* [PATCH] iputils: Whitelist CVE-2000-1213 CVE-2000-1214
@ 2019-11-04 20:55 Adrian Bunk
2019-11-05 10:38 ` Ross Burton
2019-11-11 10:43 ` Adrian Bunk
0 siblings, 2 replies; 5+ messages in thread
From: Adrian Bunk @ 2019-11-04 20:55 UTC (permalink / raw)
To: openembedded-core
Signed-off-by: Adrian Bunk <bunk@stusta.de>
---
meta/recipes-extended/iputils/iputils_s20190709.bb | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/meta/recipes-extended/iputils/iputils_s20190709.bb b/meta/recipes-extended/iputils/iputils_s20190709.bb
index d8f2470d0c..3f9e9917f0 100644
--- a/meta/recipes-extended/iputils/iputils_s20190709.bb
+++ b/meta/recipes-extended/iputils/iputils_s20190709.bb
@@ -17,6 +17,10 @@ S = "${WORKDIR}/git"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>s\d+)"
+# Fixed in 2000-10-10, but the versioning of iputils
+# breaks the version order.
+CVE_CHECK_WHITELIST += "CVE-2000-1213 CVE-2000-1214"
+
PACKAGECONFIG ??= "libcap libgcrypt rarpd traceroute6"
PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false, libcap"
PACKAGECONFIG[libgcrypt] = "-DUSE_CRYPTO=gcrypt, -DUSE_CRYPTO=none, libgcrypt"
--
2.17.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] iputils: Whitelist CVE-2000-1213 CVE-2000-1214
2019-11-04 20:55 [PATCH] iputils: Whitelist CVE-2000-1213 CVE-2000-1214 Adrian Bunk
@ 2019-11-05 10:38 ` Ross Burton
2019-11-05 11:01 ` Adrian Bunk
2019-11-11 10:43 ` Adrian Bunk
1 sibling, 1 reply; 5+ messages in thread
From: Ross Burton @ 2019-11-05 10:38 UTC (permalink / raw)
To: Adrian Bunk, openembedded-core
On 04/11/2019 20:55, Adrian Bunk wrote:
> +# Fixed in 2000-10-10, but the versioning of iputils
> +# breaks the version order.
> +CVE_CHECK_WHITELIST += "CVE-2000-1213 CVE-2000-1214"
So the problem is that our PV matches the upstream git tags, which don't
match the naming convention in the CPE entries.
The tags are of the form s20190709, but the CPE uses 2010-10-10.
If we assume that the CPE version scheme will remain the same then we
can handle this for all cases in the recipe:
def cve_version(d):
import re
m = re.match(r"s(\d{4})(\d{2})(\d{2})", d.getVar("PV"))
return "-".join(m.groups())
CVE_VERSION = "${@cve_version(d)}"
Ross
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] iputils: Whitelist CVE-2000-1213 CVE-2000-1214
2019-11-05 10:38 ` Ross Burton
@ 2019-11-05 11:01 ` Adrian Bunk
2019-11-05 11:59 ` Ross Burton
0 siblings, 1 reply; 5+ messages in thread
From: Adrian Bunk @ 2019-11-05 11:01 UTC (permalink / raw)
To: Ross Burton; +Cc: openembedded-core
On Tue, Nov 05, 2019 at 10:38:32AM +0000, Ross Burton wrote:
> On 04/11/2019 20:55, Adrian Bunk wrote:
> > +# Fixed in 2000-10-10, but the versioning of iputils
> > +# breaks the version order.
> > +CVE_CHECK_WHITELIST += "CVE-2000-1213 CVE-2000-1214"
>
> So the problem is that our PV matches the upstream git tags, which don't
> match the naming convention in the CPE entries.
>
> The tags are of the form s20190709, but the CPE uses 2010-10-10.
>
> If we assume that the CPE version scheme will remain the same
>...
CVE-2010-2529 had an explicit list of affected versions of the
scheme 20100214.
These 19 year old ones from a time when CVE was new are outliers.
I would expect versions in new CVE to match the OE versioning,
except that the 's' might (or might not) be missing.
> Ross
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] iputils: Whitelist CVE-2000-1213 CVE-2000-1214
2019-11-05 11:01 ` Adrian Bunk
@ 2019-11-05 11:59 ` Ross Burton
0 siblings, 0 replies; 5+ messages in thread
From: Ross Burton @ 2019-11-05 11:59 UTC (permalink / raw)
To: Adrian Bunk; +Cc: openembedded-core
On 05/11/2019 11:01, Adrian Bunk wrote:
> On Tue, Nov 05, 2019 at 10:38:32AM +0000, Ross Burton wrote:
>> On 04/11/2019 20:55, Adrian Bunk wrote:
>>> +# Fixed in 2000-10-10, but the versioning of iputils
>>> +# breaks the version order.
>>> +CVE_CHECK_WHITELIST += "CVE-2000-1213 CVE-2000-1214"
>>
>> So the problem is that our PV matches the upstream git tags, which don't
>> match the naming convention in the CPE entries.
>>
>> The tags are of the form s20190709, but the CPE uses 2010-10-10.
>>
>> If we assume that the CPE version scheme will remain the same
>> ...
>
> CVE-2010-2529 had an explicit list of affected versions of the
> scheme 20100214.
>
> These 19 year old ones from a time when CVE was new are outliers.
> I would expect versions in new CVE to match the OE versioning,
> except that the 's' might (or might not) be missing.
<shakes fist>
Of course -2529 uses a different CPE product/vendor name to -1213 so
didn't appear in my search.
Okay, lets use the whitelist approach.
Ross
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] iputils: Whitelist CVE-2000-1213 CVE-2000-1214
2019-11-04 20:55 [PATCH] iputils: Whitelist CVE-2000-1213 CVE-2000-1214 Adrian Bunk
2019-11-05 10:38 ` Ross Burton
@ 2019-11-11 10:43 ` Adrian Bunk
1 sibling, 0 replies; 5+ messages in thread
From: Adrian Bunk @ 2019-11-11 10:43 UTC (permalink / raw)
To: openembedded-core
ping
Thanks
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-11-11 10:43 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-04 20:55 [PATCH] iputils: Whitelist CVE-2000-1213 CVE-2000-1214 Adrian Bunk
2019-11-05 10:38 ` Ross Burton
2019-11-05 11:01 ` Adrian Bunk
2019-11-05 11:59 ` Ross Burton
2019-11-11 10:43 ` Adrian Bunk
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.