package/erlang: ignore Windows specific CVE-2021-29221

Message ID 20210918165947.24076-1-peter@korsgaard.com
State Accepted

Commit Message

Peter Korsgaard Sept. 18, 2021, 4:59 p.m. UTC
CVE-2021-29221 is a Windows specific issue:

A local privilege escalation vulnerability was discovered in Erlang/OTP
prior to version 23.2.3.  By adding files to an existing installation's
directory, a local attacker could hijack accounts of other users running
Erlang programs or possibly coerce a service running with "erlsrv.exe" to
execute arbitrary code as Local System.  This can occur only under specific
conditions on Windows with unsafe filesystem permissions.

So ignore it.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/erlang/erlang.mk | 3 +++
 1 file changed, 3 insertions(+)

Comments

Peter Korsgaard Sept. 29, 2021, 6:18 p.m. UTC | #1
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > CVE-2021-29221 is a Windows specific issue:
 > A local privilege escalation vulnerability was discovered in Erlang/OTP
 > prior to version 23.2.3.  By adding files to an existing installation's
 > directory, a local attacker could hijack accounts of other users running
 > Erlang programs or possibly coerce a service running with "erlsrv.exe" to
 > execute arbitrary code as Local System.  This can occur only under specific
 > conditions on Windows with unsafe filesystem permissions.

 > So ignore it.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2021.02.x, 2021.05.x and 2021.08.x, thanks.
Patch

diff --git a/package/erlang/erlang.mk b/package/erlang/erlang.mk
index 59fcdba93f..527eb15a00 100644
--- a/package/erlang/erlang.mk
+++ b/package/erlang/erlang.mk
@@ -16,6 +16,9 @@  ERLANG_CPE_ID_VENDOR = erlang
 ERLANG_CPE_ID_PRODUCT = erlang\/otp
 ERLANG_INSTALL_STAGING = YES
 
+# windows specific issue: https://nvd.nist.gov/vuln/detail/CVE-2021-29221
+ERLANG_IGNORE_CVES += CVE-2021-29221
+
 # Remove the leftover deps directory from the ssl app
 # See https://bugs.erlang.org/browse/ERL-1168
 define ERLANG_REMOVE_SSL_DEPS
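Review bot: the comment above the new ERLANG_IGNORE_CVES line justifies the ignore only with the NVD URL; the actual reason it does not apply (the issue needs "erlsrv.exe" and unsafe filesystem permissions on Windows, per the commit message) belongs in the comment itself, e.g. `# Windows-only issue (erlsrv.exe, Windows filesystem permissions), not applicable to Buildroot targets`, so a later maintainer can re-check the ignore without consulting the mailing list. Also note that the advisory names 23.2.3 as the fixed version, so this entry is only needed while the packaged Erlang is older than that and should be dropped at the next version bump past 23.2.3 rather than left to accumulate.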