Message ID | 20210421204235.5956-6-matthew.weber@rockwellcollins.com |
---|---|
State | Accepted |
From | Matt Weber <matthew.weber@rockwellcollins.com> |
To | buildroot@buildroot.org |
Cc | Matt Weber <matthew.weber@rockwellcollins.com> |
Date | Wed, 21 Apr 2021 15:42:30 -0500 |
Subject | [Buildroot] [PATCH 05/10] package/flex: ignore CVE-2019-6293 |
In-Reply-To | <20210421204235.5956-1-matthew.weber@rockwellcollins.com> |
References | <20210421204235.5956-1-matthew.weber@rockwellcollins.com> |
X-Mailer | git-send-email 2.17.1 |
Series | Misc CVE ignores |
diff --git a/package/flex/flex.mk b/package/flex/flex.mk index 2d00969662..85da5ddae8 100644 --- a/package/flex/flex.mk +++ b/package/flex/flex.mk @@ -10,6 +10,9 @@ FLEX_INSTALL_STAGING = YES FLEX_LICENSE = FLEX FLEX_LICENSE_FILES = COPYING FLEX_CPE_ID_VENDOR = flex_project +# bug does not cause stack overflows in the generated code and has been +# noted upstream as a bug in the code generator +FLEX_IGNORE_CVES = CVE-2019-6293 FLEX_DEPENDENCIES = $(TARGET_NLS_DEPENDENCIES) host-m4 HOST_FLEX_DEPENDENCIES = host-m4
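Review bot: the two comment lines above `FLEX_IGNORE_CVES = CVE-2019-6293` state the rationale but not its source, so a later reader of flex.mk cannot re-check the justification without digging through git history; consider adding the nixpkgs issue link from the commit message (https://github.com/NixOS/nixpkgs/issues/55386) as a third comment line, and naming the affected location (`mark_beginning_as_normal` in `nfa.c`, per the quoted upstream comment) so the scope of the ignore is explicit: the crash is in the flex code generator run on the build host, not in the scanners it emits. Placement of the new variable next to `FLEX_CPE_ID_VENDOR` keeps the CVE-related metadata grouped, which is fine.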
https://security-tracker.debian.org/tracker/CVE-2019-6293
https://github.com/NixOS/nixpkgs/issues/55386#issuecomment-683792976

"But this bug does not cause stack overflows in the generated code. The function and file referred to in the bug (mark_beginning_as_normal in nfa.c) are part of the flex code generator, not part of the generated code. If flex crashes before generating any code, that can hardly be a vulnerability. If flex does not crash, the generated code is fine (or perhaps subject to other unreported bugs, who knows, but the NFA has been generated correctly)."

Upstream has chosen to not provide a fix
https://github.com/microsoft/CBL-Mariner/pull/312

Signed-off-by: Matthew Weber <matthew.weber@rockwellcollins.com>
---
 package/flex/flex.mk | 3 +++
 1 file changed, 3 insertions(+)