* [Buildroot] [PATCH 1/2] package/heirloom-mailx: fix comment about ignore CVE-2014-7844
@ 2023-08-28 21:22 Thomas Petazzoni via buildroot
2023-08-28 21:22 ` [Buildroot] [PATCH 2/2] package/heirloom-mailx: ignore CVE-2004-2771 Thomas Petazzoni via buildroot
2023-09-14 8:23 ` [Buildroot] [PATCH 1/2] package/heirloom-mailx: fix comment about ignore CVE-2014-7844 Peter Korsgaard
0 siblings, 2 replies; 5+ messages in thread
From: Thomas Petazzoni via buildroot @ 2023-08-28 21:22 UTC (permalink / raw)
To: Buildroot List; +Cc: Thomas Petazzoni
In commit
15972770cf34ed0b0ba330e3cc42c04f1c80c3c8 ("package/heirloom-mailx:
security bump to version 12.5-5 from Debian"), we added CVE-2014-7844
in HEIRLOOM_MAILX_IGNORE_CVES, but with the wrong comment about it: it
is a different patch in the Debian stack of patches that fixes
it. Indeed the description of patch
0011-outof-Introduce-expandaddr-flag.patch is:
=====================================================================
Subject: [PATCH 1/4] outof: Introduce expandaddr flag
Document that address expansion is disabled unless the expandaddr
binary option is set.
This has been assigned CVE-2014-7844 for BSD mailx, but it is not
a vulnerability in Heirloom mailx because this feature was documented.
=====================================================================
See also https://marc.info/?l=oss-security&m=141875285203183&w=2 for
details.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
package/heirloom-mailx/heirloom-mailx.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/heirloom-mailx/heirloom-mailx.mk b/package/heirloom-mailx/heirloom-mailx.mk
index d3b8ad437a..bb2e1f48de 100644
--- a/package/heirloom-mailx/heirloom-mailx.mk
+++ b/package/heirloom-mailx/heirloom-mailx.mk
@@ -12,7 +12,7 @@ HEIRLOOM_MAILX_LICENSE = BSD-4-Clause, Bellcore (base64), OpenVision (imap_gssap
HEIRLOOM_MAILX_LICENSE_FILES = COPYING
HEIRLOOM_MAILX_CPE_ID_VENDOR = heirloom
HEIRLOOM_MAILX_CPE_ID_PRODUCT = mailx
-# 0014-globname-Invoke-wordexp-with-WRDE_NOCMD.patch in the Debian patches
+# 0011-outof-Introduce-expandaddr-flag.patch in the Debian patches
HEIRLOOM_MAILX_IGNORE_CVES += CVE-2014-7844
ifeq ($(BR2_PACKAGE_OPENSSL),y)
--
2.41.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [Buildroot] [PATCH 2/2] package/heirloom-mailx: ignore CVE-2004-2771
2023-08-28 21:22 [Buildroot] [PATCH 1/2] package/heirloom-mailx: fix comment about ignore CVE-2014-7844 Thomas Petazzoni via buildroot
@ 2023-08-28 21:22 ` Thomas Petazzoni via buildroot
2023-08-30 20:12 ` Arnout Vandecappelle via buildroot
2023-09-14 8:23 ` Peter Korsgaard
2023-09-14 8:23 ` [Buildroot] [PATCH 1/2] package/heirloom-mailx: fix comment about ignore CVE-2014-7844 Peter Korsgaard
1 sibling, 2 replies; 5+ messages in thread
From: Thomas Petazzoni via buildroot @ 2023-08-28 21:22 UTC (permalink / raw)
To: Buildroot List; +Cc: Thomas Petazzoni
The CVE-2004-2771 is already fixed by the Debian patch
0014-globname-Invoke-wordexp-with-WRDE_NOCMD.patch. The Debian patch
description is:
Subject: [PATCH 4/4] globname: Invoke wordexp with WRDE_NOCMD (CVE-2004-2771)
See also https://marc.info/?l=oss-security&m=141875285203183&w=2 for
more details.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
package/heirloom-mailx/heirloom-mailx.mk | 2 ++
1 file changed, 2 insertions(+)
diff --git a/package/heirloom-mailx/heirloom-mailx.mk b/package/heirloom-mailx/heirloom-mailx.mk
index bb2e1f48de..6e0f2c31ab 100644
--- a/package/heirloom-mailx/heirloom-mailx.mk
+++ b/package/heirloom-mailx/heirloom-mailx.mk
@@ -14,6 +14,8 @@ HEIRLOOM_MAILX_CPE_ID_VENDOR = heirloom
HEIRLOOM_MAILX_CPE_ID_PRODUCT = mailx
# 0011-outof-Introduce-expandaddr-flag.patch in the Debian patches
HEIRLOOM_MAILX_IGNORE_CVES += CVE-2014-7844
+# 0014-globname-Invoke-wordexp-with-WRDE_NOCMD.patch
+HEIRLOOM_MAILX_IGNORE_CVES += CVE-2004-2771
ifeq ($(BR2_PACKAGE_OPENSSL),y)
HEIRLOOM_MAILX_DEPENDENCIES += openssl
--
2.41.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH 2/2] package/heirloom-mailx: ignore CVE-2004-2771
2023-08-28 21:22 ` [Buildroot] [PATCH 2/2] package/heirloom-mailx: ignore CVE-2004-2771 Thomas Petazzoni via buildroot
@ 2023-08-30 20:12 ` Arnout Vandecappelle via buildroot
2023-09-14 8:23 ` Peter Korsgaard
1 sibling, 0 replies; 5+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2023-08-30 20:12 UTC (permalink / raw)
To: Thomas Petazzoni, Buildroot List
On 28/08/2023 23:22, Thomas Petazzoni via buildroot wrote:
> The CVE-2004-2771 is already fixed by the Debian patch
> 0014-globname-Invoke-wordexp-with-WRDE_NOCMD.patch. The Debian patch
> description is:
>
> Subject: [PATCH 4/4] globname: Invoke wordexp with WRDE_NOCMD (CVE-2004-2771)
>
> See also https://marc.info/?l=oss-security&m=141875285203183&w=2 for
> more details.
