[Buildroot] [PATCH 1/1] package/rsync: annotate CVE-2017-16548

All of lore.kernel.org
 help / color / mirror / Atom feed

* [Buildroot] [PATCH 1/1] package/rsync: annotate CVE-2017-16548
@ 2020-03-01 19:27 Fabrice Fontaine
  2020-04-23 21:53 ` Thomas Petazzoni
  0 siblings, 1 reply; 6+ messages in thread
From: Fabrice Fontaine @ 2020-03-01 19:27 UTC (permalink / raw)
  To: buildroot

CVE-2017-165484 is misclassified (by our CVE tracker) as affecting
version 3.1.3, while in fact it affects 3.1.2 and 3.1.3-development

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/rsync/rsync.mk | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/package/rsync/rsync.mk b/package/rsync/rsync.mk
index 52875e428a..95d19a7f4c 100644
--- a/package/rsync/rsync.mk
+++ b/package/rsync/rsync.mk
@@ -13,6 +13,10 @@ RSYNC_CONF_OPTS = \
 	--with-included-zlib=no \
 	--with-included-popt=no
 
+# CVE-2017-165484 is misclassified (by our CVE tracker) as affecting version 3.1.3,
+# while in fact it affects 3.1.2 and 3.1.3-development
+RSYNC_IGNORE_CVES += CVE-2017-16548
+
 ifeq ($(BR2_PACKAGE_ACL),y)
 RSYNC_DEPENDENCIES += acl
 else
-- 
2.25.0

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [Buildroot] [PATCH 1/1] package/rsync: annotate CVE-2017-16548
  2020-03-01 19:27 [Buildroot] [PATCH 1/1] package/rsync: annotate CVE-2017-16548 Fabrice Fontaine
@ 2020-04-23 21:53 ` Thomas Petazzoni
  2020-04-24 14:36   ` Akshay Bhat
  0 siblings, 1 reply; 6+ messages in thread
From: Thomas Petazzoni @ 2020-04-23 21:53 UTC (permalink / raw)
  To: buildroot

Hello,

I'm adding in Cc: Matthew Weber and Akshay Bhat for the interaction
with NVD.

Also adding Titouan Christophe for the discussion about our script that
does the CVE checking.

On Sun,  1 Mar 2020 20:27:27 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> CVE-2017-165484 is misclassified (by our CVE tracker) as affecting
> version 3.1.3, while in fact it affects 3.1.2 and 3.1.3-development
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
>  package/rsync/rsync.mk | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/package/rsync/rsync.mk b/package/rsync/rsync.mk
> index 52875e428a..95d19a7f4c 100644
> --- a/package/rsync/rsync.mk
> +++ b/package/rsync/rsync.mk
> @@ -13,6 +13,10 @@ RSYNC_CONF_OPTS = \
>  	--with-included-zlib=no \
>  	--with-included-popt=no
>  
> +# CVE-2017-165484 is misclassified (by our CVE tracker) as affecting version 3.1.3,
> +# while in fact it affects 3.1.2 and 3.1.3-development
> +RSYNC_IGNORE_CVES += CVE-2017-16548

Indeed commit 47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1 which fixes this
CVE is part of the 3.1.3 release. This means the NVD database is wrong.

Instead of doing a workaround in Buildroot, can we report this to the
NVD maintainers ?

But now that I look at https://nvd.nist.gov/vuln/detail/CVE-2017-16548
I see that the affected versions are 3.1.2 and 3.1.3pre1. Even the
latter is not correct: the commit was merged before the 3.1.3pre1 tag.
In addition, I don't see this "pre1" information in the version
information available in the JSON in format 1.0 we use.

Perhaps the JSON in format 1.1 has more detailed information, and we
should switch to using JSON in format 1.1.

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Buildroot] [PATCH 1/1] package/rsync: annotate CVE-2017-16548
  2020-04-23 21:53 ` Thomas Petazzoni
@ 2020-04-24 14:36   ` Akshay Bhat
  2020-04-24 14:46     ` Thomas Petazzoni
  0 siblings, 1 reply; 6+ messages in thread
From: Akshay Bhat @ 2020-04-24 14:36 UTC (permalink / raw)
  To: buildroot

