Thank you, Marta! Here's what I sent to NIST:
CVE-2022-3515 appears to erroneously be listed as an unpatched vulnerability in Yocto, a collection of tools to build Linux distributions. There is an upstream configuration where gnupg (2.3.7) uses libksba (1.6.4). The vulnerability was fixed in Libksba 1.6.2 (and carries the patch in 1.6.4). Libksba correctly shows a "patched" status, but the CPEs (cpe:2.3:a:gnupg:gnupg) also match against GnuPG. Removing the two CPEs in configuration 4 would resolve the issue.

________________________________
From: Marta Rybczynska <[email protected]>
Sent: Tuesday, June 18, 2024 7:48 AM
To: Clayton Casciato <[email protected]>
Cc: [email protected]; [email protected]; [email protected]
Subject: Re: [OE-core] gnupg CVE-2022-3515 #kirkstone

On Fri, Jun 14, 2024 at 12:51 AM Clayton Casciato via lists.openembedded.org <[email protected]> wrote:

> Hello!
>
> "OE-core CVE metrics for kirkstone on Sun 09 Jun 2024 02:00:01 AM HST" reports CVE-2022-3515 (https://nvd.nist.gov/vuln/detail/CVE-2022-3515) as "unpatched", as do local builds with "cve-check". NIST lists GnuPG as vulnerable from 2.3.0 to 2.4.0, which is why this is reported as a CVE.
>
> This vulnerability was fixed in Libksba 1.6.2 (upstream issue: https://dev.gnupg.org/T6230, upstream patch: https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b).
>
> meta/recipes-support/gnupg/gnupg_2.3.7.bb (https://git.openembedded.org/openembedded-core/tree/meta/recipes-support/gnupg/gnupg_2.3.7.bb?h=kirkstone) DEPENDS libksba
> meta/recipes-support/libksba/libksba_1.6.4.bb (https://git.openembedded.org/openembedded-core/tree/meta/recipes-support/libksba/libksba_1.6.4.bb?h=kirkstone)
>
> I manually verified the upstream patch exists in the fetched libksba-1.6.4.tar.bz2.
>
> $ sed -n '185,190p' libksba-1.6.4/src/ber-help.c
>
> Should this CVE be added to meta/conf/distro/include/cve-extra-exclusions.inc?

Hello,

From what I see, it is the NVD entry that is wrong, as it mentions this CVE for gnupg, while the original advisory mentions libksba only. And so does the direct CVE entry.

For now, use CVE_STATUS, but only in your gnupg recipe. We do not need this one to be visible globally, and the NVD entry for libksba is correct.

You can notify NVD that the entry is wrong by writing to the address that is linked at https://nvd.nist.gov/vuln/detail/CVE-2022-3515 in the "Are we missing a CPE here? Please let us know" (mailto:[email protected]) part.

I've fixed it in the overrides repo.

Kind regards,
Marta
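The thread's root cause, a CPE configuration that lists both libksba and gnupg so that a gnupg-versus-range match fires even though the fix lives in libksba, can be reproduced with a small matcher. This is an added illustration, not code from OE-core's cve-check class; the node layout, the inclusive/exclusive version bounds, and the CVE_STATUS-style override are assumptions modelled on the thread, not a copy of the NVD record.

```python
"""Constructed model of how a cve-check style matcher walks NVD CPE
configurations, showing why CVE-2022-3515 flags gnupg 2.3.7 although
the fix is in libksba 1.6.2.  Added example; not OE-core code, and the
version bounds below are assumptions modelled on the thread."""


def ver(s):
    """Split a dotted version into an int tuple so bounds compare numerically."""
    return tuple(int(p) for p in s.split("."))


# Constructed approximation of "configuration 4": libksba below the fixed
# 1.6.2 plus gnupg from 2.3.0 up to (excluding) 2.4.0 in one configuration.
NVD_CONFIG = [
    {"cpe": "cpe:2.3:a:gnupg:libksba", "end_excluding": "1.6.2"},
    {"cpe": "cpe:2.3:a:gnupg:gnupg", "start_including": "2.3.0",
     "end_excluding": "2.4.0"},
]


def cpe_matches(node, product, version):
    """True when the CPE product name and the version bounds both match."""
    if not node["cpe"].endswith(":" + product):
        return False
    v = ver(version)
    if "start_including" in node and v < ver(node["start_including"]):
        return False
    if "end_excluding" in node and v >= ver(node["end_excluding"]):
        return False
    return True


def cve_status(config, product, version, status=None):
    """Return 'Patched', 'Unpatched' or 'Ignored' as a cve-check report would.
    `status` stands in for a recipe-level CVE_STATUS entry (e.g. cpe-incorrect)."""
    if status:
        return "Ignored"
    if any(cpe_matches(n, product, version) for n in config):
        return "Unpatched"
    return "Patched"


def without_product(config, product):
    """The NVD-side fix: drop the offending product's CPEs from the configuration."""
    return [n for n in config if not n["cpe"].endswith(":" + product)]


if __name__ == "__main__":
    print("libksba 1.6.4:", cve_status(NVD_CONFIG, "libksba", "1.6.4"))
    print("gnupg 2.3.7:", cve_status(NVD_CONFIG, "gnupg", "2.3.7"))
    print("gnupg 2.3.7 + CVE_STATUS:", cve_status(NVD_CONFIG, "gnupg", "2.3.7", "cpe-incorrect"))
    print("gnupg 2.3.7 after NVD fix:", cve_status(without_product(NVD_CONFIG, "gnupg"), "gnupg", "2.3.7"))
```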
View/Reply Online (#200872): https://lists.openembedded.org/g/openembedded-core/message/200872
