| Message ID | 20250115152909.2368573-1-madmarri@cisco.com |
|---|---|
| State | New |
| Series | [master] strace: add vendor to CVE_PRODUCT to exclude false positives |
On 15 Jan 2025, at 15:29, Madhu Marri via lists.openembedded.org <madmarri=cisco.com@lists.openembedded.org> wrote:

> - To avoid false positives such as CVE-2000-0006, add the CVE_PRODUCT
>   value with the vendor.

But CVE-2000-0006 is specific to this strace, not another strace. Quoting from the original reference (https://web.archive.org/web/20030710214947/http://www.securityfocus.com/archive/1/39831):

"""
When you see snippet from strace, that says:

open("/etc/passwd", O_RDONLY) = 3

Do you trust it? You should not.
"""

You may disagree with the premise of the CVE and mark it as not an issue, but it _is_ a strace CVE.

Ross
diff --git a/meta/recipes-devtools/strace/strace_6.12.bb b/meta/recipes-devtools/strace/strace_6.12.bb index c16e5dc478..0cbaead216 100644 --- a/meta/recipes-devtools/strace/strace_6.12.bb +++ b/meta/recipes-devtools/strace/strace_6.12.bb @@ -53,3 +53,6 @@ do_install_ptest() { RDEPENDS:${PN}-ptest += "make coreutils grep gawk sed locale-base-en-us" BBCLASSEXTEND = "native" + +# adding 'CVE_PRODUCT' to avoid false detection of CVEs +CVE_PRODUCT = "strace:strace"
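Review bot: setting CVE_PRODUCT = "strace:strace" silently drops every CVE whose CPE vendor is not "strace", and the commit message itself says CVE-2000-0006 is recorded under paul_kranenburg:strace, so this hides a record that the reply in this thread argues is a genuine strace issue rather than a mismatch with an unrelated product. If the maintainers decide that CVE is not applicable, record that decision per CVE with a CVE_STATUS entry and a justification instead of narrowing the product match, so the exclusion is visible and reviewable; the added comment "# adding 'CVE_PRODUCT' to avoid false detection of CVEs" should also say which vendor entries are being excluded and why, since "false detection" is exactly what the reviewer disputes.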
- To avoid false positives such as CVE-2000-0006, add the CVE_PRODUCT value with the vendor.
- The CVE-2000-0006 has the vendor paul_kranenburg:strace.
- This change has been verified by running do_cve_check task for strace package.

Signed-off-by: Madhu Marri <madmarri@cisco.com>
---
 meta/recipes-devtools/strace/strace_6.12.bb | 3 +++
 1 file changed, 3 insertions(+)
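To make the effect of the patch concrete, the following is an added illustration, not code from cve-check.bbclass or from the patch author: a small model of how vendor-qualified CVE_PRODUCT entries select CVE records. It assumes the matching rule that a bare product name matches any vendor while "vendor:product" matches only that vendor (a simplification of what the real class does), and it uses constructed sample records; CVE-2000-0006 under vendor paul_kranenburg is the one discussed in this thread, the other two ids are obvious placeholders.

```python
"""Constructed model of vendor:product matching for CVE_PRODUCT.

Added example, not the Yocto cve-check implementation. Assumed rule:
a bare product matches any vendor, "vendor:product" matches one vendor.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    vendor: str
    product: str


# Constructed sample records. Only CVE-2000-0006 is a real id taken from the
# thread; the CVE-XXXX-* entries are placeholders, not real CVEs.
SAMPLE_RECORDS = [
    CveRecord("CVE-2000-0006", "paul_kranenburg", "strace"),
    CveRecord("CVE-XXXX-0001", "strace", "strace"),                  # placeholder
    CveRecord("CVE-XXXX-0002", "other_vendor", "strace_lookalike"),  # placeholder
]


def parse_cve_product(value):
    """Split a CVE_PRODUCT string into (vendor, product) pairs.

    A bare product gets vendor None, meaning "any vendor" (assumed rule).
    """
    pairs = []
    for entry in value.split():
        if ":" in entry:
            vendor, product = entry.split(":", 1)
            pairs.append((vendor, product))
        else:
            pairs.append((None, entry))
    return pairs


def matching_cves(cve_product, records=SAMPLE_RECORDS):
    """Return the ids of records selected by the given CVE_PRODUCT value."""
    pairs = parse_cve_product(cve_product)
    hits = []
    for rec in records:
        for vendor, product in pairs:
            if rec.product == product and vendor in (None, rec.vendor):
                hits.append(rec.cve_id)
                break
    return hits


def dropped_by_narrowing(before, after, records=SAMPLE_RECORDS):
    """Ids the old CVE_PRODUCT reported that the narrowed one no longer does.

    This is the set a reviewer has to examine one by one: each entry here is
    either a real false positive or a genuine report that is now hidden.
    """
    return sorted(set(matching_cves(before, records))
                  - set(matching_cves(after, records)))


if __name__ == "__main__":
    print("bare product  :", matching_cves("strace"))
    print("vendor-qualified:", matching_cves("strace:strace"))
    print("no longer reported:", dropped_by_narrowing("strace", "strace:strace"))
```

Run stand-alone, the last line lists CVE-2000-0006 as the record that disappears when the recipe moves from the bare product name to "strace:strace". That is the crux of the review above: the narrowing is correct only if every id in that dropped set has been examined and judged to belong to an unrelated product, and an id judged not applicable to this strace is better recorded per CVE (the CVE_STATUS mechanism in current poky) than hidden by a vendor filter.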