* [Buildroot] [PATCH 01/10] package/bind: ignore CVE-2017-3139
From: Matt Weber @ 2021-04-21 20:42 UTC
To: buildroot
This CVE is only relevant to the configuration of a specific
RHEL release (6.x).
https://bugzilla.redhat.com/show_bug.cgi?id=1447743
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
package/bind/bind.mk | 2 ++
1 file changed, 2 insertions(+)
diff --git a/package/bind/bind.mk b/package/bind/bind.mk
index 8e8896f3cc..d1a992b66e 100644
--- a/package/bind/bind.mk
+++ b/package/bind/bind.mk
@@ -13,6 +13,8 @@ BIND_CONFIG_SCRIPTS = bind9-config isc-config.sh
BIND_LICENSE = MPL-2.0
BIND_LICENSE_FILES = COPYRIGHT
BIND_CPE_ID_VENDOR = isc
+# Only applies to RHEL6.x with DNSSEC validation on
+BIND_IGNORE_CVES = CVE-2017-3139
BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage
BIND_TARGET_SERVER_SBIN += dnssec-importkey dnssec-keygen dnssec-revoke
BIND_TARGET_SERVER_SBIN += dnssec-settime dnssec-verify genrandom
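Review bot: the justification in `+# Only applies to RHEL6.x with DNSSEC validation on` states a conclusion without the evidence; the commit message's Red Hat bugzilla link (https://bugzilla.redhat.com/show_bug.cgi?id=1447743) is what the next maintainer needs when bind is bumped or the NVD entry changes, so carry the URL into the comment. It is also worth saying in the comment that this is a Red Hat downstream configuration that Buildroot's bind never has, so that the unconditional ignore is clearly intentional rather than an oversight.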
--
2.17.1
* [Buildroot] [PATCH 02/10] package/coreutils: ignore CVE-2013-0221, CVE-2013-0222, CVE-2013-0223
From: Matt Weber @ 2021-04-21 20:42 UTC
To: buildroot
This CVE is only relevant to a build when the SUSE coreutils-i18n.patch
is included. The upstream codebase does not include this patch, nor
does Buildroot.
https://security-tracker.debian.org/tracker/CVE-2013-0221
https://security-tracker.debian.org/tracker/CVE-2013-0222
https://security-tracker.debian.org/tracker/CVE-2013-0223
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
package/coreutils/coreutils.mk | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/package/coreutils/coreutils.mk b/package/coreutils/coreutils.mk
index 0e75cdfcda..65234a113e 100644
--- a/package/coreutils/coreutils.mk
+++ b/package/coreutils/coreutils.mk
@@ -10,6 +10,10 @@ COREUTILS_SOURCE = coreutils-$(COREUTILS_VERSION).tar.xz
COREUTILS_LICENSE = GPL-3.0+
COREUTILS_LICENSE_FILES = COPYING
COREUTILS_CPE_ID_VENDOR = gnu
+# Only when including SUSE coreutils-i18n.patch
+COREUTILS_IGNORE_CVES = CVE-2013-0221
+COREUTILS_IGNORE_CVES += CVE-2013-0222
+COREUTILS_IGNORE_CVES += CVE-2013-0223
# We're patching m4/pthread-cond.m4
COREUTILS_AUTORECONF = YES
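Review bot: one rationale, three ids: collapse `+COREUTILS_IGNORE_CVES = CVE-2013-0221` and the two `+=` lines into `COREUTILS_IGNORE_CVES = CVE-2013-0221 CVE-2013-0222 CVE-2013-0223` so the comment and everything it justifies stay on adjacent lines. The comment should also spell out what the commit message says and the .mk does not: the SUSE coreutils-i18n.patch is applied neither upstream nor by Buildroot, so the affected code never exists in this build; as written, `Only when including SUSE coreutils-i18n.patch` reads as if the patch were something Buildroot might optionally include.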
--
2.17.1
* [Buildroot] [PATCH 02/10] package/coreutils: ignore CVE-2013-0221, CVE-2013-0222, CVE-2013-0223
From: Peter Korsgaard @ 2021-04-26 19:15 UTC
To: buildroot
>>>>> "Matt" == Matt Weber <matthew.weber@rockwellcollins.com> writes:
> This CVE is only relevant to a build when the SUSE coreutils-i18n.patch
> is included. The upstream codebase does not include this patch, nor
> does Buildroot.
> https://security-tracker.debian.org/tracker/CVE-2013-0221
> https://security-tracker.debian.org/tracker/CVE-2013-0222
> https://security-tracker.debian.org/tracker/CVE-2013-0223
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
> ---
> package/coreutils/coreutils.mk | 4 ++++
> 1 file changed, 4 insertions(+)
> diff --git a/package/coreutils/coreutils.mk b/package/coreutils/coreutils.mk
> index 0e75cdfcda..65234a113e 100644
> --- a/package/coreutils/coreutils.mk
> +++ b/package/coreutils/coreutils.mk
> @@ -10,6 +10,10 @@ COREUTILS_SOURCE = coreutils-$(COREUTILS_VERSION).tar.xz
> COREUTILS_LICENSE = GPL-3.0+
> COREUTILS_LICENSE_FILES = COPYING
> COREUTILS_CPE_ID_VENDOR = gnu
> +# Only when including SUSE coreutils-i18n.patch
> +COREUTILS_IGNORE_CVES = CVE-2013-0221
> +COREUTILS_IGNORE_CVES += CVE-2013-0222
> +COREUTILS_IGNORE_CVES += CVE-2013-0223
NIT: There is no problem having multiple CVE's on the same line:
COREUTILS_IGNORE_CVES += CVE-2013-0221 CVE-2013-0222 CVE-2013-0223
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH 03/10] package/bind: ignore CVE-2019-6470
From: Matt Weber @ 2021-04-21 20:42 UTC
To: buildroot
There had existed in one of the ISC BIND libraries a bug in a
function that was used by dhcpd when operating in DHCPv6 mode.
There was also a bug in dhcpd relating to the use of this function
per its documentation, but the bug in the library function
prevented this from causing any harm. All releases of dhcpd from
ISC contain copies of this, and other, BIND libraries in
combinations that have been tested prior to release and are known
to not present issues like this.
Affects: Builds of dhcpd versions prior to version 4.4.1 when
using BIND versions 9.11.2 or later.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6470
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
package/bind/bind.mk | 2 ++
1 file changed, 2 insertions(+)
diff --git a/package/bind/bind.mk b/package/bind/bind.mk
index d1a992b66e..39c30dab6b 100644
--- a/package/bind/bind.mk
+++ b/package/bind/bind.mk
@@ -15,6 +15,8 @@ BIND_LICENSE_FILES = COPYRIGHT
BIND_CPE_ID_VENDOR = isc
# Only applies to RHEL6.x with DNSSEC validation on
BIND_IGNORE_CVES = CVE-2017-3139
+# Library CVE and not used by bind but used by ISC DHCP
+BIND_IGNORE_CVES += CVE-2019-6470
BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage
BIND_TARGET_SERVER_SBIN += dnssec-importkey dnssec-keygen dnssec-revoke
BIND_TARGET_SERVER_SBIN += dnssec-settime dnssec-verify genrandom
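Review bot: `+# Library CVE and not used by bind but used by ISC DHCP` reads awkwardly and drops the scoping the commit message gives (affected: dhcpd < 4.4.1 built against BIND >= 9.11.2, with dhcpd bundling its own copies of the BIND libraries). Reword to something like `# Affects ISC dhcpd < 4.4.1 built against BIND >= 9.11.2 through its bundled BIND library; named itself is not affected`, and say in the commit message that ignoring the CVE on bind is only sound if the dhcp package is checked for this CVE on its own, since a bind-side ignore must not be the reason it stops being reported for dhcpd.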
--
2.17.1
* [Buildroot] [PATCH 04/10] package/cmake: ignore CVE-2016-10642
From: Matt Weber @ 2021-04-21 20:42 UTC
To: buildroot
This is specific to the npm package that installs cmake, so isn't
relevant to Buildroot.
https://github.com/openembedded/openembedded-core/blob/14241ed09f9ed317045cf75a6d08416d3579bb8d/meta/recipes-devtools/cmake/cmake.inc
https://nvd.nist.gov/vuln/detail/CVE-2016-10642#vulnCurrentDescriptionTitle
"cmake installs the cmake x86 linux binaries. cmake downloads
binary resources over HTTP, which leaves it vulnerable to
MITM attacks. It may be possible to cause remote code
execution (RCE) by swapping out the requested binary with
an attacker controlled binary if the attacker is on the
network or positioned in between the user and the remote server."
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
package/cmake/cmake.mk | 2 ++
1 file changed, 2 insertions(+)
diff --git a/package/cmake/cmake.mk b/package/cmake/cmake.mk
index a3015fabfd..90fe868fa5 100644
--- a/package/cmake/cmake.mk
+++ b/package/cmake/cmake.mk
@@ -10,6 +10,8 @@ CMAKE_SITE = https://cmake.org/files/v$(CMAKE_VERSION_MAJOR)
CMAKE_LICENSE = BSD-3-Clause
CMAKE_LICENSE_FILES = Copyright.txt
CMAKE_CPE_ID_VENDOR = cmake_project
+# Tool download MITM attack warning if using npm package to install cmake
+CMAKE_IGNORE_CVES = CVE-2016-10642
# CMake is a particular package:
# * CMake can be built using the generic infrastructure or the cmake one.
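Review bot: `+# Tool download MITM attack warning if using npm package to install cmake` is hard to parse; say directly what the CVE text quoted in the commit message establishes, e.g. `# CVE-2016-10642 concerns the npm "cmake" wrapper package fetching prebuilt binaries over HTTP, not CMake itself`. Since the match presumably comes from the `CMAKE_CPE_ID_VENDOR = cmake_project` line just above, the commit message could add that the CPE id is what is too broad for this CVE, which is the kind of thing the upstream NVD fixes mentioned in the cover letter would address and would make the ignore removable later.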
--
2.17.1
* [Buildroot] [PATCH 05/10] package/flex: ignore CVE-2019-6293
From: Matt Weber @ 2021-04-21 20:42 UTC
To: buildroot
https://security-tracker.debian.org/tracker/CVE-2019-6293
https://github.com/NixOS/nixpkgs/issues/55386#issuecomment-683792976
"But this bug does not cause stack overflows in the generated code.
The function and file referred to in the bug (mark_beginning_as_normal
in nfa.c) are part of the flex code generator, not part of the
generated code. If flex crashes before generating any code, that
can hardly be a vulnerability. If flex does not crash, the generated
code is fine (or perhaps subject to other unreported bugs, who knows,
but the NFA has been generated correctly)."
Upstream has chosen to not provide a fix
https://github.com/microsoft/CBL-Mariner/pull/312
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
package/flex/flex.mk | 3 +++
1 file changed, 3 insertions(+)
diff --git a/package/flex/flex.mk b/package/flex/flex.mk
index 2d00969662..85da5ddae8 100644
--- a/package/flex/flex.mk
+++ b/package/flex/flex.mk
@@ -10,6 +10,9 @@ FLEX_INSTALL_STAGING = YES
FLEX_LICENSE = FLEX
FLEX_LICENSE_FILES = COPYING
FLEX_CPE_ID_VENDOR = flex_project
+# bug does not cause stack overflows in the generated code and has been
+# noted upstream as a bug in the code generator
+FLEX_IGNORE_CVES = CVE-2019-6293
FLEX_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES) host-m4
HOST_FLEX_DEPENDENCIES = host-m4
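Review bot: the comment says the issue `has been noted upstream as a bug in the code generator`, but the commit message only cites a nixpkgs issue comment and a CBL-Mariner pull request, neither of which is flex upstream; the follow-up in this thread switched to https://github.com/westes/flex/issues/414, and that is the URL the comment should carry so the claim can be rechecked. It would also help to state why a generator crash is not a target vulnerability in this build: flex runs on the build host (see `HOST_FLEX_DEPENDENCIES` in the context here) over Buildroot's own .l inputs, and the generated scanner is unaffected, so the worst case is a failed build rather than a flaw shipped to the target.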
--
2.17.1
* [Buildroot] [PATCH 06/10] package/hostapd: ignore CVE-2021-30004 when using openssl
From: Matt Weber @ 2021-04-21 20:42 UTC
To: buildroot
The CVE can be ignored when the internal TLS impl isn't used.
https://security-tracker.debian.org/tracker/CVE-2021-30004
"Issue only affects the "internal" TLS implementation
(CONFIG_TLS=internal)"
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
package/hostapd/hostapd.mk | 2 ++
1 file changed, 2 insertions(+)
diff --git a/package/hostapd/hostapd.mk b/package/hostapd/hostapd.mk
index efeefd8b35..2995545d18 100644
--- a/package/hostapd/hostapd.mk
+++ b/package/hostapd/hostapd.mk
@@ -38,6 +38,8 @@ ifeq ($(BR2_PACKAGE_LIBOPENSSL),y)
HOSTAPD_DEPENDENCIES += host-pkgconf libopenssl
HOSTAPD_LIBS += `$(PKG_CONFIG_HOST_BINARY) --libs openssl`
HOSTAPD_CONFIG_EDITS += 's/\#\(CONFIG_TLS=openssl\)/\1/'
+# Issue only affects the "internal" TLS implementation
+HOSTAPD_IGNORE_CVES += CVE-2021-30004
else
HOSTAPD_CONFIG_DISABLE += CONFIG_EAP_PWD CONFIG_EAP_TEAP
HOSTAPD_CONFIG_EDITS += 's/\#\(CONFIG_TLS=\).*/\1internal/'
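Review bot: scoping `+HOSTAPD_IGNORE_CVES += CVE-2021-30004` to the `ifeq ($(BR2_PACKAGE_LIBOPENSSL),y)` branch is correct, because the `else` branch below rewrites the config to `CONFIG_TLS=internal`, which is exactly the affected implementation, and the CVE must keep being reported there. Make that explicit in the comment (for instance `# ... still reported when CONFIG_TLS=internal is selected below`) so nobody later hoists the line above the conditional, and note in the commit message that this narrows the report rather than fixing anything for the internal-TLS configuration.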
--
2.17.1
* [Buildroot] [PATCH 07/10] package/wpa_supplicant: ignore CVE-2021-30004 when using openssl
From: Matt Weber @ 2021-04-21 20:42 UTC
To: buildroot
The CVE can be ignored when the internal TLS impl isn't used.
https://security-tracker.debian.org/tracker/CVE-2021-30004
"Issue only affects the "internal" TLS implementation
(CONFIG_TLS=internal)"
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
package/wpa_supplicant/wpa_supplicant.mk | 2 ++
1 file changed, 2 insertions(+)
diff --git a/package/wpa_supplicant/wpa_supplicant.mk b/package/wpa_supplicant/wpa_supplicant.mk
index 356ea91828..f59832645f 100644
--- a/package/wpa_supplicant/wpa_supplicant.mk
+++ b/package/wpa_supplicant/wpa_supplicant.mk
@@ -132,6 +132,8 @@ ifeq ($(BR2_PACKAGE_LIBOPENSSL),y)
WPA_SUPPLICANT_DEPENDENCIES += host-pkgconf libopenssl
WPA_SUPPLICANT_LIBS += `$(PKG_CONFIG_HOST_BINARY) --libs openssl`
WPA_SUPPLICANT_CONFIG_EDITS += 's/\#\(CONFIG_TLS=openssl\)/\1/'
+# Issue only affects the "internal" TLS implementation
+WPA_SUPPLICANT_IGNORE_CVES += CVE-2021-30004
else
WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_EAP_PWD CONFIG_EAP_TEAP
WPA_SUPPLICANT_CONFIG_EDITS += 's/\#\(CONFIG_TLS=\).*/\1internal/'
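Review bot: the conditional placement of `+WPA_SUPPLICANT_IGNORE_CVES += CVE-2021-30004` is the important part of this hunk and the comment does not mention it: the `else` branch forces `CONFIG_TLS=internal`, the implementation the CVE affects, so builds without libopenssl intentionally keep the CVE flagged. Extend the comment to say the ignore is deliberately limited to the openssl build, and keep the wording identical to the hostapd one so both packages are audited the same way.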
--
2.17.1
* [Buildroot] [PATCH 08/10] package/ncurses: ignore CVE-2018-10754, CVE-2018-19211, CVE-2018-19217, CVE-2019-17594, CVE-2019-17595
From: Matt Weber @ 2021-04-21 20:42 UTC
To: buildroot
Commit 4b21273d71d09 added upstream (security) patches up to 20200118
and in the commit description it outlines these CVEs were patched.
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
package/ncurses/ncurses.mk | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/package/ncurses/ncurses.mk b/package/ncurses/ncurses.mk
index 97e3e2c321..5d9c6bb0dd 100644
--- a/package/ncurses/ncurses.mk
+++ b/package/ncurses/ncurses.mk
@@ -11,6 +11,12 @@ NCURSES_DEPENDENCIES = host-ncurses
NCURSES_LICENSE = MIT with advertising clause
NCURSES_LICENSE_FILES = COPYING
NCURSES_CPE_ID_VENDOR = gnu
+# Commit 4b21273d71d09 added upstream (security) patches up to 20200118
+NCURSES_IGNORE_CVES += CVE-2018-10754
+NCURSES_IGNORE_CVES += CVE-2018-19211
+NCURSES_IGNORE_CVES += CVE-2018-19217
+NCURSES_IGNORE_CVES += CVE-2019-17594
+NCURSES_IGNORE_CVES += CVE-2019-17595
NCURSES_CONFIG_SCRIPTS = ncurses$(NCURSES_LIB_SUFFIX)6-config
NCURSES_PATCH = \
$(addprefix https://invisible-mirror.net/archives/ncurses/$(NCURSES_VERSION)/, \
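Review bot: the five `+NCURSES_IGNORE_CVES +=` lines justify themselves with a git commit id, but the mechanism that actually fixes these CVEs is the `NCURSES_PATCH` list right below, which applies the upstream patch series up to 20200118; point the comment at that (`# fixed by the upstream patches in NCURSES_PATCH, up to 20200118`) so that a version bump or a trimmed patch list obviously triggers a re-review of the ignores. The ids also fit on one line, `NCURSES_IGNORE_CVES += CVE-2018-10754 CVE-2018-19211 CVE-2018-19217 CVE-2019-17594 CVE-2019-17595`, and since this is a "fixed by applied patches" ignore rather than the "does not apply to this build" kind used elsewhere in the series, the comment should say which kind it is.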
--
2.17.1
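The hunks in this series use the `_IGNORE_CVES` variable in several shapes: a plain list with one comment (coreutils, ncurses), a `=` followed later by `+=` (the two bind patches, which only works because the `=` comes first), and an ignore placed inside an `ifeq`/`else`/`endif` so that it applies to one TLS configuration only (hostapd, wpa_supplicant). The following linter is an added example written for this thread; it is not Buildroot code and not part of Buildroot's own CVE tooling. It reads `.mk` text the way a reviewer of these patches does: the comment block directly above an assignment is taken as the justification, conditionals are tracked so a scoped ignore is reported with its condition, and it flags entries without a comment, duplicate ids, malformed ids, and a `=` that silently discards ids collected earlier for the same package. `SAMPLE_MK` is constructed for the demo from the shapes seen in the hunks and deliberately contains those mistakes; the `else ifeq` form of make is not handled (stated assumption).

```python
"""Audit <PKG>_IGNORE_CVES declarations in Buildroot-style .mk text.

Added example for this thread, not Buildroot code. It tracks
ifeq/ifneq/ifdef/ifndef ... else ... endif nesting and records each
ignored CVE with the comment block directly above its assignment and
the conditions under which the ignore is active.
"""
import re
from dataclasses import dataclass

ASSIGN_RE = re.compile(r"^([A-Z0-9_]+)_IGNORE_CVES\s*(\+?=)\s*(.*)$")
COND_RE = re.compile(r"^(ifeq|ifneq|ifdef|ifndef)\b\s*(.*)$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample, not a real Buildroot file: it mirrors the shapes in the
# patches above (a plain list, an ignore inside ifeq/else/endif) and adds
# deliberate mistakes (missing comment, duplicate, '=' after '+=', bad id).
SAMPLE_MK = """\
COREUTILS_CPE_ID_VENDOR = gnu
# Only when including SUSE coreutils-i18n.patch
COREUTILS_IGNORE_CVES = CVE-2013-0221 CVE-2013-0222
COREUTILS_IGNORE_CVES += CVE-2013-0223

ifeq ($(BR2_PACKAGE_LIBOPENSSL),y)
HOSTAPD_DEPENDENCIES += host-pkgconf libopenssl
# Issue only affects the "internal" TLS implementation
HOSTAPD_IGNORE_CVES += CVE-2021-30004
else
HOSTAPD_CONFIG_DISABLE += CONFIG_EAP_PWD CONFIG_EAP_TEAP
endif

TAR_CPE_ID_VENDOR = gnu
TAR_IGNORE_CVES += CVE-2007-4476
TAR_IGNORE_CVES += CVE-2007-4476
# Hypothetical rewrite that silently drops the entries above
TAR_IGNORE_CVES = CVE-2007-447
"""


@dataclass(frozen=True)
class Ignore:
    package: str
    cve: str
    line: int
    comment: str       # justification found directly above the assignment
    conditions: tuple  # enclosing make conditionals, outermost first


def parse_ignores(text):
    """Return (ignores, findings). Make semantics are approximated: a comment
    must sit directly above the first assignment it justifies, and only a
    plain 'else' (not 'else ifeq') is understood."""
    ignores, findings = [], []
    cond_stack = []   # active conditionals, innermost last
    comment_buf = []  # comment lines since the last non-comment line
    carry = None      # (package, comment) reused by a directly following += line
    seen = {}         # package -> ids already collected
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            comment_buf.append(line.lstrip("#").strip())
            continue
        assign = ASSIGN_RE.match(line)
        if not assign:
            # Conditionals, blank lines and unrelated assignments all end the
            # "comment directly above" association.
            cond = COND_RE.match(line)
            if cond:
                cond_stack.append(f"{cond.group(1)} {cond.group(2)}")
            elif line == "else" and cond_stack:
                cond_stack[-1] = "not " + cond_stack[-1]
            elif line == "endif" and cond_stack:
                cond_stack.pop()
            comment_buf, carry = [], None
            continue
        pkg, op, rhs = assign.groups()
        if comment_buf:
            comment = " ".join(comment_buf)
            carry = (pkg, comment)
        elif carry and carry[0] == pkg:
            comment = carry[1]
        else:
            comment, carry = "", None
        comment_buf = []
        if op == "=" and seen.get(pkg):
            # '=' replaces the variable: everything collected before is lost.
            findings.append(f"line {lineno}: {pkg}_IGNORE_CVES = ... discards "
                            f"{len(seen[pkg])} earlier entries; use +=")
            ignores = [i for i in ignores if i.package != pkg]
            seen[pkg] = set()
        if not comment:
            findings.append(f"line {lineno}: {pkg}_IGNORE_CVES has no justifying comment")
        for cve in rhs.split():
            if not CVE_RE.match(cve):
                findings.append(f"line {lineno}: malformed CVE id {cve!r}")
            elif cve in seen.setdefault(pkg, set()):
                findings.append(f"line {lineno}: duplicate {cve} for {pkg}")
            else:
                seen[pkg].add(cve)
                ignores.append(Ignore(pkg, cve, lineno, comment, tuple(cond_stack)))
    return ignores, findings


def report(text):
    """Human-readable listing: one line per ignore, then the findings."""
    ignores, findings = parse_ignores(text)
    out = []
    for ig in ignores:
        scope = " && ".join(ig.conditions) or "unconditional"
        out.append(f"{ig.package:<10} {ig.cve:<14} [{scope}] {ig.comment or '<no comment>'}")
    out.extend("FINDING " + f for f in findings)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_MK))
```

Run on the sample, the coreutils ids come out with the single comment shared across both lines, the hostapd id is listed under `ifeq ($(BR2_PACKAGE_LIBOPENSSL),y)`, and the tar block produces the findings: two entries with no comment, one duplicate, the `=` that throws away the earlier id, and the malformed id. Pointing it at a real `package/*/*.mk` tree (`parse_ignores(open(path).read())`) gives a per-package inventory of ignores with their stated reasons, which is what a periodic re-review of these decisions needs.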
* [Buildroot] [PATCH 09/10] package/rsyslog: ignore CVE-2015-3243
From: Matt Weber @ 2021-04-21 20:42 UTC
To: buildroot
https://security-tracker.debian.org/tracker/CVE-2015-3243
"Rsyslog uses weak permissions for generating log files."
Ignoring this CVE for Buildroot as normally there are not local
users and a build could customize the rsyslog.conf to be more
restrictive ($FileCreateMode 0640).
Example fix from Alpino Linux
https://github.com/libTorrentUser/alpino-linux-aports/commit/3cb5210cdac46fb8805d4028df16f5889f393a09
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
package/rsyslog/rsyslog.mk | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/package/rsyslog/rsyslog.mk b/package/rsyslog/rsyslog.mk
index 1aa81b8eac..6cf53ccb82 100644
--- a/package/rsyslog/rsyslog.mk
+++ b/package/rsyslog/rsyslog.mk
@@ -9,6 +9,10 @@ RSYSLOG_SITE = http://rsyslog.com/files/download/rsyslog
RSYSLOG_LICENSE = GPL-3.0, LGPL-3.0, Apache-2.0
RSYSLOG_LICENSE_FILES = COPYING COPYING.LESSER COPYING.ASL20
RSYSLOG_CPE_ID_VENDOR = rsyslog
+# rsyslog uses weak permissions for generating log files.
+# Ignoring this CVE as Buildroot normally doesn't have local users and a build
+# could customize the rsyslog.conf to be more restrictive ($FileCreateMode 0640)
+RSYSLOG_IGNORE_CVES += CVE-2015-3243
RSYSLOG_DEPENDENCIES = zlib libestr liblogging libfastjson host-pkgconf
RSYSLOG_CONF_ENV = ac_cv_prog_cc_c99='-std=c99'
RSYSLOG_PLUGINS = imdiag imfile impstats imptcp \
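Review bot: the comment's two reasons (`Buildroot normally doesn't have local users` and that a build `could customize the rsyslog.conf`) describe the deployment and a workaround, not the package, so the weak file modes are still what this package installs and the ignore merely hides them. Pair the ignore with the hardened default in the rsyslog.conf that is shipped (the Alpino commit cited in the commit message does it by setting `$FileCreateMode 0640`), after which the comment can honestly say the CVE is addressed by Buildroot's default configuration; if the ignore goes in on its own, the comment should state that log files are still created with the weak mode unless the user overrides it.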
--
2.17.1
* [Buildroot] [PATCH 09/10] package/rsyslog: ignore CVE-2015-3243
From: Peter Korsgaard @ 2021-04-26 20:26 UTC
To: buildroot
>>>>> "Matt" == Matt Weber <matthew.weber@rockwellcollins.com> writes:
> https://security-tracker.debian.org/tracker/CVE-2015-3243
> "Rsyslog uses weak permissions for generating log files."
> Ignoring this CVE for Buildroot as normally there are not local
> users and a build could customize the rsyslog.conf to be more
> restrictive ($FileCreateMode 0640).
> Example fix from Alpino Linux
> https://github.com/libTorrentUser/alpino-linux-aports/commit/3cb5210cdac46fb8805d4028df16f5889f393a09
Here as well, I don't like ignoring the issue just because you COULD
work around it by doing customization outside Buildroot.
How about combining this with a patch to platform/redhat/rsyslog.conf to
set sensible permissions just like it is done for Alpino?
> Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
> ---
> package/rsyslog/rsyslog.mk | 4 ++++
> 1 file changed, 4 insertions(+)
> diff --git a/package/rsyslog/rsyslog.mk b/package/rsyslog/rsyslog.mk
> index 1aa81b8eac..6cf53ccb82 100644
> --- a/package/rsyslog/rsyslog.mk
> +++ b/package/rsyslog/rsyslog.mk
> @@ -9,6 +9,10 @@ RSYSLOG_SITE = http://rsyslog.com/files/download/rsyslog
> RSYSLOG_LICENSE = GPL-3.0, LGPL-3.0, Apache-2.0
> RSYSLOG_LICENSE_FILES = COPYING COPYING.LESSER COPYING.ASL20
> RSYSLOG_CPE_ID_VENDOR = rsyslog
> +# rsyslog uses weak permissions for generating log files.
> +# Ignoring this CVE as Buildroot normally doesn't have local users and a build
> +# could customize the rsyslog.conf to be more restrictive ($FileCreateMode 0640)
> +RSYSLOG_IGNORE_CVES += CVE-2015-3243
> RSYSLOG_DEPENDENCIES = zlib libestr liblogging libfastjson host-pkgconf
> RSYSLOG_CONF_ENV = ac_cv_prog_cc_c99='-std=c99'
> RSYSLOG_PLUGINS = imdiag imfile impstats imptcp \
> --
> 2.17.1
--
Bye, Peter Korsgaard
* [Buildroot] [PATCH 10/10] package/tar: ignore CVE-2007-4476
From: Matt Weber @ 2021-04-21 20:42 UTC
To: buildroot
https://security-tracker.debian.org/tracker/CVE-2007-4476
Currently NVD has this incorrectly tagged for all versions.
The bug trackers on different distros show it was generally
fixed in versions >= 1.16 but because the impacted source
code is in the GNU paxutils, it is hard to follow in what
cases tar has been fixed around that 1.16 version.
https://bugs.gentoo.org/196978
https://www.itsecdb.com/oval/definition/oval/org.mitre.oval/def/9336/Buffer-overflow-in-the-safer-name-suffix-function-in-GNU-tar.html
Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
package/tar/tar.mk | 2 ++
1 file changed, 2 insertions(+)
diff --git a/package/tar/tar.mk b/package/tar/tar.mk
index 690a5952ba..80d7495b00 100644
--- a/package/tar/tar.mk
+++ b/package/tar/tar.mk
@@ -13,6 +13,8 @@ TAR_CONF_OPTS = --exec-prefix=/
TAR_LICENSE = GPL-3.0+
TAR_LICENSE_FILES = COPYING
TAR_CPE_ID_VENDOR = gnu
+# only tar <= 1.16
+TAR_IGNORE_CVES += CVE-2007-4476
ifeq ($(BR2_PACKAGE_ACL),y)
TAR_DEPENDENCIES += acl
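Review bot: `+# only tar <= 1.16` contradicts the commit message, which says the bug was generally fixed in versions >= 1.16 and that NVD's all-versions range is wrong; state the boundary the commit message actually supports (affected before 1.16, fix landed in paxutils around 1.16, NVD range incorrect) and add the Gentoo bug URL so the reasoning survives in the file. Because the commit message admits the exact fix point is hard to pin down, the comment should say so as well, so that the ignore gets revisited when NVD is corrected or tar is bumped rather than being treated as settled.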
--
2.17.1
* [Buildroot] [PATCH 00/10] Misc CVE ignores
From: Yann E. MORIN @ 2021-04-24 9:29 UTC
To: buildroot
Matt, All,
On 2021-04-21 15:42 -0500, Matt Weber spake thusly:
> * I'm working on upstream NVD fixes for some of these.
>
> * There are roughly half of the ignore cases that are a bit of a
> challenge to identify where the fix was clearly tracked into
> a specific version. I tried to document in each commit as much
> as I could by linking to conversations clarifying the details.
>
> Matt Weber (10):
> package/bind: ignore CVE-2017-3139
> package/coreutils: ignore CVE-2013-0221, CVE-2013-0222, CVE-2013-0223
> package/bind: ignore CVE-2019-6470
> package/cmake: ignore CVE-2016-10642
> package/flex: ignore CVE-2019-6293
For this one, I've switched to using the actual upstream URL, rather
that of a downstream consumer:
https://github.com/westes/flex/issues/414
> package/hostapd: ignore CVE-2021-30004 when using openssl
> package/wpa_supplicant: ignore CVE-2021-30004 when using openssl
> package/ncurses: ignore CVE-2018-10754, CVE-2018-19211,
> CVE-2018-19217, CVE-2019-17594, CVE-2019-17595
> package/rsyslog: ignore CVE-2015-3243
> package/tar: ignore CVE-2007-4476
Series applied to master, thanks.
Regards,
Yann E. MORIN.
> package/bind/bind.mk | 4 ++++
> package/cmake/cmake.mk | 2 ++
> package/coreutils/coreutils.mk | 4 ++++
> package/flex/flex.mk | 3 +++
> package/hostapd/hostapd.mk | 2 ++
> package/ncurses/ncurses.mk | 6 ++++++
> package/rsyslog/rsyslog.mk | 4 ++++
> package/tar/tar.mk | 2 ++
> package/wpa_supplicant/wpa_supplicant.mk | 2 ++
> 9 files changed, 29 insertions(+)
>
> --
> 2.17.1
>
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
* [Buildroot] [PATCH 00/10] Misc CVE ignores
From: Peter Korsgaard @ 2021-04-26 20:29 UTC
To: buildroot
>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:
> Matt, All,
> On 2021-04-21 15:42 -0500, Matt Weber spake thusly:
>> * I'm working on upstream NVD fixes for some of these.
>>
>> * There are roughly half of the ignore cases that are a bit of a
>> challenge to identify where the fix was clearly tracked into
>> a specific version. I tried to document in each commit as much
>> as I could by linking to conversations clarifying the details.
>>
>> Matt Weber (10):
>> package/bind: ignore CVE-2017-3139
>> package/coreutils: ignore CVE-2013-0221, CVE-2013-0222, CVE-2013-0223
>> package/bind: ignore CVE-2019-6470
>> package/cmake: ignore CVE-2016-10642
>> package/flex: ignore CVE-2019-6293
> For this one, I've switched to using the actual upstream URL, rather
> that of a downstream consumer:
> https://github.com/westes/flex/issues/414
>> package/hostapd: ignore CVE-2021-30004 when using openssl
>> package/wpa_supplicant: ignore CVE-2021-30004 when using openssl
>> package/ncurses: ignore CVE-2018-10754, CVE-2018-19211,
>> CVE-2018-19217, CVE-2019-17594, CVE-2019-17595
>> package/rsyslog: ignore CVE-2015-3243
>> package/tar: ignore CVE-2007-4476
> Series applied to master, thanks.
I am not so happy with the hostapd/wpa_supplicant/rsyslog ignores, but I
have applied the series to 2021.02.x anyway and will send followup
patches to master (and 2021.02.x) to improve those packages later.
--
Bye, Peter Korsgaard