Hi Richard,
Please find below the information specific to SQLite3.
NVD has CVEs reported for sqlite against two different products:
1. sqlite:sqlite
- Ref: https://nvd.nist.gov/vuln/detail/CVE-2020-13435
- This product is applicable to our sqlite3 SDK source
2. ghost:sqlite3
- Ref: https://nvd.nist.gov/vuln/detail/CVE-2022-21227
- This product applies to Node.js SQLite, which is not applicable to our SDK
Conclusion:
- To report CVEs of the SQLite3 source available in the SDK, CVE_PRODUCT must be
sqlite.
- We don't need to report CVEs where CVE_PRODUCT is sqlite3.
- In the Yocto SDK, the sqlite3 recipe should have: CVE_PRODUCT = "sqlite"
Thanks,
Sanjay
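As an added illustration of the CVE_PRODUCT point above (example code written for this thread, not part of the original message and not the matching code of OE-core's cve-check class), the script below models how a recipe's CVE_PRODUCT value selects NVD records. It assumes the vendor:product convention that cve-check accepts: a bare "product" entry matches that product under any vendor, while "vendor:product" matches only that exact pair. The NVD records are constructed inline; the first two mirror the CVEs cited above, and the third is a hypothetical placeholder (not a real CVE) that shows what Richard's concern would look like, a sqlite-vendor record filed under the sqlite3 product that CVE_PRODUCT = "sqlite" would not report.

```python
"""Added example: how a Yocto-style CVE_PRODUCT value selects NVD records.

Assumptions (constructed for illustration, not OE-core code):
- NVD records are modelled as (cve_id, vendor, product) tuples, mirroring
  the CPE vendor:product pairs quoted in the thread.
- CVE_PRODUCT entries follow the cve-check convention: "product" matches
  that product under any vendor; "vendor:product" matches the exact pair.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class NvdRecord:
    cve_id: str
    vendor: str
    product: str


# Constructed sample records. The first two use the CVE ids cited in the
# thread; the third is a hypothetical placeholder, not a real CVE, added to
# show the class of record that "CVE_PRODUCT = sqlite" silently skips.
SAMPLE_RECORDS = [
    NvdRecord("CVE-2020-13435", "sqlite", "sqlite"),
    NvdRecord("CVE-2022-21227", "ghost", "sqlite3"),
    NvdRecord("CVE-HYPOTHETICAL-0001", "sqlite", "sqlite3"),
]


def parse_cve_product(value: str) -> List[Tuple[Optional[str], str]]:
    """Split a whitespace-separated CVE_PRODUCT string into (vendor, product)
    patterns; vendor is None for bare product entries."""
    patterns = []
    for entry in value.split():
        if ":" in entry:
            vendor, product = entry.split(":", 1)
            patterns.append((vendor, product))
        else:
            patterns.append((None, entry))
    return patterns


def matches(record: NvdRecord, patterns) -> bool:
    """True if any pattern selects the record: product must match exactly,
    vendor must match only when the pattern names one."""
    return any(
        record.product == product and (vendor is None or record.vendor == vendor)
        for vendor, product in patterns
    )


def reported_cves(cve_product: str, records=SAMPLE_RECORDS) -> List[str]:
    """Return the sorted CVE ids that cve-check-style matching would report
    for a recipe whose CVE_PRODUCT is `cve_product`."""
    patterns = parse_cve_product(cve_product)
    return sorted(r.cve_id for r in records if matches(r, patterns))


if __name__ == "__main__":
    # Compare the settings discussed in the thread against the sample data.
    for setting in ("sqlite", "sqlite3", "sqlite:sqlite sqlite:sqlite3"):
        print(f'CVE_PRODUCT = "{setting}" -> {reported_cves(setting)}')
```

Run stand-alone, the script shows that "sqlite" reports only CVE-2020-13435 (the sqlite:sqlite record), "sqlite3" pulls in the ghost:sqlite3 Node.js record that the thread wants excluded, and a vendor-qualified "sqlite:sqlite sqlite:sqlite3" excludes the ghost record while still catching a sqlite-vendor record filed under the sqlite3 product, which is the scenario Richard asks about.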
-----Original Message-----
From: Richard Purdie <[email protected]>
Sent: Monday, May 29, 2023 3:11 PM
To: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
<[email protected]>; Martin Jansa <[email protected]>
Cc: [email protected]; Marta Rybczynska
<[email protected]>
Subject: Re: [OE-core][PATCH] sqlite3: Whitelist CVE-2022-21227
On Mon, 2023-05-29 at 08:39 +0000, Sanjaykumar kantibhai Chitroda -X (schitrod
- E-INFO CHIPS INC at Cisco) wrote:
> Hi,
>
> I have proposed a second commit to revert: Revert "sqlite3: update
> CVE_PRODUCT" - Patchwork (yoctoproject.org).
>
> Once the above commit is added on master, we don't need to add this
> commit, as CVE-2022-21227 is detected only because of the above commit.
My worry is that we keep going around in circles on this. Are we sure the CVE
database won't list things that are applicable under sqlite3?
Cheers,
Richard
View/Reply Online (#181860):
https://lists.openembedded.org/g/openembedded-core/message/181860