cve-extra-exclusions: ignore inapplicable linux-yocto CVEs

Multiple CVEs are patched in kernel but appear as active because the NVD database is not up to date. In common file cve-extra-exclusion.inc, CVEs are ignored if and only if all versions of kernel used are patched. In cve-exclusion_6.1.inc, only ignore CVEs that are patched in v6.1, and not patched in v5.15. Recipes of version 6.1 should include this file. Reviewed-by: Yoann Congal <yoann.congal@smile.fr> (From OE-Core rev: 5feb065f1b1aaf218f71cc9d31a9251b139b9442) Signed-off-by: Geoffrey GIRY <geoffrey.giry@smile.fr> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-06-03 01:40:07 +00:00 · 2023-04-05 12:34:54 +02:00
parent 0e5bdb623b
commit b8bfd3b01b
5 changed files with 74 additions and 3 deletions
@@ -0,0 +1,15 @@
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3523
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v6.1 16ce101db85db694a91380aa4c89b25530871d33
+CVE_CHECK_IGNORE += "CVE-2022-3523"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3566
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v6.1 f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57
+CVE_CHECK_IGNORE += "CVE-2022-3566"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3567
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v6.1 364f997b5cfe1db0d63a390fe7c801fa2b3115f6
+CVE_CHECK_IGNORE += "CVE-2022-3567"
+
@@ -2,6 +2,9 @@ KBRANCH ?= "v6.1/standard/preempt-rt/base"

 require recipes-kernel/linux/linux-yocto.inc

+# CVE exclusions
+include recipes-kernel/linux/cve-exclusion_6.1.inc
+
 # Skip processing of this recipe if it is not explicitly specified as the
 # PREFERRED_PROVIDER for virtual/kernel. This avoids errors when trying
 # to build multiple virtual/kernel providers, e.g. as dependency of
@@ -5,6 +5,9 @@ KCONFIG_MODE = "--allnoconfig"

 require recipes-kernel/linux/linux-yocto.inc

+# CVE exclusions
+include recipes-kernel/linux/cve-exclusion_6.1.inc
+
 LINUX_VERSION ?= "6.1.20"
 LIC_FILES_CHKSUM = "file://COPYING;md5=6bc538ed5bd9a7fc9398086aedcd7e46"

@@ -2,6 +2,9 @@ KBRANCH ?= "v6.1/standard/base"

 require recipes-kernel/linux/linux-yocto.inc

+# CVE exclusions
+include recipes-kernel/linux/cve-exclusion_6.1.inc
+
 # board specific branches
 KBRANCH:qemuarm  ?= "v6.1/standard/arm-versatile-926ejs"
 KBRANCH:qemuarm64 ?= "v6.1/standard/qemuarm64"