[OE-core] [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)

Richard Purdie richard.purdie at linuxfoundation.org
Thu Jun 22 09:21:44 UTC 2017


On Tue, 2017-06-20 at 08:27 -0500, Sean Hudson wrote:
> On 2017-06-20 04:30 AM, Paul Eggleton wrote:
> > 
> > On Monday, 19 June 2017 5:31:10 PM CEST Sean Hudson wrote:
> > > 
> > > On 2017-06-19 09:05 AM, Mark Hatle wrote:
> > > > 
> > > > It would be reasonable to write up a 'best practices' type
> > > > document. Explaining that simply due to the nature of building,
> > > > many of these things will be 'leaked' and where some of them are
> > > > leaked through. (Package generation, compilation, etc for instance.)
> > > That sounds reasonable, although, TBH, if someone is adding
> > > credentials to their SRC_URIs, I would expect that a best practice
> > > would be ignored. Perhaps adding a detection routine that emitted a
> > > warning during parsing for credentials in the SRC_URI might be
> > > warranted? Thoughts?
> > This might be useful, yes. I think the stumbling block is that at the
> > moment we would have to have it off by default and then the user is
> > almost certainly not going to know to turn it on. Perhaps this is
> > another thing that we might check in a "production" vs. "development"
> > mode where the user can easily switch to the former to enable a set of
> > more stringent checks.
> I'm not sure I follow.  What would prevent us from turning on a warning
> that detected credentials in a SRC_URI by default?  Even with Richard's
> change to prevent the information from propagating into the .ipk, it
> seems useful to notify the user.  Personally, I'd like to know if one of
> the recipes I'm using has such information in it regardless of whether
> I'm generating a development or a production image.

We can certainly do this, it's technically not an issue. My worry is
that it gives a false feeling of security, since you can easily expose
hostnames or other information as well as credentials. Where do we
stop?

We could go as far as to stop bitbake supporting usernames/passwords in
URLs. There are some use cases where that is useful though...

Cheers,

Richard
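As an added example, not code from this thread or from BitBake/OE-Core, here is a standalone version of the parse-time check Sean proposes above: it flags SRC_URI entries whose URL carries user:password@ credentials and redacts the password before the warning quotes the URL, so the warning itself does not leak it. The sample SRC_URI value is constructed, and wiring the check into recipe parsing (e.g. via bb.warn) is assumed, not shown.

```python
# Added example, not from the thread or from BitBake/OE-Core. It does not
# cover Richard's wider point about hostnames and other non-credential data.
from urllib.parse import urlsplit, urlunsplit

# Constructed recipe value; BitBake SRC_URI entries are whitespace-separated
# and may carry ";key=value" options after the URL itself.
SAMPLE_SRC_URI = (
    "https://build:s3cret@files.example.com/app-1.0.tar.gz;name=tarball "
    "git://git.example.com/repo.git;protocol=https "
    "ssh://deploy@git.example.com/tools.git "
    "file://0001-fix.patch"
)

def redact_userinfo(url):
    """Return url with any password replaced so a warning can quote it safely."""
    p = urlsplit(url)
    if p.password is None:
        return url
    host = p.hostname or ""
    if p.port is not None:
        host += ":%d" % p.port
    netloc = "%s:***@%s" % (p.username, host)
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))

def find_src_uri_credentials(src_uri):
    """Scan a SRC_URI string; return (url_for_display, reason) per entry
    that embeds credentials. A bare username (ssh://deploy@host) is
    reported too, since it still identifies an account."""
    findings = []
    for entry in src_uri.split():
        url = entry.split(";", 1)[0]        # drop ;key=value options
        parts = urlsplit(url)
        if parts.scheme in ("", "file"):    # local files carry no userinfo
            continue
        if parts.password is not None:
            findings.append((redact_userinfo(url), "password embedded in URL"))
        elif parts.username is not None:
            findings.append((url, "username embedded in URL"))
    return findings

def warn_on_credentials(src_uri):
    """Print one warning per finding and return the lines. In BitBake the
    lines would go through bb.warn() during recipe parsing (assumed)."""
    lines = ["SRC_URI entry %s: %s" % (url, why)
             for url, why in find_src_uri_credentials(src_uri)]
    for line in lines:
        print("WARNING: " + line)
    return lines
```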