[1/1] package/lz4: annotate CVE-2014-4715

Message ID 20200328095138.959798-1-fontaine.fabrice@gmail.com
State Accepted

Commit Message

Fabrice Fontaine March 28, 2020, 9:51 a.m. UTC
CVE-2014-4715 is misclassified (by our CVE tracker) as affecting
version 1.9.2, while in fact this issue has been fixed since lz4-r130:
https://github.com/lz4/lz4/commit/140e6e72ddb6fc5f7cd28ce0c8ec3812ef4a9c08

See https://github.com/lz4/lz4/issues/818

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/lz4/lz4.mk | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Thomas Petazzoni March 28, 2020, 2:08 p.m. UTC | #1
Hello,

+Matt Weber and Akshay Bhat to discuss this issue.

On Sat, 28 Mar 2020 10:51:38 +0100
Fabrice Fontaine <fontaine.fabrice@gmail.com> wrote:

> CVE-2014-4715 is misclassified (by our CVE tracker) as affecting
> version 1.9.2, while in fact this issue has been fixed since lz4-r130:
> https://github.com/lz4/lz4/commit/140e6e72ddb6fc5f7cd28ce0c8ec3812ef4a9c08
> 
> See https://github.com/lz4/lz4/issues/818
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

So I've applied this patch, but what can we do to fix this properly?
The NVD database says that versions < r118 are affected, but of course
with the project having changed its numbering scheme (current version
is 1.9.2), making comparisons is difficult.

Indeed, after r131, the next version was v1.7.3. Can we ask the NVD
maintainers to indicate that versions earlier than v1.7.3 are
vulnerable?

Thanks,

Thomas
Akshay Bhat March 28, 2020, 3:07 p.m. UTC | #2
Hi Thomas,

On Sat, Mar 28, 2020 at 10:08 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> So I've applied this patch, but what can we do to fix this properly?
> The NVD database says that versions < r118 are affected, but of course
> with the project having changed its numbering scheme (current version
> is 1.9.2), making comparisons is difficult.
>
> Indeed, after r131, the next version was v1.7.3. Can we ask the NVD
> maintainers to indicate that versions earlier than v1.7.3 are
> vulnerable?

Interesting case! The fix has been there since r118 (including).
(Expand the tags in the github link:
https://github.com/lz4/lz4/commit/140e6e72ddb6fc5f7cd28ce0c8ec3812ef4a9c08)

Thankfully CVE-2014-4715 is the only CVE using the old version scheme.
So the 2 easy options are:
1. Live with the patch from Fabrice for ignoring CVEs since we don't
expect this list to grow (OR)
2. Since there are only 2 tagged releases before r118, ask NVD to
change the affected version:
From
cpe:2.3:a:yann_collet:lz4:*:*:*:*:*:*:*:*  Up to (including) r118
To
cpe:2.3:a:yann_collet:lz4:r116:*:*:*:*:*:*:*
cpe:2.3:a:yann_collet:lz4:r117:*:*:*:*:*:*:*

This way comparing the new versions (e.g. 1.9.2) will not match with
either r116 or r117 since there is no "<=" check involved.
I would not recommend changing it to earlier than v1.7.3 since r118 to
r131 are technically less than v1.7.3, and those versions are not
affected by this CVE.

Looks like Yocto decided to go the ignore cve route as well:
http://cgit.openembedded.org/openembedded-core/tree/meta/recipes-support/lz4/lz4_1.9.2.bb?h=master#n21

I can shoot an email to NVD if the above explicit calling out of
r116/r117 versions seems a better route.

Thanks,
Akshay
Akshay Bhat March 28, 2020, 3:58 p.m. UTC | #3
On Sat, Mar 28, 2020 at 11:07 AM Akshay Bhat <akshay.bhat@timesys.com> wrote:
>
> Hi Thomas,
>
> On Sat, Mar 28, 2020 at 10:08 AM Thomas Petazzoni
> <thomas.petazzoni@bootlin.com> wrote:
> >
> > So I've applied this patch, but what can we do to fix this properly?
> > The NVD database says that versions < r118 are affected, but of course
> > with the project having changed its numbering scheme (current version
> > is 1.9.2), making comparisons is difficult.
> >
> > Indeed, after r131, the next version was v1.7.3. Can we ask the NVD
> > maintainers to indicate that versions earlier than v1.7.3 are
> > vulnerable?
>
> Interesting case! The fix has been there since r118 (including).
> (Expand the tags in the github link:
> https://github.com/lz4/lz4/commit/140e6e72ddb6fc5f7cd28ce0c8ec3812ef4a9c08)
>
> Thankfully CVE-2014-4715 is the only CVE using the old version scheme.
> So the 2 easy options are:
> 1. Live with the patch from Fabrice for ignoring CVEs since we don't
> expect this list to grow (OR)
> 2. Since there are only 2 tagged releases before r118, ask NVD to
> change the affected version:
>
> From
> cpe:2.3:a:yann_collet:lz4:*:*:*:*:*:*:*:*  Up to (including) r118
> To
> cpe:2.3:a:yann_collet:lz4:r116:*:*:*:*:*:*:*
> cpe:2.3:a:yann_collet:lz4:r117:*:*:*:*:*:*:*

Hmm, digging deeper, the first release is r105; it looks like all the
tags were not carried over to GitHub when it was migrated!
https://fossies.org/linux/lz4/NEWS

So if we were to ask NVD to update the versions then we have to list
all versions before r118.

Another option is to make the version compare tool more intelligent so
that it does not treat the old scheme (e.g. r118) as greater than the
current scheme (e.g. 1.9.2).
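The two options argued over in this thread, listing r116/r117 as explicit CPE entries so that no "<=" check is involved, versus teaching the version comparator that the old rNNN scheme sorts below every 1.x.y release, as an added example in Python. This is not Buildroot's own cve.py nor any NVD code: the version_key/affects functions, the CpeMatch field names and the CPE entries below are constructed here to mirror the discussion, and the assumption that every rNNN release precedes every 1.x.y release is taken from the thread's statement that v1.7.3 followed r131.

```python
"""Added example (not Buildroot's cve.py): a version comparator that
understands lz4's two numbering schemes, plus a minimal NVD-style CPE
range check built on it.  All entries below are constructed for the
CVE-2014-4715 discussion; function and field names are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

_LEGACY_RE = re.compile(r"^r(\d+)$")                           # r105 .. r131
_SEMVER_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$")  # 1.7.3, v1.9.2


def version_key(version: str) -> Tuple[int, int, int, int]:
    """Map an lz4 version string to a sortable tuple.

    The first element is an "era": 0 for the legacy svn-style rNNN releases,
    1 for the 1.x.y releases that followed r131 (assumption taken from the
    thread), so every rNNN sorts below every 1.x.y.  A plain string
    comparison gets this backwards because '1' (0x31) < 'r' (0x72).
    """
    m = _LEGACY_RE.match(version)
    if m:
        return (0, int(m.group(1)), 0, 0)
    m = _SEMVER_RE.match(version)
    if m:
        major, minor, patch = (int(p) if p else 0 for p in m.groups())
        return (1, major, minor, patch)
    raise ValueError(f"unrecognised lz4 version: {version!r}")


def version_lt(a: str, b: str) -> bool:
    return version_key(a) < version_key(b)


def naive_string_lt(a: str, b: str) -> bool:
    """The ordering a scheme-unaware tracker effectively applies."""
    return a < b


@dataclass(frozen=True)
class CpeMatch:
    """One NVD configuration entry (field names mirror the NVD JSON feed)."""
    cpe23uri: str
    version_start_including: Optional[str] = None
    version_end_including: Optional[str] = None
    version_end_excluding: Optional[str] = None


def cpe_version(cpe23uri: str) -> str:
    # cpe:2.3:part:vendor:product:version:update:...  -> version is field 5
    return cpe23uri.split(":")[5]


def affects(match: CpeMatch, version: str, lt=version_lt) -> bool:
    """True if `version` falls inside the match entry under ordering `lt`.

    An explicit version in the CPE URI matches only itself: no "<=" check
    is involved, which is why listing r116 and r117 can never hit 1.9.2.
    A "*" version is a range bounded by the version_* fields.
    """
    exact = cpe_version(match.cpe23uri)
    if exact != "*":
        return not lt(exact, version) and not lt(version, exact)
    if match.version_start_including and lt(version, match.version_start_including):
        return False
    if match.version_end_including and lt(match.version_end_including, version):
        return False
    if match.version_end_excluding and not lt(version, match.version_end_excluding):
        return False
    return True


# Constructed entries mirroring the options discussed in the thread.
NVD_RANGE_AS_PUBLISHED = CpeMatch("cpe:2.3:a:yann_collet:lz4:*:*:*:*:*:*:*:*",
                                  version_end_including="r118")
EXPLICIT_R116 = CpeMatch("cpe:2.3:a:yann_collet:lz4:r116:*:*:*:*:*:*:*")
EXPLICIT_R117 = CpeMatch("cpe:2.3:a:yann_collet:lz4:r117:*:*:*:*:*:*:*")
BEFORE_1_7_3 = CpeMatch("cpe:2.3:a:yann_collet:lz4:*:*:*:*:*:*:*:*",
                        version_end_excluding="1.7.3")

SAMPLE_VERSIONS = ["r105", "r116", "r117", "r118", "r131", "1.7.3", "1.9.2"]


def flagged_versions(match: CpeMatch, versions, lt=version_lt):
    """Subset of `versions` the entry reports as vulnerable."""
    return [v for v in versions if affects(match, v, lt)]


if __name__ == "__main__":
    print("string compare :", flagged_versions(NVD_RANGE_AS_PUBLISHED, SAMPLE_VERSIONS, naive_string_lt))
    print("scheme-aware   :", flagged_versions(NVD_RANGE_AS_PUBLISHED, SAMPLE_VERSIONS))
    print("explicit r116  :", flagged_versions(EXPLICIT_R116, SAMPLE_VERSIONS))
    print("< 1.7.3        :", flagged_versions(BEFORE_1_7_3, SAMPLE_VERSIONS))
```

Running the block prints which of the constructed versions each entry flags: the string-compare run reproduces the false positive on 1.9.2 (and on 1.7.3) under the published "up to r118" range, the scheme-aware run stops at r118, the explicit r116 entry hits only r116, and the "earlier than v1.7.3" range shows why that bound would wrongly flag the fixed r118..r131 releases.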
Patch

diff --git a/package/lz4/lz4.mk b/package/lz4/lz4.mk
index 2a658fbba5..1d32666ccc 100644
--- a/package/lz4/lz4.mk
+++ b/package/lz4/lz4.mk
@@ -10,6 +10,12 @@  LZ4_INSTALL_STAGING = YES
 LZ4_LICENSE = BSD-2-Clause (library), GPL-2.0+ (programs)
 LZ4_LICENSE_FILES = lib/LICENSE programs/COPYING
 
+# CVE-2014-4715 is misclassified (by our CVE tracker) as affecting version
+# 1.9.2, while in fact this issue has been fixed since lz4-r130:
+# https://github.com/lz4/lz4/commit/140e6e72ddb6fc5f7cd28ce0c8ec3812ef4a9c08
+# See https://github.com/lz4/lz4/issues/818
+LZ4_IGNORE_CVES += CVE-2014-4715
+
 ifeq ($(BR2_STATIC_LIBS),y)
 LZ4_MAKE_OPTS += BUILD_SHARED=no
 else ifeq ($(BR2_SHARED_LIBS),y)
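Review bot: the added comment in lz4.mk says the issue "has been fixed since lz4-r130", while reply #2 in this thread states the fix has been present since r118 (including) and the NVD entry itself bounds the affected versions at r118; the comment should name the release that actually first carries the linked commit, otherwise a reader will wrongly conclude r118 to r129 are still affected. It would also help to record the real cause of the misclassification in the comment, namely that the tracker compares the old rNNN scheme against 1.9.2 and treats r118 as the greater version, so a later maintainer knows LZ4_IGNORE_CVES is set because of a version-scheme mismatch and not because of a disputed upstream fix.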