On Mon, 2024-12-30 at 19:22 +0000, Colin McAllister via lists.openembedded.org 
wrote:
> The cve_check functionality to parse CVE IDs from the patch filename and
> patch contents has been reworked to improve parsing and also utilize
> tests. This ensures that the parsing works as intended.
> 
> Additionally, the new patched_cves dict has a few issues I tried to fix
> as well. If multiple patch files exist for a single CVE ID, only the
> last one will show up with the "resource" key. The value for the
> "resource" key has been updated to hold a list and return all patch
> files associated with a given CVE ID. Also, at the end of
> get_patch_cves, CVE_STATUS can overwrite an existing entry in the dict.
> This could cause an issue, for example, if a CVE has been addressed via
> a patch, but a CVE_STATUS line also exists that ignores the given CVE
> ID. A warning has been added if this ever happens.
> 
> Signed-off-by: Colin McAllister <[email protected]>
> ---
> 
> I noticed that there are some patches, especially in older versions of
> Yocto, where the "CVE: " tag was used with multiple CVE IDs in different
> formats, like "CVE-YYYY-XXXX & CVE-YYYY-XXXX" or
> "CVE-YYYY-XXXX, CVE-YYYY-XXXX". Currently, only space-delimited CVE
> IDs will be parsed, but documentation doesn't indicate that is the only
> supported format. I figured it'd be nice to update the code to be able
> to support multiple formats, that way this patch could be backported to
> fix those patches. I also wanted to add unit tests to ensure the patch
> parsing behavior is preserved.
> 
> I'd also like to update the patch filename parsing to parse multiple CVE
> IDs from the filename, but based on the comments, it seems like there
> was a reason why only the last CVE ID is extracted from the filename.
> I'd be happy to submit a V2 patch or an additional patch to update the
> function if that sounds good for the maintainers.

I think this resulted in a few issues. The weekly CVE report gained 32
new entries this week and many of them are clearly patched.

New this week: 32 CVEs
CVE-2014-8139 (CVSS3: 7.8 HIGH): unzip:unzip-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8139 *
CVE-2014-8140 (CVSS3: 7.8 HIGH): unzip:unzip-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8140 *
CVE-2014-8141 (CVSS3: 7.8 HIGH): unzip:unzip-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8141 *
CVE-2014-9636 (CVSS3: N/A): unzip:unzip-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9636 *
CVE-2014-9913 (CVSS3: 4.0 MEDIUM): unzip:unzip-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9913 *
CVE-2015-7696 (CVSS3: N/A): unzip:unzip-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7696 *
CVE-2015-7697 (CVSS3: N/A): unzip:unzip-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7697 *
CVE-2016-9844 (CVSS3: 4.0 MEDIUM): unzip:unzip-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9844 *
CVE-2018-1000035 (CVSS3: 7.8 HIGH): unzip:unzip-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000035 *
CVE-2018-1000156 (CVSS3: 7.8 HIGH): patch:patch-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000156 *
CVE-2018-10195 (CVSS3: 7.1 HIGH): lrzsz 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10195 *
CVE-2018-18384 (CVSS3: 5.5 MEDIUM): unzip:unzip-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18384 *
CVE-2018-20969 (CVSS3: 7.8 HIGH): patch:patch-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20969 *
CVE-2018-6951 (CVSS3: 7.5 HIGH): patch:patch-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6951 *
CVE-2018-6952 (CVSS3: 7.5 HIGH): patch:patch-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6952 *
CVE-2019-13232 (CVSS3: 3.3 LOW): unzip:unzip-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13232 *
CVE-2019-13636 (CVSS3: 5.9 MEDIUM): patch:patch-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13636 *
CVE-2019-13638 (CVSS3: 7.8 HIGH): patch:patch-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13638 *
CVE-2019-20633 (CVSS3: 5.5 MEDIUM): patch:patch-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20633 *
CVE-2020-27748 (CVSS3: 6.5 MEDIUM): xdg-utils 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27748 *
CVE-2021-3468 (CVSS3: 5.5 MEDIUM): avahi 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3468 *
CVE-2021-4217 (CVSS3: 3.3 LOW): unzip:unzip-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4217 *
CVE-2022-0529 (CVSS3: 5.5 MEDIUM): unzip:unzip-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0529 *
CVE-2022-0530 (CVSS3: 5.5 MEDIUM): unzip:unzip-native 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0530 *
CVE-2022-33065 (CVSS3: 7.8 HIGH): libsndfile1 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-33065 *
CVE-2022-4055 (CVSS3: 7.4 HIGH): xdg-utils 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4055 *
CVE-2023-38469 (CVSS3: 5.5 MEDIUM): avahi 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38469 *
CVE-2023-38470 (CVSS3: 5.5 MEDIUM): avahi 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38470 *
CVE-2023-38471 (CVSS3: 5.5 MEDIUM): avahi 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38471 *
CVE-2023-38472 (CVSS3: 5.5 MEDIUM): avahi 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38472 *
CVE-2023-38473 (CVSS3: 5.5 MEDIUM): avahi 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38473 *
CVE-2024-50612 (CVSS3: 5.5 MEDIUM): libsndfile1 
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-50612 *

meta/recipes-extended/unzip/unzip has:

0001-unzip-fix-CVE-2018-1000035.patch
09-cve-2014-8139-crc-overflow.patch
10-cve-2014-8140-test-compr-eb.patch
11-cve-2014-8141-getzip64data.patch
18-cve-2014-9913-unzip-buffer-overflow.patch
19-cve-2016-9844-zipinfo-buffer-overflow.patch
cve-2014-9636.patch
CVE-2015-7696.patch
CVE-2015-7697.patch
CVE-2018-18384.patch
CVE-2019-13232_p1.patch
CVE-2019-13232_p2.patch
CVE-2019-13232_p3.patch
CVE-2021-4217.patch
CVE-2022-0529.patch
CVE-2022-0530.patch

which cover some of the above.

Cheers,

Richard
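As an added example, not code from the patch under review or from oe-core's cve_check, here is a small Python sketch of the parsing rules the description above asks for: several CVE IDs on one "CVE:" line separated by spaces, commas or "&", a "resource" list per CVE holding every patch file, and a warning instead of an overwrite when CVE_STATUS names a CVE that a patch already covers. Matching is case-insensitive so lowercase filenames like 09-cve-2014-8139-crc-overflow.patch from the unzip listing are recognised; the function names, the "status" key and the sample patch contents are assumptions made for this example.

```python
import re

# Case-insensitive, so "09-cve-2014-8139-crc-overflow.patch" is found like "CVE-2014-8139.patch".
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
# A "CVE:" header line; the IDs after it may be separated by spaces, commas or "&".
CVE_TAG_RE = re.compile(r"^[ \t]*CVE:[ \t]*(.+)$", re.IGNORECASE | re.MULTILINE)

def _unique_upper(matches):
    ids = []
    for m in matches:
        cid = m.upper()
        if cid not in ids:
            ids.append(cid)
    return ids

def cves_from_filename(name):
    """All CVE IDs in a patch filename, upper-cased, in first-seen order."""
    return _unique_upper(CVE_RE.findall(name))

def cves_from_tag(text):
    """CVE IDs on 'CVE:' lines of a patch header, whatever the delimiter."""
    return _unique_upper(m for line in CVE_TAG_RE.findall(text)
                         for m in CVE_RE.findall(line))

def collect_patched(patches, cve_status):
    """Build patched_cves from {filename: contents} and a {cve_id: status} map.
    "resource" lists every patch for a CVE; CVE_STATUS never overwrites a patched entry."""
    patched, warnings = {}, []
    for fname, contents in patches.items():
        for cid in cves_from_filename(fname) + cves_from_tag(contents):
            entry = patched.setdefault(cid, {"status": "Patched", "resource": []})
            if fname not in entry["resource"]:
                entry["resource"].append(fname)
    for cid, status in cve_status.items():
        if cid in patched:
            warnings.append(f"{cid}: CVE_STATUS '{status}' conflicts with "
                            f"patch(es) {patched[cid]['resource']}")
            continue  # keep the patch evidence; do not let CVE_STATUS win silently
        patched[cid] = {"status": status, "resource": []}
    return patched, warnings

# Constructed sample: filenames from the unzip listing in the thread, header text made up.
SAMPLE_PATCHES = {
    "09-cve-2014-8139-crc-overflow.patch": "Fix CRC32 overflow\n",
    "CVE-2019-13232_p1.patch": "Upstream-Status: Backport\nCVE: CVE-2019-13232\n",
    "CVE-2019-13232_p2.patch": "CVE: CVE-2019-13232\n",
    "fix-zipinfo.patch": "CVE: CVE-2016-9844 & CVE-2014-9913, CVE-2018-18384\n",
}
SAMPLE_STATUS = {"CVE-2014-8139": "not-applicable-config: constructed example"}
```

Running collect_patched(SAMPLE_PATCHES, SAMPLE_STATUS) yields both CVE-2019-13232 patch files under one "resource" list and a single warning for the CVE-2014-8139 conflict.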
View/Reply Online (#209679): 
https://lists.openembedded.org/g/openembedded-core/message/209679