mirror of
https://git.yoctoproject.org/poky
synced 2026-03-16 12:19:40 +01:00
Compare commits
2 Commits
walnascar-
...
walnascar-
| Author | SHA1 | Date | |
|---|---|---|---|
|
167f714a72 | ||
|
|
13f4119ccf |
@@ -32,3 +32,121 @@ CVE_STATUS[CVE-2020-11935] = "not-applicable-config: Issue only affects aufs, wh
|
||||
CVE_STATUS[CVE-2023-23005] = "disputed: There are no realistic cases \
|
||||
in which a user can cause the alloc_memory_type error case to be reached. \
|
||||
See: https://bugzilla.suse.com/show_bug.cgi?id=1208844#c2"
|
||||
|
||||
# Old CVES taken before using new data from kernel CNA
|
||||
|
||||
CVE_STATUS[CVE-2014-8171] = "fixed-version: Fixed from version 3.12rc1"
|
||||
|
||||
CVE_STATUS[CVE-2017-1000255] = "fixed-version: Fixed from version 4.14rc5"
|
||||
|
||||
CVE_STATUS[CVE-2018-10840] = "fixed-version: Fixed from version 4.18rc1"
|
||||
|
||||
CVE_STATUS[CVE-2018-10876] = "fixed-version: Fixed from version 4.18rc4"
|
||||
|
||||
CVE_STATUS[CVE-2018-10882] = "fixed-version: Fixed from version 4.18rc4"
|
||||
|
||||
CVE_STATUS[CVE-2018-10902] = "fixed-version: Fixed from version 4.18rc6"
|
||||
|
||||
CVE_STATUS[CVE-2018-14625] = "fixed-version: Fixed from version 4.20rc6"
|
||||
|
||||
CVE_STATUS[CVE-2019-3016] = "fixed-version: Fixed from version 5.6rc1"
|
||||
|
||||
CVE_STATUS[CVE-2019-3819] = "fixed-version: Fixed from version 5.0rc6"
|
||||
|
||||
CVE_STATUS[CVE-2019-3887] = "fixed-version: Fixed from version 5.1rc4"
|
||||
|
||||
CVE_STATUS[CVE-2020-10742] = "fixed-version: Fixed from version 3.16rc1"
|
||||
|
||||
CVE_STATUS[CVE-2020-16119] = "fixed-version: Fixed from version 5.15rc2"
|
||||
|
||||
CVE_STATUS[CVE-2020-1749] = "fixed-version: Fixed from version 5.5rc1"
|
||||
|
||||
CVE_STATUS[CVE-2020-25672] = "fixed-version: Fixed from version 5.12rc7"
|
||||
|
||||
CVE_STATUS[CVE-2020-27815] = "fixed-version: Fixed from version 5.11rc1"
|
||||
|
||||
CVE_STATUS[CVE-2020-8834] = "fixed-version: Fixed from version 4.18rc1"
|
||||
|
||||
CVE_STATUS[CVE-2021-20194] = "fixed-version: Fixed from version 5.10rc1"
|
||||
|
||||
CVE_STATUS[CVE-2021-20265] = "fixed-version: Fixed from version 4.5rc3"
|
||||
|
||||
CVE_STATUS[CVE-2021-3564] = "fixed-version: Fixed from version 5.13rc5"
|
||||
|
||||
CVE_STATUS[CVE-2021-3669] = "fixed-version: Fixed from version 5.15rc1"
|
||||
|
||||
CVE_STATUS[CVE-2021-3759] = "fixed-version: Fixed from version 5.15rc1"
|
||||
|
||||
CVE_STATUS[CVE-2021-4218] = "fixed-version: Fixed from version 5.8rc1"
|
||||
|
||||
CVE_STATUS[CVE-2022-0286] = "fixed-version: Fixed from version 5.14rc2"
|
||||
|
||||
CVE_STATUS[CVE-2022-1462] = "fixed-version: Fixed from version 5.19rc7"
|
||||
|
||||
CVE_STATUS[CVE-2022-2308] = "fixed-version: Fixed from version 6.0"
|
||||
|
||||
