[oe] OpenEmbedded and known security issues

Holger Hans Peter Freyther holger+oe at freyther.de
Sat Jan 23 07:27:49 UTC 2010


Hi all,

the topic was brought up in another thread. Some of the software we are 
shipping as default is vulnerable to known security issues. It would take a 
full time position to subscribe to vendor security lists and make sure we are 
doing every security update as well. One example of currently vulnerable 
software in our repository is "libtool 2.2.6a" as it will dlopen a library 
from the $CWD... :)

Here is my proposal and it would be great to have some assistance. I'm using 
FreeBSD, and with FreeBSD there is a huge ports tree (just like with the OE 
recipes), and since about 2003 there is this nice utility called portaudit..


1.) It offers to fetch a database from the FreeBSD servers. It is called 
"auditfile.tbz". The content of the file is quite simple, it has the 
projectname, the range of vulnerable versions, a link to the FreeBSD issue 
ticket, and the kind of vulnerability.

2.) The second mode of the script is to compare installed versions with the 
list of known vulnerabilities...


Now here comes the idea... Hack OE or bitbake to compare the PN to the PN of 
the database and the PV to the PV of known vulnerabilities.. and then mention 
a problem while parsing and then quit.


Known problems:
	- Sometimes our PN and their PN might not match so we need a different
	  mapping somewhere in OE
	- The same might apply for the PV, especially with our -rX. So imagine 2.2.6a
	  of libtool is vulnerable, and we apply the fix to it, we will still 
	  call it 2.2.6a... so we might need a second mapping in OE to claim 
	  where we have fixed known vulnerabilities..

so what do you guys think about the approach? Does someone care to hack this 
up? Would there be interest to sponsor a day or two for developing this?


regards
	holger
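The check proposed in the mail, as an added example that is not OE, bitbake or portaudit code: a small Python script compares a recipe's PN and PV against an audit-file-style list of vulnerable version ranges, with the two mappings the mail asks for (PN aliases, and issues already patched in OE while the upstream PV stays the same). The record format, the database entries and the ticket ids are constructed placeholders, not the real auditfile format.

```python
"""Check an OE recipe's PN/PV against a portaudit-style vulnerability list.

Added example, not OE/bitbake or portaudit code. The record format is a
constructed simplification: one record per line, `name<fixed_version|ticket|kind`,
meaning every version of `name` below `fixed_version` is affected.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample database; ticket ids are placeholders, not real tickets.
AUDIT_DB = """\
libtool<2.2.6b|TICKET-PLACEHOLDER-1|dlopen of a library from $CWD
openssl<0.9.8l|TICKET-PLACEHOLDER-2|constructed example entry
"""

# First mapping from the mail: recipes whose PN differs from the database name.
PN_MAP: Dict[str, str] = {"libtool-native": "libtool", "libtool-cross": "libtool"}


def version_key(v: str) -> List[Tuple[int, object]]:
    """Split '2.2.6a' into comparable tokens: numbers as ints, letters as text."""
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"\d+|[A-Za-z]+", v)]


def parse_db(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (name, fixed_version, ticket, kind) tuples from the audit text."""
    records = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            spec, ticket, kind = line.split("|", 2)
            name, fixed_ver = spec.split("<", 1)
            records.append((name, fixed_ver, ticket, kind))
    return records


def check_recipe(pn: str, pv: str, db: str = AUDIT_DB,
                 fixed_in_oe: Dict[Tuple[str, str], Set[str]] = None) -> List[Tuple[str, str]]:
    """Return (ticket, kind) for each known issue that still affects the recipe.

    The OE -rX revision is stripped because the database only knows upstream
    versions. `fixed_in_oe` is the second mapping from the mail: tickets already
    patched in OE for a (PN, PV) that still carries the vulnerable upstream PV.
    """
    name = PN_MAP.get(pn, pn)
    upstream_pv = re.sub(r"-r\d+$", "", pv)
    fixed = (fixed_in_oe or {}).get((pn, upstream_pv), set())
    return [(ticket, kind) for db_name, fixed_ver, ticket, kind in parse_db(db)
            if db_name == name and ticket not in fixed
            and version_key(upstream_pv) < version_key(fixed_ver)]
```

A bitbake hook would call `check_recipe(d.getVar("PN"), d.getVar("PV"))` at parse time and abort on a non-empty result; the version ordering here is a deliberate simplification and would need the real upstream versioning rules for production use.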