public inbox for openembedded-core@lists.openembedded.org
From: Randy MacLeod <randy.macleod@windriver.com>
To: Steve Sakoman <steve@sakoman.com>
Cc: openembedded-core@lists.openembedded.org,
	Yogita.Urade@windriver.com, Kang Kai <kai.kang@windriver.com>
Subject: Re: [OE-core][mickledore 02/26] dmidecode: fix CVE-2023-30630
Date: Thu, 20 Jul 2023 19:28:45 -0400	[thread overview]
Message-ID: <4d240a0a-1697-d96c-0272-5a465d693e02@windriver.com> (raw)
In-Reply-To: <CAOSpxdapbZZQgtt8JKJUr9qhSWT3Z0h4tFG9TCpx4RK+FFL3pA@mail.gmail.com>


On 2023-07-18 18:32, Steve Sakoman wrote:
> On Tue, Jul 18, 2023 at 11:49 AM Randy MacLeod <randy.macleod@windriver.com> wrote:
>> Add Kai,
>>
>> On 2023-07-14 18:32, Steve Sakoman via lists.openembedded.org wrote:
>>
>> From: Yogita Urade <yogita.urade@windriver.com>
>>
>> Dmidecode before 3.5 allows --dump-bin to overwrite a local file.
>> This has security relevance because, for example, execution of
>> Dmidecode via Sudo is plausible.
>>
>> References:
>> https://nvd.nist.gov/vuln/detail/CVE-2023-30630
>> https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00016.html
>> https://lists.nongnu.org/archive/html/dmidecode-devel/2023-04/msg00017.html
>>
>> Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
>> Signed-off-by: Steve Sakoman <steve@sakoman.com>
>> ---
>>   .../dmidecode/CVE-2023-30630_1.patch          | 237 ++++++++++++++++++
>>   .../dmidecode/CVE-2023-30630_2.patch          |  81 ++++++
>>   .../dmidecode/CVE-2023-30630_3.patch          |  69 +++++
>>   .../dmidecode/CVE-2023-30630_4.patch          | 137 ++++++++++
>>
>>
>> Summary:
>>
>>      I think this can merge but we should agree on how to handle dmidecode.
>>
>>
>> Details:
>>
>> These changes work, but it's bringing back 4 patches rather than bumping the version to 3.5
>> and picking up 2 patches. My conclusion is that it's okay, but we should probably talk
>> about how to maintain dmidecode. Since it just produces a bunch of programs for dumping
>> HW DMI/SMBIOS info and doesn't provide a runtime ABI, we can probably update to 3.5
>> (or even 3.6 when that's out).
>>
>> Do you agree Steve?
> You'll always get the same answer from me: no version bumps that
> implement new features/apis.  Bug/security fixes only.
>
> If there is a strong case to be made for something outside this
> policy, it should go to the TSC for consideration.
>
> I don't want our stable branches to start resembling the kernel
> "stable" branches ...
>
> So, yes, I think we should merge this patch rather than version bump :-)
>
> Steve

Fine with me!

<snip>


There is no change to this commit and it will be merged so
read on only if you are interested in dmidecode maintenance and
my motivations in causing this bit of noise on the list. ;-)


I checked with the dmidecode upstream (1) about their versioning scheme and
if they have considered having a structured release numbering scheme and
even a stable branch.

They said they increment versions at will and don't have a stable branch
other than the latest release. As Richard and Steve have said, we should be
more conservative, and if we find that anyone needs the additional hardware
support that I was hoping to pick up, we can back-port patches.

Sorry for the noise,

../Randy


1) https://lists.nongnu.org/archive/html/dmidecode-devel/2023-07/msg00006.html

-- 
# Randy MacLeod
# Wind River Linux
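An added illustration of the file-overwrite class the CVE text above describes, written for this archive and not taken from dmidecode's source or from the four patches in the series: a "before" writer that opens the dump path with fopen("wb"), which truncates whatever is already there (a symlink planted by the invoking user included), next to a create-only writer using O_CREAT|O_EXCL|O_NOFOLLOW. The hardened variant is the general create-only idiom and is assumed to resemble, not reproduce, upstream's change; the victim file, the /tmp paths and the four-byte "_SM_" payload are constructed fixtures for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for a dump payload: the 4-byte "_SM_" SMBIOS entry-point
 * anchor. Only its length matters for the demonstration below. */
static const unsigned char DUMP[] = { '_', 'S', 'M', '_' };

/* Pre-3.5 style writer: fopen(path, "wb") truncates whatever already sits at
 * path, follows a symlink planted there, and never reports that the file
 * existed. Run under sudo, that is an arbitrary-file clobber for the caller. */
int dump_bin_overwrite(const char *path, const unsigned char *buf, size_t len)
{
    FILE *f = fopen(path, "wb");
    if (f == NULL)
        return -1;
    size_t n = fwrite(buf, 1, len, f);
    if (fclose(f) != 0)
        return -1;
    return n == len ? 0 : -1;
}

/* Hardened writer (general create-only idiom, assumed rather than copied from
 * upstream): O_EXCL makes open() fail with EEXIST if anything is already at
 * path, O_NOFOLLOW refuses a symlink in the final component, and 0600 keeps
 * the dump owner-readable only. errno from a failed open is left for the caller. */
int dump_bin_create_only(const char *path, const unsigned char *buf, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, buf, len);
    if (close(fd) != 0)
        return -1;
    return (n >= 0 && (size_t)n == len) ? 0 : -1;
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1L;
}

/* Constructed fixture: a 16-byte "victim" file that exists before the tool
 * runs; path_out receives its name. */
static int make_victim(char *path_out, size_t cap)
{
    char tmpl[] = "/tmp/dmi-victim-XXXXXX";
    static const char contents[] = "victim contents\n";   /* 16 bytes */
    int fd = mkstemp(tmpl);
    if (fd < 0 || strlen(tmpl) >= cap)
        return -1;
    if (write(fd, contents, 16) != 16) { close(fd); unlink(tmpl); return -1; }
    close(fd);
    strcpy(path_out, tmpl);
    return 0;
}

/* Returns 1 when the "before" writer silently replaced the existing file. */
int scenario_overwrite_clobbers(void)
{
    char path[64];
    if (make_victim(path, sizeof path) != 0)
        return -1;
    int rc = dump_bin_overwrite(path, DUMP, sizeof DUMP);
    long size = file_size(path);
    unlink(path);
    return (rc == 0 && size == (long)sizeof DUMP) ? 1 : 0;
}

/* Returns 1 when the hardened writer refuses the existing file (EEXIST, the
 * 16 bytes intact) and still succeeds once the path is free. */
int scenario_create_only_refuses(void)
{
    char path[64];
    if (make_victim(path, sizeof path) != 0)
        return -1;
    int rc = dump_bin_create_only(path, DUMP, sizeof DUMP);
    int err = errno;
    long size_after_refusal = file_size(path);
    unlink(path);                      /* path is now free: a fresh dump must work */
    int rc2 = dump_bin_create_only(path, DUMP, sizeof DUMP);
    long size_new = file_size(path);
    unlink(path);
    return (rc == -1 && err == EEXIST && size_after_refusal == 16 &&
            rc2 == 0 && size_new == (long)sizeof DUMP) ? 1 : 0;
}

int main(void)
{
    printf("fopen(\"wb\") clobbered the existing file: %s\n",
           scenario_overwrite_clobbers() == 1 ? "yes" : "no");
    printf("O_CREAT|O_EXCL refused the existing file: %s\n",
           scenario_create_only_refuses() == 1 ? "yes" : "no");
    return 0;
}
```

The check a practitioner wants before shipping the back-ported patches is the second scenario: an existing file at the --dump-bin path must make the tool fail with EEXIST and leave the file untouched, while a free path still receives the dump.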

