[master] db 5.3.28: Ignore multiple CVEs

Message ID	20250115110857.1372278-1-mmeerasa@cisco.com
State	New
Headers	show Return-Path: <philip@balister.org> ip: 173.37.86.73, mailfrom: mmeerasa@cisco.com) IronPort-Data: A9a23:7TcRN6xYCDXbxHARezl6t+dmxyrEfRIJ4+MujC+fZmUNrF6WrkVWn 2oaDzvSbP+MYjbyKY8gOoy+ph4EvZbTn9VqTQJq+FhgHilAwSbn6Xt1DatR0we6dJCroJdPt p1GAjX4BJlqCCea/lH1b+CJQUBUjcmgXqD7BPPPJhd/TAplTDZJoR94kobVuKYw6TSCK13L4 ImaT/H3Ygf/hmYtaz9MsMpvlTs21BjMkGJA1rABTagjUG/2zxE9EJ8ZLKetGHr0KqE8NvK6X evK0Iai9Wrf+Ro3Yvv9+losWhRXKlJ6FVHmZkt+A8BOsDAbzsAB+vpT2M4nVKtio27hc+adZ zl6ncfYpQ8BZsUgkQmGOvVSO3kW0aZuoNcrLZUj2CCe5xWuTpfi/xlhJHsqFNc30+pVPUVH7 6UfJWw8cxSjju3jldpXSsE07igiBNPgMIVavjRryivUSK98B5vCWK7No9Rf2V/chOgXQq2YP JVfM2cyKk2cMnWjOX9PYH46tOKti3TleiZRgFmUvqEwpWPUyWSd1ZC3YYCJI4PQHpU9ckCwg kLL31/8Ow0hLoax8BeEr3/9nLbfknauMG4VPPjinhJwu3WU3mEVBRgcWFe3rPX8gUmkVvpbK lcI4WwptaU0+UmhQ9XxUhH+p2SL1iPwQPJKGOE8rQXIwa3O7kPAXC4PTyVKb5ots8peqSEW6 2JlVujBXVRH2IB5g1rEnltIhVte4RQoEFI= IronPort-HdrOrdr: A9a23:doBoNaELp+lCXiy1pLqE48eALOsnbusQ8zAXPo5KJiC9Ffbo8v xG88576faZslsssRIb6LK90cu7IU80nKQdieJ6AV7IZmfbUQWTQL2KlbGSoAEJ30bFh4lgPW AKSdkbNOHN From: Mohamed Meera Sahib <mmeerasa@cisco.com> To: openembedded-core@lists.openembedded.org Cc: Mohamed Meera Sahib <mmeerasa@cisco.com> Subject: [OE-core] [master] [PATCH] db 5.3.28: Ignore multiple CVEs Date: Wed, 15 Jan 2025 03:08:56 -0800 Message-ID: <20250115110857.1372278-1-mmeerasa@cisco.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[master] db 5.3.28: Ignore multiple CVEs \| expand [master] db 5.3.28: Ignore multiple CVEs

