From: Marta Rybczynska <rybczynska@gmail.com>
To: yocto-security@lists.yoctoproject.org,
	 bitbake-devel@lists.openembedded.org
Subject: YOCTO PROJECT SECURITY ADVISORY 2024-01-19
Date: Mon, 19 Feb 2024 14:43:23 +0100
Message-ID: <CAApg2=R-9zcMJOSDQXyZpGPG6KfACeFh4=_xn0tn0gqza6APyg@mail.gmail.com>

YOCTO PROJECT SECURITY ADVISORY 2024-01-19

References: CVE-2024-25626 (HIGH severity, CVSS 8.8)

A remote code execution vulnerability has been discovered in the Toaster
web application included in bitbake, which is in turn a component of the
Yocto Project. An attacker could craft an HTTP request that causes an
attacker-controlled command to run in the shell with Toaster's permissions.
This issue does not require authorization.

Toaster is a web interface to Bitbake. It is disabled by default; users
need to launch it explicitly. It should not be accessible from public or
untrusted networks.

Users not using Toaster are not affected by this vulnerability.

Command line builds are not affected.

Solution: Update to Yocto Project 5.0, 3.1.31, 4.0.16, 4.3.2, or to
the current git versions.

Workarounds:
 - Make sure Toaster is listening on local interfaces only.
 - Run Toaster as a separate user with minimal permissions.

Thanks: The Yocto Project would like to thank Michael Blunt for a
responsible disclosure.

References:
https://git.openembedded.org/bitbake/commit/?id=fe0881615896de844141393b21a121f7c3fa9d16
https://git.openembedded.org/bitbake/commit/?id=94e88efa9dbefd37f1d48459ade19797b6034b84
https://github.com/yoctoproject/poky/security/advisories/GHSA-75xw-78mm-72r4

Timeline:
19-November-2023 Information received by the Yocto Project Security team
21-November-2023 Issue confirmed by the Yocto Project
23-November-2023 Issue reproduced by the Yocto Project
20-December-2023 Fix pushed to the bitbake git repository
04-January-2024 A regression fix pushed to the bitbake git repository
16-February-2024 CVE entry has been assigned
19-February-2024 The issue has been made public and advisory published
