diff mbox series

package/ripgrep: ignore CVE-2021-3013 as Windows only

Message ID 20210930035250.23687-1-sam.voss@gmail.com
State Accepted
Headers show
Series package/ripgrep: ignore CVE-2021-3013 as Windows only | expand

Commit Message

Sam Voss Sept. 30, 2021, 3:52 a.m. UTC 
From: Sam Voss <sam.voss@gmail.com>

CVE-2021-3013 does not impact any buildroot versions of ripgrep as it is
a Windows-only exploit targeting ripgrep versions earlier than 13. It
can be safely ignored on our LTS branches.

Signed-off-by: Sam Voss <sam.voss@gmail.com>

---

Note: Please apply this patch to:

  * 2021.02.x
  * 2021.05.x
  * 2021.08.x

Master currently has version 13, which does not report this CVE.
---
 package/ripgrep/ripgrep.mk | 3 +++
 1 file changed, 3 insertions(+)

Comments

Yann E. MORIN Oct. 3, 2021, 8:19 p.m. UTC | #1 
Sam, All

On 2021-09-29 22:52 -0500, sam.voss@gmail.com spake thusly:
> From: Sam Voss <sam.voss@gmail.com>
> 
> CVE-2021-3013 does not impact any buildroot versions of ripgrep as it is
> a Windows-only exploit targeting ripgrep versions earlier than 13. It
> can be safely ignored on our LTS branches.
> 
> Signed-off-by: Sam Voss <sam.voss@gmail.com>

Applied to master, thanks.

I've just added an URL to the NVD for reference.

Regards,
Yann E. MORIN.

> ---
> 
> Note: Please apply this patch to:
> 
>   * 2021.02.x
>   * 2021.05.x
>   * 2021.08.x
> 
> Master currently has version 13, which does not report this CVE.
> ---
>  package/ripgrep/ripgrep.mk | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/package/ripgrep/ripgrep.mk b/package/ripgrep/ripgrep.mk
> index 450bb020e3..8d0185595d 100644
> --- a/package/ripgrep/ripgrep.mk
> +++ b/package/ripgrep/ripgrep.mk
> @@ -10,6 +10,9 @@ RIPGREP_LICENSE = MIT
>  RIPGREP_LICENSE_FILES = LICENSE-MIT
>  RIPGREP_CPE_ID_VENDOR = ripgrep_project
>  
> +# CVE only impacts ripgrep on Windows
> +RIPGREP_IGNORE_CVES += CVE-2021-3013
> +
>  RIPGREP_DEPENDENCIES = host-rustc
>  RIPGREP_CARGO_ENV = CARGO_HOME=$(HOST_DIR)/share/cargo \
>  	__CARGO_TEST_CHANNEL_OVERRIDE_DO_NOT_USE_THIS="nightly" \
> -- 
> 2.33.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
Peter Korsgaard Oct. 6, 2021, 3:22 p.m. UTC | #2 
>>>>> "sam" == sam voss <sam.voss@gmail.com> writes:

 > From: Sam Voss <sam.voss@gmail.com>
 > CVE-2021-3013 does not impact any buildroot versions of ripgrep as it is
 > a Windows-only exploit targeting ripgrep versions earlier than 13. It
 > can be safely ignored on our LTS branches.

 > Signed-off-by: Sam Voss <sam.voss@gmail.com>

 > ---

 > Note: Please apply this patch to:

 >   * 2021.02.x
 >   * 2021.05.x
 >   * 2021.08.x

 > Master currently has version 13, which does not report this CVE.

Committed to 2021.02.x, 2021.05.x and 2021.08.x, thanks.
diff mbox series

Patch

diff --git a/package/ripgrep/ripgrep.mk b/package/ripgrep/ripgrep.mk
index 450bb020e3..8d0185595d 100644
--- a/package/ripgrep/ripgrep.mk
+++ b/package/ripgrep/ripgrep.mk
@@ -10,6 +10,9 @@  RIPGREP_LICENSE = MIT
 RIPGREP_LICENSE_FILES = LICENSE-MIT
 RIPGREP_CPE_ID_VENDOR = ripgrep_project
 
+# CVE only impacts ripgrep on Windows
+RIPGREP_IGNORE_CVES += CVE-2021-3013
+
 RIPGREP_DEPENDENCIES = host-rustc
 RIPGREP_CARGO_ENV = CARGO_HOME=$(HOST_DIR)/share/cargo \
 	__CARGO_TEST_CHANNEL_OVERRIDE_DO_NOT_USE_THIS="nightly" \