[OE-core] [RFC] Mark of upstream CVE patches
Philip Balister
philip at balister.org
Tue Dec 15 16:30:06 UTC 2015
I also suggest copying the
https://lists.yoctoproject.org/listinfo/yocto-security
list.
Philip
On 12/15/2015 11:03 AM, Mariano Lopez wrote:
> There is an initiative to track vulnerable software being built (see
> bugs 8119 and 7515). The idea is to have a testing tool that would check
> the recipe versions against CVEs. In order to accomplish such a task there
> is a need to reliably mark the patches from upstream that solve CVEs.
>
> There have been two options to mark the patches that solve CVEs:
>
> 1. Have "CVE" and the CVE number as the patch filename.
> Pros:
> Doesn't require a new tag.
> Cons:
> It is not flexible to add more information, for example two CVEs in
> the same patch
>
> 2. Add a new tag in the patch that has the CVE information.
> Pros:
> It is flexible and can add more information.
> Cons:
> Requires a change in the patch metadata.
>
> What I would recommend is to add a new tag in the patch, it must contain
> the CVE ID. With this it would be possible to look for the CVE
> information easily in the testing tool or in NIST, MITRE, or another web
> page. For example, this would be part of the patch for CVE-2013-6435,
> currently in OE-Core:
>
> -- snip --
>
> Upstream-Status: Backport
> CVE: CVE-2013-6435
>
> Reference:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
>
> -- snip --
>
> The expected output of this discussion is a standard format for CVE
> patches that most, if not all, community members agree on.
>
> Please let me know your comments.
>
> Cheers,
>
> Mariano Lopez
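An added example (not part of the thread and not an OE-Core tool) of how a checking tool could extract CVE IDs under both conventions discussed above: IDs in the patch file name, and IDs on a `CVE:` tag line in the patch header, with several IDs per tag allowed and tags that carry no parseable ID flagged. The sample patches and the CVE-2099-* identifiers are constructed placeholders; CVE-2013-6435 is the ID quoted in the thread.

```python
from __future__ import annotations
import re

# A CVE identifier: "CVE-" + 4-digit year + a sequence of 4 or more digits.
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
# Lines that start the diff body; everything before them is patch metadata.
BODY_START = re.compile(r"^(diff --git|--- |Index: )", re.MULTILINE)

def header(text: str) -> str:
    """Return only the metadata part of a patch, so CVE strings in hunks are ignored."""
    m = BODY_START.search(text)
    return text[: m.start()] if m else text

def cves_from_tag(text: str) -> set[str]:
    """Option 2 from the RFC: IDs listed on 'CVE:' tag lines in the header."""
    ids: set[str] = set()
    for line in header(text).splitlines():
        if line.lower().startswith("cve:"):
            ids.update(i.upper() for i in CVE_ID.findall(line[4:]))
    return ids

def cves_from_filename(name: str) -> set[str]:
    """Option 1 from the RFC: IDs embedded in the patch file name."""
    return {i.upper() for i in CVE_ID.findall(name)}

def check_patch(name: str, text: str) -> dict:
    """Combine both conventions and flag 'CVE:' tags that carry no parseable ID."""
    bad_tags = [l for l in header(text).splitlines()
                if l.lower().startswith("cve:") and not CVE_ID.search(l)]
    return {"cves": sorted(cves_from_tag(text) | cves_from_filename(name)),
            "bad_tags": bad_tags}

def audit(patches: dict[str, str]) -> dict[str, dict]:
    """Run check_patch over a mapping of patch file name -> patch content."""
    return {name: check_patch(name, text) for name, text in patches.items()}

# Constructed sample patches (not real OE-Core patches); CVE-2099-* are placeholders.
SAMPLES = {
    "fix-overflow.patch": "Upstream-Status: Backport\nCVE: CVE-2013-6435\n\n"
        "Reference:\nhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435\n"
        "---\n--- a/x.c\n+++ b/x.c\n@@ -1 +1 @@\n-/* CVE-2099-9999 in a hunk */\n+ok\n",
    "CVE-2099-0001-CVE-2099-0002.patch": "Upstream-Status: Backport\n---\n--- a/y.c\n",
    "bad-tag.patch": "CVE: 2013-6435\n---\n--- a/z.c\n",   # tag present, ID malformed
    "untagged.patch": "Upstream-Status: Backport\n---\n--- a/w.c\n",
}

if __name__ == "__main__":
    for name, result in audit(SAMPLES).items():
        print(name, result)
```

Patches whose result has an empty `cves` list and no `bad_tags` are the ones a tool cannot map to any CVE, which is the gap the RFC's marking convention is meant to close.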