From: Peter Marko Date: Sat, 28 Sep 2024 15:43:48 +0000 (+0200) Subject: wpa-supplicant: Ignore CVE-2024-5290 X-Git-Tag: uninative-4.7~1254 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6cb794d44a8624784ec0f76dca764616d81ffbf5;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git wpa-supplicant: Ignore CVE-2024-5290 NVD CVE report [1] links Ubuntu bug [2] which has a very good description/discussion about this issue. It applies only to distros patching wpa-supplicant to allow non-root users (e.g. via netdev group) to load modules. This is not the case of Yocto. Quote: So upstream isn't vulnerable as they only expose the dbus interface to root. Downstreams like Ubuntu and Chromium added a patch that grants access to the netdev group. The patch is the problem, not the upstream code IMHO. There is also a commit [3] associated with this CVE, however that only provides build-time configuration to limit paths which can be accessed but it acts only as a mitigation for distros which allow non-root users to load crafted modules. The patch is included in version 2.11, however NVD has this CVE version-less, so explicit ignore is necessary. [1] https://nvd.nist.gov/vuln/detail/CVE-2024-5290 [2] https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/2067613 [3] https://w1.fi/cgit/hostap/commit/?id=c84388ee4c66bcd310db57489eac4a75fc600747 Signed-off-by: Peter Marko Signed-off-by: Richard Purdie --- diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb index 257ef43b6e5..ac99d0db498 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.11.bb @@ -29,6 +29,8 @@ PACKAGECONFIG[openssl] = ",,openssl" CVE_PRODUCT = "wpa_supplicant" +CVE_STATUS[CVE-2024-5290] = "not-applicable-platform: this only affects Ubuntu and other platforms patching wpa-supplicant" + EXTRA_OEMAKE = "'LIBDIR=${libdir}' 'INCDIR=${includedir}' 'BINDIR=${sbindir}'" do_configure () {