On 06/19/2017 06:38 AM, Richard Purdie wrote:
> I suspect this has been missed by some people so I want to spell it
> out. We have our first CVE in OE-Core itself.
>
> The issue is limited to binary ipks potentially exposing sensitive
> information through the "Source:" field which contained the full
> SRC_URI. Those urls could potentially contain sensitive information
> about servers and credentials.
So the issue is leaking credentials, not build system paths? I mention this because we do leak build system paths into images in other places.

Philip

> After discussion, I ended up changing the field to contain the recipe
> filename (no path). There was talk of filtering the urls however if you
> try, it becomes clear that sensitive elements can remain and no
> solution is likely 100% effective. The other package backends don't do
> this at all so this brings ipk more into line with them. Simply
> clearing the field doesn't work with the current opkg-utils. It can be
> changed but the change becomes more invasive.
>
> This fix has been merged to master.
>
> I also did take the decision to backport this change back to
> pyro/morty/krogoth too. I appreciate this can cause some disruption to
> people who rely on SRC_URI being in the Source: field however I
> couldn't see any other realistic way forward.
>
> Cheers,
>
> Richard
> _______________________________________________
> Openembedded-architecture mailing list
> openembedded-architect...@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-architecture

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
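An added audit check, not from this thread nor from OE-Core or opkg-utils: it reads the control file out of an ipk (an ar archive holding control.tar.gz) and flags Source: entries whose URL carries userinfo, which is the leak Richard describes, so feeds built before the fix can be scanned. The minimal ipk builder and both control files are constructed fixtures; the host and credentials in them are made up.

```python
import io
import tarfile
from urllib.parse import urlsplit

AR_MAGIC = b"!<arch>\n"  # ipk files are 'ar' archives, like .deb

def ar_members(blob):
    """Minimal reader for the 'ar' container format: yields (name, data)."""
    assert blob.startswith(AR_MAGIC), "not an ar archive"
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):          # each member has a 60-byte header
        hdr = blob[pos:pos + 60]
        name = hdr[0:16].decode().rstrip(" /")
        size = int(hdr[48:58].decode())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)     # member data is 2-byte aligned

def control_fields(ipk_blob):
    """Extract the 'control' file from control.tar.* and parse its fields."""
    for name, data in ar_members(ipk_blob):
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
                ctl = next(m for m in tf.getmembers() if m.name.endswith("control"))
                text = tf.extractfile(ctl).read().decode()
            return dict(ln.split(": ", 1) for ln in text.splitlines() if ": " in ln)
    raise ValueError("no control.tar member in ipk")

def leaked_credentials(fields):
    """Source: entries whose URL carries userinfo (user or user:password)."""
    hits = []
    for token in fields.get("Source", "").split():
        url = urlsplit(token)
        if url.scheme and url.username:   # a bare recipe file name has no scheme
            hits.append(token)
    return hits

def make_ipk(control_text):
    """Constructed fixture: build a minimal ipk around the given control file."""
    def member(name, data):
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{0o100644:<8o}{len(data):<10}`\n".encode()
        return hdr + data + (b"\n" if len(data) % 2 else b"")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo("./control")
        info.size = len(control_text.encode())
        tf.addfile(info, io.BytesIO(control_text.encode()))
    return AR_MAGIC + member("debian-binary", b"2.0\n") + member("control.tar.gz", buf.getvalue())
# Constructed control files: one from a pre-fix build (full SRC_URI), one post-fix.
LEAKY_CONTROL = "Package: foo\nVersion: 1.0\nSource: https://builder:s3cret@scm.example.internal/foo.git;branch=main file://fix.patch\n"
FIXED_CONTROL = "Package: foo\nVersion: 1.0\nSource: foo_1.0.bb\n"
```

Running `leaked_credentials(control_fields(open(path, "rb").read()))` over every ipk in a feed lists the packages whose metadata still needs rebuilding with a fixed release.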