| Message ID | 20220731113249.93158-1-bernd.kuhls@t-online.de |
|---|---|
| State | Handled Elsewhere |
| Headers | show |
| Series | [1/1] package/ffmpeg: ignore CVE-2021-38291 | expand |
On 31/07/2022 13:32, Bernd Kuhls wrote: > Fixed in version 4.4.1 by > http://git.videolan.org/?p=ffmpeg.git;a=blob;f=Changelog;h=1845c0c85c56d300b6b2ffea43d4adc610caa2f5;hb=refs/heads/release/4.4#l160 > http://git.videolan.org/?p=ffmpeg.git;a=commit;h=07dec5b0c383ebd6053bdf0a022dfe4aa01b9b70 > > Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> > --- > package/ffmpeg/ffmpeg.mk | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/package/ffmpeg/ffmpeg.mk b/package/ffmpeg/ffmpeg.mk > index 82d229903f..d43274c4a7 100644 > --- a/package/ffmpeg/ffmpeg.mk > +++ b/package/ffmpeg/ffmpeg.mk > @@ -17,6 +17,8 @@ FFMPEG_LICENSE_FILES += COPYING.GPLv2 > endif > > FFMPEG_CPE_ID_VENDOR = ffmpeg > +# fixed in version 4.4.1 For this one, I went and checked, and it is the NVD that is wrong. It has cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:* So the proper approach here is to fix it in the NVD. I'm not actually sure how to do that. Matt, Thomas, do you know? Regards, Arnout > +FFMPEG_IGNORE_CVES += CVE-2021-38291 > > FFMPEG_CONF_OPTS = \ > --prefix=/usr \
Hello, On Mon, 1 Aug 2022 20:02:44 +0200 Arnout Vandecappelle <arnout@mind.be> wrote: > > FFMPEG_CPE_ID_VENDOR = ffmpeg > > +# fixed in version 4.4.1 > > For this one, I went and checked, and it is the NVD that is wrong. It has > cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:* > > So the proper approach here is to fix it in the NVD. I'm not actually sure how > to do that. Matt, Thomas, do you know? Yes: send an e-mail to nvd@nist.gov. Here is an example e-mail I sent: ======================================================== Hello, CVE-2014-3675 is marked in the NVD database as affecting all versions of cpe:2.3:a:redhat:shim:-:*:*:*:*:*:*:*. However, this CVE has been fixed by upstream commit https://github.com/rhboot/shim/commit/e253c2a2c07bc526de1528ed9839b2b584025fa2#diff-874c9b6e2bf4c63b0f0a443f612426773d76e4f09dd313fbe0ad3fd6d42c22d4, which has been part of shim releases since version 0.8. The problematic code has been introduced in shim 0.3. To the affected versions are all versions >= 0.3 and < 0.8. Could this be addressed in the CVE-2014-3675 entry ? Thanks a lot, Thomas ======================================================== I had to provide more details later on such as: ======================================================== Your CVE-2014-3675 CVE report points to: https://www.openwall.com/lists/oss-security/2014/10/13/4 Which indicates: """ 1. OOB read access when parsing DHCPv6 packets (remote DoS). The severity is low. (CVE-2014-3675) 2. Heap overflow when parsing IPv6 addresses provided by tftp:// DHCPv6 boot option (RCE). The severity is low to medium, as secure boot via PXE6 should rarely be seen ITW. Furthermore UEFI firmware seems to fail to properly verify provided PXE images at the first place. (CVE-2014-3676) For both issues above there is a patch proposal: http://suse.com/~krahmer/priv/shim1.diff """ This patch is exactly commit https://github.com/rhboot/shim/commit/e253c2a2c07bc526de1528ed9839b2b584025fa2 in upstream shim. And based on the shim Git repository, we can check that commit e253c2a2c07bc526de1528ed9839b2b584025fa2 was first part of the 0.8 release: $ git describe --contains e253c2a2c07bc526de1528ed9839b2b584025fa2 0.8~5 This CVE, and the fix for it, is related to the netboot code in netboot.c. This entire netboot.c code was introduced in upstream commit d8e330b95368ce43da47e114eb1d699eedb18e57 (https://github.com/rhboot/shim/commit/d8e330b95368ce43da47e114eb1d699eedb18e57). And this commit itself was first included in the 0.3 release: $ git describe --contains d8e330b95368ce43da47e114eb1d699eedb18e57 0.3~34 So any version prior to 0.3 is not affected by this issue, as shim simply did not have netboot support. This reasoning applies to both CVE-2014-3675 and CVE-2014-3676. So the affected versions are >= 0.3 and < 0.8. Does this help ? Thanks a lot, ======================================================== Thomas
diff --git a/package/ffmpeg/ffmpeg.mk b/package/ffmpeg/ffmpeg.mk index 82d229903f..d43274c4a7 100644 --- a/package/ffmpeg/ffmpeg.mk +++ b/package/ffmpeg/ffmpeg.mk @@ -17,6 +17,8 @@ FFMPEG_LICENSE_FILES += COPYING.GPLv2 endif FFMPEG_CPE_ID_VENDOR = ffmpeg +# fixed in version 4.4.1 +FFMPEG_IGNORE_CVES += CVE-2021-38291 FFMPEG_CONF_OPTS = \ --prefix=/usr \
Fixed in version 4.4.1 by http://git.videolan.org/?p=ffmpeg.git;a=blob;f=Changelog;h=1845c0c85c56d300b6b2ffea43d4adc610caa2f5;hb=refs/heads/release/4.4#l160 http://git.videolan.org/?p=ffmpeg.git;a=commit;h=07dec5b0c383ebd6053bdf0a022dfe4aa01b9b70 Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de> --- package/ffmpeg/ffmpeg.mk | 2 ++ 1 file changed, 2 insertions(+)