mirror of
git://git.yoctoproject.org/meta-virtualization.git
synced 2025-12-14 22:25:28 +01:00
23dff61259
Upstream Repository: https://github.com/grpc/grpc-go Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-7246 Type: Security Fix CVE: CVE-2024-7246 Score: 6.3 (Medium) Patch: https://github.com/grpc/grpc/issues/36245 Analysis: -CVE-2024-7246 describes an HTTP/2 HPACK header table poisoning issue found in the gRPC C-core implementation (grpc/grpc). -The vulnerability does not apply to the pure Go implementation (grpc-go) used in Yocto (meta-virtualization layer). -Marking as not-applicable-config (implementation difference). -The affected code path is not present in grpc-go.Hence ignoring the CVE for grpc-go. Reference: [1] https://nvd.nist.gov/vuln/detail/CVE-2024-7246 [2] https://github.com/grpc/grpc/issues/36245 [3] Upstream gRPC release notes confirming fixed versions for gRPC C-core (not grpc-go). Signed-off-by: Anil Dongare <adongare@cisco.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
49 lines
1.7 KiB
BlitzBasic
49 lines
1.7 KiB
BlitzBasic
DESCRIPTION = "The Go language implementation of gRPC. HTTP/2 based RPC"
|
|
HOMEPAGE = "https://github.com/grpc/grpc-go"
|
|
SECTION = "devel/go"
|
|
LICENSE = "Apache-2.0"
|
|
LIC_FILES_CHKSUM = "file://src/${PKG_NAME}/LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
|
|
|
|
SRCNAME = "grpc-go"
|
|
|
|
PKG_NAME = "google.golang.org/grpc"
|
|
SRC_URI = "git://github.com/grpc/${SRCNAME}.git;destsuffix=${BB_GIT_DEFAULT_DESTSUFFIX}/src/${PKG_NAME};branch=v1.59.x;protocol=https"
|
|
|
|
SRCREV = "7765221f4bf6104973db7946d56936cf838cad46"
|
|
PV = "1.59.0+git"
|
|
|
|
# NO-OP the do compile rule because this recipe is source only.
|
|
do_compile() {
|
|
}
|
|
|
|
do_install() {
|
|
install -d ${D}${prefix}/local/go/src/${PKG_NAME}
|
|
for j in $(cd ${S} && find src/${PKG_NAME} -name "*.go"); do
|
|
if [ ! -d ${D}${prefix}/local/go/$(dirname $j) ]; then
|
|
mkdir -p ${D}${prefix}/local/go/$(dirname $j)
|
|
fi
|
|
cp $j ${D}${prefix}/local/go/$j
|
|
done
|
|
cp -r ${S}/src/${PKG_NAME}/LICENSE ${D}${prefix}/local/go/src/${PKG_NAME}/
|
|
}
|
|
|
|
SYSROOT_PREPROCESS_FUNCS += "go_grpc_sysroot_preprocess"
|
|
|
|
go_grpc_sysroot_preprocess () {
|
|
install -d ${SYSROOT_DESTDIR}${prefix}/local/go/src/${PKG_NAME}
|
|
cp -r ${D}${prefix}/local/go/src/${PKG_NAME} ${SYSROOT_DESTDIR}${prefix}/local/go/src/$(dirname ${PKG_NAME})
|
|
}
|
|
|
|
FILES:${PN} += " \
|
|
${prefix}/local/go/src/${PKG_NAME}/* \
|
|
"
|
|
|
|
# some CVEs are reported with "cpe:2.3:a:grpc:grpc:*:*:*:*:*:go:*:*"
|
|
# it's better to have false positives than false negatives
|
|
CVE_PRODUCT += "grpc"
|
|
# CVE-2024-7246 is an HTTP/2 HPACK poisoning issue in gRPC C-core
|
|
# (C/C++ implementation, meta-openembedded).
|
|
# grpc-go (Go implementation in meta-virtualization) does not
|
|
# contain the affected HPACK code path.
|
|
CVE_STATUS[CVE-2024-7246] = "not-applicable-config: CVE is for grpc (C-core), not grpc-go."
|