Sorry, I thought that a fixed CVE would be incorrectly marked as "has no known
resolution" if (last_affected == version) unless the following patch is applied,
but this was a misunderstanding.
--- a/meta/recipes-kernel/linux/generate-cve-exclusions.py
+++ b/meta/recipes-kernel/linux/generate-cve-exclusions.py
@@ -70,7 +70,7 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version"
print(f"# {cve} has no known resolution")
elif first_affected and version < first_affected:
print(f'CVE_STATUS[{cve}] = "fixed-version: only affects
{first_affected} onwards"')
- elif last_affected < version:
+ elif last_affected <= version:
print(
f'CVE_STATUS[{cve}] = "fixed-version: Fixed after version
{last_affected}"'
)
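Review bot: Changing `<` to `<=` on the `elif last_affected` line makes a build whose version equals last_affected print "fixed-version: Fixed after version {last_affected}", which contradicts itself, since the fix cannot be "after" the very version being built; if the second element of affected_versions is the fixed version, the message should change with the comparison, for example to "fixed-version: Fixed from version {last_affected}". The original `<` is also not a correctness gap for the equal case: the range check simply does not fire and the script falls through to the cpe-stable-backport check, as the output comparison below shows.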
Comparing the output for version 6.1 before and after applying above patch, the
following results were obtained:
--- 6.1.0_unpatched.inc 2023-09-05 09:59:54.166291339 +0900
+++ 6.1.0_patched.inc 2023-09-05 09:58:28.179817233 +0900
(... snip ...)
@@ -4422,7 +4422,7 @@
# CVE-2022-3642 has no known resolution
-CVE_STATUS[CVE-2022-3643] = "cpe-stable-backport: Backported in 6.1"
+CVE_STATUS[CVE-2022-3643] = "fixed-version: Fixed after version 6.1"
CVE_STATUS[CVE-2022-3646] = "fixed-version: Fixed after version 6.1rc1"
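Review bot: The only line the `<=` change touches in this sample is CVE-2022-3643, which moves from "cpe-stable-backport: Backported in 6.1" to "fixed-version: Fixed after version 6.1"; both labels mark the CVE as resolved for 6.1, so the patch changes how the resolution is described, not whether it is reported. The unchanged "# CVE-2022-3642 has no known resolution" context line is consistent with that label coming from the `not last_affected` branch rather than from the range comparison.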
If the range check for affected_versions is not hit, the script checks for
backports to the stable version, so the result is not "has no known resolution".
Since I didn't read the last part of the script properly, I missed it...
On the other hand, there still seems to be an issue in that the meaning of
CVE_STATUS is incorrect, so I will try to write a patch.
* I think "fixed-version: Fixed after version {last_affected}" is exactly
"fixed-version: Fixed *from* version {last_affected}".
(i.e., {last_affected} should already be fixed)
* Since the backported patches are not included in version X.Y,
"cpe-stable-backport: Backported in X.Y" should be
"fixed-version: Fixed from version X.Y".
Regards,
Yuta Hayama
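The classification this thread discusses, as an added example that is not the openembedded-core script itself: a self-contained stand-in for parse_version() plus the affected_versions range check under both readings of the second element, the original "last affected" reading and the "fixed version" reading proposed above. The regex, the tuple ordering and the helper names are my assumptions rather than the project's code; the CVE ranges are the ones quoted in the thread.

```python
import re

# Constructed stand-in for the script's parse_version(): not the project's
# code. Orders release candidates before the final release (v6.1-rc8 < v6.1)
# and treats "6.1" and "6.1.0" as equal. "unk" or an empty string yields None.
_VER_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-?rc(\d+))?$")

def parse_version(s):
    if not s or s == "unk":
        return None
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch, rc = m.groups()
    # Final releases sort after every rc of the same x.y.z.
    return (int(major), int(minor), int(patch or 0), 1 if rc is None else 0,
            int(rc or 0))

def classify(cve, affected_versions, version, fixed_from=True):
    """Return the CVE_STATUS line the range check yields, or None when it does
    not fire (the real script then falls through to its cpe-stable-backport
    check, not modelled here). fixed_from=False is the original comparison,
    reading the second element as the last *affected* version; fixed_from=True
    reads it as the *fixed* version, as argued in the thread."""
    first, last = re.search(r"(.+) to (.+)", affected_versions).groups()
    first_affected, fixed = parse_version(first), parse_version(last)
    if not fixed:
        return f"# {cve} has no known resolution"
    if first_affected and version < first_affected:
        return f'CVE_STATUS[{cve}] = "fixed-version: only affects {first} onwards"'
    if fixed_from:
        if fixed <= version:
            return f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {last}"'
    elif fixed < version:
        return f'CVE_STATUS[{cve}] = "fixed-version: Fixed after version {last}"'
    return None

if __name__ == "__main__":
    # Ranges quoted in the thread. The two readings diverge only on a build that
    # is exactly the second element (an x.y build); x.y.z builds agree.
    cases = [("CVE-2023-28327", "v5.3-rc1 to v6.1", "v6.1-rc8", "6.1", "6.1.5"),
             ("CVE-2021-3772", "v2.6.12-rc2 to v5.15", "v5.15-rc7", "5.15", "5.15.2"),
             ("CVE-2022-39190", "v5.9-rc1 to v6.0-rc3", "v6.0-rc2", "v6.0-rc3", "6.0")]
    for cve, rng, *builds in cases:
        for b in builds:
            v = parse_version(b)
            print(f"{cve} {rng!r} build {b}: original={classify(cve, rng, v, False)!r}"
                  f" fixed_from={classify(cve, rng, v)!r}")
```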
On 2023/09/01 15:03, Yuta Hayama via lists.openembedded.org wrote:
> Hi,
>
> I have been trying Linux Kernel CVEs for a while now and found a weird part in
> generate-cve-exclusions.py.
>
> https://git.openembedded.org/openembedded-core/tree/meta/recipes-kernel/linux/generate-cve-exclusions.py#n64
>
>> affected = data["affected_versions"]
>> first_affected, last_affected = re.search(r"(.+) to (.+)",
>> affected).groups()
>> first_affected = parse_version(first_affected)
>> last_affected = parse_version(last_affected)
>>
>> if not last_affected:
>> print(f"# {cve} has no known resolution")
>> elif first_affected and version < first_affected:
>> print(f'CVE_STATUS[{cve}] = "fixed-version: only affects
>> {first_affected} onwards"')
>> elif last_affected < version:
>> print(
>> f'CVE_STATUS[{cve}] = "fixed-version: Fixed after version
>> {last_affected}"'
>
> generate-cve-exclusions.py interprets "affected_versions" in kernel_cves.json
> literally as "first affected version" to "last affected version". However,
> "affected_versions" may actually mean "first affected version" to "fixed
> version".
>
> I honestly don't know what's going on here, as I can't find any documentation
> for Linux Kernel CVEs. But, picking up a random CVE and checking it in detail,
> I think the second element in "affected_versions" is actually a "fixed
> version".
>
> Some examples.
>
> [CVE-2023-28327]
> * In kernel_cves.json, "affected_versions" is described as "v5.3-rc1 to v6.1"
> * the patch is
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b3abe42e94900bdd045c472f9c9be620ba5ce553
> * v6.1-rc8 source is
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/unix/diag.c?h=v6.1-rc8#n117
> * v6.1 source is
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/unix/diag.c?h=v6.1#n117
> * It seems to be fixed in 6.1 (not after 6.1).
>
> [CVE-2021-3772]
> * In kernel_cves.json, "affected_versions" is described as "v2.6.12-rc2 to
> v5.15"
> * the patch is
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4f7019c7eb33967eb87766e0e4602b5576873680
> * v5.15-rc7 source is
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/sctp/sm_statefuns.c?h=v5.15-rc7#n6350
> * v5.15 source is
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/sctp/sm_statefuns.c?h=v5.15#n6380
> * It seems to be fixed in 5.15 (not after 5.15).
>
> [CVE-2022-39190]
> * In kernel_cves.json, "affected_versions" is described as "v5.9-rc1 to
> v6.0-rc3"
> * the patch is
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e02f0d3970404bfea385b6edb86f2d936db0ea2b
> * v6.0-rc2 source is
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/netfilter/nf_tables_api.c?h=v6.0-rc2#n9708
> * v6.0-rc3 source is
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/netfilter/nf_tables_api.c?h=v6.0-rc3#n9712
> * It seems to be fixed in v6.0-rc3 (not after v6.0-rc3).
>
> If the assumption is correct, I will try to write a patch.
>
> Note that in reality, I think there are very few cases of error.
>
>> elif last_affected < version:
>> print(
>> f'CVE_STATUS[{cve}] = "fixed-version: Fixed after version
>> {last_affected}"'
>
> The last_affected here is the major version (in short, the last_affected is
> x.y, not x.y.z), so there is a possibility of error only if version is the
> major version. But actually, in most cases, version is x.y.z.
>
> Regards,
>
> Yuta Hayama
>
View/Reply Online (#187196):
https://lists.openembedded.org/g/openembedded-core/message/187196