[kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list

public inbox for openembedded-core@lists.openembedded.org
 help / color / mirror / Atom feed

* [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list
@ 2023-04-02 15:28 Sundeep KOKKONDA
  2023-04-03 10:46 ` [OE-core] " Richard Purdie
  2023-04-18 11:46 ` Kokkonda, Sundeep
  0 siblings, 2 replies; 4+ messages in thread
From: Sundeep KOKKONDA @ 2023-04-02 15:28 UTC (permalink / raw)
  To: openembedded-core; +Cc: rwmacleod, umesh.kalappa0, pgowda.cve, shivams

This cve (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security vulnirability when using cargo ssh.
Kirkstone doesn't support rust on-target images and the bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh.
So, cargo-native also not vulnerable to this cve and so added to excluded list.

Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@windriver.com>
---
 meta/conf/distro/include/cve-extra-exclusions.inc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 8b5f8d49b8..cb2d920441 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -15,6 +15,11 @@
 # the aim of sharing that work and ensuring we don't duplicate it.
 #
 
+#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176
+#cargo security advisor https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
+#This CVE is a security issue when using cargo ssh. In kirkstone, rust 1.59.0 is used and the rust on-target is not supported, so the target images are not vulnerable to the cve.
+#The bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh. So, the cargo-native are also not vulnerable to this cve and so added to excluded list.
+CVE_CHECK_IGNORE += "CVE-2022-46176"
 
 # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
 # CVE is more than 20 years old with no resolution evident
-- 
2.34.1



^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [OE-core] [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list
  2023-04-02 15:28 [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list Sundeep KOKKONDA
@ 2023-04-03 10:46 ` Richard Purdie
  2023-04-18 11:46 ` Kokkonda, Sundeep
  1 sibling, 0 replies; 4+ messages in thread
From: Richard Purdie @ 2023-04-03 10:46 UTC (permalink / raw)
  To: Sundeep KOKKONDA, openembedded-core
  Cc: rwmacleod, umesh.kalappa0, pgowda.cve, shivams

On Sun, 2023-04-02 at 20:58 +0530, Sundeep KOKKONDA wrote:
> This cve (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security vulnirability when using cargo ssh.
> Kirkstone doesn't support rust on-target images and the bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh.
> So, cargo-native also not vulnerable to this cve and so added to excluded list.
> 
> Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@windriver.com>
> ---
>  meta/conf/distro/include/cve-extra-exclusions.inc | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
> index 8b5f8d49b8..cb2d920441 100644
> --- a/meta/conf/distro/include/cve-extra-exclusions.inc
> +++ b/meta/conf/distro/include/cve-extra-exclusions.inc
> @@ -15,6 +15,11 @@
>  # the aim of sharing that work and ensuring we don't duplicate it.
>  #
>  
> +#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176
> +#cargo security advisor https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
> +#This CVE is a security issue when using cargo ssh. In kirkstone, rust 1.59.0 is used and the rust on-target is not supported, so the target images are not vulnerable to the cve.
> +#The bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh. So, the cargo-native are also not vulnerable to this cve and so added to excluded list.
> +CVE_CHECK_IGNORE += "CVE-2022-46176"
>  
>  # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
>  # CVE is more than 20 years old with no resolution evident

Since I've been following the discussion on this one:

Acked-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Cheers,

Richard




^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [OE-core] [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list
  2023-04-02 15:28 [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list Sundeep KOKKONDA
  2023-04-03 10:46 ` [OE-core] " Richard Purdie
@ 2023-04-18 11:46 ` Kokkonda, Sundeep
  2023-04-18 13:59   ` Steve Sakoman
  1 sibling, 1 reply; 4+ messages in thread
From: Kokkonda, Sundeep @ 2023-04-18 11:46 UTC (permalink / raw)
  To: steve@sakoman.com; +Cc: OE-core

[-- Attachment #1: Type: text/plain, Size: 2461 bytes --]

Hello Steve,

When this patch is planned to take into Kirkstone?

Thanks,
Sundeep K.
________________________________
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> on behalf of Sundeep KOKKONDA via lists.openembedded.org <sundeep.kokkonda=gmail.com@lists.openembedded.org>
Sent: 02 April 2023 20:58
To: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
Cc: rwmacleod@gmail.com <rwmacleod@gmail.com>; umesh.kalappa0@gmail.com <umesh.kalappa0@gmail.com>; pgowda.cve@gmail.com <pgowda.cve@gmail.com>; shivams@gmail.com <shivams@gmail.com>
Subject: [OE-core] [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list

CAUTION: This email comes from a non Wind River email account!
Do not click links or open attachments unless you recognize the sender and know the content is safe.

