From patchwork Sat Sep 28 17:42:21 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Peter Marko <peter.marko@siemens.com>
X-Patchwork-Id: 49715
Return-Path: <peter.marko@siemens.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 5E001CF6496
	for <webhook@archiver.kernel.org>; Sat, 28 Sep 2024 17:43:56 +0000 (UTC)
Received: from mta-64-227.siemens.flowmailer.net
 (mta-64-227.siemens.flowmailer.net [185.136.64.227])
 by mx.groups.io with SMTP id smtpd.web11.17948.1727545428175265203
 for <openembedded-core@lists.openembedded.org>;
 Sat, 28 Sep 2024 10:43:49 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=peter.marko@siemens.com header.s=fm2 header.b=oA/F9Y/s;
 spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227,
 mailfrom:
 fm-256628-20240928174343e3cd1a00bad232c37d-o_3yos@rts-flowmailer.siemens.com)
Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id
 20240928174343e3cd1a00bad232c37d
        for <openembedded-core@lists.openembedded.org>;
        Sat, 28 Sep 2024 19:43:44 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2;
 d=siemens.com; i=peter.marko@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc;
 bh=pGf7T1YlLqOQTWS/EK1K9dAMtdYP1S0la3/u3H0lvL0=;
 b=oA/F9Y/s4W7hZ7Wg6/0JzcXmRWRqxT2I3jkBK33p8iXf9E6mxvtidSS6mtTdHjOpKXZctN
 coKx3vpQ3lkw6NRoLgrQtKraz6hjNfToyw6P94xI0drdYuroaDVGvNoFOqI+DsOxcbhAiiBg
 h+H8YwYJZkMyQIVMy/UWod247JxHec9WWIMq2o+eom7+Ikxe457UL+/VGZ2+v6LQaWPjkNEJ
 oqVtin4ga+zkAajujRSnHRIDUTejltw/E+n73GaxJPm3KBEwsXwhkGf4kgCcLmVRHHLIrrhR
 87oosByZPjRRdrZOoHW/uAt6cWaQOdfxaXxFJCKwrrfd2JHhhhAtE1zA==;
From: Peter Marko <peter.marko@siemens.com>
To: openembedded-core@lists.openembedded.org
Cc: Khem Raj <raj.khem@gmail.com>,
	Alexandre Belloni <alexandre.belloni@bootlin.com>,
	Richard Purdie <richard.purdie@linuxfoundation.org>,
	Peter Marko <peter.marko@siemens.com>
Subject: [OE-core][scarthgap][PATCH 1/3] gnupg: Document CVE-2022-3219 and
 mark wontfix
Date: Sat, 28 Sep 2024 19:42:21 +0200
Message-Id: <20240928174223.3749001-1-peter.marko@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-256628:519-21489:flowmailer
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Sat, 28 Sep 2024 17:43:56 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/205045

From: Khem Raj <raj.khem@gmail.com>

(From OE-Core rev: f10f9c3a8d2c17d5a6c3f0b00749e5b34a66e090)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-support/gnupg/gnupg_2.4.4.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-support/gnupg/gnupg_2.4.4.bb b/meta/recipes-support/gnupg/gnupg_2.4.4.bb
index fff7d8c6da..ec75960235 100644
--- a/meta/recipes-support/gnupg/gnupg_2.4.4.bb
+++ b/meta/recipes-support/gnupg/gnupg_2.4.4.bb
@@ -88,3 +88,4 @@ BBCLASSEXTEND = "native nativesdk"
 
 lcl_maybe_fortify:mipsarch = ""
 
+CVE_STATUS[CVE-2022-3219] = "upstream-wontfix: Upstream doesn't seem to be keen on merging the proposed commit - https://dev.gnupg.org/T5993"

From patchwork Sat Sep 28 17:42:22 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Peter Marko <peter.marko@siemens.com>
X-Patchwork-Id: 49714
Return-Path: <peter.marko@siemens.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 5D220CF6491
	for <webhook@archiver.kernel.org>; Sat, 28 Sep 2024 17:43:56 +0000 (UTC)
Received: from mta-65-228.siemens.flowmailer.net
 (mta-65-228.siemens.flowmailer.net [185.136.65.228])
 by mx.groups.io with SMTP id smtpd.web11.17951.1727545435777720173
 for <openembedded-core@lists.openembedded.org>;
 Sat, 28 Sep 2024 10:43:56 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=peter.marko@siemens.com header.s=fm2 header.b=k0oC3TzK;
 spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.228,
 mailfrom:
 fm-256628-202409281743538091d5248c3c81b7a3-9nxrt6@rts-flowmailer.siemens.com)
Received: by mta-65-228.siemens.flowmailer.net with ESMTPSA id
 202409281743538091d5248c3c81b7a3
        for <openembedded-core@lists.openembedded.org>;
        Sat, 28 Sep 2024 19:43:53 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2;
 d=siemens.com; i=peter.marko@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To;
 bh=6slffxLjfErprCvV81eoVJXl4z6Fkmmw8i1SC0Ye5fY=;
 b=k0oC3TzK0PDS1hy/jZocntBmVfrE/pMs8SPbzq1k642bJ93906vrFFq58mxC/m6g8Z6hPu
 LR835dOlxETXgqvWU3l7K8F3lpwHMh7fZr9+iZ7y7Q6Dq28SfYvsp+Kihlp1eR+4OVdvk1eB
 XkSVBhwjlEjmMBnmsW72FoWoEwZq4cZcEz1PeLpChOubYS9GB/OrdVksgAxKsdUnpPXIoQM7
 x/ZxqPScyB8+hcoHaGA+e4RzMvDWbyIBeOPuuFyY6VXEaVhV4o/C2/9ovux8Cvtrphl6vItd
 TO03SlUxzFzwKRXqVDfNj2PwEW0qziaCyXN4FoYy8OmZRxBYTc5fcFKw==;
From: Peter Marko <peter.marko@siemens.com>
To: openembedded-core@lists.openembedded.org
Cc: Khem Raj <raj.khem@gmail.com>,
	Alexandre Belloni <alexandre.belloni@bootlin.com>,
	Richard Purdie <richard.purdie@linuxfoundation.org>,
	Peter Marko <peter.marko@siemens.com>
Subject: [OE-core][scarthgap][PATCH 2/3] openssh: Mark CVE-2023-51767 as
 wont-fix
Date: Sat, 28 Sep 2024 19:42:22 +0200
Message-Id: <20240928174223.3749001-2-peter.marko@siemens.com>
In-Reply-To: <20240928174223.3749001-1-peter.marko@siemens.com>
References: <20240928174223.3749001-1-peter.marko@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-256628:519-21489:flowmailer
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Sat, 28 Sep 2024 17:43:56 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/205046

