Re: [OE-core][PATCH] sqlite3: Whitelist CVE-2022-21227
2023-05-29
Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) via lists.openembedded.org
Hi Richard,

Please find below information on the specific SQLite3 products.

NVD has CVEs reported for sqlite against two different products:

1. sqlite:sqlite
   - Ref: https://nvd.nist.gov/vuln/detail/CVE-2020-13435
   - This product is applicable to our sqlite3 SDK source.
2. ghost:sqlite3
   - Ref: https://nvd.nist.gov/vuln/detail/CVE-2022-21227
   - This product is applicable to Node.js SQLite, which is not applicable to our SDK.

Conclusion:
- To report CVEs of the SQLite3 source available in the SDK, CVE_PRODUCT needs to be sqlite.
- We don't need to report CVEs where CVE_PRODUCT is sqlite3.
- In the Yocto SDK, the sqlite3 recipe should have: CVE_PRODUCT= "sqlite"

Thanks,
Sanjay

-----Original Message-----
From: Richard Purdie
Sent: Monday, May 29, 2023 3:11 PM
To: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco); Martin Jansa
Cc: openembedded-core@lists.openembedded.org; Marta Rybczynska
Subject: Re: [OE-core][PATCH] sqlite3: Whitelist CVE-2022-21227

On Mon, 2023-05-29 at 08:39 +, Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) wrote:
> Hi,
>
> I have proposed a second commit to revert: Revert "sqlite3: update
> CVE_PRODUCT" - Patchwork (yoctoproject.org).
>
> Once the above commit is added on master we don't need to add this
> commit, as CVE-2022-21227 is detected due to the above commit only.

My worry is that we keep going around in circles on this. Are we sure the CVE database won't list things that are applicable under sqlite3?

Cheers,

Richard

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#181861): https://lists.openembedded.org/g/openembedded-core/message/181861
Mute This Topic: https://lists.openembedded.org/mt/99178473/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
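The two-product breakdown in the message above can be checked mechanically. The Python below is an added example, not part of the thread and not OE-core's cve-check class: it models the vendor:product matching that CVE_PRODUCT drives, over a constructed two-record NVD sample built from the CVE ids and CPE products quoted in the message. The `vendor:product` entry syntax, the bare-product-matches-any-vendor rule and the `CVE_CHECK_IGNORE` subtraction are simplifying assumptions about the recipe semantics, not the class's actual code.

```python
"""Model of how a recipe's CVE_PRODUCT selects NVD records by CPE product.

Added example; not OE-core's cve-check implementation. It reproduces only the
vendor:product matching idea discussed in the thread over a constructed
two-record NVD sample, so the effect of CVE_PRODUCT = "sqlite3" versus
CVE_PRODUCT = "sqlite" is visible without a CVE database.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NvdRecord:
    """One NVD entry reduced to the CPE fields that matter for matching."""
    cve_id: str
    vendor: str
    product: str


# Constructed sample: the two CPE products named in the thread, with the CVE
# ids the message cites. Illustrative, not a dump of NVD.
SAMPLE_NVD = (
    NvdRecord("CVE-2020-13435", "sqlite", "sqlite"),   # the SQLite C library
    NvdRecord("CVE-2022-21227", "ghost", "sqlite3"),   # Node.js sqlite3 bindings
)


def parse_cve_product(value):
    """Split a CVE_PRODUCT string into (vendor, product) pairs.

    Entries are whitespace separated. An entry may be written "vendor:product"
    or bare "product"; a bare product matches any vendor ("*"). Assumption:
    a simplified reading of the recipe syntax the thread relies on.
    """
    pairs = []
    for entry in value.split():
        if ":" in entry:
            vendor, product = entry.split(":", 1)
        else:
            vendor, product = "*", entry
        pairs.append((vendor, product))
    return pairs


def match_report(cve_product, records):
    """Map each matching CVE id to the CPE 'vendor:product' that matched it.

    A record matches when its product equals an entry's product and the entry's
    vendor is either "*" or equal to the record's vendor.
    """
    pairs = parse_cve_product(cve_product)
    report = {}
    for rec in records:
        for vendor, product in pairs:
            if rec.product == product and vendor in ("*", rec.vendor):
                report[rec.cve_id] = f"{rec.vendor}:{rec.product}"
                break
    return report


def matching_cves(cve_product, records, ignore=""):
    """Sorted CVE ids reported for a recipe: CPE matches minus CVE_CHECK_IGNORE.

    `ignore` takes the CVE_CHECK_IGNORE form, a whitespace-separated id list.
    """
    ignored = set(ignore.split())
    return sorted(set(match_report(cve_product, records)) - ignored)


if __name__ == "__main__":
    for setting in ("sqlite3", "sqlite sqlite3", "sqlite", "sqlite:sqlite"):
        print(f'CVE_PRODUCT = "{setting}" -> {match_report(setting, SAMPLE_NVD)}')
    # The patch's workaround: keep the broad product list but ignore one id.
    print(matching_cves("sqlite sqlite3", SAMPLE_NVD, ignore="CVE-2022-21227"))
```

Run as a script, the report shows CVE-2022-21227 appearing only through the `ghost:sqlite3` record whenever `sqlite3` is listed as a product, and disappearing again once CVE_PRODUCT is narrowed to `sqlite` or `sqlite:sqlite`; the ignore entry in the patch hides the same match by id instead, which is why the thread treats the CVE_PRODUCT setting as the real fix.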
Re: [OE-core][PATCH] sqlite3: Whitelist CVE-2022-21227
On Mon, 2023-05-29 at 08:39 +, Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) wrote:
> Hi,
>
> I have proposed a second commit to revert: Revert "sqlite3: update
> CVE_PRODUCT" - Patchwork (yoctoproject.org).
>
> Once the above commit is added on master we don't need to add
> this commit, as CVE-2022-21227 is detected due to the above commit only.

My worry is that we keep going around in circles on this. Are we sure the CVE database won't list things that are applicable under sqlite3?

Cheers,

Richard

View/Reply Online (#181858): https://lists.openembedded.org/g/openembedded-core/message/181858
Re: [OE-core][PATCH] sqlite3: Whitelist CVE-2022-21227
2023-05-29
Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) via lists.openembedded.org
Hi,

I have proposed a second commit to revert: Revert "sqlite3: update CVE_PRODUCT" - Patchwork (yoctoproject.org) <https://patchwork.yoctoproject.org/project/oe-core/patch/20230528064732.3890226-1-schit...@cisco.com/>.

Once the above commit is added on master we don't need to add this commit, as CVE-2022-21227 is detected due to the above commit only.

Thanks,
Sanjay

From: openembedded-core@lists.openembedded.org On Behalf Of Martin Jansa
Sent: Monday, May 29, 2023 12:52 PM
To: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH] sqlite3: Whitelist CVE-2022-21227

The patch author seems a bit mangled by ML, see:

author schitrod=cisco@lists.openembedded.org 2023-05-27 22:52:52 -0700
https://git.openembedded.org/openembedded-core/commit/?h=master-next=5f15caa526bb57070b9abb9ba2f488ee1bfb5372

Is it correct?

On Sun, May 28, 2023 at 7:53 AM Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) via lists.openembedded.org wrote:

This CVE is applicable to "SQLite3 bindings for Node.js" only.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-21227

Signed-off-by: Sanjay Chitroda <schit...@cisco.com>
---
 meta/recipes-support/sqlite/sqlite3_3.41.2.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
index b09e8e7f55..11bc8bb4c0 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
@@ -12,3 +12,6 @@ CVE_CHECK_IGNORE += "CVE-2019-19242" CVE_CHECK_IGNORE += "CVE-2015-3717" # Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f CVE_CHECK_IGNORE += "CVE-2021-36690" +# As per https://nvd.nist.gov/vuln/detail/CVE-2022-21227 +# this bug is applicable to SQLite3 Node.js +CVE_CHECK_IGNORE += "CVE-2022-21227" -- 2.35.6 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#181856): https://lists.openembedded.org/g/openembedded-core/message/181856 Mute This Topic: https://lists.openembedded.org/mt/99178473/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
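Review bot: The added CVE_CHECK_IGNORE line for CVE-2022-21227 papers over a product-matching mismatch rather than recording a bug that does not apply to this code. Per the NVD entry cited in the hunk's comment, the CVE is filed against the Node.js sqlite3 bindings (the ghost:sqlite3 CPE), and as the thread notes it only shows up because the recipe's CVE_PRODUCT was changed to include "sqlite3"; restoring CVE_PRODUCT = "sqlite" removes the match with no ignore entry, whereas keeping the broad product list means every future CVE filed under ghost:sqlite3 needs another id-specific ignore. If the ignore is kept anyway, the comment should state why the match is spurious so it can be retired later, e.g.
`# CVE-2022-21227 is filed against the ghost:sqlite3 CPE (Node.js bindings), not sqlite:sqlite;`
`# it only matches because CVE_PRODUCT includes "sqlite3".`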
Re: [OE-core][PATCH] sqlite3: Whitelist CVE-2022-21227
The patch author seems a bit mangled by ML, see: author schitrod=cisco@lists.openembedded.org 2023-05-27 22:52:52 -0700 https://git.openembedded.org/openembedded-core/commit/?h=master-next=5f15caa526bb57070b9abb9ba2f488ee1bfb5372 Is it correct? On Sun, May 28, 2023 at 7:53 AM Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) via lists.openembedded.org wrote: > This CVE is applicable to "SQLite3 bindings for Node.js" only. > > References: > https://nvd.nist.gov/vuln/detail/CVE-2022-21227 > > Signed-off-by: Sanjay Chitroda > --- > meta/recipes-support/sqlite/sqlite3_3.41.2.bb | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb > b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb > index b09e8e7f55..11bc8bb4c0 100644 > --- a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb > +++ b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb > @@ -12,3 +12,6 @@ CVE_CHECK_IGNORE += "CVE-2019-19242" > CVE_CHECK_IGNORE += "CVE-2015-3717" > # Issue in an experimental extension we don't have/use. Fixed by > https://sqlite.org/src/info/b1e0c22ec981cf5f > CVE_CHECK_IGNORE += "CVE-2021-36690" > +# As per https://nvd.nist.gov/vuln/detail/CVE-2022-21227 > +# this bug is applicable to SQLite3 Node.js > +CVE_CHECK_IGNORE += "CVE-2022-21227" > -- > 2.35.6 > > > > > -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#181852): https://lists.openembedded.org/g/openembedded-core/message/181852 Mute This Topic: https://lists.openembedded.org/mt/99178473/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
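Review bot: The commit subject says "Whitelist" while the hunk's mechanism is CVE_CHECK_IGNORE; the subject should name the mechanism and the reason, e.g. "sqlite3: ignore CVE-2022-21227 (affects only the Node.js bindings)", so that a git log reader can tell an ignore entry from an actual fix. Separately, as raised above in this reply, the commit's author came through as `schitrod=cisco@lists.openembedded.org` while the Signed-off-by is Sanjay Chitroda at cisco.com; the From header should carry the real address so author and Signed-off-by agree before this is merged.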