From: Yoann Congal <yoann.congal@smile.fr>
Date: Thu, 6 Apr 2023 14:19:22 +0000 (+0200)
Subject: cve-exclusions_6.1: ignore patched CVE-2022-38457 & CVE-2022-40133
X-Git-Tag: 2023-04-mickledore~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=990d1cbb1628577bd159e8266fa15976f1f17062;p=thirdparty%2Fopenembedded%2Fopenembedded-core.git

cve-exclusions_6.1: ignore patched CVE-2022-38457 & CVE-2022-40133

Ignore CVE-2022-38457 & CVE-2022-40133 as they looks patched in our 6.1
branch.

I've asked the NVD to add the commit as the patch for these CVEs, but in
the meantime, other sources seem to agree that the commit fixes these
CVEs (and I concur).

Signed-off-by: Yoann Congal <yoann.congal@smile.fr>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---

diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
index ec7ff9c1a7b..8b32c2b2dfb 100644
--- a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
@@ -13,3 +13,17 @@ CVE_CHECK_IGNORE += "CVE-2022-3566"
 # Patched in kernel since v6.1 364f997b5cfe1db0d63a390fe7c801fa2b3115f6
 CVE_CHECK_IGNORE += "CVE-2022-3567"
 
+
+# 2023
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-38457
+# https://nvd.nist.gov/vuln/detail/CVE-2022-40133
+# Both CVE-2022-38457 & CVE-2022-40133 are fixed by the same commit:
+# Introduced in version v4.20 e14c02e6b6990e9f6ee18a214a22ac26bae1b25e
+# Patched in kernel since v6.2 a309c7194e8a2f8bd4539b9449917913f6c2cd50
+# Backported in version v6.1.7 7ac9578e45b20e3f3c0c8eb71f5417a499a7226a
+# See:
+#  * https://www.linuxkernelcves.com/cves/CVE-2022-38457
+#  * https://www.linuxkernelcves.com/cves/CVE-2022-40133
+#  * https://lore.kernel.org/all/CAODzB9q3OBD0k6W2bcWrSZo2jC3EvV0PrLyWmO07rxR4nQgkJA@mail.gmail.com/T/
+CVE_CHECK_IGNORE += "CVE-2022-38457 CVE-2022-40133"