CVE_STATUS[CVE-2022-2327] = "fixed-version: Fixed from version 5.12rc1"
|
||||
|
||||
CVE_STATUS[CVE-2022-2663] = "fixed-version: Fixed from version 6.0rc5"
|
||||
|
||||
CVE_STATUS[CVE-2022-2785] = "fixed-version: Fixed from version 6.0rc1"
|
||||
|
||||
CVE_STATUS[CVE-2022-3435] = "fixed-version: Fixed from version 6.1rc1"
|
||||
|
||||
CVE_STATUS[CVE-2022-3523] = "fixed-version: Fixed from version 6.1rc1"
|
||||
|
||||
CVE_STATUS[CVE-2022-3534] = "fixed-version: Fixed from version 6.2rc1"
|
||||
|
||||
CVE_STATUS[CVE-2022-3566] = "fixed-version: Fixed from version 6.1rc1"
|
||||
|
||||
CVE_STATUS[CVE-2022-3567] = "fixed-version: Fixed from version 6.1rc1"
|
||||
|
||||
CVE_STATUS[CVE-2022-3619] = "fixed-version: Fixed from version 6.1rc4"
|
||||
|
||||
CVE_STATUS[CVE-2022-3621] = "fixed-version: Fixed from version 6.1rc1"
|
||||
|
||||
CVE_STATUS[CVE-2022-3624] = "fixed-version: Fixed from version 6.0rc1"
|
||||
|
||||
CVE_STATUS[CVE-2022-3629] = "fixed-version: Fixed from version 6.0rc1"
|
||||
|
||||
CVE_STATUS[CVE-2022-3630] = "fixed-version: Fixed from version 6.0rc1"
|
||||
|
||||
CVE_STATUS[CVE-2022-3633] = "fixed-version: Fixed from version 6.0rc1"
|
||||
|
||||
CVE_STATUS[CVE-2022-3636] = "fixed-version: Fixed from version 5.19rc1"
|
||||
|
||||
CVE_STATUS[CVE-2022-36402] = "fixed-version: Fixed from version 6.5"
|
||||
|
||||
CVE_STATUS[CVE-2022-3646] = "fixed-version: Fixed from version 6.1rc1"
|
||||
|
||||
CVE_STATUS[CVE-2022-42895] = "fixed-version: Fixed from version 6.1rc4"
|
||||
|
||||
CVE_STATUS[CVE-2022-4382] = "fixed-version: Fixed from version 6.2rc5"
|
||||
|
||||
CVE_STATUS[CVE-2023-1073] = "fixed-version: Fixed from version 6.2rc5"
|
||||
|
||||
CVE_STATUS[CVE-2023-1074] = "fixed-version: Fixed from version 6.2rc6"
|
||||
|
||||
CVE_STATUS[CVE-2023-1075] = "fixed-version: Fixed from version 6.2rc7"
|
||||
|
||||
CVE_STATUS[CVE-2023-1076] = "fixed-version: Fixed from version 6.3rc1"
|
||||
|
||||
CVE_STATUS[CVE-2023-2898] = "fixed-version: Fixed from version 6.5rc1"
|
||||
|
||||
CVE_STATUS[CVE-2023-3772] = "fixed-version: Fixed from version 6.5rc7"
|
||||
|
||||
CVE_STATUS[CVE-2023-3773] = "fixed-version: Fixed from version 6.5rc7"
|
||||
|
||||
CVE_STATUS[CVE-2023-4155] = "fixed-version: Fixed from version 6.5rc6"
|
||||
|
||||
CVE_STATUS[CVE-2023-6176] = "fixed-version: Fixed from version 6.6rc2"
|
||||
|
||||
CVE_STATUS[CVE-2023-6270] = "cpe-stable-backport: Backported in 6.6.23"
|
||||
|
||||
CVE_STATUS[CVE-2023-6610] = "cpe-stable-backport: Backported in 6.6.13"
|
||||
|
||||
CVE_STATUS[CVE-2023-6679] = "fixed-version: only affects 6.7rc1 onwards"
|
||||
|
||||
CVE_STATUS[CVE-2023-7042] = "cpe-stable-backport: Backported in 6.6.23"
|
||||
|
||||
CVE_STATUS[CVE-2024-0193] = "cpe-stable-backport: Backported in 6.6.10"
