* [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list
@ 2023-04-02 15:28 Sundeep KOKKONDA
2023-04-03 10:46 ` [OE-core] " Richard Purdie
2023-04-18 11:46 ` Kokkonda, Sundeep
0 siblings, 2 replies; 4+ messages in thread
From: Sundeep KOKKONDA @ 2023-04-02 15:28 UTC (permalink / raw)
To: openembedded-core; +Cc: rwmacleod, umesh.kalappa0, pgowda.cve, shivams
This CVE (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security vulnerability when using cargo ssh.
Kirkstone doesn't support rust on-target images, and bitbake uses 'wget' (which uses 'https') for fetching the sources instead of ssh.
So cargo-native is also not vulnerable to this CVE, and so it is added to the excluded list.
Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@windriver.com>
---
meta/conf/distro/include/cve-extra-exclusions.inc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 8b5f8d49b8..cb2d920441 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -15,6 +15,11 @@
# the aim of sharing that work and ensuring we don't duplicate it.
#
+#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176
+#cargo security advisor https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
+#This CVE is a security issue when using cargo ssh. In kirkstone, rust 1.59.0 is used and the rust on-target is not supported, so the target images are not vulnerable to the cve.
+#The bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh. So, the cargo-native are also not vulnerable to this cve and so added to excluded list.
+CVE_CHECK_IGNORE += "CVE-2022-46176"
# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
# CVE is more than 20 years old with no resolution evident
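Review bot: the new comment lines drop the space after `#` that every other entry in this file uses (compare the `# strace ...` and `# CVE is more than 20 years old ...` context lines directly below); please write them as `# cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176` and so on, and "security advisor" should read "security advisory". Since this include is global to the distro, `CVE_CHECK_IGNORE += "CVE-2022-46176"` silences the CVE for every recipe, not only cargo and cargo-native, so the rationale should also spell out what would invalidate it (kirkstone gaining rust on-target support, or any build fetching cargo git dependencies over ssh rather than via the https fetcher) so a later reviewer knows when the exclusion needs revisiting.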
--
2.34.1
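The value of an entry in cve-extra-exclusions.inc is that the ignore carries a reviewable justification next to it, which is what the comment lines in this patch provide. Below is a small audit script that checks exactly that property over a file of this shape. It is an added example, not code from the patch, from OE-core or from anyone in the thread; `parse_exclusions`, `unjustified` and the `SAMPLE` text are constructions of this example, and the sample is modelled on the hunk above plus a deliberately bare entry using placeholder ids.

```python
"""Audit the justification comments in a BitBake CVE exclusion include.

Added example, not part of the OE-core patch or of this thread.  It reads a
file shaped like meta/conf/distro/include/cve-extra-exclusions.inc, collects
every CVE listed in a CVE_CHECK_IGNORE += "..." assignment together with the
comment lines directly above it, and reports entries whose comment block does
not name the CVE and cite at least one reference URL.  SAMPLE is constructed
for this example (modelled on the patch's hunk plus a deliberately bare entry).
"""
import re
from dataclasses import dataclass, field

CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")
IGNORE_RE = re.compile(r'^CVE_CHECK_IGNORE\s*\+=\s*"([^"]*)"$')
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Exclusion:
    cve: str
    line_no: int
    comments: list = field(default_factory=list)

    @property
    def references(self):
        """Every URL cited in the comment block above the assignment."""
        return [u for c in self.comments for u in URL_RE.findall(c)]

    @property
    def justified(self):
        """Justified means: the block cites a link and mentions this CVE id."""
        return bool(self.references) and any(self.cve in c for c in self.comments)


def parse_exclusions(text):
    """Return one Exclusion per ignored CVE, in file order.

    A comment block is the run of '#' lines immediately above the assignment;
    a blank line or any other statement ends the block, so a rationale that is
    separated from its assignment by a blank line is (correctly) not counted.
    """
    pending, found = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            pending.append(line.lstrip("#").strip())
            continue
        m = IGNORE_RE.match(line)
        if m:
            for cve in m.group(1).split():
                if not CVE_ID_RE.fullmatch(cve):
                    raise ValueError(f"line {n}: malformed CVE id {cve!r}")
                found.append(Exclusion(cve, n, list(pending)))
        pending = []  # any non-comment line closes the comment block
    return found


def unjustified(text):
    """CVE ids that are ignored without a reference link naming them."""
    return [e.cve for e in parse_exclusions(text) if not e.justified]


SAMPLE = """\
# Constructed sample for this example, shaped like cve-extra-exclusions.inc

#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176
#cargo security advisory https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
#This CVE is a security issue when using cargo ssh; kirkstone has no rust
#on-target and fetches sources over https, so cargo-native is not affected.
CVE_CHECK_IGNORE += "CVE-2022-46176"

# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
# CVE is more than 20 years old with no resolution evident
CVE_CHECK_IGNORE += "CVE-2000-0006"

# constructed defect: two placeholder ids ignored with no link and no rationale
CVE_CHECK_IGNORE += "CVE-2099-0001 CVE-2099-0002"
"""

if __name__ == "__main__":
    for e in parse_exclusions(SAMPLE):
        status = "ok" if e.justified else "NO JUSTIFICATION"
        print(f"line {e.line_no:3d} {e.cve:16s} {status} {e.references}")
```

Run against a real include by replacing `SAMPLE` with the file's contents; the check is deliberately strict about contiguity, so a rationale comment separated from its `CVE_CHECK_IGNORE` line by a blank line is flagged rather than silently credited to the wrong entry.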
* Re: [OE-core] [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list
From: Richard Purdie @ 2023-04-03 10:46 UTC (permalink / raw)
To: Sundeep KOKKONDA, openembedded-core
Cc: rwmacleod, umesh.kalappa0, pgowda.cve, shivams
On Sun, 2023-04-02 at 20:58 +0530, Sundeep KOKKONDA wrote:
> This CVE (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security vulnerability when using cargo ssh.
> Kirkstone doesn't support rust on-target images, and bitbake uses 'wget' (which uses 'https') for fetching the sources instead of ssh.
> So cargo-native is also not vulnerable to this CVE, and so it is added to the excluded list.
>
> Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@windriver.com>
> ---
> meta/conf/distro/include/cve-extra-exclusions.inc | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
> index 8b5f8d49b8..cb2d920441 100644
> --- a/meta/conf/distro/include/cve-extra-exclusions.inc
> +++ b/meta/conf/distro/include/cve-extra-exclusions.inc
> @@ -15,6 +15,11 @@
> # the aim of sharing that work and ensuring we don't duplicate it.
> #
>
> +#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176
> +#cargo security advisor https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
> +#This CVE is a security issue when using cargo ssh. In kirkstone, rust 1.59.0 is used and the rust on-target is not supported, so the target images are not vulnerable to the cve.
> +#The bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh. So, the cargo-native are also not vulnerable to this cve and so added to excluded list.
> +CVE_CHECK_IGNORE += "CVE-2022-46176"
>
> # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
> # CVE is more than 20 years old with no resolution evident
Since I've been following the discussion on this one:
Acked-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Cheers,
Richard
* Re: [OE-core] [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list
From: Kokkonda, Sundeep @ 2023-04-18 11:46 UTC (permalink / raw)
To: steve@sakoman.com; +Cc: OE-core
Hello Steve,
When is this patch planned to be taken into Kirkstone?
Thanks,
Sundeep K.
________________________________
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> on behalf of Sundeep KOKKONDA via lists.openembedded.org <sundeep.kokkonda=gmail.com@lists.openembedded.org>
Sent: 02 April 2023 20:58
To: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
Cc: rwmacleod@gmail.com <rwmacleod@gmail.com>; umesh.kalappa0@gmail.com <umesh.kalappa0@gmail.com>; pgowda.cve@gmail.com <pgowda.cve@gmail.com>; shivams@gmail.com <shivams@gmail.com>
Subject: [OE-core] [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list
This CVE (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security vulnerability when using cargo ssh.
Kirkstone doesn't support rust on-target images, and bitbake uses 'wget' (which uses 'https') for fetching the sources instead of ssh.
So cargo-native is also not vulnerable to this CVE, and so it is added to the excluded list.
Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@windriver.com>
---
meta/conf/distro/include/cve-extra-exclusions.inc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 8b5f8d49b8..cb2d920441 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -15,6 +15,11 @@
# the aim of sharing that work and ensuring we don't duplicate it.
#
+#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176
+#cargo security advisor https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
+#This CVE is a security issue when using cargo ssh. In kirkstone, rust 1.59.0 is used and the rust on-target is not supported, so the target images are not vulnerable to the cve.
+#The bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh. So, the cargo-native are also not vulnerable to this cve and so added to excluded list.
+CVE_CHECK_IGNORE += "CVE-2022-46176"
# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
# CVE is more than 20 years old with no resolution evident
--
2.34.1
* Re: [OE-core] [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list
From: Steve Sakoman @ 2023-04-18 13:59 UTC (permalink / raw)
To: Kokkonda, Sundeep; +Cc: OE-core
On Tue, Apr 18, 2023 at 1:46 AM Kokkonda, Sundeep
<Sundeep.Kokkonda@windriver.com> wrote:
>
> Hello Steve,
>
> When is this patch planned to be taken into Kirkstone?
It is in the set of patches being tested today. So if all goes well
it should hit the kirkstone branch later this week.
Steve
> ________________________________
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> on behalf of Sundeep KOKKONDA via lists.openembedded.org <sundeep.kokkonda=gmail.com@lists.openembedded.org>
> Sent: 02 April 2023 20:58
> To: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
> Cc: rwmacleod@gmail.com <rwmacleod@gmail.com>; umesh.kalappa0@gmail.com <umesh.kalappa0@gmail.com>; pgowda.cve@gmail.com <pgowda.cve@gmail.com>; shivams@gmail.com <shivams@gmail.com>
> Subject: [OE-core] [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list
>
>
> This CVE (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security vulnerability when using cargo ssh.
> Kirkstone doesn't support rust on-target images, and bitbake uses 'wget' (which uses 'https') for fetching the sources instead of ssh.
> So cargo-native is also not vulnerable to this CVE, and so it is added to the excluded list.
>
> Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@windriver.com>
> ---
> meta/conf/distro/include/cve-extra-exclusions.inc | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
> index 8b5f8d49b8..cb2d920441 100644
> --- a/meta/conf/distro/include/cve-extra-exclusions.inc
> +++ b/meta/conf/distro/include/cve-extra-exclusions.inc
> @@ -15,6 +15,11 @@
> # the aim of sharing that work and ensuring we don't duplicate it.
> #
>
> +#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176
> +#cargo security advisor https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
> +#This CVE is a security issue when using cargo ssh. In kirkstone, rust 1.59.0 is used and the rust on-target is not supported, so the target images are not vulnerable to the cve.
> +#The bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh. So, the cargo-native are also not vulnerable to this cve and so added to excluded list.
> +CVE_CHECK_IGNORE += "CVE-2022-46176"
>
> # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
> # CVE is more than 20 years old with no resolution evident
> --
> 2.34.1
>