This cve (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security vulnirability when using cargo ssh.
Kirkstone doesn't support rust on-target images and the bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh.
So, cargo-native also not vulnerable to this cve and so added to excluded list.

Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@windriver.com>
---
 meta/conf/distro/include/cve-extra-exclusions.inc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 8b5f8d49b8..cb2d920441 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -15,6 +15,11 @@
 # the aim of sharing that work and ensuring we don't duplicate it.
 #

+#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176
+#cargo security advisor https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
+#This CVE is a security issue when using cargo ssh. In kirkstone, rust 1.59.0 is used and the rust on-target is not supported, so the target images are not vulnerable to the cve.
+#The bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh. So, the cargo-native are also not vulnerable to this cve and so added to excluded list.
+CVE_CHECK_IGNORE += "CVE-2022-46176"

 # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
 # CVE is more than 20 years old with no resolution evident
--
2.34.1

[-- Attachment #2: Type: text/html, Size: 4946 bytes --]

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [OE-core] [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list
  2023-04-18 11:46 ` Kokkonda, Sundeep
@ 2023-04-18 13:59   ` Steve Sakoman
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Sakoman @ 2023-04-18 13:59 UTC (permalink / raw)
  To: Kokkonda, Sundeep; +Cc: OE-core

On Tue, Apr 18, 2023 at 1:46 AM Kokkonda, Sundeep
<Sundeep.Kokkonda@windriver.com> wrote:
>
> Hello Steve,
>
> When this patch is planned to take into Kirkstone?

It is in the set of patches being tested today.  So if all goes well
it should hit the kirkstone branch later this week.

Steve

> ________________________________
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> on behalf of Sundeep KOKKONDA via lists.openembedded.org <sundeep.kokkonda=gmail.com@lists.openembedded.org>
> Sent: 02 April 2023 20:58
> To: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
> Cc: rwmacleod@gmail.com <rwmacleod@gmail.com>; umesh.kalappa0@gmail.com <umesh.kalappa0@gmail.com>; pgowda.cve@gmail.com <pgowda.cve@gmail.com>; shivams@gmail.com <shivams@gmail.com>
> Subject: [OE-core] [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list
>
> CAUTION: This email comes from a non Wind River email account!
> Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> This cve (https://nvd.nist.gov/vuln/detail/CVE-2022-46176) is a security vulnirability when using cargo ssh.
> Kirkstone doesn't support rust on-target images and the bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh.
> So, cargo-native also not vulnerable to this cve and so added to excluded list.
>
> Signed-off-by: Sundeep KOKKONDA <sundeep.kokkonda@windriver.com>
> ---
>  meta/conf/distro/include/cve-extra-exclusions.inc | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
> index 8b5f8d49b8..cb2d920441 100644
> --- a/meta/conf/distro/include/cve-extra-exclusions.inc
> +++ b/meta/conf/distro/include/cve-extra-exclusions.inc
> @@ -15,6 +15,11 @@
>  # the aim of sharing that work and ensuring we don't duplicate it.
>  #
>
> +#cargo https://nvd.nist.gov/vuln/detail/CVE-2022-46176
> +#cargo security advisor https://blog.rust-lang.org/2023/01/10/cve-2022-46176.html
> +#This CVE is a security issue when using cargo ssh. In kirkstone, rust 1.59.0 is used and the rust on-target is not supported, so the target images are not vulnerable to the cve.
> +#The bitbake using the 'wget' (which uses 'https') for fetching the sources instead of ssh. So, the cargo-native are also not vulnerable to this cve and so added to excluded list.
> +CVE_CHECK_IGNORE += "CVE-2022-46176"
>
>  # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
>  # CVE is more than 20 years old with no resolution evident
> --
> 2.34.1
>


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2023-04-18 13:59 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-04-02 15:28 [kirkstone][PATCH] cargo : non vulnerable cve-2022-46176 added to excluded list Sundeep KOKKONDA
2023-04-03 10:46 ` [OE-core] " Richard Purdie
2023-04-18 11:46 ` Kokkonda, Sundeep
2023-04-18 13:59   ` Steve Sakoman

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox