Richard,

This regression is fixed by 
https://lists.openembedded.org/g/openembedded-core/message/209573

Peter

> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-
> c...@lists.openembedded.org> On Behalf Of Richard Purdie via
> lists.openembedded.org
> Sent: Sunday, January 12, 2025 13:18
> To: colinmca...@gmail.com; openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] [PATCH v2 1/1] cve-check: Rework patch parsing
> 
> On Mon, 2024-12-30 at 19:22 +0000, Colin McAllister via lists.openembedded.org
> wrote:
> > The cve_check functionality to parse CVE IDs from the patch filename and
> > patch contents have been reworked to improve parsing and also utilize
> > tests. This ensures that the parsing works as intended.
> >
> > Additionally, the new patched_cves dict has a few issues I tried to fix
> > as well. If multiple patch files exist for a single CVE ID, only the
> > last one will show up with the "resource" key. The value for the
> > "resource" key has been updated to hold a list and return all patch
> > files associated with a given CVE ID. Also, at the end of
> > get_patch_cves, CVE_STATUS can overwrite an existing entry in the dict.
> > This could cause an issue, for example, if a CVE has been addressed via
> > a patch, but a CVE_STATUS line also exists that ignores the given CVE
> > ID. A warning has been added if this ever happens.
> >
> > Signed-off-by: Colin McAllister <colinmca...@gmail.com>
> > ---
> >
> > I noticed that there are some patches, especially in older versions of
> > Yocto, where the "CVE: " tag was used with multiple CVE IDs in different
> > formats, like "CVE-YYYY-XXXX & CVE-YYYY-XXXX" or
> > "CVE-YYYY-XXXX, CVE-YYYY-XXXX". Currently, only space-delimited CVE
> > IDs will be parsed, but documentation doesn't indicate that is the only
> > supported format. I figured it'd be nice to update the code to be able
> > to support multiple formats, that way this patch could be backported to
> > fix those patches. I also wanted to add unit tests to ensure the patch
> > parsing behavior is preserved.
> >
> > I'd also like to update the patch filename parsing to parse multiple CVE
> > IDs from the filename, but based on the comments, it seems like there
> > was a reason why only the last CVE ID is extracted from the filename.
> > I'd be happy to submit a V2 patch or an additional patch to update the
> > function if that sounds good for the maintainers.
> 
> I think this resulted in a few issues. The weekly CVE report gained 32
> new entries this week and many of them are clearly patched.
> 
> New this week: 32 CVEs
> CVE-2014-8139 (CVSS3: 7.8 HIGH): unzip:unzip-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8139 *
> CVE-2014-8140 (CVSS3: 7.8 HIGH): unzip:unzip-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8140 *
> CVE-2014-8141 (CVSS3: 7.8 HIGH): unzip:unzip-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8141 *
> CVE-2014-9636 (CVSS3: N/A): unzip:unzip-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9636 *
> CVE-2014-9913 (CVSS3: 4.0 MEDIUM): unzip:unzip-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9913 *
> CVE-2015-7696 (CVSS3: N/A): unzip:unzip-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7696 *
> CVE-2015-7697 (CVSS3: N/A): unzip:unzip-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7697 *
> CVE-2016-9844 (CVSS3: 4.0 MEDIUM): unzip:unzip-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9844 *
> CVE-2018-1000035 (CVSS3: 7.8 HIGH): unzip:unzip-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000035 *
> CVE-2018-1000156 (CVSS3: 7.8 HIGH): patch:patch-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000156 *
> CVE-2018-10195 (CVSS3: 7.1 HIGH): lrzsz
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10195 *
> CVE-2018-18384 (CVSS3: 5.5 MEDIUM): unzip:unzip-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-18384 *
> CVE-2018-20969 (CVSS3: 7.8 HIGH): patch:patch-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20969 *
> CVE-2018-6951 (CVSS3: 7.5 HIGH): patch:patch-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6951 *
> CVE-2018-6952 (CVSS3: 7.5 HIGH): patch:patch-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6952 *
> CVE-2019-13232 (CVSS3: 3.3 LOW): unzip:unzip-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13232 *
> CVE-2019-13636 (CVSS3: 5.9 MEDIUM): patch:patch-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13636 *
> CVE-2019-13638 (CVSS3: 7.8 HIGH): patch:patch-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-13638 *
> CVE-2019-20633 (CVSS3: 5.5 MEDIUM): patch:patch-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20633 *
> CVE-2020-27748 (CVSS3: 6.5 MEDIUM): xdg-utils
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27748 *
> CVE-2021-3468 (CVSS3: 5.5 MEDIUM): avahi
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3468 *
> CVE-2021-4217 (CVSS3: 3.3 LOW): unzip:unzip-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4217 *
> CVE-2022-0529 (CVSS3: 5.5 MEDIUM): unzip:unzip-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0529 *
> CVE-2022-0530 (CVSS3: 5.5 MEDIUM): unzip:unzip-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0530 *
> CVE-2022-33065 (CVSS3: 7.8 HIGH): libsndfile1
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-33065 *
> CVE-2022-4055 (CVSS3: 7.4 HIGH): xdg-utils
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4055 *
> CVE-2023-38469 (CVSS3: 5.5 MEDIUM): avahi
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38469 *
> CVE-2023-38470 (CVSS3: 5.5 MEDIUM): avahi
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38470 *
> CVE-2023-38471 (CVSS3: 5.5 MEDIUM): avahi
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38471 *
> CVE-2023-38472 (CVSS3: 5.5 MEDIUM): avahi
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38472 *
> CVE-2023-38473 (CVSS3: 5.5 MEDIUM): avahi
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-38473 *
> CVE-2024-50612 (CVSS3: 5.5 MEDIUM): libsndfile1
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-50612 *
> 
> meta/recipes-extended/unzip/unzip has:
> 
> 0001-unzip-fix-CVE-2018-1000035.patch
> 09-cve-2014-8139-crc-overflow.patch
> 10-cve-2014-8140-test-compr-eb.patch
> 11-cve-2014-8141-getzip64data.patch
> 18-cve-2014-9913-unzip-buffer-overflow.patch
> 19-cve-2016-9844-zipinfo-buffer-overflow.patch
> cve-2014-9636.patch
> CVE-2015-7696.patch
> CVE-2015-7697.patch
> CVE-2018-18384.patch
> CVE-2019-13232_p1.patch
> CVE-2019-13232_p2.patch
> CVE-2019-13232_p3.patch
> CVE-2021-4217.patch
> CVE-2022-0529.patch
> CVE-2022-0530.patch
> 
> which cover some of the above.
> 
> Cheers,
> 
> Richard
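As an added illustration of the parsing behaviour Colin describes (example code written for this page, not cve-check.bbclass and not the fix Peter links above): it reads CVE IDs case-insensitively from patch filenames like the unzip ones Richard lists (including `_p1`-style suffixes), accepts space-, comma- and `&`-separated IDs on `CVE:` lines, keeps every patch file under a CVE's "resource" list, and warns instead of letting a CVE_STATUS entry overwrite a patch-derived entry. `SAMPLE_PATCHES` and their contents are constructed; the `warn` callback is a hypothetical hook for testing.

```python
import re
import warnings

# Added example, not the cve-check.bbclass code: matches a CVE ID anywhere in a
# string, case-insensitively, so "09-cve-2014-8139-crc-overflow.patch" and
# "CVE-2019-13232_p1.patch" are both recognised.
CVE_RE = re.compile(r"cve-(\d{4})-(\d{4,})", re.IGNORECASE)
TAG_RE = re.compile(r"^\s*CVE:\s*(.*)$")

def cves_from_filename(filename):
    """Return every CVE ID in a patch filename, normalised to upper case."""
    return [f"CVE-{y}-{n}" for y, n in CVE_RE.findall(filename)]

def cves_from_patch_text(text):
    """Return CVE IDs from 'CVE:' tag lines; space, comma and '&' separators all work."""
    found = []
    for line in text.splitlines():
        m = TAG_RE.match(line)
        if m:
            found.extend(f"CVE-{y}-{n}" for y, n in CVE_RE.findall(m.group(1)))
    return found

def collect_patched_cves(patches, cve_status=None, warn=warnings.warn):
    """Build {cve: {"abbrev-status": str, "resource": [patch, ...]}} from
    (filename, contents) pairs. Every patch for a CVE is kept in "resource",
    and a CVE_STATUS entry never overwrites a patch-derived entry: it warns."""
    patched = {}
    for filename, text in patches:
        ids = cves_from_filename(filename) + cves_from_patch_text(text)
        for cve in dict.fromkeys(ids):  # de-duplicate, keep order
            entry = patched.setdefault(cve, {"abbrev-status": "Patched", "resource": []})
            entry["resource"].append(filename)
    for cve, status in (cve_status or {}).items():
        if cve in patched:
            warn(f"{cve}: CVE_STATUS '{status}' ignored, already patched by "
                 f"{patched[cve]['resource']}")
            continue
        patched[cve] = {"abbrev-status": status, "resource": []}
    return patched

# Constructed sample input modelled on the unzip patch names quoted above.
SAMPLE_PATCHES = [
    ("09-cve-2014-8139-crc-overflow.patch", "Fix CRC overflow in extract.c\n"),
    ("CVE-2019-13232_p1.patch", "CVE: CVE-2019-13232\n"),
    ("CVE-2019-13232_p2.patch", "CVE: CVE-2019-13232\n"),
    ("unzip-backport.patch", "CVE: CVE-2022-0529 & CVE-2022-0530\n"
                             "CVE: CVE-2021-4217, CVE-2018-18384\n"),
]
```

Running `collect_patched_cves(SAMPLE_PATCHES, {"CVE-2019-13232": "Ignored"})` yields one entry per CVE with both `_p1` and `_p2` files listed for CVE-2019-13232, plus a warning about the conflicting CVE_STATUS.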
View/Reply Online (#209680): 
https://lists.openembedded.org/g/openembedded-core/message/209680