From: Khem Raj <raj.khem@gmail.com>

(From OE-Core rev: 1b4bada6c003ef743df09283e45953e6d9ea4c5a)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-connectivity/openssh/openssh_9.6p1.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
index 3c507cf911..a8ba67e360 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
@@ -40,6 +40,7 @@ CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to Op
 Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
 
 CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
+CVE_STATUS[CVE-2023-51767] = "upstream-wontfix: It was demonstrated on modified sshd and does not exist in upstream openssh https://bugzilla.mindrot.org/show_bug.cgi?id=3656#c1."
 
 PAM_SRC_URI = "file://sshd"
 

From patchwork Sat Sep 28 17:42:23 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Peter Marko <peter.marko@siemens.com>
X-Patchwork-Id: 49716
Return-Path: <peter.marko@siemens.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 377EDCF6491
	for <webhook@archiver.kernel.org>; Sat, 28 Sep 2024 17:44:16 +0000 (UTC)
Received: from mta-65-227.siemens.flowmailer.net
 (mta-65-227.siemens.flowmailer.net [185.136.65.227])
 by mx.groups.io with SMTP id smtpd.web10.17882.1727545446699082845
 for <openembedded-core@lists.openembedded.org>;
 Sat, 28 Sep 2024 10:44:07 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=peter.marko@siemens.com header.s=fm2 header.b=Kq22Wdif;
 spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227,
 mailfrom:
 fm-256628-20240928174404c6d920b3740f9fc805-8rr4wv@rts-flowmailer.siemens.com)
Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id
 20240928174404c6d920b3740f9fc805
        for <openembedded-core@lists.openembedded.org>;
        Sat, 28 Sep 2024 19:44:04 +0200
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2;
 d=siemens.com; i=peter.marko@siemens.com;
 h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To;
 bh=fdpGvjcLsTj8pY/FFsPCyVf0Ad52yz0X77OIxlInhf8=;
 b=Kq22WdiflQFttKm993paFZu1Adf/GHafIR9P9gG+bnCkYbo2Y7pNswU5PCoFfFith+Q1fr
 P/0spUUxDkLQNf1bVn6tbUAbl/lYjPu2qVqw6Wjy6o3JaaiIiOUIKSUwndsgVPs8nuDtjtIc
 5HiYXVJ7gliGt3SUrS8CiYdCxSWYKNhIhMuGmaalOD3Bu0Zj1A6zougW/MXdm8bF8JAahgbJ
 kUMkXybhGeayIxwRFnPV/Js1iqqv0+hkHMbxd6CORKyww0S/8OSfZD6ASfWiWOGD/VtI6OOH
 yxUP8s/ZnMYo0d2nlhyxdQyPCzulJ2xhj/bDf6DZwrBHTc9MXudgr7aw==;
From: Peter Marko <peter.marko@siemens.com>
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko <peter.marko@siemens.com>
Subject: [OE-core][scarthgap][PATCH 3/3] wpa-supplicant: Ignore CVE-2024-5290
Date: Sat, 28 Sep 2024 19:42:23 +0200
Message-Id: <20240928174223.3749001-3-peter.marko@siemens.com>
In-Reply-To: <20240928174223.3749001-1-peter.marko@siemens.com>
References: <20240928174223.3749001-1-peter.marko@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-256628:519-21489:flowmailer
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Sat, 28 Sep 2024 17:44:16 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/205047

From: Peter Marko <peter.marko@siemens.com>

NVD CVE report [1] links Ubuntu bug [2] which has a very good
description/discussion about this issue.
It applies only to distros patching wpa-supplicant to allow non-root
users (e.g. via netdev group) to load modules.
This is not the case of Yocto.

Quote:
So upstream isn't vulnerable as they only expose the dbus interface to
root. Downstreams like Ubuntu and Chromium added a patch that grants
access to the netdev group. The patch is the problem, not the upstream
code IMHO.

There is also a commit [3] associated with this CVE, however that only
provides build-time configuration to limit paths which can be accessed
but it acts only as a mitigation for distros which allow non-root users
to load crafted modules.

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-5290
[2] https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/2067613
[3] https://w1.fi/cgit/hostap/commit/?id=c84388ee4c66bcd310db57489eac4a75fc600747

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
index 22028ce957..01dc72b385 100644
--- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb
@@ -32,6 +32,8 @@ PACKAGECONFIG[openssl] = ",,openssl"
 
 CVE_PRODUCT = "wpa_supplicant"
 
+CVE_STATUS[CVE-2024-5290] = "not-applicable-platform: this only affects Ubuntu and other platforms patching wpa-supplicant"
+
 EXTRA_OEMAKE = "'LIBDIR=${libdir}' 'INCDIR=${includedir}' 'BINDIR=${sbindir}'"
 
 do_configure () {