Openembedded Core Discussions
From: Mark Hatle <mark.hatle@windriver.com>
To: Richard Purdie <richard.purdie@linuxfoundation.org>,
	openembedded-architecture
	<openembedded-architecture@lists.openembedded.org>,
	 openembedded-core <openembedded-core@lists.openembedded.org>
Subject: Re: [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)
Date: Mon, 19 Jun 2017 09:06:04 -0500	[thread overview]
Message-ID: <84e28d41-e2b9-0ba5-2bf3-49ee408da465@windriver.com> (raw)
In-Reply-To: <1497868738.24449.41.camel@linuxfoundation.org>

On 6/19/17 5:38 AM, Richard Purdie wrote:
> I suspect this has been missed by some people so I want to spell it
> out. We have our first CVE in OE-Core itself.
> 
> The issue is limited to binary ipks potentially exposing sensitive
> information through the "Source:" field which contained the full
> SRC_URI. Those urls could potentially contain sensitive information
> about servers and credentials.

Does any of the 'archiver' output include copies/versions of the full SRC_URI?
Same with the license management parts... (I don't think either do) but these
would be the places I'd think the SRC_URI might also be.

--Mark

> After discussion, I ended up changing the field to contain the recipe
> filename (no path). There was talk of filtering the urls however if you
> try, it becomes clear that sensitive elements can remain and no
> solution is likely 100% effective. The other package backends don't do
> this at all so this brings ipk more into line with them. Simply
> clearing the field doesn't work with the current opkg-utils. It can be
> changed but the change becomes more invasive.
> 
> This fix has been merged to master.
> 
> I also did take the decision to backport this change back to
> pyro/morty/krogoth too. I appreciate this can cause some disruption to
> people who rely on SRC_URI being in the Source: field however I
> couldn't see any other realistic way forward.
> 
> Cheers,
> 
> Richard
> _______________________________________________
> Openembedded-architecture mailing list
> Openembedded-architecture@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-architecture
> 



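A check for the exposure Richard and Mark describe, as an added example that is not part of this thread or of OE-Core's own tooling: it walks the stanzas of an ipk control/Packages file, pulls the SRC_URI entries out of the "Source:" field, flags URLs that carry userinfo, sensitive query parameters or internal hostnames, and then shows that stripping user:pass@ from the netloc still leaves tokens and server names behind, which is why filtering alone was rejected in favour of replacing the field. The control text, the hostnames and the credentials are constructed sample data; the "internal host" suffix list is an assumption you would replace with your own.

```python
"""
Added example, not from the OE-Core thread or project: scan ipk control
stanzas for SRC_URI leakage of the kind described in CVE-2017-9731.
All sample data below is constructed; the credential and token values are
invented and the internal-host heuristic is an assumption.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed ipk control data: "foo" carries a full SRC_URI in Source:,
# "bar" carries a harmless public URL.
SAMPLE_CONTROL = """\
Package: foo
Version: 1.0-r0
Architecture: core2-64
Source: git://build-user:hunter2@git.internal.example.com/foo.git;protocol=ssh;branch=master https://artifacts.internal.example.com/foo-1.0.tar.gz?token=abc123 file://0001-fix.patch
Description: constructed sample package

Package: bar
Version: 2.3-r1
Architecture: core2-64
Source: https://ftp.gnu.org/gnu/bar/bar-2.3.tar.gz
Description: constructed sample package
"""

# Assumed list of query keys that should never ship in package metadata.
SENSITIVE_QUERY_KEYS = {"token", "password", "passwd", "key", "apikey", "access_token"}
# Assumed markers of hosts that are internal to the build environment.
INTERNAL_HOST_SUFFIXES = (".internal.example.com", ".local", ".lan")


def parse_control(text):
    """Split a control/Packages file into one dict of fields per stanza."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # only the first ':' separates key and value
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas


def src_uri_entries(source_field):
    """SRC_URI is whitespace separated; each entry is url;param=value;... Keep the url."""
    return [entry.split(";")[0] for entry in source_field.split()]


def findings_for_url(url):
    """Return the reasons a URL should not be published in package metadata."""
    reasons = []
    parts = urlsplit(url)
    if parts.username or parts.password:
        reasons.append("userinfo in URL")
    for key in parse_qs(parts.query):
        if key.lower() in SENSITIVE_QUERY_KEYS:
            reasons.append(f"sensitive query parameter '{key}'")
    host = parts.hostname or ""
    if host.endswith(INTERNAL_HOST_SUFFIXES) or host.startswith("10."):
        reasons.append(f"internal host '{host}'")
    return reasons


def scan_control(text):
    """Map package name -> list of (url, reasons) for every URL with findings."""
    report = {}
    for stanza in parse_control(text):
        hits = [(url, findings_for_url(url))
                for url in src_uri_entries(stanza.get("Source", ""))
                if findings_for_url(url)]
        if hits:
            report[stanza["Package"]] = hits
    return report


def redact_userinfo(url):
    """The naive filter: drop user:pass@ from the netloc and keep everything else."""
    parts = urlsplit(url)
    if not (parts.username or parts.password):
        return url
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def still_leaks_after_redaction(source_field):
    """URLs that still carry findings once userinfo has been stripped."""
    redacted = (redact_userinfo(url) for url in src_uri_entries(source_field))
    return [url for url in redacted if findings_for_url(url)]


if __name__ == "__main__":
    for pkg, hits in scan_control(SAMPLE_CONTROL).items():
        for url, reasons in hits:
            print(f"{pkg}: {url}: {', '.join(reasons)}")
    foo_source = parse_control(SAMPLE_CONTROL)[0]["Source"]
    print("still leaking after userinfo redaction:", still_leaks_after_redaction(foo_source))
```

Run it against the Packages index or the control files of a deploy/ipk tree produced before the fix; the same `findings_for_url` check can be pointed at archiver and license-manifest output to answer Mark's question for a given build, since those files are plain text and any SRC_URI they carried would show up the same way.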
Thread overview: 15+ messages
2017-06-19 10:38 OE-Core/Yocto Project's first CVE (CVE-2017-9731) Richard Purdie
2017-06-19 13:20 ` [Openembedded-architecture] " Philip Balister
2017-06-19 13:29   ` Burton, Ross
2017-06-19 13:32     ` Philip Balister
2017-06-19 14:05   ` Mark Hatle
2017-06-19 15:31     ` Sean Hudson
2017-06-20  9:30       ` Paul Eggleton
2017-06-20 13:27         ` Sean Hudson
2017-06-20 13:43           ` Paul Eggleton
2017-06-22  9:21           ` Richard Purdie
2017-06-19 14:06 ` Mark Hatle [this message]
2017-06-27  7:11 ` Sona Sarmadi
2017-06-28 17:38 ` [Openembedded-architecture] " Scott Murray
2017-06-29 22:08   ` Richard Purdie
2017-06-30 20:17     ` Scott Murray
