sqlite3: Whitelist CVE-2022-21227

Message ID 20230528055252.3869703-1-schitrod@cisco.com
State Accepted, archived
Commit cfc42fdabb3f12eb4ac5069a549ba5699385dfdc
Series sqlite3: Whitelist CVE-2022-21227

Commit Message

This CVE is applicable to "SQLite3 bindings for Node.js" only.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-21227

Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
---
 meta/recipes-support/sqlite/sqlite3_3.41.2.bb | 3 +++
 1 file changed, 3 insertions(+)

Comments

Martin Jansa May 29, 2023, 7:21 a.m. UTC | #1
The patch author seems a bit mangled by ML, see:
author schitrod=cisco.com@lists.openembedded.org <schitrod=cisco.com@lists.openembedded.org> 2023-05-27 22:52:52 -0700
https://git.openembedded.org/openembedded-core/commit/?h=master-next&id=5f15caa526bb57070b9abb9ba2f488ee1bfb5372

Is it correct?

On Sun, May 28, 2023 at 7:53 AM Sanjaykumar kantibhai Chitroda -X (schitrod
- E-INFO CHIPS INC at Cisco) via lists.openembedded.org <schitrod=
cisco.com@lists.openembedded.org> wrote:

> This CVE is applicable to "SQLite3 bindings for Node.js" only.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2022-21227
>
> Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
> ---
>  meta/recipes-support/sqlite/sqlite3_3.41.2.bb | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
> b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
> index b09e8e7f55..11bc8bb4c0 100644
> --- a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
> +++ b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
> @@ -12,3 +12,6 @@ CVE_CHECK_IGNORE += "CVE-2019-19242"
>  CVE_CHECK_IGNORE += "CVE-2015-3717"
>  # Issue in an experimental extension we don't have/use. Fixed by
> https://sqlite.org/src/info/b1e0c22ec981cf5f
>  CVE_CHECK_IGNORE += "CVE-2021-36690"
> +# As per https://nvd.nist.gov/vuln/detail/CVE-2022-21227
> +# this bug is applicable to SQLite3 Node.js
> +CVE_CHECK_IGNORE += "CVE-2022-21227"
> --
> 2.35.6
Hi,

I have proposed a second commit, Revert "sqlite3: update CVE_PRODUCT" (https://patchwork.yoctoproject.org/project/oe-core/patch/20230528064732.3890226-1-schitrod@cisco.com/).

Once the above commit is added on master, we don't need to add this commit, as CVE-2022-21227 is detected only due to the above commit.

Thanks,
Sanjay


From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Martin Jansa
Sent: Monday, May 29, 2023 12:52 PM
To: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) <schitrod@cisco.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH] sqlite3: Whitelist CVE-2022-21227

The patch author seems a bit mangled by ML, see:
author schitrod=cisco.com@lists.openembedded.org <schitrod=cisco.com@lists.openembedded.org> 2023-05-27 22:52:52 -0700
https://git.openembedded.org/openembedded-core/commit/?h=master-next&id=5f15caa526bb57070b9abb9ba2f488ee1bfb5372

Is it correct?

On Sun, May 28, 2023 at 7:53 AM Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) via lists.openembedded.org <schitrod=cisco.com@lists.openembedded.org> wrote:
This CVE is applicable to "SQLite3 bindings for Node.js" only.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-21227

Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>
---
 meta/recipes-support/sqlite/sqlite3_3.41.2.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
index b09e8e7f55..11bc8bb4c0 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
@@ -12,3 +12,6 @@ CVE_CHECK_IGNORE += "CVE-2019-19242"
 CVE_CHECK_IGNORE += "CVE-2015-3717"
 # Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f
 CVE_CHECK_IGNORE += "CVE-2021-36690"
+# As per https://nvd.nist.gov/vuln/detail/CVE-2022-21227
+# this bug is applicable to SQLite3 Node.js
+CVE_CHECK_IGNORE += "CVE-2022-21227"
--
2.35.6
Richard Purdie May 29, 2023, 9:41 a.m. UTC | #3
On Mon, 2023-05-29 at 08:39 +0000, Sanjaykumar kantibhai Chitroda -X
(schitrod - E-INFO CHIPS INC at Cisco) wrote:
> Hi,
>  
> I have proposed second commit to revert Revert "sqlite3: update
> CVE_PRODUCT" - Patchwork (yoctoproject.org).
>  
> Once above commit is added on master then we don’t require to add
> this commit.
> As CVE-2022-21227 is detected due to above commit only.

My worry is that we keep going around in circles on this. Are we sure
the CVE database won't list things that are applicable under sqlite3?

Cheers,

Richard
Hi Richard,

Please find below the information specific to SQLite3.

NVD has CVEs reported for sqlite against two different products:
1. sqlite:sqlite
	- Ref: https://nvd.nist.gov/vuln/detail/CVE-2020-13435
	- This product is applicable to our sqlite3 SDK source
2. ghost:sqlite3
	- Ref: https://nvd.nist.gov/vuln/detail/CVE-2022-21227
	- This product is applicable to Node.js SQLite, which is not applicable to our SDK

Conclusion:
- To report CVEs for the SQLite3 source available in the SDK, CVE_PRODUCT must be sqlite.
- We don't need to report CVEs where CVE_PRODUCT is sqlite3.
- In the Yocto SDK the sqlite3 recipe should have: CVE_PRODUCT = "sqlite"

Thanks,
Sanjay

-----Original Message-----
From: Richard Purdie <richard.purdie@linuxfoundation.org> 
Sent: Monday, May 29, 2023 3:11 PM
To: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) <schitrod@cisco.com>; Martin Jansa <Martin.Jansa@gmail.com>
Cc: openembedded-core@lists.openembedded.org; Marta Rybczynska <rybczynska@gmail.com>
Subject: Re: [OE-core][PATCH] sqlite3: Whitelist CVE-2022-21227

On Mon, 2023-05-29 at 08:39 +0000, Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) wrote:
> Hi,
>  
> I have proposed second commit to revert Revert "sqlite3: update 
> CVE_PRODUCT" - Patchwork (yoctoproject.org).
>  
> Once above commit is added on master then we don’t require to add this 
> commit.
> As CVE-2022-21227 is detected due to above commit only.

My worry is that we keep going around in circles on this. Are we sure the CVE database won't list things that are applicable under sqlite3?

Cheers,

Richard
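Sanjay's point, that what cve-check reports for the sqlite3 recipe depends on which NVD product name CVE_PRODUCT matches, and Richard's worry, that NVD may also file genuine SQLite library issues under the product name sqlite3, can both be seen in a small model of the matching. This is an added example for this thread, not code from openembedded-core or cve-check.bbclass: the CPE rows are constructed (only CVE-2020-13435, CVE-2021-36690 and CVE-2022-21227 come from the thread, and CVE-0000-00000 is a placeholder id), and the matching rules, a bare product matching any vendor and `vendor:product` restricting to that vendor, are a simplified reading of the two CVE_PRODUCT forms cve-check documents.

```python
"""Model of how a cve-check CVE_PRODUCT setting scopes NVD matches.

Added example for this thread; not code from openembedded-core or
cve-check.bbclass. The CPE rows are constructed to mirror the two NVD
products the thread contrasts (sqlite:sqlite and ghost:sqlite3), and
the match logic is a simplified model of cve-check's "product" and
"vendor:product" handling.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CpeRecord:
    """One (CVE, vendor, product) affected-configuration row, as NVD lists it."""
    cve: str
    vendor: str
    product: str


# Constructed sample database. The first three ids are named in the thread;
# the last row is a hypothetical placeholder (not a real id) standing in for
# Richard's worry: a library issue that NVD files under product "sqlite3"
# with vendor "sqlite".
SAMPLE_DB = (
    CpeRecord("CVE-2020-13435", "sqlite", "sqlite"),   # upstream SQLite library
    CpeRecord("CVE-2021-36690", "sqlite", "sqlite"),   # already in CVE_CHECK_IGNORE
    CpeRecord("CVE-2022-21227", "ghost", "sqlite3"),   # Node.js bindings, not the library
    CpeRecord("CVE-0000-00000", "sqlite", "sqlite3"),  # constructed placeholder row
)


def parse_cve_product(setting: str) -> list[tuple[str | None, str]]:
    """Split a CVE_PRODUCT value such as 'sqlite sqlite:sqlite3' into
    (vendor, product) pairs. A bare product means "any vendor"."""
    pairs: list[tuple[str | None, str]] = []
    for item in setting.split():
        if ":" in item:
            vendor, product = item.split(":", 1)
            pairs.append((vendor, product))
        else:
            pairs.append((None, item))
    return pairs


def matching_cves(setting: str, db=SAMPLE_DB, ignore=()) -> list[str]:
    """Return the CVE ids this CVE_PRODUCT would report against `db`,
    leaving out anything listed in `ignore` (the CVE_CHECK_IGNORE set)."""
    pairs = parse_cve_product(setting)
    hits = set()
    for rec in db:
        if rec.cve in ignore:
            continue
        for vendor, product in pairs:
            if rec.product == product and (vendor is None or rec.vendor == vendor):
                hits.add(rec.cve)
                break
    return sorted(hits)


if __name__ == "__main__":
    # Recipe name as product: picks up the Node.js binding issue, misses the library ones.
    print("sqlite3                      ->", matching_cves("sqlite3"))
    # Sanjay's recommendation: library issues only, but blind to the placeholder row.
    print("sqlite                       ->", matching_cves("sqlite"))
    # Vendor-qualified: both product names, restricted to the sqlite vendor.
    print("sqlite:sqlite sqlite:sqlite3 ->", matching_cves("sqlite:sqlite sqlite:sqlite3"))
    # The patch under review, if CVE_PRODUCT still matched the Node.js row.
    print("sqlite3 + CVE_CHECK_IGNORE   ->", matching_cves("sqlite3", ignore={"CVE-2022-21227"}))
```

The two runs worth comparing are `"sqlite"` and `"sqlite:sqlite sqlite:sqlite3"`: the first never sees the placeholder row, which is exactly the gap Richard is asking about, while the vendor-qualified form keeps it and still excludes ghost:sqlite3 without any CVE_CHECK_IGNORE entry. Whichever value the recipe ends up with, an ignore line added to paper over a product-name mismatch stops being needed once CVE_PRODUCT no longer matches that product.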
Patch

diff --git a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
index b09e8e7f55..11bc8bb4c0 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
@@ -12,3 +12,6 @@  CVE_CHECK_IGNORE += "CVE-2019-19242"
 CVE_CHECK_IGNORE += "CVE-2015-3717"
 # Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f
 CVE_CHECK_IGNORE += "CVE-2021-36690"
+# As per https://nvd.nist.gov/vuln/detail/CVE-2022-21227
+# this bug is applicable to SQLite3 Node.js
+CVE_CHECK_IGNORE += "CVE-2022-21227"
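Review bot: the comment above the new CVE_CHECK_IGNORE line should say why the match is a false positive instead of restating the NVD link: CVE-2022-21227 is filed against the ghost:sqlite3 product (the Node.js bindings), not sqlite:sqlite, so it is only reported because CVE_PRODUCT currently matches the product name sqlite3. Something like `# CVE-2022-21227 is against ghost:sqlite3 (Node.js bindings), not the SQLite library` carries that information. The thread's own conclusion, that the detection only appeared after the "sqlite3: update CVE_PRODUCT" change and goes away once CVE_PRODUCT is back to "sqlite", also means this ignore entry becomes dead as soon as that revert lands; it should then be dropped rather than left in place where it could hide a future product-name mismatch.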