> On Jan 20, 2021, at 10:18 AM, Steve Sakoman <st...@sakoman.com> wrote:
>
> On Sun, Jan 17, 2021 at 11:16 AM Robert Joslyn
> <robert.jos...@redrectangle.org> wrote:
>>
>> According to the Intel security advisory [1], these CVEs are mitigated by
>> the following kernel commits:
>>
>> eddb7732119d53400f48a02536a84c509692faa8 Bluetooth: A2MP: Fix not initializing all members
>> f19425641cb2572a33cb074d5e30283720bd4d22 Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel
>> b560a208cda0297fef6ff85bbfd58a8f0a52a543 Bluetooth: MGMT: Fix not checking if BT_HS is enabled
>> a2ec905d1e160a33b2e210e45ad30445ef26ce0e Bluetooth: fix kernel oops in store_pending_adv_report
>>
>> The latest of these commits were backported from 5.10 to the stable kernel
>> tree in the 5.8.16 and 5.4.72 releases. Since the kernels provided by OE-core
>> contain these fixes, mark them as whitelisted.
>
> This seems to be a good candidate for having the cpe database updated.
> Currently it is flagging all versions of bluez and Linux.
>
> I sent a request to have the entry updated. If they accept the
> request then we won't need this patch. If they deny it we can merge
> the patch.
Sounds good, thanks!

Robert

>
> Thanks for doing the research on this one!
>
> Steve
>
>> [1]:
>> https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html?wapkw=CVE-2020-12351
>>
>> Signed-off-by: Robert Joslyn <robert.jos...@redrectangle.org>
>> ---
>> meta/recipes-connectivity/bluez5/bluez5_5.55.bb | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
>> b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
>> index 8190924562..051fdef8ce 100644
>> --- a/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
>> +++ b/meta/recipes-connectivity/bluez5/bluez5_5.55.bb
>> @@ -3,6 +3,8 @@ require bluez5.inc
>> SRC_URI[md5sum] = "94972b8bc7ade60c72b0ffa6ccff2c0a"
>> SRC_URI[sha256sum] =
>> "8863717113c4897e2ad3271fc808ea245319e6fd95eed2e934fae8e0894e9b88"
>>
>> +CVE_CHECK_WHITELIST += "CVE-2020-12351 CVE-2020-12352"
>> +
>> # noinst programs in Makefile.tools that are conditional on READLINE
>> # support
>> NOINST_TOOLS_READLINE ?= " \
>> --
>> 2.26.2
>>
>
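Review bot: the new CVE_CHECK_WHITELIST line carries no in-recipe comment, so the reason the two CVEs are silenced (the fixes are the four kernel commits listed in the commit message, backported in 5.8.16 and 5.4.72, and not anything in bluez itself) survives only in git history. Because the suppression sits in the bluez5 recipe while the mitigation lives in the kernel, a distro that pairs this recipe with an older BSP kernel loses the finding without any signal. Suggest a comment directly above the whitelist line, e.g. `# CVE-2020-12351/12352 are fixed in the kernel (5.4.72 / 5.8.16 and later), not in bluez; see [1]` with the Intel SA URL, so the assumption is visible where the whitelist is set and can be re-checked when the kernel provider changes.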
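The whitelist above rests on an assumption that the thread states but the recipe does not check: that the kernel actually shipped contains the four commits. The script below, an added example that is not OE-core code and not part of this patch, turns that assumption into a check. It takes the commit hashes and the stable release numbers (5.4.72, 5.8.16, 5.10) from the thread; the threshold table, the function names and the git-based lookup are this example's own, and kernel series the thread does not mention (5.9.y, 5.5 to 5.7) are reported as unknown rather than guessed.

```python
"""Decide whether CVE-2020-12351/12352 may be whitelisted for a given kernel.

Added example for the thread above, not OE-core or bluez code. The commit
hashes and the release numbers come from the thread; everything else here
(table, helper names, git lookup) is this example's own construction.
"""
import re
import subprocess

# Mainline fixes quoted in the thread (A2MP, L2CAP sk_filter, MGMT BT_HS,
# store_pending_adv_report).
FIX_COMMITS = [
    "eddb7732119d53400f48a02536a84c509692faa8",
    "f19425641cb2572a33cb074d5e30283720bd4d22",
    "b560a208cda0297fef6ff85bbfd58a8f0a52a543",
    "a2ec905d1e160a33b2e210e45ad30445ef26ce0e",
]

# Earliest stable release per series that the thread says carries the fixes.
# Series absent from this table are "unknown", never "fixed".
STABLE_FIXED_SINCE = {
    (5, 4): 72,
    (5, 8): 16,
}
MAINLINE_FIXED_SINCE = (5, 10)  # the thread says the fixes were backported from 5.10


def parse_version(text):
    """Parse 'MAJOR.MINOR[.PATCH]' (extra suffixes such as '-rc1' are ignored)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable kernel version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def fixed_by_version(version):
    """True/False when the thread's numbers decide it, None when they do not."""
    major, minor, patch = parse_version(version)
    if (major, minor) >= MAINLINE_FIXED_SINCE:
        return True
    since = STABLE_FIXED_SINCE.get((major, minor))
    if since is None:
        return None
    return patch >= since


def fixed_by_git(repo, ref="HEAD"):
    """Ask a kernel git checkout whether every fix is present at `ref`.

    A mainline-based tree has the commit as an ancestor; a stable tree carries
    a cherry-pick with a different hash whose body cites the upstream hash, so
    a fixed-string log search on the hash is accepted as well.
    """
    for commit in FIX_COMMITS:
        ancestor = subprocess.run(
            ["git", "-C", repo, "merge-base", "--is-ancestor", commit, ref],
            capture_output=True)
        if ancestor.returncode == 0:
            continue
        cited = subprocess.run(
            ["git", "-C", repo, "log", "-F", f"--grep={commit}", "--format=%H", "-1", ref],
            capture_output=True, text=True)
        if cited.returncode != 0 or not cited.stdout.strip():
            return False
    return True


def whitelist_line(version, cves=("CVE-2020-12351", "CVE-2020-12352")):
    """Return the recipe line only when the version evidence says the fix is in."""
    verdict = fixed_by_version(version)
    if verdict is True:
        return 'CVE_CHECK_WHITELIST += "%s"' % " ".join(cves)
    if verdict is None:
        raise ValueError(f"kernel {version}: series not covered by the thread; check the tree")
    raise ValueError(f"kernel {version}: predates the stable backport; do not whitelist")


if __name__ == "__main__":
    import sys
    # Usage: python check.py <kernel-version> [path-to-kernel-git-checkout]
    version = sys.argv[1] if len(sys.argv) > 1 else "5.4.72"
    if len(sys.argv) > 2 and not fixed_by_git(sys.argv[2]):
        sys.exit(f"kernel tree {sys.argv[2]} is missing at least one of the fix commits")
    print(whitelist_line(version))
```

Run it against the kernel version the image actually builds (and, where a kernel checkout is at hand, the tree itself) before carrying the whitelist into a layer that does not use the OE-core kernel; a None verdict means the thread's release numbers say nothing about that series and the tree has to be inspected.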
View/Reply Online (#147046): https://lists.openembedded.org/g/openembedded-core/message/147046