linux/generate-cve-exclusions: fix mishandling of boundary values

affected_versions in kernel_cves.json does not mean "first affected version to last affected version" but actually "first affected version to fixed version". Therefore, the variable names, conditional expressions, and CVE_STATUS descriptions should be fixed. For example, when the script was run against v6.1, if affected_versions was "xxx to 6.1", the output was "cpe-stable-backport: Backported in 6.1", but this should be "fixed-version: Fixed from version 6.1". (From OE-Core rev: a0cafa6587acf2b41f0e832d06de884ffe62fd4b) Signed-off-by: Yuta Hayama <hayama@lineo.co.jp> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> (cherry picked from commit 2064b2f9b92e2dff45dab633598b5ed37145d0b6) Signed-off-by: Steve Sakoman <steve@sakoman.com>
2026-04-08 08:02:23 +02:00 · 2023-09-05 16:29:06 +09:00
parent 5e7d38bb7a
commit af312b14fa
1 changed files with 7 additions and 7 deletions
--- a/meta/recipes-kernel/linux/generate-cve-exclusions.py
+++ b/meta/recipes-kernel/linux/generate-cve-exclusions.py
@@ -62,18 +62,18 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version"
            continue

        affected = data["affected_versions"]
-        first_affected, last_affected = re.search(r"(.+) to (.+)", affected).groups()
+        first_affected, fixed = re.search(r"(.+) to (.+)", affected).groups()
        first_affected = parse_version(first_affected)
-        last_affected = parse_version(last_affected)
+        fixed = parse_version(fixed)

        handled = False
-        if not last_affected:
+        if not fixed:
            print(f"# {cve} has no known resolution")
        elif first_affected and version < first_affected:
            print(f"# fixed-version: only affects {first_affected} onwards")
            handled = True
-        elif last_affected < version:
-            print(f"# fixed-version: Fixed after version {last_affected}")
+        elif fixed <= version:
+            print(f"# fixed-version: Fixed from version {fixed}")
            handled = True
        else:
            if cve in stream_data:
@@ -87,9 +87,9 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version"
                        # TODO print a note that the kernel needs bumping
                        print(f"# {cve} needs backporting (fixed from {backport_ver})")
                else:
-                    print(f"# {cve} needs backporting (fixed from {last_affected})")
+                    print(f"# {cve} needs backporting (fixed from {fixed})")
            else:
-                print(f"# {cve} needs backporting (fixed from {last_affected})")
+                print(f"# {cve} needs backporting (fixed from {fixed})")

        if handled:
            print(f'CVE_CHECK_IGNORE += "{cve}"')