On Fri, 2021-01-15 at 16:58 +0000, [email protected] wrote:
> On Fri, Jan 15, 2021 at 04:48:13PM +0000, Richard Purdie wrote:
> > On Fri, 2021-01-15 at 12:48 +0200, Mikko Rapeli wrote:
> > > https://nvd.nist.gov/vuln/detail/CVE-2018-13410 is disputed and
> > > also Debian considers it not a vulnerability:
> > > 
> > > https://security-tracker.debian.org/tracker/CVE-2018-13410
> > > 
> > > http://seclists.org/fulldisclosure/2018/Jul/24
> > > "Negligible security impact, would involve that an untrusted party
> > > controls the -TT value."
> > > 
> > > https://nvd.nist.gov/vuln/detail/CVE-2018-13684 is not for zip, also 
> > > Debian concludes this:
> > > 
> > > https://security-tracker.debian.org/tracker/CVE-2018-13684
> > > 
> > > "NOT-FOR-US: smart contract implementation for ZIP"
> > > 
> > > Signed-off-by: Mikko Rapeli <[email protected]>
> > > ---
> > >  meta/recipes-extended/zip/zip_3.0.bb | 3 +++
> > >  1 file changed, 3 insertions(+)
> > > 
> > > diff --git a/meta/recipes-extended/zip/zip_3.0.bb 
> > > b/meta/recipes-extended/zip/zip_3.0.bb
> > > index c00a932763..47e6fc5278 100644
> > > --- a/meta/recipes-extended/zip/zip_3.0.bb
> > > +++ b/meta/recipes-extended/zip/zip_3.0.bb
> > > @@ -19,6 +19,9 @@ UPSTREAM_VERSION_UNKNOWN = "1"
> > >  SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"
> > >  SRC_URI[sha256sum] = 
> > > "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"
> > > 
> > > 
> > > +CVE_CHECK_WHITELIST += "CVE-2018-13410"
> > > +CVE_CHECK_WHITELIST += "CVE-2018-13684"
> > > +
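Review bot: the two added `CVE_CHECK_WHITELIST` lines carry no comment saying why the CVEs are excluded, so the reasoning (CVE-2018-13410 disputed upstream with negligible impact, CVE-2018-13684 referring to a smart contract implementation rather than this zip) lives only in the commit message and will be invisible to whoever next reads or upgrades the recipe. Suggest a short `#` line above each entry, e.g. `# CVE-2018-13410: disputed upstream, negligible impact; Debian marks it not a vulnerability`. Separately, this copy of the patch has been line-wrapped by the mailer (the `diff --git` header and the `SRC_URI[sha256sum] =` context line are each split across two lines), so it would not apply as quoted here without rejoining those lines.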
> > 
> > Where we're adding these can we put a small comment in as well just
> > saying why we're whitelisting it?
> 
> Sure, but let's try to be consistent then.

I am trying to be, I did add comments with the whitelist entries I
added recently! :)

There are probably some older ones which don't have it but we should
probably try and improve that over time if we can too.

> > I appreciate the info is in the commit but I think its important enough
> > to list in the recipe as a comment too.
> 
> I agree.
> 
> Though it's not clear if these should be removed when updating recipe
> versions. Sometimes NVD data is good, sometimes bad, sometimes it's not
> clear how to fix...
> Doing local builds with
> 
> INHERIT += "cve-check"
> 
> is the only way to find out, I guess.

Yes, if upstream are no longer listing it as being relevant, we could
drop the WHITELIST entry, but in general I think there'll be cases
where the upstream entry can't be changed. That means for recipe
upgrading, we probably end up keeping them.

Cheers,

Richard
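The thread asks that every whitelisted CVE in a recipe carry a comment explaining why it is excluded. The following checker is an added example, not part of oe-core or of the patch above: it scans recipe text for `CVE_CHECK_WHITELIST +=` lines (the exact variable and operator used in the patch) and reports entries that have neither a directly preceding `#` comment nor a nearby comment that names the CVE id. The function name, the regexes and the sample recipe fragments are my own constructions; the CVE ids and the rationale text in the commented sample come from the thread.

```python
import re

# A BitBake assignment as written in the patch:  CVE_CHECK_WHITELIST += "CVE-2018-13410"
WHITELIST_RE = re.compile(r'^\s*CVE_CHECK_WHITELIST\s*\+=\s*"([^"]*)"\s*$')
# CVE identifier shape; one whitelist line may list several ids separated by spaces.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def uncommented_whitelist_entries(recipe_text):
    """Return [(line_no, cve_id), ...] for whitelist entries lacking a rationale.

    An entry is accepted when a '#' comment block either names the CVE id
    (so one comment can cover a group of entries) or sits directly above
    the entry with no other whitelist line in between.  Any other line,
    blank lines included, ends the current comment block.
    """
    violations = []
    comment_block = []          # '#' lines collected for the entries that follow
    entries_after_comment = 0   # whitelist lines already consumed by that block
    for line_no, line in enumerate(recipe_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            if entries_after_comment:
                comment_block = []  # a fresh comment starts a new block
            comment_block.append(stripped)
            entries_after_comment = 0
            continue
        match = WHITELIST_RE.match(line)
        if match:
            for cve in CVE_RE.findall(match.group(1)):
                mentioned = any(cve in c for c in comment_block)
                adjacent = bool(comment_block) and entries_after_comment == 0
                if not (mentioned or adjacent):
                    violations.append((line_no, cve))
            entries_after_comment += 1
            continue
        comment_block = []
        entries_after_comment = 0
    return violations


# Constructed sample: the recipe hunk as posted, with no rationale comments.
UNCOMMENTED = '''SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"

CVE_CHECK_WHITELIST += "CVE-2018-13410"
CVE_CHECK_WHITELIST += "CVE-2018-13684"
'''

# Constructed sample: the same entries with the reasoning from the commit message.
COMMENTED = '''SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"

# CVE-2018-13410 is disputed upstream: negligible impact, would require an
# untrusted party to control the -TT value. Debian also marks it not a vulnerability.
CVE_CHECK_WHITELIST += "CVE-2018-13410"
# CVE-2018-13684 is about a smart contract implementation named ZIP, not this package.
CVE_CHECK_WHITELIST += "CVE-2018-13684"
'''

# Constructed sample: one comment that only covers the first entry.
PARTIAL = '''# disputed upstream, negligible impact
CVE_CHECK_WHITELIST += "CVE-2018-13410"
CVE_CHECK_WHITELIST += "CVE-2018-13684"
'''

if __name__ == "__main__":
    for name, text in (("uncommented", UNCOMMENTED), ("commented", COMMENTED), ("partial", PARTIAL)):
        for line_no, cve in uncommented_whitelist_entries(text):
            print(f"{name}: line {line_no}: {cve} whitelisted without a rationale comment")
```

Run against a real recipe with `uncommented_whitelist_entries(open(path).read())`; a non-empty result is the list of entries that a reviewer like Richard would ask to have annotated before merging.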

View/Reply Online (#146841): https://lists.openembedded.org/g/openembedded-core/message/146841