From 975e974eb1b67e93d5c36492af373c0aa46d206f Mon Sep 17 00:00:00 2001 From: Roland Hieber Date: Fri, 22 Sep 2023 12:00:03 +0200 Subject: [PATCH] contributor-guide: recipe-style-guide: add section about CVE patches This was previously included in the OpenEmbedded wiki page [1], but was not ported along with the rest in commit 95c9a1e1e78bbfb82ade (2023-09-12, Michael Opdenacker: "contributor-guide: recipe-style-guide: add Upstream-Status"). [1]: https://www.openembedded.org/index.php?title=Commit_Patch_Message_Guidelines&oldid=10935 Group the examples in their own sections (but name it differently from any other section in this document so that sphinx doesn't generate a warning about duplicate labels). (From yocto-docs rev: 3022caa35efc28d16dea81bc81ecb48998c8f3b8) Signed-off-by: Roland Hieber Reviewed-by: Michael Opdenacker Signed-off-by: Richard Purdie --- .../contributor-guide/recipe-style-guide.rst | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/documentation/contributor-guide/recipe-style-guide.rst b/documentation/contributor-guide/recipe-style-guide.rst index 7906e5e5d9..5cbcb23b3a 100644 --- a/documentation/contributor-guide/recipe-style-guide.rst +++ b/documentation/contributor-guide/recipe-style-guide.rst @@ -370,3 +370,28 @@ Here's a patch that has been backported from an upstream commit:: include missing sys/file.h for LOCK_EX Upstream-Status: Backport [https://github.com/systemd/systemd/commit/ac8db36cbc26694ee94beecc8dca208ec4b5fd45] + +CVE patches +=========== + +In order to have a better control of vulnerabilities, patches that fix CVEs must +contain a ``CVE:`` tag. This tag list all CVEs fixed by the patch. If more than +one CVE is fixed, separate them using spaces. + +CVE Examples +------------ + +This should be the header of patch that fixes :cve:`2015-8370` in GRUB2:: + + grub2: Fix CVE-2015-8370 + + [No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1286966 + + Back to 28; Grub2 Authentication + + Two functions suffer from integer underflow fault; the grub_username_get() and grub_password_get()located in + grub-core/normal/auth.c and lib/crypto.c respectively. This can be exploited to obtain a Grub rescue shell. + + Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/grub.git/commit/?id=451d80e52d851432e109771bb8febafca7a5f1f2] + CVE: CVE-2015-8370 + Signed-off-by: Joe Developer