| Andrew Geissler | 517393d | 2023-01-13 08:55:19 -0600 | [diff] [blame^] | 1 | .. SPDX-License-Identifier: CC-BY-SA-2.0-UK |
| 2 | |
| 3 | Checking for Vulnerabilities |
| 4 | **************************** |
| 5 | |
| 6 | Vulnerabilities in Poky and OE-Core |
| 7 | =================================== |
| 8 | |
| 9 | The Yocto Project has an infrastructure to track and address unfixed |
| 10 | known security vulnerabilities, as tracked by the public |
| 11 | :wikipedia:`Common Vulnerabilities and Exposures (CVE) <Common_Vulnerabilities_and_Exposures>` |
| 12 | database. |
| 13 | |
| 14 | The Yocto Project maintains a `list of known vulnerabilities |
| 15 | <https://autobuilder.yocto.io/pub/non-release/patchmetrics/>`__ |
| 16 | for packages in Poky and OE-Core, tracking the evolution of the number of |
| 17 | unpatched CVEs and the status of patches. Such information is available for |
| 18 | the current development version and for each supported release. |
| 19 | |
| 20 | Security is a process, not a product, and thus at any time, a number of security |
| 21 | issues may be impacting Poky and OE-Core. It is up to the maintainers, users, |
| 22 | contributors and anyone interested in the issues to investigate and possibly fix them by |
| 23 | updating software components to newer versions or by applying patches to address them. |
| 24 | It is recommended to work with Poky and OE-Core upstream maintainers and submit |
| 25 | patches to fix them, see ":ref:`dev-manual/changes:submitting a change to the yocto project`" for details. |
| 26 | |
| 27 | Vulnerability check at build time |
| 28 | ================================= |
| 29 | |
| 30 | To enable a check for CVE security vulnerabilities using |
| 31 | :ref:`ref-classes-cve-check` in the specific image or target you are building, |
| 32 | add the following setting to your configuration:: |
| 33 | |
| 34 | INHERIT += "cve-check" |
| 35 | |
| 36 | The CVE database contains some old incomplete entries which have been |
| 37 | deemed not to impact Poky or OE-Core. These CVE entries can be excluded from the |
| 38 | check using build configuration:: |
| 39 | |
| 40 | include conf/distro/include/cve-extra-exclusions.inc |
| 41 | |
| 42 | With this CVE check enabled, BitBake build will try to map each compiled software component |
| 43 | recipe name and version information to the CVE database and generate recipe and |
| 44 | image specific reports. These reports will contain: |
| 45 | |
| 46 | - metadata about the software component like names and versions |
| 47 | |
| 48 | - metadata about the CVE issue such as description and NVD link |
| 49 | |
| 50 | - for each software component, a list of CVEs which are possibly impacting this version |
| 51 | |
| 52 | - status of each CVE: ``Patched``, ``Unpatched`` or ``Ignored`` |
| 53 | |
| 54 | The status ``Patched`` means that a patch file to address the security issue has been |
| 55 | applied. ``Unpatched`` status means that no patches to address the issue have been |
| 56 | applied and that the issue needs to be investigated. ``Ignored`` means that after |
| 57 | analysis, it has been deemed to ignore the issue as it for example affects |
| 58 | the software component on a different operating system platform. |
| 59 | |
| 60 | After a build with CVE check enabled, reports for each compiled source recipe will be |
| 61 | found in ``build/tmp/deploy/cve``. |
| 62 | |
| 63 | For example the CVE check report for the ``flex-native`` recipe looks like:: |
| 64 | |
| 65 | $ cat poky/build/tmp/deploy/cve/flex-native |
| 66 | LAYER: meta |
| 67 | PACKAGE NAME: flex-native |
| 68 | PACKAGE VERSION: 2.6.4 |
| 69 | CVE: CVE-2016-6354 |
| 70 | CVE STATUS: Patched |
| 71 | CVE SUMMARY: Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read. |
| 72 | CVSS v2 BASE SCORE: 7.5 |
| 73 | CVSS v3 BASE SCORE: 9.8 |
| 74 | VECTOR: NETWORK |
| 75 | MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6354 |
