public inbox for openembedded-core@lists.openembedded.org
* [poky][dunfell][PATCH] binutils: Whitelist CVEs
@ 2022-03-22 11:14 Sana Kazi
From: Sana Kazi @ 2022-03-22 11:14 UTC (permalink / raw)
  To: openembedded-core; +Cc: ranjitsinh.rathod, Sana Kazi

CVE-2020-16590 CVE-2020-16591 CVE-2020-16599 CVE-2021-20294 do
not affect binutils_2.34 and the contents of the patch are not
present in the source code. Therefore, whitelist them.

Links:
https://nvd.nist.gov/vuln/detail/CVE-2020-16590
https://nvd.nist.gov/vuln/detail/CVE-2020-16591
https://nvd.nist.gov/vuln/detail/CVE-2020-16599
https://nvd.nist.gov/vuln/detail/CVE-2021-20294

Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
Signed-off-by: Sana Kazi <sanakazisk19@gmail.com>
---
 meta/recipes-devtools/binutils/binutils-2.34.inc | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc
index 6a55de2d45..990c5fa8f1 100644
--- a/meta/recipes-devtools/binutils/binutils-2.34.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
@@ -54,3 +54,18 @@ SRC_URI = "\
      file://0001-CVE-2021-45078.patch \
 "
 S  = "${WORKDIR}/git"
+
+# CVE-2020-16590 CVE-2020-16591 CVE-2020-16599 CVE-2021-20294 does not affect
+# binutils_2.34 and the contents of the patch are not
+# present in the source code. Therefore, whitelist it.
+# https://nvd.nist.gov/vuln/detail/CVE-2020-16590
+# https://nvd.nist.gov/vuln/detail/CVE-2020-16591
+# https://nvd.nist.gov/vuln/detail/CVE-2020-16599
+# https://nvd.nist.gov/vuln/detail/CVE-2021-20294
+
+CVE_CHECK_WHITELIST += " \
+    CVE-2020-16590 \
+    CVE-2020-16591 \
+    CVE-2020-16599 \
+    CVE-2021-20294 \
+"
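Review bot: the justification in the added comment block (`+# CVE-2020-16590 CVE-2020-16591 CVE-2020-16599 CVE-2021-20294 does not affect` / `+# binutils_2.34 and the contents of the patch are not` / `+# present in the source code.`) cannot be re-verified later, because it names neither which upstream fix was compared against nor why the affected code is absent from 2.34, and it gives one reason for four ids that may not share it; record, per CVE, the upstream fix commit or the version that introduced the affected code. Since the mismatch is in the NVD version ranges rather than in this recipe, the comment should also say that an NVD correction has been requested and that the whitelist entries are to be dropped once the database is fixed, otherwise they will silently outlive the reason for them. Minor: "does not affect" / "whitelist it" should read "do not affect" / "whitelist them".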
-- 
2.17.1
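To make the mechanism behind this patch concrete, here is an added example that is not part of the patch, of cve-check, or of anything the thread's authors wrote. It re-implements, in plain Python, the two things a cve-check style scanner does: decide whether a recipe version falls inside an NVD cpe_match node (the JSON 1.1 field names versionStartIncluding, versionStartExcluding, versionEndIncluding, versionEndExcluding), and then apply the recipe's CVE_CHECK_WHITELIST on top. The NVD entries in SAMPLE_NVD are constructed to show an over-broad range producing a hit on 2.34 and a correct range staying silent; they do not reproduce the real NVD records for those ids. The status labels and the rule that whitelisting only matters for a CVE whose range actually matched are assumptions modelled on cve-check's report, and the version comparison handles dotted numeric versions only (cve-check itself uses bb.utils.vercmp_string_op).

```python
import re

# Subset of the NVD JSON 1.1 "cpe_match" fields that a cve-check style
# scanner consults when deciding whether a product version is affected.
RANGE_KEYS = ("versionStartIncluding", "versionStartExcluding",
              "versionEndIncluding", "versionEndExcluding")


def version_key(version):
    """Turn a dotted numeric version such as '2.34' or '2.35.1' into a tuple
    of ints so that 2.9 < 2.34 (plain string comparison gets this wrong).
    Simplification: non-numeric components such as 'rc1' are not handled."""
    return tuple(int(p) for p in version.split("."))


def cpe_version(cpe23uri):
    """Return the version field (index 5) of a cpe:2.3 URI.
    '*' or '-' mean 'not pinned'; the range fields then decide."""
    fields = cpe23uri.split(":")
    return fields[5] if len(fields) > 5 else "*"


def version_matches(version, match):
    """True if `version` is covered by one cpe_match node."""
    pinned = cpe_version(match["cpe23Uri"])
    if pinned not in ("*", "-"):
        return version_key(version) == version_key(pinned)
    v = version_key(version)
    if "versionStartIncluding" in match and v < version_key(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= version_key(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > version_key(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= version_key(match["versionEndExcluding"]):
        return False
    # Unpinned version and no bounds: NVD means "every version".
    return True


def affected(version, cpe_matches):
    """A CVE applies if any of its cpe_match nodes covers the version."""
    return any(version_matches(version, m) for m in cpe_matches)


def parse_whitelist(inc_text):
    """Collect CVE ids from CVE_CHECK_WHITELIST += " ... " assignments in a
    BitBake .inc file; backslash-newline continuations inside the quotes are
    part of the value, as in the patch above."""
    ids = set()
    for body in re.findall(r'CVE_CHECK_WHITELIST\s*\+=\s*"((?:[^"\\]|\\.)*)"', inc_text, re.S):
        ids.update(re.findall(r"CVE-\d{4}-\d{4,}", body))
    return ids


def triage(version, nvd_entries, whitelist):
    """Per-CVE status for the CVEs whose range covers `version` (assumption:
    status labels modelled on cve-check's summary). CVEs whose ranges do not
    match are not reported at all, whitelisted or not."""
    status = {}
    for cve_id, matches in nvd_entries.items():
        if not affected(version, matches):
            continue
        status[cve_id] = "Whitelisted" if cve_id in whitelist else "Unpatched"
    return status


# Constructed sample NVD entries (NOT the real NVD records for these ids).
# The first carries an over-broad range that also covers 2.34, the kind of
# database error the thread's reply refers to; the second starts above 2.34
# and is correctly silent.
SAMPLE_NVD = {
    "CVE-2020-16590": [{"cpe23Uri": "cpe:2.3:a:gnu:binutils:*:*:*:*:*:*:*:*",
                        "versionEndIncluding": "2.35"}],
    "CVE-2021-20294": [{"cpe23Uri": "cpe:2.3:a:gnu:binutils:*:*:*:*:*:*:*:*",
                        "versionStartIncluding": "2.35"}],
}

# Constructed recipe fragment with the same assignment shape as the patch.
RECIPE_INC = '''
CVE_CHECK_WHITELIST += " \\
    CVE-2020-16590 \\
    CVE-2020-16591 \\
    CVE-2020-16599 \\
    CVE-2021-20294 \\
"
'''

if __name__ == "__main__":
    whitelist = parse_whitelist(RECIPE_INC)
    print("without whitelist:", triage("2.34", SAMPLE_NVD, set()))
    print("with whitelist:   ", triage("2.34", SAMPLE_NVD, whitelist))
```

Run as-is, the first line reports the over-broad entry as Unpatched and the second reports it as Whitelisted; correcting the constructed range so that it starts above 2.34 makes the entry disappear from both reports, which is the outcome the reply on this thread prefers over a whitelist entry.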

* Re: [OE-core] [poky][dunfell][PATCH] binutils: Whitelist CVEs
@ 2022-03-22 14:59 ` Steve Sakoman
From: Steve Sakoman @ 2022-03-22 14:59 UTC (permalink / raw)
  To: sana kazi; +Cc: openembedded-core, ranjitsinh.rathod

On Tue, Mar 22, 2022 at 1:14 AM sana kazi <sanakazisk19@gmail.com> wrote:
>
> CVE-2020-16590 CVE-2020-16591 CVE-2020-16599 CVE-2021-20294 do
> not affect binutils_2.34 and the contents of the patch are not
> present in the source code. Therefore, whitelist them.

In this case there are errors in the upstream CVE database, so the
proper way to deal with this is to contact the database admin and
request fixes. We only whitelist if they don't make the change for
some reason and we are 100% sure our usage is not affected.

Fortunately I've already contacted them on these issues, so hopefully
database corrections will be made soon!

Thanks for helping out on CVEs!

Steve

>
> Links:
> https://nvd.nist.gov/vuln/detail/CVE-2020-16590
> https://nvd.nist.gov/vuln/detail/CVE-2020-16591
> https://nvd.nist.gov/vuln/detail/CVE-2020-16599
> https://nvd.nist.gov/vuln/detail/CVE-2021-20294
>
> Signed-off-by: Sana Kazi <Sana.Kazi@kpit.com>
> Signed-off-by: Sana Kazi <sanakazisk19@gmail.com>
> ---
>  meta/recipes-devtools/binutils/binutils-2.34.inc | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
>
> diff --git a/meta/recipes-devtools/binutils/binutils-2.34.inc b/meta/recipes-devtools/binutils/binutils-2.34.inc
> index 6a55de2d45..990c5fa8f1 100644
> --- a/meta/recipes-devtools/binutils/binutils-2.34.inc
> +++ b/meta/recipes-devtools/binutils/binutils-2.34.inc
> @@ -54,3 +54,18 @@ SRC_URI = "\
>       file://0001-CVE-2021-45078.patch \
>  "
>  S  = "${WORKDIR}/git"
> +
> +# CVE-2020-16590 CVE-2020-16591 CVE-2020-16599 CVE-2021-20294 does not affect
> +# binutils_2.34 and the contents of the patch are not
> +# present in the source code. Therefore, whitelist it.
> +# https://nvd.nist.gov/vuln/detail/CVE-2020-16590
> +# https://nvd.nist.gov/vuln/detail/CVE-2020-16591
> +# https://nvd.nist.gov/vuln/detail/CVE-2020-16599
> +# https://nvd.nist.gov/vuln/detail/CVE-2021-20294
> +
> +CVE_CHECK_WHITELIST += " \
> +    CVE-2020-16590 \
> +    CVE-2020-16591 \
> +    CVE-2020-16599 \
> +    CVE-2021-20294 \
> +"
> --
> 2.17.1
>
>
