On Fri, Jun 14, 2024 at 12:51 AM Clayton Casciato via lists.openembedded.org
<ccasciato=21sw...@lists.openembedded.org> wrote:

> Hello!
>
> "OE-core CVE metrics for kirkstone on Sun 09 Jun 2024 02:00:01 AM HST"
> reports CVE-2022-3515 <https://nvd.nist.gov/vuln/detail/CVE-2022-3515> as
> "unpatched", as do local builds with "cve-check".
>
> NIST lists GnuPG as vulnerable from 2.3.0 to 2.4.0, which is why this is
> reported as a CVE.
>
> This vulnerability was fixed in Libksba 1.6.2 (upstream issue
> <https://dev.gnupg.org/T6230>, upstream patch
> <https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b>).
>
> meta/recipes-support/gnupg/gnupg_2.3.7.bb
> <https://git.openembedded.org/openembedded-core/tree/meta/recipes-support/gnupg/gnupg_2.3.7.bb?h=kirkstone>
> DEPENDS libksba
>
> meta/recipes-support/libksba/libksba_1.6.4.bb
> <https://git.openembedded.org/openembedded-core/tree/meta/recipes-support/libksba/libksba_1.6.4.bb?h=kirkstone>
>
> I manually verified the upstream patch exists in the fetched
> libksba-1.6.4.tar.bz2.
> $ sed -n '185,190p' libksba-1.6.4/src/ber-help.c
>
> Should this CVE be added to
> meta/conf/distro/include/cve-extra-exclusions.inc?
>
>
Hello,

From what I see, this is the NVD entry that is wrong, as it mentions this
CVE for gnupg, while the original advisory mentions libksba only. And so
does the direct CVE entry.

For now, use CVE_STATUS, but only in your gnupg recipe. We do not need this
one to be visible globally,
and the NVD entry for the libksba is correct.

You can notify NVD that the entry is wrong by writing to the address that
is linked at https://nvd.nist.gov/vuln/detail/CVE-2022-3515
in the "Are we missing a CPE here? Please let us know"
<cpe_diction...@nist.gov> part.

I've fixed it in the overrides repo.

Kind regards,
Marta
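As an added illustration (not part of the thread, and not OE-core's own change), this is what the recipe-local override Marta recommends looks like when carried in a layer's bbappend instead of the global cve-extra-exclusions.inc. The bbappend path and the wording of the reason string are assumptions; the `CVE_STATUS` syntax and the `cpe-incorrect` status name are the ones defined in OE-core's meta/conf/cve-check-map.conf:

```bitbake
# meta-mylayer/recipes-support/gnupg/gnupg_%.bbappend   (hypothetical path)
#
# Scope the exclusion to gnupg only: cve-check reports CVE-2022-3515 as
# "Ignored" for this recipe, while libksba keeps its own, correct NVD entry
# and is still checked normally (kirkstone ships libksba 1.6.4 > 1.6.2 fix).
# A global entry in meta/conf/distro/include/cve-extra-exclusions.inc would
# instead hide the CVE for every recipe in the build.
CVE_STATUS[CVE-2022-3515] = "cpe-incorrect: NVD CPE names GnuPG, but the advisory and the fix are against libksba (fixed in libksba 1.6.2)"
```

After adding it, `bitbake gnupg -c cve_check` regenerates the per-recipe report, where the CVE should now appear with status Ignored and the reason above; the libksba report is unchanged, which is the check that the override did not over-reach.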