[OE-core] [Openembedded-architecture] OE-Core/Yocto Project's first CVE (CVE-2017-9731)
Scott Murray
scott.murray at konsulko.com
Fri Jun 30 20:17:55 UTC 2017
On Thu, 29 Jun 2017, Richard Purdie wrote:
> On Wed, 2017-06-28 at 13:38 -0400, Scott Murray wrote:
> > On Mon, 19 Jun 2017, Richard Purdie wrote:
> >
> > >
> > > I suspect this has been missed by some people so I want to spell it
> > > out. We have our first CVE in OE-Core itself.
> > >
> > > The issue is limited to binary ipks potentially exposing sensitive
> > > information through the "Source:" field which contained the full
> > > SRC_URI. Those urls could potentially contain sensitive information
> > > about servers and credentials.
> > >
> > > After discussion, I ended up changing the field to contain the
> > > recipe
> > > filename (no path). There was talk of filtering the urls however if
> > > you
> > > try, it becomes clear that sensitive elements can remain and no
> > > solution is likely 100% effective. The other package backends don't
> > > do
> > > this at all so this brings ipk more into line with them. Simply
> > > clearing the field doesn't work with the current opkg-utils. It can
> > > be
> > > changed but the change becomes more invasive.
> > >
> > > This fix has been merged to master.
> > >
> > > I also did take the decision to backport this change back to
> > > pyro/morty/krogoth too. I appreciate this can cause some disruption
> > > to
> > > people who rely on SRC_URI being in the Source: field however I
> > > couldn't see any other realistic way forward.
> >
> > I noticed that this wasn't CC'ed to the yocto-security mailing list.
> > Was that just an oversight, or should that mailing list be considered
> > defunct at this point?
>
> Sorry, it was oversight...
Okay, good to know. IMO it might be worthwhile to post it there even if
it's a bit late, just to set a precedent of that list providing such
information, but it's your call.
Cheers,
Scott
More information about the Openembedded-core
mailing list