The preferred methods for CVE resolution are:
1. Version upgrades where possible
2. Patches where not possible
3. Database updates where version info is incorrect
4. Exclusion from checking where it is determined that the CVE
does not apply to our environment
In some cases none of these methods are possible. For example the
CVE may be decades old with no apparent resolution, and with broken
links that make further research impractical. Some CVEs are vague
with no specific action the project can take, too.
This patch creates a mechanism for users to remove this type of
CVE from the cve-check results via an optional include file.
Based on an initial patch from Steve Sakoman <steve@sakoman.com>
but extended heavily by RP.
(From OE-Core rev: c93d541a84ce4f9ed52b7aee0a59857957ea0380)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit cf282ae03db3f09df42dcd110d7086c2d854642c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upstream database uses both "expat" and "libexpat" to report CVEs
(From OE-Core rev: f89b497800fb3a3ecd77b7a868a02800b6c86d92)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 706bdcaec5fd7c59d7877bbefa5ed4ce5b4f3da1)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This CVE relates to bad ownership of /var/log/cups, which we don't have.
(From OE-Core rev: 68ee8fd1ec0f09c6477578de40e1adfc7ba35027)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0792312f3637ec160d2ef90781a8cb1f75b84940)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Under certain build patterns, warnings about missing manifests can appear. These
are real issues where the manifest was removed and shouldn't have been.
Martin Jansa was able to find a reproducer of:
MACHINE=qemux86 bitbake zlib-native
echo 'PR = "r1"' >> meta/recipes-core/zlib/zlib_1.2.11.bb
MACHINE=qemux86-64 bitbake zlib-native
MACHINE=qemux86 bitbake zlib-native
<the zlib-native manifest is now removed along with the sysroot-components contents>
The code maintains a per machine list of stamps but a per PACKAGE_ARCH list of
stamp/manifest/workdir mappings. The latter is only appended to for speed with
the assumption that once stamps are gone, the code wouldn't trigger.
The code only ever appends to the mapping list (for speed/efficiency under lock)
meaning that multiple entries can result where the stamp/workdir differs due to
version changes but the manifest remains the same.
By switching MACHINE part way through the build, the older stamp is referenced
and the manifest is incorrectly removed as it matches a now obsolete entry in
the mapping file.
There are two possible fixes, one is to rewrite the mapping file every time
which means adding regexes, iterating and generally complicating that code. The
second option is to only use the last mapping entry in the file for a given
manifest and ignore any earlier ones. This patch implements the latter.
Also drop the stale entries if we are rewriting it.
(From OE-Core rev: 9039dd25e5d419dd1c60e1b27ff5f9d96c5b0fb5)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 63da9a4f889c5b0e41bc8ec08abe0acea1546479)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
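As an added example (not OE-Core's own sstate code), the "last entry per manifest wins" rule described in that commit, applied to a constructed mapping file; the one-triple-per-line "stamp manifest workdir" format and all paths are assumptions.

```python
"""Added example: resolve an appended-only stamp/manifest/workdir mapping
file using only the LAST entry recorded for each manifest, so a stale
entry left over from a version change cannot trigger a manifest removal.
The three-column line format and the paths below are assumptions."""

# Constructed sample: zlib-native was rebuilt after a PR bump (r0 -> r1), so
# two entries share one manifest but point at different stamps/workdirs.
SAMPLE_MAPPING = """\
stamps/zlib-native/1.2.11-r0.do_populate_sysroot manifest-zlib-native.populate_sysroot work/zlib-native/1.2.11-r0
stamps/zlib-native/1.2.11-r1.do_populate_sysroot manifest-zlib-native.populate_sysroot work/zlib-native/1.2.11-r1
stamps/expat-native/2.2.9-r0.do_populate_sysroot manifest-expat-native.populate_sysroot work/expat-native/2.2.9-r0
"""


def _triples(text):
    """Yield (stamp, manifest, workdir) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield tuple(parts)


def latest_mappings(text):
    """{manifest: (stamp, workdir)} keeping only the last entry per manifest."""
    seen = {}
    for stamp, manifest, workdir in reversed(list(_triples(text))):
        if manifest in seen:  # an earlier, obsolete entry for the same manifest
            continue
        seen[manifest] = (stamp, workdir)
    return seen


def naive_stale_manifests(text, live_stamps):
    """Pre-fix behaviour: any entry whose stamp is gone flags its manifest,
    even when a later entry for that manifest is still live."""
    return sorted({m for s, m, _ in _triples(text) if s not in live_stamps})


def stale_manifests(text, live_stamps):
    """Fixed behaviour: a manifest is stale only if its LAST stamp is gone."""
    latest = latest_mappings(text)
    return sorted(m for m, (s, _) in latest.items() if s not in live_stamps)


def rewrite_dropping_stale(text):
    """Rewrite the file keeping just the surviving entry per manifest, in order."""
    latest = latest_mappings(text)
    kept = [" ".join(t) for t in _triples(text) if latest.get(t[1]) == (t[0], t[2])]
    return "\n".join(kept) + "\n"
```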
This reverts commit dee41e92f0.
This patch breaks cases where some config files make changes to earlier ones,
ordering is important. The reproducibility issue in busybox was elsewhere.
(From OE-Core rev: 37d71a7a290a24ee9f57a76725e27769588de0ca)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ab0a296607b58775e91948ba40956c666dbb1244)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If the selected version is not available, bitbake will happily attempt
to build something else. This should be a loud warning not a small note.
(Bitbake rev: 078f3164dcb1de7a141bec3a8fd52631d0362631)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 78cd63285713fde59506eb2e71a7b7ee59a594ff)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
runtest returns an error due to missing expect on the target.
Add expect as runtime dependency.
(From OE-Core rev: 381a5f3e409504b2a31710d971eef58346339ae4)
Signed-off-by: Romain Naour <romain.naour@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d9a3a08edc1efcbe7b02e80be98370792d3c6cc2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Integrating the following commit(s) to linux-yocto/5.4:
qemuppc32: reduce serial issues seen on shutdown
Richard reported:
We've been seeing a lot of the qemuppc shutdown issue and I decided to
look into it. The really worrying thing looking at the logs locally is the
serial ports are showing irq issues and becoming disabled as nobody would
handle them.
Errors like:
[ 9.194886] irq 36: nobody cared (try booting with the "irqpoll" option)
[ 9.198712] CPU: 0 PID: 127 Comm: bootlogd Not tainted
[ 9.202283] Call Trace:
[ 9.205611] [d1005f00] [c00a0da8] __report_bad_irq+0x50/0x138 (unreliable)
[ 9.209347] [d1005f30] [c00a0cc0] note_interrupt+0x324/0x378
[ 9.212855] [d1005f70] [c009d138] handle_irq_event+0xe8/0x104
[ 9.216353] [d1005fa0] [c00a1d9c] handle_fasteoi_irq+0xc0/0x29c
[ 9.219960] [d1005fc0] [c009b798] generic_handle_irq+0x40/0x5c
[ 9.223496] [d1005fd0] [c00075d0] __do_irq+0x58/0x188
[ 9.226948] [d1005ff0] [c0010040] call_do_irq+0x20/0x38
[ 9.230391] [d29eda60] [c0007788] do_IRQ+0x88/0xfc
[ 9.233860] [d29eda90] [c0016454] ret_from_except+0x0/0x14
[ 9.237288] --- interrupt: 501 at __setup_irq+0x3c4/0x838
[ 9.237288] LR = __setup_irq+0x790/0x838
[ 9.244155] [d29edb88] [c009f0a4] request_threaded_irq+0x114/0x1c8
[ 9.247672] [d29edbb8] [c07a5a18] pmz_startup+0x17c/0x32c
[ 9.251203] [d29edbd8] [c07a1140] uart_port_startup+0x184/0x2f8
[ 9.254651] [d29edc08] [c07a1974] uart_port_activate+0x78/0xf4
[ 9.258141] [d29edc28] [c07839f8] tty_port_open+0xd4/0x170
[ 9.261579] [d29edc58] [c079db74] uart_open+0x2c/0x48
[ 9.265116] [d29edc68] [c077a288] tty_open+0x168/0x640
[ 9.268574] [d29edcd8] [c0280be8] chrdev_open+0x138/0x2a4
[ 9.272123] [d29edd18] [c027421c] do_dentry_open+0x228/0x410
[ 9.275643] [d29edd48] [c028e9f4] path_openat+0xb04/0xf28
[ 9.279184] [d29eddd8] [c02917e4] do_filp_open+0x120/0x164
[ 9.282535] [d29ede98] [c0276238] do_sys_openat2+0xd8/0x19c
[ 9.285790] [d29edee8] [c0276574] sys_openat+0x88/0xdc
[ 9.289096] [d29edf38] [c00160d8] ret_from_syscall+0x0/0x34
[ 9.292620] --- interrupt: c01 at 0xfec3738
[ 9.292620] LR = 0xfec36e0
[ 9.299035] handlers:
[ 9.302312] [<7f7f7da8>] pmz_interrupt
[ 9.305541] Disabling IRQ #36
(and the irqpoll option does not help)
This is problematic as the shutdown test uses the serial interface to
shut down the system. If the serial interface fails to login or run the command,
game over for the test.
CONFIG_SERIAL_PMACZILOG_CONSOLE complicates that handling, but doesn't provide
any output or capabilities that we need. So we disable it here, and
reduce the chances of issues during shutdown.
(From OE-Core rev: 9ee0f43414a121487fc3310f4d5635b09aa3e117)
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 42355cb73049ee7a4af0f539a2a5b7d4ee1abc65)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This currently catches the .clb_blob and .vamrs,rock960.txt, and other
.txt files may come in future upstream releases.
(From OE-Core rev: 501cd3063af388dabd3329d2e69ac218ffd62a9e)
Signed-off-by: Yann Dirson <yann@blade-group.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit e332738a8aae0914c58b40faae8b9d7a82fd6a95)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Update CVE_PRODUCT to also include 'berkeley_db'. For example,
CVE-2020-2981 uses 'berkeley_db'.
(From OE-Core rev: 753e6510df01fb4d71f46639bef06e1361f87170)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When running a shutdown command, the serial port can close without the
command returning. This is seen as the socket being readable but having
no data. Change the way this case is handled in the code to avoid
tracebacks.
(From OE-Core rev: 9c0b242856de519c58be179f82441a35fc635ad9)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 396a3ba884820d040c91f7592daf20ac28c49b5d)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The recent logging changes for qemurunner showed up as errors on the
autobuilder where decode couldn't be called on the returned string.
Since the code returns binary data, return b'' instead of '' to match
to avoid tracebacks.
One of these cases was newly added, copied from the other which has
been there for a long time, always broken.
(From OE-Core rev: 8f24a7b35861b6aec39bc8d589e090ea9816732c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b8995b27db265b0a0b2d2ca595915f70f9f96e07)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Rather than totally disabling the logging, inform it we're about to exit
so we can log messages over the exit cleanly too. This aids debugging. It
also avoids a race where the logging handler could still error whilst
shutting down.
Also remove a race window by notifying the handler of the shutdown
first, before triggering it. This removes a race window I watched in
local testing.
(From OE-Core rev: 57249316b6c66c5e17804e1b04f2d5cf0db92683)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0e19f31a1005f94105e1cef252abfffcef2aafad)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Issue only affects Debian and SUSE.
(From OE-Core rev: 760cc905fda18ee73ff3698a117f8841d3823b65)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 72522fa1a5f3b9b2855043fe6b421886d641385f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Issue only affects windows.
(From OE-Core rev: 9b214d503f3237fa7cd96c20686e610b09994823)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit a90d3b056992346003d96765fc8639f5235cca55)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Some fix upstream addresses the issue; it isn't clear which change this was. Our
current version doesn't have issues with the test image though so we can exclude.
(From OE-Core rev: 256f6be93eed82c7db8a76b1038e105331c0009f)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3874da694ae1d9de06dd003bd80705205e2b033b)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These CVEs are fixed with kernel changes and don't affect the bluez recipe.
(From OE-Core rev: d7779a9d58b088ce078956af4fdc0325d8c03c35)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 658902477840ea34d414083c4c79616bf5e999a2)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The CVE is in the jpeg sources included with ghostscript. We use our own
external jpeg library so this doesn't affect us.
(From OE-Core rev: 829296767ecfbd443d738367b7146a91506e25f2)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8556d6a6722f21af5e6f97589bec3cbd31da206c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Issue applies to use of cpio in SUSE/OBS, doesn't apply to us.
(From OE-Core rev: 0f759992b7713e9664a4276a068a65f5e638fe33)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 915b38c54a7932744a9f56713d1c6bd00a789331)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The patch mentioned as the fix for the CVE is applied to the 6.0 source
code. Zip versioning makes CPE entry changes hard.
(From OE-Core rev: 4ff9d2c57d9cade1faa3916f171e5ad96ee32487)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 8917e5ae2bb44d017fc0155f16632c5decadb0bd)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
CVE only applies to some distributed RHEL binaries so irrelevant to us.
(From OE-Core rev: 44d477b1cadc3e48c0a902123736fdf3bf2b412c)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 5d8b3ddf91050f6745a99a8abb1c3b03c35247af)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We don't build/use the OPIE PAM module, exclude the CVE from this recipe.
(From OE-Core rev: d55474025a4518c674d9781c4c3b1ce5d6389466)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 3670be602f2ace24dc49e196407efec577164050)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These CVEs apply to the way logrotate was installed on Gentoo, Debian
and SUSE, exclude from cve-check as they don't apply to OE.
(From OE-Core rev: 99cb9534902717e637f1460c1d1c10d290bbebf2)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 23643016f3b8794db772e333ff0b8f598571b628)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The CVE is non-specific and depends on the users of jquery, doesn't
make sense to have this flagged against jquery as there is nothing we can
do about it.
(From OE-Core rev: d18ba3735ff3438ebd60b680e6bae5227c85bccb)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1f82843584f6d2843c5bbd2fe5dcbc654a0fbcfb)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The issues were investigated and found not to be an issue therefore
exclude from checks.
(From OE-Core rev: 05f39301ab19a968916163b2d8f65beda7c09852)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit ee6ee9bd489c126b99d15c1011560df2f840a6e9)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The CVE applies to the built-in VNC server but we don't enable this by default.
(From OE-Core rev: f0e0787265d9d8bd01629f2b56a0eb57d950c037)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d62b9974a5f3a0f462434ce2763c28a4b4bbcfc6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The CVE applies to virglrender before 0.6.0 which we don't have.
(From OE-Core rev: 559ed3e62e542b7a4456a9a4eef8742ce8521dfb)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9b5355375d028577de0b98e05992de6a088cb972)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
These CVEs are disputed by upstream and there is no plan to fix/address them. No
other distros are carrying patches for them. There is a patch for 1010025
however it isn't merged upstream and probably carries more risk of other bugs
than not having it.
(From OE-Core rev: 2afbfc1eb6bc7613da4a7f06ac267ea561b5470e)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b238db678083cc15313b98d2e33f83cccab03fc6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
We no longer have a recipe for 5.0% in dunfell (and never did).
(From meta-yocto rev: d8bdb69e6bd7b52cf047cd6be406bf632a600a58)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>