* [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-03-21
@ 2021-03-22 11:48 Alexander Dahl
  2021-03-29 13:23 ` Alexander Dahl
  0 siblings, 1 reply; 10+ messages in thread
From: Alexander Dahl @ 2021-03-22 11:48 UTC (permalink / raw)
  To: buildroot

Hello,

I'm a little unhappy to annoy anyone with this request, however
reports like the one below pop up over and over again in my INBOX like
round about once a week.  That particular CVE issue in fastd was fixed
upstream in October 2020 and was fixed for buildroot by Fabrice
Fontaine a few days later already.  See below.

On Mon, Mar 22, 2021 at 10:26:07AM -0000, Thomas Petazzoni wrote:
> Hello,
> 
> Packages having CVEs
> ====================
> 
> This is the list of packages for which a known CVE is affecting them,
> which means a security vulnerability exists for those packages.
> 
> CVEs for the 'master' branch
> ----------------------------
> 
>              name              |       CVE        |                             link                            
> -------------------------------+------------------+--------------------------------------------------------------
>                          fastd | CVE-2020-27638   | https://security-tracker.debian.org/tracker/CVE-2020-27638  
> 

Fixed in master with 7e4af3ce3f91 ("package/fastd: fix
CVE-2020-27638"). And it remains fixed after 148058a46293
("package/fastd: bump to version 21").

> 
> CVEs for the '2020.11.x' branch
> -------------------------------
> 
>              name              |       CVE        |                             link                            
> -------------------------------+------------------+--------------------------------------------------------------
>                          fastd | CVE-2020-27638   | https://security-tracker.debian.org/tracker/CVE-2020-27638  
> 

Same commits as above are in this branch, too.

> 
> CVEs for the '2021.02.x' branch
> -------------------------------
> 
>              name              |       CVE        |                             link                            
> -------------------------------+------------------+--------------------------------------------------------------
>                          fastd | CVE-2020-27638   | https://security-tracker.debian.org/tracker/CVE-2020-27638  
> 

Same commits as above are in this branch, too.

Could someone with access to that bot please fix it to not report
already addressed CVEs anymore?

Thanks and greets
Alex

-- 
/"\ ASCII RIBBON | "With the first link, the chain is forged. The first
\ / CAMPAIGN     | speech censured, the first thought forbidden, the
 X  AGAINST      | first freedom denied, chains us all irrevocably."
/ \ HTML MAIL    | (Jean-Luc Picard, quoting Judge Aaron Satie)

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-03-21
  2021-03-22 11:48 [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-03-21 Alexander Dahl
@ 2021-03-29 13:23 ` Alexander Dahl
  2021-03-29 13:28   ` Thomas Petazzoni
  0 siblings, 1 reply; 10+ messages in thread
From: Alexander Dahl @ 2021-03-29 13:23 UTC (permalink / raw)
  To: buildroot

Hei hei,

On Mon, Mar 22, 2021 at 12:48:36PM +0100, Alexander Dahl wrote:
> I'm a little unhappy to annoy anyone with this request, however
> reports like the one below pop up over and over again in my INBOX like
> round about once a week.  

Meanwhile I had a look at my mail archive and it's exactly once a
week, every Monday morning since November 2020. The mail headers
contain this:

Received: from ks383786.kimsufi.com (ks383786.kimsufi.com [94.23.254.152])
        (Authenticated sender: bot at bootlin.com)
        by relay3-d.mail.gandi.net (Postfix) with ESMTPSA id 6A91C60017
        for <post@lespocky.de>; Mon, 29 Mar 2021 09:29:51 +0000 (UTC)

Maybe that helps identifying the bot which sends those mails on behalf
of Thomas?

btw: the mails don't go to the list, but to me personally only. I just
forwarded it to the list in hope someone else than Thomas might also
have an idea what's going on.

Greets
Alex

> That particular CVE issue in fastd was fixed
> upstream in October 2020 and was fixed for buildroot by Fabrice
> Fontaine a few days later already.  See below.
> 
> On Mon, Mar 22, 2021 at 10:26:07AM -0000, Thomas Petazzoni wrote:
> > Hello,
> > 
> > Packages having CVEs
> > ====================
> > 
> > This is the list of packages for which a known CVE is affecting them,
> > which means a security vulnerability exists for those packages.
> > 
> > CVEs for the 'master' branch
> > ----------------------------
> > 
> >              name              |       CVE        |                             link                            
> > -------------------------------+------------------+--------------------------------------------------------------
> >                          fastd | CVE-2020-27638   | https://security-tracker.debian.org/tracker/CVE-2020-27638  
> > 
> 
> Fixed in master with 7e4af3ce3f91 ("package/fastd: fix
> CVE-2020-27638"). And it remains fixed after 148058a46293
> ("package/fastd: bump to version 21").
> 
> > 
> > CVEs for the '2020.11.x' branch
> > -------------------------------
> > 
> >              name              |       CVE        |                             link                            
> > -------------------------------+------------------+--------------------------------------------------------------
> >                          fastd | CVE-2020-27638   | https://security-tracker.debian.org/tracker/CVE-2020-27638  
> > 
> 
> Same commits as above are in this branch, too.
> 
> > 
> > CVEs for the '2021.02.x' branch
> > -------------------------------
> > 
> >              name              |       CVE        |                             link                            
> > -------------------------------+------------------+--------------------------------------------------------------
> >                          fastd | CVE-2020-27638   | https://security-tracker.debian.org/tracker/CVE-2020-27638  
> > 
> 
> Same commits as above are in this branch, too.
> 
> Could someone with access to that bot please fix it to not report
> already addressed CVEs anymore?
> 
> Thanks and greets
> Alex
> 
> -- 
> /"\ ASCII RIBBON | "With the first link, the chain is forged. The first
> \ / CAMPAIGN     | speech censured, the first thought forbidden, the
>  X  AGAINST      | first freedom denied, chains us all irrevocably."
> / \ HTML MAIL    | (Jean-Luc Picard, quoting Judge Aaron Satie)





-- 
/"\ ASCII RIBBON | "With the first link, the chain is forged. The first
\ / CAMPAIGN     | speech censured, the first thought forbidden, the
 X  AGAINST      | first freedom denied, chains us all irrevocably."
/ \ HTML MAIL    | (Jean-Luc Picard, quoting Judge Aaron Satie)

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-03-21
  2021-03-29 13:23 ` Alexander Dahl
@ 2021-03-29 13:28   ` Thomas Petazzoni
  2021-03-29 13:46     ` Alexander Dahl
                       ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Thomas Petazzoni @ 2021-03-29 13:28 UTC (permalink / raw)
  To: buildroot

Hello,

On Mon, 29 Mar 2021 15:23:57 +0200
Alexander Dahl <post@lespocky.de> wrote:

> On Mon, Mar 22, 2021 at 12:48:36PM +0100, Alexander Dahl wrote:
> > I'm a little unhappy to annoy anyone with this request, however
> > reports like the one below pop up over and over again in my INBOX like
> > round about once a week.    
> 
> Meanwhile I had a look at my mail archive and it's exactly once a
> week, every Monday morning since November 2020. The mail headers
> contain this:
> 
> Received: from ks383786.kimsufi.com (ks383786.kimsufi.com [94.23.254.152])
>         (Authenticated sender: bot at bootlin.com)
>         by relay3-d.mail.gandi.net (Postfix) with ESMTPSA id 6A91C60017
>         for <post@lespocky.de>; Mon, 29 Mar 2021 09:29:51 +0000 (UTC)
> 
> Maybe that helps identifying the bot which sends those mails on behalf
> of Thomas?

Well, there is no surprise, the bot is me :-)

> btw: the mails don't go to the list, but to me personally only. I just
> forwarded it to the list in hope someone else than Thomas might also
> have an idea what's going on.

No, this is not exactly what happens. Developers listed in the
DEVELOPERS file receive individual e-mails just for their
packages/defconfigs, if there is any issue to report. But a complete
report, for all packages/defconfigs/failures goes to the mailing list.

For this particular fastd CVE issue, what needs to be added is (1) the
proper CPE identifier information in the Buildroot package and (2) get
the NVD database maintainers to fix the CVE entry to indicate which
fastd version has fixed the security vulnerability.

Best regards,

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2021-03-21
  2021-03-29 13:28   ` Thomas Petazzoni
@ 2021-03-29 13:46     ` Alexander Dahl
  2021-03-29 19:29     ` [Buildroot] [PATCH] package/fastd: add FASTD_CPE_ID_VERSION Alexander Dahl
  2021-04-05 12:36     ` [Buildroot] fastd CPE/CVE reporting (Was: [autobuild.buildroot.net] Your daily results for 2021-03-21) Alexander Dahl
  2 siblings, 0 replies; 10+ messages in thread
From: Alexander Dahl @ 2021-03-29 13:46 UTC (permalink / raw)
  To: buildroot

Hello Thomas,

thanks for looking into this.

On Mon, Mar 29, 2021 at 03:28:03PM +0200, Thomas Petazzoni wrote:
> For this particular fastd CVE issue, what needs to be added is (1) the
> proper CPE identifier information in the Buildroot package and (2) get
> the NVD database maintainers to fix the CVE entry to indicate which
> fastd version has fixed the security vulnerability.

Well, that's something to work with. Specific actions to take.

Thanks for those hints.

Greets
Alex

-- 
/"\ ASCII RIBBON | "With the first link, the chain is forged. The first
\ / CAMPAIGN     | speech censured, the first thought forbidden, the
 X  AGAINST      | first freedom denied, chains us all irrevocably."
/ \ HTML MAIL    | (Jean-Luc Picard, quoting Judge Aaron Satie)

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Buildroot] [PATCH] package/fastd: add FASTD_CPE_ID_VERSION
  2021-03-29 13:28   ` Thomas Petazzoni
  2021-03-29 13:46     ` Alexander Dahl
@ 2021-03-29 19:29     ` Alexander Dahl
  2021-03-30 19:44       ` Thomas Petazzoni
  2021-04-03 10:34       ` Peter Korsgaard
  2021-04-05 12:36     ` [Buildroot] fastd CPE/CVE reporting (Was: [autobuild.buildroot.net] Your daily results for 2021-03-21) Alexander Dahl
  2 siblings, 2 replies; 10+ messages in thread
From: Alexander Dahl @ 2021-03-29 19:29 UTC (permalink / raw)
  To: buildroot

With that FASTD_CPE_ID expands to:

    cpe:2.3:a:fastd_project:fastd:21.0:*:*:*:*:*:*:*

That's the same as listed on
https://nvd.nist.gov/products/cpe/detail/826746

Signed-off-by: Alexander Dahl <post@lespocky.de>
---
 package/fastd/fastd.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/fastd/fastd.mk b/package/fastd/fastd.mk
index bbec63d963..c1db1cc472 100644
--- a/package/fastd/fastd.mk
+++ b/package/fastd/fastd.mk
@@ -9,6 +9,7 @@ FASTD_SITE = https://github.com/NeoRaider/fastd/releases/download/v$(FASTD_VERSI
 FASTD_SOURCE = fastd-$(FASTD_VERSION).tar.xz
 FASTD_LICENSE = BSD-2-Clause
 FASTD_LICENSE_FILES = COPYRIGHT
+FASTD_CPE_ID_VERSION = $(FASTD_VERSION).0
 FASTD_DEPENDENCIES = host-bison host-pkgconf libuecc libsodium
 
 ifeq ($(BR2_PACKAGE_LIBCAP),y)
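
Review bot: the added `FASTD_CPE_ID_VERSION = $(FASTD_VERSION).0` line carries no comment saying why `.0` is appended. The commit message shows the intent (the package version has to become the `21.0` form listed in NVD), but a reader of fastd.mk only sees an unexplained suffix, and a later bump to a version that already has a minor component would silently expand to a three-part string. A one-line comment above the assignment naming the NVD version form would prompt whoever bumps FASTD_VERSION to re-check it.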

base-commit: 86d70b64815ca5ced09525d0537e48aa69f6976c
-- 
2.20.1

^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [Buildroot] [PATCH] package/fastd: add FASTD_CPE_ID_VERSION
  2021-03-29 19:29     ` [Buildroot] [PATCH] package/fastd: add FASTD_CPE_ID_VERSION Alexander Dahl
@ 2021-03-30 19:44       ` Thomas Petazzoni
  2021-04-03 10:34       ` Peter Korsgaard
  1 sibling, 0 replies; 10+ messages in thread
From: Thomas Petazzoni @ 2021-03-30 19:44 UTC (permalink / raw)
  To: buildroot

On Mon, 29 Mar 2021 21:29:05 +0200
Alexander Dahl <post@lespocky.de> wrote:

> With that FASTD_CPE_ID expands to:
> 
>     cpe:2.3:a:fastd_project:fastd:21.0:*:*:*:*:*:*:*
> 
> That's the same as listed on
> https://nvd.nist.gov/products/cpe/detail/826746
> 
> Signed-off-by: Alexander Dahl <post@lespocky.de>
> ---
>  package/fastd/fastd.mk | 1 +
>  1 file changed, 1 insertion(+)

Thanks a lot for taking a look at this! Applied, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Buildroot] [PATCH] package/fastd: add FASTD_CPE_ID_VERSION
  2021-03-29 19:29     ` [Buildroot] [PATCH] package/fastd: add FASTD_CPE_ID_VERSION Alexander Dahl
  2021-03-30 19:44       ` Thomas Petazzoni
@ 2021-04-03 10:34       ` Peter Korsgaard
  1 sibling, 0 replies; 10+ messages in thread
From: Peter Korsgaard @ 2021-04-03 10:34 UTC (permalink / raw)
  To: buildroot

>>>>> "Alexander" == Alexander Dahl <post@lespocky.de> writes:

 > With that FASTD_CPE_ID expands to:
 >     cpe:2.3:a:fastd_project:fastd:21.0:*:*:*:*:*:*:*

 > That's the same as listed on
 > https://nvd.nist.gov/products/cpe/detail/826746

 > Signed-off-by: Alexander Dahl <post@lespocky.de>

Committed to 2021.02.x, thanks.

-- 
Bye, Peter Korsgaard

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Buildroot] fastd CPE/CVE reporting (Was: [autobuild.buildroot.net] Your daily results for 2021-03-21)
  2021-03-29 13:28   ` Thomas Petazzoni
  2021-03-29 13:46     ` Alexander Dahl
  2021-03-29 19:29     ` [Buildroot] [PATCH] package/fastd: add FASTD_CPE_ID_VERSION Alexander Dahl
@ 2021-04-05 12:36     ` Alexander Dahl
  2021-04-06 22:04       ` Thomas Petazzoni
  2 siblings, 1 reply; 10+ messages in thread
From: Alexander Dahl @ 2021-04-05 12:36 UTC (permalink / raw)
  To: buildroot

Hello Thomas,

On Mon, Mar 29, 2021 at 03:28:03PM +0200, Thomas Petazzoni wrote:
> For this particular fastd CVE issue, what needs to be added is (1) the
> proper CPE identifier information in the Buildroot package and (2) get
> the NVD database maintainers to fix the CVE entry to indicate which
> fastd version has fixed the security vulnerability.

I hoped to have added the proper CPE identifier with ebe599de08ec
("package/fastd: add FASTD_CPE_ID_VERSION") in master (which was also
backported to 2021.02.x). However I got another warning mail today.

I'm not sure I understand (2) correctly. As far as I can see at
https://nvd.nist.gov/vuln/detail/CVE-2020-27638 that CVE is marked as
fixed for fastd 21.0.

Is there anything I missed to set for the buildroot package?

Greets
Alex

-- 
/"\ ASCII RIBBON | "With the first link, the chain is forged. The first
\ / CAMPAIGN     | speech censured, the first thought forbidden, the
 X  AGAINST      | first freedom denied, chains us all irrevocably."
/ \ HTML MAIL    | (Jean-Luc Picard, quoting Judge Aaron Satie)

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Buildroot] fastd CPE/CVE reporting (Was: [autobuild.buildroot.net] Your daily results for 2021-03-21)
  2021-04-05 12:36     ` [Buildroot] fastd CPE/CVE reporting (Was: [autobuild.buildroot.net] Your daily results for 2021-03-21) Alexander Dahl
@ 2021-04-06 22:04       ` Thomas Petazzoni
  2021-04-07  8:11         ` [Buildroot] fastd CPE/CVE reporting Alexander Dahl
  0 siblings, 1 reply; 10+ messages in thread
From: Thomas Petazzoni @ 2021-04-06 22:04 UTC (permalink / raw)
  To: buildroot

Hello Alexander,

On Mon, 5 Apr 2021 14:36:01 +0200
Alexander Dahl <post@lespocky.de> wrote:

> On Mon, Mar 29, 2021 at 03:28:03PM +0200, Thomas Petazzoni wrote:
> > For this particular fastd CVE issue, what needs to be added is (1) the
> > proper CPE identifier information in the Buildroot package and (2) get
> > the NVD database maintainers to fix the CVE entry to indicate which
> > fastd version has fixed the security vulnerability.  
> 
> I hoped to have added the proper CPE identifier with ebe599de08ec
> ("package/fastd: add FASTD_CPE_ID_VERSION") in master (which was also
> backported to 2021.02.x). However I got another warning mail today.
> 
> I'm not sure I understand (2) correctly. As far as I can see at
> https://nvd.nist.gov/vuln/detail/CVE-2020-27638 that CVE is marked as
> fixed for fastd 21.0.
> 
> Is there anything I missed to set for the buildroot package?

I looked into this, and the bug is in the pkg-stats tool. Basically the
<pkg>_CPE_ID_VERSION field was used for exact matches of the CPE ID
into the NVD database. However, in this case there is no exact match as
the CPE ID of the CVE entry is
cpe:2.3:a:fastd_project:fastd:*:*:*:*:*:*:*:*. And then, when comparing
against the "Up to (excluding) 21.0" information, we were still using
<pkg>_VERSION rather than the version field of the CPE ID.

My fix for now is:

diff --git a/support/scripts/cve.py b/support/scripts/cve.py
index 6e97ea193f..183e7a0d7f 100755
--- a/support/scripts/cve.py
+++ b/support/scripts/cve.py
@@ -223,6 +223,8 @@ class CVE:
         # if we don't have a cpeid, build one based on name and version
         if not cpeid:
             cpeid = "cpe:2.3:*:*:%s:%s:*:*:*:*:*:*:*" % (name, version)
+        else:
+            pkg_version = distutils.version.LooseVersion(cpe_version(cpeid))
 
         for cpe in self.each_cpe():
             if not cpe_matches(cpe['id'], cpeid):
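
Review bot: the new `else:` branch takes `cpe_version(cpeid)` unconditionally, so if a package's CPE ID ever carries `*` or `-` in its version field, that placeholder is handed to `LooseVersion` and then to the range comparison. Falling back to the package version in that case would keep the branch safe, and a comment like the one on the `if not cpeid:` branch, saying why the CPE version is preferred over `version`, would document the intent.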

Which if you apply, and run "make pkg-stats" on a configuration that
has fastd enabled no longer shows this CVE as affecting the fastd
package.

I'll sleep on that and hopefully submit this patch properly in the next
days.

Thanks,

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

^ permalink raw reply related	[flat|nested] 10+ messages in thread
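
The comparison described in the message above, as an added example that is not part of the original mail and is not Buildroot's cve.py. The names `cpe_fields`, `cpe_match`, `version_key`, `is_affected` and the `NVD_ENTRY` dict are assumptions made for this sketch, and `version_key` is a simplified stand-in for loose version ordering. The third case goes one step beyond the thread: a package with no CPE ID set still compares its raw version.

```python
import re

# Constructed sample of the NVD data the thread describes for CVE-2020-27638:
# a wildcard-version CPE ID plus an "Up to (excluding) 21.0" bound.
NVD_ENTRY = {
    "id": "cpe:2.3:a:fastd_project:fastd:*:*:*:*:*:*:*:*",
    "version_end_excluding": "21.0",
}
# CPE ID the package expands to once FASTD_CPE_ID_VERSION is set.
FASTD_CPEID = "cpe:2.3:a:fastd_project:fastd:21.0:*:*:*:*:*:*:*"


def cpe_fields(cpeid):
    """Split a CPE 2.3 formatted string; escaped ':' is not handled."""
    fields = cpeid.split(":")
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpeid)
    return fields


def cpe_match(a, b):
    """Field-wise match where '*' on either side matches anything."""
    return all(x == y or "*" in (x, y)
               for x, y in zip(cpe_fields(a), cpe_fields(b)))


def version_key(version):
    """Loose ordering key: '21' has one component, '21.0' has two."""
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return [(0, int(t)) if t.isdigit() else (1, t) for t in tokens]


def is_affected(name, version, cpeid, entry, use_cpe_version):
    """True when the package falls inside the CVE entry's version range.

    use_cpe_version=False: the range check uses the package version (the
    behaviour the thread reports). True: use the version field of the
    package's CPE ID when it holds a concrete version.
    """
    compared = version
    if not cpeid:
        # No CPE ID set: build one from name and version.
        cpeid = "cpe:2.3:*:*:%s:%s:*:*:*:*:*:*:*" % (name, version)
    elif use_cpe_version and cpe_fields(cpeid)[5] not in ("*", "-"):
        compared = cpe_fields(cpeid)[5]
    if not cpe_match(entry["id"], cpeid):
        return False
    end = entry.get("version_end_excluding")
    if end is None:
        return True  # no upper bound recorded: every matching version counts
    return version_key(compared) < version_key(end)


if __name__ == "__main__":
    for label, cpeid, flag in [
        ("package version, CPE ID set", FASTD_CPEID, False),
        ("CPE ID version, CPE ID set", FASTD_CPEID, True),
        ("no CPE ID set", None, True),
    ]:
        print(label, "->", is_affected("fastd", "21", cpeid, NVD_ENTRY, flag))
```

With the package version `21` the range check against `21.0` reports the CVE, because the shorter version orders first; with the CPE ID's `21.0` it does not.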

* [Buildroot] fastd CPE/CVE reporting
  2021-04-06 22:04       ` Thomas Petazzoni
@ 2021-04-07  8:11         ` Alexander Dahl
  0 siblings, 0 replies; 10+ messages in thread
From: Alexander Dahl @ 2021-04-07  8:11 UTC (permalink / raw)
  To: buildroot

Hello Thomas,

I tried a build based on qemu_x86_64_defconfig this morning like this:

1. `make distclean`
2. `make qemu_x86_64_defconfig`
3. `make menuconfig` and enable BR2_PACKAGE_FASTD
4. `make`

... (see below)

On Wed, Apr 07, 2021 at 12:04:38AM +0200, Thomas Petazzoni wrote:
> Hello Alexander,
> 
> On Mon, 5 Apr 2021 14:36:01 +0200
> Alexander Dahl <post@lespocky.de> wrote:
> 
> > On Mon, Mar 29, 2021 at 03:28:03PM +0200, Thomas Petazzoni wrote:
> > > For this particular fastd CVE issue, what needs to be added is (1) the
> > > proper CPE identifier information in the Buildroot package and (2) get
> > > the NVD database maintainers to fix the CVE entry to indicate which
> > > fastd version has fixed the security vulnerability.  
> > 
> > I hoped to have added the proper CPE identifier with ebe599de08ec
> > ("package/fastd: add FASTD_CPE_ID_VERSION") in master (which was also
> > backported to 2021.02.x). However I got another warning mail today.
> > 
> > I'm not sure I understand (2) correctly. As far as I can see at
> > https://nvd.nist.gov/vuln/detail/CVE-2020-27638 that CVE is marked as
> > fixed for fastd 21.0.
> > 
> > Is there anything I missed to set for the buildroot package?
> 
> I looked into this, and the bug is in the pkg-stats tool. Basically the
> <pkg>_CPE_ID_VERSION field was used for exact matches of the CPE ID
> into the NVD database. However, in this case there is no exact match as
> the CPE ID of the CVE entry is
> cpe:2.3:a:fastd_project:fastd:*:*:*:*:*:*:*:*. And then, when comparing
> against the "Up to (excluding) 21.0" information, we were still using
> <pkg>_VERSION rather than the version field of the CPE ID.

Sorry, I don't understand all the details. O:-)

> My fix for now is:
> 
> diff --git a/support/scripts/cve.py b/support/scripts/cve.py
> index 6e97ea193f..183e7a0d7f 100755
> --- a/support/scripts/cve.py
> +++ b/support/scripts/cve.py
> @@ -223,6 +223,8 @@ class CVE:
>          # if we don't have a cpeid, build one based on name and version
>          if not cpeid:
>              cpeid = "cpe:2.3:*:*:%s:%s:*:*:*:*:*:*:*" % (name, version)
> +        else:
> +            pkg_version = distutils.version.LooseVersion(cpe_version(cpeid))
>  
>          for cpe in self.each_cpe():
>              if not cpe_matches(cpe['id'], cpeid):
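
Review bot: packages that take the `if not cpeid:` path still feed the raw `version` into both the generated CPE ID and the later range comparison, so a package versioned `21` whose NVD bound is written `21.0` would keep being reported on that path, since `LooseVersion` orders `21` before `21.0`. It is worth either padding missing components before comparing or stating in a comment that such packages are expected to set `<pkg>_CPE_ID_VERSION`.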
> 
> Which if you apply, and run "make pkg-stats" on a configuration that
> has fastd enabled no longer shows this CVE as affecting the fastd
> package.

I tried this:

5. `make pkg-stats` (result still reports fastd CVE)
6. saved output/pkg-stats.html for later comparison
7. applied your diff and `make pkg-stats` again

This is the diff in the resulting html:

--- pkg-stats.html.old  2021-04-07 09:02:37.489491665 +0200
+++ pkg-stats.html      2021-04-07 10:02:20.819888329 +0200
@@ -387,7 +387,7 @@
   <td class="centered">1.46.2</td>
   <td class="centered correct version-good"><a href="https://release-monitoring.org/project/646"><b>1.46.2</b></a><br/>found by <a href="https://release-monitoring.org/distro/Buildroot/">distro</a></td>
   <td class="centered correct">0</td>
-  <td class="centered good_url"><a href=http://e2fsprogs.sourceforge.net>Link</a></td>
+  <td class="centered missing_url invalid_url"><a href=http://e2fsprogs.sourceforge.net>invalid (err)</a></td>
   <td class="centered cve-ok">
     N/A
   </td>
@@ -406,7 +406,7 @@
   <td class="centered">2.3.0</td>
   <td class="centered correct version-good"><a href="https://release-monitoring.org/project/770"><b>2.3.0</b></a><br/>found by <a href="https://release-monitoring.org/distro/Buildroot/">distro</a></td>
   <td class="centered correct">0</td>
-  <td class="centered good_url"><a href=http://expat.sourceforge.net>Link</a></td>
+  <td class="centered missing_url invalid_url"><a href=http://expat.sourceforge.net>invalid (err)</a></td>
   <td class="centered cve-ok">
     N/A
   </td>
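
Review bot: the e2fsprogs and expat rows in these two hunks change only their URL-status cell (`good_url` to `missing_url invalid_url`, link text `invalid (err)`), while their CVE cell stays `cve-ok`, so they say nothing about the cve.py change. Compare two runs of `make pkg-stats` on the same tree without the patch before attributing these flips to it.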
@@ -444,8 +444,8 @@
   <td class="centered correct version-good"><a href="https://release-monitoring.org/project/17116"><b>21</b></a><br/>found by <a href="https://release-monitoring.org/distro/Buildroot/">distro</a></td>
   <td class="centered correct">0</td>
   <td class="centered good_url"><a href=https://github.com/NeoRaider/fastd/wiki>Link</a></td>
-  <td class="centered cve-nok">
-   <a href="https://security-tracker.debian.org/tracker/CVE-2020-27638">CVE-2020-27638<br/>
+  <td class="centered cve-ok">
+    N/A
   </td>
   <td class="left cpe-ok">
   <code>cpe:2.3:a:fastd_project:fastd:21.0:*:*:*:*:*:*:*</code>
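
Review bot: in the removed `cve-nok` cell, the `<a href="...">CVE-2020-27638<br/>` line is followed directly by `</td>`, so the generated report never closes the anchor. The pkg-stats template should emit `</a>` before the `<br/>` so that each CVE link is well-formed.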
@@ -1182,12 +1182,12 @@
 <tr><td>Packages that are up-to-date</td><td>24</td></tr>
 <tr><td>Packages that are not up-to-date</td><td>16</td></tr>
 <tr><td>Packages with no known upstream version</td><td>14</td></tr>
-<tr><td>Packages affected by CVEs</td><td>5</td></tr>
-<tr><td>Total number of CVEs affecting all packages</td><td>92</td></tr>
+<tr><td>Packages affected by CVEs</td><td>4</td></tr>
+<tr><td>Total number of CVEs affecting all packages</td><td>91</td></tr>
 <tr><td>Packages with CPE ID</td><td>23</td></tr>
 <tr><td>Packages without CPE ID</td><td>31</td></tr>
 </table>
-<p><i>Updated on 2021-04-07 06:35:10.183488, git commit d043f5775ac8d74e4970e03eec0cd8fe054e6263</i></p>
+<p><i>Updated on 2021-04-07 07:07:16.009887, git commit d043f5775ac8d74e4970e03eec0cd8fe054e6263</i></p>

 </body>
 <script>

So it looks good to me for fastd now, but I'm not sure about the
changes for e2fsprogs and expat. Is that a side effect of your diff?

> I'll sleep on that and hopefully submit this patch properly in the next
> days.
> 
> Thanks,

Thanks and Greets
Alex

-- 
/"\ ASCII RIBBON | "With the first link, the chain is forged. The first
\ / CAMPAIGN     | speech censured, the first thought forbidden, the
 X  AGAINST      | first freedom denied, chains us all irrevocably."
/ \ HTML MAIL    | (Jean-Luc Picard, quoting Judge Aaron Satie)

^ permalink raw reply	[flat|nested] 10+ messages in thread
