[dunfell] arm-toolchain: ignore CVE-2019-15847 CVE-2021-37322

Message ID 20220408171711.2274694-1-ralph.siemsen@linaro.org
State New
Series [dunfell] arm-toolchain: ignore CVE-2019-15847 CVE-2021-37322

Commit Message

Ralph Siemsen April 8, 2022, 5:17 p.m. UTC
CVE-2019-15847 is a bug in gcc POWER9 back-end, which is not relevant
for ARM architecture. (It has been fixed in gcc 8.4, 9.3, and 10.1).

CVE-2021-37322 is a bug in c++filt, which is part of binutils rather
than gcc. The issue was fixed in binutils 2.32 (poky has 2.34).

These exclusions are needed only in the dunfell branch, as it is the
only one with affected gcc versions. Master branch has gcc 11.2,
hardknott has 10.2, and honister has 10.3.

Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
---
Duplication could be avoided by patching gcc-common.inc. However if we
were to update to gcc 8.4 or 9.3 then we might want to remove the
exclusion for that version.

 meta-arm-toolchain/recipes-devtools/gcc/gcc-arm-8.2.inc | 6 ++++++
 meta-arm-toolchain/recipes-devtools/gcc/gcc-arm-8.3.inc | 6 ++++++
 meta-arm-toolchain/recipes-devtools/gcc/gcc-arm-9.2.inc | 6 ++++++
 3 files changed, 18 insertions(+)

Comments

Jon Mason April 13, 2022, 8:30 p.m. UTC | #1
On Fri, 8 Apr 2022 13:17:11 -0400, Ralph Siemsen wrote:
> CVE-2019-15847 is a bug in gcc POWER9 back-end, which is not relevant
> for ARM architecture. (It has been fixed in gcc 8.4, 9.3, and 10.1).
> 
> CVE-2021-37322 is a bug in c++filt, which is part of binutils rather
> than gcc. The issue was fixed in binutils 2.32 (poky has 2.34).
> 
> These exclusions are needed only in the dunfell branch, as it is the
> only one with affected gcc versions. Master branch has gcc 11.2,
> hardknott has 10.2, and honister has 10.3.

Applied, thanks!

[1/1] arm-toolchain: ignore CVE-2019-15847 CVE-2021-37322
      commit: 5c09684863be8e803e3e987a5ce4940721c3f39a

Best regards,

Patch

diff --git a/meta-arm-toolchain/recipes-devtools/gcc/gcc-arm-8.2.inc b/meta-arm-toolchain/recipes-devtools/gcc/gcc-arm-8.2.inc
index 65fbeff..6e18e2a 100644
--- a/meta-arm-toolchain/recipes-devtools/gcc/gcc-arm-8.2.inc
+++ b/meta-arm-toolchain/recipes-devtools/gcc/gcc-arm-8.2.inc
@@ -4,6 +4,12 @@  BASEPV = "8.2"
 PV = "arm-${BASEPV}"
 CVE_VERSION = "${BASEPV}"
 
+# CVE-2019-15847 is only relevant to POWER9 architecture
+CVE_CHECK_WHITELIST += "CVE-2019-15847"
+
+# CVE-2021-37322 is in binutils < 2.32, not in gcc
+CVE_CHECK_WHITELIST += "CVE-2021-37322"
+
 MMYY = "19.01"
 RELEASE = "20${MMYY}"
 PR = "r${RELEASE}"
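Review bot: the in-file comment for CVE-2019-15847 should record that the fix landed upstream in gcc 8.4 (as the commit message states), so whoever bumps BASEPV past 8.2 knows the whitelist entry is meant to be dropped at that point rather than carried forward, e.g. `# CVE-2019-15847 is only relevant to POWER9 architecture; fixed in gcc 8.4, drop when BASEPV >= 8.4`. The cover note gives this as the reason for keeping the entries per-version instead of in gcc-common.inc, but nothing in the file itself says so.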
diff --git a/meta-arm-toolchain/recipes-devtools/gcc/gcc-arm-8.3.inc b/meta-arm-toolchain/recipes-devtools/gcc/gcc-arm-8.3.inc
index 3fb87bb..c86467f 100644
--- a/meta-arm-toolchain/recipes-devtools/gcc/gcc-arm-8.3.inc
+++ b/meta-arm-toolchain/recipes-devtools/gcc/gcc-arm-8.3.inc
@@ -9,6 +9,12 @@  RELEASE = "20${MMYY}"
 PR = "r${RELEASE}"
 BINV = "${BASEPV}.0"
 
+# CVE-2019-15847 is only relevant to POWER9 architecture
+CVE_CHECK_WHITELIST += "CVE-2019-15847"
+
+# CVE-2021-37322 is in binutils < 2.32, not in gcc
+CVE_CHECK_WHITELIST += "CVE-2021-37322"
+
 FILESEXTRAPATHS =. "${FILE_DIRNAME}/gcc-${BASEPV}:${FILE_DIRNAME}/gcc-${BASEPV}/backport:"
 
 DEPENDS =+ "mpfr gmp libmpc zlib flex-native"
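Review bot: placement differs from the 8.2 hunk, where the two CVE_CHECK_WHITELIST lines sit directly under CVE_VERSION; here they follow BINV. Keeping the whitelist next to CVE_VERSION in every file groups the CVE-related settings so they can be audited together and keeps the three gcc-arm-*.inc files directly comparable.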
diff --git a/meta-arm-toolchain/recipes-devtools/gcc/gcc-arm-9.2.inc b/meta-arm-toolchain/recipes-devtools/gcc/gcc-arm-9.2.inc
index 6378ecf..ebbb5ed 100644
--- a/meta-arm-toolchain/recipes-devtools/gcc/gcc-arm-9.2.inc
+++ b/meta-arm-toolchain/recipes-devtools/gcc/gcc-arm-9.2.inc
@@ -5,6 +5,12 @@  require recipes-devtools/gcc/gcc-common.inc
 PV = "arm-9.2"
 CVE_VERSION = "9.2"
 
+# CVE-2019-15847 is only relevant to POWER9 architecture
+CVE_CHECK_WHITELIST += "CVE-2019-15847"
+
+# CVE-2021-37322 is in binutils < 2.32, not in gcc
+CVE_CHECK_WHITELIST += "CVE-2021-37322"
+
 # BINV should be incremented to a revision after a minor gcc release
 
 BINV = "9.2.1"
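Review bot: the CVE-2021-37322 entry is not version-dependent (its comment says the bug is in binutils and never applies to gcc), so the cover note's reason for per-version duplication, that an entry may need removing after an upgrade to 8.4 or 9.3, only covers CVE-2019-15847. The binutils entry could be set once in a shared location and only the POWER9 entry kept in each gcc-arm-*.inc, halving what has to be kept in sync across the three files.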