13:01:19 <jki> #startmeeting CIP IRC weekly meeting
13:01:19 <brlogger> Meeting started Thu Oct 14 13:01:19 2021 UTC and is due to finish in 60 minutes. The chair is jki. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:01:19 <brlogger> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
13:01:19 <brlogger> The meeting name has been set to 'cip_irc_weekly_meeting'
13:01:30 <jki> hi all, please say hello if you are around
13:01:31 <pavel> hi
13:01:36 <uli> hello
13:01:37 <iwamatsu> hi
13:01:39 <masami> hello
13:01:44 <josiah|2> hi
13:01:52 <alicef> o/
13:02:27 <patersonc[m]> hello
13:02:38 <josiah|2> Hi
13:02:49 <jki> full house, great
13:02:56 <jki> #topic AI review
13:03:03 <jki> 1. Combine root filesystem with kselftest binary - iwamatsu & alicef
13:03:11 <alicef> hi o/
13:03:41 <iwamatsu> no update
13:03:56 <alicef> the kernelci patch for using the gz isar-core-cip is almost finished and will be merged probably this week
13:04:16 <patersonc[m]> \o/
13:04:17 <jki> great!
13:04:34 <iwamatsu> yey
13:04:41 <alicef> depend from how much it will take other pull request to be checked
13:04:56 <alicef> that are conflicting with our pull request
13:05:17 <alicef> this is only for managing gz compression
13:06:06 <alicef> so I'm currently starting to test the pull request for implement isar-core-cip
13:06:41 <alicef> for check that everything work correctly with kernelci
13:07:13 <alicef> and maybe do some changes depending from the result
13:08:08 <jki> very good news
13:08:27 <jki> 2. Document new LAVA domains in wiki - patersonc
13:08:34 <patersonc[m]> Done
13:08:43 <jki> \o/
13:09:08 <jki> 3. Look into S3 artifact upload issues - patersonc
13:09:20 <patersonc[m]> Not done
13:10:18 <jki> any new AIs?
13:10:35 <alicef> one
13:10:35 <jki> 3
13:10:42 <jki> go ahead!
13:11:33 <alicef> looks like lava is using jquery 3.4.0 and could be affected by XSS CVE-2020-11023
13:12:02 <alicef> I'm trying to fix it upstream but I have no reply from lavasoftware people
13:12:47 <jki> uh
13:13:03 <alicef> for getting permission to send merge request
13:13:23 <jki> do we have an idea where this could be affecting security?
13:13:54 <alicef> lava.ciplatform.org is using lava
13:14:06 <jki> i know
13:14:36 <alicef> GKernelCI is also
13:15:06 <alicef> I'm currently working on patching GKernelCI and trying to send the patch upstream if something come out
13:15:09 <jki> question is, e.g., if only authorized users to exploit that or any visitor
13:16:29 <alicef> from the CVE: passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
13:16:50 <alicef> is affecting jquery equal to 1.0.3 and before 3.5.0
13:18:01 <jki> should we ping someone from kernelci on that directly?
13:18:49 <alicef> currently I'm trying to talk about it with #lavasoftware and wait for their reply
13:18:56 <jki> ok
13:19:21 <jki> then let's wait and meanwhile at this as AI on the stack
13:19:31 <alicef> my idea is to just trying to update jquery as was arleady updated also in the pust for some security concern
13:19:55 <patersonc[m]> Thanks alicef
13:20:12 <alicef> s/pust/past
13:20:26 <alicef> s/arleady/already
13:20:38 <jki> Quirin just pointed me to https://git.lavasoftware.org/lava/lava/-/issues/421 - TL;DR No fix because we don't use the dangerous code
13:21:15 <alicef> that's nice
13:21:22 <jki> wait, that is not the same one, is it?
13:21:35 <jki> CVE-2020-11022
13:21:42 <alicef> mmm oh right
13:21:46 <jki> you wrote CVE-2020-11023
13:21:59 <alicef> let me open a new issue if so
13:22:11 <jki> thanks!
