From: "Steve Sakoman" <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 05/22] glibc: Document and whitelist CVE-2019-1010022-25
Date: Wed, 12 May 2021 04:56:44 -1000 [thread overview]
Message-ID: <d3fb35d17b726e8b4d358f331cc9a095934d72cc.1620831171.git.steve@sakoman.com> (raw)
In-Reply-To: <cover.1620831171.git.steve@sakoman.com>
From: Richard Purdie <richard.purdie@linuxfoundation.org>
These CVEs are disputed by upstream and there is no plan to fix/address them. No
other distros are carrying patches for them. There is a patch for 1010025
however it isn't merged upstream and probably carries more risk of other bugs
than not having it.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit b238db678083cc15313b98d2e33f83cccab03fc6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-core/glibc/glibc_2.31.bb | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb
index 22858bc563..23242fff76 100644
--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -5,6 +5,19 @@ CVE_CHECK_WHITELIST += "CVE-2020-10029 CVE-2020-6096 CVE-2016-10228 CVE-2020-175
CVE-2021-27645 CVE-2021-3326 CVE-2020-27618 CVE-2020-29562 CVE-2019-25013 \
"
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024
+# Upstream glibc maintainers dispute there is any issue and have no plans to address it further.
+# "this is being treated as a non-security bug and no real threat."
+CVE_CHECK_WHITELIST += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025
+# Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow
+# easier access for another. "ASLR bypass itself is not a vulnerability."
+# Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
+CVE_CHECK_WHITELIST += "CVE-2019-1010025"
+
DEPENDS += "gperf-native bison-native make-native"
NATIVESDKFIXES ?= ""
--
2.25.1
next prev parent reply other threads:[~2021-05-12 14:58 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-12 14:56 [OE-core][dunfell 00/22] Patch review Steve Sakoman
2021-05-12 14:56 ` [OE-core][dunfell 01/22] subversion: fix CVE-2020-17525 Steve Sakoman
2021-05-12 14:56 ` [OE-core][dunfell 02/22] qemu: fix CVE-2021-3392 Steve Sakoman
2021-05-12 14:56 ` [OE-core][dunfell 03/22] tiff: fix CVE-2020-35523 CVE-2020-35524 Steve Sakoman
2021-05-12 14:56 ` [OE-core][dunfell 04/22] python3-jinja2: 2.11.2 -> 2.11.3 Steve Sakoman
2021-05-12 14:56 ` Steve Sakoman [this message]
2021-05-12 14:56 ` [OE-core][dunfell 06/22] cairo: backport patch for CVE-2020-35492 Steve Sakoman
2021-05-12 14:56 ` [OE-core][dunfell 07/22] libnotify: whitelist CVE-2013-7381 (specific to the NodeJS bindings) Steve Sakoman
2021-05-12 14:56 ` [OE-core][dunfell 08/22] builder: whitelist CVE-2008-4178 (a different builder) Steve Sakoman
2021-05-12 14:56 ` [OE-core][dunfell 09/22] qemu: Exclude CVE-2017-5957 from cve-check Steve Sakoman
2021-05-12 14:56 ` [OE-core][dunfell 10/22] qemu: Exclude CVE-2007-0998 " Steve Sakoman
2021-05-12 14:56 ` [OE-core][dunfell 11/22] qemu: Exclude CVE-2018-18438 " Steve Sakoman
2021-05-12 14:56 ` [OE-core][dunfell 12/22] jquery: Exclude CVE-2007-2379 " Steve Sakoman
2021-05-12 14:56 ` [OE-core][dunfell 13/22] logrotate: Exclude CVE-2011-1548,1549,1550 " Steve Sakoman
2021-05-12 14:56 ` [OE-core][dunfell 14/22] openssh: Exclude CVE-2007-2768 " Steve Sakoman
2021-05-12 14:56 ` [OE-core][dunfell 15/22] oeqa/qemurunner: Fix binary vs str issue Steve Sakoman
2021-05-12 14:56 ` [OE-core][dunfell 16/22] oeqa/qemurunner: Improve handling of run_serial for shutdown commands Steve Sakoman
2021-05-12 14:56 ` [OE-core][dunfell 17/22] lsb-release: fix reproducibility failure Steve Sakoman
2021-05-12 14:56 ` [OE-core][dunfell 18/22] db: update CVE_PRODUCT Steve Sakoman
2021-05-12 14:56 ` [OE-core][dunfell 19/22] linux-firmware: upgrade 20210208 -> 20210315 Steve Sakoman
2021-05-12 14:56 ` [OE-core][dunfell 20/22] linux-yocto/5.4: qemuppc32: reduce serial shutdown issues Steve Sakoman
2021-05-12 14:57 ` [OE-core][dunfell 21/22] dejagnu: needs expect at runtime Steve Sakoman
2021-05-12 14:57 ` [OE-core][dunfell 22/22] linux-firmware: include all relevant files in -bcm4356 Steve Sakoman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d3fb35d17b726e8b4d358f331cc9a095934d72cc.1620831171.git.steve@sakoman.com \
--to=steve@sakoman.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.