[yocto] [meta-security][kirkstone][PATCH] sssd: ignore CVE-2018-16838

2022-07-18 Thread Davide Gardenal
CVE-2018-16838 is patched in our version of sssd, but it doesn't have
a vulnerable version range in the NVD database;
that's why it needs to be ignored.

Signed-off-by: Davide Gardenal 
---
 recipes-security/sssd/sssd_2.5.2.bb | 4 
 1 file changed, 4 insertions(+)

diff --git a/recipes-security/sssd/sssd_2.5.2.bb 
b/recipes-security/sssd/sssd_2.5.2.bb
index 9f1d627..4c75e0a 100644
--- a/recipes-security/sssd/sssd_2.5.2.bb
+++ b/recipes-security/sssd/sssd_2.5.2.bb
@@ -28,6 +28,10 @@ SRC_URI = 
"https://github.com/SSSD/sssd/releases/download/${PV}/sssd-${PV}.tar.g
 
 SRC_URI[sha256sum] = 
"5e21b3c7b4a2f1063d0fbdd3216d29886b6eaba153b44fb5961698367f399a0f"
 
+CVE_CHECK_IGNORE += "\
+CVE-2018-16838 \
+"
+
 inherit autotools pkgconfig gettext python3-dir features_check systemd
 
 REQUIRED_DISTRO_FEATURES = "pam"
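Review bot: the new `CVE_CHECK_IGNORE` entry carries no justification in the recipe itself; the reasoning from the commit message (fixed in this sssd version, NVD lists no vulnerable range) should go into a comment next to `+CVE-2018-16838 \` so whoever bumps the recipe knows when the entry can be dropped, and a link to the upstream fix would make that verifiable without digging through list archives.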
-- 
2.34.1


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#57558): https://lists.yoctoproject.org/g/yocto/message/57558
Mute This Topic: https://lists.yoctoproject.org/mt/92456105/21656
Group Owner: yocto+ow...@lists.yoctoproject.org
Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [yocto] [meta-security][PATCH v2] meta-integrity: kernel-modsign: prevents splitting out debug symbols

2022-07-18 Thread Jose Quaresma
Hi Armin,

Can this patch be backported to kirkstone?

Jose

Jose Quaresma via lists.yoctoproject.org wrote on Monday, 27/06/2022 at
13:02:

> Starting with [1], kernel module symbols are being split out in OE-core,
> and this breaks kernel module signing, so disable it.
>
> [1]
> https://git.openembedded.org/openembedded-core/commit/?id=e09a8fa931fe617afc05bd5e00dca5dd3fe386e8
>
> Signed-off-by: Jose Quaresma 
> ---
>  meta-integrity/classes/kernel-modsign.bbclass | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/meta-integrity/classes/kernel-modsign.bbclass
> b/meta-integrity/classes/kernel-modsign.bbclass
> index 093c358..d3aa7fb 100644
> --- a/meta-integrity/classes/kernel-modsign.bbclass
> +++ b/meta-integrity/classes/kernel-modsign.bbclass
> @@ -13,7 +13,9 @@ MODSIGN_PRIVKEY ?=
> "${MODSIGN_KEY_DIR}/privkey_modsign.pem"
>  MODSIGN_X509 ?= "${MODSIGN_KEY_DIR}/x509_modsign.crt"
>
>  # If this class is enabled, disable stripping signatures from modules
> +# as well disable the debug symbols split
>  INHIBIT_PACKAGE_STRIP = "1"
> +INHIBIT_PACKAGE_DEBUG_SPLIT = "1"
>
>  kernel_do_configure:prepend() {
>  if [ -f "${MODSIGN_PRIVKEY}" -a -f "${MODSIGN_X509}" ]; then
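Review bot: `INHIBIT_PACKAGE_DEBUG_SPLIT = "1"` applies to every recipe that inherits the class, including builds where the `kernel_do_configure:prepend` guard below finds no `MODSIGN_PRIVKEY`/`MODSIGN_X509` and therefore never signs anything; if that is intended, the cost (no -dbg package for those modules) belongs in the commit message. The new comment line `# as well disable the debug symbols split` also reads awkwardly; something like `# and also disable splitting out debug symbols` says the same thing clearly.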
> --
> 2.36.1
>
>
> 
>
>

-- 
Best regards,

José Quaresma

View/Reply Online (#57559): https://lists.yoctoproject.org/g/yocto/message/57559



Re: [yocto] [PATCHv2 1/2] image-without-static-linkage: add class

2022-07-18 Thread Schilling, Johannes via lists.yoctoproject.org
From b56b89881a6c68f316cd381ddae67e0484ff116b Mon Sep 17 00:00:00 2001
From: Johannes Schilling 
Date: Fri, 24 Jun 2022 12:26:57 +0200
Subject: [PATCH 1/2] image-without-static-linkage: add class

This class provides a new image QA check that tries to detect static
linkage of a set of well-known libraries, leveraging the detectors from
cve-bin-tool[0].

To use in your project, provide a config file as described in the header
comment of the class, and inherit image-without-static-linkage in your
image recipe.

[0] https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers

Signed-Off-By: Johannes Schilling 
---
 classes/image-without-static-linkage.bbclass  |  65 +
 .../cve-bin-tool/cve-bin-tool-native_3.1.bb   |  32 +
 .../files/cve-bin-tool-static-linkage-checker | 127 ++
 4 files changed, 225 insertions(+)
 create mode 100644 classes/image-without-static-linkage.bbclass
 create mode 100644 recipes-security/cve-bin-tool/cve-bin-tool-native_3.1.bb
 create mode 100644 
recipes-security/cve-bin-tool/files/cve-bin-tool-static-linkage-checker

diff --git a/classes/image-without-static-linkage.bbclass 
b/classes/image-without-static-linkage.bbclass
new file mode 100644
index 000..c6f2013
--- /dev/null
+++ b/classes/image-without-static-linkage.bbclass
@@ -0,0 +1,65 @@
+# Provide a QA check for statically linked copies of libraries.
+#
+# You need to provide a config file in TOML format and point the
+# variable `STATIC_LINKAGE_CHECK_CONFIG_FILE` to it.
+#
+# The file format is as follows
+# ```
+# [checkers]
+# modules = [
+#   # list of checker module names of cve-bin-tool checkers lib to
+#   # enable, i.e. file names in the cve_bin_tool/checkers subfolder.
+#   # https://github.com/intel/cve-bin-tool/tree/main/cve_bin_tool/checkers
+#   "librsvg",
+#   "zlib",
+# ]
+#
+# [exceptions]
+# ignore_dirs = [
+#   # list of directories, everything under these is completely ignored
+#   "/var/lib/opkg",
+# ]
+#
+# [exceptions.ignore_checks]
+#   # for each binary path, a list of checkers from the global list to
+#   # ignore for this binary (allowlist)
+#   "/bin/ary/name" = [ "zlib" ],
+# ```
+
+IMAGE_QA_COMMANDS += "image_check_static_linkage"
+
+DEPENDS += "cve-bin-tool-native"
+
+inherit python3native
+
+
+STATIC_LINKAGE_CUSTOM_ERROR_MESSAGE ??= ""
+
+python image_check_static_linkage() {
+import json
+from pathlib import Path
+import subprocess
+
+from oe.utils import ImageQAFailed
+
+check_result = 
subprocess.check_output(["cve-bin-tool-static-linkage-checker",
+"--config", d.getVar("STATIC_LINKAGE_CHECK_CONFIG_FILE"),
+d.getVar("IMAGE_ROOTFS"),
+])
+check_result = json.loads(check_result)
+
+deploy_dir = Path(d.getVar("DEPLOYDIR"))
+deploy_dir.mkdir(parents=True, exist_ok=True)
+image_basename = d.getVar("IMAGE_BASENAME")
+stats_filename = "static_linkage_stats-" + image_basename + ".json"
+with open(deploy_dir / stats_filename, "w") as stats_out:
+json.dump(check_result, stats_out)
+
+binaries_with_violations = {k: v for k, v in check_result.items() if v}
+if binaries_with_violations:
+msg = "Static linkage check: found {} 
violations".format(len(binaries_with_violations))
+for violator, violations in binaries_with_violations.items():
+msg += "\n{}: {}".format(violator, violations)
+
+raise ImageQAFailed(msg, image_check_static_linkage)
+}
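Review bot: `d.getVar("STATIC_LINKAGE_CHECK_CONFIG_FILE")` is passed straight into the `subprocess.check_output` argument list, so an unset variable surfaces as a TypeError from subprocess instead of a clear message; check it up front and `bb.fatal` naming the variable. `STATIC_LINKAGE_CUSTOM_ERROR_MESSAGE ??= ""` is declared but never read in this hunk, so either append it to `msg` before `raise ImageQAFailed(...)` or drop it. A non-zero exit from the checker raises CalledProcessError with no output attached; catch it and re-raise as ImageQAFailed with the checker's stderr so the QA failure is actionable. Please also confirm `DEPLOYDIR` is defined for an image recipe (it comes from deploy.bbclass; image.bbclass uses IMGDEPLOYDIR for its own artifacts), and note that the diffstat says `4 files changed, 225 insertions(+)` while only three files totalling 224 lines are listed, so a file seems to be missing from the posted series.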
diff --git a/recipes-security/cve-bin-tool/cve-bin-tool-native_3.1.bb 
b/recipes-security/cve-bin-tool/cve-bin-tool-native_3.1.bb
new file mode 100644
index 000..64a3d01
--- /dev/null
+++ b/recipes-security/cve-bin-tool/cve-bin-tool-native_3.1.bb
@@ -0,0 +1,32 @@
+SUMMARY = "Scanner for statically linked library copies"
+HOMEPAGE = "https://github.com/intel/cve-bin-tool";
+
+LICENSE = "GPL-3.0"
+LIC_FILES_CHKSUM = "file://LICENSE.md;md5=97a733ff40c50b4bfc74471e1f6ca88b"
+
+
+SRC_URI = "\
+https://github.com/intel/cve-bin-tool/archive/refs/tags/v${PV}.tar.gz \
+file://cve-bin-tool-static-linkage-checker \
+"
+
+SRC_URI[sha256sum] = 
"c4faaa401a2605a0d3f3c947deaf01cb56b4da927bfc29b5e959cde243bf5daf"
+
+inherit setuptools3 native
+
+S = "${WORKDIR}/${BPN}-${PV}"
+
+RDEPENDS:${PN} = "\
+  python3-rich-native \
+  python3-packaging-native \
+  python3-toml-native \
+"
+
+do_install:append() {
+  install -m 0755 "${WORKDIR}/cve-bin-tool-static-linkage-checker" 
"${D}${bindir}"
+}
+
+FILES:${PN} += "${bindir}/cve-bin-tool-static-linkage-checker"
+
+do_configure[noexec] = "1"
+do_compile[noexec] = "1"
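Review bot: `do_configure[noexec]` and `do_compile[noexec]` together with `inherit setuptools3` need a comment explaining the intent, and a check that setuptools3's do_install still works with do_compile disabled, since in kirkstone it installs the wheel that do_compile builds; if the package is only a vehicle for the `cve-bin-tool-static-linkage-checker` script plus the checker modules, say so. `LICENSE = "GPL-3.0"` should use the SPDX form `GPL-3.0-only` (or `-or-later`, per upstream) that kirkstone expects, `do_install:append` should `install -d "${D}${bindir}"` before copying rather than rely on the base class having created it, and the stray `;` after the HOMEPAGE string should go if it is really in the patch and not an archive artifact.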
diff --git 
a/recipes-security/cve-bin-tool/files/cve-bin-tool-static-linkage-checker 
b/recipes-security/cve-bin-tool/files/cve-bin-tool-static-linkage-checker
new file mode 100644
index 000..16ba86d
--- /dev/null
+++ b/recipes-security/cve-bin-tool/files/cve-bin-tool-static-linkage-checker
@@ -0,0 +1,127 @@
+#!/usr/bin/env python3
+# SPDX-License-Identifier: GPL-3.0
+
+from importlib import import_module
+fro

Re: [yocto] [PATCHv2 2/2] image-without-static-linkage: add selftest

2022-07-18 Thread Schilling, Johannes via lists.yoctoproject.org
From 87c3c8cc4f3e67b2bc06af53705f18c0a9de5dd7 Mon Sep 17 00:00:00 2001
From: Johannes Schilling 
Date: Mon, 27 Jun 2022 16:12:25 +0200
Subject: [PATCH 2/2] image-without-static-linkage: add selftest

The selftest runs the static linkage check QA test on a small rootfs,
expecting no static linkage against the two checkers "zlib" and
"librsvg". This tests that the class and the config are correctly pulled
in, the checkers are found and run, and will fail if yocto's core image
ever does ship statically linked copies of one of these.

Signed-Off-By: Johannes Schilling 
---
 .../selftest/cases/static_linkage_checker.py  | 39 +++
 1 file changed, 39 insertions(+)
 create mode 100644 lib/oeqa/selftest/cases/static_linkage_checker.py

diff --git a/lib/oeqa/selftest/cases/static_linkage_checker.py 
b/lib/oeqa/selftest/cases/static_linkage_checker.py
new file mode 100644
index 000..a5fdf6b
--- /dev/null
+++ b/lib/oeqa/selftest/cases/static_linkage_checker.py
@@ -0,0 +1,39 @@
+import os
+import re
+
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import bitbake
+
+class StaticLinkageCheck(OESelftestTestCase):
+def test_static_linkage_check(self):
+self.write_recipeinc('emptytest', """
+SUMMARY = "A small image just capable of allowing a device to boot."
+
+IMAGE_INSTALL = "packagegroup-core-boot ${CORE_IMAGE_EXTRA_INSTALL}"
+
+CORE_IMAGE_EXTRA_INSTALL ?= ""
+
+LICENSE = "MIT"
+
+inherit image
+
+IMAGE_ROOTFS_SIZE ?= "8192"
+
+inherit image-without-static-linkage
+
+STATIC_LINKAGE_CHECK_CONFIG = "${WORKDIR}/static-linkage-check-config.toml"
+
+do_write_config() {
+echo "[checkers]\nmodules = [ "zlib", "librsvg" ]\n" > 
"${STATIC_LINKAGE_CHECK_CONFIG}"
+echo "[exceptions]" >> "${STATIC_LINKAGE_CHECK_CONFIG}"
+echo "ignore_dirs = []" >> "${STATIC_LINKAGE_CHECK_CONFIG}"
+echo "ignore_checks = {}" >> "${STATIC_LINKAGE_CHECK_CONFIG}"
+}
+
+addtask do_write_config before do_image_qa
+""")
+
+result = bitbake("-c image_qa emptytest", ignore_status=True)
+if result.status != 0:
+self.logger.warn(result.output)
+raise self.failureException("build failed, something went 
wrong...")
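Review bot: the test sets `STATIC_LINKAGE_CHECK_CONFIG`, but the class in 1/2 reads `STATIC_LINKAGE_CHECK_CONFIG_FILE`, so `d.getVar(...)` returns None and the subprocess call fails before the checker ever runs; the two names must match. The `echo "[checkers]\nmodules = [ "zlib", "librsvg" ]\n"` line is also broken twice: the inner double quotes end the outer string, so the file gets `modules = [ zlib, librsvg ]` (bare words, not TOML strings), and `\n` inside echo is interpreted by dash but not by bash, so the section header and the array can end up on one line; write it with `printf '%s\n' '[checkers]' 'modules = [ "zlib", "librsvg" ]'` or a heredoc. `import os` and `import re` are unused, `self.logger.warn` is deprecated in favour of `warning`, and the test only checks that bitbake exited 0, which would also pass if the QA command never ran; assert that the `static_linkage_stats-<image>.json` file the class writes exists in the deploy directory.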


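As an added illustration of the exception semantics the class header in 1/2 documents and the config the selftest above writes (this is not the project's checker, which is the truncated script in 1/2): a Python sketch that scans a constructed in-memory rootfs with hypothetical per-checker byte signatures, applies `ignore_dirs` and the per-binary `ignore_checks` allowlist, and returns the `{path: [checkers]}` mapping that `image_check_static_linkage` filters. The config is a dict mirroring the TOML rather than a parsed file, and the signatures are assumptions, not cve-bin-tool's own.

```python
import re
from pathlib import PurePosixPath

# Constructed stand-in for the TOML config the class header documents:
# same keys as its [checkers], [exceptions] and [exceptions.ignore_checks].
CONFIG = {
    "checkers": {"modules": ["zlib", "librsvg"]},
    "exceptions": {
        "ignore_dirs": ["/var/lib/opkg"],
        "ignore_checks": {"/usr/bin/vendor-tool": ["zlib"]},
    },
}
# Hypothetical "contains" signatures keyed by checker module name; the real
# cve-bin-tool checkers ship their own pattern lists, these are not them.
SIGNATURES = {
    "zlib": [rb"inflate [0-9]+\.[0-9]+\.[0-9]+ Copyright"],
    "librsvg": [rb"librsvg-[0-9]+\.[0-9]+\.[0-9]+"],
}

def _under_ignored_dir(path, ignore_dirs):
    p = PurePosixPath(path)
    return any(PurePosixPath(d) in p.parents for d in ignore_dirs)

def scan_rootfs(files, config):
    """files: {absolute path in the rootfs: file bytes}. Returns the shape the
    class consumes, {path: [checkers that fired]}, empty list meaning clean."""
    enabled = config["checkers"]["modules"]
    exc = config.get("exceptions", {})
    ignore_dirs = exc.get("ignore_dirs", [])
    ignore_checks = exc.get("ignore_checks", {})
    result = {}
    for path, blob in files.items():
        if _under_ignored_dir(path, ignore_dirs):
            continue  # whole directory tree is exempt
        allowed = set(ignore_checks.get(path, []))  # per-binary allowlist
        result[path] = [name for name in enabled if name not in allowed
                        and any(re.search(p, blob) for p in SIGNATURES.get(name, []))]
    return result

def violations(result):
    """Mirror of the class's filter: keep only binaries with at least one hit."""
    return {k: v for k, v in result.items() if v}

# Constructed sample rootfs: a clean binary, one carrying an embedded zlib copy,
# one allowlisted for zlib, and a package database file under an ignored dir.
SAMPLE_ROOTFS = {
    "/bin/busybox": b"\x7fELF\x02\x01\x01GCC: (GNU) 11.2\x00",
    "/usr/bin/static-app": b"\x7fELF inflate 1.2.11 Copyright 1995-2017 Mark Adler \x00",
    "/usr/bin/vendor-tool": b"\x7fELF inflate 1.2.12 Copyright 1995-2022 Mark Adler \x00",
    "/var/lib/opkg/info/zlib.control": b"Package: zlib\ninflate 1.2.11 Copyright\n",
}
```

Running `violations(scan_rootfs(SAMPLE_ROOTFS, CONFIG))` reports only `/usr/bin/static-app`; the allowlisted tool and the opkg database entry are dropped the way the class's config promises.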

View/Reply Online (#57561): https://lists.yoctoproject.org/g/yocto/message/57561



[yocto] Yocto Project Newcomer & Unassigned Bugs - Help Needed

2022-07-18 Thread Stephen Jolley
All,

 

The triage team is starting to try and collect up and classify bugs which a
newcomer to the project would be able to work on in a way which means people
can find them. They're being listed on the triage page under the appropriate
heading:

https://wiki.yoctoproject.org/wiki/Bug_Triage#Newcomer_Bugs

Also please review
https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded and
how to create a bugzilla account at:
https://bugzilla.yoctoproject.org/createaccount.cgi

The idea is these bugs should be straight forward for a person to help work
on who doesn't have deep experience with the project.  If anyone can help,
please take ownership of the bug and send patches!  If anyone needs
help/advice there are people on irc who can likely do so, or some of the
more experienced contributors will likely be happy to help too.

 

Also, the triage team meets weekly and does its best to handle the bugs
reported into the Bugzilla. The number of people attending that meeting has
fallen, as have the number of people available to help fix bugs. One of the
things we hear users report is they don't know how to help. We (the triage
team) are therefore going to start reporting out the currently 412
unassigned or newcomer bugs.

 

We're hoping people may be able to spare some time now and again to help out
with these.  Bugs are split into two types, "true bugs" where things don't
work as they should and "enhancements" which are features we'd want to add
to the system.  There are also roughly four different "priority" classes
right now,  "4.1", "4.2", "4.99" and "Future", the more pressing/urgent
issues being in "4.1" and then "4.2".

 

Please review this link and if a bug is something you would be able to help
with either take ownership of the bug, or send me (sjolley.yp...@gmail.com)
an e-mail with the bug number you would like and I will assign it to you
(please make sure you have a Bugzilla account).  The list is at:
https://wiki.yoctoproject.org/wiki/Bug_Triage_Archive#Unassigned_or_Newcomer_Bugs

 

Thanks,

 

Stephen K. Jolley
Yocto Project Program Manager
Cell: (208) 244-4460
Email: sjolley.yp...@gmail.com


View/Reply Online (#57562): https://lists.yoctoproject.org/g/yocto/message/57562



[yocto] Current high bug count owners for Yocto Project 4.1

2022-07-18 Thread Stephen Jolley
All,

Below is the list of the top 37 bug owners, as of the end of WW29, who have
open medium or higher bugs and enhancements against YP 4.1.   There are 72
possible work days left until the final release candidates for YP 4.1 need
to be released.


Who                                   Count
michael.opdenac...@bootlin.com           36
ross.bur...@arm.com                      24
david.re...@windriver.com                23
bruce.ashfi...@gmail.com                 21
randy.macl...@windriver.com              16
richard.pur...@linuxfoundation.org       11
saul.w...@windriver.com                  10
sakib.sa...@windriver.com                 9
jpewhac...@gmail.com                      9
aryaman.gu...@windriver.com               7
tim.orl...@konsulko.com                   6
mhalst...@linuxfoundation.org             5
jon.ma...@arm.com                         4
akuster...@gmail.com                      3
pgowda@gmail.com                          2
tvgamb...@gmail.com                       2
pa...@zhukoff.net                         2
sundeep.kokko...@gmail.com                2
qi.c...@windriver.com                     2
hongxu@windriver.com                      2
ahmed.hos...@opensynergy.com              1
aeh...@gmail.com                          1
beh...@converseincode.com                 1
martin.ja...@gmail.com                    1
luca.ceres...@bootlin.com                 1
mostthings...@gmail.com                   1
raj.k...@gmail.com                        1
alexandre.bell...@bootlin.com             1
martin.bee...@online.de                   1
nicolas.deche...@linaro.org               1
ola.x.nils...@axis.com                    1
thomas.per...@bootlin.com                 1
shac...@vdoo.com                          1
alejan...@enedino.org                     1
yogesh.ty...@intel.com                    1
open.sou...@oleksandr-kravchuk.com        1
s...@bigsur.com                           1
Grand Total                             213

Thanks,

 

Stephen K. Jolley
Yocto Project Program Manager
Cell: (208) 244-4460
Email: sjolley.yp...@gmail.com


View/Reply Online (#57563): https://lists.yoctoproject.org/g/yocto/message/57563



[yocto] Enhancements/Bugs closed WW29!

2022-07-18 Thread Stephen Jolley
All,

The below were the owners of enhancements or bugs closed during the last
week!


Who                                   Count
randy.macl...@windriver.com               4
ross.bur...@arm.com                       1
Grand Total                               5

Thanks,

 

Stephen K. Jolley
Yocto Project Program Manager
Cell: (208) 244-4460
Email: sjolley.yp...@gmail.com


View/Reply Online (#57564): https://lists.yoctoproject.org/g/yocto/message/57564