13:22:58 <jki> any other AIs?
13:23:13 <jki> 3
13:23:16 <jki> 2
13:23:17 <jki> 1
13:23:27 <jki> #topic Kernel maintenance updates
13:23:38 <pavel> I have reviewed patches for 5.10.72,73,74.
13:23:52 <uli> reviewed for 5.10.71
13:23:59 <masami> There is four new CVEs this week
13:24:05 <masami> CVE-2021-0935: 4.4 hasn't been fixed yet. other stable kernels have been fixed.
13:24:09 <iwamatsu> I reviewed 5.10.72 and 73.
13:24:12 <masami> CVE-2021-0937, CVE-2021-0938, CVE-2021-0941: all stable kernels have been fixed.
13:24:21 <masami> CVE-2021-41864: 4.9 and 4.14 haven't been fixed yet.
13:24:43 <pavel> 4.19 and 4.14 are not really our focus; we can let someone else handle that.
13:24:52 <masami> s/four/five/s
13:25:49 <pavel> CVE..-0935: it is networking but not remotely exploitable afaict. I guess we can wait few weeks and try to do something about it if not fixed by then...?
13:26:13 <masami> pavel: 4.19 and 4.14? you mean 4.9 and 4.14?
13:26:32 <pavel> masami: Sorry. I meant 4.9 and 4.14. We do care about 4.19.
13:26:47 <masami> pavel: no problem.
13:27:12 <iwamatsu> About CVE-2021-0935, I am trying backporting.
13:27:44 <masami> iwamatsu: thank you
13:29:40 <jki> anything else under this topic?
13:29:56 <jki> 3
13:29:59 <jki> 2
13:30:00 <jki> 1
13:30:04 <jki> #topic Kernel testing
13:30:13 <patersonc[m]> Other than what Alice has been said previously I don't have much to add
13:30:51 <jki> then let's make it short, or?
13:31:06 <jki> 3
13:31:09 <jki> 2
13:31:13 <jki> 1
13:31:18 <jki> #topic AOB
13:32:06 <jki> I would like to hear if there is anything (further) to do regarding that wireless topic
13:34:12 <pav3l> Not really, I believe.
13:35:03 <jki> TSC meeting sounded like Security is expecting some statement from Kernel WG
13:35:24 <jki> but I may have misunderstood that
13:35:58 <pav3l> I missed that. What kind of statement?
13:36:26 <pav3l> We can't really promise them anything.
13:36:35 <jki> someone said kernel team would be "looking" into that
13:36:44 <jki> yeah, understood
13:36:58 <jki> summary would be kernel team can handle few selected wifi drivers, doing basic testing only, correct?
13:37:23 <pav3l> jki basically no testing.
13:37:38 <jki> compile "testing" only, ok
13:37:39 <pav3l> jki we can review patches from upstream, that's it.
13:37:54 <jki> was this communicated already?
13:38:15 <iwamatsu> we can not test it on LAVA.
13:38:18 <pav3l> jki but that should be enough... And yes, I tried to explain that.
13:38:26 <jki> "building and probing seem reasonable tests currently"
13:38:37 <jki> what was meant by "probing"?
13:39:12 <pav3l> We want to have driver present on boards that have it...
13:39:27 <jki> ok
13:39:30 <iwamatsu> +1
13:39:31 <pav3l> ...to catch unlikely error that it fails during probe or something like that.
13:40:04 <jki> then I will try to point this out again during next TSC
13:41:22 <pav3l> Sounds good.
13:41:36 <jki> any other AOB?
13:41:41 <patersonc[m]> We may be able to add wifi to a LAVA lab if really needed
13:42:37 <jki> yeah, maybe just check if scanning works (known networks visible), that's what I tend to do manually
13:43:00 <jki> but already that requires that the thing is not in a metal box...
13:43:37 <jki> so, anything else?
13:43:52 <jki> 3
13:43:57 <jki> 2
13:44:01 <jki> 1
13:44:06 <jki> #endmeeting