On Thu, Apr 23, 2020 at 5:53 PM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello,
>
> I'm adding in Cc: Matthew Weber and Akshay Bhat for the interaction
> with NVD.
>
> Also adding Titouan Christophe for the discussion about our script that
> does the CVE checking.
>
> On Sun,  1 Mar 2020 20:27:27 +0100
> Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:
>
> > CVE-2017-165484 is misclassified (by our CVE tracker) as affecting
> > version 3.1.3, while in fact it affects 3.1.2 and 3.1.3-development
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> > ---
> >  package/rsync/rsync.mk | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/package/rsync/rsync.mk b/package/rsync/rsync.mk
> > index 52875e428a..95d19a7f4c 100644
> > --- a/package/rsync/rsync.mk
> > +++ b/package/rsync/rsync.mk
> > @@ -13,6 +13,10 @@ RSYNC_CONF_OPTS = \
> >       --with-included-zlib=no \
> >       --with-included-popt=no
> >
> > +# CVE-2017-165484 is misclassified (by our CVE tracker) as affecting version 3.1.3,
> > +# while in fact it affects 3.1.2 and 3.1.3-development
> > +RSYNC_IGNORE_CVES += CVE-2017-16548
>
> Indeed commit 47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1 which fixes this
> CVE is part of the 3.1.3 release. This means the NVD database is wrong.
>
> Instead of doing a workaround in Buildroot, can we report this to the
> NVD maintainers ?


Thanks for finding this. I have sent the below information to NVD,
will post back once I hear more:
There is an error in the cpe version information for:
https://nvd.nist.gov/vuln/detail/CVE-2017-16548

The correct range should be:
From (excluding)
2.6.9
Up to (including)
3.1.2

Details:
Commit fixing the CVE:
https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1

Versions Containing fix:
$ git tag --contains 47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1
v3.1.3
v3.1.3pre1

Commit introducing the CVE:
$ git log --oneline --diff-filter=A -- xattrs.c
16edf865 The improved --xattrs option is landing on the trunk.
Version introducing the CVE (excluding):
$ git -c 'versionsort.suffix=pre' tag --no-contains 16edf8659
--sort=-version:refname |head -1
v2.6.9

Thanks,
Akshay

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Buildroot] [PATCH 1/1] package/rsync: annotate CVE-2017-16548
  2020-04-24 14:36   ` Akshay Bhat
@ 2020-04-24 14:46     ` Thomas Petazzoni
  2020-05-01 14:30       ` Akshay Bhat
  0 siblings, 1 reply; 6+ messages in thread
From: Thomas Petazzoni @ 2020-04-24 14:46 UTC (permalink / raw)
  To: buildroot

On Fri, 24 Apr 2020 10:36:02 -0400
Akshay Bhat <akshay.bhat@timesys.com> wrote:

> Thanks for finding this. I have sent the below information to NVD,
> will post back once I hear more:
> There is an error in the cpe version information for:
> https://nvd.nist.gov/vuln/detail/CVE-2017-16548

Wow, thanks a lot for sending this up to the NVD database maintainers!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Buildroot] [PATCH 1/1] package/rsync: annotate CVE-2017-16548
  2020-04-24 14:46     ` Thomas Petazzoni
@ 2020-05-01 14:30       ` Akshay Bhat
  2020-05-02  9:29         ` Thomas Petazzoni
  0 siblings, 1 reply; 6+ messages in thread
From: Akshay Bhat @ 2020-05-01 14:30 UTC (permalink / raw)
  To: buildroot

On Fri, Apr 24, 2020 at 10:46 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> On Fri, 24 Apr 2020 10:36:02 -0400
> Akshay Bhat <akshay.bhat@timesys.com> wrote:
>
> > Thanks for finding this. I have sent the below information to NVD,
> > will post back once I hear more:
> > There is an error in the cpe version information for:
> > https://nvd.nist.gov/vuln/detail/CVE-2017-16548
>
> Wow, thanks a lot for sending this up to the NVD database maintainers!

After a bit of back and forth with the NVD maintainers, the
information has finally been updated:
https://nvd.nist.gov/vuln/detail/CVE-2017-16548

Thanks,
Akshay

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [Buildroot] [PATCH 1/1] package/rsync: annotate CVE-2017-16548
  2020-05-01 14:30       ` Akshay Bhat
@ 2020-05-02  9:29         ` Thomas Petazzoni
  0 siblings, 0 replies; 6+ messages in thread
From: Thomas Petazzoni @ 2020-05-02  9:29 UTC (permalink / raw)
  To: buildroot

On Fri, 1 May 2020 10:30:26 -0400
Akshay Bhat <akshay.bhat@timesys.com> wrote:

> After a bit of back and forth with the NVD maintainers, the
> information has finally been updated:
> https://nvd.nist.gov/vuln/detail/CVE-2017-16548

Thanks a lot for this work!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2020-05-02  9:29 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-01 19:27 [Buildroot] [PATCH 1/1] package/rsync: annotate CVE-2017-16548 Fabrice Fontaine
2020-04-23 21:53 ` Thomas Petazzoni
2020-04-24 14:36   ` Akshay Bhat
2020-04-24 14:46     ` Thomas Petazzoni
2020-05-01 14:30       ` Akshay Bhat
2020-05-02  9:29         ` Thomas Petazzoni

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.