On Thu, 29 Jun 2017, Richard Purdie wrote:

> On Wed, 2017-06-28 at 13:38 -0400, Scott Murray wrote:
> > On Mon, 19 Jun 2017, Richard Purdie wrote:
> > >
> > > I suspect this has been missed by some people so I want to spell it
> > > out. We have our first CVE in OE-Core itself.
> > >
> > > The issue is limited to binary ipks potentially exposing sensitive
> > > information through the "Source:" field, which contained the full
> > > SRC_URI. Those URLs could potentially contain sensitive information
> > > about servers and credentials.
> > >
> > > After discussion, I ended up changing the field to contain the recipe
> > > filename (no path). There was talk of filtering the URLs; however, if
> > > you try, it becomes clear that sensitive elements can remain and no
> > > solution is likely 100% effective. The other package backends don't do
> > > this at all, so this brings ipk more into line with them. Simply
> > > clearing the field doesn't work with the current opkg-utils. It can be
> > > changed, but the change becomes more invasive.
> > >
> > > This fix has been merged to master.
> > >
> > > I also did take the decision to backport this change back to
> > > pyro/morty/krogoth too. I appreciate this can cause some disruption to
> > > people who rely on SRC_URI being in the Source: field; however, I
> > > couldn't see any other realistic way forward.
> >
> > I noticed that this wasn't CC'ed to the yocto-security mailing list.
> > Was that just an oversight, or should that mailing list be considered
> > defunct at this point?
>
> Sorry, it was an oversight...
Okay, good to know. IMO it might be worthwhile to post it there even if it's a bit late, just to set a precedent of that list providing such information, but it's your call.

Cheers,

Scott

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
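The thread above argues that filtering SRC_URI before writing it into the ipk "Source:" field cannot be made reliable, and that the fix is to write the recipe filename instead. The Python below is an added illustration of that argument, not code from OE-Core, opkg-utils or the thread's authors: it applies the obvious best-effort redaction (strip URL userinfo, drop query parameters whose names look secret-bearing), shows which constructed secrets survive it (a token embedded in a path segment, an internal hostname), shows the post-fix field value, and includes a small helper for auditing the "Source:" line of an existing ipk control file. Every URL, hostname, token and recipe path is constructed for the example.

```python
"""Added example (not OE-Core code): why redacting SRC_URI is best-effort,
and what the agreed fix (recipe filename in Source:) looks like.
All URLs, hostnames, tokens and recipe names are constructed."""
import os
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names that commonly carry secrets in fetch URLs.
# This is an assumption for the example, deliberately incomplete.
SENSITIVE_QUERY_KEYS = re.compile(r"(token|key|secret|passw|auth|sig)", re.I)


def redact_src_uri(src_uri):
    """Best-effort redaction of a SRC_URI value: drop userinfo and suspicious
    query parameters from each URL. BitBake-style ';name=value' fetcher
    options after the URL are preserved untouched."""
    out = []
    for entry in src_uri.split():
        url, _, opts = entry.partition(";")
        parts = urlsplit(url)
        host = parts.hostname or ""          # userinfo (user:pass@) is discarded
        if parts.port:
            host += ":%d" % parts.port
        query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                 if not SENSITIVE_QUERY_KEYS.search(k)]
        clean = urlunsplit((parts.scheme, host, parts.path, urlencode(query), parts.fragment))
        out.append(clean + (";" + opts if opts else ""))
    return " ".join(out)


def find_leaks(text, secrets):
    """Return the known secret strings that are still present in text."""
    return [s for s in secrets if s in text]


def source_field_for_recipe(recipe_path):
    """What the fix writes into the ipk 'Source:' field: the recipe file
    name with no directory component."""
    return os.path.basename(recipe_path)


def source_from_control(control_text):
    """Extract the 'Source:' value from an ipk control file (the text of
    'control' inside control.tar.gz). Useful for auditing packages built
    before the fix. Returns None if the field is absent."""
    for line in control_text.splitlines():
        if line.startswith("Source:"):
            return line[len("Source:"):].strip()
    return None


def source_looks_like_url(source_value):
    """True if a Source: value still carries fetch URLs rather than a bare
    recipe filename, i.e. it may expose servers or credentials."""
    return bool(source_value) and "://" in source_value


def demo():
    """Constructed SRC_URI holding four kinds of sensitive material: a
    password in userinfo, a token in a path segment, internal hostnames,
    and a token in a query parameter. Returns what survives redaction."""
    src_uri = (
        "https://build:Hunter2@mirror.internal.example.com/dist/foo-1.0.tar.gz "
        "https://ci.internal.example.com/job/42/artifact/8f3c0d-deploy/foo.patch "
        "git://gitlab.internal.example.com/foo/bar.git;protocol=https;branch=master "
        "https://api.example.com/download?id=7&private_token=glpat-abc123"
    )
    secrets = ["Hunter2", "glpat-abc123", "8f3c0d-deploy", "internal.example.com"]
    return find_leaks(redact_src_uri(src_uri), secrets)


if __name__ == "__main__":
    print("still leaked after redaction:", demo())
    print("post-fix Source: field:",
          source_field_for_recipe("/srv/layers/meta-foo/recipes-x/foo/foo_1.0.bb"))
```

The redaction removes the userinfo password and the `private_token` query parameter, but it has no way to know that a path segment is a deploy token or that a hostname is internal, which is the "sensitive elements can remain" point in the thread. `source_from_control` plus `source_looks_like_url` is the check a practitioner would run over a feed of ipks built on an unpatched pyro/morty/krogoth tree before publishing it.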