* [OE-core] cups: whitelist CVE-2018-6553
@ 2020-11-18 15:25 Steve Sakoman
  2020-11-18 23:56 ` Anuj Mittal
  0 siblings, 1 reply; 4+ messages in thread
From: Steve Sakoman @ 2020-11-18 15:25 UTC (permalink / raw)
  To: openembedded-core

This is an Ubuntu specific issue:

The CUPS AppArmor profile incorrectly confined the dnssd backend
due to use of hard links. A local attacker could possibly use this
issue to escape confinement. This flaw affects versions prior to
2.2.7-1ubuntu2.1 in Ubuntu 18.04 LTS, prior to 2.2.4-7ubuntu3.1
in Ubuntu 17.10, prior to 2.1.3-4ubuntu0.5 in Ubuntu 16.04 LTS,
 and prior to 1.7.2-0ubuntu1.10 in Ubuntu 14.04 LTS

Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-extended/cups/cups.inc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 87870e4aba..df8d4d284a 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -20,6 +20,9 @@ SRC_URI = "https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t
 UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases"
 UPSTREAM_CHECK_REGEX = "cups-(?P<pver>\d+\.\d+(\.\d+)?)-source.tar"
 
+# This is an Ubuntu only issue.
+CVE_CHECK_WHITELIST += "CVE-2018-6553"
+
 LEAD_SONAME = "libcupsdriver.so"
 
 CLEANBROKEN = "1"
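
Review bot: The comment on the added line above CVE_CHECK_WHITELIST says only "Ubuntu only issue" and should record why the recipe is unaffected. Per the commit message, the flaw is in Ubuntu's CUPS AppArmor profile for the dnssd backend, so something like `# CVE is in Ubuntu's AppArmor profile for the cups dnssd backend, not in upstream cups.` would let anyone whose layer adds an AppArmor profile for cups see that the exclusion may not hold for them. The whitelist entry is also unconditional, so cve-check will stay silent for this CVE in every configuration that uses the recipe.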
-- 
2.17.1



* Re: [OE-core] cups: whitelist CVE-2018-6553
  2020-11-18 15:25 [OE-core] cups: whitelist CVE-2018-6553 Steve Sakoman
@ 2020-11-18 23:56 ` Anuj Mittal
  2020-11-19  0:12   ` Steve Sakoman
  0 siblings, 1 reply; 4+ messages in thread
From: Anuj Mittal @ 2020-11-18 23:56 UTC (permalink / raw)
  To: openembedded-core, steve

On Wed, 2020-11-18 at 05:25 -1000, Steve Sakoman wrote:
> This is an Ubuntu specific issue:
> 
> The CUPS AppArmor profile incorrectly confined the dnssd backend
> due to use of hard links. A local attacker could possibly use this
> issue to escape confinement. This flaw affects versions prior to
> 2.2.7-1ubuntu2.1 in Ubuntu 18.04 LTS, prior to 2.2.4-7ubuntu3.1
> in Ubuntu 17.10, prior to 2.1.3-4ubuntu0.5 in Ubuntu 16.04 LTS,
>  and prior to 1.7.2-0ubuntu1.10 in Ubuntu 14.04 LTS

It doesn't affect the default configuration but someone in theory could
have extended the recipe to have AppArmor support and then it might be
vulnerable?

Since this CVE is sort of distro specific and not package specific,
should this be part of recipe or the poky distro meta data?

Thanks,

Anuj

> 
> Signed-off-by: Steve Sakoman <steve@sakoman.com>
> ---
>  meta/recipes-extended/cups/cups.inc | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-
> extended/cups/cups.inc
> index 87870e4aba..df8d4d284a 100644
> --- a/meta/recipes-extended/cups/cups.inc
> +++ b/meta/recipes-extended/cups/cups.inc
> @@ -20,6 +20,9 @@ SRC_URI = "
> https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t
>  UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases"
>  UPSTREAM_CHECK_REGEX = "cups-(?P<pver>\d+\.\d+(\.\d+)?)-source.tar"
>  
> +# This is an Ubuntu only issue.
> +CVE_CHECK_WHITELIST += "CVE-2018-6553"
> +
>  LEAD_SONAME = "libcupsdriver.so"
>  
>  CLEANBROKEN = "1"
> 
> 
> 



* Re: [OE-core] cups: whitelist CVE-2018-6553
  2020-11-18 23:56 ` Anuj Mittal
@ 2020-11-19  0:12   ` Steve Sakoman
  2020-11-19  8:46     ` Mikko Rapeli
  0 siblings, 1 reply; 4+ messages in thread
From: Steve Sakoman @ 2020-11-19  0:12 UTC (permalink / raw)
  To: Mittal, Anuj; +Cc: openembedded-core

On Wed, Nov 18, 2020 at 1:56 PM Mittal, Anuj <anuj.mittal@intel.com> wrote:
>
> On Wed, 2020-11-18 at 05:25 -1000, Steve Sakoman wrote:
> > This is an Ubuntu specific issue:
> >
> > The CUPS AppArmor profile incorrectly confined the dnssd backend
> > due to use of hard links. A local attacker could possibly use this
> > issue to escape confinement. This flaw affects versions prior to
> > 2.2.7-1ubuntu2.1 in Ubuntu 18.04 LTS, prior to 2.2.4-7ubuntu3.1
> > in Ubuntu 17.10, prior to 2.1.3-4ubuntu0.5 in Ubuntu 16.04 LTS,
> >  and prior to 1.7.2-0ubuntu1.10 in Ubuntu 14.04 LTS
>
> It doesn't affect the default configuration but someone in theory could
> have extended the recipe to have AppArmor support and then it might be
> vulnerable?

I suppose if someone implemented AppArmor support and botched it in the
same way as it was in Ubuntu, then yes they would have the same vulnerability!

> Since this CVE is sort of distro specific and not package specific,
> should this be part of recipe or the poky distro meta data?

I'm open for suggestions.  There are many ways people can take our
standard recipes and implement a horribly insecure image. IMHO
this is one of the more unlikely paths that someone would take :-)

But if the community feels this is best in the poky distro metadata I have no
issue with that.

Steve
>
> Thanks,
>
> Anuj
>
> >
> > Signed-off-by: Steve Sakoman <steve@sakoman.com>
> > ---
> >  meta/recipes-extended/cups/cups.inc | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-
> > extended/cups/cups.inc
> > index 87870e4aba..df8d4d284a 100644
> > --- a/meta/recipes-extended/cups/cups.inc
> > +++ b/meta/recipes-extended/cups/cups.inc
> > @@ -20,6 +20,9 @@ SRC_URI = "
> > https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t
> >  UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases"
> >  UPSTREAM_CHECK_REGEX = "cups-(?P<pver>\d+\.\d+(\.\d+)?)-source.tar"
> >
> > +# This is an Ubuntu only issue.
> > +CVE_CHECK_WHITELIST += "CVE-2018-6553"
> > +
> >  LEAD_SONAME = "libcupsdriver.so"
> >
> >  CLEANBROKEN = "1"
> >
> > 
> >
>


* Re: [OE-core] cups: whitelist CVE-2018-6553
  2020-11-19  0:12   ` Steve Sakoman
@ 2020-11-19  8:46     ` Mikko Rapeli
  0 siblings, 0 replies; 4+ messages in thread
From: Mikko Rapeli @ 2020-11-19  8:46 UTC (permalink / raw)
  To: steve; +Cc: anuj.mittal, openembedded-core

On Wed, Nov 18, 2020 at 02:12:18PM -1000, Steve Sakoman wrote:
> On Wed, Nov 18, 2020 at 1:56 PM Mittal, Anuj <anuj.mittal@intel.com> wrote:
> >
> > On Wed, 2020-11-18 at 05:25 -1000, Steve Sakoman wrote:
> > > This is an Ubuntu specific issue:
> > >
> > > The CUPS AppArmor profile incorrectly confined the dnssd backend
> > > due to use of hard links. A local attacker could possibly use this
> > > issue to escape confinement. This flaw affects versions prior to
> > > 2.2.7-1ubuntu2.1 in Ubuntu 18.04 LTS, prior to 2.2.4-7ubuntu3.1
> > > in Ubuntu 17.10, prior to 2.1.3-4ubuntu0.5 in Ubuntu 16.04 LTS,
> > >  and prior to 1.7.2-0ubuntu1.10 in Ubuntu 14.04 LTS
> >
> > It doesn't affect the default configuration but someone in theory could
> > have extended the recipe to have AppArmor support and then it might be
> > vulnerable?
> 
> I suppose if someone implemented AppArmor support and botched it in the
> same way as it was in Ubuntu, then yes they would have the same vulnerability!
> 
> > Since this CVE is sort of distro specific and not package specific,
> > should this be part of recipe or the poky distro meta data?
> 
> I'm open for suggestions.  There are many ways people can take our
> standard recipes and implement a horribly insecure image. IMHO
> this is one of the more unlikely paths that someone would take :-)
> 
> But if the community feels this is best in the poky distro metadata I have no
> issue with that.

I'd keep this CVE whitelist in the cups recipe. CVE details apply to an unmodified
poky version of the recipe. bbappends and other layers can do really weird things,
including removing patches and downgrading SW versions, which would also result
in bad CVE data overall, but we can't possibly detect those cases inside the
recipe in poky or even distro configuration. The only way to be sure is to review all
bbappends to recipes from all layers in product configurations. The devil is in
the details.

Cheers,

-Mikko
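
The bbappend review described in the last message can be partly automated. The following Python code is an added example, not part of the thread or of OE-core: it walks layer directories for bbappends that apply to one recipe and lists every assignment to SRC_URI, PV or CVE_CHECK_WHITELIST. The layer names, file contents and the choice of watched variables are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: these are the variables a bbappend is most likely to change in
# ways that make the base recipe's CVE data (version, patches, whitelist) wrong.
WATCHED = ("SRC_URI", "PV", "CVE_CHECK_WHITELIST")
ASSIGN = re.compile(
    r"^\s*(?P<var>" + "|".join(WATCHED) + r")"
    r"(?P<override>(?:[_:][A-Za-z0-9-]+)*)\s*"      # _remove, :append, ...
    r"(?P<op>\?\?=|\?=|:=|\+=|=\+|\.=|=\.|=)"       # BitBake assignment operators
)

def audit_bbappends(layer_dirs, recipe):
    """Return (file, line number, variable+override, operator) for every
    watched assignment in bbappends that apply to `recipe`."""
    findings = []
    for layer in layer_dirs:
        for path in sorted(Path(layer).rglob("*.bbappend")):
            # bbappend files are named <recipe>_<version or %>.bbappend
            if path.stem.split("_")[0] != recipe:
                continue
            for no, line in enumerate(path.read_text().splitlines(), 1):
                m = ASSIGN.match(line)
                if m:
                    findings.append((path.name, no, m["var"] + m["override"], m["op"]))
    return findings

def demo():
    """Build a constructed two-layer tree and audit it for the cups recipe."""
    with tempfile.TemporaryDirectory() as tmp:
        product = Path(tmp, "meta-product/recipes-extended/cups")
        other = Path(tmp, "meta-other/recipes-core/busybox")
        product.mkdir(parents=True)
        other.mkdir(parents=True)
        # Constructed sample content; patch name, version and CVE id are placeholders.
        (product / "cups_%.bbappend").write_text(
            'FILESEXTRAPATHS_prepend := "${THISDIR}/files:"\n'
            'SRC_URI_remove = "file://constructed-fix.patch"\n'
            'PV = "0.0.0"\n'
            'CVE_CHECK_WHITELIST += "CVE-0000-0000"\n'
        )
        (other / "busybox_%.bbappend").write_text('SRC_URI += "file://x.cfg"\n')
        layers = [Path(tmp, "meta-product"), Path(tmp, "meta-other")]
        return audit_bbappends(layers, "cups")

if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

Each reported line still needs a human decision; the script only narrows the review to the assignments that can change which CVEs apply.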
