* [Buildroot] [PATCH 1/1] package/lz4: annotate CVE-2014-4715
From: Fabrice Fontaine @ 2020-03-28  9:51 UTC
  To: buildroot

CVE-2014-4715 is misclassified (by our CVE tracker) as affecting
version 1.9.2, while in fact this issue has been fixed since lz4-r130:
https://github.com/lz4/lz4/commit/140e6e72ddb6fc5f7cd28ce0c8ec3812ef4a9c08

See https://github.com/lz4/lz4/issues/818

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/lz4/lz4.mk | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/package/lz4/lz4.mk b/package/lz4/lz4.mk
index 2a658fbba5..1d32666ccc 100644
--- a/package/lz4/lz4.mk
+++ b/package/lz4/lz4.mk
@@ -10,6 +10,12 @@ LZ4_INSTALL_STAGING = YES
 LZ4_LICENSE = BSD-2-Clause (library), GPL-2.0+ (programs)
 LZ4_LICENSE_FILES = lib/LICENSE programs/COPYING
 
+# CVE-2014-4715 is misclassified (by our CVE tracker) as affecting version
+# 1.9.2, while in fact this issue has been fixed since lz4-r130:
+# https://github.com/lz4/lz4/commit/140e6e72ddb6fc5f7cd28ce0c8ec3812ef4a9c08
+# See https://github.com/lz4/lz4/issues/818
+LZ4_IGNORE_CVES += CVE-2014-4715
+
 ifeq ($(BR2_STATIC_LIBS),y)
 LZ4_MAKE_OPTS += BUILD_SHARED=no
 else ifeq ($(BR2_SHARED_LIBS),y)
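Review bot: the comment above LZ4_IGNORE_CVES says the fix has been in place since lz4-r130, but the reply later in this thread reports the same linked commit as present from r118 onwards, and the NVD entry being disputed is bounded at "up to (including) r118", so the two numbers do not agree; state the first tagged release that actually contains 140e6e72, since that is the number anyone re-checking the ignore entry will compare against NVD's range. It would also help to record the lz4 version (1.9.2) this was assessed against, so a later version bump prompts a re-check instead of carrying the ignore forward silently.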
-- 
2.25.1


* [Buildroot] [PATCH 1/1] package/lz4: annotate CVE-2014-4715
From: Thomas Petazzoni @ 2020-03-28 14:08 UTC
  To: buildroot

Hello,

+Matt Weber and Akshay Bhat to discuss this issue.

On Sat, 28 Mar 2020 10:51:38 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> CVE-2014-4715 is misclassified (by our CVE tracker) as affecting
> version 1.9.2, while in fact this issue has been fixed since lz4-r130:
> https://github.com/lz4/lz4/commit/140e6e72ddb6fc5f7cd28ce0c8ec3812ef4a9c08
> 
> See https://github.com/lz4/lz4/issues/818
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

So I've applied this patch, but what can we do to fix this properly?
The NVD database says that versions < r118 are affected, but of course
with the project having changed its numbering scheme (current version
is 1.9.2), making comparisons is difficult.

Indeed, after r131, the next version was v1.7.3. Can we ask the NVD
maintainers to indicate that versions earlier than v1.7.3 are
vulnerable?

Thanks,

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH 1/1] package/lz4: annotate CVE-2014-4715
From: Akshay Bhat @ 2020-03-28 15:07 UTC
  To: buildroot

Hi Thomas,

On Sat, Mar 28, 2020 at 10:08 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> So I've applied this patch, but what can we do to fix this properly?
> The NVD database says that versions < r118 are affected, but of course
> with the project having changed its numbering scheme (current version
> is 1.9.2), making comparisons is difficult.
>
> Indeed, after r131, the next version was v1.7.3. Can we ask the NVD
> maintainers to indicate that versions earlier than v1.7.3 are
> vulnerable?

Interesting case! The fix has been there since r118 (including).
(Expand the tags in the github link:
https://github.com/lz4/lz4/commit/140e6e72ddb6fc5f7cd28ce0c8ec3812ef4a9c08)

Thankfully CVE-2014-4715 is the only CVE using the old version scheme.
So the 2 easy options are:
1. Live with the patch from Fabrice for ignoring CVEs, since we don't
expect this list to grow (OR)
2. Since there are only 2 tagged releases before r118, ask NVD to
change the affected version:
From
cpe:2.3:a:yann_collet:lz4:*:*:*:*:*:*:*:*  Up to (including) r118
To
cpe:2.3:a:yann_collet:lz4:r116:*:*:*:*:*:*:*
cpe:2.3:a:yann_collet:lz4:r117:*:*:*:*:*:*:*

This way, comparing the new versions (e.g. 1.9.2) will not match
either r116 or r117, since there is no "<=" check involved.
I would not recommend changing it to "earlier than v1.7.3", since r118 to
r131 are technically less than v1.7.3 and those versions are not
affected by this CVE.

Looks like Yocto decided to go the ignore cve route as well:
http://cgit.openembedded.org/openembedded-core/tree/meta/recipes-support/lz4/lz4_1.9.2.bb?h=master#n21

I can shoot an email to NVD if the above explicit calling out of
r116/r117 versions seems a better route.

Thanks,
Akshay


* [Buildroot] [PATCH 1/1] package/lz4: annotate CVE-2014-4715
From: Akshay Bhat @ 2020-03-28 15:58 UTC
  To: buildroot

On Sat, Mar 28, 2020 at 11:07 AM Akshay Bhat <akshay.bhat@timesys.com> wrote:
>
> Hi Thomas,
>
> On Sat, Mar 28, 2020 at 10:08 AM Thomas Petazzoni
> <thomas.petazzoni@bootlin.com> wrote:
> >
> > So I've applied this patch, but what can we do to fix this properly?
> > The NVD database says that versions < r118 are affected, but of course
> > with the project having changed its numbering scheme (current version
> > is 1.9.2), making comparisons is difficult.
> >
> > Indeed, after r131, the next version was v1.7.3. Can we ask the NVD
> > maintainers to indicate that versions earlier than v1.7.3 are
> > vulnerable?
>
> Interesting case! The fix has been there since r118 (including).
> (Expand the tags in the github link:
> https://github.com/lz4/lz4/commit/140e6e72ddb6fc5f7cd28ce0c8ec3812ef4a9c08)
>
> Thankfully CVE-2014-4715 is the only CVE using the old version scheme.
> So the 2 easy options are:
> 1. Live with the patch from Fabrice for ignoring CVEs, since we don't
> expect this list to grow (OR)
> 2. Since there are only 2 tagged releases before r118, ask NVD to
> change the affected version:
>
> From
> cpe:2.3:a:yann_collet:lz4:*:*:*:*:*:*:*:*  Up to (including) r118
> To
> cpe:2.3:a:yann_collet:lz4:r116:*:*:*:*:*:*:*
> cpe:2.3:a:yann_collet:lz4:r117:*:*:*:*:*:*:*

Hmm, digging deeper, the first release is r105; it looks like not all
the tags were carried over to GitHub when it was migrated!
https://fossies.org/linux/lz4/NEWS

So if we were to ask NVD to update the versions then we have to list
all versions before r118.

Another option is to make the version compare tool more intelligent, so
that it does not treat the old scheme (e.g. r118) as greater than the
current scheme (e.g. 1.9.2).

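The scheme mismatch Akshay describes in both of his messages (an "rNNN" revision sorting above "1.9.2" when a tracker compares against NVD's "up to (including) r118" range, versus the alternative of explicit r116/r117 CPE entries that need no range comparison) can be shown with a small scheme-aware comparator. The following is an added example written for this page; it is not Buildroot's support/scripts/cve.py nor lz4 project code. The CPE records are constructed from the entries quoted above rather than fetched from NVD, the function names are the example's own, the "naive" comparator is an illustration of how a scheme-unaware tool can mis-order and not a copy of any real tool, and the rule that every rNNN revision sorts before every dotted release is an assumption drawn from Thomas's note that v1.7.3 followed r131.

```python
"""Scheme-aware lz4 version ordering for NVD/CPE range matching.

Added example for this thread, not code from Buildroot's CVE tracker
(support/scripts/cve.py) or from the lz4 project. The CPE records are
constructed from what the thread quotes (NVD's wildcard entry bounded by
"up to and including r118", and the proposed explicit r116/r117 entries);
the ordering rule "every rNNN revision predates every dotted release" is
an assumption taken from the thread's statement that v1.7.3 followed r131.
"""
import re
from typing import List, Optional, Tuple

# Scheme rank: old "rNNN" revisions sort below every "x.y.z" release.
OLD_SCHEME, NEW_SCHEME = 0, 1

VersionKey = Tuple[int, Tuple[int, ...]]


def parse_version(text: str) -> VersionKey:
    """Map 'r118', 'v1.9.2' or '1.9.2' to a (scheme, numbers) sort key.

    Comparing keys rather than raw strings or leading integers is what
    stops 'r118' from ordering above '1.9.2'.
    """
    t = text.strip().lower()
    m = re.fullmatch(r"r(\d+)", t)
    if m:
        return (OLD_SCHEME, (int(m.group(1)),))
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", t)
    if m:
        return (NEW_SCHEME, tuple(int(p) for p in m.group(1).split(".")))
    raise ValueError(f"unrecognised lz4 version string: {text!r}")


def cpe_version(cpe: str) -> str:
    """Return the version field (sixth component) of a cpe:2.3 string."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a cpe:2.3 string: {cpe!r}")
    return fields[5]


def matches(cpe: str, version: str,
            end_including: Optional[str] = None,
            end_excluding: Optional[str] = None) -> bool:
    """NVD-style match: an explicit version field must be equal; a '*'
    field matches everything up to the end bound, if one is given."""
    v = parse_version(version)
    field = cpe_version(cpe)
    if field != "*":
        return parse_version(field) == v
    if end_including is not None:
        return v <= parse_version(end_including)
    if end_excluding is not None:
        return v < parse_version(end_excluding)
    return True


# (cpe, versionEndIncluding, versionEndExcluding) triples, constructed
# from the entries quoted in this thread.
NVD_AS_PUBLISHED: List[Tuple[str, Optional[str], Optional[str]]] = [
    ("cpe:2.3:a:yann_collet:lz4:*:*:*:*:*:*:*:*", "r118", None),
]
NVD_EXPLICIT_PROPOSAL: List[Tuple[str, Optional[str], Optional[str]]] = [
    ("cpe:2.3:a:yann_collet:lz4:r116:*:*:*:*:*:*:*", None, None),
    ("cpe:2.3:a:yann_collet:lz4:r117:*:*:*:*:*:*:*", None, None),
]


def affected(records, version: str) -> bool:
    """True if any CPE record in `records` covers `version`."""
    return any(matches(cpe, version, end_including=inc, end_excluding=exc)
               for cpe, inc, exc in records)


def naive_affected(version: str, end_including: str = "r118") -> bool:
    """Illustrative scheme-unaware comparison (an assumption about how a
    tracker can go wrong, not a copy of any real tool): drop the letter
    prefix and compare the leading integers, so '1.9.2' becomes 1 <= 118."""
    def lead(s: str) -> int:
        return int(re.match(r"\d+", s.lstrip("rv")).group(0))
    return lead(version) <= lead(end_including)


if __name__ == "__main__":
    for ver in ("r117", "r118", "r131", "1.7.3", "1.9.2"):
        print(f"{ver:>6}: naive={naive_affected(ver)!s:5} "
              f"scheme-aware={affected(NVD_AS_PUBLISHED, ver)!s:5} "
              f"explicit-r116/r117={affected(NVD_EXPLICIT_PROPOSAL, ver)}")
```

Run stand-alone, the table shows the point of the thread: with NVD's published range, the naive comparison flags 1.7.3 and 1.9.2 while the scheme-aware key only flags r117 and r118; with the explicit r116/r117 entries, no range comparison happens at all, so 1.9.2 cannot match, but r118 would not match either, which is why the second message notes that every pre-r118 release back to r105 would have to be listed for that route to be complete.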
