From: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: rwmacleod@gmail.com, umesh.kalappa0@gmail.com,
pgowda.cve@gmail.com, shivams@gmail.com
Subject: [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list
Date: Sun, 2 Apr 2023 20:58:36 +0530 [thread overview]
Message-ID: <20230402152836.9157-1-sundeep.kokkonda@gmail.com> (raw)
This cve (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security vulnirability when using cargo ssh.
Kirkstone doesn't support rust on-target images and the bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh.
So, cargo-native also not vulnerable to this cve and so added to excluded list.
Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@windriver.com>
---
| 5 +++++
1 file changed, 5 insertions(+)
--git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 8b5f8d49b8..cb2d920441 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -15,6 +15,11 @@
# the aim of sharing that work and ensuring we don't duplicate it.
#
+#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176
+#cargo security advisor https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
+#This CVE is a security issue when using cargo ssh. In kirkstone, rust 1.59.0 is used and the rust on-target is not supported, so the target images are not vulnerable to the cve.
+#The bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh. So, the cargo-native are also not vulnerable to this cve and so added to excluded list.
+CVE_CHECK_IGNORE += "CVE-2022-46176"
# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
# CVE is more than 20 years old with no resolution evident
--
2.34.1
next reply other threads:[~2023-04-02 15:29 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-02 15:28 Sundeep KOKKONDA [this message]
2023-04-03 10:46 ` [OE-core] [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list Richard Purdie
2023-04-18 11:46 ` Kokkonda, Sundeep
2023-04-18 13:59 ` Steve Sakoman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230402152836.9157-1-sundeep.kokkonda@gmail.com \
--to=sundeep.kokkonda@gmail.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=pgowda.cve@gmail.com \
--cc=rwmacleod@gmail.com \
--cc=shivams@gmail.com \
--cc=umesh.kalappa0@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox