0eb760c9294406e526908d87b59bc9e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637394972685069290%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=PENgTh%2BpLaH1AjJlE5egqVUJBE5USv0WUnbe2QwF0fc%3D&amp;reserved=0
> 3. CVE-2020-6096
> Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity-tracker.debian.org%2Ftracker%2FCVE-2020-6096&amp;data=04%7C01%7CSaloni.Jain%40kpit.com%7Cc0eb760c9294406e526908d87b59bc9e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637394972685079284%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=eBPUmapGobfXsK%2BzzwLVXYye8BUdkNauhyjrMXEx4Xc%3D&amp;reserved=0
> Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.redhat.com%2Fshow_bug.cgi%3Fid%3D1820331&amp;data=04%7C01%7CSaloni.Jain%40kpit.com%7Cc0eb760c9294406e526908d87b59bc9e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637394972685079284%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=Pxa8ikANO59wq50c8drqvxv2lBraBpgzxPdAT3UMm7w%3D&amp;reserved=0
> 4. CVE-2015-8985
> Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity-tracker.debian.org%2Ftracker%2FCVE-2015-8985&amp;data=04%7C01%7CSaloni.Jain%40kpit.com%7Cc0eb760c9294406e526908d87b59bc9e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637394972685079284%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=qgjqafPVHgLephuiU1W6LPeFj9W6aAQIN09tmRCBZTo%3D&amp;reserved=0
> Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsourceware.org%2Fgit%2F%3Fp%3Dglibc.git%3Ba%3Dpatch%3Bh%3Deb04c21373e2a2885f3d52ff192b0499afe3c672&amp;data=04%7C01%7CSaloni.Jain%40kpit.com%7Cc0eb760c9294406e526908d87b59bc9e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637394972685079284%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=wlG6FyH%2FyJmFCsbXlPBn4t2uS3XWeTWwow83Mm4T5AU%3D&amp;reserved=0
> 5. CVE-2016-10739
> Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity-tracker.debian.org%2Ftracker%2FCVE-2016-10739&amp;data=04%7C01%7CSaloni.Jain%40kpit.com%7Cc0eb760c9294406e526908d87b59bc9e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637394972685079284%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=Ro4S9ljtCEB36VKsEHQuSw541C%2FNhmidMiH6b%2F4qlM0%3D&amp;reserved=0
> Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsourceware.org%2Fgit%2F%3Fp%3Dglibc.git%3Ba%3Dpatch%3Bh%3D108bc4049f8ae82710aec26a92ffdb4b439c83fd&amp;data=04%7C01%7CSaloni.Jain%40kpit.com%7Cc0eb760c9294406e526908d87b59bc9e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637394972685079284%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=lvArutjOovXOBM39WQ95p0ACzP5c0Gg9UeVFznprzyc%3D&amp;reserved=0
> 6. CVE-2020-10029
> Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity-tracker.debian.org%2Ftracker%2FCVE-2020-10029&amp;data=04%7C01%7CSaloni.Jain%40kpit.com%7Cc0eb760c9294406e526908d87b59bc9e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637394972685079284%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=Za74swln8zQMEK64ei3wq71UUBCp1B94FXxMJJlxoZw%3D&amp;reserved=0
> Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsourceware.org%2Fgit%2F%3Fp%3Dglibc.git%3Ba%3Dpatch%3Bh%3D9333498794cde1d5cca518badf79533a24114b6f&amp;data=04%7C01%7CSaloni.Jain%40kpit.com%7Cc0eb760c9294406e526908d87b59bc9e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637394972685079284%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=5q%2Fn7v%2FX3qWC1nJ0S71bw2Gup0i%2BvXc5mE137Da1h3c%3D&amp;reserved=0
> 7. CVE-2009-5155
> Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecurity-tracker.debian.org%2Ftracker%2FCVE-2009-5155&amp;data=04%7C01%7CSaloni.Jain%40kpit.com%7Cc0eb760c9294406e526908d87b59bc9e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637394972685079284%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=d1P%2FaygR2vwPB6EGEL8sbS6oGgdo%2B%2FSpX8c8bg4V%2Fwk%3D&amp;reserved=0
> Link: https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsourceware.org%2Fgit%2Fgitweb.cgi%3Fp%3Dglibc.git%3Bh%3Deb04c21373e2a2885f3d52ff192b0499afe3c672&amp;data=04%7C01%7CSaloni.Jain%40kpit.com%7Cc0eb760c9294406e526908d87b59bc9e%7C3539451eb46e4a26a242ff61502855c7%7C0%7C0%7C637394972685079284%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=JtL75iWYZPIs1B%2FPK5hqM7RDeTNf1YI7Yg6tvK4Gv%2F0%3D&amp;reserved=0
>

Thanks for doing this. Looks ok to me.

> Upstream-Status: Pending

we do not need upstream status to metadata patches but to actual
components which needs to be tracked for upstream submission etc.
so please remove it here.

