[Buildroot] [PATCH 1/5] package/audiofile: annotate _IGNORE_CVES for the included security patches

[Buildroot] [PATCH 1/5] package/audiofile: annotate _IGNORE_CVES for the included security patches

[Peter Korsgaard]

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/audiofile/audiofile.mk | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/package/audiofile/audiofile.mk b/package/audiofile/audiofile.mk
index 2f2e8902e9..bb46436d85 100644
--- a/package/audiofile/audiofile.mk
+++ b/package/audiofile/audiofile.mk
@@ -15,6 +15,22 @@ AUDIOFILE_AUTORECONF = YES
 AUDIOFILE_LICENSE = GPL-2.0+, LGPL-2.1+
 AUDIOFILE_LICENSE_FILES = COPYING COPYING.GPL
 
+# 0003-Always-check-the-number-of-coefficients.patch
+AUDIOFILE_IGNORE_CVES += \
+	CVE-2017-6827 CVE-2017-6828 CVE-2017-6832 \
+	CVE-2017-6833 CVE-2017-6835 CVE-2017-6837
+# 0004-clamp-index-values-to-fix-index-overflow-in-IMA.cpp.patch
+AUDIOFILE_IGNORE_CVES += CVE-2017-6829
+# 0005-Check-for-multiplication-overflow-in-sfconvert.patch
+AUDIOFILE_IGNORE_CVES += \
+	CVE-2017-6830 CVE-2017-6834 CVE-2017-6836 CVE-2017-6838
+# 0006-Actually-fail-when-error-occurs-in-parseFormat.patch
+AUDIOFILE_IGNORE_CVES += CVE-2017-6831
+# 0007-Check-for-multiplication-overflow-in-MSADPCM-decodeS.patch
+AUDIOFILE_IGNORE_CVES += CVE-2017-6839
+# 0008-CVE-2015-7747.patch
+AUDIOFILE_IGNORE_CVES += CVE-2015-7747
+
 ifeq ($(BR2_PACKAGE_FLAC),y)
 AUDIOFILE_DEPENDENCIES += flac
 AUDIOFILE_CONF_OPTS += --enable-flac
-- 
2.20.1

[Buildroot] [PATCH 2/5] package/libsndfile: annotate _IGNORE_CVES for the included security patches

[Peter Korsgaard]

Also mark CVE-2018-13419 as disputed.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/libsndfile/libsndfile.mk | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/package/libsndfile/libsndfile.mk b/package/libsndfile/libsndfile.mk
index 22909ffb62..4a375ab609 100644
--- a/package/libsndfile/libsndfile.mk
+++ b/package/libsndfile/libsndfile.mk
@@ -10,6 +10,17 @@ LIBSNDFILE_INSTALL_STAGING = YES
 LIBSNDFILE_LICENSE = LGPL-2.1+
 LIBSNDFILE_LICENSE_FILES = COPYING
 
+# 0001-double64_init-Check-psf-sf.channels-against-upper-bo.patch
+LIBSNDFILE_IGNORE_CVES += CVE-2017-14634
+# 0002-Check-MAX_CHANNELS-in-sndfile-deinterleave.patch
+LIBSNDFILE_IGNORE_CVES += CVE-2018-13139 CVE-2018-19432
+# 0003-a-ulaw-fix-multiple-buffer-overflows-432.patch
+LIBSNDFILE_IGNORE_CVES += \
+	CVE-2017-14245 CVE-2017-14246 CVE-2017-17456 CVE-2017-17457 \
+	CVE-2018-19661 CVE-2018-19662
+# disputed
+LIBSNDFILE_IGNORE_CVES += CVE-2018-13419
+
 LIBSNDFILE_CONF_OPTS = \
 	--disable-sqlite \
 	--disable-alsa \
-- 
2.20.1

[Buildroot] [PATCH 3/5] package/libtomcrypt: annotate _IGNORE_CVES for the included security patches

[Peter Korsgaard]

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/libtomcrypt/libtomcrypt.mk | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/package/libtomcrypt/libtomcrypt.mk b/package/libtomcrypt/libtomcrypt.mk
index 583bcb15ff..c2f1babb49 100644
--- a/package/libtomcrypt/libtomcrypt.mk
+++ b/package/libtomcrypt/libtomcrypt.mk
@@ -13,6 +13,9 @@ LIBTOMCRYPT_INSTALL_STAGING = YES
 LIBTOMCRYPT_INSTALL_TARGET = NO # only static library
 LIBTOMCRYPT_DEPENDENCIES = libtommath
 
+# 0001-fix-CVE-2019-17362.patch
+LIBTOMCRYPT_IGNORE_CVES += CVE-2019-17362
+
 LIBTOMCRYPT_CFLAGS = -I./src/headers $(TARGET_CFLAGS) -DLTC_SOURCE -DLTM_DESC
 
 define LIBTOMCRYPT_BUILD_CMDS
-- 
2.20.1

[Buildroot] [PATCH 4/5] package/vorbis-tools: annotate _IGNORE_CVES for the included security patches

