From: Ross Burton Date: Tue, 5 Sep 2023 10:54:20 +0000 (+0100) Subject: cve-exclusion: review the last of the historical kernel CVEs X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fe1c0b9725f88d15ba48b02b5fef01f2cf2e9d78;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git cve-exclusion: review the last of the historical kernel CVEs Review the last of the historical kernel CVEs. Issues which are specific to other platforms or distributions are ignored in the kernel recipe itself, whereas general security concerns like "ICMP leaks information" and "USB has flaws" are ignored with more details in the extra-exclusions file as before. Signed-off-by: Ross Burton Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie --- diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc index cfee028e5ba..fcef6a14fb8 100644 --- a/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/meta/conf/distro/include/cve-extra-exclusions.inc @@ -53,24 +53,17 @@ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981" CVE_STATUS_DB[status] = "upstream-wontfix: Since Oracle relicensed bdb, the open source community is slowly but surely \ replacing bdb with supported and open source friendly alternatives. As a result this CVE is unlikely to ever be fixed." -# -# Kernel CVEs, e.g. linux-yocto* +# Kernel CVEs that are generic but can't be added to the kernel's hand-maintained cve-exclusion.inc +# or machine-maintained cve-exclusion_VERSION.inc files, such as issues that describe TCP/IP design +# flaws or processor-specific exploits that can't be mitigated. # # For OE-Core our policy is to stay as close to the kernel stable releases as we can. This should # ensure the bulk of the major kernel CVEs are fixed and we don't dive into each individual issue # as the stable maintainers are much more able to do that. -# -# We have a script (generate-cve-exclusions.py) to have correct CVE status for backported issues, -# but the data on linuxkernelcves.com isn't 100% complete for the older CVEs. These historical -# CVEs need review and typically linuxkernelcves.com updated and then removed from here. -# - -CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_HISTORIC" - -CVE_STATUS_KERNEL_HISTORIC = "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 \ - CVE-2008-2544 CVE-2008-4609 CVE-2010-0298 CVE-2010-4563 CVE-2011-0640" -CVE_STATUS_KERNEL_HISTORIC[status] = "ignored" - +CVE_STATUS[CVE-1999-0524] = "ignored: issue is that ICMP exists, can be filewalled if required" +CVE_STATUS[CVE-2008-4609] = "ignored: describes design flaws in TCP" +CVE_STATUS[CVE-2010-4563] = "ignored: low impact, only enables detection of hosts which are sniffing network traffic" +CVE_STATUS[CVE-2011-0640] = "ignored: requires physical access and any mitigation would mean USB is impractical to use" # qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2021-20255 CVE_STATUS[CVE-2021-20255] = "upstream-wontfix: \ diff --git a/meta/recipes-kernel/linux/cve-exclusion.inc b/meta/recipes-kernel/linux/cve-exclusion.inc index 28f9c8ff2b6..78576339432 100644 --- a/meta/recipes-kernel/linux/cve-exclusion.inc +++ b/meta/recipes-kernel/linux/cve-exclusion.inc @@ -1,3 +1,15 @@ +CVE_STATUS[CVE-1999-0656] = "not-applicable-config: specific to ugidd, part of the old user-mode NFS server" + +CVE_STATUS[CVE-2006-2932] = "not-applicable-platform: specific to RHEL" + +CVE_STATUS[CVE-2007-2764] = "not-applicable-platform: specific to Sun/Brocade SilkWorm switches" + +CVE_STATUS[CVE-2007-4998] = "cpe-incorrect: a historic cp bug, no longer an issue as per https://bugzilla.redhat.com/show_bug.cgi?id=356471#c5" + +CVE_STATUS[CVE-2008-2544] = "disputed: not an issue as per https://bugzilla.redhat.com/show_bug.cgi?id=449089#c22" + +CVE_STATUS[CVE-2010-0298] = "fixed-version: 2.6.34 (1871c6)" + CVE_STATUS[CVE-2014-2648] = "cpe-incorrect: not Linux" CVE_STATUS[CVE-2016-0774] = "ignored: result of incomplete backport"