* [Buildroot] [PATCH 00/10] Misc CVE ignores
From: Matt Weber @ 2021-04-21 20:42 UTC (permalink / raw)
  To: buildroot

 * I'm working on upstream NVD fixes for some of these.

 * There are roughly half of the ignore cases that are a bit of a
   challenge to identify where the fix was clearly tracked into
   a specific version. I tried to document in each commit as much
   as I could by linking to conversations clarifying the details.

Matt Weber (10):
  package/bind: ignore CVE-2017-3139
  package/coreutils: ignore CVE-2013-0221, CVE-2013-0222, CVE-2013-0223
  package/bind: ignore CVE-2019-6470
  package/cmake: ignore CVE-2016-10642
  package/flex: ignore CVE-2019-6293
  package/hostapd: ignore CVE-2021-30004 when using openssl
  package/wpa_supplicant: ignore CVE-2021-30004 when using openssl
  package/ncurses: ignore CVE-2018-10754, CVE-2018-19211,
    CVE-2018-19217, CVE-2019-17594, CVE-2019-17595
  package/rsyslog: ignore CVE-2015-3243
  package/tar: ignore CVE-2007-4476

 package/bind/bind.mk                     | 4 ++++
 package/cmake/cmake.mk                   | 2 ++
 package/coreutils/coreutils.mk           | 4 ++++
 package/flex/flex.mk                     | 3 +++
 package/hostapd/hostapd.mk               | 2 ++
 package/ncurses/ncurses.mk               | 6 ++++++
 package/rsyslog/rsyslog.mk               | 4 ++++
 package/tar/tar.mk                       | 2 ++
 package/wpa_supplicant/wpa_supplicant.mk | 2 ++
 9 files changed, 29 insertions(+)

-- 
2.17.1


* [Buildroot] [PATCH 01/10] package/bind: ignore CVE-2017-3139
From: Matt Weber @ 2021-04-21 20:42 UTC (permalink / raw)
  To: buildroot

This CVE is only relevant to the configuration of a specific
RHEL release (6.x).

https://bugzilla.redhat.com/show_bug.cgi?id=1447743

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 package/bind/bind.mk | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/package/bind/bind.mk b/package/bind/bind.mk
index 8e8896f3cc..d1a992b66e 100644
--- a/package/bind/bind.mk
+++ b/package/bind/bind.mk
@@ -13,6 +13,8 @@ BIND_CONFIG_SCRIPTS = bind9-config isc-config.sh
 BIND_LICENSE = MPL-2.0
 BIND_LICENSE_FILES = COPYRIGHT
 BIND_CPE_ID_VENDOR = isc
+# Only applies to RHEL6.x with DNSSEC validation on
+BIND_IGNORE_CVES = CVE-2017-3139
 BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage
 BIND_TARGET_SERVER_SBIN += dnssec-importkey dnssec-keygen dnssec-revoke
 BIND_TARGET_SERVER_SBIN += dnssec-settime dnssec-verify genrandom
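Review bot: The comment `+# Only applies to RHEL6.x with DNSSEC validation on` gives the condition but not its source; since this series exists to document why each ignore is safe, carry the Red Hat bugzilla URL from the commit message into the comment so the reasoning survives without digging through git history. The plain `=` is fine for the first BIND_IGNORE_CVES line, but any later addition must use `+=` (as patch 03 does) or it silently clobbers this one.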
-- 
2.17.1


* [Buildroot] [PATCH 02/10] package/coreutils: ignore CVE-2013-0221, CVE-2013-0222, CVE-2013-0223
From: Matt Weber @ 2021-04-21 20:42 UTC (permalink / raw)
  To: buildroot

This CVE is only relevant to a build when the SUSE coreutils-i18n.patch
is included. The upstream codebase does not include this patch, nor
does Buildroot.

https://security-tracker.debian.org/tracker/CVE-2013-0221
https://security-tracker.debian.org/tracker/CVE-2013-0222
https://security-tracker.debian.org/tracker/CVE-2013-0223

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 package/coreutils/coreutils.mk | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/package/coreutils/coreutils.mk b/package/coreutils/coreutils.mk
index 0e75cdfcda..65234a113e 100644
--- a/package/coreutils/coreutils.mk
+++ b/package/coreutils/coreutils.mk
@@ -10,6 +10,10 @@ COREUTILS_SOURCE = coreutils-$(COREUTILS_VERSION).tar.xz
 COREUTILS_LICENSE = GPL-3.0+
 COREUTILS_LICENSE_FILES = COPYING
 COREUTILS_CPE_ID_VENDOR = gnu
+# Only when including SUSE coreutils-i18n.patch
+COREUTILS_IGNORE_CVES = CVE-2013-0221
+COREUTILS_IGNORE_CVES += CVE-2013-0222
+COREUTILS_IGNORE_CVES += CVE-2013-0223
 # We're patching m4/pthread-cond.m4
 COREUTILS_AUTORECONF = YES
 
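Review bot: Three `+=` lines for one justification is noisier than needed; `COREUTILS_IGNORE_CVES = CVE-2013-0221 CVE-2013-0222 CVE-2013-0223` on one line under the same comment keeps the comment visibly attached to all three. The comment should also say that coreutils-i18n.patch is a SUSE downstream addition shipped neither by upstream coreutils nor by Buildroot, since that is the actual reason the ignore is safe; the tracker URLs from the commit message belong there too.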
-- 
2.17.1


* [Buildroot] [PATCH 03/10] package/bind: ignore CVE-2019-6470
From: Matt Weber @ 2021-04-21 20:42 UTC (permalink / raw)
  To: buildroot

There had existed in one of the ISC BIND libraries a bug in a
function that was used by dhcpd when operating in DHCPv6 mode.
There was also a bug in dhcpd relating to the use of this function
per its documentation, but the bug in the library function
prevented this from causing any harm. All releases of dhcpd from
ISC contain copies of this, and other, BIND libraries in
combinations that have been tested prior to release and are known
to not present issues like this.

Affects: Builds of dhcpd versions prior to version 4.4.1 when
using BIND versions 9.11.2 or later.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6470

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 package/bind/bind.mk | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/package/bind/bind.mk b/package/bind/bind.mk
index d1a992b66e..39c30dab6b 100644
--- a/package/bind/bind.mk
+++ b/package/bind/bind.mk
@@ -15,6 +15,8 @@ BIND_LICENSE_FILES = COPYRIGHT
 BIND_CPE_ID_VENDOR = isc
 # Only applies to RHEL6.x with DNSSEC validation on
 BIND_IGNORE_CVES = CVE-2017-3139
+# Library CVE and not used by bind but used by ISC DHCP
+BIND_IGNORE_CVES += CVE-2019-6470
 BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage
 BIND_TARGET_SERVER_SBIN += dnssec-importkey dnssec-keygen dnssec-revoke
 BIND_TARGET_SERVER_SBIN += dnssec-settime dnssec-verify genrandom
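Review bot: `+# Library CVE and not used by bind but used by ISC DHCP` should state the affected combination from the commit message (dhcpd before 4.4.1 with BIND 9.11.2 or later), because that is what anyone re-checking this ignore later needs; it should also say explicitly that bind's own programs do not call the affected library function, since that is the only thing that makes ignoring it in bind.mk valid. The exposure is in the ISC DHCP package's bundled copy of the BIND library, so the same note belongs on that package rather than only here.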
-- 
2.17.1


* [Buildroot] [PATCH 04/10] package/cmake: ignore CVE-2016-10642
From: Matt Weber @ 2021-04-21 20:42 UTC (permalink / raw)
  To: buildroot

This is specific to the npm package that installs cmake, so isn't
relevant to Buildroot.
https://github.com/openembedded/openembedded-core/blob/14241ed09f9ed317045cf75a6d08416d3579bb8d/meta/recipes-devtools/cmake/cmake.inc

https://nvd.nist.gov/vuln/detail/CVE-2016-10642#vulnCurrentDescriptionTitle
 "cmake installs the cmake x86 linux binaries. cmake downloads
 binary resources over HTTP, which leaves it vulnerable to
 MITM attacks. It may be possible to cause remote code
 execution (RCE) by swapping out the requested binary with
 an attacker controlled binary if the attacker is on the
 network or positioned in between the user and the remote server."

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 package/cmake/cmake.mk | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/package/cmake/cmake.mk b/package/cmake/cmake.mk
index a3015fabfd..90fe868fa5 100644
--- a/package/cmake/cmake.mk
+++ b/package/cmake/cmake.mk
@@ -10,6 +10,8 @@ CMAKE_SITE = https://cmake.org/files/v$(CMAKE_VERSION_MAJOR)
 CMAKE_LICENSE = BSD-3-Clause
 CMAKE_LICENSE_FILES = Copyright.txt
 CMAKE_CPE_ID_VENDOR = cmake_project
+# Tool download MITM attack warning if using npm package to install cmake
+CMAKE_IGNORE_CVES = CVE-2016-10642
 
 # CMake is a particular package:
 # * CMake can be built using the generic infrastructure or the cmake one.
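Review bot: `+# Tool download MITM attack warning if using npm package to install cmake` reads as if CMake itself fetched something over HTTP; the point is that NVD's entry describes the unrelated npm package named `cmake`, so the CPE match on the product name is a false positive. Say that plainly (e.g. `# CVE-2016-10642 is against the npm 'cmake' wrapper package, not CMake itself`) and add the NVD URL from the commit message, so nobody later tries to "fix" the ignore inside the CMake build.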
-- 
2.17.1


* [Buildroot] [PATCH 05/10] package/flex: ignore CVE-2019-6293
From: Matt Weber @ 2021-04-21 20:42 UTC (permalink / raw)
  To: buildroot

https://security-tracker.debian.org/tracker/CVE-2019-6293

https://github.com/NixOS/nixpkgs/issues/55386#issuecomment-683792976
 "But this bug does not cause stack overflows in the generated code.
 The function and file referred to in the bug (mark_beginning_as_normal
 in nfa.c) are part of the flex code generator, not part of the
 generated code. If flex crashes before generating any code, that
 can hardly be a vulnerability. If flex does not crash, the generated
 code is fine (or perhaps subject to other unreported bugs, who knows,
 but the NFA has been generated correctly)."

Upstream has chosen to not provide a fix
 https://github.com/microsoft/CBL-Mariner/pull/312

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 package/flex/flex.mk | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/package/flex/flex.mk b/package/flex/flex.mk
index 2d00969662..85da5ddae8 100644
--- a/package/flex/flex.mk
+++ b/package/flex/flex.mk
@@ -10,6 +10,9 @@ FLEX_INSTALL_STAGING = YES
 FLEX_LICENSE = FLEX
 FLEX_LICENSE_FILES = COPYING
 FLEX_CPE_ID_VENDOR = flex_project
+# bug does not cause stack overflows in the generated code and has been
+# noted upstream as a bug in the code generator
+FLEX_IGNORE_CVES = CVE-2019-6293
 FLEX_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES) host-m4
 HOST_FLEX_DEPENDENCIES = host-m4
 
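Review bot: The comment says the bug `has been noted upstream as a bug in the code generator` without saying where; give the URL (the commit message links a nixpkgs comment and a CBL-Mariner PR, and the upstream flex issue https://github.com/westes/flex/issues/414 cited later in the thread is the better reference). It is also worth stating that the affected code is the NFA construction in host flex, so the worst case is the build-time generator crashing on a crafted scanner definition, not a defect in the scanners it emits for the target. Nit: comments elsewhere in the file start with a capital letter.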
-- 
2.17.1


* [Buildroot] [PATCH 06/10] package/hostapd: ignore CVE-2021-30004 when using openssl
From: Matt Weber @ 2021-04-21 20:42 UTC (permalink / raw)
  To: buildroot

The CVE can be ignored when the internal TLS impl isn't used.

https://security-tracker.debian.org/tracker/CVE-2021-30004
 "Issue only affects the "internal" TLS implementation
 (CONFIG_TLS=internal)"

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 package/hostapd/hostapd.mk | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/package/hostapd/hostapd.mk b/package/hostapd/hostapd.mk
index efeefd8b35..2995545d18 100644
--- a/package/hostapd/hostapd.mk
+++ b/package/hostapd/hostapd.mk
@@ -38,6 +38,8 @@ ifeq ($(BR2_PACKAGE_LIBOPENSSL),y)
 HOSTAPD_DEPENDENCIES += host-pkgconf libopenssl
 HOSTAPD_LIBS += `$(PKG_CONFIG_HOST_BINARY) --libs openssl`
 HOSTAPD_CONFIG_EDITS += 's/\#\(CONFIG_TLS=openssl\)/\1/'
+# Issue only affects the "internal" TLS implementation
+HOSTAPD_IGNORE_CVES += CVE-2021-30004
 else
 HOSTAPD_CONFIG_DISABLE += CONFIG_EAP_PWD CONFIG_EAP_TEAP
 HOSTAPD_CONFIG_EDITS += 's/\#\(CONFIG_TLS=\).*/\1internal/'
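Review bot: Placing `HOSTAPD_IGNORE_CVES += CVE-2021-30004` inside the `ifeq ($(BR2_PACKAGE_LIBOPENSSL),y)` branch leaves the `else` branch (CONFIG_TLS=internal) flagged, which is correct, but it also means every non-OpenSSL configuration ships a known-open CVE. Backporting the upstream fix as a package patch would cover both branches and make the conditional ignore unnecessary; if the ignore stays, the comment should carry the tracker URL from the commit message.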
-- 
2.17.1


* [Buildroot] [PATCH 07/10] package/wpa_supplicant: ignore CVE-2021-30004 when using openssl
From: Matt Weber @ 2021-04-21 20:42 UTC (permalink / raw)
  To: buildroot

The CVE can be ignored when the internal TLS impl isn't used.

https://security-tracker.debian.org/tracker/CVE-2021-30004
 "Issue only affects the "internal" TLS implementation
 (CONFIG_TLS=internal)"

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 package/wpa_supplicant/wpa_supplicant.mk | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/package/wpa_supplicant/wpa_supplicant.mk b/package/wpa_supplicant/wpa_supplicant.mk
index 356ea91828..f59832645f 100644
--- a/package/wpa_supplicant/wpa_supplicant.mk
+++ b/package/wpa_supplicant/wpa_supplicant.mk
@@ -132,6 +132,8 @@ ifeq ($(BR2_PACKAGE_LIBOPENSSL),y)
 WPA_SUPPLICANT_DEPENDENCIES += host-pkgconf libopenssl
 WPA_SUPPLICANT_LIBS += `$(PKG_CONFIG_HOST_BINARY) --libs openssl`
 WPA_SUPPLICANT_CONFIG_EDITS += 's/\#\(CONFIG_TLS=openssl\)/\1/'
+# Issue only affects the "internal" TLS implementation
+WPA_SUPPLICANT_IGNORE_CVES += CVE-2021-30004
 else
 WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_EAP_PWD CONFIG_EAP_TEAP
 WPA_SUPPLICANT_CONFIG_EDITS += 's/\#\(CONFIG_TLS=\).*/\1internal/'
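Review bot: Same shape as the hostapd.mk change in this series: the ignore sits only in the `ifeq ($(BR2_PACKAGE_LIBOPENSSL),y)` branch, so builds taking the `else` branch (CONFIG_TLS=internal) remain affected and remain reported. Carrying the upstream fix as a package patch would make the ignore unconditional; either way the comment should cite the tracker URL.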
-- 
2.17.1


* [Buildroot] [PATCH 08/10] package/ncurses: ignore CVE-2018-10754, CVE-2018-19211, CVE-2018-19217, CVE-2019-17594, CVE-2019-17595
From: Matt Weber @ 2021-04-21 20:42 UTC (permalink / raw)
  To: buildroot

Commit 4b21273d71d09 added upstream (security) patches up to 20200118,
and its commit description states that these CVEs were patched.

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 package/ncurses/ncurses.mk | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/package/ncurses/ncurses.mk b/package/ncurses/ncurses.mk
index 97e3e2c321..5d9c6bb0dd 100644
--- a/package/ncurses/ncurses.mk
+++ b/package/ncurses/ncurses.mk
@@ -11,6 +11,12 @@ NCURSES_DEPENDENCIES = host-ncurses
 NCURSES_LICENSE = MIT with advertising clause
 NCURSES_LICENSE_FILES = COPYING
 NCURSES_CPE_ID_VENDOR = gnu
+# Commit 4b21273d71d09 added upstream (security) patches up to 20200118
+NCURSES_IGNORE_CVES += CVE-2018-10754
+NCURSES_IGNORE_CVES += CVE-2018-19211
+NCURSES_IGNORE_CVES += CVE-2018-19217
+NCURSES_IGNORE_CVES += CVE-2019-17594
+NCURSES_IGNORE_CVES += CVE-2019-17595
 NCURSES_CONFIG_SCRIPTS = ncurses$(NCURSES_LIB_SUFFIX)6-config
 NCURSES_PATCH = \
 	$(addprefix https://invisible-mirror.net/archives/ncurses/$(NCURSES_VERSION)/, \
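Review bot: These five ignores are valid only as long as `NCURSES_PATCH` (visible in the context lines right below) keeps pulling the upstream patch set up to 20200118; the comment should say so, so that anyone trimming or bumping the patch list knows to revisit them. Nits: five `+=` lines can be one `NCURSES_IGNORE_CVES = ...` line, and if this is the first assignment in the file it should use `=` like bind.mk and cmake.mk do, for one consistent convention.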
-- 
2.17.1


* [Buildroot] [PATCH 09/10] package/rsyslog: ignore CVE-2015-3243
From: Matt Weber @ 2021-04-21 20:42 UTC (permalink / raw)
  To: buildroot

https://security-tracker.debian.org/tracker/CVE-2015-3243
 "Rsyslog uses weak permissions for generating log files."

Ignoring this CVE for Buildroot as normally there are not local
users and a build could customize the rsyslog.conf to be more
restrictive ($FileCreateMode 0640).

Example fix from Alpino Linux
 https://github.com/libTorrentUser/alpino-linux-aports/commit/3cb5210cdac46fb8805d4028df16f5889f393a09

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 package/rsyslog/rsyslog.mk | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/package/rsyslog/rsyslog.mk b/package/rsyslog/rsyslog.mk
index 1aa81b8eac..6cf53ccb82 100644
--- a/package/rsyslog/rsyslog.mk
+++ b/package/rsyslog/rsyslog.mk
@@ -9,6 +9,10 @@ RSYSLOG_SITE = http://rsyslog.com/files/download/rsyslog
 RSYSLOG_LICENSE = GPL-3.0, LGPL-3.0, Apache-2.0
 RSYSLOG_LICENSE_FILES = COPYING COPYING.LESSER COPYING.ASL20
 RSYSLOG_CPE_ID_VENDOR = rsyslog
+# rsyslog uses weak permissions for generating log files.
+# Ignoring this CVE as Buildroot normally doesn't have local users and a build
+# could customize the rsyslog.conf to be more restrictive ($FileCreateMode 0640)
+RSYSLOG_IGNORE_CVES += CVE-2015-3243
 RSYSLOG_DEPENDENCIES = zlib libestr liblogging libfastjson host-pkgconf
 RSYSLOG_CONF_ENV = ac_cv_prog_cc_c99='-std=c99'
 RSYSLOG_PLUGINS = imdiag imfile impstats imptcp \
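Review bot: `could customize the rsyslog.conf to be more restrictive` justifies a downstream workaround, not an ignore: the rsyslog Buildroot ships still creates log files with the weak default permissions. Better to ship a default rsyslog.conf setting `$FileCreateMode 0640` (the value the comment itself names) alongside or instead of the ignore, and to state the "no local users" claim as an assumption, since it does not hold for every target.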
-- 
2.17.1


* [Buildroot] [PATCH 10/10] package/tar: ignore CVE-2007-4476
From: Matt Weber @ 2021-04-21 20:42 UTC (permalink / raw)
  To: buildroot

https://security-tracker.debian.org/tracker/CVE-2007-4476

Currently NVD has this incorrectly tagged for all versions.
The bug trackers on different distros show it was generally
fixed in versions >= 1.16 but because the impacted source
code is in the GNU paxutils, it is hard to follow in what
cases tar has been fixed around that 1.16 version.

https://bugs.gentoo.org/196978

https://www.itsecdb.com/oval/definition/oval/org.mitre.oval/def/9336/Buffer-overflow-in-the-safer-name-suffix-function-in-GNU-tar.html

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 package/tar/tar.mk | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/package/tar/tar.mk b/package/tar/tar.mk
index 690a5952ba..80d7495b00 100644
--- a/package/tar/tar.mk
+++ b/package/tar/tar.mk
@@ -13,6 +13,8 @@ TAR_CONF_OPTS = --exec-prefix=/
 TAR_LICENSE = GPL-3.0+
 TAR_LICENSE_FILES = COPYING
 TAR_CPE_ID_VENDOR = gnu
+# only tar <= 1.16
+TAR_IGNORE_CVES += CVE-2007-4476
 
 ifeq ($(BR2_PACKAGE_ACL),y)
 TAR_DEPENDENCIES += acl
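Review bot: `+# only tar <= 1.16` contradicts the commit message, which says the bug was generally fixed in versions >= 1.16; write `# fixed in tar 1.16 (NVD wrongly lists all versions)` so the comment and the commit agree and the boundary is unambiguous. Adding one of the tracker URLs would also help, since the commit itself says the paxutils history is hard to follow.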
-- 
2.17.1


* [Buildroot] [PATCH 00/10] Misc CVE ignores
From: Yann E. MORIN @ 2021-04-24  9:29 UTC (permalink / raw)
  To: buildroot

Matt, All,

On 2021-04-21 15:42 -0500, Matt Weber spake thusly:
>  * I'm working on upstream NVD fixes for some of these.
> 
>  * There are roughly half of the ignore cases that are a bit of a
>    challenge to identify where the fix was clearly tracked into
>    a specific version. I tried to document in each commit as much
>    as I could by linking to conversations clarifying the details.
> 
> Matt Weber (10):
>   package/bind: ignore CVE-2017-3139
>   package/coreutils: ignore CVE-2013-0221, CVE-2013-0222, CVE-2013-0223
>   package/bind: ignore CVE-2019-6470
>   package/cmake: ignore CVE-2016-10642
>   package/flex: ignore CVE-2019-6293

For this one, I've switched to using the actual upstream URL, rather
than that of a downstream consumer:
    https://github.com/westes/flex/issues/414

>   package/hostapd: ignore CVE-2021-30004 when using openssl
>   package/wpa_supplicant: ignore CVE-2021-30004 when using openssl
>   package/ncurses: ignore CVE-2018-10754, CVE-2018-19211,
>     CVE-2018-19217, CVE-2019-17594, CVE-2019-17595
>   package/rsyslog: ignore CVE-2015-3243
>   package/tar: ignore CVE-2007-4476

Series applied to master, thanks.

Regards,
Yann E. MORIN.

>  package/bind/bind.mk                     | 4 ++++
>  package/cmake/cmake.mk                   | 2 ++
>  package/coreutils/coreutils.mk           | 4 ++++
>  package/flex/flex.mk                     | 3 +++
>  package/hostapd/hostapd.mk               | 2 ++
>  package/ncurses/ncurses.mk               | 6 ++++++
>  package/rsyslog/rsyslog.mk               | 4 ++++
>  package/tar/tar.mk                       | 2 ++
>  package/wpa_supplicant/wpa_supplicant.mk | 2 ++
>  9 files changed, 29 insertions(+)
> 
> -- 
> 2.17.1
> 



* [Buildroot] [PATCH 02/10] package/coreutils: ignore CVE-2013-0221, CVE-2013-0222, CVE-2013-0223
From: Peter Korsgaard @ 2021-04-26 19:15 UTC (permalink / raw)
  To: buildroot

>>>>> "Matt" == Matt Weber <matthew.weber@rockwellcollins.com> writes:

 > This CVE is only relevant to a build when the SUSE coreutils-i18n.patch
 > is included. The upstream codebase does not include this patch, nor
 > does Buildroot.

 > https://security-tracker.debian.org/tracker/CVE-2013-0221
 > https://security-tracker.debian.org/tracker/CVE-2013-0222
 > https://security-tracker.debian.org/tracker/CVE-2013-0223

 > Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
 > ---
 >  package/coreutils/coreutils.mk | 4 ++++
 >  1 file changed, 4 insertions(+)

 > diff --git a/package/coreutils/coreutils.mk b/package/coreutils/coreutils.mk
 > index 0e75cdfcda..65234a113e 100644
 > --- a/package/coreutils/coreutils.mk
 > +++ b/package/coreutils/coreutils.mk
 > @@ -10,6 +10,10 @@ COREUTILS_SOURCE = coreutils-$(COREUTILS_VERSION).tar.xz
 >  COREUTILS_LICENSE = GPL-3.0+
 >  COREUTILS_LICENSE_FILES = COPYING
 >  COREUTILS_CPE_ID_VENDOR = gnu
 > +# Only when including SUSE coreutils-i18n.patch
 > +COREUTILS_IGNORE_CVES = CVE-2013-0221
 > +COREUTILS_IGNORE_CVES += CVE-2013-0222
 > +COREUTILS_IGNORE_CVES += CVE-2013-0223

NIT: There is no problem having multiple CVE's on the same line:

COREUTILS_IGNORE_CVES += CVE-2013-0221 CVE-2013-0222 CVE-2013-0223

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH 06/10] package/hostapd: ignore CVE-2021-30004 when using openssl
From: Peter Korsgaard @ 2021-04-26 19:52 UTC (permalink / raw)
  To: buildroot

>>>>> "Matt" == Matt Weber <matthew.weber@rockwellcollins.com> writes:

 > The CVE can be ignored when the internal TLS impl isn't used.
 > https://security-tracker.debian.org/tracker/CVE-2021-30004
 >  "Issue only affects the "internal" TLS implementation
 >  (CONFIG_TLS=internal)"

 > Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>

A conditionally ignored CVE isn't great. Why not just add the fix?

I just gave it a try and it applies cleanly to 2.9.

-- 
Bye, Peter Korsgaard
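An added example (not Buildroot's own pkg-stats code, and not from anyone in this thread) that evaluates `<PKG>_IGNORE_CVES` lines the way the two review points above call for: it honours the `ifeq ($(BR2_PACKAGE_LIBOPENSSL),y)` conditional around hostapd's ignore, so CVE-2021-30004 stays reported for internal-TLS configurations, and it accepts several CVEs on one line as suggested for coreutils. The .mk fragments and the list of matched CVEs are constructed from the hunks in this series; the config dict stands in for a parsed .config.

```python
"""Evaluate <PKG>_IGNORE_CVES assignments of a Buildroot package .mk file.

Added example, not Buildroot's pkg-stats tooling.  It honours make
ifeq/ifneq/else/endif on BR2_* symbols, so a conditional ignore counts
only for configurations in which the condition holds, and it accepts
both one CVE per += line and several CVEs on one line.
"""
import re

# Constructed fragments modelled on the hunks in this series; these are
# not the real hostapd.mk / coreutils.mk files.
HOSTAPD_MK = """\
ifeq ($(BR2_PACKAGE_LIBOPENSSL),y)
HOSTAPD_DEPENDENCIES += host-pkgconf libopenssl
# Issue only affects the "internal" TLS implementation
HOSTAPD_IGNORE_CVES += CVE-2021-30004
else
HOSTAPD_CONFIG_DISABLE += CONFIG_EAP_PWD CONFIG_EAP_TEAP
endif
"""

COREUTILS_MK_MULTILINE = """\
# Only when including SUSE coreutils-i18n.patch
COREUTILS_IGNORE_CVES = CVE-2013-0221
COREUTILS_IGNORE_CVES += CVE-2013-0222
COREUTILS_IGNORE_CVES += CVE-2013-0223
"""

COREUTILS_MK_ONELINE = """\
# Only when including SUSE coreutils-i18n.patch
COREUTILS_IGNORE_CVES = CVE-2013-0221 CVE-2013-0222 CVE-2013-0223
"""

ASSIGN_RE = re.compile(r'^(\w+)_IGNORE_CVES\s*(\+?=)\s*(.*)$')
COND_RE = re.compile(r'^(ifeq|ifneq)\s*\(\$\((\w+)\),(\w*)\)$')


def ignored_cves(mk_text, config):
    """Return {PKG: [CVE, ...]} for the ignores active under `config`.

    `config` maps BR2_* symbol names to their .config value ('y', ...);
    symbols absent from it compare equal to the empty string, as in make.
    Limitations (enough for this series): conditions of the form
    ifeq ($(SYMBOL),value) only, and no backslash line continuations.
    """
    active = []  # one bool per open ifeq/ifneq: is this branch taken?
    result = {}
    for raw in mk_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        cond = COND_RE.match(line)
        if cond:
            kind, symbol, wanted = cond.groups()
            equal = config.get(symbol, '') == wanted
            active.append(equal if kind == 'ifeq' else not equal)
            continue
        if line == 'else':
            active[-1] = not active[-1]
            continue
        if line == 'endif':
            active.pop()
            continue
        if not all(active):
            continue  # inside a branch this configuration does not take
        assign = ASSIGN_RE.match(line)
        if not assign:
            continue
        pkg, op, value = assign.groups()
        cves = value.split()  # several CVEs on one line are fine
        if op == '=':
            result[pkg] = cves  # plain '=' replaces anything set before
        else:
            result.setdefault(pkg, []).extend(cves)
    return result


def still_reported(matched, mk_text, config):
    """CVEs matched for a package by CPE that no active ignore covers."""
    ignored = {c for cves in ignored_cves(mk_text, config).values() for c in cves}
    return sorted(c for c in matched if c not in ignored)


if __name__ == '__main__':
    # Constructed input: the CPE match reported the real hostapd CVE plus a
    # placeholder id that nothing ignores.
    matched = ['CVE-2021-30004', 'CVE-0000-00000']  # second one is a placeholder
    for cfg in ({'BR2_PACKAGE_LIBOPENSSL': 'y'}, {}):
        label = 'openssl' if cfg else 'internal TLS'
        print(label, '->', still_reported(matched, HOSTAPD_MK, cfg))
    # Peter's one-line form and the three-line form yield the same set.
    assert ignored_cves(COREUTILS_MK_ONELINE, {}) == ignored_cves(COREUTILS_MK_MULTILINE, {})
```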


* [Buildroot] [PATCH 09/10] package/rsyslog: ignore CVE-2015-3243
From: Peter Korsgaard @ 2021-04-26 20:26 UTC (permalink / raw)
  To: buildroot

>>>>> "Matt" == Matt Weber <matthew.weber@rockwellcollins.com> writes:

 > https://security-tracker.debian.org/tracker/CVE-2015-3243
 >  "Rsyslog uses weak permissions for generating log files."

 > Ignoring this CVE for Buildroot as normally there are not local
 > users and a build could customize the rsyslog.conf to be more
 > restrictive ($FileCreateMode 0640).

 > Example fix from Alpino Linux
 >  https://github.com/libTorrentUser/alpino-linux-aports/commit/3cb5210cdac46fb8805d4028df16f5889f393a09

Here as well, I don't like ignoring the issue just because you COULD
work around it by doing customization outside Buildroot.

How about combining this with a patch to platform/redhat/rsyslog.conf to
set sensible permissions just like it is done for Alpino?

 > Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
 > ---
 >  package/rsyslog/rsyslog.mk | 4 ++++
 >  1 file changed, 4 insertions(+)

 > diff --git a/package/rsyslog/rsyslog.mk b/package/rsyslog/rsyslog.mk
 > index 1aa81b8eac..6cf53ccb82 100644
 > --- a/package/rsyslog/rsyslog.mk
 > +++ b/package/rsyslog/rsyslog.mk
 > @@ -9,6 +9,10 @@ RSYSLOG_SITE = http://rsyslog.com/files/download/rsyslog
 >  RSYSLOG_LICENSE = GPL-3.0, LGPL-3.0, Apache-2.0
 >  RSYSLOG_LICENSE_FILES = COPYING COPYING.LESSER COPYING.ASL20
 >  RSYSLOG_CPE_ID_VENDOR = rsyslog
 > +# rsyslog uses weak permissions for generating log files.
 > +# Ignoring this CVE as Buildroot normally doesn't have local users and a build
 > +# could customize the rsyslog.conf to be more restrictive ($FileCreateMode 0640)
 > +RSYSLOG_IGNORE_CVES += CVE-2015-3243
 >  RSYSLOG_DEPENDENCIES = zlib libestr liblogging libfastjson host-pkgconf
 >  RSYSLOG_CONF_ENV = ac_cv_prog_cc_c99='-std=c99'
 >  RSYSLOG_PLUGINS = imdiag imfile impstats imptcp \
 > -- 
 > 2.17.1


-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH 00/10] Misc CVE ignores
From: Peter Korsgaard @ 2021-04-26 20:29 UTC (permalink / raw)
  To: buildroot

>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:

 > Matt, All,
 > On 2021-04-21 15:42 -0500, Matt Weber spake thusly:
 >> * I'm working on upstream NVD fixes for some of these.
 >> 
 >> * There are roughly half of the ignore cases that are a bit of a
 >> challenge to identify where the fix was clearly tracked into
 >> a specific version. I tried to document in each commit as much
 >> as I could by linking to conversations clarifying the details.
 >> 
 >> Matt Weber (10):
 >> package/bind: ignore CVE-2017-3139
 >> package/coreutils: ignore CVE-2013-0221, CVE-2013-0222, CVE-2013-0223
 >> package/bind: ignore CVE-2019-6470
 >> package/cmake: ignore CVE-2016-10642
 >> package/flex: ignore CVE-2019-6293

 > For this one, I've switched to using the actual upstream URL, rather
 > that of a downstream consumer:
 >     https://github.com/westes/flex/issues/414

 >> package/hostapd: ignore CVE-2021-30004 when using openssl
 >> package/wpa_supplicant: ignore CVE-2021-30004 when using openssl
 >> package/ncurses: ignore CVE-2018-10754, CVE-2018-19211,
 >> CVE-2018-19217, CVE-2019-17594, CVE-2019-17595
 >> package/rsyslog: ignore CVE-2015-3243
 >> package/tar: ignore CVE-2007-4476

 > Series applied to master, thanks.

I am not so happy with the hostapd/wpa_supplicant/rsyslog ignores, but I
have applied the series to 2021.02.x anyway and will send followup
patches to master (and 2021.02.x) to improve those packages later.

-- 
Bye, Peter Korsgaard

