From: Matthew Weber <matthew.weber@rockwellcollins.com>
To: buildroot@busybox.net
Subject: [Buildroot] [autobuild.buildroot.net] Your daily results for 2020-07-12
Date: Fri, 17 Jul 2020 10:46:00 -0500
Message-ID: <CANQCQpba3fB=xDQ2zTz22RKtGroVc7RGy6BtQZShpZK3KMRLtg@mail.gmail.com>
In-Reply-To: <CANQCQpYvLur42NJ6BtBiMdgQynm644FQeB3h9pwG_o6WZmejTQ@mail.gmail.com>

+Daniel Riechers

On Fri, Jul 17, 2020 at 10:45 AM Matthew Weber
<matthew.weber@rockwellcollins.com> wrote:
>
> Thomas,  Daniel,
>
> On Fri, Jul 17, 2020 at 10:39 AM Thomas Petazzoni
> <thomas.petazzoni@bootlin.com> wrote:
> >
> > Hello,
> >
> > +Matt in Cc. Matt, we detected an incorrect thing in the NVD database,
> > see below.
> >
> > On Fri, 17 Jul 2020 15:01:26 +0200
> > Guillaume Bres <guillaume.bressaix@gmail.com> wrote:
> >
> > > Indeed I am using this lib to be able to (cross)compile 'dsniff' library,
> > > but I did not want to introduce 'dsniff' to buildroot.
> > > Do you consider this a problem, knowing that only one package requires this
> > > lib & it is currently not integrated to Buildroot and, in my opinion,
> > > should remain as is,
> >
> > There is a one line patch that Debian applied back in the days to fix
> > this vulnerability:
> >
> >   https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=576281;filename=CVE-2010-1144.patch;msg=5
> >
> > However, this issue is fixed upstream in 1.24, as the code contains:
> >
> > static void
> > ip_evictor(void)
> > {
> >   // fprintf(stderr, "ip_evict:numpack=%i\n", numpack);
> >   while (this_host && this_host->ip_frag_mem > IPFRAG_LOW_THRESH) {
> >
> > This is consistent with the fact that Debian, which is packaging
> > version 1.24, no longer has the CVE patch.
> >
> > This is even listed in the CHANGES file of the project:
> >
> > v1.24 Mar 14 2010
> > - fixed another remotely triggerable NULL dereference in ip_fragment.c
> >
> > The issue is that the NVD database entry for this CVE is wrong: it says
> > that version 1.24 is affected, while in fact it got fixed in 1.24. This
> > needs to be fixed in the NVD database. This libnids project
> > unfortunately doesn't have a publicly available version control system
> > with all the history, so it's not easy to say which versions are
> > affected, but at least versions prior to 1.24 are affected.
> >
> > Matt: do you think we can get this to be fixed from the NVD database ?
> >
>
> We should be able to.  Daniel, what is the current process for sending
> a requested CVE version mapping update?
>
> Guillaume, thanks for looking at this.
>
> Regards,
> Matt



-- 

Matthew Weber | Associate Director Software Engineer | Commercial Avionics

COLLINS AEROSPACE

400 Collins Road NE, Cedar Rapids, Iowa 52498, USA

Tel: +1 319 295 7349 | FAX: +1 319 263 6099

matthew.weber at collins.com | collinsaerospace.com
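
Added example, not part of the original message or of Buildroot's tooling: a small matcher showing how the version mapping discussed in this thread for CVE-2010-1144 changes the verdict for libnids 1.24. The range keys follow the NVD CPE-match field names; the two range dictionaries and the version list are constructed from the thread's description, not copied from the NVD record.

```python
import re

def parse_version(text):
    """Turn a dotted numeric version ('1.24') into a comparable tuple."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    while parts and parts[-1] == 0:   # so that 1.24 and 1.24.0 compare equal
        parts.pop()
    return tuple(parts)

def is_affected(version, version_range):
    """Evaluate a version against NVD-style range bounds (all must hold)."""
    v = parse_version(version)
    checks = {
        "versionStartIncluding": lambda bound: v >= bound,
        "versionStartExcluding": lambda bound: v > bound,
        "versionEndIncluding": lambda bound: v <= bound,
        "versionEndExcluding": lambda bound: v < bound,
    }
    unknown = set(version_range) - set(checks)
    if unknown:
        raise ValueError(f"unsupported range keys: {sorted(unknown)}")
    return all(checks[key](parse_version(bound))
               for key, bound in version_range.items())

def false_positives(versions, recorded, corrected):
    """Versions flagged by the recorded range but not by the corrected one."""
    return [v for v in versions
            if is_affected(v, recorded) and not is_affected(v, corrected)]

# Constructed ranges (assumption): the entry as the thread describes it
# ("1.24 is affected") versus the mapping it asks for ("fixed in 1.24").
RECORDED = {"versionEndIncluding": "1.24"}
CORRECTED = {"versionEndExcluding": "1.24"}

# Constructed sample of packaged versions to check.
SAMPLE_VERSIONS = ["1.23", "1.24", "1.24.0", "1.25"]

if __name__ == "__main__":
    for v in SAMPLE_VERSIONS:
        print(v, "recorded:", is_affected(v, RECORDED),
              "corrected:", is_affected(v, CORRECTED))
    print("false positives:",
          false_positives(SAMPLE_VERSIONS, RECORDED, CORRECTED))
```

Only the fixed release changes verdict between the two ranges; 1.23 stays flagged under both, matching the thread's statement that versions prior to 1.24 are affected.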



