[OE-core] [RFC] Mark of upstream CVE patches
Sona Sarmadi
sona.sarmadi at enea.com
Wed Dec 16 09:03:06 UTC 2015
Hi Mariano, all,
See my comments regarding "Bug 8119 - Define a format to mark Upstream CVE patches" below.
> There is an initiative to track vulnerable software being built (see bugs 8119
> and 7515). The idea is to have a testing tool that would check the recipe
> versions against CVEs. In order to accomplish such task there is need to
> reliably mark the patches from upstream that solve CVEs.
>
> There have been two options to mark the patches that solve CVEs:
>
> 1. Have "CVE" and the CVE number as the patch filename.
> Pros:
> Doesn't require a new tag.
> Cons:
> It is not flexible to add more information, for example two CVEs in the same
> patch
> 2. Add a new tag in the patch that has the CVE information.
> Pros:
> It is flexible and can add more information.
> Cons:
> Require a change in the patch metadata.
>
> What I would recommend is to add a new tag in the patch, it must contain the
> CVE ID. With this it would be possible to look for the CVE information easily in
> the testing tool or in NIST, MITRE, or another web page. For example, this
> would be part of the patch for CVE-2013-6435, currently in OE-Core:
>
> -- snip --
>
> Upstream-Status: Backport
> CVE: CVE-2013-6435
>
> Reference:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
>
> -- snip --
>
> The expected output of this discussion is a standard format for CVE patches
> that most, if not all, of community members agree on.
>
> Please let me know your comments.
We are supposed to have a reference to the CVE identifier both in the patch file(s)
and the commit message (e.g. xxx-CVE-2013-6435.patch) according to the guidelines
for "Patch name convention and commit message" in the Yocto
Wiki https://wiki.yoctoproject.org/wiki/Security.
If a patch addresses multiple CVEs, perhaps we should name the patch:
Fix-for-multiple-CVEs.patch and list all CVEs in the patch file.
Will this not solve the problem? Do you think there is still a need for a new tag "CVE"?
Adding a Red Hat reference is ok for me along with MITRE & NVD or other useful
& reliable references.
I have updated Yocto security wiki. Please feel free to update the page if you have
some improvement or send your text/suggestion to me or Michael and we will help you.
Thanks
//Sona
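The thread discusses two ways a checking tool could learn which CVEs a patch fixes: the ID in the filename, or a `CVE:` tag in the patch header. The scanner below is an added example written for this page, not code from OE-core or from either poster. It reads only the free-text header of a patch (everything before the first diff marker), so a `CVE:` line that merely appears inside a ChangeLog hunk is not credited; it accepts several IDs on one tag line, which is the case the filename convention cannot express; and it falls back to the filename when no tag is present. The sample patches are constructed inline; CVE-2013-6435 is the ID the thread uses, while CVE-2015-9998 and CVE-2015-9999 are placeholders and not real advisories.

```python
import re

# A CVE identifier: CVE-YYYY-NNNN, with four or more digits in the sequence part.
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# The proposed tag line, e.g. "CVE: CVE-2013-6435"; several IDs may share one line.
CVE_TAG_RE = re.compile(r"^CVE:\s*(.+)$", re.MULTILINE)
# Where the free-text header ends and the diff proper begins (git, quilt or svn style).
DIFF_START_RE = re.compile(r"^(?:diff --git |Index: |--- |---$)", re.MULTILINE)


def patch_header(patch_text):
    """Everything before the first diff marker: the part that carries the tags."""
    m = DIFF_START_RE.search(patch_text)
    return patch_text if m is None else patch_text[:m.start()]


def unique(ids):
    """Keep first-seen order while dropping repeats."""
    seen = []
    for cve in ids:
        if cve not in seen:
            seen.append(cve)
    return seen


def cves_from_tag(patch_text):
    """IDs named on 'CVE:' tag lines of the header (option 2 of the proposal)."""
    ids = []
    for m in CVE_TAG_RE.finditer(patch_header(patch_text)):
        ids.extend(CVE_ID_RE.findall(m.group(1)))
    return unique(ids)


def cves_from_filename(filename):
    """IDs embedded in the patch filename (option 1 of the proposal)."""
    return unique(CVE_ID_RE.findall(filename))


def patch_cves(filename, patch_text):
    """IDs a checking tool would credit to a patch: the tag wins, the filename is the fallback."""
    return cves_from_tag(patch_text) or cves_from_filename(filename)


# Constructed sample patches (not real OE-core files). CVE-2013-6435 is the ID the
# thread discusses; CVE-2015-9998 and CVE-2015-9999 are placeholders, not real advisories.
SAMPLE_PATCHES = {
    # Tagged as proposed; the filename also carries the ID.
    "0001-CVE-2013-6435-fix.patch": """\
From: Example Author <author at example.invalid>
Subject: [PATCH] fix unsafe path handling

Upstream-Status: Backport
CVE: CVE-2013-6435

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
---
 lib/foo.c | 2 +-
--- a/lib/foo.c
+++ b/lib/foo.c
@@ -1 +1 @@
-old
+new
""",
    # One patch, two CVEs on one tag line; a filename alone could not express this.
    "Fix-for-multiple-CVEs.patch": """\
Upstream-Status: Backport
CVE: CVE-2015-9998 CVE-2015-9999
--- a/lib/bar.c
+++ b/lib/bar.c
@@ -1 +1 @@
-old
+new
""",
    # No tag at all: the filename is the only source.
    "rpm-CVE-2013-6435.patch": """\
Upstream-Status: Backport
--- a/lib/baz.c
+++ b/lib/baz.c
@@ -1 +1 @@
-old
+new
""",
    # A "CVE:" line that only appears inside the diff (a ChangeLog hunk) must not count.
    "0004-update-changelog.patch": """\
Upstream-Status: Backport
--- a/ChangeLog
+++ b/ChangeLog
@@ -1 +1,2 @@
+CVE: CVE-2013-6435
 old entry
""",
}


def scan(patches=SAMPLE_PATCHES):
    """Map each patch filename to the CVE IDs it is credited with."""
    return {name: patch_cves(name, text) for name, text in patches.items()}


if __name__ == "__main__":
    for name, ids in scan().items():
        print(name, ids)
```

Restricting the tag search to the header is the check a practitioner will want: a backported upstream commit often touches a NEWS or ChangeLog file that mentions other CVE IDs, and crediting those to the patch would make the recipe look fixed for vulnerabilities it does not address.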