* [Buildroot] [PATCH] package/lightning: stop spam!
@ 2021-10-15 21:50 Paul Cercueil
  2021-10-16  8:02 ` Yann E. MORIN
  0 siblings, 1 reply; 5+ messages in thread
From: Paul Cercueil @ 2021-10-15 21:50 UTC (permalink / raw)
  To: buildroot; +Cc: Paul Cercueil

Every week I receive an automated email that tells me about the
CVE-2020-7747 vulnerability in Lightning. This vulnerability however
applies to the Javascript lightning-server project, and not to the
GNU Lightning project.

Ignore this CVE in the Lightning package to reduce my stress levels.

Signed-off-by: Paul Cercueil <paul@crapouillou.net>
---
 package/lightning/lightning.mk | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/package/lightning/lightning.mk b/package/lightning/lightning.mk
index 3bd17bef56..38b132e082 100644
--- a/package/lightning/lightning.mk
+++ b/package/lightning/lightning.mk
@@ -12,6 +12,10 @@ LIGHTNING_INSTALL_STAGING = YES
 # We're patching include/Makefile.am
 LIGHTNING_AUTORECONF = YES
 
+# CVE-2020-7747 is for the Javascript lightning-server project, and not for
+# GNU Lightning.
+LIGHTNING_IGNORE_CVES = CVE-2020-7747
+
 ifeq ($(BR2_PACKAGE_LIGHTNING_DISASSEMBLER),y)
 LIGHTNING_DEPENDENCIES += binutils zlib
 LIGHTNING_CONF_OPTS += --enable-disassembler
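Review bot: Ignoring CVE-2020-7747 by ID leaves the underlying cause in place: the CVE was matched on the free-text package name "lightning", so any future CVE filed against the unrelated JavaScript lightning-server project will produce the same false positive and need another `LIGHTNING_IGNORE_CVES` entry. Once a CPE entry for GNU Lightning exists in the NIST dictionary, set `LIGHTNING_CPE_ID_VENDOR = gnu` so the match is made on the CPE identifier instead, and extend the comment above `LIGHTNING_IGNORE_CVES` to say the CVE was matched on the package name only, so a later reader does not take the ignore as a reviewed-and-not-exploitable verdict on a real GNU Lightning bug.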
-- 
2.33.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH] package/lightning: stop spam!
  2021-10-15 21:50 [Buildroot] [PATCH] package/lightning: stop spam! Paul Cercueil
@ 2021-10-16  8:02 ` Yann E. MORIN
  2021-10-18 13:21   ` [Buildroot] [External] " Weber, Matthew L Collins via buildroot
  0 siblings, 1 reply; 5+ messages in thread
From: Yann E. MORIN @ 2021-10-16  8:02 UTC (permalink / raw)
  To: Paul Cercueil; +Cc: Weber, Matthew L Collins, buildroot

Paul, All,

+Matthew

On 2021-10-15 22:50 +0100, Paul Cercueil spake thusly:
> Every week I receive an automated email that tells me about the
> CVE-2020-7747 vulnerability in Lightning. This vulnerability however
> applies to the Javascript lightning-server project, and not to the
> GNU Lightning project.
> 
> Ignore this CVE in the Lightning package to reduce my stress levels.
> 
> Signed-off-by: Paul Cercueil <paul@crapouillou.net>

The goal of sending those automated emails is explicitly to have people
registered in DEVELOPERS take action on those CVE reports. Such
actions can be bumping the package to a non-affected version,
backporting an upstream patch, or, as you did, marking them to be ignored.

Bonus point if the NIST CPE DB is updated to avoid the mismatch, like
adding an entry for GNU lightning, and thus setting the correct CPE_ID
in Buildroot.

Matt: is there a process to update the NIST CPE DB? Can we add that in the
manual, even just as a URL?

Anyway: applied to master, after rewording the commit log to avoid the
personal-tone message, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/lightning/lightning.mk | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/package/lightning/lightning.mk b/package/lightning/lightning.mk
> index 3bd17bef56..38b132e082 100644
> --- a/package/lightning/lightning.mk
> +++ b/package/lightning/lightning.mk
> @@ -12,6 +12,10 @@ LIGHTNING_INSTALL_STAGING = YES
>  # We're patching include/Makefile.am
>  LIGHTNING_AUTORECONF = YES
>  
> +# CVE-2020-7747 is for the Javascript lightning-server project, and not for
> +# GNU Lightning.
> +LIGHTNING_IGNORE_CVES = CVE-2020-7747
> +
>  ifeq ($(BR2_PACKAGE_LIGHTNING_DISASSEMBLER),y)
>  LIGHTNING_DEPENDENCIES += binutils zlib
>  LIGHTNING_CONF_OPTS += --enable-disassembler
> -- 
> 2.33.0
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [External] Re: [PATCH] package/lightning: stop spam!
  2021-10-16  8:02 ` Yann E. MORIN
@ 2021-10-18 13:21   ` Weber, Matthew L Collins via buildroot
  2021-10-18 15:33     ` Yann E. MORIN
  0 siblings, 1 reply; 5+ messages in thread
From: Weber, Matthew L Collins via buildroot @ 2021-10-18 13:21 UTC (permalink / raw)
  To: Yann E. MORIN, Paul Cercueil; +Cc: buildroot

Yann,

> From: Yann E. MORIN <yann.morin.1998@free.fr>
> Sent: Saturday, October 16, 2021 3:02 AM
> To: Paul Cercueil <paul@crapouillou.net>
> Cc: buildroot@buildroot.org <buildroot@buildroot.org>; Weber, Matthew L Collins <Matthew.Weber@collins.com>
> Subject: [External] Re: [Buildroot] [PATCH] package/lightning: stop spam!
>  
> Paul, All,
>
> +Matthew
>
> On 2021-10-15 22:50 +0100, Paul Cercueil spake thusly:
> > Every week I receive an automated email that tells me about the
> > CVE-2020-7747 vulnerability in Lightning. This vulnerability however
> > applies to the Javascript lightning-server project, and not to the
> > GNU Lightning project.
> >
> > Ignore this CVE in the Lightning package to reduce my stress levels.
> >
> > Signed-off-by: Paul Cercueil <paul@crapouillou.net>
>
> The goal of sending those automated emails is explicitly to have people
> registered in DEVELOPERS take action on those CVE reports. Such
> actions can be bumping the package to a non-affected version,
> backporting an upstream patch, or, as you did, marking them to be ignored.
>
> Bonus point if the NIST CPE DB is updated to avoid the mismatch, like
> adding an entry for GNU lightning, and thus setting the correct CPE_ID
> in Buildroot.
>
> Matt: is there a process to update the NIST CPE DB? Can we add that in the
> manual, even just as a URL?

Thomas and I had started this elinux page covering adding/updating a CVE or CPE.
https://www.elinux.org/Buildroot:Security_Vulnerability_Management

So in this case, I think we need to submit an entry for the GNU lightning package (cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*) as there isn't a CPE.  Once that's added, then this .mk can set "LIGHTNING_CPE_ID_VENDOR = gnu" so the CVE filter is clear for this package (right now it is free-text based and that's why you've picked up the server CVE).  I've emailed the XML [1] to NIST to make this update.

Regards,
Matt



[1]
<?xml version="1.0" encoding="utf-8"?>
<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0" xmlns:config="http://scap.nist.gov/schema/configuration/0.1" xmlns:cpe-23="http://scap.nist.gov/schema/cpe-extension/2.3" xmlns:meta="http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2" xmlns:ns6="http://scap.nist.gov/schema/scap-core/0.1" xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://scap.nist.gov/schema/cpe-extension/2.3 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary-extension_2.3.xsd http://cpe.mitre.org/dictionary/2.0 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary_2.3.xsd http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2 https://scap.nist.gov/schema/cpe/2.1/cpe-dictionary-metadata_0.2.xsd http://scap.nist.gov/schema/scap-core/0.3 https://scap.nist.gov/schema/nvd/scap-core_0.3.xsd http://scap.nist.gov/schema/configuration/0.1 https://scap.nist.gov/schema/nvd/configuration_0.1.xsd http://scap.nist.gov/schema/scap-core/0.1 https://scap.nist.gov/schema/nvd/scap-core_0.1.xsd">
        <cpe-item name="cpe:/a:gnu:lightning:2.1.3">
                <title xml:lang="en-US">GNU Lightning Project 2.1.3</title>
                <references>
                        <reference href="http://git.savannah.gnu.org/cgit/lightning.git">VERSION</reference>
                        <reference href="https://www.gnu.org/software/lightning/">PRODUCT</reference>
                </references>
                <cpe-23:cpe23-item name="cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*"/>
        </cpe-item>
</cpe-list>
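As an added example (not code from Buildroot, from pkg-stats, or from anyone in this thread), the Python below demonstrates the point Matt makes above: a free-text match on the package name "lightning" picks up a CVE filed against the unrelated JavaScript lightning-server project, while a match on the CPE vendor and product does not. The dictionary fragment is a constructed copy of the cpe:2.3:a:gnu:lightning:2.1.3 entry posted above; the second dictionary entry, the vendor name lightning-server_project, the affected-CPE list attached to CVE-2020-7747 and the status strings returned by cpe_status are all constructed for illustration. cpe_status only approximates the kind of "CPE version unknown in CPE database" report pkg-stats gives later in the thread; it is not the pkg-stats implementation.

```python
"""Added example: free-text CVE matching vs. CPE vendor:product matching.

Not Buildroot or pkg-stats code. The dictionary fragment, the CVE record's
affected-CPE list and the status strings are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

CPE23_NS = "http://scap.nist.gov/schema/cpe-extension/2.3"

# Constructed fragment: first entry copied from the thread, second entry made
# up for the unrelated JavaScript project (not real NVD data).
CPE_DICTIONARY = """<cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0"
          xmlns:cpe-23="http://scap.nist.gov/schema/cpe-extension/2.3">
  <cpe-item name="cpe:/a:gnu:lightning:2.1.3">
    <title xml:lang="en-US">GNU Lightning Project 2.1.3</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*"/>
  </cpe-item>
  <!-- constructed entry, vendor name is hypothetical -->
  <cpe-item name="cpe:/a:lightning-server_project:lightning-server:1.0.0">
    <title xml:lang="en-US">lightning-server 1.0.0</title>
    <cpe-23:cpe23-item name="cpe:2.3:a:lightning-server_project:lightning-server:1.0.0:*:*:*:*:*:*:*"/>
  </cpe-item>
</cpe-list>
"""

# Constructed CVE record: the ID and "applies to lightning-server" come from
# the thread; the summary text and affected-CPE list are made up.
CVES = [
    {
        "id": "CVE-2020-7747",
        "summary": "lightning-server: issue in the JavaScript project",
        "affects": ["cpe:2.3:a:lightning-server_project:lightning-server:*:*:*:*:*:*:*:*"],
    },
]


def parse_cpe23(name):
    """Split a CPE 2.3 formatted string into named fields.
    A literal ':' inside a field is escaped as '\\:', so split only on unescaped ones."""
    fields = re.split(r"(?<!\\):", name)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % name)
    keys = ("part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other")
    return dict(zip(keys, fields[2:]))


def load_cpe_dictionary(xml_text):
    """Index the dictionary as {(vendor, product): {version, ...}}."""
    index = {}
    root = ET.fromstring(xml_text)
    for item in root.iter("{%s}cpe23-item" % CPE23_NS):
        f = parse_cpe23(item.get("name"))
        index.setdefault((f["vendor"], f["product"]), set()).add(f["version"])
    return index


def cpe_status(index, vendor, product, version):
    """Approximation of a pkg-stats style check; the status strings are ours."""
    versions = index.get((vendor, product))
    if versions is None:
        return "product unknown"
    if version not in versions:
        return "version unknown"
    return "ok"


def match_by_name(cves, package_name):
    """Free-text matching: any record mentioning the name, substrings included.
    This is the kind of match that produced the false positive in the thread."""
    needle = package_name.lower()
    return [c for c in cves
            if needle in c["summary"].lower()
            or any(needle in a.lower() for a in c["affects"])]


def match_by_cpe(cves, vendor, product, version):
    """Exact vendor:product match; '*' in the record's version means any version."""
    hits = []
    for c in cves:
        for a in c["affects"]:
            f = parse_cpe23(a)
            if (f["vendor"], f["product"]) == (vendor, product) \
                    and f["version"] in ("*", version):
                hits.append(c)
                break
    return hits


if __name__ == "__main__":
    idx = load_cpe_dictionary(CPE_DICTIONARY)
    print("gnu:lightning:2.1.3 ->", cpe_status(idx, "gnu", "lightning", "2.1.3"))
    print("by name:", [c["id"] for c in match_by_name(CVES, "lightning")])
    print("by CPE: ", [c["id"] for c in match_by_cpe(CVES, "gnu", "lightning", "2.1.3")])
```

Run stand-alone, the name-based query returns CVE-2020-7747 for "lightning" while the CPE-based query for gnu:lightning:2.1.3 returns nothing, which is the effect setting LIGHTNING_CPE_ID_VENDOR is meant to achieve once the dictionary entry exists. The ignore list remains useful for CVEs that genuinely carry the package's CPE but are not applicable to the build, which is a different situation from a name collision.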

* Re: [Buildroot] [External] Re: [PATCH] package/lightning: stop spam!
  2021-10-18 13:21   ` [Buildroot] [External] " Weber, Matthew L Collins via buildroot
@ 2021-10-18 15:33     ` Yann E. MORIN
  2021-10-18 18:13       ` Weber, Matthew L Collins via buildroot
  0 siblings, 1 reply; 5+ messages in thread
From: Yann E. MORIN @ 2021-10-18 15:33 UTC (permalink / raw)
  To: Weber, Matthew L Collins
  Cc: Paul Cercueil, buildroot

Matthew, All,

On 2021-10-18 13:21 +0000, Weber, Matthew L Collins spake thusly:
> > From: Yann E. MORIN <yann.morin.1998@free.fr>
> > Matt: is there a process to update the NIST CPE DB? Can we add that in the
> > manual, even just as a URL?
> Thomas and I had started this elinux page covering adding/updating a CVE or CPE.
> https://www.elinux.org/Buildroot:Security_Vulnerability_Management

Ah, great! :-)

> So in this case, I think we need to submit an entry for the GNU
> lightning package (cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*) as
> there isn't a CPE. [...] I've emailed the XML [1] to NIST to make
> this update.

So if I follow correctly, GNU lightning did not exist in the NIST CPE.
I tried to look for it yesterday, and it turned up nothing.

But now, in addition to the one version you submitted (as per your XML,
below), there are a bunch of results, from version 1.0 up to and
including 2.1.3:

    https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=cpe:2.3:a:gnu:lightning

They were all added on 2021-10-18, so am I wrong in understanding that
your submission triggered some (automated/manual) scanning of the
upstream repo to generate all those entries?

> Once that's added, then this .mk can set "LIGHTNING_CPE_ID_VENDOR =
> gnu" so the CVE filter is clear for this package (right now it is
> free txt based and that's why you've picked up the server CVE).

Patch pending to be sent; pkg-stats still reports "CPE version unknown
in CPE database", although the website does include 2.1.3...

Thanks ! :-)

Regards,
Yann E. MORIN.

> Regards,
> Matt
> 
> 
> 
> [1]
> <?xml version="1.0" encoding="utf-8"?>
> <cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0" xmlns:config="http://scap.nist.gov/schema/configuration/0.1" xmlns:cpe-23="http://scap.nist.gov/schema/cpe-extension/2.3" xmlns:meta="http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2" xmlns:ns6="http://scap.nist.gov/schema/scap-core/0.1" xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://scap.nist.gov/schema/cpe-extension/2.3 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary-extension_2.3.xsd http://cpe.mitre.org/dictionary/2.0 https://scap.nist.gov/schema/cpe/2.3/cpe-dictionary_2.3.xsd http://scap.nist.gov/schema/cpe-dictionary-metadata/0.2 https://scap.nist.gov/schema/cpe/2.1/cpe-dictionary-metadata_0.2.xsd http://scap.nist.gov/schema/scap-core/0.3 https://scap.nist.gov/schema/nvd/scap-core_0.3.xsd http://scap.nist.gov/schema/configuration/0.1 https://scap.nist.gov/schema/nvd/configuration_0.1.xsd http://scap.nist.gov/schema/scap-core/0.1 https://scap.nist.gov/schema/nvd/scap-core_0.1.xsd">
>         <cpe-item name="cpe:/a:gnu:lightning:2.1.3">
>                 <title xml:lang="en-US">GNU Lightning Project 2.1.3</title>
>                 <references>
>                         <reference href="http://git.savannah.gnu.org/cgit/lightning.git">VERSION</reference>
>                         <reference href="https://www.gnu.org/software/lightning/">PRODUCT</reference>
>                 </references>
>                 <cpe-23:cpe23-item name="cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*"/>
>         </cpe-item>
> </cpe-list>


* Re: [Buildroot] [External] Re: [PATCH] package/lightning: stop spam!
  2021-10-18 15:33     ` Yann E. MORIN
@ 2021-10-18 18:13       ` Weber, Matthew L Collins via buildroot
  0 siblings, 0 replies; 5+ messages in thread
From: Weber, Matthew L Collins via buildroot @ 2021-10-18 18:13 UTC (permalink / raw)
  To: Yann E. MORIN; +Cc: Paul Cercueil, buildroot

Yann,

> From: Yann E. MORIN <yann.morin.1998@free.fr>
> Sent: Monday, October 18, 2021 10:33 AM
> To: Weber, Matthew L Collins <Matthew.Weber@collins.com>
> Cc: Paul Cercueil <paul@crapouillou.net>; buildroot@buildroot.org <buildroot@buildroot.org>
> Subject: Re: [External] Re: [Buildroot] [PATCH] package/lightning: stop spam!
>  
> Matthew, All,
>
> On 2021-10-18 13:21 +0000, Weber, Matthew L Collins spake thusly:

[snip]

>
> > So in this case, I think we need to submit an entry for the GNU
> > lightning package (cpe:2.3:a:gnu:lightning:2.1.3:*:*:*:*:*:*:*) as
> > there isn't a CPE. [...] I've emailed the XML [1] to NIST to make
> > this update.
>
> So if I follow correctly, GNU lightning did not exist in the NIST CPE.
> I tried to look for it yesterday, and it turned up nothing.
>
> But now, in addition to the one version you submitted (as per your XML,
> below), there are a bunch of results, from version 1.0 up to and
> including 2.1.3:

Correct, they add all entries so that the package can now be tagged with CVEs when they come up. They needed the latest example XML and then created the rest.

> > Once that's added, then this .mk can set "LIGHTNING_CPE_ID_VENDOR =
> > gnu" so the CVE filter is clear for this package (right now it is
> > free txt based and that's why you've picked up the server CVE).
>
> Patch pending to be sent; pkg-stats still reports "CPE version unknown
> in CPE database", although the website does include 2.1.3...

The CPE isn't yet set as valid in Buildroot so it can't find it. (guessing that script has some delay as well for updates?)

Regards,
Matt
