[kirkstone,09/10] qemu: ignore CVE-2023-1386

Message ID	b6b026e8e1965f8902780b519aa60bb818f920a5.1744145328.git.steve@sakoman.com
State	RFC
Delegated to:	Steve Sakoman
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.214.179, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 09/10] qemu: ignore CVE-2023-1386 Date: Tue, 8 Apr 2025 13:51:05 -0700 Message-ID: <b6b026e8e1965f8902780b519aa60bb818f920a5.1744145328.git.steve@sakoman.com> In-Reply-To: <cover.1744145328.git.steve@sakoman.com> References: <cover.1744145328.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone,01/10] curl: ignore CVE-2025-0725 \| expand [kirkstone,01/10] curl: ignore CVE-2025-0725 [kirkstone,02/10] ofono: patch CVE-2024-7537 [kirkstone,03/10] ghostscript: Fix CVE-2025-27830 [kirkstone,04/10] ghostscript: Fix CVE-2025-27831 [kirkstone,05/10] ghostscript: Fix CVE-2025-27832 [kirkstone,06/10] ghostscript: Fix CVE-2025-27834 [kirkstone,07/10] ghostscript: Fix CVE-2025-27835 [kirkstone,08/10] ghostscript: Fix CVE-2025-27836 [kirkstone,09/10] qemu: ignore CVE-2023-1386 [kirkstone,10/10] glibc: Add single-threaded fast path to rand()

Message ID

b6b026e8e1965f8902780b519aa60bb818f920a5.1744145328.git.steve@sakoman.com

State

RFC

Delegated to:

Steve Sakoman

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 09/10] qemu: ignore CVE-2023-1386
Date: Tue,  8 Apr 2025 13:51:05 -0700
Message-ID: 
 <b6b026e8e1965f8902780b519aa60bb818f920a5.1744145328.git.steve@sakoman.com>
In-Reply-To: <cover.1744145328.git.steve@sakoman.com>
References: <cover.1744145328.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[kirkstone,01/10] curl: ignore CVE-2025-0725 | expand

Commit Message

Steve Sakoman April 8, 2025, 8:51 p.m. UTC

From: Peter Marko <peter.marko@siemens.com>

Upstream Repository: https://gitlab.com/qemu-project/qemu.git

Bug Details:  https://nvd.nist.gov/vuln/detail/CVE-2023-1386
Type: Security Advisory
CVE: CVE-2023-1386
Score: 3.3

Analysis:
- According to redhat[1] this CVE has closed as not a bug.

Reference:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2223985

(From OE-Core rev: 6a5d9e3821246c39ec57fa483802e1bb74fca724)

Signed-off-by: Madhu Marri <madmarri@cisco.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

(Converted to old CVE_CHECK_IGNORE syntax)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-devtools/qemu/qemu.inc | 3 +++
 1 file changed, 3 insertions(+)

Comments

Richard Purdie April 10, 2025, 11:32 a.m. UTC | #1

On Tue, 2025-04-08 at 13:51 -0700, Steve Sakoman via
lists.openembedded.org wrote:
> From: Peter Marko <peter.marko@siemens.com>
> 
> Upstream Repository: https://gitlab.com/qemu-project/qemu.git
> 
> Bug Details:  https://nvd.nist.gov/vuln/detail/CVE-2023-1386
> Type: Security Advisory
> CVE: CVE-2023-1386
> Score: 3.3
> 
> Analysis:
> - According to redhat[1] this CVE has closed as not a bug.
> 
> Reference:
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=2223985
> 
> (From OE-Core rev: 6a5d9e3821246c39ec57fa483802e1bb74fca724)
> 
> Signed-off-by: Madhu Marri <madmarri@cisco.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> 
> (Converted to old CVE_CHECK_IGNORE syntax)
> 
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>  meta/recipes-devtools/qemu/qemu.inc | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-
> devtools/qemu/qemu.inc
> index bee30cd56f..cae33459e6 100644
> --- a/meta/recipes-devtools/qemu/qemu.inc
> +++ b/meta/recipes-devtools/qemu/qemu.inc
> @@ -161,6 +161,9 @@ CVE_CHECK_IGNORE += "CVE-2023-2680"
>  #       due to the rocker device not falling within the
> virtualization use case.
>  CVE_CHECK_IGNORE += "CVE-2022-36648"
>  
> +# disputed: not an issue as per
> https://bugzilla.redhat.com/show_bug.cgi?id=2223985
> +CVE_CHECK_IGNORE += "CVE-2023-1386"
> +
>  COMPATIBLE_HOST:mipsarchn32 = "null"
>  COMPATIBLE_HOST:mipsarchn64 = "null"
>  COMPATIBLE_HOST:riscv32 = "null"

This merged to master today. It isn't in walnascar though.

Cheers,

Richard

diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index bee30cd56f..cae33459e6 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -161,6 +161,9 @@  CVE_CHECK_IGNORE += "CVE-2023-2680"
 #       due to the rocker device not falling within the virtualization use case.
 CVE_CHECK_IGNORE += "CVE-2022-36648"
 
+# disputed: not an issue as per https://bugzilla.redhat.com/show_bug.cgi?id=2223985
+CVE_CHECK_IGNORE += "CVE-2023-1386"
+
 COMPATIBLE_HOST:mipsarchn32 = "null"
 COMPATIBLE_HOST:mipsarchn64 = "null"
 COMPATIBLE_HOST:riscv32 = "null"

[kirkstone,09/10] qemu: ignore CVE-2023-1386

Commit Message

Comments

Patch