On Sun, Jan 17, 2021 at 11:16 AM Robert Joslyn
<robert.jos...@redrectangle.org> wrote:
>
> According to the Intel security advisory [1], these CVEs are mitigated by
> the following kernel commits:
>
> eddb7732119d53400f48a02536a84c509692faa8 Bluetooth: A2MP: Fix not initializing all members
> f19425641cb2572a33cb074d5e30283720bd4d22 Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel
> b560a208cda0297fef6ff85bbfd58a8f0a52a543 Bluetooth: MGMT: Fix not checking if BT_HS is enabled
> a2ec905d1e160a33b2e210e45ad30445ef26ce0e Bluetooth: fix kernel oops in store_pending_adv_report
>
> The latest of these commits were backported from 5.10 to the stable kernel
> tree in the 5.8.16 and 5.4.72 releases. Since the kernels provided by OE-core
> contain these fixes, mark them as whitelisted.

This seems to be a good candidate for having the CPE database updated.
Currently it is flagging all versions of bluez and Linux.

I sent a request to have the entry updated.  If they accept the
request then we won't need this patch.  If they deny it we can merge
the patch.

Thanks for doing the research on this one!

Steve

> [1]: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html?wapkw=CVE-2020-12351
>
> Signed-off-by: Robert Joslyn <robert.jos...@redrectangle.org>
> ---
>  meta/recipes-connectivity/bluez5/bluez5_5.55.bb | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb 
> b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
> index 8190924562..051fdef8ce 100644
> --- a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
> +++ b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
> @@ -3,6 +3,8 @@ require bluez5.inc
>  SRC_URI[md5sum] = "94972b8bc7ade60c72b0ffa6ccff2c0a"
>  SRC_URI[sha256sum] = 
> "8863717113c4897e2ad3271fc808ea245319e6fd95eed2e934fae8e0894e9b88"
>
> +CVE_CHECK_WHITELIST += "CVE-2020-12351 CVE-2020-12352"
> +
>  # noinst programs in Makefile.tools that are conditional on READLINE
>  # support
>  NOINST_TOOLS_READLINE ?= " \
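
Review bot: the added `CVE_CHECK_WHITELIST += "CVE-2020-12351 CVE-2020-12352"` line, placed right after the `SRC_URI[sha256sum]` entry, carries no comment explaining why these CVEs are ignored. The justification (the fixes are the kernel commits listed in the commit message, not changes to bluez itself) lives only in the commit log, so someone reading the recipe later cannot tell whether the entry is still valid. Suggest a short comment above the line stating that both CVEs are fixed in the kernel as of the 5.8.16 and 5.4.72 stable releases, with the advisory link. The comment should also say that the entry is unconditional: a build that pairs this recipe with a kernel older than those releases would have the CVEs suppressed without carrying the fixes.
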
> --
> 2.26.2