>
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
> package/heirloom-mailx/heirloom-mailx.mk | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/package/heirloom-mailx/heirloom-mailx.mk b/package/heirloom-mailx/heirloom-mailx.mk
> index bb2e1f48de..6e0f2c31ab 100644
> --- a/package/heirloom-mailx/heirloom-mailx.mk
> +++ b/package/heirloom-mailx/heirloom-mailx.mk
> @@ -14,6 +14,8 @@ HEIRLOOM_MAILX_CPE_ID_VENDOR = heirloom
> HEIRLOOM_MAILX_CPE_ID_PRODUCT = mailx
> # 0011-outof-Introduce-expandaddr-flag.patch in the Debian patches
> HEIRLOOM_MAILX_IGNORE_CVES += CVE-2014-7844
> +# 0014-globname-Invoke-wordexp-with-WRDE_NOCMD.patch
I've added "in the Debian patches" like in the other comment.
With that, both applied to master, thanks.
Regards,
Arnout
> +HEIRLOOM_MAILX_IGNORE_CVES += CVE-2004-2771
>
> ifeq ($(BR2_PACKAGE_OPENSSL),y)
> HEIRLOOM_MAILX_DEPENDENCIES += openssl
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH 1/2] package/heirloom-mailx: fix comment about ignore CVE-2014-7844
2023-08-28 21:22 [Buildroot] [PATCH 1/2] package/heirloom-mailx: fix comment about ignore CVE-2014-7844 Thomas Petazzoni via buildroot
2023-08-28 21:22 ` [Buildroot] [PATCH 2/2] package/heirloom-mailx: ignore CVE-2004-2771 Thomas Petazzoni via buildroot
@ 2023-09-14 8:23 ` Peter Korsgaard
1 sibling, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2023-09-14 8:23 UTC (permalink / raw)
To: Thomas Petazzoni via buildroot; +Cc: Thomas Petazzoni
>>>>> "Thomas" == Thomas Petazzoni via buildroot <buildroot@buildroot.org> writes:
> In commit
> 15972770cf34ed0b0ba330e3cc42c04f1c80c3c8 ("package/heirloom-mailx:
> security bump to version 12.5-5 from Debian"), we added CVE-2014-7844
> in HEIRLOOM_MAILX_IGNORE_CVES, but with the wrong comment about it: it
> is a different patch in the Debian stack of patches that fixes
> it. Indeed the description of patch
> 0011-outof-Introduce-expandaddr-flag.patch is:
> =====================================================================
> Subject: [PATCH 1/4] outof: Introduce expandaddr flag
> Document that address expansion is disabled unless the expandaddr
> binary option is set.
> This has been assigned CVE-2014-7844 for BSD mailx, but it is not
> a vulnerability in Heirloom mailx because this feature was documented.
> =====================================================================
> See also https://marc.info/?l=oss-security&m=141875285203183&w=2 for
> details.
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Committed to 2023.02.x and 2023.05.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Buildroot] [PATCH 2/2] package/heirloom-mailx: ignore CVE-2004-2771
2023-08-28 21:22 ` [Buildroot] [PATCH 2/2] package/heirloom-mailx: ignore CVE-2004-2771 Thomas Petazzoni via buildroot
2023-08-30 20:12 ` Arnout Vandecappelle via buildroot
@ 2023-09-14 8:23 ` Peter Korsgaard
1 sibling, 0 replies; 5+ messages in thread
From: Peter Korsgaard @ 2023-09-14 8:23 UTC (permalink / raw)
To: Thomas Petazzoni via buildroot; +Cc: Thomas Petazzoni
>>>>> "Thomas" == Thomas Petazzoni via buildroot <buildroot@buildroot.org> writes:
> The CVE-2004-2771 is already fixed by the Debian patch
> 0014-globname-Invoke-wordexp-with-WRDE_NOCMD.patch. The Debian patch
> description is:
> Subject: [PATCH 4/4] globname: Invoke wordexp with WRDE_NOCMD (CVE-2004-2771)
> See also https://marc.info/?l=oss-security&m=141875285203183&w=2 for
> more details.
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Committed to 2023.02.x and 2023.05.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-09-14 8:24 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-08-28 21:22 [Buildroot] [PATCH 1/2] package/heirloom-mailx: fix comment about ignore CVE-2014-7844 Thomas Petazzoni via buildroot
2023-08-28 21:22 ` [Buildroot] [PATCH 2/2] package/heirloom-mailx: ignore CVE-2004-2771 Thomas Petazzoni via buildroot
2023-08-30 20:12 ` Arnout Vandecappelle via buildroot
2023-09-14 8:23 ` Peter Korsgaard
2023-09-14 8:23 ` [Buildroot] [PATCH 1/2] package/heirloom-mailx: fix comment about ignore CVE-2014-7844 Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).