Message ID

20250115110857.1372278-1-mmeerasa@cisco.com

State

New

Headers

IronPort-Data: A9a23:7TcRN6xYCDXbxHARezl6t+dmxyrEfRIJ4+MujC+fZmUNrF6WrkVWn
 2oaDzvSbP+MYjbyKY8gOoy+ph4EvZbTn9VqTQJq+FhgHilAwSbn6Xt1DatR0we6dJCroJdPt
 p1GAjX4BJlqCCea/lH1b+CJQUBUjcmgXqD7BPPPJhd/TAplTDZJoR94kobVuKYw6TSCK13L4
 ImaT/H3Ygf/hmYtaz9MsMpvlTs21BjMkGJA1rABTagjUG/2zxE9EJ8ZLKetGHr0KqE8NvK6X
 evK0Iai9Wrf+Ro3Yvv9+losWhRXKlJ6FVHmZkt+A8BOsDAbzsAB+vpT2M4nVKtio27hc+adZ
 zl6ncfYpQ8BZsUgkQmGOvVSO3kW0aZuoNcrLZUj2CCe5xWuTpfi/xlhJHsqFNc30+pVPUVH7
 6UfJWw8cxSjju3jldpXSsE07igiBNPgMIVavjRryivUSK98B5vCWK7No9Rf2V/chOgXQq2YP
 JVfM2cyKk2cMnWjOX9PYH46tOKti3TleiZRgFmUvqEwpWPUyWSd1ZC3YYCJI4PQHpU9ckCwg
 kLL31/8Ow0hLoax8BeEr3/9nLbfknauMG4VPPjinhJwu3WU3mEVBRgcWFe3rPX8gUmkVvpbK
 lcI4WwptaU0+UmhQ9XxUhH+p2SL1iPwQPJKGOE8rQXIwa3O7kPAXC4PTyVKb5ots8peqSEW6
 2JlVujBXVRH2IB5g1rEnltIhVte4RQoEFI=
IronPort-HdrOrdr: A9a23:doBoNaELp+lCXiy1pLqE48eALOsnbusQ8zAXPo5KJiC9Ffbo8v
 xG88576faZslsssRIb6LK90cu7IU80nKQdieJ6AV7IZmfbUQWTQL2KlbGSoAEJ30bFh4lgPW
 AKSdkbNOHN
From: Mohamed Meera Sahib <mmeerasa@cisco.com>
To: openembedded-core@lists.openembedded.org
Cc: Mohamed Meera Sahib <mmeerasa@cisco.com>
Subject: [OE-core] [master] [PATCH] db 5.3.28: Ignore multiple CVEs
Date: Wed, 15 Jan 2025 03:08:56 -0800
Message-ID: <20250115110857.1372278-1-mmeerasa@cisco.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[master] db 5.3.28: Ignore multiple CVEs | expand

Commit Message

Mohamed Meera Sahib Jan. 15, 2025, 11:08 a.m. UTC

Analysis:
- Unspecified vulnerability in the various components of Oracle
  Berkeley Db was identified as potentially exploitable without
  authentication. Later these were closed by the Critical Patch
  Update (CPU).

Reference:
[1] https://www.oracle.com/security-alerts/cpujul2015.html
[2] https://www.oracle.com/security-alerts/cpuapr2016v3.html
[3] https://www.oracle.com/security-alerts/cpujul2020.html

Signed-off-by: Mohamed Meera Sahib <mmeerasa@cisco.com>
---
 meta/recipes-support/db/db_5.3.28.bb | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

Comments

Peter Marko Jan. 15, 2025, 12:35 p.m. UTC | #1

Fact that the vulnerability is not exploitable remotely without authentication
does not mean that the vulnerability is not real or that it cannot be exploited.
Local vulnerabilities are food for LOTL attacks.

Also note that if you want to get these from your cve reports,
you can simply include oe-core cve-extra-exclusions.inc which lists all of these.
Maybe we could enhance comments in cve-extra-exclusions.inc for future reference instead?

Peter

> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-
> core@lists.openembedded.org> On Behalf Of Mohamed Meera Sahib via
> lists.openembedded.org
> Sent: Wednesday, January 15, 2025 12:09
> To: openembedded-core@lists.openembedded.org
> Cc: Mohamed Meera Sahib <mmeerasa@cisco.com>
> Subject: [OE-core] [master] [PATCH] db 5.3.28: Ignore multiple CVEs
> 
> Analysis:
> - Unspecified vulnerability in the various components of Oracle
>   Berkeley Db was identified as potentially exploitable without
>   authentication. Later these were closed by the Critical Patch
>   Update (CPU).
> 
> Reference:
> [1] https://www.oracle.com/security-alerts/cpujul2015.html
> [2] https://www.oracle.com/security-alerts/cpuapr2016v3.html
> [3] https://www.oracle.com/security-alerts/cpujul2020.html
> 
> Signed-off-by: Mohamed Meera Sahib <mmeerasa@cisco.com>
> ---
>  meta/recipes-support/db/db_5.3.28.bb | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
> 
> diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-
> support/db/db_5.3.28.bb
> index a7d061e0da..d93e77a1ee 100644
> --- a/meta/recipes-support/db/db_5.3.28.bb
> +++ b/meta/recipes-support/db/db_5.3.28.bb
> @@ -120,3 +120,20 @@ BBCLASSEXTEND = "native nativesdk"
>  # many configure tests are failing with gcc-14
>  CFLAGS += "-Wno-error=implicit-int -Wno-error=implicit-function-
> declaration"
>  BUILD_CFLAGS += "-Wno-error=implicit-int -Wno-error=implicit-function-
> declaration"
> +
> +# The risk matrix of Oracle Berkeley Db was published in July 2015 by which
> many vulnerabilities
> +# in different Oracle products were identified.
> +# https://www.oracle.com/security-alerts/cpujul2015verbose.html#DB
> +# The Oracle Berkeley Db issued the Critical Patch Update Advisory in July
> 2015
> +# which determined the status of the vulnerability whether applicable or not.
> +# https://www.oracle.com/security-alerts/cpujul2015.html#AppendixDB
> +# Apart from this, different CPUs change status of the vulnerabilities e.g.
> +# CVE-2020-2981: https://www.oracle.com/security-alerts/cpujul2020.html
> +# CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, CVE-2016-0694, CVE-
> 2016-3418: https://www.oracle.com/security-alerts/cpuapr2016v3.html
> +
> +CVE_STATUS_GROUPS = "CVE_STATUS_INGR"
> +CVE_STATUS_INGR = "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626
> CVE-2015-2640 CVE-2015-2654 CVE-2015-2656 CVE-2015-4754 CVE-2015-
> 4764 \
> +CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 CVE-
> 2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-
> 4782 \
> +CVE-2015-4783 CVE-2015-4784 CVE-2015-4785 CVE-2015-4786 CVE-
> 2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2020-
> 2981 \
> +CVE-2016-0682 CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-
> 2016-3418"
> +CVE_STATUS_INGR[status] = "fixed-version: The Critical Patch Update of
> Oracle Berkeley DB discovers these vulnerabilities may not be remotely
> exploitable without authentication."
> --
> 2.44.1

