
linux/generate-cve-exclusions: fix mishandling of boundary values

affected_versions in kernel_cves.json does not mean "first affected version
to last affected version" but actually "first affected version to fixed
version". Therefore, the variable names, conditional expressions, and
CVE_STATUS descriptions should be fixed.

For example, when the script was run against v6.1, if affected_versions was
"xxx to 6.1", the output was "cpe-stable-backport: Backported in 6.1", but
this should be "fixed-version: Fixed from version 6.1".

(From OE-Core rev: 2064b2f9b92e2dff45dab633598b5ed37145d0b6)

Signed-off-by: Yuta Hayama <hayama@lineo.co.jp>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Yuta Hayama
2023-09-05 16:29:06 +09:00
committed by Richard Purdie
parent 7cf595a49b
commit 3b9c48837f
@@ -62,17 +62,17 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version"
continue
affected = data["affected_versions"]
first_affected, last_affected = re.search(r"(.+) to (.+)", affected).groups()
first_affected, fixed = re.search(r"(.+) to (.+)", affected).groups()
first_affected = parse_version(first_affected)
last_affected = parse_version(last_affected)
fixed = parse_version(fixed)
if not last_affected:
if not fixed:
print(f"# {cve} has no known resolution")
elif first_affected and version < first_affected:
print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"')
elif last_affected < version:
elif fixed <= version:
print(
f'CVE_STATUS[{cve}] = "fixed-version: Fixed after version {last_affected}"'
f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed}"'
)
else:
if cve in stream_data:
@@ -87,9 +87,9 @@ do_cve_check[prefuncs] += "check_kernel_cve_status_version"
# TODO print a note that the kernel needs bumping
print(f"# {cve} needs backporting (fixed from {backport_ver})")
else:
print(f"# {cve} needs backporting (fixed from {last_affected})")
print(f"# {cve} needs backporting (fixed from {fixed})")
else:
print(f"# {cve} needs backporting (fixed from {last_affected})")
print(f"# {cve} needs backporting (fixed from {fixed})")
print()
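Review bot: The rewritten line `first_affected, fixed = re.search(r"(.+) to (.+)", affected).groups()` in the first hunk still calls `.groups()` on the raw `re.search` result, so an `affected_versions` entry in kernel_cves.json that does not contain " to " raises AttributeError and aborts the whole run instead of flagging the one bad record; since this loop already uses `continue` for skipped entries, the same pattern fits here: `match = re.search(r"(.+) to (.+)", affected)` / `if not match: print(f"# {cve} has an unparseable affected_versions: {affected}"); continue` / `first_affected, fixed = match.groups()`. The commit's semantic correction would also be worth recording next to that line so the next reader does not reintroduce the old "last affected" reading, e.g. `# affected_versions is "<first affected> to <fixed>": the upper bound is the fixing release, not the last vulnerable one, hence fixed <= version below`. The enclosing function starts before the first hunk and the second hunk only renames the same variable in the backport messages, so no separate point applies there.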