qemu: Set CVE_STATUS for wrong CVEs

Message ID 20240218165256.2804353-1-simone.p.weiss@posteo.com
State Accepted, archived
Commit a975960baffd341cd07cb093bef107c031c9b956

Commit Message

Simone Weiß Feb. 18, 2024, 4:52 p.m. UTC
From: Simone Weiß <simone.p.weiss@posteo.com>

All are already fixed in 8.2.1, NVD was informed that cpes are wrong.

Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
---
 meta/recipes-devtools/qemu/qemu.inc | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Richard Purdie Feb. 18, 2024, 5:42 p.m. UTC | #1
On Sun, 2024-02-18 at 16:52 +0000, Simone Weiß wrote:
> From: Simone Weiß <simone.p.weiss@posteo.com>
> 
> All are already fixed in 8.2.1, NVD was informed that cpes are wrong.
> 
> Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
> ---
>  meta/recipes-devtools/qemu/qemu.inc | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
> index 5d953e5ef5..233652fc49 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -68,6 +68,12 @@ CVE_STATUS[CVE-2023-0664] = "not-applicable-platform: Issue only applies on Wind
>  # As per https://bugzilla.redhat.com/show_bug.cgi?id=2203387
>  CVE_STATUS[CVE-2023-2680] = "not-applicable-platform: RHEL specific issue."
>  
> +CVE_STATUS[CVE-2023-3019] = "cpe-incorrect: Applies against versions > 8.2.0 only"
> +
> +CVE_STATUS[CVE-2023-5088] = "cpe-incorrect: Applies against versions >= 8.2.0 only"
> +
> +CVE_STATUS[CVE-2023-6693] = "cpe-incorrect: Applies against versions >= 8.2.0 only"
> +
>  COMPATIBLE_HOST:mipsarchn32 = "null"
>  COMPATIBLE_HOST:mipsarchn64 = "null"
>  COMPATIBLE_HOST:riscv32 = "null"
> 

Thanks for trying to resolve these.  

I'm struggling a little to read the above since to me that says the CVE
applies to versions greater than 8.2.0 so 8.2.1 would be affected?
Should the operators be the other way around, or should we spell it out
("applies to versions 8.2.0 and earlier")?

Cheers,

Richard

Simone Weiß Feb. 18, 2024, 6:37 p.m. UTC | #2
On Sun, 2024-02-18 at 17:42 +0000, Richard Purdie wrote:
> On Sun, 2024-02-18 at 16:52 +0000, Simone Weiß wrote:
> > From: Simone Weiß <simone.p.weiss@posteo.com>
> > 
> > All are already fixed in 8.2.1, NVD was informed that cpes are wrong.
> > 
> > Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
> > ---
> >  meta/recipes-devtools/qemu/qemu.inc | 6 ++++++
> >  1 file changed, 6 insertions(+)
> > 
> > diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-
> > devtools/qemu/qemu.inc
> > index 5d953e5ef5..233652fc49 100644
> > --- a/meta/recipes-devtools/qemu/qemu.inc
> > +++ b/meta/recipes-devtools/qemu/qemu.inc
> > @@ -68,6 +68,12 @@ CVE_STATUS[CVE-2023-0664] = "not-applicable-
> > platform: Issue only applies on Wind
> >  # As per https://bugzilla.redhat.com/show_bug.cgi?id=2203387
> >  CVE_STATUS[CVE-2023-2680] = "not-applicable-platform: RHEL specific
> > issue."
> >  
> > +CVE_STATUS[CVE-2023-3019] = "cpe-incorrect: Applies against versions
> > > 8.2.0 only"
> > +
> > +CVE_STATUS[CVE-2023-5088] = "cpe-incorrect: Applies against versions
> > >= 8.2.0 only"
> > +
> > +CVE_STATUS[CVE-2023-6693] = "cpe-incorrect: Applies against versions
> > >= 8.2.0 only"
> > +
> >  COMPATIBLE_HOST:mipsarchn32 = "null"
> >  COMPATIBLE_HOST:mipsarchn64 = "null"
> >  COMPATIBLE_HOST:riscv32 = "null"
> > 
> 
> Thanks for trying to resolve these.  
> 
> I'm struggling a little to read the above since to me that says the CVE
> applies to versions greater than 8.2.0 so 8.2.1 would be affected?
> Should the operators be the other way around, or should we spell it out
> ("applies to versions 8.2.0 and earlier")?
> 
> Cheers,
> 
> Richard

I'll spell it out

Patch

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 5d953e5ef5..233652fc49 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -68,6 +68,12 @@  CVE_STATUS[CVE-2023-0664] = "not-applicable-platform: Issue only applies on Wind
 # As per https://bugzilla.redhat.com/show_bug.cgi?id=2203387
 CVE_STATUS[CVE-2023-2680] = "not-applicable-platform: RHEL specific issue."
 
+CVE_STATUS[CVE-2023-3019] = "cpe-incorrect: Applies against versions > 8.2.0 only"
+
+CVE_STATUS[CVE-2023-5088] = "cpe-incorrect: Applies against versions >= 8.2.0 only"
+
+CVE_STATUS[CVE-2023-6693] = "cpe-incorrect: Applies against versions >= 8.2.0 only"
+
 COMPATIBLE_HOST:mipsarchn32 = "null"
 COMPATIBLE_HOST:mipsarchn64 = "null"
 COMPATIBLE_HOST:riscv32 = "null"
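
Review bot: the three added status strings for CVE-2023-3019, CVE-2023-5088 and CVE-2023-6693 give the affected range with operators that read opposite to the commit message. "Applies against versions > 8.2.0 only" says releases after 8.2.0 are affected, while the commit message says all three are already fixed in 8.2.1. The first entry also uses `>` where the other two use `>=`, and nothing in the patch explains the difference. Suggest writing the range out in words that agree with "already fixed in 8.2.1", using the same bound on all three entries unless they really differ, and adding a `# As per <reference>` comment above each entry, as the CVE-2023-2680 entry in the context lines has, so the cpe-incorrect claim can be checked later.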