[scarthgap,03/10] wpa-supplicant: Ignore CVE-2024-5290

Message ID	33548479f66164f486efdb6aeba2de7da2b5b0c9.1728266000.git.steve@sakoman.com
State	Accepted
Delegated to:	Steve Sakoman
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.215.181, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 03/10] wpa-supplicant: Ignore CVE-2024-5290 Date: Sun, 6 Oct 2024 18:54:56 -0700 Message-Id: <33548479f66164f486efdb6aeba2de7da2b5b0c9.1728266000.git.steve@sakoman.com> In-Reply-To: <cover.1728266000.git.steve@sakoman.com> References: <cover.1728266000.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[scarthgap,01/10] gnupg: Document CVE-2022-3219 and mark wontfix \| expand [scarthgap,01/10] gnupg: Document CVE-2022-3219 and mark wontfix [scarthgap,02/10] openssh: Mark CVE-2023-51767 as wont-fix [scarthgap,03/10] wpa-supplicant: Ignore CVE-2024-5290 [scarthgap,04/10] wpa-supplicant: Patch CVE-2024-3596 [scarthgap,05/10] wpa-supplicant: Patch security advisory 2024-2 [scarthgap,06/10] glibc: stable 2.39 branch updates. [scarthgap,07/10] webkitgtk: upgrade 2.44.1 -> 2.44.3 [scarthgap,08/10] cryptodev: upgrade 1.13 -> 1.14 [scarthgap,09/10] populate_sdk_base: inherit nopackages [scarthgap,10/10] meta-world-pkgdata: Inherit nopackages

Message ID

33548479f66164f486efdb6aeba2de7da2b5b0c9.1728266000.git.steve@sakoman.com

State

Accepted

Delegated to:

Steve Sakoman

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 03/10] wpa-supplicant: Ignore CVE-2024-5290
Date: Sun,  6 Oct 2024 18:54:56 -0700
Message-Id: 
 <33548479f66164f486efdb6aeba2de7da2b5b0c9.1728266000.git.steve@sakoman.com>
In-Reply-To: <cover.1728266000.git.steve@sakoman.com>
References: <cover.1728266000.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[scarthgap,01/10] gnupg: Document CVE-2022-3219 and mark wontfix | expand

Commit Message

Steve Sakoman Oct. 7, 2024, 1:54 a.m. UTC

From: Peter Marko <peter.marko@siemens.com>

NVD CVE report [1] links Ubuntu bug [2] which has a very good
description/discussion about this issue.
It applies only to distros patching wpa-supplicant to allow non-root
users (e.g. via netdev group) to load modules.
This is not the case of Yocto.

Quote:
So upstream isn't vulnerable as they only expose the dbus interface to
root. Downstreams like Ubuntu and Chromium added a patch that grants
access to the netdev group. The patch is the problem, not the upstream
code IMHO.

There is also a commit [3] associated with this CVE, however that only
provides build-time configuration to limit paths which can be accessed
but it acts only as a mitigation for distros which allow non-root users
to load crafted modules.

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-5290
[2] https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/2067613
[3] https://w1.fi/cgit/hostap/commit/?id=c84388ee4c66bcd310db57489eac4a75fc600747

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
index 22028ce957..01dc72b385 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
@@ -32,6 +32,8 @@  PACKAGECONFIG[openssl] = ",,openssl"
 
 CVE_PRODUCT = "wpa_supplicant"
 
+CVE_STATUS[CVE-2024-5290] = "not-applicable-platform: this only affects Ubuntu and other platforms patching wpa-supplicant"
+
 EXTRA_OEMAKE = "'LIBDIR=${libdir}' 'INCDIR=${includedir}' 'BINDIR=${sbindir}'"
 
 do_configure () {

[scarthgap,03/10] wpa-supplicant: Ignore CVE-2024-5290

Commit Message

Patch