On 06/12/16 08:41, Sona Sarmadi wrote:
> Another question:
>
> We don't have recipes for libcurl, I guess both curl and libcurl CVEs are
> patched in the curl recipes, right?
> I think curl uses libcurl, and libcurl is built when building curl.
>
> Those CVEs which are listed in the nvd.xml file under "cpe:/a:haxx:libcurl:
> are not detected and reported by cve-check tool.

In the case of libcurl, it is built using the curl recipe, and currently the
cve-check class will look for BPN, so it won't check against libcurl. Can you
open a bug for this?

> [snip]
> It seems that this tool does not detect all CVEs, e.g. bind has some CVE
> patches but it is not reported. I tried all options below, nothing is reported
> (no cve.log file):
> bitbake -c cve_check bind
> bitbake -k -c cve_check universe
> bitbake -k -c cve_check world
>
> There are some CVEs in bind (reported in nvd.xml file for our version
> cpe:/a:isc:bind:9.10.3"/> ) but cve-check-tool does not report them, e.g.
> (CVE-2016-2776). Do you know why?
>
>
> CVEs are reported for the following packages using e.g. "bitbake -k -c
> cve_check universe"
> or "bitbake -c cve_check perl"
>
> tmp/work/i586-poky-linux/perl/5.22.1-r0/cve/cve.log
> tmp/work/i586-poky-linux/foomatic-filters/4.0.17-r1/cve/cve.log
> tmp/work/i586-poky-linux/flex/2.6.0-r0/cve/cve.log
> tmp/work/i586-poky-linux/glibc/2.24-r0/cve/cve.log
> tmp/work/i586-poky-linux/unzip/1_6.0-r5/cve/cve.log
> tmp/work/i586-poky-linux/expat/2.2.0-r0/cve/cve.log
> tmp/work/i586-poky-linux/gnutls/3.5.3-r0/cve/cve.log
> tmp/work/i586-poky-linux/glibc-initial/2.24-r0/cve/cve.log
> tmp/work/i586-poky-linux/libxml2/2.9.4-r0/cve/cve.log
> tmp/work/i586-poky-linux/bzip2/1.0.6-r5/cve/cve.log
>
> We have more recipes which have CVE patches but they are not reported.
> I have analyzed these; some of these CVEs are still marked as reserved on
> Mitre and are not present in the nvd.xml files (although they are public
> (e.g. Busybox:
> https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2147)).

cve-check-tool will only check against the database that it gets from the
nvd.xml files, and these files won't have information for not yet fully
disclosed CVEs, so that is why you will find these cases frequently in OE
recipes (Armin does a great job with CVEs).

>
> I don't understand why for instance bind CVEs are not detected and reported
> by cve-check tool?
> Is it because of cpe:/a:isc:bind? It looks for isc?

I need to check on this; unfortunately my proxies decided not to download the
database. I'll get back to you as soon as I can investigate more.

>
> morty/poky/meta$ find . -name '*CVE-201*.patch'
> ./recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch
>
> ./recipes-connectivity/bind/bind/CVE-2016-2776.patch ?
> ./recipes-connectivity/bind/bind/CVE-2016-1286_2.patch
> ./recipes-connectivity/bind/bind/CVE-2016-1285.patch
> ./recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
> ./recipes-connectivity/bind/bind/CVE-2016-2088.patch
> ./recipes-connectivity/bind/bind/CVE-2016-2775.patch
>
> ./recipes-extended/unzip/unzip/CVE-2015-7696.patch
> ./recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch
> ./recipes-extended/unzip/unzip/CVE-2015-7697.patch
> ./recipes-extended/xinetd/xinetd/xinetd-CVE-2013-4342.patch
> ./recipes-extended/cpio/cpio-2.12/0001-Fix-CVE-2015-1197.patch
> ./recipes-extended/cracklib/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch
> ./recipes-extended/bzip2/bzip2-1.0.6/CVE-2016-3189.patch
> ./recipes-extended/grep/grep-2.5.1a/grep-CVE-2012-5667.patch
> ./recipes-extended/foomatic/foomatic-filters-4.0.17/CVE-2015-8327.patch
> ./recipes-extended/foomatic/foomatic-filters-4.0.17/CVE-2015-8560.patch
> ./recipes-multimedia/libtiff/files/CVE-2016-3945.patch
> ./recipes-multimedia/libtiff/files/CVE-2016-3623.patch
> ./recipes-multimedia/libtiff/files/CVE-2016-5323.patch
> ./recipes-multimedia/libtiff/files/CVE-2016-5321.patch
> ./recipes-multimedia/libtiff/files/CVE-2016-3991.patch
> ./recipes-multimedia/libtiff/files/CVE-2016-3622.patch
> ./recipes-multimedia/libtiff/files/CVE-2015-8781.patch
> ./recipes-multimedia/libtiff/files/CVE-2015-8784.patch
> ./recipes-multimedia/libtiff/files/CVE-2016-3186.patch
> ./recipes-multimedia/libtiff/files/CVE-2016-3990.patch
> ./recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
> ./recipes-core/systemd/systemd/CVE-2016-7795.patch
> ./recipes-core/busybox/busybox/CVE-2016-2147_2.patch <<< Reserved on Mitre:
> https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2147
> ./recipes-core/busybox/busybox/CVE-2016-2147.patch
> ./recipes-core/busybox/busybox/CVE-2016-2148.patch <<<
> https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2148
> ./recipes-devtools/elfutils/elfutils-0.148/elf_begin.c-CVE-2014-9447-fix.patch
> ./recipes-devtools/python/python3/CVE-2016-5636.patch
> ./recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch
> ./recipes-devtools/python/python/CVE-2016-5636.patch
> ./recipes-devtools/python/python/python-fix-CVE-2016-1000110.patch
> ./recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch
> ./recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch
> ./recipes-devtools/perl/perl/perl-fix-CVE-2015-8607.patch
> ./recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch
> ./recipes-devtools/perl/perl/perl-fix-CVE-2016-1238.patch
> ./recipes-devtools/perl/perl/perl-fix-CVE-2016-6185.patch
> ./recipes-devtools/gcc/gcc-6.2/CVE-2016-4490.patch
> ./recipes-devtools/flex/flex/CVE-2016-6354.patch
> ./recipes-bsp/grub/files/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch
> ./recipes-support/nettle/nettle-2.7.1/CVE-2015-8804.patch
> ./recipes-support/nettle/nettle-2.7.1/CVE-2015-8803_8805.patch
> ./recipes-support/gnutls/gnutls/CVE-2016-7444.patch
> ./recipes-support/boost/boost/boost-CVE-2012-2677.patch
> ./recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch
> ./recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
> ./recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch
> ./recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch
>
> Thanks
> //Sona
>
>
>
>
>
>

--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
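Added example, not code from this thread, from the Yocto cve-check class or from cve-check-tool: a small Python matcher over a constructed feed that reproduces the two causes the reply gives for "patched but not reported" CVEs. Matching NVD entries on the recipe's BPN alone finds nothing for libcurl (filed under cpe:/a:haxx:libcurl but built by the curl recipe), while matching on a list of product names does; a CVE that is still RESERVED at MITRE (CVE-2016-2147 in the thread) simply never appears in the feed, so no matcher can report it. It also extracts CVE IDs from patch file names like those in the `find` output and diffs them against what was reported. Assumptions: the feed is a simplified (cve_id, cpe) list rather than the real nvd.xml schema, CVE-0000-0000 is a placeholder identifier so the fake feed has a libcurl entry, the libcurl version 7.47.0 is invented for the example, and `extra_products` is a hypothetical parameter, not a cve-check variable.

```python
"""Added example for the cve-check discussion above. Not from the Yocto
cve-check class or cve-check-tool; the feed layout is a constructed
(cve_id, cpe) list, not the real nvd.xml schema."""

import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed stand-in for what cve-check-tool loads from nvd.xml.
# CVE-0000-0000 is a placeholder identifier, not a real CVE; it exists only
# so the fake feed has an entry filed against haxx:libcurl. The libcurl
# version 7.47.0 is an assumption made for this example.
FAKE_NVD_FEED: List[Tuple[str, str]] = [
    ("CVE-2016-2776", "cpe:/a:isc:bind:9.10.3"),
    ("CVE-0000-0000", "cpe:/a:haxx:libcurl:7.47.0"),
]
# CVE-2016-2147 (busybox) is RESERVED at MITRE in the thread, so it is
# public but absent from nvd.xml: deliberately not present above.

CPE_RE = re.compile(
    r"^cpe:/a:(?P<vendor>[^:]+):(?P<product>[^:]+):(?P<version>[^:]*)")


def parse_cpe(cpe: str) -> Dict[str, str]:
    """Split a CPE 2.2 URI like cpe:/a:isc:bind:9.10.3 into vendor/product/version."""
    m = CPE_RE.match(cpe)
    if not m:
        raise ValueError(f"unsupported CPE: {cpe}")
    return m.groupdict()


def match_feed(feed: Iterable[Tuple[str, str]], products: Iterable[str],
               version: Optional[str] = None) -> Set[str]:
    """CVE IDs whose CPE product is one of `products` (and whose version
    equals `version` when one is given; None ignores the version field)."""
    wanted = set(products)
    hits: Set[str] = set()
    for cve_id, cpe in feed:
        p = parse_cpe(cpe)
        if p["product"] in wanted and (version is None or p["version"] == version):
            hits.add(cve_id)
    return hits


def cves_by_bpn(feed, bpn: str, pv: Optional[str] = None) -> Set[str]:
    """What the reply describes: the class only looks for the recipe's BPN."""
    return match_feed(feed, [bpn], pv)


def cves_by_product_list(feed, bpn: str, pv: Optional[str] = None,
                         extra_products: Iterable[str] = ()) -> Set[str]:
    """Hypothetical fix: also match extra product names the recipe ships
    (curl -> libcurl). `extra_products` is an assumed parameter here, not
    a cve-check variable."""
    return match_feed(feed, [bpn, *extra_products], pv)


PATCH_CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def cves_in_patch_names(paths: Iterable[str]) -> Set[str]:
    """Collect CVE IDs from patch names as in the `find` output. A name such
    as CVE-2015-8665_8683.patch yields only the first ID; the shorthand
    second one is not expanded."""
    ids: Set[str] = set()
    for path in paths:
        ids.update(PATCH_CVE_RE.findall(path))
    return ids


def unreported_patched_cves(patch_paths: Iterable[str],
                            reported: Set[str]) -> Set[str]:
    """Patched CVEs that appeared in no cve.log: the gap the thread asks about."""
    return cves_in_patch_names(patch_paths) - reported


if __name__ == "__main__":
    # Paths copied from the thread's `find` output; the set of reported
    # CVEs is constructed for the example.
    patches = [
        "./recipes-connectivity/bind/bind/CVE-2016-2776.patch",
        "./recipes-core/busybox/busybox/CVE-2016-2147_2.patch",
        "./recipes-core/busybox/busybox/CVE-2016-2147.patch",
    ]
    print("curl by BPN only:      ", cves_by_bpn(FAKE_NVD_FEED, "curl", "7.47.0"))
    print("curl + libcurl product:",
          cves_by_product_list(FAKE_NVD_FEED, "curl", "7.47.0", ["libcurl"]))
    print("busybox (RESERVED CVE):", cves_by_bpn(FAKE_NVD_FEED, "busybox"))
    print("patched but unreported:",
          unreported_patched_cves(patches, {"CVE-2016-2776"}))
```

The bind entry is kept as a positive control: with the version in the thread's CPE (9.10.3) it matches on BPN in this simplified matcher, so the libcurl and RESERVED cases above do not explain the bind result; the reply leaves that one open.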