Skip to content
Snippets Groups Projects
Select Git revision
  • master-next
  • master
  • scarthgap
  • kirkstone
  • styhead
  • dunfell
  • nanbield
  • mickledore
  • langdale
  • mickledore-next
  • honister
  • gatesgarth
  • hardknott
  • thud
  • warrior
  • zeus
  • pyro
  • sumo
  • rocko
  • jethro
  • yocto-5.1.3
  • styhead-5.1.3
  • yocto-4.0.25
  • kirkstone-4.0.25
  • yocto-5.0.7
  • scarthgap-5.0.7
  • 5.2_M2
  • yocto-4.0.24
  • kirkstone-4.0.24
  • yocto-5.1.2
  • styhead-5.1.2
  • 5.2_M1
  • yocto-5.0.6
  • scarthgap-5.0.6
  • styhead-5.1.1
  • yocto-5.1.1
  • yocto-4.0.23
  • kirkstone-4.0.23
  • yocto-5.0.5
  • scarthgap-5.0.5
40 results
Compare
user avatar
wpa-supplicant: Ignore CVE-2024-5290
Peter Marko authored 
NVD CVE report [1] links Ubuntu bug [2] which has a very good
description/discussion about this issue.
It applies only to distros patching wpa-supplicant to allow non-root
users (e.g. via netdev group) to load modules.
This is not the case of Yocto.

Quote:
So upstream isn't vulnerable as they only expose the dbus interface to
root. Downstreams like Ubuntu and Chromium added a patch that grants
access to the netdev group. The patch is the problem, not the upstream
code IMHO.

There is also a commit [3] associated with this CVE, however that only
provides build-time configuration to limit paths which can be accessed
but it acts only as a mitigation for distros which allow non-root users
to load crafted modules.

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-5290
[2] https://bugs.launchpad.net/ubuntu/+source/wpa/+bug/2067613
[3] https://w1.fi/cgit/hostap/commit/?id=c84388ee4c66bcd310db57489eac4a75fc600747



(From OE-Core rev: 603047ab3c85009c384793cdbdd8e6ae1aebd737)

Signed-off-by: default avatarPeter Marko <peter.marko@siemens.com>
Signed-off-by: default avatarSteve Sakoman <steve@sakoman.com>
808700d1
History
user avatar 808700d1
History
Name Last commit Last update