* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-07-12
From: Guillaume Bres @ 2020-07-17 13:01 UTC (permalink / raw)
  To: buildroot

Thomas, all,

> Packages with CVEs
> ==================
>
> This is the list of packages for which a known CVE is affecting them,
> which means a security vulnerability exists for those packages.
>
>              name              |       CVE        |
>      link
>
> -------------------------------+------------------+--------------------------------------------------------------
>                        libnids | CVE-2010-0751    |
> https://security-tracker.debian.org/tracker/CVE-2010-0751
>

What are your views about this problem?

Indeed I am using this lib to be able to (cross)compile 'dsniff' library,
but I did not want to introduce 'dsniff' to buildroot.
Do you consider this a problem, knowing that only one package requires this
lib & it is currently not integrated to Buildroot and, in my opinion,
should remain as is,

thanks

Guillaume W. Bres
Software engineer
<guillaume.bressaix@gmail.com>


On Mon, 13 Jul 2020 at 09:42, Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:

> Hello,
>
> Packages with CVEs
> ==================
>
> This is the list of packages for which a known CVE is affecting them,
> which means a security vulnerability exists for those packages.
>
>              name              |       CVE        |
>      link
>
> -------------------------------+------------------+--------------------------------------------------------------
>                        libnids | CVE-2010-0751    |
> https://security-tracker.debian.org/tracker/CVE-2010-0751
>
> --
> http://autobuild.buildroot.net
>

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-07-12
From: Thomas Petazzoni @ 2020-07-17 15:37 UTC (permalink / raw)
  To: buildroot

Hello,

+Matt in Cc. Matt, we detected an incorrect thing in the NVD database,
see below.

On Fri, 17 Jul 2020 15:01:26 +0200
Guillaume Bres <guillaume.bressaix@gmail.com> wrote:

> Indeed I am using this lib to be able to (cross)compile 'dsniff' library,
> but I did not want to introduce 'dsniff' to buildroot.
> Do you consider this a problem, knowing that only one package requires this
> lib & it is currently not integrated to Buildroot and, in my opinion,
> should remain as is,

There is a one line patch that Debian applied back in the days to fix
this vulnerability:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=576281;filename=CVE-2010-1144.patch;msg=5

However, this issue is fixed upstream in 1.24, as the code contains:

static void
ip_evictor(void)
{
  // fprintf(stderr, "ip_evict:numpack=%i\n", numpack);
  while (this_host && this_host->ip_frag_mem > IPFRAG_LOW_THRESH) {

This is consistent with the fact that Debian, which is packaging
version 1.24, no longer has the CVE patch.

This is even listed in the CHANGES file of the project:

v1.24 Mar 14 2010
- fixed another remotely triggerable NULL dereference in ip_fragment.c

The issue is that the NVD database entry for this CVE is wrong: it says
that version 1.24 is affected, while in fact it got fixed in 1.24. This
needs to be fixed in the NVD database. This libnids project
unfortunately doesn't have a publicly available version control system
with all the history, so it's not easy to say which versions are
affected, but at least versions prior to 1.24 are affected.

Matt: do you think we can get this to be fixed from the NVD database ?

In the meantime, in Buildroot I think we could add this CVE to
LIBNIDS_IGNORE_CVES, with a comment that says there's a bug in the NVD
database. You can send a patch that does that, Guillaume, if you want.

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

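The version-range matching and the ignore-list mechanism the two messages above turn on, as an added illustration that is not Buildroot's own CVE-matching script: an NVD-style range decides whether a package version is reported, and a per-package ignore entry with a recorded reason suppresses the entry the thread identifies as wrong. The NVD-like entries, the range field names (modelled on the NVD JSON feed's versionStartIncluding/versionEndIncluding/versionEndExcluding) and the ignore-list format are constructed for this example.

```python
"""Added illustration (not Buildroot's own CVE-matching script): how a CVE
match is decided from NVD-style version ranges, and how a per-package ignore
list with a recorded justification suppresses a known-bad NVD entry."""
from dataclasses import dataclass
from typing import List, Optional


def parse_version(v: str) -> tuple:
    """'1.24' -> ((0, 1), (0, 24)); non-numeric parts sort after numbers."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


@dataclass
class VersionRange:
    # Field names modelled on NVD JSON feed cpe_match entries; None = unbounded.
    start_including: Optional[str] = None
    end_including: Optional[str] = None
    end_excluding: Optional[str] = None

    def matches(self, version: str) -> bool:
        v = parse_version(version)
        if self.start_including and v < parse_version(self.start_including):
            return False
        if self.end_including and v > parse_version(self.end_including):
            return False
        if self.end_excluding and v >= parse_version(self.end_excluding):
            return False
        return True


@dataclass
class CveEntry:
    cve_id: str
    product: str
    ranges: List[VersionRange]


# Constructed NVD-like data reproducing the situation in the thread: the entry
# for CVE-2010-0751 lists libnids up to and including 1.24 as affected, while
# the project's CHANGES file records the fix as landing in 1.24.
NVD_SAMPLE = [
    CveEntry("CVE-2010-0751", "libnids", [VersionRange(end_including="1.24")]),
]

# What the entry would look like after NVD corrects it (assumed shape).
NVD_CORRECTED = [
    CveEntry("CVE-2010-0751", "libnids", [VersionRange(end_excluding="1.24")]),
]

# Per-package ignore list in the spirit of LIBNIDS_IGNORE_CVES: each id carries
# the reason, so the exception can be audited and dropped once NVD is fixed.
# Note that the ignore applies to whatever version the package is at, so it
# must be revisited on every version bump.
LIBNIDS_IGNORE_CVES = {
    "CVE-2010-0751": "NVD wrongly lists 1.24 as affected; fixed in 1.24 "
                     "(CHANGES: 'fixed another remotely triggerable NULL "
                     "dereference in ip_fragment.c')",
}


def report_cves(package: str, version: str, entries, ignore_cves=()) -> list:
    """Return the CVE ids that match package/version, minus ignored ones."""
    hits = []
    for e in entries:
        if e.product != package or e.cve_id in ignore_cves:
            continue
        if any(r.matches(version) for r in e.ranges):
            hits.append(e.cve_id)
    return hits


if __name__ == "__main__":
    print(report_cves("libnids", "1.24", NVD_SAMPLE))                      # false positive
    print(report_cves("libnids", "1.24", NVD_SAMPLE, LIBNIDS_IGNORE_CVES))  # suppressed
    print(report_cves("libnids", "1.23", NVD_SAMPLE))                      # genuinely affected
    print(report_cves("libnids", "1.24", NVD_CORRECTED))                   # clean once NVD is fixed
```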

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-07-12
From: Matthew Weber @ 2020-07-17 15:45 UTC (permalink / raw)
  To: buildroot

Thomas, Daniel,

On Fri, Jul 17, 2020 at 10:39 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello,
>
> +Matt in Cc. Matt, we detected an incorrect thing in the NVD database,
> see below.
>
> On Fri, 17 Jul 2020 15:01:26 +0200
> Guillaume Bres <guillaume.bressaix@gmail.com> wrote:
>
> > Indeed I am using this lib to be able to (cross)compile 'dsniff' library,
> > but I did not want to introduce 'dsniff' to buildroot.
> > Do you consider this a problem, knowing that only one package requires this
> > lib & it is currently not integrated to Buildroot and, in my opinion,
> > should remain as is,
>
> There is a one line patch that Debian applied back in the days to fix
> this vulnerability:
>
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=576281;filename=CVE-2010-1144.patch;msg=5
>
> However, this issue is fixed upstream in 1.24, as the code contains:
>
> static void
> ip_evictor(void)
> {
>   // fprintf(stderr, "ip_evict:numpack=%i\n", numpack);
>   while (this_host && this_host->ip_frag_mem > IPFRAG_LOW_THRESH) {
>
> This is consistent with the fact that Debian, which is packaging
> version 1.24, no longer has the CVE patch.
>
> This is even listed in the CHANGES file of the project:
>
> v1.24 Mar 14 2010
> - fixed another remotely triggerable NULL dereference in ip_fragment.c
>
> The issue is that the NVD database entry for this CVE is wrong: it says
> that version 1.24 is affected, while in fact it got fixed in 1.24. This
> needs to be fixed in the NVD database. This libnids project
> unfortunately doesn't have a publicly available version control system
> with all the history, so it's not easy to say which versions are
> affected, but at least versions prior to 1.24 are affected.
>
> Matt: do you think we can get this to be fixed from the NVD database ?
>

We should be able to.  Daniel, what is the current process for sending
a requested CVE version mapping update?

Guillaume, thanks for looking at this.

Regards,
Matt


* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-07-12
From: Matthew Weber @ 2020-07-17 15:46 UTC (permalink / raw)
  To: buildroot

+Daniel Riechers

On Fri, Jul 17, 2020 at 10:45 AM Matthew Weber
<matthew.weber@rockwellcollins.com> wrote:
>
> Thomas, Daniel,
>
> On Fri, Jul 17, 2020 at 10:39 AM Thomas Petazzoni
> <thomas.petazzoni@bootlin.com> wrote:
> >
> > Hello,
> >
> > +Matt in Cc. Matt, we detected an incorrect thing in the NVD database,
> > see below.
> >
> > On Fri, 17 Jul 2020 15:01:26 +0200
> > Guillaume Bres <guillaume.bressaix@gmail.com> wrote:
> >
> > > Indeed I am using this lib to be able to (cross)compile 'dsniff' library,
> > > but I did not want to introduce 'dsniff' to buildroot.
> > > Do you consider this a problem, knowing that only one package requires this
> > > lib & it is currently not integrated to Buildroot and, in my opinion,
> > > should remain as is,
> >
> > There is a one line patch that Debian applied back in the days to fix
> > this vulnerability:
> >
> >   https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=576281;filename=CVE-2010-1144.patch;msg=5
> >
> > However, this issue is fixed upstream in 1.24, as the code contains:
> >
> > static void
> > ip_evictor(void)
> > {
> >   // fprintf(stderr, "ip_evict:numpack=%i\n", numpack);
> >   while (this_host && this_host->ip_frag_mem > IPFRAG_LOW_THRESH) {
> >
> > This is consistent with the fact that Debian, which is packaging
> > version 1.24, no longer has the CVE patch.
> >
> > This is even listed in the CHANGES file of the project:
> >
> > v1.24 Mar 14 2010
> > - fixed another remotely triggerable NULL dereference in ip_fragment.c
> >
> > The issue is that the NVD database entry for this CVE is wrong: it says
> > that version 1.24 is affected, while in fact it got fixed in 1.24. This
> > needs to be fixed in the NVD database. This libnids project
> > unfortunately doesn't have a publicly available version control system
> > with all the history, so it's not easy to say which versions are
> > affected, but at least versions prior to 1.24 are affected.
> >
> > Matt: do you think we can get this to be fixed from the NVD database ?
> >
>
> We should be able to.  Daniel, what is the current process for sending
> a requested CVE version mapping update?
>
> Guillaume, thanks for looking at this.
>
> Regards,
> Matt



-- 

Matthew Weber | Associate Director Software Engineer | Commercial Avionics

COLLINS AEROSPACE

400 Collins Road NE, Cedar Rapids, Iowa 52498, USA

Tel: +1 319 295 7349 | FAX: +1 319 263 6099

matthew.weber at collins.com | collinsaerospace.com



CONFIDENTIALITY WARNING: This message may contain proprietary and/or
privileged information of Collins Aerospace and its affiliated
companies. If you are not the intended recipient, please 1) Do not
disclose, copy, distribute or use this message or its contents. 2)
Advise the sender by return email. 3) Delete all copies (including all
attachments) from your computer. Your cooperation is greatly
appreciated.


Any export restricted material should be shared using my
matthew.weber at corp.rockwellcollins.com address.


ALPHA BRAVO COLLINS | Aerospace Redefined

         __ l __

 \- - - -o-(_)-o- - - -/

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-07-12
From: Matthew Weber @ 2020-07-21 15:13 UTC (permalink / raw)
  To: buildroot

Thomas / Guillaume,


On Fri, Jul 17, 2020 at 10:39 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello,
>
> +Matt in Cc. Matt, we detected an incorrect thing in the NVD database,
> see below.
>
> On Fri, 17 Jul 2020 15:01:26 +0200
> Guillaume Bres <guillaume.bressaix@gmail.com> wrote:
>
> > Indeed I am using this lib to be able to (cross)compile 'dsniff' library,
> > but I did not want to introduce 'dsniff' to buildroot.
> > Do you consider this a problem, knowing that only one package requires this
> > lib & it is currently not integrated to Buildroot and, in my opinion,
> > should remain as is,
>
> There is a one line patch that Debian applied back in the days to fix
> this vulnerability:
>
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=576281;filename=CVE-2010-1144.patch;msg=5
>
> However, this issue is fixed upstream in 1.24, as the code contains:
>
> static void
> ip_evictor(void)
> {
>   // fprintf(stderr, "ip_evict:numpack=%i\n", numpack);
>   while (this_host && this_host->ip_frag_mem > IPFRAG_LOW_THRESH) {
>
> This is consistent with the fact that Debian, which is packaging
> version 1.24, no longer has the CVE patch.
>
> This is even listed in the CHANGES file of the project:
>
> v1.24 Mar 14 2010
> - fixed another remotely triggerable NULL dereference in ip_fragment.c
>
> The issue is that the NVD database entry for this CVE is wrong: it says
> that version 1.24 is affected, while in fact it got fixed in 1.24. This
> needs to be fixed in the NVD database. This libnids project
> unfortunately doesn't have a publicly available version control system
> with all the history, so it's not easy to say which versions are
> affected, but at least versions prior to 1.24 are affected.
>
> Matt: do you think we can get this to be fixed from the NVD database ?
>

I've submitted the following request to fix this:

1) Navigated to https://cveform.mitre.org/
2) "Select a request type" as "Request and update to an existing CVE Entry"
3) "Type of update requested" as "Update Description"
4) "CVE ID to be updated" as 2010-0751
5) "Description" as "We've found that the v1.24 fixes the CVE and all
prior versions contain the bug.  The CVE currently lists that 1.24 is
still vulnerable.  This can be proved by checking the CHANGES file
within the source archive
(https://sourceforge.net/projects/libnids/files/libnids/1.24/libnids-1.24.tar.gz/download)
that outlines this ("fixed another remotely triggerable NULL
dereference in ip_fragment.c") comment.  Also within that archive the
source code src/ip_fragment on line 378 has the fix
(https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=576281;filename=CVE-2010-1144.patch;msg=5)
(NOTE 2010-1144 is a rejected CVE which was split to include
2010-0751)."


Thomas, do you think it would be beneficial to add a section with
these notes in the manual?

Best Regards,
Matt


* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-07-12
From: Thomas Petazzoni @ 2020-07-21 15:23 UTC (permalink / raw)
  To: buildroot

Hello Matt,

On Tue, 21 Jul 2020 10:13:03 -0500
Matthew Weber <matthew.weber@collins.com> wrote:

> I've submitted the following request to fix this
> 
> 1) Navigated to https://cveform.mitre.org/
> 2) "Select a request type" as "Request and update to an existing CVE Entry"
> 3) "Type of update requested" as "Update Description"
> 4) "CVE ID to be updated" as 2010-0751
> 5) "Description" as "We've found that the v1.24 fixes the CVE and all
> prior versions contain the bug.  The CVE currently lists that 1.24 is
> still vulnerable.  This can be proved by checking the CHANGES file
> within the source archive
> (https://sourceforge.net/projects/libnids/files/libnids/1.24/libnids-1.24.tar.gz/download)
> that outlines this ("fixed another remotely triggerable NULL
> dereference in ip_fragment.c") comment.  Also within that archive the
> source code src/ip_fragment on line 378 has the fix
> (https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=576281;filename=CVE-2010-1144.patch;msg=5)
> (NOTE 2010-1144 is a rejected CVE which was split to include
> 2010-0751)."

Thanks for doing this !

> Thomas, do you think it would be beneficial to add a section with
> these notes in the manual?

Reading your e-mail, I was precisely thinking "it would be great to
write this down somewhere". I don't know if the manual is the right
place though, as it is really for Buildroot maintainers/developers.
Would the Wiki be a better location ?

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-07-12
From: Matthew Weber @ 2020-07-21 15:30 UTC (permalink / raw)
  To: buildroot

Thomas,

On Tue, Jul 21, 2020 at 10:27 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello Matt,
>
> On Tue, 21 Jul 2020 10:13:03 -0500
> Matthew Weber <matthew.weber@collins.com> wrote:
>
> > I've submitted the following request to fix this
> >
> > 1) Navigated to https://cveform.mitre.org/
> > 2) "Select a request type" as "Request and update to an existing CVE Entry"
> > 3) "Type of update requested" as "Update Description"
> > 4) "CVE ID to be updated" as 2010-0751
> > 5) "Description" as "We've found that the v1.24 fixes the CVE and all
> > prior versions contain the bug.  The CVE currently lists that 1.24 is
> > still vulnerable.  This can be proved by checking the CHANGES file
> > within the source archive
> > (https://sourceforge.net/projects/libnids/files/libnids/1.24/libnids-1.24.tar.gz/download)
> > that outlines this ("fixed another remotely triggerable NULL
> > dereference in ip_fragment.c") comment.  Also within that archive the
> > source code src/ip_fragment on line 378 has the fix
> > (https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=576281;filename=CVE-2010-1144.patch;msg=5)
> > (NOTE 2010-1144 is a rejected CVE which was split to include
> > 2010-0751)."
>
> Thanks for doing this !
>
> > Thomas, do you think it would be beneficial to add a section with
> > these notes in the manual?
>
> Reading your e-mail, I was precisely thinking "it would be great to
> write this down somewhere". I don't know if the manual is the right
> place though, as it is really for Buildroot maintainers/developers.
> Would the Wiki be a better location ?

Ah, yeah that could work.  I was looking at making a subsection under
"21.6. Reporting issues/bugs or getting help" if we do add it in the
manual.  There are going to be cases where a Buildroot CVE report
misreports because of our scripts, plus the case of an actual
dictionary bug.

Maybe we start on the wiki?

Regards,
Matt


* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-07-12
From: Thomas Petazzoni @ 2020-07-21 15:53 UTC (permalink / raw)
  To: buildroot

On Tue, 21 Jul 2020 10:30:34 -0500
Matthew Weber <matthew.weber@collins.com> wrote:

> Ah, yeah that could work.  I was looking at making a subsection under
> "21.6. Reporting issues/bugs or getting help" if we do add it in the
> manual.  There are going to be cases where a Buildroot CVE report
> misreports because of our scripts, plus the case of an actual
> dictionary bug.

I think section 21.6 is really more oriented towards end users of
Buildroot, and explains how they should get back to us to report
issues/bugs.

The topic of how to notify NVD maintainers of invalid CVEs is really
advanced, and mainly a Buildroot maintainer/developer topic.

> Maybe we start on the wiki?

Yes, I would say yes. Perhaps start a page related to security/CVE
tracking in Buildroot.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-07-12
From: Matthew Weber @ 2020-07-21 16:00 UTC (permalink / raw)
  To: buildroot

On Tue, Jul 21, 2020 at 10:55 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> On Tue, 21 Jul 2020 10:30:34 -0500
> Matthew Weber <matthew.weber@collins.com> wrote:
>
> > Ah, yeah that could work.  I was looking at making a subsection under
> > "21.6. Reporting issues/bugs or getting help" if we do add it in the
> > manual.  There are going to be cases where a Buildroot CVE report
> > misreports because of our scripts, plus the case of an actual
> > dictionary bug.
>
> I think section 21.6 is really more oriented towards end users of
> Buildroot, and explain how they should get back to us to report
> issues/bugs.
>
> The topic of how to notify NVD maintainers of invalid CVEs is really
> advanced, and mainly a Buildroot maintainer/developer topic.
>
> > Maybe we start on the wiki?
>
> Yes, I would say yes. Perhaps start a page related to security/CVE
> tracking in Buildroot.

On the main page I've added "Security Vulnerability Management" under
https://elinux.org/Buildroot#Important_links . I took a quick first
cut at pkgstats and developer email info as well.

Regards,
Matt


* [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-07-12
From: Thomas Petazzoni @ 2020-07-21 17:28 UTC (permalink / raw)
  To: buildroot

On Tue, 21 Jul 2020 11:00:58 -0500
Matthew Weber <matthew.weber@collins.com> wrote:

> On the main page I've added "Security Vulnerability Management" under
> https://elinux.org/Buildroot#Important_links .  I took a quick first
> cut at pkgstats and developer email info as well

Thanks, looks good!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