[Peter Korsgaard]

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/vorbis-tools/vorbis-tools.mk | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/package/vorbis-tools/vorbis-tools.mk b/package/vorbis-tools/vorbis-tools.mk
index 1bec1e2b96..407ea975e7 100644
--- a/package/vorbis-tools/vorbis-tools.mk
+++ b/package/vorbis-tools/vorbis-tools.mk
@@ -10,6 +10,14 @@ VORBIS_TOOLS_LICENSE = GPL-2.0
 VORBIS_TOOLS_LICENSE_FILES = COPYING
 VORBIS_TOOLS_DEPENDENCIES = libao libogg libvorbis libcurl
 VORBIS_TOOLS_CONF_OPTS = --program-transform-name=''
+
+# 0001-oggenc-Fix-large-alloca-on-bad-AIFF-input.patch
+VORBIS_TOOLS_IGNORE_CVES += CVE-2015-6749
+# 0002-oggenc-validate-count-of-channels-in-the-header-CVE-.patch
+VORBIS_TOOLS_IGNORE_CVES += CVE-2014-9638 CVE-2014-9639
+# 0003-oggenc-fix-crash-on-raw-file-close-reported-by-Hanno.patch
+VORBIS_TOOLS_IGNORE_CVES += CVE-2014-9640
+
 # ogg123 calls math functions but forgets to link with libm
 VORBIS_TOOLS_CONF_ENV = LIBS=-lm
 
-- 
2.20.1

[Buildroot] [PATCH 5/5] package/ipsec-tools: annotate _IGNORE_CVES for the included security patches

[Peter Korsgaard]

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/ipsec-tools/ipsec-tools.mk | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/package/ipsec-tools/ipsec-tools.mk b/package/ipsec-tools/ipsec-tools.mk
index 634d752661..72bd8c196c 100644
--- a/package/ipsec-tools/ipsec-tools.mk
+++ b/package/ipsec-tools/ipsec-tools.mk
@@ -15,6 +15,11 @@ IPSEC_TOOLS_DEPENDENCIES = openssl flex host-pkgconf host-flex host-bison
 # we patch configure.ac
 IPSEC_TOOLS_AUTORECONF = YES
 
+# 0004-CVE-2015-4047.patch
+IPSEC_TOOLS_IGNORE_CVES += CVE-2015-4047
+# 0005-CVE-2016-10396.patch
+IPSEC_TOOLS_IGNORE_CVES += CVE-2016-10396
+
 # configure hardcodes -Werror, so override CFLAGS on make invocation
 IPSEC_TOOLS_MAKE_OPTS = CFLAGS='$(TARGET_CFLAGS)'
 
-- 
2.20.1

[Buildroot] [PATCH 2/5] package/libsndfile: annotate _IGNORE_CVES for the included security patches

[Thomas Petazzoni]

On Wed, 19 Feb 2020 17:01:59 +0100
Peter Korsgaard <peter@korsgaard.com> wrote:

> Also mark CVE-2018-13419 as disputed.
> 
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

What does "disputed" means in this context ?

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 2/5] package/libsndfile: annotate _IGNORE_CVES for the included security patches

[Peter Korsgaard]

>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:

 > On Wed, 19 Feb 2020 17:01:59 +0100
 > Peter Korsgaard <peter@korsgaard.com> wrote:

 >> Also mark CVE-2018-13419 as disputed.
 >> 
 >> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

 > What does "disputed" means in this context ?

That someone related to the project claims that it isn't a security
issue or cannot reproduce the issue.

Specifically for this CVE, see the discussion here:

https://github.com/erikd/libsndfile/issues/398

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 2/5] package/libsndfile: annotate _IGNORE_CVES for the included security patches

[Thomas Petazzoni]

On Wed, 19 Feb 2020 22:37:04 +0100
Peter Korsgaard <peter@korsgaard.com> wrote:

>  > What does "disputed" means in this context ?  
> 
> That someone related to the project claims that it isn't a security
> issue or cannot reproduce the issue.
> 
> Specifically for this CVE, see the discussion here:
> 
> https://github.com/erikd/libsndfile/issues/398

That's the kind of thing I assumed, but perhaps we need to add at least
this link next to the IGNORE_CVES line ?

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 2/5] package/libsndfile: annotate _IGNORE_CVES for the included security patches

[Peter Korsgaard]

>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:

 > On Wed, 19 Feb 2020 22:37:04 +0100
 > Peter Korsgaard <peter@korsgaard.com> wrote:

 >> > What does "disputed" means in this context ?  
 >> 
 >> That someone related to the project claims that it isn't a security
 >> issue or cannot reproduce the issue.
 >> 
 >> Specifically for this CVE, see the discussion here:
 >> 
 >> https://github.com/erikd/libsndfile/issues/398

 > That's the kind of thing I assumed, but perhaps we need to add at least
 > this link next to the IGNORE_CVES line ?

