On 9/1/23 17:21, Marko, Peter wrote:

-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Changqing Li via lists.openembedded.org
Sent: Friday, September 1, 2023 11:02
To: [email protected]
Subject: [OE-core] [PATCH] sqlite3: set CVE_STATUS for CVE-2023-36191

From: Changqing Li <[email protected]>

The error is a bug. It has been fixed upstream. But it is not a vulnerability. 
You may safely ignore the CVE.

Refer:
[1] https://www.sqlite.org/forum/forumpost/19f55ef73b

Signed-off-by: Changqing Li <[email protected]>
---
  meta/recipes-support/sqlite/sqlite3_3.42.0.bb | 2 ++
  1 file changed, 2 insertions(+)

diff --git a/meta/recipes-support/sqlite/sqlite3_3.42.0.bb 
b/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
index 8783f620f4..b37644580c 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
@@ -6,3 +6,5 @@ LIC_FILES_CHKSUM = 
"file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
  SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz";
  SRC_URI[sha256sum] = 
"7abcfd161c6e2742ca5c6c0895d1f853c940f203304a0b49da4e1eca5d088ca6"

+CVE_STATUS[CVE-2023-36191] = "The error is a bug. It has been fixed upstream. But 
it is not a vulnerability"
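Review bot: the CVE_STATUS value added in this hunk has no status keyword before the description, which is what the CVE status map keys on, so as written the entry cannot be classified; prefix the description with the intended status, e.g. `CVE_STATUS[CVE-2023-36191] = "disputed: The error is a bug. It has been fixed upstream. But it is not a vulnerability"`, and consider carrying the upstream reference from the commit message (https://www.sqlite.org/forum/forumpost/19f55ef73b) into the description so the rationale is visible from the recipe itself.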
This is the wrong format since it's missing the CVE status map prefix.
It needs to be something like:
CVE_STATUS[CVE-2023-36191] = "disputed: The error is a bug. It has been fixed 
upstream. But it is not a vulnerability"
Thanks for pointing this out.

Also, since this CVE is reported in the NVD DB for 3.40.1 only, this CVE exclusion 
is not needed for the 3.42.0 recipe.

The NVD DB is not 100% correct. The problematic code also exists in 3.42.0; if this is a real CVE, it will also influence 3.42.0.

So I will send a V2 with fixes for the above comments. We can drop this setting after sqlite3 is upgraded to the version with the bug fix.


Regards

Changqing


+
--
2.25.1
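The format point raised above (a CVE_STATUS value must start with a status keyword followed by a colon) is easy to catch mechanically before a patch is posted. The following checker is an added example written for this thread; it is not part of the patch, of OE-core or of cve-check.bbclass. It assumes that CVE_STATUS values take the form "<status>: <description>" and that the accepted status keywords are those of the default CVE_CHECK_STATUSMAP: only "disputed" is confirmed by the thread, the rest of the list is recalled from the class and is an assumption that must be kept in sync with it. The recipe fragments it runs over are constructed, the first carrying the value exactly as the posted patch wrote it and the second the corrected form suggested in the review.

```python
import re

# Status keywords accepted by the default CVE_CHECK_STATUSMAP in OE-core's
# cve-check.bbclass. Assumption: only "disputed" is confirmed by the thread;
# the others are recalled from the class and must be kept in sync with it.
KNOWN_STATUSES = {
    "patched", "backported-patch", "cpe-stable-backport", "fixed-version",
    "ignored", "cpe-incorrect", "disputed", "not-applicable-platform",
    "not-applicable-config", "upstream-wontfix",
    "unpatched", "vulnerable-investigating",
}

# Matches one CVE_STATUS flag assignment on a single logical line.
CVE_STATUS_RE = re.compile(
    r'^[ \t]*CVE_STATUS\[(CVE-\d{4}-\d{4,})\][ \t]*=[ \t]*"([^"]*)"',
    re.MULTILINE,
)


def join_continuations(text):
    """Fold BitBake backslash line continuations into single logical lines."""
    return re.sub(r"\\\n[ \t]*", " ", text)


def parse_cve_status(text):
    """Return {cve_id: value} for every CVE_STATUS assignment in recipe text."""
    return {
        m.group(1): m.group(2)
        for m in CVE_STATUS_RE.finditer(join_continuations(text))
    }


def check_value(value):
    """Return None if value is '<status>: <description>' with a known status,
    otherwise a short description of the problem."""
    status, sep, description = value.partition(":")
    if not sep:
        return "missing status prefix (expected '<status>: <description>')"
    status = status.strip()
    if status not in KNOWN_STATUSES:
        return f"unknown status {status!r}"
    if not description.strip():
        return "empty description"
    return None


def lint_recipe(text):
    """Return {cve_id: problem} for every malformed CVE_STATUS entry."""
    findings = {}
    for cve, value in parse_cve_status(text).items():
        problem = check_value(value)
        if problem:
            findings[cve] = problem
    return findings


# Constructed recipe fragments: the first carries the value exactly as the
# posted patch wrote it, the second the form suggested in the review.
BROKEN_RECIPE = '''SUMMARY = "Embeddable SQL database engine"
CVE_STATUS[CVE-2023-36191] = "The error is a bug. It has been fixed upstream. But it is not a vulnerability"
'''

FIXED_RECIPE = '''SUMMARY = "Embeddable SQL database engine"
CVE_STATUS[CVE-2023-36191] = "disputed: The error is a bug. It has been fixed \\
    upstream. But it is not a vulnerability"
'''

if __name__ == "__main__":
    for name, recipe in (("broken", BROKEN_RECIPE), ("fixed", FIXED_RECIPE)):
        print(name, lint_recipe(recipe) or "ok")
```

Run against a whole recipe file (`lint_recipe(open(path).read())`) the checker flags the unprefixed value from the original patch and passes the "disputed: ..." form; it also reports a typo in the status keyword, which the colon alone would not catch.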