[OE-core] [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)

Mark Hatle mark.hatle at windriver.com
Mon Jun 19 14:06:04 UTC 2017


On 6/19/17 5:38 AM, Richard Purdie wrote:
> I suspect this has been missed by some people so I want to spell it
> out. We have our first CVE in OE-Core itself.
> 
> The issue is limited to binary ipks potentially exposing sensitive
> information through the "Source:" field, which contained the full
> SRC_URI. Those URLs could potentially contain sensitive information
> about servers and credentials.

Does any of the 'archiver' output include copies/versions of the full SRC_URI?
Same with the license management parts... (I don't think either does), but these
would be the places I'd think the SRC_URI might also be.

--Mark

> After discussion, I ended up changing the field to contain the recipe
> filename (no path). There was talk of filtering the URLs; however, if you
> try, it becomes clear that sensitive elements can remain and no
> solution is likely 100% effective. The other package backends don't do
> this at all, so this brings ipk more into line with them. Simply
> clearing the field doesn't work with the current opkg-utils. It can be
> changed, but the change becomes more invasive.
> 
> This fix has been merged to master.
> 
> I also did take the decision to backport this change back to
> pyro/morty/krogoth too. I appreciate this can cause some disruption to
> people who rely on SRC_URI being in the Source: field however I
> couldn't see any other realistic way forward.
> 
> Cheers,
> 
> Richard
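For anyone auditing already-built feeds for the leak Richard describes, here is an added example (not OE-Core or opkg-utils code) that parses an ipk "control" file and flags Source: entries still carrying a full SRC_URI with credentials in the userinfo, a secret-looking query key, or a secret-looking `;key=value` SRC_URI option. The keyword list and both sample control blocks are constructed for the illustration; the post-fix sample shows the bare recipe filename passing cleanly.

```python
"""Audit an ipk 'control' file whose Source: field still carries a full SRC_URI."""
from urllib.parse import urlsplit, parse_qsl

# Query-string and SRC_URI-option keys treated as secret-bearing (constructed list).
SECRET_KEYS = {"token", "password", "passwd", "pswd", "key", "secret", "auth"}

def parse_control(text):
    """Parse opkg/Debian control fields, joining indented continuation lines."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key is not None:
            fields[key] += " " + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            fields[key] = value.strip()
    return fields

def audit_source(control_text):
    """Return (url, reason) pairs for every Source: URL that exposes a secret."""
    findings = []
    for entry in parse_control(control_text).get("Source", "").split():
        if "://" not in entry:
            continue  # the fixed form is a bare recipe filename, not a URL
        url, *options = entry.split(";")  # SRC_URI options follow the URL after ';'
        parts = urlsplit(url)
        if parts.username or parts.password:
            findings.append((url, "credentials in URL userinfo"))
        for k, _ in parse_qsl(parts.query, keep_blank_values=True):
            if k.lower() in SECRET_KEYS:
                findings.append((url, f"secret-looking query key '{k}'"))
        for opt in options:
            k = opt.partition("=")[0]
            if k.lower() in SECRET_KEYS:
                findings.append((url, f"secret-looking SRC_URI option '{k}'"))
    return findings

# Constructed samples: a pre-fix control block carrying the full SRC_URI, and the
# post-fix form in which Source: is only the recipe filename.
LEAKY_CONTROL = """\
Package: example-daemon
Version: 1.0-r0
Source: git://build:s3cret@scm.internal.example/example.git;protocol=ssh;branch=master
 https://files.example.org/patches/fix.patch?token=abc123
 file://0001-local.patch
"""
FIXED_CONTROL = "Package: example-daemon\nVersion: 1.0-r0\nSource: example-daemon_1.0.bb\n"
if __name__ == "__main__":
    for url, reason in audit_source(LEAKY_CONTROL):
        print(f"LEAK {url}: {reason}")
    print("post-fix findings:", audit_source(FIXED_CONTROL))
```

To run this against a real feed, extract `control.tar.gz` from each .ipk (an ar archive) and pass the `control` member's text to `audit_source`.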