On Mon, Sep 13, 2021 at 2:45 AM Saloni Jain <jainsaloni0...@gmail.com> wrote:
>
> From: Saloni Jain <salo...@kpit.com>
>
> The CVEs below affect only Oracle Berkeley DB as per upstream.
> Hence, whitelist them.

I suspect that a cleaner solution might be to revert:

db: update CVE_PRODUCT
(https://git.openembedded.org/openembedded-core/commit/?id=ad799b109716ccd2f44dcf7a6a4cfcbd622ea661)

which adds berkeley_db to CVE_PRODUCT

I did a quick test and this eliminates all of the below CVEs. And of
course it makes sense to only check for oracle_berkeley_db since that
is the source code we are using.

Also, this same issue is present in master, so any fix would need to
go there first and I will cherry-pick.

Could you confirm that this approach works for you too?

Steve

>
> 1. CVE-2015-2583
> Link: https://security-tracker.debian.org/tracker/CVE-2015-2583
> 2. CVE-2015-2624
> Link: https://security-tracker.debian.org/tracker/CVE-2015-2624
> 3. CVE-2015-2626
> Link: https://security-tracker.debian.org/tracker/CVE-2015-2626
> 4. CVE-2015-2640
> Link: https://security-tracker.debian.org/tracker/CVE-2015-2640
> 5. CVE-2015-2654
> Link: https://security-tracker.debian.org/tracker/CVE-2015-2654
> 6. CVE-2015-2656
> Link: https://security-tracker.debian.org/tracker/CVE-2015-2656
> 7. CVE-2015-4754
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4754
> 8. CVE-2015-4764
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4764
> 9. CVE-2015-4774
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4774
> 10. CVE-2015-4775
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4775
> 11. CVE-2015-4776
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4776
> 12. CVE-2015-4777
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4777
> 13. CVE-2015-4778
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4778
> 14. CVE-2015-4779
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4779
> 15. CVE-2015-4780
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4780
> 16. CVE-2015-4781
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4781
> 17. CVE-2015-4782
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4782
> 18. CVE-2015-4783
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4783
> 19. CVE-2015-4784
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4784
> 20. CVE-2015-4785
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4785
> 21. CVE-2015-4786
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4786
> 22. CVE-2015-4787
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4787
> 23. CVE-2015-4788
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4788
> 24. CVE-2015-4789
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4789
> 25. CVE-2015-4790
> Link: https://security-tracker.debian.org/tracker/CVE-2015-4790
> 26. CVE-2016-0682
> Link: https://security-tracker.debian.org/tracker/CVE-2016-0682
> 27. CVE-2016-0689
> Link: https://security-tracker.debian.org/tracker/CVE-2016-0689
> 28. CVE-2016-0692
> Link: https://security-tracker.debian.org/tracker/CVE-2016-0692
> 29. CVE-2016-0694
> Link: https://security-tracker.debian.org/tracker/CVE-2016-0694
> 30. CVE-2016-3418
> Link: https://security-tracker.debian.org/tracker/CVE-2016-3418
> 31. CVE-2017-3604
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3604
> 32. CVE-2017-3605
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3605
> 33. CVE-2017-3606
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3606
> 34. CVE-2017-3607
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3607
> 35. CVE-2017-3608
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3608
> 36. CVE-2017-3609
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3609
> 37. CVE-2017-3610
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3610
> 38. CVE-2017-3611
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3611
> 39. CVE-2017-3612
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3612
> 40. CVE-2017-3613
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3613
> 41. CVE-2017-3614
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3614
> 42. CVE-2017-3615
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3615
> 43. CVE-2017-3616
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3616
> 44. CVE-2017-3617
> Link: https://security-tracker.debian.org/tracker/CVE-2017-3617
> 45. CVE-2020-2981
> Link: https://security-tracker.debian.org/tracker/CVE-2020-2981
>
> Signed-off-by: Saloni <jainsaloni0...@gmail.com>
> ---
>  meta/recipes-support/db/db_5.3.28.bb | 92 ++++++++++++++++++++++++++++
>  1 file changed, 92 insertions(+)
>
> diff --git a/meta/recipes-support/db/db_5.3.28.bb 
> b/meta/recipes-support/db/db_5.3.28.bb
> index b2ae98f05c..000e9ef468 100644
> --- a/meta/recipes-support/db/db_5.3.28.bb
> +++ b/meta/recipes-support/db/db_5.3.28.bb
> @@ -39,6 +39,98 @@ SRC_URI[sha256sum] = 
> "e0a992d740709892e81f9d93f06daf305cf73fb81b545afe7247804317
>
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=ed1158e31437f4f87cdd4ab2b8613955"
>
> +# Below CVEs affects only Oracle Berkeley DB as per upstream.
> +# https://security-tracker.debian.org/tracker/CVE-2015-2583
> +CVE_CHECK_WHITELIST += "CVE-2015-2583"
> +# https://security-tracker.debian.org/tracker/CVE-2015-2624
> +CVE_CHECK_WHITELIST += "CVE-2015-2624"
> +# https://security-tracker.debian.org/tracker/CVE-2015-2626
> +CVE_CHECK_WHITELIST += "CVE-2015-2626"
> +# https://security-tracker.debian.org/tracker/CVE-2015-2640
> +CVE_CHECK_WHITELIST += "CVE-2015-2640"
> +# https://security-tracker.debian.org/tracker/CVE-2015-2654
> +CVE_CHECK_WHITELIST += "CVE-2015-2654"
> +# https://security-tracker.debian.org/tracker/CVE-2015-2656
> +CVE_CHECK_WHITELIST += "CVE-2015-2656"
> +# https://security-tracker.debian.org/tracker/CVE-2015-4754
> +CVE_CHECK_WHITELIST += "CVE-2015-4754"
> +# https://security-tracker.debian.org/tracker/CVE-2015-4764
> +CVE_CHECK_WHITELIST += "CVE-2015-4764"
> +# https://security-tracker.debian.org/tracker/CVE-2015-4774
> +CVE_CHECK_WHITELIST += "CVE-2015-4774"
> +# https://security-tracker.debian.org/tracker/CVE-2015-4775
> +CVE_CHECK_WHITELIST += "CVE-2015-4775"
> +# https://security-tracker.debian.org/tracker/CVE-2015-4776
> +CVE_CHECK_WHITELIST += "CVE-2015-4776"
> +# https://security-tracker.debian.org/tracker/CVE-2015-4777
> +CVE_CHECK_WHITELIST += "CVE-2015-4777"
> +# https://security-tracker.debian.org/tracker/CVE-2015-4778
> +CVE_CHECK_WHITELIST += "CVE-2015-4778"
> +# https://security-tracker.debian.org/tracker/CVE-2015-4779
> +CVE_CHECK_WHITELIST += "CVE-2015-4779"
> +# https://security-tracker.debian.org/tracker/CVE-2015-4780
> +CVE_CHECK_WHITELIST += "CVE-2015-4780"
> +# https://security-tracker.debian.org/tracker/CVE-2015-4781
> +CVE_CHECK_WHITELIST += "CVE-2015-4781"
> +# https://security-tracker.debian.org/tracker/CVE-2015-4782
> +CVE_CHECK_WHITELIST += "CVE-2015-4782"
> +# https://security-tracker.debian.org/tracker/CVE-2015-4783
> +CVE_CHECK_WHITELIST += "CVE-2015-4783"
> +# https://security-tracker.debian.org/tracker/CVE-2015-4784
> +CVE_CHECK_WHITELIST += "CVE-2015-4784"
> +# https://security-tracker.debian.org/tracker/CVE-2015-4785
> +CVE_CHECK_WHITELIST += "CVE-2015-4785"
> +# https://security-tracker.debian.org/tracker/CVE-2015-4786
> +CVE_CHECK_WHITELIST += "CVE-2015-4786"
> +# https://security-tracker.debian.org/tracker/CVE-2015-4787
> +CVE_CHECK_WHITELIST += "CVE-2015-4787"
> +# https://security-tracker.debian.org/tracker/CVE-2015-4788
> +CVE_CHECK_WHITELIST += "CVE-2015-4788"
> +# https://security-tracker.debian.org/tracker/CVE-2015-4789
> +CVE_CHECK_WHITELIST += "CVE-2015-4789"
> +# https://security-tracker.debian.org/tracker/CVE-2015-4790
> +CVE_CHECK_WHITELIST += "CVE-2015-4790"
> +# https://security-tracker.debian.org/tracker/CVE-2016-0682
> +CVE_CHECK_WHITELIST += "CVE-2016-0682"
> +# https://security-tracker.debian.org/tracker/CVE-2016-0689
> +CVE_CHECK_WHITELIST += "CVE-2016-0689"
> +# https://security-tracker.debian.org/tracker/CVE-2016-0692
> +CVE_CHECK_WHITELIST += "CVE-2016-0692"
> +# https://security-tracker.debian.org/tracker/CVE-2016-0694
> +CVE_CHECK_WHITELIST += "CVE-2016-0694"
> +# https://security-tracker.debian.org/tracker/CVE-2016-3418
> +CVE_CHECK_WHITELIST += "CVE-2016-3418"
> +# https://security-tracker.debian.org/tracker/CVE-2017-3604
> +CVE_CHECK_WHITELIST += "CVE-2017-3604"
> +# https://security-tracker.debian.org/tracker/CVE-2017-3605
> +CVE_CHECK_WHITELIST += "CVE-2017-3605"
> +# https://security-tracker.debian.org/tracker/CVE-2017-3606
> +CVE_CHECK_WHITELIST += "CVE-2017-3606"
> +# https://security-tracker.debian.org/tracker/CVE-2017-3607
> +CVE_CHECK_WHITELIST += "CVE-2017-3607"
> +# https://security-tracker.debian.org/tracker/CVE-2017-3608
> +CVE_CHECK_WHITELIST += "CVE-2017-3608"
> +# https://security-tracker.debian.org/tracker/CVE-2017-3609
> +CVE_CHECK_WHITELIST += "CVE-2017-3609"
> +# https://security-tracker.debian.org/tracker/CVE-2017-3610
> +CVE_CHECK_WHITELIST += "CVE-2017-3610"
> +# https://security-tracker.debian.org/tracker/CVE-2017-3611
> +CVE_CHECK_WHITELIST += "CVE-2017-3611"
> +# https://security-tracker.debian.org/tracker/CVE-2017-3612
> +CVE_CHECK_WHITELIST += "CVE-2017-3612"
> +# https://security-tracker.debian.org/tracker/CVE-2017-3613
> +CVE_CHECK_WHITELIST += "CVE-2017-3613"
> +# https://security-tracker.debian.org/tracker/CVE-2017-3614
> +CVE_CHECK_WHITELIST += "CVE-2017-3614"
> +# https://security-tracker.debian.org/tracker/CVE-2017-3615
> +CVE_CHECK_WHITELIST += "CVE-2017-3615"
> +# https://security-tracker.debian.org/tracker/CVE-2017-3616
> +CVE_CHECK_WHITELIST += "CVE-2017-3616"
> +# https://security-tracker.debian.org/tracker/CVE-2017-3617
> +CVE_CHECK_WHITELIST += "CVE-2017-3617"
> +# https://security-tracker.debian.org/tracker/CVE-2020-2981
> +CVE_CHECK_WHITELIST += "CVE-2020-2981"
> +
>  inherit autotools
>
>  # The executables go in a separate package - typically there
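Review bot: the header comment on the whitelist block ("Below CVEs affects only Oracle Berkeley DB as per upstream") does not explain why these CVEs are excluded for this recipe, given that db_5.3.28.bb builds the Oracle Berkeley DB source, so the 45 CVE_CHECK_WHITELIST entries read as silencing the findings rather than triaging them. Each entry carries only a Debian tracker URL; the comment should state the actual reason a CVE does not apply to the 5.3.28 source being built (or that the match comes from the extra berkeley_db product name in CVE_PRODUCT), so the next reviewer can re-check the decision. As discussed in the reply, narrowing CVE_PRODUCT to oracle_berkeley_db removes the false matches at the source and is easier to maintain than one whitelist line per CVE; if the whitelist is kept, at minimum fix the grammar of the header comment ("Below CVEs affect only ...").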
> --
> 2.17.1
View/Reply Online (#155978): https://lists.openembedded.org/g/openembedded-core/message/155978