| 76 | |
| 77 | LAYER: meta |
| 78 | PACKAGE NAME: flex-native |
| 79 | PACKAGE VERSION: 2.6.4 |
| 80 | CVE: CVE-2019-6293 |
| 81 | CVE STATUS: Ignored |
| 82 | CVE SUMMARY: An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service. |
| 83 | CVSS v2 BASE SCORE: 4.3 |
| 84 | CVSS v3 BASE SCORE: 5.5 |
| 85 | VECTOR: NETWORK |
| 86 | MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6293 |
| 87 | |
| 88 | For images, a summary of all recipes included in the image and their CVEs is also |
| 89 | generated in textual and JSON formats. These ``.cve`` and ``.json`` reports can be found |
| 90 | in the ``tmp/deploy/images`` directory for each compiled image. |
| 91 | |
| 92 | At build time CVE check will also throw warnings about ``Unpatched`` CVEs:: |
| 93 | |
| 94 | WARNING: flex-2.6.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-6293), for more information check /poky/build/tmp/work/core2-64-poky-linux/flex/2.6.4-r0/temp/cve.log |
| 95 | WARNING: libarchive-3.5.1-r0 do_cve_check: Found unpatched CVE (CVE-2021-36976), for more information check /poky/build/tmp/work/core2-64-poky-linux/libarchive/3.5.1-r0/temp/cve.log |
| 96 | |
| 97 | It is also possible to check the CVE status of individual packages as follows:: |
| 98 | |
| 99 | bitbake -c cve_check flex libarchive |
| 100 | |
| 101 | Fixing CVE product name and version mappings |
| 102 | ============================================ |
| 103 | |
| 104 | By default, :ref:`ref-classes-cve-check` uses the recipe name :term:`BPN` as CVE |
| 105 | product name when querying the CVE database. If this mapping contains false positives, e.g. |
| 106 | some reported CVEs are not for the software component in question, or false negatives like |
| 107 | some CVEs are not found to impact the recipe when they should, then the problems can be |
| 108 | in the recipe name to CVE product mapping. These mapping issues can be fixed by setting |
| 109 | the :term:`CVE_PRODUCT` variable inside the recipe. This defines the name of the software component in the |
| 110 | upstream `NIST CVE database <https://nvd.nist.gov/>`__. |
| 111 | |
| 112 | The variable supports using vendor and product names like this:: |
| 113 | |
| 114 | CVE_PRODUCT = "flex_project:flex" |
| 115 | |
| 116 | In this example the vendor name used in the CVE database is ``flex_project`` and the |
| 117 | product is ``flex``. With this setting the ``flex`` recipe only maps to this specific |
| 118 | product and not products from other vendors with same name ``flex``. |
| 119 | |
| 120 | Similarly, when the recipe version :term:`PV` is not compatible with software versions used by |
| 121 | the upstream software component releases and the CVE database, these can be fixed using |
| 122 | the :term:`CVE_VERSION` variable. |
| 123 | |
| 124 | Note that if the CVE entries in the NVD database contain bugs or have missing or incomplete |
| 125 | information, it is recommended to fix the information there directly instead of working |
| 126 | around the issues possibly for a long time in Poky and OE-Core side recipes. Feedback to |
| 127 | NVD about CVE entries can be provided through the `NVD contact form <https://nvd.nist.gov/info/contact-form>`__. |
| 128 | |
| 129 | Fixing vulnerabilities in recipes |
| 130 | ================================= |
| 131 | |
| 132 | If a CVE security issue impacts a software component, it can be fixed by updating to a newer |
| 133 | version of the software component or by applying a patch. For Poky and OE-Core master branches, updating |
| 134 | to a newer software component release with fixes is the best option, but patches can be applied |
| 135 | if releases are not yet available. |
| 136 | |
| 137 | For stable branches, it is preferred to apply patches for the issues. For some software |
| 138 | components minor version updates can also be applied if they are backwards compatible. |
