From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: Sundeep KOKKONDA <sundeep.kokkonda@gmail.com>,
openembedded-core@lists.openembedded.org
Cc: rwmacleod@gmail.com, umesh.kalappa0@gmail.com,
pgowda.cve@gmail.com, shivams@gmail.com
Subject: Re: [OE-core] [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list
Date: Mon, 03 Apr 2023 11:46:31 +0100 [thread overview]
Message-ID: <62ee9047a3d7ed89e44fc7d5e2c9c1d3e2c80595.camel@linuxfoundation.org> (raw)
In-Reply-To: <20230402152836.9157-1-sundeep.kokkonda@gmail.com>
On Sun, 2023-04-02 at 20:58 +0530, Sundeep KOKKONDA wrote:
> This cve (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security vulnirability when using cargo ssh.
> Kirkstone doesn't support rust on-target images and the bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh.
> So, cargo-native also not vulnerable to this cve and so added to excluded list.
>
> Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@windriver.com>
> ---
> meta/conf/distro/include/cve-extra-exclusions.inc | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
> index 8b5f8d49b8..cb2d920441 100644
> --- a/meta/conf/distro/include/cve-extra-exclusions.inc
> +++ b/meta/conf/distro/include/cve-extra-exclusions.inc
> @@ -15,6 +15,11 @@
> # the aim of sharing that work and ensuring we don't duplicate it.
> #
>
> +#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176
> +#cargo security advisor https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
> +#This CVE is a security issue when using cargo ssh. In kirkstone, rust 1.59.0 is used and the rust on-target is not supported, so the target images are not vulnerable to the cve.
> +#The bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh. So, the cargo-native are also not vulnerable to this cve and so added to excluded list.
> +CVE_CHECK_IGNORE += "CVE-2022-46176"
>
> # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
> # CVE is more than 20 years old with no resolution evident
Since I've been following the discussion on this one:
Acked-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Cheers,
Richard
next prev parent reply other threads:[~2023-04-03 10:46 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-02 15:28 [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list Sundeep KOKKONDA
2023-04-03 10:46 ` Richard Purdie [this message]
2023-04-18 11:46 ` [OE-core] " Kokkonda, Sundeep
2023-04-18 13:59 ` Steve Sakoman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=62ee9047a3d7ed89e44fc7d5e2c9c1d3e2c80595.camel@linuxfoundation.org \
--to=richard.purdie@linuxfoundation.org \
--cc=openembedded-core@lists.openembedded.org \
--cc=pgowda.cve@gmail.com \
--cc=rwmacleod@gmail.com \
--cc=shivams@gmail.com \
--cc=sundeep.kokkonda@gmail.com \
--cc=umesh.kalappa0@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox