> On 5 Jul 2022, at 13:31, gauravsuman007 via lists.yoctoproject.org 
> <gauravsuman007=gmail....@lists.yoctoproject.org> wrote:
>
> I used the cve-check class by including it in local.conf and then ran the 
> bitbake build process for my image. I got a log of all the detected CVEs in 
> the packages used in the build. However, on closer inspection, I noticed that 
> the packages used in the build are already a higher version than the one in 
> which the CVE was patched. Here is an example:
>   • LAYER: meta
>   • PACKAGE NAME: libksba
>   • PACKAGE VERSION: 1.6.0
>   • CVE: CVE-2016-4355
>   • CVE STATUS: Patched
>   • CVE SUMMARY: Multiple integer overflows in ber-decoder.c in Libksba 
>     before 1.3.3 allow remote attackers to cause a denial of service (crash) 
>     via crafted BER data, which leads to a buffer overflow.
>   • CVSS v2 BASE SCORE: 5.0
>   • CVSS v3 BASE SCORE: 7.5
>   • VECTOR: NETWORK
>   • MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4355
> As can be seen, the CVE was patched in version 1.3.3 of libksba, while the 
> build is using version 1.6.0.
>
> Is there something wrong with what the cve-check is reporting or is it not 
> bothering to match the version numbers before reporting a CVE? Or maybe my 
> understanding of the report is incorrect?

I’m not sure I understand what your concern is.  We have version 1.6.0, the CVE 
was fixed in 1.3.3, so the security issue has been patched.

The status is “patched” even if there’s not a literal patch in the recipe; it 
should be “mitigated”, but we’d need to move to a new format to change the 
values.

Ross
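The exchange above boils down to a version-range comparison: a package whose version is at or above the version in which the CVE was fixed is outside the affected range and is therefore reported as "Patched", whether or not the recipe carries a patch file. The following is an added example, not code from the cve-check class or from either poster. It parses a report in the layout shown in the question and re-derives the status from an NVD-style affected range (a `start_including` / `end_excluding` pair, which is an assumption about how the range is expressed; the sample report text and the range for CVE-2016-4355 are constructed here from the values quoted above). The version key is a simplified numeric comparison, not cve-check's own.

```python
"""Added example (not cve-check's own code): parse a cve-check text report
and re-derive the Patched/Unpatched status from an NVD-style version range."""
import re

# Constructed sample in the layout of the report quoted in the thread.
SAMPLE_REPORT = """\
LAYER: meta
PACKAGE NAME: libksba
PACKAGE VERSION: 1.6.0
CVE: CVE-2016-4355
CVE STATUS: Patched
CVE SUMMARY: Multiple integer overflows in ber-decoder.c in Libksba before 1.3.3 allow remote attackers to cause a denial of service (crash) via crafted BER data, which leads to a buffer overflow.
CVSS v2 BASE SCORE: 5.0
CVSS v3 BASE SCORE: 7.5
VECTOR: NETWORK
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4355
"""

# Assumed affected range for the sample CVE, in NVD's start-including /
# end-excluding form: every version strictly below 1.3.3 is affected.
ASSUMED_RANGES = {"CVE-2016-4355": {"end_excluding": "1.3.3"}}


def parse_report(text):
    """Split a cve-check text report into one dict per CVE entry.

    Entries are separated by blank lines; each line is 'KEY: value'.
    A leading bullet, as in the pasted report, is tolerated and dropped.
    """
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def version_key(version):
    """Simplified numeric key: '1.10' sorts after '1.9', '1.3.3' after '1.3'.
    Only the numeric components are compared (assumption, good enough for
    dotted upstream versions like libksba's)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def status_for(package_version, end_excluding=None, start_including=None):
    """Return 'Unpatched' when package_version lies inside the affected range
    [start_including, end_excluding), otherwise 'Patched'.

    A version at or above the fix version is reported 'Patched' even though
    no patch file is present in the recipe, matching the thread's reading.
    """
    v = version_key(package_version)
    if start_including and v < version_key(start_including):
        return "Patched"   # older than the first affected release
    if end_excluding and v >= version_key(end_excluding):
        return "Patched"   # fixed in this or an earlier release
    return "Unpatched"


def recheck(entries, ranges):
    """Map each CVE in the report to (reported status, recomputed status)."""
    result = {}
    for entry in entries:
        cve = entry["CVE"]
        rng = ranges.get(cve, {})
        result[cve] = (entry["CVE STATUS"], status_for(entry["PACKAGE VERSION"], **rng))
    return result


if __name__ == "__main__":
    for cve, (reported, recomputed) in recheck(parse_report(SAMPLE_REPORT), ASSUMED_RANGES).items():
        print(f"{cve}: reported={reported} recomputed={recomputed}")
```

Running the block prints `CVE-2016-4355: reported=Patched recomputed=Patched`, i.e. libksba 1.6.0 sits above the 1.3.3 fix boundary, which is exactly why the report lists the CVE as "Patched" rather than as a false positive.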
View/Reply Online (#57454): https://lists.yoctoproject.org/g/yocto/message/57454