Do you think so? We don't really do it for the other things, E.G. we
simply claim that a specific patch fixes one or more CVEs, without
necessarily providing a lot of details besides the CVE identifier

From the CVE identifier you can then go and look up a bunch of these
things, E.G. on the Debian securitytracker or on the NVD website.

In a way, this is quite similar to how we claim specific licenses for a
package.

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 2/5] package/libsndfile: annotate _IGNORE_CVES for the included security patches

[Thomas Petazzoni]

On Wed, 19 Feb 2020 23:06:59 +0100
Peter Korsgaard <peter@korsgaard.com> wrote:

>  > That's the kind of thing I assumed, but perhaps we need to add at least
>  > this link next to the IGNORE_CVES line ?  
> 
> Do you think so? We don't really do it for the other things, E.G. we
> simply claim that a specific patch fixes one or more CVEs, without
> necessarily providing a lot of details besides the CVE identifier
> 
> From the CVE identifier you can then go and look up a bunch of these
> things, E.G. on the Debian securitytracker or on the NVD website.
> 
> In a way, this is quite similar to how we claim specific licenses for a
> package.

Well, it's not a strong opinion, but I believe:

# disputed, https://github.com/erikd/libsndfile/issues/398

doesn't cost much more than

# disputed

And it directly tells people reading this .mk file what we mean by
"disputed", together with the background information about it.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

[Buildroot] [PATCH 2/5] package/libsndfile: annotate _IGNORE_CVES for the included security patches

[Peter Korsgaard]

>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni@bootlin.com> writes:

Hi,

 >> Do you think so? We don't really do it for the other things, E.G. we
 >> simply claim that a specific patch fixes one or more CVEs, without
 >> necessarily providing a lot of details besides the CVE identifier
 >> 
 >> From the CVE identifier you can then go and look up a bunch of these
 >> things, E.G. on the Debian securitytracker or on the NVD website.
 >> 
 >> In a way, this is quite similar to how we claim specific licenses for a
 >> package.

 > Well, it's not a strong opinion, but I believe:

 > # disputed, https://github.com/erikd/libsndfile/issues/398

 > doesn't cost much more than

 > # disputed

 > And it directly tells people reading this .mk file what we mean by
 > "disputed", together with the background information about it.

Fine by me. Do notice that the CVE page directly has this info as well,
so just knowing the CVE identifer will get you to it very fast:

https://nvd.nist.gov/vuln/detail/CVE-2018-13419
https://security-tracker.debian.org/tracker/CVE-2018-13419

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 1/5] package/audiofile: annotate _IGNORE_CVES for the included security patches

[Peter Korsgaard]

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 2/5] package/libsndfile: annotate _IGNORE_CVES for the included security patches

[Peter Korsgaard]

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Also mark CVE-2018-13419 as disputed.
 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
 > ---
 >  package/libsndfile/libsndfile.mk | 11 +++++++++++
 >  1 file changed, 11 insertions(+)

 > diff --git a/package/libsndfile/libsndfile.mk b/package/libsndfile/libsndfile.mk
 > index 22909ffb62..4a375ab609 100644
 > --- a/package/libsndfile/libsndfile.mk
 > +++ b/package/libsndfile/libsndfile.mk
 > @@ -10,6 +10,17 @@ LIBSNDFILE_INSTALL_STAGING = YES
 >  LIBSNDFILE_LICENSE = LGPL-2.1+
 >  LIBSNDFILE_LICENSE_FILES = COPYING
 
 > +# 0001-double64_init-Check-psf-sf.channels-against-upper-bo.patch
 > +LIBSNDFILE_IGNORE_CVES += CVE-2017-14634
 > +# 0002-Check-MAX_CHANNELS-in-sndfile-deinterleave.patch
 > +LIBSNDFILE_IGNORE_CVES += CVE-2018-13139 CVE-2018-19432
 > +# 0003-a-ulaw-fix-multiple-buffer-overflows-432.patch
 > +LIBSNDFILE_IGNORE_CVES += \
 > +	CVE-2017-14245 CVE-2017-14246 CVE-2017-17456 CVE-2017-17457 \
 > +	CVE-2018-19661 CVE-2018-19662
 > +# disputed

Committed after adding the dispute link as suggested by Thomas, thanks.

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 3/5] package/libtomcrypt: annotate _IGNORE_CVES for the included security patches

[Peter Korsgaard]

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 5/5] package/ipsec-tools: annotate _IGNORE_CVES for the included security patches

[Peter Korsgaard]

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 4/5] package/vorbis-tools: annotate _IGNORE_CVES for the included security patches

[Peter Korsgaard]

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard