* [Buildroot] [PATCH] package/ripgrep: ignore CVE-2021-3013 as Windows only
From: sam.voss @ 2021-09-30 3:52 UTC
To: buildroot; +Cc: Sam Voss
From: Sam Voss <sam.voss@gmail.com>
CVE-2021-3013 does not impact any buildroot versions of ripgrep as it is
a Windows-only exploit targeting ripgrep versions earlier than 13. It
can be safely ignored on our LTS branches.
Signed-off-by: Sam Voss <sam.voss@gmail.com>
---
Note: Please apply this patch to:
* 2021.02.x
* 2021.05.x
* 2021.08.x
Master currently has version 13, which does not report this CVE.
---
package/ripgrep/ripgrep.mk | 3 +++
1 file changed, 3 insertions(+)
diff --git a/package/ripgrep/ripgrep.mk b/package/ripgrep/ripgrep.mk
index 450bb020e3..8d0185595d 100644
--- a/package/ripgrep/ripgrep.mk
+++ b/package/ripgrep/ripgrep.mk
@@ -10,6 +10,9 @@ RIPGREP_LICENSE = MIT
RIPGREP_LICENSE_FILES = LICENSE-MIT
RIPGREP_CPE_ID_VENDOR = ripgrep_project
+# CVE only impacts ripgrep on Windows
+RIPGREP_IGNORE_CVES += CVE-2021-3013
+
RIPGREP_DEPENDENCIES = host-rustc
RIPGREP_CARGO_ENV = CARGO_HOME=$(HOST_DIR)/share/cargo \
__CARGO_TEST_CHANNEL_OVERRIDE_DO_NOT_USE_THIS="nightly" \
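Review bot: The added comment `# CVE only impacts ripgrep on Windows` states the rationale but gives no pointer a later auditor can check it against. Add a reference line under the comment (for instance the CVE's advisory URL) so the `RIPGREP_IGNORE_CVES` entry can be verified from ripgrep.mk alone.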
--
2.33.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH] package/ripgrep: ignore CVE-2021-3013 as Windows only
From: Yann E. MORIN @ 2021-10-03 20:19 UTC
To: sam.voss; +Cc: buildroot
Sam, All
On 2021-09-29 22:52 -0500, sam.voss@gmail.com spake thusly:
> From: Sam Voss <sam.voss@gmail.com>
>
> CVE-2021-3013 does not impact any buildroot versions of ripgrep as it is
> a Windows-only exploit targeting ripgrep versions earlier than 13. It
> can be safely ignored on our LTS branches.
>
> Signed-off-by: Sam Voss <sam.voss@gmail.com>
Applied to master, thanks.
I've just added a URL to the NVD for reference.
Regards,
Yann E. MORIN.
> ---
>
> Note: Please apply this patch to:
>
> * 2021.02.x
> * 2021.05.x
> * 2021.08.x
>
> Master currently has version 13, which does not report this CVE.
> ---
> package/ripgrep/ripgrep.mk | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/package/ripgrep/ripgrep.mk b/package/ripgrep/ripgrep.mk
> index 450bb020e3..8d0185595d 100644
> --- a/package/ripgrep/ripgrep.mk
> +++ b/package/ripgrep/ripgrep.mk
> @@ -10,6 +10,9 @@ RIPGREP_LICENSE = MIT
> RIPGREP_LICENSE_FILES = LICENSE-MIT
> RIPGREP_CPE_ID_VENDOR = ripgrep_project
>
> +# CVE only impacts ripgrep on Windows
> +RIPGREP_IGNORE_CVES += CVE-2021-3013
> +
> RIPGREP_DEPENDENCIES = host-rustc
> RIPGREP_CARGO_ENV = CARGO_HOME=$(HOST_DIR)/share/cargo \
> __CARGO_TEST_CHANNEL_OVERRIDE_DO_NOT_USE_THIS="nightly" \
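Review bot: `RIPGREP_IGNORE_CVES += CVE-2021-3013` is unconditional, and the comment above it does not carry the version bound given in the commit message (ripgrep versions earlier than 13). Since the submitter's note says master already has version 13 and does not report this CVE, state the bound in the comment so the entry is dropped at the next version bump rather than lingering.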
> --
> 2.33.0
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
* Re: [Buildroot] [PATCH] package/ripgrep: ignore CVE-2021-3013 as Windows only
From: Peter Korsgaard @ 2021-10-06 15:22 UTC
To: sam.voss; +Cc: buildroot
>>>>> "sam" == sam voss <sam.voss@gmail.com> writes:
> From: Sam Voss <sam.voss@gmail.com>
> CVE-2021-3013 does not impact any buildroot versions of ripgrep as it is
> a Windows-only exploit targeting ripgrep versions earlier than 13. It
> can be safely ignored on our LTS branches.
> Signed-off-by: Sam Voss <sam.voss@gmail.com>
> ---
> Note: Please apply this patch to:
> * 2021.02.x
> * 2021.05.x
> * 2021.08.x
> Master currently has version 13, which does not report this CVE.
Committed to 2021.02.x, 2021.05.x and 2021.08.x, thanks.
--
Bye, Peter Korsgaard