From patchwork Wed Apr 21 20:42:26 2021
X-Patchwork-Submitter: Matt Weber
X-Patchwork-Id: 1468864
From: Matt Weber
To: buildroot@buildroot.org
Date: Wed, 21 Apr 2021 15:42:26 -0500
Message-Id: <20210421204235.5956-2-matthew.weber@rockwellcollins.com>
In-Reply-To: <20210421204235.5956-1-matthew.weber@rockwellcollins.com>
Subject: [Buildroot] [PATCH 01/10] package/bind: ignore CVE-2017-3139

This CVE is only relevant to the configuration of a specific RHEL release (6.x).

https://bugzilla.redhat.com/show_bug.cgi?id=1447743

Signed-off-by: Matthew Weber
---
 package/bind/bind.mk | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/package/bind/bind.mk b/package/bind/bind.mk
index 8e8896f3cc..d1a992b66e 100644
--- a/package/bind/bind.mk
+++ b/package/bind/bind.mk
@@ -13,6 +13,8 @@ BIND_CONFIG_SCRIPTS = bind9-config isc-config.sh BIND_LICENSE = MPL-2.0 BIND_LICENSE_FILES = COPYRIGHT BIND_CPE_ID_VENDOR = isc +# Only applies to RHEL6.x with DNSSEC validation on +BIND_IGNORE_CVES = CVE-2017-3139 BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage BIND_TARGET_SERVER_SBIN += dnssec-importkey dnssec-keygen dnssec-revoke BIND_TARGET_SERVER_SBIN += dnssec-settime dnssec-verify genrandom From patchwork Wed Apr 21 20:42:27 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matt Weber X-Patchwork-Id: 1468865 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=140.211.166.136; helo=smtp3.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=rockwellcollins.com header.i=@rockwellcollins.com header.a=rsa-sha256 header.s=hrcrc2020 header.b=nw6x5pUc; dkim-atps=neutral Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4FQXZM6JbTz9sVq for ; Thu, 22 Apr 2021 06:43:23 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id D81C0607F0; Wed, 21 Apr 2021 20:43:21 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iNSRdUdtc7Qo; Wed, 21 Apr 2021 20:43:21 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by 
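Review bot: the comment on the new BIND_IGNORE_CVES line narrows the reason to "RHEL6.x with DNSSEC validation on", while the commit message justifies the ignore by the configuration of one specific RHEL release; a reader could take DNSSEC validation as the deciding factor and wonder whether a Buildroot bind with validation enabled is affected. Suggest carrying the commit message's reasoning and its reference into the comment, e.g. `# CVE-2017-3139 only affects the RHEL 6.x bind build, see https://bugzilla.redhat.com/show_bug.cgi?id=1447743`, so the justification lives in the .mk file rather than only in git history.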
From: Matt Weber
To: buildroot@buildroot.org
Date: Wed, 21 Apr 2021 15:42:27 -0500
Message-Id: <20210421204235.5956-3-matthew.weber@rockwellcollins.com>
In-Reply-To: <20210421204235.5956-1-matthew.weber@rockwellcollins.com>
Subject: [Buildroot] [PATCH 02/10] package/coreutils: ignore CVE-2013-0221, CVE-2013-0222, CVE-2013-0223

This CVE is only relevant to a build when the SUSE coreutils-i18n.patch is included. The upstream codebase does not include this patch, nor does Buildroot.

https://security-tracker.debian.org/tracker/CVE-2013-0221
https://security-tracker.debian.org/tracker/CVE-2013-0222
https://security-tracker.debian.org/tracker/CVE-2013-0223

Signed-off-by: Matthew Weber
---
 package/coreutils/coreutils.mk | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/package/coreutils/coreutils.mk b/package/coreutils/coreutils.mk
index 0e75cdfcda..65234a113e 100644
--- a/package/coreutils/coreutils.mk
+++ b/package/coreutils/coreutils.mk
@@ -10,6 +10,10 @@ COREUTILS_SOURCE = coreutils-$(COREUTILS_VERSION).tar.xz COREUTILS_LICENSE = GPL-3.0+ COREUTILS_LICENSE_FILES = COPYING COREUTILS_CPE_ID_VENDOR = gnu +# Only when including SUSE coreutils-i18n.patch +COREUTILS_IGNORE_CVES = CVE-2013-0221 +COREUTILS_IGNORE_CVES += CVE-2013-0222 +COREUTILS_IGNORE_CVES += CVE-2013-0223 # We're patching m4/pthread-cond.m4 COREUTILS_AUTORECONF = YES From patchwork Wed Apr 21 20:42:28 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matt Weber X-Patchwork-Id: 1468866 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=140.211.166.133; helo=smtp2.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=rockwellcollins.com header.i=@rockwellcollins.com header.a=rsa-sha256 header.s=hrcrc2020 header.b=dtXXpPtl; dkim-atps=neutral Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4FQXZb6pn9z9sVq for ; Thu, 22 Apr 2021 06:43:35 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 49A1940404; Wed, 21 Apr 2021 20:43:34 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4mhpeVDp3CZ9; Wed, 21 Apr 2021 20:43:33 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by smtp2.osuosl.org (Postfix) with ESMTP id 
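Review bot: the comment `# Only when including SUSE coreutils-i18n.patch` states the condition under which the three CVEs apply but not why Buildroot is unaffected; the commit message's actual argument is that neither upstream coreutils nor Buildroot applies that patch. Suggest wording the comment as `# Only affects coreutils carrying the SUSE coreutils-i18n.patch, which Buildroot does not apply`, so that anyone later adding an i18n patch under package/coreutils/ sees that these ignores must be revisited.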
From: Matt Weber
To: buildroot@buildroot.org
Date: Wed, 21 Apr 2021 15:42:28 -0500
Message-Id: <20210421204235.5956-4-matthew.weber@rockwellcollins.com>
In-Reply-To: <20210421204235.5956-1-matthew.weber@rockwellcollins.com>
Subject: [Buildroot] [PATCH 03/10] package/bind: ignore CVE-2019-6470

There had existed in one of the ISC BIND libraries a bug in a function that was used by dhcpd when operating in DHCPv6 mode. There was also a bug in dhcpd relating to the use of this function per its documentation, but the bug in the library function prevented this from causing any harm. All releases of dhcpd from ISC contain copies of this, and other, BIND libraries in combinations that have been tested prior to release and are known to not present issues like this.

Affects: Builds of dhcpd versions prior to version 4.4.1 when using BIND versions 9.11.2 or later.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6470

Signed-off-by: Matthew Weber
---
 package/bind/bind.mk | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/package/bind/bind.mk b/package/bind/bind.mk
index d1a992b66e..39c30dab6b 100644
--- a/package/bind/bind.mk
+++ b/package/bind/bind.mk
@@ -15,6 +15,8 @@ BIND_LICENSE_FILES = COPYRIGHT BIND_CPE_ID_VENDOR = isc # Only applies to RHEL6.x with DNSSEC validation on BIND_IGNORE_CVES = CVE-2017-3139 +# Library CVE and not used by bind but used by ISC DHCP +BIND_IGNORE_CVES += CVE-2019-6470 BIND_TARGET_SERVER_SBIN = arpaname ddns-confgen dnssec-checkds dnssec-coverage BIND_TARGET_SERVER_SBIN += dnssec-importkey dnssec-keygen dnssec-revoke BIND_TARGET_SERVER_SBIN += dnssec-settime dnssec-verify genrandom From patchwork Wed Apr 21 20:42:29 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matt Weber X-Patchwork-Id: 1468869 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=2605:bc80:3010::133; helo=smtp2.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=rockwellcollins.com header.i=@rockwellcollins.com header.a=rsa-sha256 header.s=hrcrc2020 header.b=ju8rcEtP; dkim-atps=neutral Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4FQXbL5zDcz9sVq for ; Thu, 22 Apr 2021 06:44:14 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id CB2CD40575; Wed, 21 Apr 2021 20:44:12 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VaMXaiqEN6Qz; Wed, 21 Apr 2021 20:44:12 +0000 (UTC) Received: from ash.osuosl.org 
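Review bot: the comment `# Library CVE and not used by bind but used by ISC DHCP` is hard to parse and drops the applicability condition given in the commit message (dhcpd versions prior to 4.4.1 built against BIND 9.11.2 or later). Since the exposure is in the dhcpd consumer rather than in bind itself, suggest saying so in the comment, e.g. `# CVE-2019-6470 is in a BIND library function only exercised by ISC dhcpd < 4.4.1, not by bind`, and stating in the commit message that whichever Buildroot package ships dhcpd is at a version that is not affected; otherwise an ignore on bind silences a CVE that may still matter for the dhcpd package.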
From: Matt Weber
To: buildroot@buildroot.org
Date: Wed, 21 Apr 2021 15:42:29 -0500
Message-Id: <20210421204235.5956-5-matthew.weber@rockwellcollins.com>
In-Reply-To: <20210421204235.5956-1-matthew.weber@rockwellcollins.com>
Subject: [Buildroot] [PATCH 04/10] package/cmake: ignore CVE-2016-10642

This is specific to the npm package that installs cmake, so isn't relevant to Buildroot.

https://github.com/openembedded/openembedded-core/blob/14241ed09f9ed317045cf75a6d08416d3579bb8d/meta/recipes-devtools/cmake/cmake.inc

https://nvd.nist.gov/vuln/detail/CVE-2016-10642#vulnCurrentDescriptionTitle
"cmake installs the cmake x86 linux binaries. cmake downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execution (RCE) by swapping out the requested binary with an attacker controlled binary if the attacker is on the network or positioned in between the user and the remote server."

Signed-off-by: Matthew Weber
---
 package/cmake/cmake.mk | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/package/cmake/cmake.mk b/package/cmake/cmake.mk
index a3015fabfd..90fe868fa5 100644
--- a/package/cmake/cmake.mk
+++ b/package/cmake/cmake.mk
@@ -10,6 +10,8 @@ CMAKE_SITE = https://cmake.org/files/v$(CMAKE_VERSION_MAJOR) CMAKE_LICENSE = BSD-3-Clause CMAKE_LICENSE_FILES = Copyright.txt CMAKE_CPE_ID_VENDOR = cmake_project +# Tool download MITM attack warning if using npm package to install cmake +CMAKE_IGNORE_CVES = CVE-2016-10642 # CMake is a particular package: # * CMake can be built using the generic infrastructure or the cmake one. From patchwork Wed Apr 21 20:42:30 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matt Weber X-Patchwork-Id: 1468868 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=2605:bc80:3010::137; helo=smtp4.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=rockwellcollins.com header.i=@rockwellcollins.com header.a=rsa-sha256 header.s=hrcrc2020 header.b=wKgbWEGm; dkim-atps=neutral Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4FQXb54m97z9sWD for ; Thu, 22 Apr 2021 06:44:01 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 86C6C40346; Wed, 21 Apr 2021 20:43:59 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5W8GydOcp75h; Wed, 21 Apr 2021 20:43:58 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by smtp4.osuosl.org (Postfix) with ESMTP 
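Review bot: the comment `# Tool download MITM attack warning if using npm package to install cmake` reads as a warning about this package rather than as the reason the CVE does not apply. Suggest stating the non-applicability directly, e.g. `# CVE-2016-10642 is against the 'cmake' npm wrapper, which fetches binaries over HTTP; Buildroot builds from the release tarball at CMAKE_SITE`, which also ties the justification to the https CMAKE_SITE visible in the context lines just above.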
From: Matt Weber
To: buildroot@buildroot.org
Date: Wed, 21 Apr 2021 15:42:30 -0500
Message-Id: <20210421204235.5956-6-matthew.weber@rockwellcollins.com>
In-Reply-To: <20210421204235.5956-1-matthew.weber@rockwellcollins.com>
Subject: [Buildroot] [PATCH 05/10] package/flex: ignore CVE-2019-6293

https://security-tracker.debian.org/tracker/CVE-2019-6293

https://github.com/NixOS/nixpkgs/issues/55386#issuecomment-683792976
"But this bug does not cause stack overflows in the generated code. The function and file referred to in the bug (mark_beginning_as_normal in nfa.c) are part of the flex code generator, not part of the generated code. If flex crashes before generating any code, that can hardly be a vulnerability. If flex does not crash, the generated code is fine (or perhaps subject to other unreported bugs, who knows, but the NFA has been generated correctly)."

Upstream has chosen to not provide a fix
https://github.com/microsoft/CBL-Mariner/pull/312

Signed-off-by: Matthew Weber
---
 package/flex/flex.mk | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/package/flex/flex.mk b/package/flex/flex.mk
index 2d00969662..85da5ddae8 100644
--- a/package/flex/flex.mk
+++ b/package/flex/flex.mk
@@ -10,6 +10,9 @@ FLEX_INSTALL_STAGING = YES FLEX_LICENSE = FLEX FLEX_LICENSE_FILES = COPYING FLEX_CPE_ID_VENDOR = flex_project +# bug does not cause stack overflows in the generated code and has been +# noted upstream as a bug in the code generator +FLEX_IGNORE_CVES = CVE-2019-6293 FLEX_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES) host-m4 HOST_FLEX_DEPENDENCIES = host-m4 From patchwork Wed Apr 21 20:42:31 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matt Weber X-Patchwork-Id: 1468867 Return-Path: X-Original-To: incoming-buildroot@patchwork.ozlabs.org Delivered-To: patchwork-incoming-buildroot@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=busybox.net (client-ip=2605:bc80:3010::133; helo=smtp2.osuosl.org; envelope-from=buildroot-bounces@busybox.net; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=rockwellcollins.com header.i=@rockwellcollins.com header.a=rsa-sha256 header.s=hrcrc2020 header.b=iZ9TXC0s; dkim-atps=neutral Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4FQXZs2kRTz9sVq for ; Thu, 22 Apr 2021 06:43:49 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id E0CFB403A1; Wed, 21 Apr 2021 20:43:46 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VEKPXn0j3CO7; Wed, 21 Apr 2021 20:43:46 +0000 (UTC) Received: from ash.osuosl.org (ash.osuosl.org [140.211.166.34]) by smtp2.osuosl.org (Postfix) with ESMTP id 3276740516; Wed, 21 Apr 
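Review bot: the comment's justification only covers generated scanners ("does not cause stack overflows in the generated code"), but the context lines show flex is built for the target as well as the host (FLEX_DEPENDENCIES next to HOST_FLEX_DEPENDENCIES), so the flex binary itself ends up on the target and a crash in its code generator is still a defect there; the comment should say why that is acceptable (a crash of the flex tool while processing its input, with upstream declining to fix) rather than implying the issue is absent. Also the comment starts with a lowercase "bug"; capitalise it and cite the NixOS issue and CBL-Mariner PR from the commit message so the upstream position can be re-checked later.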
From: Matt Weber
To: buildroot@buildroot.org
Date: Wed, 21 Apr 2021 15:42:31 -0500
Message-Id: <20210421204235.5956-7-matthew.weber@rockwellcollins.com>
In-Reply-To: <20210421204235.5956-1-matthew.weber@rockwellcollins.com>
References: <20210421204235.5956-1-matthew.weber@rockwellcollins.com>
Subject: [Buildroot] [PATCH 06/10] package/hostapd: ignore CVE-2021-30004 when using openssl
Cc: Matt Weber

The CVE can be ignored when the internal TLS impl isn't used.

https://security-tracker.debian.org/tracker/CVE-2021-30004
"Issue only affects the "internal" TLS implementation (CONFIG_TLS=internal)"

Signed-off-by: Matthew Weber
--- package/hostapd/hostapd.mk | 2 ++ 1 file changed, 2 insertions(+) diff --git a/package/hostapd/hostapd.mk b/package/hostapd/hostapd.mk index efeefd8b35..2995545d18 100644 --- a/package/hostapd/hostapd.mk +++ b/package/hostapd/hostapd.mk
@@ -38,6 +38,8 @@ ifeq ($(BR2_PACKAGE_LIBOPENSSL),y) HOSTAPD_DEPENDENCIES += host-pkgconf libopenssl HOSTAPD_LIBS += `$(PKG_CONFIG_HOST_BINARY) --libs openssl` HOSTAPD_CONFIG_EDITS += 's/\#\(CONFIG_TLS=openssl\)/\1/' +# Issue only affects the "internal" TLS implementation +HOSTAPD_IGNORE_CVES += CVE-2021-30004 else HOSTAPD_CONFIG_DISABLE += CONFIG_EAP_PWD CONFIG_EAP_TEAP HOSTAPD_CONFIG_EDITS += 's/\#\(CONFIG_TLS=\).*/\1internal/'

From patchwork Wed Apr 21 20:42:32 2021
X-Patchwork-Submitter: Matt Weber
X-Patchwork-Id: 1468863
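Review bot: put the Debian tracker URL from the commit message into the `.mk` comment next to `HOSTAPD_IGNORE_CVES += CVE-2021-30004`, so the rationale for suppressing the CVE is visible in the file itself and not only in the git history. The placement is right: the entry sits in the `ifeq ($(BR2_PACKAGE_LIBOPENSSL),y)` branch, and it is the `else` branch that rewrites `CONFIG_TLS=` to `internal`, so the CVE keeps being reported for exactly the builds the advisory says are affected. It is worth saying that in the comment too, e.g. `# CVE-2021-30004 only affects CONFIG_TLS=internal; this branch builds against openssl`, so that anyone later extending this conditional to another TLS backend sees that the ignore has to be re-evaluated rather than inherited.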
From: Matt Weber
To: buildroot@buildroot.org
Date: Wed, 21 Apr 2021 15:42:32 -0500
Message-Id: <20210421204235.5956-8-matthew.weber@rockwellcollins.com>
In-Reply-To: <20210421204235.5956-1-matthew.weber@rockwellcollins.com>
References: <20210421204235.5956-1-matthew.weber@rockwellcollins.com>
Subject: [Buildroot] [PATCH 07/10] package/wpa_supplicant: ignore CVE-2021-30004 when using openssl
Cc: Matt Weber

The CVE can be ignored when the internal TLS impl isn't used.

https://security-tracker.debian.org/tracker/CVE-2021-30004
"Issue only affects the "internal" TLS implementation (CONFIG_TLS=internal)"

Signed-off-by: Matthew Weber
--- package/wpa_supplicant/wpa_supplicant.mk | 2 ++ 1 file changed, 2 insertions(+) diff --git a/package/wpa_supplicant/wpa_supplicant.mk b/package/wpa_supplicant/wpa_supplicant.mk index 356ea91828..f59832645f 100644 --- a/package/wpa_supplicant/wpa_supplicant.mk +++ b/package/wpa_supplicant/wpa_supplicant.mk
@@ -132,6 +132,8 @@ ifeq ($(BR2_PACKAGE_LIBOPENSSL),y) WPA_SUPPLICANT_DEPENDENCIES += host-pkgconf libopenssl WPA_SUPPLICANT_LIBS += `$(PKG_CONFIG_HOST_BINARY) --libs openssl` WPA_SUPPLICANT_CONFIG_EDITS += 's/\#\(CONFIG_TLS=openssl\)/\1/' +# Issue only affects the "internal" TLS implementation +WPA_SUPPLICANT_IGNORE_CVES += CVE-2021-30004 else WPA_SUPPLICANT_CONFIG_DISABLE += CONFIG_EAP_PWD CONFIG_EAP_TEAP WPA_SUPPLICANT_CONFIG_EDITS += 's/\#\(CONFIG_TLS=\).*/\1internal/'

From patchwork Wed Apr 21 20:42:33 2021
X-Patchwork-Submitter: Matt Weber
X-Patchwork-Id: 1468871
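Review bot: the comment on `WPA_SUPPLICANT_IGNORE_CVES += CVE-2021-30004` should state why the ignore belongs in this particular branch, not just that the issue affects the internal implementation: the `else` path below it is what rewrites `CONFIG_TLS=` to `internal`, so the openssl branch is the one place where the CVE is provably not reachable. The change mirrors the hostapd hunk line for line, which is fine since the two packages keep separate `.mk` files, but that makes it doubly worth having the tracker URL and the one-line reasoning in both comments so the two entries can be audited independently the next time either package is bumped.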
From: Matt Weber
To: buildroot@buildroot.org
Date: Wed, 21 Apr 2021 15:42:33 -0500
Message-Id: <20210421204235.5956-9-matthew.weber@rockwellcollins.com>
In-Reply-To: <20210421204235.5956-1-matthew.weber@rockwellcollins.com>
References: <20210421204235.5956-1-matthew.weber@rockwellcollins.com>
Subject: [Buildroot] [PATCH 08/10] package/ncurses: ignore CVE-2018-10754, CVE-2018-19211, CVE-2018-19217, CVE-2019-17594, CVE-2019-17595
Cc: Matt Weber

Commit 4b21273d71d09 added upstream (security) patches up to 20200118 and in the commit description it outlines these CVEs were patched.

Signed-off-by: Matthew Weber
--- package/ncurses/ncurses.mk | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/package/ncurses/ncurses.mk b/package/ncurses/ncurses.mk index 97e3e2c321..5d9c6bb0dd 100644 --- a/package/ncurses/ncurses.mk +++ b/package/ncurses/ncurses.mk
@@ -11,6 +11,12 @@ NCURSES_DEPENDENCIES = host-ncurses NCURSES_LICENSE = MIT with advertising clause NCURSES_LICENSE_FILES = COPYING NCURSES_CPE_ID_VENDOR = gnu +# Commit 4b21273d71d09 added upstream (security) patches up to 20200118 +NCURSES_IGNORE_CVES += CVE-2018-10754 +NCURSES_IGNORE_CVES += CVE-2018-19211 +NCURSES_IGNORE_CVES += CVE-2018-19217 +NCURSES_IGNORE_CVES += CVE-2019-17594 +NCURSES_IGNORE_CVES += CVE-2019-17595 NCURSES_CONFIG_SCRIPTS = ncurses$(NCURSES_LIB_SUFFIX)6-config NCURSES_PATCH = \ $(addprefix https://invisible-mirror.net/archives/ncurses/$(NCURSES_VERSION)/, \

From patchwork Wed Apr 21 20:42:34 2021
X-Patchwork-Submitter: Matt Weber
X-Patchwork-Id: 1468872
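Review bot: the five ignores are justified by the upstream patches pulled in through `NCURSES_PATCH` just below, not by the base `NCURSES_VERSION`, and the comment should say so explicitly, e.g. `# Fixed by the upstream patches listed in NCURSES_PATCH (up to 20200118), see commit 4b21273d71d09`. As written, a future version bump or a trimmed `NCURSES_PATCH` list would keep all five CVEs suppressed with nothing in the file prompting a re-check, which is the failure mode an `IGNORE_CVES` entry most needs to guard against. The commit message should also say which patch level fixes which CVE, or at least link the upstream changelog; "in the commit description it outlines these CVEs were patched" only relays an earlier claim rather than documenting it here.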
From: Matt Weber
To: buildroot@buildroot.org
Date: Wed, 21 Apr 2021 15:42:34 -0500
Message-Id: <20210421204235.5956-10-matthew.weber@rockwellcollins.com>
In-Reply-To: <20210421204235.5956-1-matthew.weber@rockwellcollins.com>
References: <20210421204235.5956-1-matthew.weber@rockwellcollins.com>
Subject: [Buildroot] [PATCH 09/10] package/rsyslog: ignore CVE-2015-3243
Cc: Matt Weber

https://security-tracker.debian.org/tracker/CVE-2015-3243
"Rsyslog uses weak permissions for generating log files."

Ignoring this CVE for Buildroot as normally there are not local users and a build could customize the rsyslog.conf to be more restrictive ($FileCreateMode 0640).

Example fix from Alpino Linux
https://github.com/libTorrentUser/alpino-linux-aports/commit/3cb5210cdac46fb8805d4028df16f5889f393a09

Signed-off-by: Matthew Weber
--- package/rsyslog/rsyslog.mk | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/package/rsyslog/rsyslog.mk b/package/rsyslog/rsyslog.mk index 1aa81b8eac..6cf53ccb82 100644 --- a/package/rsyslog/rsyslog.mk +++ b/package/rsyslog/rsyslog.mk
@@ -9,6 +9,10 @@ RSYSLOG_SITE = http://rsyslog.com/files/download/rsyslog RSYSLOG_LICENSE = GPL-3.0, LGPL-3.0, Apache-2.0 RSYSLOG_LICENSE_FILES = COPYING COPYING.LESSER COPYING.ASL20 RSYSLOG_CPE_ID_VENDOR = rsyslog +# rsyslog uses weak permissions for generating log files. +# Ignoring this CVE as Buildroot normally doesn't have local users and a build +# could customize the rsyslog.conf to be more restrictive ($FileCreateMode 0640) +RSYSLOG_IGNORE_CVES += CVE-2015-3243 RSYSLOG_DEPENDENCIES = zlib libestr liblogging libfastjson host-pkgconf RSYSLOG_CONF_ENV = ac_cv_prog_cc_c99='-std=c99' RSYSLOG_PLUGINS = imdiag imfile impstats imptcp \

From patchwork Wed Apr 21 20:42:35 2021
X-Patchwork-Submitter: Matt Weber
X-Patchwork-Id: 1468870
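Review bot: `RSYSLOG_IGNORE_CVES += CVE-2015-3243` is unconditional while the mitigation the comment relies on (`$FileCreateMode 0640` in rsyslog.conf) is left entirely to the user's own configuration, so a build that does add local users has the CVE hidden from CVE reporting without anything in the package restricting log-file permissions. Either ship a default rsyslog.conf that sets `$FileCreateMode 0640` and cite that in the comment, or reword the comment to say plainly that Buildroot does not harden the permissions and the user must set the directive; the current wording ("a build could customize") reads as though the problem is handled. Minor: the first comment line only restates the bug, not a reason to ignore it, and can be folded into the second.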
From: Matt Weber
To: buildroot@buildroot.org
Date: Wed, 21 Apr 2021 15:42:35 -0500
Message-Id: <20210421204235.5956-11-matthew.weber@rockwellcollins.com>
In-Reply-To: <20210421204235.5956-1-matthew.weber@rockwellcollins.com>
References: <20210421204235.5956-1-matthew.weber@rockwellcollins.com>
Subject: [Buildroot] [PATCH 10/10] package/tar: ignore CVE-2007-4476
Cc: Matt Weber

https://security-tracker.debian.org/tracker/CVE-2007-4476

Currently NVD has this incorrectly tagged for all versions. The bug trackers on different distros show it was generally fixed in versions >= 1.16 but because the impacted source code is in the GNU paxutils, it is hard to follow in what cases tar has been fixed around that 1.16 version.

https://bugs.gentoo.org/196978
https://www.itsecdb.com/oval/definition/oval/org.mitre.oval/def/9336/Buffer-overflow-in-the-safer-name-suffix-function-in-GNU-tar.html

Signed-off-by: Matthew Weber
--- package/tar/tar.mk | 2 ++ 1 file changed, 2 insertions(+) diff --git a/package/tar/tar.mk b/package/tar/tar.mk index 690a5952ba..80d7495b00 100644
--- a/package/tar/tar.mk +++ b/package/tar/tar.mk @@ -13,6 +13,8 @@ TAR_CONF_OPTS = --exec-prefix=/ TAR_LICENSE = GPL-3.0+ TAR_LICENSE_FILES = COPYING TAR_CPE_ID_VENDOR = gnu +# only tar <= 1.16 +TAR_IGNORE_CVES += CVE-2007-4476 ifeq ($(BR2_PACKAGE_ACL),y) TAR_DEPENDENCIES += acl
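Review bot: the comment `# only tar <= 1.16` contradicts the commit message, which says the bug was "generally fixed in versions >= 1.16"; one of the two puts 1.16 on the wrong side of the boundary. State the affected range precisely (whether 1.16 itself is fixed) and carry the reference the message gives (https://bugs.gentoo.org/196978) into the comment, since otherwise the justification for overriding NVD's "all versions" tagging lives only in the git log. Given that the message itself admits the paxutils origin makes the fix hard to trace, the comment should also name the tar version this package currently builds, so the ignore can be re-checked against it at the next bump rather than silently carried forward.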