libyaml: Amend CVE status as 'upstream-wontfix'

Message ID	20240801101719.89910-1-niko.mauno@vaisala.com
State	Accepted, archived
Commit	c66d9a2a0d197498fa21ee8ca51a4afb59f75473
Headers	show Return-Path: <niko.mauno@vaisala.com> ip: 83.102.40.153, mailfrom: niko.mauno@vaisala.com) From: niko.mauno@vaisala.com To: openembedded-core@lists.openembedded.org Cc: Niko Mauno <niko.mauno@vaisala.com> Subject: [PATCH] libyaml: Amend CVE status as 'upstream-wontfix' Date: Thu, 1 Aug 2024 13:17:19 +0300 Message-Id: <20240801101719.89910-1-niko.mauno@vaisala.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable
Series	libyaml: Amend CVE status as 'upstream-wontfix' \| expand libyaml: Amend CVE status as 'upstream-wontfix'

Message ID

20240801101719.89910-1-niko.mauno@vaisala.com

State

Accepted, archived

Commit

c66d9a2a0d197498fa21ee8ca51a4afb59f75473

Headers

From: niko.mauno@vaisala.com
To: openembedded-core@lists.openembedded.org
Cc: Niko Mauno <niko.mauno@vaisala.com>
Subject: [PATCH] libyaml: Amend CVE status as 'upstream-wontfix'
Date: Thu,  1 Aug 2024 13:17:19 +0300
Message-Id: <20240801101719.89910-1-niko.mauno@vaisala.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Series

libyaml: Amend CVE status as 'upstream-wontfix' | expand

Commit Message

Niko Mauno Aug. 1, 2024, 10:17 a.m. UTC

From: Niko Mauno <niko.mauno@vaisala.com>

Use an existing defined CVE_CHECK_STATUSMAP key in
meta/lib/oe/cve_check.py in order to avoid following complaint from
BitBake:

  WARNING: libyaml-native-0.2.5-r0 do_create_spdx: Invalid detail "wontfix" for CVE_STATUS[CVE-2024-35328] = "wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302", fallback to Unpatched

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
---
 meta/recipes-support/libyaml/libyaml_0.2.5.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Guðni Már Gilbert Aug. 2, 2024, 2:25 p.m. UTC | #1

I wonder if it would be good to backport this to Scarthgap. I'm getting the following warning for unpatched CVE on latest scarthgap:

WARNING: libyaml-0.2.5-r0 do_cve_check: Found unpatched CVE (CVE-2024-35328), for more information check /home/builder/yocto/build/tmp/work/cortexa9t2hf-neon-tdx-linux-gnueabi/libyaml/0.2.5/temp/cve.log

Would this patch silence it?

Niko Mauno Aug. 3, 2024, 10:55 a.m. UTC | #2

On 8/2/24 17:25, Guðni Már Gilbert wrote:
> I wonder if it would be good to backport this to Scarthgap. I'm getting 
> the following warning for unpatched CVE on latest scarthgap:
> WARNING: libyaml-0.2.5-r0 do_cve_check: Found unpatched CVE 
> (CVE-2024-35328), for more information check 
> /home/builder/yocto/build/tmp/work/cortexa9t2hf-neon-tdx-linux-gnueabi/libyaml/0.2.5/temp/cve.log
> Would this patch silence it?
> 

Thanks, I've submitted 
https://lists.openembedded.org/g/openembedded-core/message/202933 which 
should fix the issue if it gets incorporated.
-Niko

diff --git a/meta/recipes-support/libyaml/libyaml_0.2.5.bb b/meta/recipes-support/libyaml/libyaml_0.2.5.bb
index 2154910d0c..1c6a5fcb45 100644
--- a/meta/recipes-support/libyaml/libyaml_0.2.5.bb
+++ b/meta/recipes-support/libyaml/libyaml_0.2.5.bb
@@ -18,6 +18,6 @@  inherit autotools
 DISABLE_STATIC:class-nativesdk = ""
 DISABLE_STATIC:class-native = ""
 
-CVE_STATUS[CVE-2024-35328] = "wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302"
+CVE_STATUS[CVE-2024-35328] = "upstream-wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302"
 
 BBCLASSEXTEND = "native nativesdk"

libyaml: Amend CVE status as 'upstream-wontfix'

Commit Message

Comments

Patch