Alexander Kanavin Jan. 15, 2025, 12:40 p.m. UTC | #2

On Wed, 15 Jan 2025 at 13:36, Peter Marko via lists.openembedded.org
<peter.marko=siemens.com@lists.openembedded.org> wrote:
> Fact that the vulnerability is not exploitable remotely without authentication
> does not mean that the vulnerability is not real or that it cannot be exploited.
> Local vulnerabilities are food for LOTL attacks.
>
> Also note that if you want to get these from your cve reports,
> you can simply include oe-core cve-extra-exclusions.inc which lists all of these.
> Maybe we could enhance comments in cve-extra-exclusions.inc for future reference instead?

I'd also appreciate efforts to completely remove berkeley db from
yocto, for reasons explained in [1]. Last I checked, apt-ftparchive
still had a hard dependency on it.

[1] https://lwn.net/Articles/557820/

Alex

diff --git a/meta/recipes-support/db/db_5.3.28.bb b/meta/recipes-support/db/db_5.3.28.bb
index a7d061e0da..d93e77a1ee 100644
--- a/meta/recipes-support/db/db_5.3.28.bb
+++ b/meta/recipes-support/db/db_5.3.28.bb
@@ -120,3 +120,20 @@  BBCLASSEXTEND = "native nativesdk"
 # many configure tests are failing with gcc-14
 CFLAGS += "-Wno-error=implicit-int -Wno-error=implicit-function-declaration"
 BUILD_CFLAGS += "-Wno-error=implicit-int -Wno-error=implicit-function-declaration"
+
+# The risk matrix of Oracle Berkeley Db was published in July 2015 by which many vulnerabilities
+# in different Oracle products were identified.
+# https://www.oracle.com/security-alerts/cpujul2015verbose.html#DB
+# The Oracle Berkeley Db issued the Critical Patch Update Advisory in July 2015
+# which determined the status of the vulnerability whether applicable or not.
+# https://www.oracle.com/security-alerts/cpujul2015.html#AppendixDB
+# Apart from this, different CPUs change status of the vulnerabilities e.g.
+# CVE-2020-2981: https://www.oracle.com/security-alerts/cpujul2020.html
+# CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, CVE-2016-0694, CVE-2016-3418: https://www.oracle.com/security-alerts/cpuapr2016v3.html
+
+CVE_STATUS_GROUPS = "CVE_STATUS_INGR"
+CVE_STATUS_INGR = "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 \
+CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 \
+CVE-2015-4783 CVE-2015-4784 CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2020-2981 \
+CVE-2016-0682 CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418"
+CVE_STATUS_INGR[status] = "fixed-version: The Critical Patch Update of Oracle Berkeley DB discovers these vulnerabilities may not be remotely exploitable without authentication."