From: Peter Marko <[email protected]> NVD CVE report [1] links Ubuntu bug [2] which has a very good description/discussion about this issue. It applies only to distros patching wpa-supplicant to allow non-root users (e.g. via netdev group) to load modules. This is not the case of Yocto.
Quote: So upstream isn't vulnerable as they only expose the dbus interface to root. Downstreams like Ubuntu and Chromium added a patch that grants access to the netdev group. The patch is the problem, not the upstream code IMHO. There is also a commit [3] associated with this CVE, however that only provides build-time configuration to limit paths which can be accessed but it acts only as a mitigation for distros which allow non-root users to load crafted modules. [1] https://nvd.nist.gov/vuln/detail/CVE-2024-5290 [2] https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/2067613 [3] https://w1.fi/cgit/hostap/commit/?id=c84388ee4c66bcd310db57489eac4a75fc600747 Signed-off-by: Peter Marko <[email protected]> Signed-off-by: Steve Sakoman <[email protected]> --- .../recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb index 70f1fd6fc9..696176907c 100644 --- a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant_2.10.bb @@ -31,6 +31,9 @@ SRC_URI[sha256sum] = "20df7ae5154b3830355f8ab4269123a87affdea59fe74fe9292a91d0d7 CVE_PRODUCT = "wpa_supplicant" +# not-applicable-platform: this only affects Ubuntu and other platforms patching wpa-supplicant +CVE_CHECK_IGNORE += "CVE-2024-5290" + S = "${WORKDIR}/wpa_supplicant-${PV}" PACKAGES:prepend = "wpa-supplicant-passphrase wpa-supplicant-cli " -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#205187): https://lists.openembedded.org/g/openembedded-core/message/205187 Mute This Topic: https://lists.openembedded.org/mt/108779035/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
