[yocto] cve-checker tool

Sona Sarmadi sona.sarmadi at enea.com
Tue Dec 6 06:41:41 PST 2016


Another question:

We don't have recipes for libcurl, I guess both curl and libcurl CVEs are patched in the curl recipes, right?
I think curl uses libcurl, and libcurl is built when building curl. 

Those CVEs which are listed in the nvd.xml file under "cpe:/a:haxx:libcurl" are not detected or reported by the cve-check tool.

//Sona 

-----Original Message-----
From: Sona Sarmadi 
Sent: den 6 december 2016 15:28
To: Mariano Lopez <mariano.lopez at linux.intel.com>; mariano.lopez at intel.com; yocto at yoctoproject.org
Subject: RE: [yocto] cve-checker tool

Hi Mariano, all,

> If there is a version affected by a CVE it will look for a patch that 
> solves that particular CVE using the the metadata in the patch format.
> For example, the current bind version is affected by CVE-2016-1285, 
> but there is patch for that, so the cve-check class will find this and 
> will generate a log file saying the vulnerability has been addressed.

It seems that this tool does not detect all CVEs, e.g. bind has some CVE patches but it is not reported. I tried all the options below and nothing is reported (no cve.log file):
bitbake -c cve_check bind
bitbake -k -c cve_check universe
bitbake -k -c cve_check world

There are some CVEs in bind (reported in the nvd.xml file for our version, cpe:/a:isc:bind:9.10.3) but the cve-check tool does not report them, e.g. CVE-2016-2776. Do you know why?


CVEs are reported for the following packages using e.g. "bitbake -k -c cve_check universe" or "bitbake -c cve_check perl":

tmp/work/i586-poky-linux/perl/5.22.1-r0/cve/cve.log
tmp/work/i586-poky-linux/foomatic-filters/4.0.17-r1/cve/cve.log
tmp/work/i586-poky-linux/flex/2.6.0-r0/cve/cve.log
tmp/work/i586-poky-linux/glibc/2.24-r0/cve/cve.log
tmp/work/i586-poky-linux/unzip/1_6.0-r5/cve/cve.log
tmp/work/i586-poky-linux/expat/2.2.0-r0/cve/cve.log
tmp/work/i586-poky-linux/gnutls/3.5.3-r0/cve/cve.log
tmp/work/i586-poky-linux/glibc-initial/2.24-r0/cve/cve.log
tmp/work/i586-poky-linux/libxml2/2.9.4-r0/cve/cve.log
tmp/work/i586-poky-linux/bzip2/1.0.6-r5/cve/cve.log

We have more recipes which have CVE patches but they are not reported. 
I have analyzed these; some of these CVEs are still marked as reserved on Mitre and are not present in the nvd.xml files, although they are public (e.g. Busybox:
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2147).

I don't understand why, for instance, bind CVEs are not detected and reported by the cve-check tool.
Is it because of cpe:/a:isc:bind? Does it look for isc?

morty/poky/meta$ find . -name '*CVE-201*.patch'
./recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch

./recipes-connectivity/bind/bind/CVE-2016-2776.patch ?
./recipes-connectivity/bind/bind/CVE-2016-1286_2.patch
./recipes-connectivity/bind/bind/CVE-2016-1285.patch
./recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
./recipes-connectivity/bind/bind/CVE-2016-2088.patch
./recipes-connectivity/bind/bind/CVE-2016-2775.patch

./recipes-extended/unzip/unzip/CVE-2015-7696.patch
./recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch
./recipes-extended/unzip/unzip/CVE-2015-7697.patch
./recipes-extended/xinetd/xinetd/xinetd-CVE-2013-4342.patch
./recipes-extended/cpio/cpio-2.12/0001-Fix-CVE-2015-1197.patch
./recipes-extended/cracklib/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch
./recipes-extended/bzip2/bzip2-1.0.6/CVE-2016-3189.patch
./recipes-extended/grep/grep-2.5.1a/grep-CVE-2012-5667.patch
./recipes-extended/foomatic/foomatic-filters-4.0.17/CVE-2015-8327.patch
./recipes-extended/foomatic/foomatic-filters-4.0.17/CVE-2015-8560.patch
./recipes-multimedia/libtiff/files/CVE-2016-3945.patch
./recipes-multimedia/libtiff/files/CVE-2016-3623.patch
./recipes-multimedia/libtiff/files/CVE-2016-5323.patch
./recipes-multimedia/libtiff/files/CVE-2016-5321.patch
./recipes-multimedia/libtiff/files/CVE-2016-3991.patch
./recipes-multimedia/libtiff/files/CVE-2016-3622.patch
./recipes-multimedia/libtiff/files/CVE-2015-8781.patch
./recipes-multimedia/libtiff/files/CVE-2015-8784.patch
./recipes-multimedia/libtiff/files/CVE-2016-3186.patch
./recipes-multimedia/libtiff/files/CVE-2016-3990.patch
./recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
./recipes-core/systemd/systemd/CVE-2016-7795.patch
./recipes-core/busybox/busybox/CVE-2016-2147_2.patch  <<< Reserved on Mitre: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2147
./recipes-core/busybox/busybox/CVE-2016-2147.patch
./recipes-core/busybox/busybox/CVE-2016-2148.patch <<< https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2148
./recipes-devtools/elfutils/elfutils-0.148/elf_begin.c-CVE-2014-9447-fix.patch
./recipes-devtools/python/python3/CVE-2016-5636.patch
./recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch
./recipes-devtools/python/python/CVE-2016-5636.patch
./recipes-devtools/python/python/python-fix-CVE-2016-1000110.patch
./recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch
./recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch
./recipes-devtools/perl/perl/perl-fix-CVE-2015-8607.patch
./recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch
./recipes-devtools/perl/perl/perl-fix-CVE-2016-1238.patch
./recipes-devtools/perl/perl/perl-fix-CVE-2016-6185.patch
./recipes-devtools/gcc/gcc-6.2/CVE-2016-4490.patch
./recipes-devtools/flex/flex/CVE-2016-6354.patch
./recipes-bsp/grub/files/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch
./recipes-support/nettle/nettle-2.7.1/CVE-2015-8804.patch
./recipes-support/nettle/nettle-2.7.1/CVE-2015-8803_8805.patch
./recipes-support/gnutls/gnutls/CVE-2016-7444.patch
./recipes-support/boost/boost/boost-CVE-2012-2677.patch
./recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch
./recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
./recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch
./recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch

Thanks
//Sona
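To make the two questions in this thread concrete (why a recipe whose CVEs are filed under a different CPE product name, such as libcurl for the curl recipe, produces no report, and how a patch is credited for a CVE), here is an added example of the matching logic as a small model. It is constructed for this page and is not the code of cve-check.bbclass or of any Yocto layer. Assumptions, marked in the comments: the product list defaults to the recipe name when no CVE_PRODUCT-style override is given, a feed entry matches only on an exact product and version string (real feeds carry version ranges), a patch is credited for a CVE when the id appears in its filename or on a "CVE:" header line, the feed contents are constructed, and "CVE-0000-0001" is a placeholder id, not a real CVE.

```python
"""Model of how a Yocto-style CVE checker decides which of a recipe's CVEs
are addressed. Constructed example; not code from cve-check.bbclass."""
import re
from dataclasses import dataclass, field

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed NVD-style feed keyed by (vendor, product, version), i.e. the
# pieces of a "cpe:/a:vendor:product:version" entry.  The bind ids are the
# ones discussed in the thread; "CVE-0000-0001" is a placeholder, not a CVE.
FEED = {
    ("isc", "bind", "9.10.3"): {"CVE-2016-1285", "CVE-2016-1286",
                                "CVE-2016-2775", "CVE-2016-2776"},
    ("haxx", "libcurl", "7.50.1"): {"CVE-0000-0001"},
}


@dataclass
class Recipe:
    bpn: str                 # base recipe name, e.g. "bind"
    version: str             # recipe version (PV)
    patches: dict            # patch filename -> patch text (constructed)
    cve_product: list = field(default_factory=list)  # CVE_PRODUCT-style override

    def products(self):
        # Assumption: with no override, the only product name looked up is
        # the recipe name itself, so "curl" never matches "libcurl" entries.
        return self.cve_product or [self.bpn]


def cves_in_patch(filename, text):
    """CVE ids credited to one patch: from its filename and 'CVE:' header lines."""
    found = set(CVE_RE.findall(filename))
    for line in text.splitlines():
        if line.startswith("CVE:"):
            found.update(CVE_RE.findall(line))
    return found


def feed_cves_for(recipe, feed):
    """Every CVE the feed lists for any of the recipe's product names at PV.
    Assumption: exact version string match (real feeds use ranges)."""
    hits = set()
    for (_vendor, product, version), ids in feed.items():
        if product in recipe.products() and version == recipe.version:
            hits |= ids
    return hits


def check_recipe(recipe, feed):
    """Classify the recipe's CVEs the way a cve.log would need to."""
    patched = set()
    for name, text in recipe.patches.items():
        patched |= cves_in_patch(name, text)
    affected = feed_cves_for(recipe, feed)
    return {
        "matched": bool(affected),          # did any feed entry match at all?
        "patched": affected & patched,      # listed in feed and carried as a patch
        "unpatched": affected - patched,    # listed in feed, no patch: needs action
        "not_in_feed": patched - affected,  # patch present, feed silent (e.g. reserved)
    }


# Constructed recipes.  Patch names follow the thread's find output; the
# patch texts and the curl/busybox versions are made up for the example.
BIND = Recipe("bind", "9.10.3", {
    "CVE-2016-1285.patch": "CVE: CVE-2016-1285\n",
    "CVE-2016-1286_1.patch": "CVE: CVE-2016-1286\n",
    "CVE-2016-1286_2.patch": "CVE: CVE-2016-1286\n",
    "CVE-2016-2776.patch": "",                       # id only in the filename
    "0001-resolver-fix.patch": "CVE: CVE-2016-2775\n",  # id only in the header
})
CURL_DEFAULT = Recipe("curl", "7.50.1", {})
CURL_MAPPED = Recipe("curl", "7.50.1", {}, cve_product=["curl", "libcurl"])
BUSYBOX = Recipe("busybox", "1.24.1", {
    "CVE-2016-2147.patch": "", "CVE-2016-2147_2.patch": "", "CVE-2016-2148.patch": "",
})

if __name__ == "__main__":
    for recipe in (BIND, CURL_DEFAULT, CURL_MAPPED, BUSYBOX):
        print(recipe.bpn, recipe.products(), check_recipe(recipe, FEED))
```

Running the model shows three distinct outcomes. bind matches the feed and every listed id is covered by a patch, so the right output is a log saying the CVEs are addressed, not silence. curl with the default product list matches nothing, so the libcurl CVE is not reported as unpatched; only a product list that also names libcurl surfaces it, which is the check worth adding when the recipe name and the CPE product name differ. busybox shows the reserved-id case: the patches are found, but with no feed entry there is nothing to compare them against.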
