* [OE-core][PATCH V2 1/2] ovmf: set CVE_PRODUCT and CVE_VERSION
@ 2024-04-06 4:41 Qi.Chen
2024-04-06 4:41 ` [OE-core][PATCH V2 2/2] ovmf: set CVE_STATUS for CVE-2014-8271 Qi.Chen
2024-04-08 9:59 ` [OE-core][PATCH V2 1/2] ovmf: set CVE_PRODUCT and CVE_VERSION Alexandre Belloni
0 siblings, 2 replies; 4+ messages in thread
From: Qi.Chen @ 2024-04-06 4:41 UTC (permalink / raw)
To: openembedded-core
From: Chen Qi <Qi.Chen@windriver.com>
Set CVE_PRODUCT and CVE_VERSION for ovmf. NVD uses 'edk2' and the
version should be the date only. Here's an example:
https://nvd.nist.gov/vuln/detail/CVE-2023-45232
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
meta/recipes-core/ovmf/ovmf_git.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 3dc031d3b6..5b1353b8e8 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -30,6 +30,9 @@ PV = "edk2-stable202308"
SRCREV = "819cfc6b42a68790a23509e4fcc58ceb70e1965e"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>edk2-stable.*)"
+CVE_PRODUCT = "edk2"
+CVE_VERSION = "${@d.getVar('PV').split('stable')[1]}"
+
inherit deploy
PARALLEL_MAKE = ""
--
2.34.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [OE-core][PATCH V2 2/2] ovmf: set CVE_STATUS for CVE-2014-8271
2024-04-06 4:41 [OE-core][PATCH V2 1/2] ovmf: set CVE_PRODUCT and CVE_VERSION Qi.Chen
@ 2024-04-06 4:41 ` Qi.Chen
2024-04-08 9:59 ` [OE-core][PATCH V2 1/2] ovmf: set CVE_PRODUCT and CVE_VERSION Alexandre Belloni
1 sibling, 0 replies; 4+ messages in thread
From: Qi.Chen @ 2024-04-06 4:41 UTC (permalink / raw)
To: openembedded-core
From: Chen Qi <Qi.Chen@windriver.com>
CVE-2014-8271 has an unusual versioning, svn_16280, which breaks
the version comparison and gives us warning like below:
Failed to compare 202308 < svn_16280 for CVE-2014-8271
The fix has been there since 2014, our current version has included
the fix.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
meta/recipes-core/ovmf/ovmf_git.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
index 5b1353b8e8..f98cec8035 100644
--- a/meta/recipes-core/ovmf/ovmf_git.bb
+++ b/meta/recipes-core/ovmf/ovmf_git.bb
@@ -33,6 +33,8 @@ UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>edk2-stable.*)"
CVE_PRODUCT = "edk2"
CVE_VERSION = "${@d.getVar('PV').split('stable')[1]}"
+CVE_STATUS[CVE-2014-8271] = "fixed-version: Fixed in svn_16280, which is an unusual versioning breaking version comparison."