> Signed-off-by: Saloni.Jain <Saloni.Jain@kpit.com>
> ---
>  meta/recipes-core/glibc/glibc_2.32.bb | 19 ++++++++++++++++++-
>  1 file changed, 18 insertions(+), 1 deletion(-)
>
> diff --git a/meta/recipes-core/glibc/glibc_2.32.bb b/meta/recipes-core/glibc/glibc_2.32.bb
> index 2a0e464..7c56f6b 100644
> --- a/meta/recipes-core/glibc/glibc_2.32.bb
> +++ b/meta/recipes-core/glibc/glibc_2.32.bb
> @@ -1,7 +1,24 @@
>  require glibc.inc
>  require glibc-version.inc
>
> -CVE_CHECK_WHITELIST += "CVE-2020-10029"
> +#As confirmed by Upstream Community below patches are not considered security threats, hence whitelisted.
> +CVE_CHECK_WHITELIST += "\
> +    CVE-2019-1010022 \
> +    CVE-2019-1010023 \
> +    CVE-2019-1010024 \
> +    CVE-2019-1010025 \
> +"
> +#Changes are already present in source-code, hence whitelisted.
> +CVE_CHECK_WHITELIST += "\
> +    CVE-2009-5155 \
> +    CVE-2016-10739 \
> +    CVE-2020-10029 \
> +    CVE-2015-8985 \
> +    CVE-2020-6096 \
> +    CVE-2016-10228 \
> +    CVE-2020-1751 \
> +    CVE-2020-1752 \
> +"
>
>  DEPENDS += "gperf-native bison-native make-native"
>
> --
> 2.7.4
>
> This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

[-- Attachment #2: Type: text/html, Size: 20284 bytes --]

Re: [OE-core] [poky][master][PATCH] glibc: Added and whitelisted CVE patches

[Steve Sakoman]

On Wed, Oct 28, 2020 at 5:24 AM saloni <saloni.jain@kpit.com> wrote:
>
> From: Saloni Jain <Saloni.Jain@kpit.com>
>
> Below CVE patches are whitelisted as not considered
> as security threats by Upstream Community:
> 1. CVE-2019-1010022
> Link: https://security-tracker.debian.org/tracker/CVE-2019-1010022
> 2. CVE-2019-1010023
> Link: https://security-tracker.debian.org/tracker/CVE-2019-1010023
> 3. CVE-2019-1010024
> Link: https://security-tracker.debian.org/tracker/CVE-2019-1010024
> 4. CVE-2019-1010025
> Link: https://security-tracker.debian.org/tracker/CVE-2019-1010025

The above looks good to me.

> Below CVE patches are whitelisted as the changes are
> already present in the source-code:
> 1. CVE-2020-1751
> Link: https://security-tracker.debian.org/tracker/CVE-2020-1751
> 2. CVE-2020-1752
> Link: https://security-tracker.debian.org/tracker/CVE-2020-1752
> 3. CVE-2020-6096
> Link: https://security-tracker.debian.org/tracker/CVE-2020-6096
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=1820331
> 4. CVE-2015-8985
> Link: https://security-tracker.debian.org/tracker/CVE-2015-8985
> Link: https://sourceware.org/git/?p=glibc.git;a=patch;h=eb04c21373e2a2885f3d52ff192b0499afe3c672
> 5. CVE-2016-10739
> Link: https://security-tracker.debian.org/tracker/CVE-2016-10739
> Link: https://sourceware.org/git/?p=glibc.git;a=patch;h=108bc4049f8ae82710aec26a92ffdb4b439c83fd
> 6. CVE-2020-10029
> Link: https://security-tracker.debian.org/tracker/CVE-2020-10029
> Link: https://sourceware.org/git/?p=glibc.git;a=patch;h=9333498794cde1d5cca518badf79533a24114b6f
> 7. CVE-2009-5155
> Link: https://security-tracker.debian.org/tracker/CVE-2009-5155
> Link: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eb04c21373e2a2885f3d52ff192b0499afe3c672

There is no need for this second category, these CVE's do not show up
in a CVE check for master:

https://lists.yoctoproject.org/g/yocto-security/topic/oe_core_cve_metrics_for/76221269?p=,,,20,0,0,0::recentpostdate%2Fsticky,,,20,2,0,76221269

Please send a v2 with the above CVE's removed.

> Upstream-Status: Pending

You can remove the above in v2 also

Thanks for helping with CVE's!

Steve

> Signed-off-by: Saloni.Jain <Saloni.Jain@kpit.com>
> ---
>  meta/recipes-core/glibc/glibc_2.32.bb | 19 ++++++++++++++++++-
>  1 file changed, 18 insertions(+), 1 deletion(-)
>
> diff --git a/meta/recipes-core/glibc/glibc_2.32.bb b/meta/recipes-core/glibc/glibc_2.32.bb
> index 2a0e464..7c56f6b 100644
> --- a/meta/recipes-core/glibc/glibc_2.32.bb
> +++ b/meta/recipes-core/glibc/glibc_2.32.bb
> @@ -1,7 +1,24 @@
>  require glibc.inc
>  require glibc-version.inc
>
> -CVE_CHECK_WHITELIST += "CVE-2020-10029"
> +#As confirmed by Upstream Community below patches are not considered security threats, hence whitelisted.
> +CVE_CHECK_WHITELIST += "\
> +    CVE-2019-1010022 \
> +    CVE-2019-1010023 \
> +    CVE-2019-1010024 \
> +    CVE-2019-1010025 \
> +"
> +#Changes are already present in source-code, hence whitelisted.
> +CVE_CHECK_WHITELIST += "\
> +    CVE-2009-5155 \
> +    CVE-2016-10739 \
> +    CVE-2020-10029 \
> +    CVE-2015-8985 \
> +    CVE-2020-6096 \
> +    CVE-2016-10228 \
> +    CVE-2020-1751 \
> +    CVE-2020-1752 \
> +"
>
>  DEPENDS += "gperf-native bison-native make-native"
>
> --
> 2.7.4
>
> This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.
>
> 
>