
[meta-networking,dunfell,1/4] mbedtls: Fix CVE product name

Message ID 20221004062843.2541778-1-mbriand@witekio.com
State New

Commit Message

Mathieu Dubois-Briand Oct. 4, 2022, 6:28 a.m. UTC
Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
---
 meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.6.bb | 2 ++
 1 file changed, 2 insertions(+)

Comments

Mathieu Dubois-Briand Oct. 4, 2022, 6:34 a.m. UTC | #1
Hi,

Fixing the CVE product name for mbedtls uncovers a lot of CVEs. Some of these
are fixed in the last 2.16 version, but some remain. Here is what I found:

- CVE-2020-36477 and CVE-2022-35409: I added patches in this PR, but they did
  NOT apply cleanly when cherry-picking them. Original commits:
  https://github.com/Mbed-TLS/mbedtls/commit/f3e4bd8632b71dc491e52e6df87dc3e409d2b869
  https://github.com/Mbed-TLS/mbedtls/commit/e5af9fabf7d68e3807b6ea78792794b8352dbba2

- CVE-2021-43666: Patch is merged in 2.16.12 but the CPE does not exclude 2.16.12, so
  I added it to the whitelist.

- CVE-2021-45450 and CVE-2021-45451: I believe the CPEs are completely wrong
  here, as PSA was introduced in mbedtls-2.22.0. I may add them to the whitelist,
  but I believe the CPEs have to be modified.

- CVE-2021-24119: Fixed in master and has to be backported, but it's not clear
  which commits exactly fixed the issue. Seems to be be165bd32b87 and some
  parents (from https://github.com/Mbed-TLS/mbedtls/pull/4305).

Best regards,
Mathieu
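The triage above hinges on how a cve-check style scan matches a recipe's CVE_PRODUCT and version against NVD CPE version ranges. The following is an added example (not part of this patch or of cve-check itself) that models that matching: it shows why a wrong product name matches nothing, why a CPE range that does not exclude the fixed release keeps flagging a patched recipe, and how a whitelist entry or a corrected range each silence it. All CPE ranges and the `scan` helper are constructed for illustration.

```python
# Added example: minimal model of CVE_PRODUCT + version matching against NVD-style
# CPE ranges. Not cve-check's real code; sample ranges are constructed, not from NVD.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set


@dataclass
class CpeRange:
    cve: str
    product: str                      # CPE product component, e.g. "mbed_tls"
    start_incl: Optional[str] = None  # NVD versionStartIncluding
    end_excl: Optional[str] = None    # NVD versionEndExcluding


def vkey(version: str):
    """Turn '2.16.12' into (2, 16, 12) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def matches(r: CpeRange, product: str, version: str) -> bool:
    """True when the recipe's product name and version fall inside the CPE range."""
    if r.product != product:          # a wrong CVE_PRODUCT never matches anything
        return False
    v = vkey(version)
    if r.start_incl and v < vkey(r.start_incl):
        return False
    if r.end_excl and v >= vkey(r.end_excl):
        return False
    return True


def scan(product: str, version: str, ranges: List[CpeRange],
         whitelist: Iterable[str] = ()) -> Set[str]:
    """CVE ids the recipe would be reported for, minus whitelisted ids (unconditional)."""
    return {r.cve for r in ranges if matches(r, product, version)} - set(whitelist)


# Constructed data: WRONG_RANGE fails to exclude 2.16.12, the release carrying the fix;
# FIXED_RANGE is what a corrected CPE entry would look like.
WRONG_RANGE = CpeRange("CVE-2021-43666", "mbed_tls", "2.16.0", "2.16.13")
FIXED_RANGE = CpeRange("CVE-2021-43666", "mbed_tls", "2.16.0", "2.16.12")

if __name__ == "__main__":
    print(scan("mbedtls", "2.16.12", [WRONG_RANGE]))    # set(): old product name hides everything
    print(scan("mbed_tls", "2.16.12", [WRONG_RANGE]))   # {'CVE-2021-43666'}: flagged by bad range
    print(scan("mbed_tls", "2.16.12", [WRONG_RANGE], {"CVE-2021-43666"}))  # set(): whitelisted
    print(scan("mbed_tls", "2.16.12", [FIXED_RANGE]))   # set(): corrected CPE needs no whitelist
```

The last two calls show the trade-off in the thread: a whitelist entry masks the id regardless of version, whereas a corrected CPE range clears 2.16.12 while still reporting older recipes.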
Mathieu Dubois-Briand Oct. 5, 2022, 8:33 a.m. UTC | #2
On Tue, Oct 04, 2022 at 08:28:43AM +0200, Mathieu Dubois-Briand via lists.openembedded.org wrote:
> Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
> ---
>  .../recipes-connectivity/mbedtls/mbedtls_2.16.12.bb            | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.12.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.12.bb
> index 264e8abc15fc..7c61b1bfa7cf 100644
> --- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.12.bb
> +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.12.bb
> @@ -49,3 +49,6 @@ FILES_${PN}-programs = "${bindir}/"
>  BBCLASSEXTEND = "native nativesdk"
>  
>  CVE_PRODUCT = "mbed_tls"
> +
> +# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5311
> +CVE_CHECK_WHITELIST += "CVE-2021-43666"
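Review bot: The CVE_CHECK_WHITELIST entry for CVE-2021-43666 masks the report unconditionally, while the comment above it only links the upstream PR; record why this recipe is unaffected, e.g. `# Fixed in 2.16.12 (this recipe's version), see https://github.com/Mbed-TLS/mbedtls/pull/5311`, so the entry is re-evaluated whenever the recipe version changes. As the reply below notes, getting the CPE range corrected is preferable to a whitelist line that would keep hiding the id for any version.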
> -- 
> 2.34.1
> 

On the equivalent patch set against the master branch, Ross Burton suggested not adding the CVE to the whitelist but instead getting the CPE modified. We might want to do the same thing here.

Best regards,
Mathieu

Patch

diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.6.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.6.bb
index 12ad39761e9f..0ad1e02630a8 100644
--- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.6.bb
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.16.6.bb
@@ -41,3 +41,5 @@  PACKAGES =+ "${PN}-programs"
 FILES_${PN}-programs = "${bindir}/"
 
 BBCLASSEXTEND = "native nativesdk"
+
+CVE_PRODUCT = "mbed_tls"
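Review bot: The commit message carries only the Signed-off-by line; it should state that `mbedtls` is not the product name NVD uses and that `mbed_tls` is the CPE product component, because this one-line change widens what cve-check reports (comment #1 lists the CVEs it surfaces). Also, the diffstat here names mbedtls_2.16.6.bb with 2 insertions while the version quoted in comment #2 targets mbedtls_2.16.12.bb with 3 insertions, so the series should make clear which recipe version it is meant for.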