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
@@ -1,7 +1,7 @@
|
||||
#! /usr/bin/env python3
|
||||
|
||||
# Generate granular CVE status metadata for a specific version of the kernel
|
||||
# using data from linuxkernelcves.com.
|
||||
# using json data from cvelistV5 or vulns repository
|
||||
#
|
||||
# SPDX-License-Identifier: GPL-2.0-only
|
||||
|
||||
@@ -9,7 +9,8 @@ import argparse
|
||||
import datetime
|
||||
import json
|
||||
import pathlib
|
||||
import re
|
||||
import os
|
||||
import glob
|
||||
|
||||
from packaging.version import Version
|
||||
|
||||
@@ -25,22 +26,75 @@ def parse_version(s):
|
||||
return Version(s)
|
||||
return None
|
||||
|
||||
def get_fixed_versions(cve_info, base_version):
|
||||
'''
|
||||
Get fixed versionss
|
||||
'''
|
||||
first_affected = None
|
||||
fixed = None
|
||||
fixed_backport = None
|
||||
next_version = Version(str(base_version) + ".5000")
|
||||
for affected in cve_info["containers"]["cna"]["affected"]:
|
||||
# In case the CVE info is not complete, it might not have default status and therefore
|
||||
# we don't know the status of this CVE.
|
||||
if not "defaultStatus" in affected:
|
||||
return first_affected, fixed, fixed_backport
|
||||
if affected["defaultStatus"] == "affected":
|
||||
for version in affected["versions"]:
|
||||
v = Version(version["version"])
|
||||
if v == 0:
|
||||
#Skiping non-affected
|
||||
continue
|
||||
if version["status"] == "affected" and not first_affected:
|
||||
first_affected = v
|
||||
elif (version["status"] == "unaffected" and
|
||||
version['versionType'] == "original_commit_for_fix"):
|
||||
fixed = v
|
||||
elif base_version < v and v < next_version:
|
||||
fixed_backport = v
|
||||
elif affected["defaultStatus"] == "unaffected":
|
||||
# Only specific versions are affected. We care only about our base version
|
||||
if "versions" not in affected:
|
||||
continue
|
||||
for version in affected["versions"]:
|
||||
if "versionType" not in version:
|
||||
continue
|
||||
if version["versionType"] == "git":
|
||||
continue
|
||||
v = Version(version["version"])
|
||||
# in case it is not in our base version
|
||||
less_than = Version(version["lessThan"])
|
||||
|
||||
if not first_affected:
|
||||
first_affected = v
|
||||
fixed = less_than
|
||||
if base_version < v and v < next_version:
|
||||
first_affected = v
|
||||
fixed = less_than
|
||||
fixed_backport = less_than
|
||||
|
||||
return first_affected, fixed, fixed_backport
|
||||
|
||||
def is_linux_cve(cve_info):
|
||||
'''Return true is the CVE belongs to Linux'''
|
||||
if not "affected" in cve_info["containers"]["cna"]:
|
||||
return False
|
||||
for affected in cve_info["containers"]["cna"]["affected"]:
|
||||
if not "product" in affected:
|
||||
return False
|
||||
if affected["product"] == "Linux" and affected["vendor"] == "Linux":
|
||||
return True
|
||||
return False
|
||||
|
||||
def main(argp=None):
|
||||
parser = argparse.ArgumentParser()
|
||||
parser.add_argument("datadir", type=pathlib.Path, help="Path to a clone of https://github.com/nluedtke/linux_kernel_cves")
|
||||
parser.add_argument("datadir", type=pathlib.Path, help="Path to a clone of https://github.com/CVEProject/cvelistV5 or https://git.kernel.org/pub/scm/linux/security/vulns.git")
|
||||
parser.add_argument("version", type=Version, help="Kernel version number to generate data for, such as 6.1.38")
|
||||
|
||||
args = parser.parse_args(argp)
|
||||
datadir = args.datadir
|
||||
version = args.version
|
||||
base_version = f"{version.major}.{version.minor}"
|
||||
|
||||
with open(datadir / "data" / "kernel_cves.json", "r") as f:
|
||||
cve_data = json.load(f)
|
||||
|
||||
with open(datadir / "data" / "stream_fixes.json", "r") as f:
|
||||
stream_data = json.load(f)
|
||||
base_version = Version(f"{version.major}.{version.minor}")
|
||||
|
||||
print(f"""
|
||||
# Auto-generated CVE metadata, DO NOT EDIT BY HAND.
|
||||
@@ -55,17 +109,23 @@ python check_kernel_cve_status_version() {{
|
||||
do_cve_check[prefuncs] += "check_kernel_cve_status_version"
|
||||
""")
|
||||
|
||||
for cve, data in cve_data.items():
|
||||
if "affected_versions" not in data:
|
||||
print(f"# Skipping {cve}, no affected_versions")
|
||||
print()
|
||||
# Loop though all CVES and check if they are kernel related, newer than 2015
|
||||
pattern = os.path.join(datadir, '**', "CVE-20*.json")
|
||||
|
||||
files = glob.glob(pattern, recursive=True)
|
||||
for cve_file in sorted(files):
|
||||
# Get CVE Id
|
||||
cve = cve_file[cve_file.rfind("/")+1:cve_file.rfind(".json")]
|
||||
# We process from 2015 data, old request are not properly formated
|
||||
year = cve.split("-")[1]
|
||||
if int(year) < 2015:
|
||||
continue
|
||||
with open(cve_file, 'r', encoding='utf-8') as json_file:
|
||||
cve_info = json.load(json_file)
|
||||
|
||||
affected = data["affected_versions"]
|
||||
first_affected, fixed = re.search(r"(.+) to (.+)", affected).groups()
|
||||
first_affected = parse_version(first_affected)
|
||||
fixed = parse_version(fixed)
|
||||
|
||||
if not is_linux_cve(cve_info):
|
||||
continue
|
||||
first_affected, fixed, backport_ver = get_fixed_versions(cve_info, base_version)
|
||||
if not fixed:
|
||||
print(f"# {cve} has no known resolution")
|
||||
elif first_affected and version < first_affected:
|
||||
@@ -75,19 +135,13 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version"
|
||||
f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"'
|
||||
)
|
||||
else:
|
||||
if cve in stream_data:
|
||||
backport_data = stream_data[cve]
|
||||
if base_version in backport_data:
|
||||
backport_ver = Version(backport_data[base_version]["fixed_version"])
|
||||
if backport_ver <= version:
|
||||
print(
|
||||
f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"'
|
||||
)
|
||||
else:
|
||||
# TODO print a note that the kernel needs bumping
|
||||
print(f"# {cve} needs backporting (fixed from {backport_ver})")
|
||||
if backport_ver:
|
||||
if backport_ver <= version:
|
||||
print(
|
||||
f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"'
|
||||
)
|
||||
else:
|
||||
print(f"# {cve} needs backporting (fixed from {fixed})")
|
||||
print(f"# {cve} needs backporting (fixed from {backport_ver})")
|
||||
else:
|
||||
print(f"# {cve} needs backporting (fixed from {fixed})")
|
||||
|
||||
|
||||
Reference in New Issue
Block a user