> On Jan 17, 2021, at 1:14 PM, Robert Joslyn <[email protected]> > wrote: > > According to the Intel security advisory [1], these CVEs are mitigated by > the following kernel commits: > > eddb7732119d53400f48a02536a84c509692faa8 Bluetooth: A2MP: Fix not > initializing all members > f19425641cb2572a33cb074d5e30283720bd4d22 Bluetooth: L2CAP: Fix calling > sk_filter on non-socket based channel > b560a208cda0297fef6ff85bbfd58a8f0a52a543 Bluetooth: MGMT: Fix not checking if > BT_HS is enabled > a2ec905d1e160a33b2e210e45ad30445ef26ce0e Bluetooth: fix kernel oops in > store_pending_adv_report > > The latest of these commits were backported from 5.10 to the stable kernel > tree in the 5.8.16 and 5.4.72 releases. Since the kernels provied by OE-core > contain these fixes, mark them as whitelisted. > > [1]: > https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html?wapkw=CVE-2020-12351 > > Signed-off-by: Robert Joslyn <[email protected]> > --- > meta/recipes-connectivity/bluez5/bluez5_5.55.bb | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb > b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb > index 8190924562..051fdef8ce 100644 > --- a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb > +++ b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb > @@ -3,6 +3,8 @@ require bluez5.inc > SRC_URI[md5sum] = "94972b8bc7ade60c72b0ffa6ccff2c0a" > SRC_URI[sha256sum] = > "8863717113c4897e2ad3271fc808ea245319e6fd95eed2e934fae8e0894e9b88" > > +CVE_CHECK_WHITELIST += "CVE-2020-12351 CVE-2020-12352" > + > # noinst programs in Makefile.tools that are conditional on READLINE > # support > NOINST_TOOLS_READLINE ?= " \ > -- > 2.26.2
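Review bot: the added line `CVE_CHECK_WHITELIST += "CVE-2020-12351 CVE-2020-12352"` in bluez5_5.55.bb carries no comment, so the justification (the issues are kernel-side, fixed by the listed commits and backported in 5.8.16 and 5.4.72, per intel-sa-00435) survives only in the commit message; a recipe reader will not see why a bluez recipe whitelists CVEs at all. Suggest a comment directly above the line, e.g. `# Kernel-side issues, fixed in linux-stable 5.8.16 / 5.4.72 (intel-sa-00435); not a bluez defect`. The whitelist is also unconditional: it silences the report for every build of this recipe, including one paired with a kernel that does not carry those commits, while the stated reasoning holds only for the kernels OE-core provides, so the comment should say which kernel versions the whitelist assumes. Minor: "provied" in the commit message should read "provided".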
I’m not sure if this is the best solution, but figured I’d send the patch and see what others think. The CVEs call out bluez running on the Linux kernel in the vulnerable CPE names, but no versions are listed. It seems to me like the CPE names associated with the CVE should really just be against the kernel, with appropriate version numbers added. Is this something likely to be updated in the CVE database, or is whitelisting them here the best option? Does cve-check.bbclass handle the “bluez running on/with linux_kernel” case described in the CVE? Thanks, Robert
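The "bluez running on/with linux_kernel" question above comes down to how an NVD configuration that ANDs a vulnerable product with its platform is evaluated, and to what a product-name-keyed check does with it. The following Python is an added illustration; it is not code from this thread and not how cve-check.bbclass is implemented. The two configurations are constructed in the layout of the NVD JSON 1.1 feed (`nodes`, `operator`, `cpe_match`, `vulnerable`, `versionEndExcluding`), not the real NVD records for these CVEs: `CONFIG_AS_PUBLISHED` mirrors the shape described in the message (bluez marked vulnerable, AND'ed with linux_kernel, no versions on either side), and `CONFIG_AS_PROPOSED` is the kernel-only shape the message suggests, using the fixed stable versions 5.4.72 and 5.8.16 from the commit message. The version comparison is a simplified dotted-integer compare.

```python
"""Evaluate NVD-style CPE configurations against an installed product set.

Added example, not part of the mailing-list thread or of cve-check.bbclass.
Both configurations below are CONSTRUCTED for illustration; they are not the
actual NVD entries for CVE-2020-12351 / CVE-2020-12352.
"""

CVE_ID = "CVE-2020-12351"  # the CVE discussed in the thread

# Shape described in the thread: bluez (any version) is the vulnerable product,
# AND'ed with linux_kernel (any version). No version bounds anywhere.
CONFIG_AS_PUBLISHED = {
    "nodes": [{
        "operator": "AND",
        "children": [
            {"operator": "OR", "cpe_match": [
                {"vulnerable": True,
                 "cpe23Uri": "cpe:2.3:a:bluez:bluez:*:*:*:*:*:*:*:*"}]},
            {"operator": "OR", "cpe_match": [
                {"vulnerable": False,
                 "cpe23Uri": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"}]},
        ],
    }],
}

# Shape proposed in the thread: the kernel is the vulnerable product, bounded
# by the stable releases carrying the fixes (5.4.72 and 5.8.16).
CONFIG_AS_PROPOSED = {
    "nodes": [{
        "operator": "OR",
        "cpe_match": [
            {"vulnerable": True,
             "cpe23Uri": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
             "versionEndExcluding": "5.4.72"},
            {"vulnerable": True,
             "cpe23Uri": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
             "versionStartIncluding": "5.5",
             "versionEndExcluding": "5.8.16"},
        ],
    }],
}


def parse_version(text):
    """'5.4.72' -> (5, 4, 72). Non-numeric suffixes are dropped (simplification)."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def cpe_fields(cpe23):
    """Split a cpe:2.3 URI into (part, vendor, product, version)."""
    f = cpe23.split(":")
    return f[2], f[3], f[4], f[5]


def match_entry(entry, installed):
    """True if the installed product/version satisfies one cpe_match entry."""
    _, _, product, uri_version = cpe_fields(entry["cpe23Uri"])
    if product not in installed:
        return False
    v = parse_version(installed[product])
    if uri_version not in ("*", "-") and parse_version(uri_version) != v:
        return False
    bounds = (
        ("versionStartIncluding", lambda b: v >= b),
        ("versionStartExcluding", lambda b: v > b),
        ("versionEndIncluding", lambda b: v <= b),
        ("versionEndExcluding", lambda b: v < b),
    )
    return all(ok(parse_version(entry[key])) for key, ok in bounds if key in entry)


def eval_node(node, installed):
    """Recursively evaluate an AND/OR node. Every cpe_match entry, vulnerable or
    not, is a condition on the environment ("running on/with")."""
    results = [match_entry(e, installed) for e in node.get("cpe_match", [])]
    results += [eval_node(c, installed) for c in node.get("children", [])]
    return all(results) if node.get("operator") == "AND" else any(results)


def affected(config, installed):
    """True if any top-level node matches (top-level nodes are OR'ed)."""
    return any(eval_node(n, installed) for n in config["nodes"])


def vulnerable_products(config):
    """Products flagged vulnerable=True: what a name-keyed check attributes the CVE to."""
    found = set()

    def walk(node):
        for e in node.get("cpe_match", []):
            if e.get("vulnerable"):
                found.add(cpe_fields(e["cpe23Uri"])[2])
        for c in node.get("children", []):
            walk(c)

    for n in config["nodes"]:
        walk(n)
    return found


def recipe_status(recipe_product, installed, config, whitelist=()):
    """'whitelisted', 'vulnerable' or 'unaffected' for one recipe. The whitelist
    wins regardless of the installed kernel, which is the trade-off of the
    CVE_CHECK_WHITELIST approach discussed in the thread."""
    if CVE_ID in whitelist:
        return "whitelisted"
    if recipe_product in vulnerable_products(config) and affected(config, installed):
        return "vulnerable"
    return "unaffected"


if __name__ == "__main__":
    fixed = {"bluez": "5.55", "linux_kernel": "5.4.72"}   # constructed sample
    older = {"bluez": "5.55", "linux_kernel": "5.4.71"}   # constructed sample
    print("published, bluez, fixed kernel:", recipe_status("bluez", fixed, CONFIG_AS_PUBLISHED))
    print("published, bluez, whitelisted:", recipe_status("bluez", older, CONFIG_AS_PUBLISHED, (CVE_ID,)))
    print("proposed, bluez:", recipe_status("bluez", older, CONFIG_AS_PROPOSED))
    print("proposed, kernel 5.4.71:", recipe_status("linux_kernel", older, CONFIG_AS_PROPOSED))
    print("proposed, kernel 5.4.72:", recipe_status("linux_kernel", fixed, CONFIG_AS_PROPOSED))
```

With the published shape, bluez 5.55 is reported vulnerable whatever kernel is installed, because the kernel side of the AND has no version bound and bluez is the product carrying `vulnerable: true`; the whitelist silences that report, but it does so equally for a kernel that lacks the fixes. With the proposed shape, the vulnerable product is linux_kernel, so the bluez recipe is never flagged and the kernel recipe is flagged exactly when its version is below 5.4.72 (or in the 5.5 to 5.8.16 window), which is where the version check belongs.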
View/Reply Online (#146898): https://lists.openembedded.org/g/openembedded-core/message/146898
