[Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)

Richard Purdie richard.purdie at linuxfoundation.org
Mon Jun 19 10:38:58 UTC 2017

I suspect this has been missed by some people so I want to spell it
out. We have our first CVE in OE-Core itself.

The issue is limited to binary ipks potentially exposing sensitive
information through the "Source:" field which contained the full
SRC_URI. Those urls could potentially contain sensitive information
about servers and credentials.

After discussion, I ended up changing the field to contain the recipe
filename (no path). There was talk of filtering the urls however if you
try, it becomes clear that sensitive elements can remain and no
solution is likely 100% effective. The other package backends don't do
this at all so this brings ipk more into line with them. Simply
clearing the field doesn't work with the current opkg-utils. It can be
changed but the change becomes more invasive.

This fix has been merged to master.

I also did take the decision to backport this change back to
pyro/morty/krogoth too. I appreciate this can cause some disruption to
people who rely on SRC_URI being in the Source: field however I
couldn't see any other realistic way forward.



More information about the Openembedded-architecture mailing list