Hi, I have been trying Linux Kernel CVEs for a while now and found a weird part in generate-cve-exclusions.py.
https://git.openembedded.org/openembedded-core/tree/meta/recipes-kernel/linux/generate-cve-exclusions.py#n64

> affected = data["affected_versions"]
> first_affected, last_affected = re.search(r"(.+) to (.+)", affected).groups()
> first_affected = parse_version(first_affected)
> last_affected = parse_version(last_affected)
>
> if not last_affected:
>     print(f"# {cve} has no known resolution")
> elif first_affected and version < first_affected:
>     print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"')
> elif last_affected < version:
>     print(
>         f'CVE_STATUS[{cve}] = "fixed-version: Fixed after version {last_affected}"'

generate-cve-exclusions.py interprets "affected_versions" in kernel_cves.json literally as "first affected version" to "last affected version". However, "affected_versions" may actually mean "first affected version" to "fixed version".

I honestly don't know what's going on here, as I can't find any documentation for Linux Kernel CVEs. But, picking a random CVE and checking it in detail, I think the second element in "affected_versions" is actually a "fixed version". Some examples:

[CVE-2023-28327]
* In kernel_cves.json, "affected_versions" is described as "v5.3-rc1 to v6.1"
* the patch is https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b3abe42e94900bdd045c472f9c9be620ba5ce553
* v6.1-rc8 source is https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/unix/diag.c?h=v6.1-rc8#n117
* v6.1 source is https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/unix/diag.c?h=v6.1#n117
* It seems to be fixed in 6.1 (not after 6.1).

[CVE-2021-3772]
* In kernel_cves.json, "affected_versions" is described as "v2.6.12-rc2 to v5.15"
* the patch is https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f7019c7eb33967eb87766e0e4602b5576873680
* v5.15-rc7 source is https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/sctp/sm_statefuns.c?h=v5.15-rc7#n6350
* v5.15 source is https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/sctp/sm_statefuns.c?h=v5.15#n6380
* It seems to be fixed in 5.15 (not after 5.15).

[CVE-2022-39190]
* In kernel_cves.json, "affected_versions" is described as "v5.9-rc1 to v6.0-rc3"
* the patch is https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e02f0d3970404bfea385b6edb86f2d936db0ea2b
* v6.0-rc2 source is https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/netfilter/nf_tables_api.c?h=v6.0-rc2#n9708
* v6.0-rc3 source is https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/netfilter/nf_tables_api.c?h=v6.0-rc3#n9712
* It seems to be fixed in v6.0-rc3 (not after v6.0-rc3).

If the assumption is correct, I will try to write a patch.

Note that in reality, I think there are very few cases of error.

> elif last_affected < version:
>     print(
>         f'CVE_STATUS[{cve}] = "fixed-version: Fixed after version {last_affected}"'

The last_affected here is the major version (in short, last_affected is x.y, not x.y.z), so there is a possibility of error only if version is the major version. But actually, in most cases, version is x.y.z.

Regards,
Yuta Hayama
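The boundary case described in the message above, as an added example that is not part of the original post or of generate-cve-exclusions.py. It classifies a kernel version against an "affected_versions" string under both readings of the second element: the script's literal "last affected version" (`last_affected < version`) and the "fixed version" reading proposed in the message (`last_affected <= version`). The small `parse_version` here is an assumed stand-in for the script's packaging.version-based helper, written only so the example runs offline; the three "affected_versions" strings are the ones quoted in the message. It also shows why the discrepancy only matters when the version under test is an x.y release rather than x.y.z.

```python
import re

# Kernel tag such as "v6.1", "5.15-rc7" or "v6.0.3". The sort key orders an
# -rcN tag before the final release of the same x.y[.z], so 6.0-rc3 < 6.0 < 6.0.1.
_TAG = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?$")


def parse_version(s):
    """Return a comparable tuple for a kernel tag, or None for unset / "unk".

    Assumed stand-in for the script's helper (which returns a
    packaging.version.Version); only the None-for-"unk" behaviour is mirrored.
    """
    if not s or s == "unk":
        return None
    s = s.replace("-dontuse", "")
    m = _TAG.match(s)
    if not m:
        raise ValueError(f"unrecognised kernel version: {s!r}")
    major, minor, patch, rc = m.groups()
    # final releases get 1 in the fourth slot so they sort after any -rcN
    return (int(major), int(minor), int(patch or 0), 0 if rc else 1, int(rc or 0))


def classify(version, affected_versions, second_is_fixed):
    """Classify `version` against an "affected_versions" string.

    second_is_fixed=False reproduces the script's literal reading (the second
    element is the last affected version, so only strictly newer versions are
    fixed); second_is_fixed=True treats the second element as the fixed
    version, as the message proposes.
    Returns one of "unresolved", "unaffected", "fixed", "affected".
    """
    first, last = re.search(r"(.+) to (.+)", affected_versions).groups()
    first = parse_version(first)
    last = parse_version(last)
    v = parse_version(version)

    if last is None:
        return "unresolved"            # "# {cve} has no known resolution"
    if first is not None and v < first:
        return "unaffected"            # "only affects {first_affected} onwards"
    is_fixed = (last <= v) if second_is_fixed else (last < v)
    if is_fixed:
        return "fixed"                 # "Fixed after version {last_affected}"
    return "affected"


def compare_readings(version, affected_versions):
    """Return (literal_reading, fixed_version_reading) for one version/range pair."""
    return (
        classify(version, affected_versions, second_is_fixed=False),
        classify(version, affected_versions, second_is_fixed=True),
    )


if __name__ == "__main__":
    # Ranges as quoted from kernel_cves.json in the message; the versions under
    # test are constructed to hit the boundary.
    cases = [
        ("CVE-2023-28327", "v5.3-rc1 to v6.1", ["6.1-rc8", "6.1", "6.1.5"]),
        ("CVE-2021-3772", "v2.6.12-rc2 to v5.15", ["5.15-rc7", "5.15", "5.15.2"]),
        ("CVE-2022-39190", "v5.9-rc1 to v6.0-rc3", ["6.0-rc2", "6.0-rc3", "6.0"]),
    ]
    for cve, rng, versions in cases:
        for ver in versions:
            literal, fixed = compare_readings(ver, rng)
            flag = "  <-- readings differ" if literal != fixed else ""
            print(f"{cve} {rng!r} version {ver}: literal={literal} fixed-version={fixed}{flag}")
```

Only the version that equals the second element of the range (6.1, 5.15, 6.0-rc3) is classified differently by the two readings; an x.y.z stable release such as 6.1.5 is reported fixed either way, which is the "very few cases of error" point made in the message.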
