CVE corrected for IMX7-EMMC linux-toradex module

Hello everyone.

I am currently using YOCTO to customize our distributions. During our activities, I uploaded an SBOM to a Dependency Track server, which includes the security vulnerabilities (CVEs) explicitly fixed by each component.

To do this, during the generation, I use the CVE_CHECK_WHITELIST variable in each of the YOCTO recipes involved in the generation.

My question here concerns the linux-toradex component (kernel 5.4.193) from the dunfell branch for IMX7. As far as I've seen, the .bb rule and included files do not seem to contain any definition of the CVE_CHECK_WHITELIST variable.

Is the information about the fixed CVEs located elsewhere?
Is there a better method than using the CVE_CHECK_WHITELIST variable?
Does linux-toradex fix any CVEs, or is it a linux-kernel 5.4.193 without any fixes?

Thank you in advance.

Hi, I’m the Toradex AI Assistant. The Toradex Support team will follow up with you shortly!

Based on the provided context, the linux-toradex component for kernel version 5.4.193 does not explicitly define the CVE_CHECK_WHITELIST variable in its .bb rule or included files. This suggests that information about fixed CVEs might not be documented in the expected manner within the recipe files. Instead, you may need to look for CVE information in other related documentation or sources outside the standard recipe files, such as upstream kernel patches or security advisories from Toradex.

To determine if any CVEs have been fixed in this kernel version, it is advisable to consult the official Toradex documentation or security advisories. Additionally, checking changelogs or security bulletins associated with the linux-toradex component could provide insights into any vulnerabilities that have been addressed.

As for a better method than using the CVE_CHECK_WHITELIST variable, the context does not provide an alternative approach. Therefore, it would be best to rely on external sources or security advisories related to the linux-toradex component for detailed information on CVE fixes.

Please, also check if these links can help you solve your problem:

Updating OpenSSH Package.

Hello @mom,
We appreciate your patience. Are you using the cve-check class from yocto to check for the vulnerabilities?
The class will check for open vulnerabilities against a specific software version, and from my brief research, it looks like to mark an issue as fixed you have to apply a patch with a specific name format, or you would use the CVE_STATUS variable to mark the reason for ignoring a specific CVE. It seems like using CVE_CHECK_WHITELIST would be a way to add CVEs to an ignored list, which means someone analyzed it and said it's not relevant for the use case.

Is the information about the fixed CVEs located elsewhere?

CVE numbers for the linux kernel are assigned after a fix to a problem that has potential security implications was approved upstream. Please check CVEs — The Linux Kernel documentation for more information about the process.

Does linux-toradex fix any CVEs, or is it a linux-kernel 5.4.193 without any fixes?

Currently, Toradex is not actively patching the kernel versions for CVEs. We maintain our kernel branches up-to-date with their respective upstream branches, which follow the CVE process described above.

I hope this helps,
Rafael
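The reply above distinguishes two ways a CVE can drop out of a cve-check report: a patch whose file name carries the CVE id (or whose header carries a "CVE:" tag line) marks it as patched, while a whitelist entry marks it as ignored after someone reviewed it. The following script is an added illustration of that distinction, not code from this thread, from the Yocto cve-check class or from Toradex: it re-implements the patch-name and "CVE:" tag convention with simple regular expressions, then sorts a set of reported ids into patched, ignored and still-open buckets. All patch names, patch contents, CVE ids (year 2099) and the whitelist are constructed sample data.

```python
import re
from typing import Dict, Iterable, List, Set

# Two conventions approximating what cve-check recognises (assumption, not
# the class's own code): a CVE id anywhere in the patch file name, and a
# "CVE: CVE-YYYY-NNNN [CVE-YYYY-NNNN ...]" tag line in the patch header.
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d+")
CVE_TAG_RE = re.compile(r"^CVE:((?:\s+CVE-\d{4}-\d+)+)", re.MULTILINE)


def cves_from_patch(filename: str, content: str) -> Set[str]:
    """Return the CVE ids a patch claims to fix, from its name and header."""
    found = set(CVE_ID_RE.findall(filename))
    for match in CVE_TAG_RE.finditer(content):
        found.update(CVE_ID_RE.findall(match.group(1)))
    return found


def classify(reported: Iterable[str],
             patches: Dict[str, str],
             whitelist: Iterable[str]) -> Dict[str, List[str]]:
    """Sort reported CVE ids into patched / ignored / unpatched buckets.

    A patch takes precedence over the whitelist: an id that is both fixed
    and whitelisted is reported as patched, so a stale whitelist entry does
    not hide the fact that a real fix is applied.
    """
    patched: Set[str] = set()
    for name, content in patches.items():
        patched |= cves_from_patch(name, content)
    ignored = set(whitelist)

    result: Dict[str, List[str]] = {"patched": [], "ignored": [], "unpatched": []}
    for cve in sorted(set(reported)):
        if cve in patched:
            result["patched"].append(cve)
        elif cve in ignored:
            result["ignored"].append(cve)
        else:
            result["unpatched"].append(cve)
    return result


# Constructed sample data: one patch named after a CVE, one patch that only
# tags CVEs in its header, and one whitelist entry (reviewed, not relevant).
SAMPLE_PATCHES = {
    "0001-CVE-2099-0001-fix-overflow.patch":
        "From: sample <sample@example.invalid>\n"
        "Subject: fix length check\n\n---\n",
    "0002-harden-parser.patch":
        "Subject: harden parser\n\n"
        "CVE: CVE-2099-0002 CVE-2099-0003\n"
        "Upstream-Status: Backport\n---\n",
}
SAMPLE_REPORTED = ["CVE-2099-0001", "CVE-2099-0002", "CVE-2099-0003",
                   "CVE-2099-0004", "CVE-2099-0005"]
SAMPLE_WHITELIST = ["CVE-2099-0004"]


def sample_report() -> Dict[str, List[str]]:
    """Run the classifier over the constructed sample data."""
    return classify(SAMPLE_REPORTED, SAMPLE_PATCHES, SAMPLE_WHITELIST)


if __name__ == "__main__":
    for bucket, ids in sample_report().items():
        print(f"{bucket:>9}: {', '.join(ids) or '-'}")
```

For an SBOM consumer such as Dependency-Track, only the "patched" bucket represents a genuine fix; "ignored" entries are review decisions and should be exported with their justification rather than as resolved vulnerabilities.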