| 139 | |
| 140 | Here is an example of fixing CVE security issues with patch files, |
| 141 | an example from the :oe_layerindex:`ffmpeg recipe</layerindex/recipe/47350>`:: |
| 142 | |
| 143 | SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \ |
| 144 | file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \ |
| 145 | file://fix-CVE-2020-20446.patch \ |
| 146 | file://fix-CVE-2020-20453.patch \ |
| 147 | file://fix-CVE-2020-22015.patch \ |
| 148 | file://fix-CVE-2020-22021.patch \ |
| 149 | file://fix-CVE-2020-22033-CVE-2020-22019.patch \ |
| 150 | file://fix-CVE-2021-33815.patch \ |
| 151 | |
| 152 | A good practice is to include the CVE identifier in both the patch file name |
| 153 | and inside the patch file commit message using the format:: |
| 154 | |
| 155 | CVE: CVE-2020-22033 |
| 156 | |
| 157 | CVE checker will then capture this information and change the CVE status to ``Patched`` |
| 158 | in the generated reports. |
| 159 | |
| 160 | If analysis shows that the CVE issue does not impact the recipe due to configuration, platform, |
| 161 | version or other reasons, the CVE can be marked as ``Ignored`` using the :term:`CVE_CHECK_IGNORE` variable. |
| 162 | As mentioned previously, if data in the CVE database is wrong, it is recommend to fix those |
| 163 | issues in the CVE database directly. |
| 164 | |
| 165 | Recipes can be completely skipped by CVE check by including the recipe name in |
| 166 | the :term:`CVE_CHECK_SKIP_RECIPE` variable. |
| 167 | |
| 168 | Implementation details |
| 169 | ====================== |
| 170 | |
| 171 | Here's what the :ref:`ref-classes-cve-check` class does to find unpatched CVE IDs. |
| 172 | |
| 173 | First the code goes through each patch file provided by a recipe. If a valid CVE ID |
| 174 | is found in the name of the file, the corresponding CVE is considered as patched. |
| 175 | Don't forget that if multiple CVE IDs are found in the filename, only the last |
| 176 | one is considered. Then, the code looks for ``CVE: CVE-ID`` lines in the patch |
| 177 | file. The found CVE IDs are also considered as patched. |
| 178 | |
| 179 | Then, the code looks up all the CVE IDs in the NIST database for all the |
| 180 | products defined in :term:`CVE_PRODUCT`. Then, for each found CVE: |
| 181 | |
| 182 | - If the package name (:term:`PN`) is part of |
| 183 | :term:`CVE_CHECK_SKIP_RECIPE`, it is considered as ``Patched``. |
| 184 | |
| 185 | - If the CVE ID is part of :term:`CVE_CHECK_IGNORE`, it is |
| 186 | set as ``Ignored``. |
| 187 | |
| 188 | - If the CVE ID is part of the patched CVE for the recipe, it is |
| 189 | already considered as ``Patched``. |
| 190 | |
| 191 | - Otherwise, the code checks whether the recipe version (:term:`PV`) |
| 192 | is within the range of versions impacted by the CVE. If so, the CVE |
| 193 | is considered as ``Unpatched``. |
| 194 | |
| 195 | The CVE database is stored in :term:`DL_DIR` and can be inspected using |
| 196 | ``sqlite3`` command as follows:: |
| 197 | |
| 198 | sqlite3 downloads/CVE_CHECK/nvdcve_1.1.db .dump | grep CVE-2021-37462 |
| 199 | |
| 200 | When analyzing CVEs, it is recommended to: |
| 201 | |
| 202 | - study the latest information in `CVE database <https://nvd.nist.gov/vuln/search>`__. |
| 203 | |
| 204 | - check how upstream developers of the software component addressed the issue, e.g. |
| 205 | what patch was applied, which upstream release contains the fix. |
| 206 | |
| 207 | - check what other Linux distributions like `Debian <https://security-tracker.debian.org/tracker/>`__ |
| 208 | did to analyze and address the issue. |
| 209 | |
| 210 | - follow security notices from other Linux distributions. |
| 211 | |
| 212 | - follow public `open source security mailing lists <https://oss-security.openwall.org/wiki/mailing-lists>`__ for |
| 213 | discussions and advance notifications of CVE bugs and software releases with fixes. |
| 214 | |