* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-07-12
From: Guillaume Bres @ 2020-07-17 13:01 UTC
To: buildroot

Thomas, all,

> Packages with CVEs
> ==================
>
> This is the list of packages for which a known CVE is affecting them,
> which means a security vulnerability exists for those packages.
>
> name    | CVE           | link
> --------+---------------+----------------------------------------------------------
> libnids | CVE-2010-0751 | https://security-tracker.debian.org/tracker/CVE-2010-0751
>

What are your views about this problem?
Indeed I am using this lib to be able to (cross)compile 'dsniff' library,
but I did not want to introduce 'dsniff' to buildroot.
Do you consider this a problem, knowing that only one package requires this
lib & it is currently not integrated to Buildroot and, in my opinion,
should remain as is,

thanks

Guillaume W. Bres
Software engineer
<guillaume.bressaix@gmail.com>

On Mon, 13 Jul 2020 at 09:42, Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:

> Hello,
>
> Packages with CVEs
> ==================
>
> This is the list of packages for which a known CVE is affecting them,
> which means a security vulnerability exists for those packages.
>
> name    | CVE           | link
> --------+---------------+----------------------------------------------------------
> libnids | CVE-2010-0751 | https://security-tracker.debian.org/tracker/CVE-2010-0751
>
> --
> http://autobuild.buildroot.net
>

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-07-12
From: Thomas Petazzoni @ 2020-07-17 15:37 UTC
To: buildroot

Hello,

+Matt in Cc. Matt, we detected an incorrect thing in the NVD database,
see below.

On Fri, 17 Jul 2020 15:01:26 +0200
Guillaume Bres <guillaume.bressaix@gmail.com> wrote:

> Indeed I am using this lib to be able to (cross)compile 'dsniff' library,
> but I did not want to introduce 'dsniff' to buildroot.
> Do you consider this a problem, knowing that only one package requires this
> lib & it is currently not integrated to Buildroot and, in my opinion,
> should remain as is,

There is a one line patch that Debian applied back in the days to fix
this vulnerability:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=576281;filename=CVE-2010-1144.patch;msg=5

However, this issue is fixed upstream in 1.24, as the code contains:

static void
ip_evictor(void)
{
  // fprintf(stderr, "ip_evict:numpack=%i\n", numpack);
  while (this_host && this_host->ip_frag_mem > IPFRAG_LOW_THRESH) {

This is consistent with the fact that Debian, which is packaging
version 1.24, no longer has the CVE patch.

This is even listed in the CHANGES file of the project:

v1.24 Mar 14 2010
- fixed another remotely triggerable NULL dereference in ip_fragment.c

The issue is that the NVD database entry for this CVE is wrong: it says
that version 1.24 is affected, while in fact it got fixed in 1.24. This
needs to be fixed in the NVD database. This libnids project
unfortunately doesn't have a publicly available version control system
with all the history, so it's not easy to say which versions are
affected, but at least versions prior to 1.24 are affected.

Matt: do you think we can get this to be fixed from the NVD database ?

In the mean time, in Buildroot I think we could add this CVE to
LIBNIDS_IGNORE_CVES, with a comment that says there's a bug in the NVD
database. You can send a patch that does that Guillaume if you want.

Thanks!

Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

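
The mismatch described in the message above, as an added example that is not part of the thread and is not Buildroot's code: a version-range matcher over constructed NVD-style records, showing why an inclusive upper bound of 1.24 flags the fixed release and how a per-package ignore list suppresses the report. The record layout, the helper names and the assumption that the package is at 1.24 are illustrative; only the CVE id, the package name and the 1.24 boundary come from the thread.

```python
import re

AFFECTED, NOT_AFFECTED, UNKNOWN = "affected", "not affected", "unknown"

# NVD-style bound keys mapped to the comparison each one implies.
BOUNDS = {
    "versionStartIncluding": lambda v, b: v >= b,
    "versionStartExcluding": lambda v, b: v > b,
    "versionEndIncluding": lambda v, b: v <= b,
    "versionEndExcluding": lambda v, b: v < b,
}

def parse_version(text):
    """Dotted numeric version -> tuple of ints; None if it cannot be ordered."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def match_range(version, rng):
    """Classify one package version against one range entry."""
    v = parse_version(version)
    if v is None:
        return UNKNOWN
    for key, holds in BOUNDS.items():
        if key not in rng:
            continue
        bound = parse_version(rng[key])
        if bound is None:
            return UNKNOWN
        if not holds(v, bound):
            return NOT_AFFECTED
    return AFFECTED

def report(packages, cves):
    """Return (package, cve_id, state) for every entry a scan would list."""
    findings = []
    for name, pkg in sorted(packages.items()):
        for cve in cves:
            if cve["product"] != name:
                continue
            if cve["id"] in pkg.get("ignore_cves", ()):
                continue  # suppressed by the per-package ignore list
            states = {match_range(pkg["version"], r) for r in cve["ranges"]}
            if AFFECTED in states:
                findings.append((name, cve["id"], AFFECTED))
            elif UNKNOWN in states:
                # Cannot prove the version is outside the range: keep it visible.
                findings.append((name, cve["id"], UNKNOWN))
    return findings

# Constructed records (assumption): one way a database entry could encode
# "1.24 is affected" versus "fixed in 1.24".
AS_PUBLISHED = [{"id": "CVE-2010-0751", "product": "libnids",
                 "ranges": [{"versionEndIncluding": "1.24"}]}]
CORRECTED = [{"id": "CVE-2010-0751", "product": "libnids",
              "ranges": [{"versionEndExcluding": "1.24"}]}]

if __name__ == "__main__":
    pkgs = {"libnids": {"version": "1.24"}}  # assumed packaged version
    print("as published:", report(pkgs, AS_PUBLISHED))
    print("corrected:   ", report(pkgs, CORRECTED))
```

In this sketch the ignore list is not version-aware, so it keeps suppressing the entry even if the package is moved back to a release before 1.24; recording the reason next to each ignored CVE makes that easier to catch in review.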
* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-07-12
From: Matthew Weber @ 2020-07-17 15:45 UTC
To: buildroot

Thomas, Daniel,

On Fri, Jul 17, 2020 at 10:39 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello,
>
> +Matt in Cc. Matt, we detected an incorrect thing in the NVD database,
> see below.
>
> On Fri, 17 Jul 2020 15:01:26 +0200
> Guillaume Bres <guillaume.bressaix@gmail.com> wrote:
>
> > Indeed I am using this lib to be able to (cross)compile 'dsniff' library,
> > but I did not want to introduce 'dsniff' to buildroot.
> > Do you consider this a problem, knowing that only one package requires this
> > lib & it is currently not integrated to Buildroot and, in my opinion,
> > should remain as is,
>
> There is a one line patch that Debian applied back in the days to fix
> this vulnerability:
>
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=576281;filename=CVE-2010-1144.patch;msg=5
>
> However, this issue is fixed upstream in 1.24, as the code contains:
>
> static void
> ip_evictor(void)
> {
>   // fprintf(stderr, "ip_evict:numpack=%i\n", numpack);
>   while (this_host && this_host->ip_frag_mem > IPFRAG_LOW_THRESH) {
>
> This is consistent with the fact that Debian, which is packaging
> version 1.24, no longer has the CVE patch.
>
> This is even listed in the CHANGES file of the project:
>
> v1.24 Mar 14 2010
> - fixed another remotely triggerable NULL dereference in ip_fragment.c
>
> The issue is that the NVD database entry for this CVE is wrong: it says
> that version 1.24 is affected, while in fact it got fixed in 1.24. This
> needs to be fixed in the NVD database. This libnids project
> unfortunately doesn't have a publicly available version control system
> with all the history, so it's not easy to say which versions are
> affected, but at least versions prior to 1.24 are affected.
>
> Matt: do you think we can get this to be fixed from the NVD database ?
>

We should be able to. Daniel, what is the current process for sending
a requested CVE version mapping update?

Guillaume, thanks for looking at this.

Regards,
Matt

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-07-12
From: Matthew Weber @ 2020-07-17 15:46 UTC
To: buildroot

+Daniel Riechers

On Fri, Jul 17, 2020 at 10:45 AM Matthew Weber
<matthew.weber@rockwellcollins.com> wrote:
>
> Thomas, Daniel,
>
> On Fri, Jul 17, 2020 at 10:39 AM Thomas Petazzoni
> <thomas.petazzoni@bootlin.com> wrote:
> >
> > Hello,
> >
> > +Matt in Cc. Matt, we detected an incorrect thing in the NVD database,
> > see below.
> >
> > On Fri, 17 Jul 2020 15:01:26 +0200
> > Guillaume Bres <guillaume.bressaix@gmail.com> wrote:
> >
> > > Indeed I am using this lib to be able to (cross)compile 'dsniff' library,
> > > but I did not want to introduce 'dsniff' to buildroot.
> > > Do you consider this a problem, knowing that only one package requires this
> > > lib & it is currently not integrated to Buildroot and, in my opinion,
> > > should remain as is,
> >
> > There is a one line patch that Debian applied back in the days to fix
> > this vulnerability:
> >
> >   https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=576281;filename=CVE-2010-1144.patch;msg=5
> >
> > However, this issue is fixed upstream in 1.24, as the code contains:
> >
> > static void
> > ip_evictor(void)
> > {
> >   // fprintf(stderr, "ip_evict:numpack=%i\n", numpack);
> >   while (this_host && this_host->ip_frag_mem > IPFRAG_LOW_THRESH) {
> >
> > This is consistent with the fact that Debian, which is packaging
> > version 1.24, no longer has the CVE patch.
> >
> > This is even listed in the CHANGES file of the project:
> >
> > v1.24 Mar 14 2010
> > - fixed another remotely triggerable NULL dereference in ip_fragment.c
> >
> > The issue is that the NVD database entry for this CVE is wrong: it says
> > that version 1.24 is affected, while in fact it got fixed in 1.24. This
> > needs to be fixed in the NVD database. This libnids project
> > unfortunately doesn't have a publicly available version control system
> > with all the history, so it's not easy to say which versions are
> > affected, but at least versions prior to 1.24 are affected.
> >
> > Matt: do you think we can get this to be fixed from the NVD database ?
> >
>
> We should be able to. Daniel, what is the current process for sending
> a requested CVE version mapping update?
>
> Guillaume, thanks for looking at this.
>
> Regards,
> Matt

--
Matthew Weber | Associate Director Software Engineer | Commercial Avionics
COLLINS AEROSPACE

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-07-12
From: Matthew Weber @ 2020-07-21 15:13 UTC
To: buildroot

Thomas / Guillaume

On Fri, Jul 17, 2020 at 10:39 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello,
>
> +Matt in Cc. Matt, we detected an incorrect thing in the NVD database,
> see below.
>
> On Fri, 17 Jul 2020 15:01:26 +0200
> Guillaume Bres <guillaume.bressaix@gmail.com> wrote:
>
> > Indeed I am using this lib to be able to (cross)compile 'dsniff' library,
> > but I did not want to introduce 'dsniff' to buildroot.
> > Do you consider this a problem, knowing that only one package requires this
> > lib & it is currently not integrated to Buildroot and, in my opinion,
> > should remain as is,
>
> There is a one line patch that Debian applied back in the days to fix
> this vulnerability:
>
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=576281;filename=CVE-2010-1144.patch;msg=5
>
> However, this issue is fixed upstream in 1.24, as the code contains:
>
> static void
> ip_evictor(void)
> {
>   // fprintf(stderr, "ip_evict:numpack=%i\n", numpack);
>   while (this_host && this_host->ip_frag_mem > IPFRAG_LOW_THRESH) {
>
> This is consistent with the fact that Debian, which is packaging
> version 1.24, no longer has the CVE patch.
>
> This is even listed in the CHANGES file of the project:
>
> v1.24 Mar 14 2010
> - fixed another remotely triggerable NULL dereference in ip_fragment.c
>
> The issue is that the NVD database entry for this CVE is wrong: it says
> that version 1.24 is affected, while in fact it got fixed in 1.24. This
> needs to be fixed in the NVD database. This libnids project
> unfortunately doesn't have a publicly available version control system
> with all the history, so it's not easy to say which versions are
> affected, but at least versions prior to 1.24 are affected.
>
> Matt: do you think we can get this to be fixed from the NVD database ?
>

I've submitted the following request to fix this

1) Navigated to https://cveform.mitre.org/
2) "Select a request type" as "Request and update to an existing CVE Entry"
3) "Type of update requested" as "Update Description"
4) "CVE ID to be updated" as 2010-0751
5) "Description" as "We've found that the v1.24 fixes the CVE and all
prior versions contain the bug. The CVE currently lists that 1.24 is
still vulnerable. This can be proved by checking the CHANGES file
within the source archive
(https://sourceforge.net/projects/libnids/files/libnids/1.24/libnids-1.24.tar.gz/download)
that outlines this ("fixed another remotely triggerable NULL
dereference in ip_fragment.c") comment. Also within that archive the
source code src/ip_fragment on line 378 has the fix
(https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=576281;filename=CVE-2010-1144.patch;msg=5)
(NOTE 2010-1144 is a rejected CVE which was split to include
2010-0751)."

Thomas, do you think it would be beneficial to add a section with
these notes in the manual?

Best Regards,
Matt

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-07-12
From: Thomas Petazzoni @ 2020-07-21 15:23 UTC
To: buildroot

Hello Matt,

On Tue, 21 Jul 2020 10:13:03 -0500
Matthew Weber <matthew.weber@collins.com> wrote:

> I've submitted the following request to fix this
>
> 1) Navigated to https://cveform.mitre.org/
> 2) "Select a request type" as "Request and update to an existing CVE Entry"
> 3) "Type of update requested" as "Update Description"
> 4) "CVE ID to be updated" as 2010-0751
> 5) "Description" as "We've found that the v1.24 fixes the CVE and all
> prior versions contain the bug. The CVE currently lists that 1.24 is
> still vulnerable. This can be proved by checking the CHANGES file
> within the source archive
> (https://sourceforge.net/projects/libnids/files/libnids/1.24/libnids-1.24.tar.gz/download)
> that outlines this ("fixed another remotely triggerable NULL
> dereference in ip_fragment.c") comment. Also within that archive the
> source code src/ip_fragment on line 378 has the fix
> (https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=576281;filename=CVE-2010-1144.patch;msg=5)
> (NOTE 2010-1144 is a rejected CVE which was split to include
> 2010-0751)."

Thanks for doing this !

> Thomas, do you think it would be beneficial to add a section with
> these notes in the manual?

Reading your e-mail, I was precisely thinking "it would be great to
write this down somewhere". I don't know if the manual is the right
place though, as it is really for Buildroot maintainers/developers.
Would the Wiki be a better location ?

Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-07-12
From: Matthew Weber @ 2020-07-21 15:30 UTC
To: buildroot

Thomas,

On Tue, Jul 21, 2020 at 10:27 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello Matt,
>
> On Tue, 21 Jul 2020 10:13:03 -0500
> Matthew Weber <matthew.weber@collins.com> wrote:
>
> > I've submitted the following request to fix this
> >
> > 1) Navigated to https://cveform.mitre.org/
> > 2) "Select a request type" as "Request and update to an existing CVE Entry"
> > 3) "Type of update requested" as "Update Description"
> > 4) "CVE ID to be updated" as 2010-0751
> > 5) "Description" as "We've found that the v1.24 fixes the CVE and all
> > prior versions contain the bug. The CVE currently lists that 1.24 is
> > still vulnerable. This can be proved by checking the CHANGES file
> > within the source archive
> > (https://sourceforge.net/projects/libnids/files/libnids/1.24/libnids-1.24.tar.gz/download)
> > that outlines this ("fixed another remotely triggerable NULL
> > dereference in ip_fragment.c") comment. Also within that archive the
> > source code src/ip_fragment on line 378 has the fix
> > (https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=576281;filename=CVE-2010-1144.patch;msg=5)
> > (NOTE 2010-1144 is a rejected CVE which was split to include
> > 2010-0751)."
>
> Thanks for doing this !
>
> > Thomas, do you think it would be beneficial to add a section with
> > these notes in the manual?
>
> Reading your e-mail, I was precisely thinking "it would be great to
> write this down somewhere". I don't know if the manual is the right
> place though, as it is really for Buildroot maintainers/developers.
> Would the Wiki be a better location ?

Ah, yeah that could work. I was looking at making a subsection under
"21.6. Reporting issues/bugs or getting help" if we do add it in the
manual. There are going to be cases where a Buildroot CVE report
misreports because of our scripts, plus the case of an actual
dictionary bug.

Maybe we start on the wiki?

Regards,
Matt

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-07-12
From: Thomas Petazzoni @ 2020-07-21 15:53 UTC
To: buildroot

On Tue, 21 Jul 2020 10:30:34 -0500
Matthew Weber <matthew.weber@collins.com> wrote:

> Ah, yeah that could work. I was looking at making a subsection under
> "21.6. Reporting issues/bugs or getting help" if we do add it in the
> manual. There are going to be cases where a Buildroot CVE report
> misreports because of our scripts, plus the case of an actual
> dictionary bug.

I think section 21.6 is really more oriented towards end users of
Buildroot, and explains how they should get back to us to report
issues/bugs.

The topic of how to notify NVD maintainers of invalid CVEs is really
advanced, and mainly a Buildroot maintainer/developer topic.

> Maybe we start on the wiki?

Yes, I would say yes. Perhaps start a page related to security/CVE
tracking in Buildroot.

Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-07-12
From: Matthew Weber @ 2020-07-21 16:00 UTC
To: buildroot

On Tue, Jul 21, 2020 at 10:55 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> On Tue, 21 Jul 2020 10:30:34 -0500
> Matthew Weber <matthew.weber@collins.com> wrote:
>
> > Ah, yeah that could work. I was looking at making a subsection under
> > "21.6. Reporting issues/bugs or getting help" if we do add it in the
> > manual. There are going to be cases where a Buildroot CVE report
> > misreports because of our scripts, plus the case of an actual
> > dictionary bug.
>
> I think section 21.6 is really more oriented towards end users of
> Buildroot, and explains how they should get back to us to report
> issues/bugs.
>
> The topic of how to notify NVD maintainers of invalid CVEs is really
> advanced, and mainly a Buildroot maintainer/developer topic.
>
> > Maybe we start on the wiki?
>
> Yes, I would say yes. Perhaps start a page related to security/CVE
> tracking in Buildroot.

On the main page I've added "Security Vulnerability Management" under
https://elinux.org/Buildroot#Important_links . I took a quick first
cut at pkgstats and developer email info as well

Regards,
Matt

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-07-12
From: Thomas Petazzoni @ 2020-07-21 17:28 UTC
To: buildroot

On Tue, 21 Jul 2020 11:00:58 -0500
Matthew Weber <matthew.weber@collins.com> wrote:

> On the main page I've added "Security Vulnerability Management" under
> https://elinux.org/Buildroot#Important_links . I took a quick first
> cut at pkgstats and developer email info as well

Thanks, looks good!

Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com