On Wed, Jan 20, 2021 at 7:59 PM Robert Joslyn <[email protected]> wrote: > > > > > On Jan 20, 2021, at 10:18 AM, Steve Sakoman <[email protected]> wrote: > > > > On Sun, Jan 17, 2021 at 11:16 AM Robert Joslyn > > <[email protected]> wrote: > >> > >> According to the Intel security advisory [1], these CVEs are mitigated by > >> the following kernel commits: > >> > >> eddb7732119d53400f48a02536a84c509692faa8 Bluetooth: A2MP: Fix not > >> initializing all members > >> f19425641cb2572a33cb074d5e30283720bd4d22 Bluetooth: L2CAP: Fix calling > >> sk_filter on non-socket based channel > >> b560a208cda0297fef6ff85bbfd58a8f0a52a543 Bluetooth: MGMT: Fix not checking > >> if BT_HS is enabled > >> a2ec905d1e160a33b2e210e45ad30445ef26ce0e Bluetooth: fix kernel oops in > >> store_pending_adv_report > >> > >> The latest of these commits were backported from 5.10 to the stable kernel > >> tree in the 5.8.16 and 5.4.72 releases. Since the kernels provied by > >> OE-core > >> contain these fixes, mark them as whitelisted. > > > > This seems to be a good candidate for having the cpe database updated. > > Currently it is flagging all versions of bluez and Linux. > > > > I sent a request to have the entry updated. If they accept the > > request then we won't need this patch. If they deny it we can merge > > the patch. > > Sounds good, thanks!
After a bit of back and forth the CPE entry for this issue has been updated to reflect that it is a kernel issue and the affected kernel versions have also been added to the entry. So we won't need this patch. Thanks again for doing the initial research on this issue! Steve > >> [1]: > >> https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html?wapkw=CVE-2020-12351 > >> > >> Signed-off-by: Robert Joslyn <[email protected]> > >> --- > >> meta/recipes-connectivity/bluez5/bluez5_5.55.bb | 2 ++ > >> 1 file changed, 2 insertions(+) > >> > >> diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb > >> b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb > >> index 8190924562..051fdef8ce 100644 > >> --- a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb > >> +++ b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb > >> @@ -3,6 +3,8 @@ require bluez5.inc > >> SRC_URI[md5sum] = "94972b8bc7ade60c72b0ffa6ccff2c0a" > >> SRC_URI[sha256sum] = > >> "8863717113c4897e2ad3271fc808ea245319e6fd95eed2e934fae8e0894e9b88" > >> > >> +CVE_CHECK_WHITELIST += "CVE-2020-12351 CVE-2020-12352" > >> + > >> # noinst programs in Makefile.tools that are conditional on READLINE > >> # support > >> NOINST_TOOLS_READLINE ?= " \ > >> -- > >> 2.26.2 > >> > >> > >> > >> > > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#147303): https://lists.openembedded.org/g/openembedded-core/message/147303 Mute This Topic: https://lists.openembedded.org/mt/79760997/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
