* [Buildroot] [PATCH 1/1] package/rsync: annotate CVE-2017-16548
@ 2020-03-01 19:27 Fabrice Fontaine
From: Fabrice Fontaine @ 2020-03-01 19:27 UTC (permalink / raw)
To: buildroot
CVE-2017-165484 is misclassified (by our CVE tracker) as affecting
version 3.1.3, while in fact it affects 3.1.2 and 3.1.3-development
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/rsync/rsync.mk | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/package/rsync/rsync.mk b/package/rsync/rsync.mk
index 52875e428a..95d19a7f4c 100644
--- a/package/rsync/rsync.mk
+++ b/package/rsync/rsync.mk
@@ -13,6 +13,10 @@ RSYNC_CONF_OPTS = \
--with-included-zlib=no \
--with-included-popt=no
+# CVE-2017-165484 is misclassified (by our CVE tracker) as affecting version 3.1.3,
+# while in fact it affects 3.1.2 and 3.1.3-development
+RSYNC_IGNORE_CVES += CVE-2017-16548
+
ifeq ($(BR2_PACKAGE_ACL),y)
RSYNC_DEPENDENCIES += acl
else
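Review bot: the comment added above the new RSYNC_IGNORE_CVES line cites "CVE-2017-165484" (an extra trailing digit) while the line itself ignores CVE-2017-16548, so the rationale will not be found by grepping for the real identifier; fix the id in the comment (the commit message carries the same typo). It would also help a future reader re-check the justification once NVD is corrected if the comment named what was verified, e.g. that the upstream fix is contained in the 3.1.3 release tag, rather than only stating that the tracker is wrong.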
--
2.25.0
* [Buildroot] [PATCH 1/1] package/rsync: annotate CVE-2017-16548
@ 2020-04-23 21:53 ` Thomas Petazzoni
From: Thomas Petazzoni @ 2020-04-23 21:53 UTC (permalink / raw)
To: buildroot
Hello,
I'm adding in Cc: Matthew Weber and Akshay Bhat for the interaction
with NVD.
Also adding Titouan Christophe for the discussion about our script that
does the CVE checking.
On Sun, 1 Mar 2020 20:27:27 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
> CVE-2017-165484 is misclassified (by our CVE tracker) as affecting
> version 3.1.3, while in fact it affects 3.1.2 and 3.1.3-development
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> package/rsync/rsync.mk | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/package/rsync/rsync.mk b/package/rsync/rsync.mk
> index 52875e428a..95d19a7f4c 100644
> --- a/package/rsync/rsync.mk
> +++ b/package/rsync/rsync.mk
> @@ -13,6 +13,10 @@ RSYNC_CONF_OPTS = \
> --with-included-zlib=no \
> --with-included-popt=no
>
> +# CVE-2017-165484 is misclassified (by our CVE tracker) as affecting version 3.1.3,
> +# while in fact it affects 3.1.2 and 3.1.3-development
> +RSYNC_IGNORE_CVES += CVE-2017-16548
Indeed commit 47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1 which fixes this
CVE is part of the 3.1.3 release. This means the NVD database is wrong.
Instead of doing a workaround in Buildroot, can we report this to the
NVD maintainers?
But now that I look at https://nvd.nist.gov/vuln/detail/CVE-2017-16548
I see that the affected versions are 3.1.2 and 3.1.3pre1. Even the
latter is not correct: the commit was merged before the 3.1.3pre1 tag.
In addition, I don't see this "pre1" information in the version
information available in the JSON in format 1.0 we use.
Perhaps the JSON in format 1.1 has more detailed information, and we
should switch to using JSON in format 1.1.
Thanks,
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH 1/1] package/rsync: annotate CVE-2017-16548
@ 2020-04-24 14:36 ` Akshay Bhat
From: Akshay Bhat @ 2020-04-24 14:36 UTC (permalink / raw)
To: buildroot
On Thu, Apr 23, 2020 at 5:53 PM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello,
>
> I'm adding in Cc: Matthew Weber and Akshay Bhat for the interaction
> with NVD.
>
> Also adding Titouan Christophe for the discussion about our script that
> does the CVE checking.
>
> On Sun, 1 Mar 2020 20:27:27 +0100
> Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
>
> > CVE-2017-165484 is misclassified (by our CVE tracker) as affecting
> > version 3.1.3, while in fact it affects 3.1.2 and 3.1.3-development
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> > ---
> > package/rsync/rsync.mk | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/package/rsync/rsync.mk b/package/rsync/rsync.mk
> > index 52875e428a..95d19a7f4c 100644
> > --- a/package/rsync/rsync.mk
> > +++ b/package/rsync/rsync.mk
> > @@ -13,6 +13,10 @@ RSYNC_CONF_OPTS = \
> > --with-included-zlib=no \
> > --with-included-popt=no
> >
> > +# CVE-2017-165484 is misclassified (by our CVE tracker) as affecting version 3.1.3,
> > +# while in fact it affects 3.1.2 and 3.1.3-development
> > +RSYNC_IGNORE_CVES += CVE-2017-16548
>
> Indeed commit 47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1 which fixes this
> CVE is part of the 3.1.3 release. This means the NVD database is wrong.
>
> Instead of doing a workaround in Buildroot, can we report this to the
> NVD maintainers ?
Thanks for finding this. I have sent the below information to NVD,
will post back once I hear more:
There is an error in the cpe version information for:
https://nvd.nist.gov/vuln/detail/CVE-2017-16548
The correct range should be:
From (excluding)
2.6.9
Up to (including)
3.1.2
Details:
Commit fixing the CVE:
https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1
Versions Containing fix:
$ git tag --contains 47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1
v3.1.3
v3.1.3pre1
Commit introducing the CVE:
$ git log --oneline --diff-filter=A -- xattrs.c
16edf865 The improved --xattrs option is landing on the trunk.
Version introducing the CVE (excluding):
$ git -c 'versionsort.suffix=pre' tag --no-contains 16edf8659 --sort=-version:refname | head -1
v2.6.9
Thanks,
Akshay
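A version-range check with pre-release-aware ordering, added here as an example (it is not Buildroot's own CVE-checking script): it applies NVD-style start/end bounds, once with the corrected range Akshay reported and once with the earlier, wrong upper bound, to the rsync versions discussed in this thread, treating 3.1.3pre1 as older than 3.1.3 the way `git -c versionsort.suffix=pre` does. The two range dictionaries are constructed for the example and only follow the key names the NVD JSON feeds use.

```python
import re

# Constructed NVD-style version-range entries (the keys are the ones the NVD
# JSON feeds use in a cpe_match node; the values are illustrative, built from
# the thread, not copied from the feed).
RANGE_BEFORE_FIX = {"versionStartExcluding": "2.6.9", "versionEndIncluding": "3.1.3"}
RANGE_AFTER_FIX = {"versionStartExcluding": "2.6.9", "versionEndIncluding": "3.1.2"}

_TOKEN_RE = re.compile(r"\d+|[A-Za-z]+")


def version_key(version):
    """Sort key that orders a pre-release before its final release, like
    'git -c versionsort.suffix=pre' does: 3.1.2 < 3.1.3pre1 < 3.1.3.
    Numeric tokens compare numerically; alphabetic tokens (pre, rc, ...)
    compare as strings and rank below the end-of-version sentinel."""
    tokens = _TOKEN_RE.findall(version.lstrip("v"))
    key = [(1, int(t)) if t.isdigit() else (0, t.lower()) for t in tokens]
    key.append((2, 0))  # sentinel: a bare release outranks any suffixed one
    return key


def affected(version, match):
    """True if `version` falls inside the NVD-style range in `match`.
    Bounds that are absent are treated as open, as in the NVD feeds."""
    k = version_key(version)
    bounds = (
        ("versionStartIncluding", lambda b: k >= b),
        ("versionStartExcluding", lambda b: k > b),
        ("versionEndIncluding", lambda b: k <= b),
        ("versionEndExcluding", lambda b: k < b),
    )
    return all(ok(version_key(match[name])) for name, ok in bounds if name in match)


def classify(versions, match):
    """Map each candidate version to its affected / not-affected verdict."""
    return {v: affected(v, match) for v in versions}


if __name__ == "__main__":
    candidates = ["2.6.9", "3.1.2", "3.1.3pre1", "3.1.3"]
    print("before NVD correction:", classify(candidates, RANGE_BEFORE_FIX))
    print("after NVD correction: ", classify(candidates, RANGE_AFTER_FIX))
```

With the wrong upper bound 3.1.3 is reported as affected, which is exactly the false positive the patch works around; with the corrected bound only 3.1.2 (and anything between 2.6.9 exclusive and 3.1.2) matches.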
* [Buildroot] [PATCH 1/1] package/rsync: annotate CVE-2017-16548
@ 2020-04-24 14:46 ` Thomas Petazzoni
From: Thomas Petazzoni @ 2020-04-24 14:46 UTC (permalink / raw)
To: buildroot
On Fri, 24 Apr 2020 10:36:02 -0400
Akshay Bhat <akshay.bhat@timesys.com> wrote:
> Thanks for finding this. I have sent the below information to NVD,
> will post back once I hear more:
> There is an error in the cpe version information for:
> https://nvd.nist.gov/vuln/detail/CVE-2017-16548
Wow, thanks a lot for sending this up to the NVD database maintainers!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* [Buildroot] [PATCH 1/1] package/rsync: annotate CVE-2017-16548
@ 2020-05-01 14:30 ` Akshay Bhat
From: Akshay Bhat @ 2020-05-01 14:30 UTC (permalink / raw)
To: buildroot
On Fri, Apr 24, 2020 at 10:46 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> On Fri, 24 Apr 2020 10:36:02 -0400
> Akshay Bhat <akshay.bhat@timesys.com> wrote:
>
> > Thanks for finding this. I have sent the below information to NVD,
> > will post back once I hear more:
> > There is an error in the cpe version information for:
> > https://nvd.nist.gov/vuln/detail/CVE-2017-16548
>
> Wow, thanks a lot for sending this up to the NVD database maintainers!
After a bit of back and forth with the NVD maintainers, the
information has finally been updated:
https://nvd.nist.gov/vuln/detail/CVE-2017-16548
Thanks,
Akshay
* [Buildroot] [PATCH 1/1] package/rsync: annotate CVE-2017-16548
@ 2020-05-02 9:29 ` Thomas Petazzoni
From: Thomas Petazzoni @ 2020-05-02 9:29 UTC (permalink / raw)
To: buildroot
On Fri, 1 May 2020 10:30:26 -0400
Akshay Bhat <akshay.bhat@timesys.com> wrote:
> After a bit of back and forth with the NVD maintainers, the
> information has finally been updated:
> https://nvd.nist.gov/vuln/detail/CVE-2017-16548
Thanks a lot for this work!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com