cve-extra-exclusions: ignore inapplicable linux-yocto CVEs

Multiple CVEs are patched in kernel but appear as active because the NVD
database is not up to date.

In common file cve-extra-exclusion.inc, CVEs are ignored if and only if
all versions of kernel used are patched.

In cve-exclusion_6.1.inc, only ignore CVEs that are patched in v6.1,
and not patched in v5.15.
Recipes of version 6.1 should include this file.

Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Geoffrey GIRY <geoffrey.giry@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 71e9714c6d1af6d413e08cbb7cc4e345757fdc13..76992c5b46e6cb79da221aec465037368526f976 100644 (file)
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -136,6 +136,16 @@ CVE_CHECK_IGNORE += "CVE-2022-1184"
 # Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
 CVE_CHECK_IGNORE += "CVE-2022-1462"
 
+# https://nvd.nist.gov/vuln/detail/CVE-2022-2196
+# Introduced in version v5.8 5c911beff20aa8639e7a1f28988736c13e03ed54
+# Breaking commit backported in v5.4.47 64b8f33b2e1e687d465b5cb382e7bec495f1e026
+# Patched in kernel since v6.2 2e7eab81425ad6c875f2ed47c0ce01e78afc38a5
+# Backported in version v5.4.233 f93a1a5bdcdd122aae0a3eab7a52c15b71fb725b
+# Backported in version v5.10.170 1b0cafaae8884726c597caded50af185ffc13349
+# Backported in version v5.15.96 6b539a7dbb49250f92515c2ba60aea239efc9e35
+# Backported in version v6.1.14 63fada296062e91ad9f871970d4e7f19e21a6a15
+CVE_CHECK_IGNORE += "CVE-2022-2196"
+
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2308
 # Introduced in version v5.15 c8a6153b6c59d95c0e091f053f6f180952ade91e
 # Patched in kernel since v6.0 46f8a29272e51b6df7393d58fc5cb8967397ef2b
@@ -169,6 +179,15 @@ CVE_CHECK_IGNORE += "CVE-2022-2785"
 # Backported in version v5.15.65 e9d7ca0c4640cbebe6840ee3bac66a25a9bacaf5
 CVE_CHECK_IGNORE += "CVE-2022-3176"
 
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3424
+# Introduced in version v2.6.33 55484c45dbeca2eec7642932ec3f60f8a2d4bdbf
+# Patched in kernel since v6.2 643a16a0eb1d6ac23744bb6e90a00fc21148a9dc
+# Backported in version v5.4.229 0078dd8758561540ed30b2c5daa1cb647e758977
+# Backported in version v5.10.163 0f67ed565f20ea2fdd98e3b0b0169d9e580bb83c
+# Backported in version v5.15.86 d5c8f9003a289ee2a9b564d109e021fc4d05d106
+# Backported in version v6.1.2 4e947fc71bec7c7da791f8562d5da233b235ba5e
+CVE_CHECK_IGNORE += "CVE-2022-3424"
+
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3435
 # Introduced in version v5.18 6bf92d70e690b7ff12b24f4bfff5e5434d019b82
 # Breaking commit backported in v5.4.189 f5064531c23ad646da7be8b938292b00a7e61438
@@ -382,10 +401,12 @@ CVE_CHECK_IGNORE += "CVE-2023-0266"
 CVE_CHECK_IGNORE += "CVE-2023-0394"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0461
-# Introduced in version 4.13 734942cc4ea6478eed125af258da1bdbb4afe578
-# Patched in kernel v6.2 2c02d41d71f90a5168391b6a5f2954112ba2307c
-# Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c
+# Introduced in version v4.13 734942cc4ea6478eed125af258da1bdbb4afe578
+# Patched in kernel since v6.2 2c02d41d71f90a5168391b6a5f2954112ba2307c
+# Backported in version v5.4.229 c6d29a5ffdbc362314853462a0e24e63330a654d
+# Backported in version v5.10.163 f8ed0a93b5d576bbaf01639ad816473bdfd1dcb0
 # Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6
+# Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c
 CVE_CHECK_IGNORE += "CVE-2023-0461"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0386
@@ -421,6 +442,32 @@ CVE_CHECK_IGNORE += "CVE-2023-1077"
 # Backported in version 6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
 CVE_CHECK_IGNORE += "CVE-2023-1078"
 
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1118
+# Introduced in version v2.6.36 9ea53b74df9c4681f5bb2da6b2e10e37d87ea6d6
+# Patched in kernel since v6.3-rc1 29b0589a865b6f66d141d79b2dd1373e4e50fe17
+# Backported in version v5.4.235 d120334278b370b6a1623a75ebe53b0c76cb247c
+# Backported in version v5.10.173 78da5a378bdacd5bf68c3a6389bdc1dd0c0f5b3c
+# Backported in version v5.15.99 29962c478e8b2e6a6154d8d84b8806dbe36f9c28
+# Backported in version v6.1.16 029c1410e345ce579db5c007276340d072aac54a
+# Backported in version v6.2.3 182ea492aae5b64067277e60a4ea5995c4628555
+CVE_CHECK_IGNORE += "CVE-2023-1118"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-1281
+# Introduced in version v4.14 9b0d4446b56904b59ae3809913b0ac760fa941a6
+# Patched in kernel since v6.2 ee059170b1f7e94e55fa6cadee544e176a6e59c2
+# Backported in version v5.10.169 eb8e9d8572d1d9df17272783ad8a84843ce559d4
+# Backported in version v5.15.95 becf55394f6acb60dd60634a1c797e73c747f9da
+# Backported in version v6.1.13 bd662ba56187b5ef8a62a3511371cd38299a507f
+CVE_CHECK_IGNORE += "CVE-2023-1281"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-28466
+# Introduced in version v4.13 3c4d7559159bfe1e3b94df3a657b2cda3a34e218
+# Patched in kernel since v6.3-rc2 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962
+# Backported in version v5.15.105 0b54d75aa43a1edebc8a3770901f5c3557ee0daa
+# Backported in version v6.1.20 14c17c673e1bba08032d245d5fb025d1cbfee123
+# Backported in version v6.2.7 5231fa057bb0e52095591b303cf95ebd17bc62ce
+CVE_CHECK_IGNORE += "CVE-2023-28466"
+
 # Wrong CPE in NVD database
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3563
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3637

diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
new file mode 100644 (file)
index 0000000..ec7ff9c
--- /dev/null
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
@@ -0,0 +1,15 @@
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3523
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v6.1 16ce101db85db694a91380aa4c89b25530871d33
+CVE_CHECK_IGNORE += "CVE-2022-3523"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3566
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v6.1 f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57
+CVE_CHECK_IGNORE += "CVE-2022-3566"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3567
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v6.1 364f997b5cfe1db0d63a390fe7c801fa2b3115f6
+CVE_CHECK_IGNORE += "CVE-2022-3567"
+

diff --git a/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb b/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb
index 5f79bc617b367098f58150e4ec16bedeb650bb08..2cf1b048c9062929c92345c548a702d5d4755112 100644 (file)
--- a/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-rt_6.1.bb
@@ -2,6 +2,9 @@ KBRANCH ?= "v6.1/standard/preempt-rt/base"
 
 require recipes-kernel/linux/linux-yocto.inc
 
+# CVE exclusions
+include recipes-kernel/linux/cve-exclusion_6.1.inc
+
 # Skip processing of this recipe if it is not explicitly specified as the
 # PREFERRED_PROVIDER for virtual/kernel. This avoids errors when trying
 # to build multiple virtual/kernel providers, e.g. as dependency of

diff --git a/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb b/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb
index 58357d00c7f6b833e453dc6361de9b3f4ec9501f..ff3bcad5db8f4fc558a774cea99b3d6b58aa9473 100644 (file)
--- a/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb
+++ b/meta/recipes-kernel/linux/linux-yocto-tiny_6.1.bb
@@ -5,6 +5,9 @@ KCONFIG_MODE = "--allnoconfig"
 
 require recipes-kernel/linux/linux-yocto.inc
 
+# CVE exclusions
+include recipes-kernel/linux/cve-exclusion_6.1.inc
+
 LINUX_VERSION ?= "6.1.20"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"
 

diff --git a/meta/recipes-kernel/linux/linux-yocto_6.1.bb b/meta/recipes-kernel/linux/linux-yocto_6.1.bb
index 6f33032c0001101485168882d7f9c7e89c6f0593..033bc10e55583fb10dd7ff5bfffbb6141ed12f2f 100644 (file)
--- a/meta/recipes-kernel/linux/linux-yocto_6.1.bb
+++ b/meta/recipes-kernel/linux/linux-yocto_6.1.bb
@@ -2,6 +2,9 @@ KBRANCH ?= "v6.1/standard/base"
 
 require recipes-kernel/linux/linux-yocto.inc
 
+# CVE exclusions
+include recipes-kernel/linux/cve-exclusion_6.1.inc
+
 # board specific branches
 KBRANCH:qemuarm  ?= "v6.1/standard/arm-versatile-926ejs"
 KBRANCH:qemuarm64 ?= "v6.1/standard/qemuarm64"