+
inherit deploy
PARALLEL_MAKE = ""
--
2.34.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [OE-core][PATCH V2 1/2] ovmf: set CVE_PRODUCT and CVE_VERSION
2024-04-06 4:41 [OE-core][PATCH V2 1/2] ovmf: set CVE_PRODUCT and CVE_VERSION Qi.Chen
2024-04-06 4:41 ` [OE-core][PATCH V2 2/2] ovmf: set CVE_STATUS for CVE-2014-8271 Qi.Chen
@ 2024-04-08 9:59 ` Alexandre Belloni
2024-04-08 9:59 ` Alexandre Belloni
1 sibling, 1 reply; 4+ messages in thread
From: Alexandre Belloni @ 2024-04-08 9:59 UTC (permalink / raw)
To: Qi.Chen; +Cc: openembedded-core
Since this merged, we have:
WARNING: ovmf-native-edk2-stable202308-r0 do_cve_check: edk2: Failed to compare 202308 < svn_16280 for CVE-2014-8271
On 06/04/2024 12:41:28+0800, Chen Qi via lists.openembedded.org wrote:
> From: Chen Qi <Qi.Chen@windriver.com>
>
> Set CVE_PRODUCT and CVE_VERSION for ovmf. NVD uses 'edk2' and the
> version should be the date only. Here's an example:
> https://nvd.nist.gov/vuln/detail/CVE-2023-45232
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
> meta/recipes-core/ovmf/ovmf_git.bb | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
> index 3dc031d3b6..5b1353b8e8 100644
> --- a/meta/recipes-core/ovmf/ovmf_git.bb
> +++ b/meta/recipes-core/ovmf/ovmf_git.bb
> @@ -30,6 +30,9 @@ PV = "edk2-stable202308"
> SRCREV = "819cfc6b42a68790a23509e4fcc58ceb70e1965e"
> UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>edk2-stable.*)"
>
> +CVE_PRODUCT = "edk2"
> +CVE_VERSION = "${@d.getVar('PV').split('stable')[1]}"
> +
> inherit deploy
>
> PARALLEL_MAKE = ""
> --
> 2.34.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#197989): https://lists.openembedded.org/g/openembedded-core/message/197989
> Mute This Topic: https://lists.openembedded.org/mt/105362148/3617179
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alexandre.belloni@bootlin.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
--
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [OE-core][PATCH V2 1/2] ovmf: set CVE_PRODUCT and CVE_VERSION
2024-04-08 9:59 ` [OE-core][PATCH V2 1/2] ovmf: set CVE_PRODUCT and CVE_VERSION Alexandre Belloni
@ 2024-04-08 9:59 ` Alexandre Belloni
0 siblings, 0 replies; 4+ messages in thread
From: Alexandre Belloni @ 2024-04-08 9:59 UTC (permalink / raw)
To: Qi.Chen; +Cc: openembedded-core
On 08/04/2024 11:59:04+0200, Alexandre Belloni wrote:
> Since this merged, we have:
>
> WARNING: ovmf-native-edk2-stable202308-r0 do_cve_check: edk2: Failed to compare 202308 < svn_16280 for CVE-2014-8271
This is because the second patch wasn't merged
>
> On 06/04/2024 12:41:28+0800, Chen Qi via lists.openembedded.org wrote:
> > From: Chen Qi <Qi.Chen@windriver.com>
> >
> > Set CVE_PRODUCT and CVE_VERSION for ovmf. NVD uses 'edk2' and the
> > version should be the date only. Here's an example:
> > https://nvd.nist.gov/vuln/detail/CVE-2023-45232
> >
> > Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> > ---
> > meta/recipes-core/ovmf/ovmf_git.bb | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/meta/recipes-core/ovmf/ovmf_git.bb b/meta/recipes-core/ovmf/ovmf_git.bb
> > index 3dc031d3b6..5b1353b8e8 100644
> > --- a/meta/recipes-core/ovmf/ovmf_git.bb
> > +++ b/meta/recipes-core/ovmf/ovmf_git.bb
> > @@ -30,6 +30,9 @@ PV = "edk2-stable202308"
> > SRCREV = "819cfc6b42a68790a23509e4fcc58ceb70e1965e"
> > UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>edk2-stable.*)"
> >
> > +CVE_PRODUCT = "edk2"
> > +CVE_VERSION = "${@d.getVar('PV').split('stable')[1]}"
> > +
> > inherit deploy
> >
> > PARALLEL_MAKE = ""
> > --
> > 2.34.1
> >
>
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#197989): https://lists.openembedded.org/g/openembedded-core/message/197989
> > Mute This Topic: https://lists.openembedded.org/mt/105362148/3617179
> > Group Owner: openembedded-core+owner@lists.openembedded.org
> > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alexandre.belloni@bootlin.com]
> > -=-=-=-=-=-=-=-=-=-=-=-
> >
>
>
> --
> Alexandre Belloni, co-owner and COO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
--
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-04-08 9:59 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-04-06 4:41 [OE-core][PATCH V2 1/2] ovmf: set CVE_PRODUCT and CVE_VERSION Qi.Chen
2024-04-06 4:41 ` [OE-core][PATCH V2 2/2] ovmf: set CVE_STATUS for CVE-2014-8271 Qi.Chen
2024-04-08 9:59 ` [OE-core][PATCH V2 1/2] ovmf: set CVE_PRODUCT and CVE_VERSION Alexandre Belloni
2024-04-08 9:59 ` Alexandre Belloni
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox