Re: [Buildroot] [PATCH 1/1] package/ffmpeg: ignore CVE-2021-38291

From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: Arnout Vandecappelle <arnout@mind.be>
Cc: Bernd Kuhls <bernd.kuhls@t-online.de>,
	Matthew Weber <Matthew.Weber@collins.com>,
	Mahyar Koshkouei <mahyar.koshkouei@gmail.com>,
	buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/ffmpeg: ignore CVE-2021-38291
Date: Mon, 1 Aug 2022 20:54:05 +0200	[thread overview]
Message-ID: <20220801205405.6e9a83a3@windsurf> (raw)
In-Reply-To: <83ec6649-bd17-46dc-ae6f-ec30063358c2@mind.be>

Hello,

On Mon, 1 Aug 2022 20:02:44 +0200
Arnout Vandecappelle <arnout@mind.be> wrote:

> >   FFMPEG_CPE_ID_VENDOR = ffmpeg
> > +# fixed in version 4.4.1  
> 
>   For this one, I went and checked, and it is the NVD that is wrong. It has 
> cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*
> 
>   So the proper approach here is to fix it in the NVD. I'm not actually sure how 
> to do that. Matt, Thomas, do you know?

Yes: send an e-mail to nvd@nist.gov.

Here is an example e-mail I sent:

========================================================
Hello,

CVE-2014-3675 is marked in the NVD database as affecting all versions
of cpe:2.3:a:redhat:shim:-:*:*:*:*:*:*:*. However, this CVE has been
fixed by upstream commit
https://github.com/rhboot/shim/commit/e253c2a2c07bc526de1528ed9839b2b584025fa2#diff-874c9b6e2bf4c63b0f0a443f612426773d76e4f09dd313fbe0ad3fd6d42c22d4, which has been part of shim releases since version 0.8.

The problematic code has been introduced in shim 0.3. To the affected
versions are all versions >= 0.3 and < 0.8.

Could this be addressed in the CVE-2014-3675 entry ?

Thanks a lot,

Thomas
========================================================

I had to provide more details later on such as:

========================================================
Your CVE-2014-3675 CVE report points to:

  https://www.openwall.com/lists/oss-security/2014/10/13/4

Which indicates:

"""
1. OOB read access when parsing DHCPv6 packets (remote DoS).
   The severity is low. (CVE-2014-3675)
2. Heap overflow when parsing IPv6 addresses provided by tftp:// DHCPv6
   boot option (RCE).
   The severity is low to medium, as secure boot via PXE6 should
   rarely be seen ITW. Furthermore UEFI firmware seems to fail
   to properly verify provided PXE images at the first place. (CVE-2014-3676)

For both issues above there is a patch proposal:

http://suse.com/~krahmer/priv/shim1.diff
"""

This patch is exactly commit
https://github.com/rhboot/shim/commit/e253c2a2c07bc526de1528ed9839b2b584025fa2
in upstream shim.

And based on the shim Git repository, we can check that commit
e253c2a2c07bc526de1528ed9839b2b584025fa2  was first part of the 0.8
release:

$ git describe --contains e253c2a2c07bc526de1528ed9839b2b584025fa2
0.8~5

This CVE, and the fix for it, is related to the netboot code in
netboot.c. This entire netboot.c code was introduced in upstream commit
d8e330b95368ce43da47e114eb1d699eedb18e57
(https://github.com/rhboot/shim/commit/d8e330b95368ce43da47e114eb1d699eedb18e57).

And this commit itself was first included in the 0.3 release:

$ git describe --contains d8e330b95368ce43da47e114eb1d699eedb18e57
0.3~34

So any version prior to 0.3 is not affected by this issue, as shim
simply did not have netboot support.

This reasoning applies to both CVE-2014-3675 and CVE-2014-3676.

So the affected versions are >= 0.3 and < 0.8.

Does this help ?

Thanks a lot,
========================================================

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot