From: Adrian Bunk <bunk@stusta.de>
To: Ross Burton <ross.burton@intel.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH] libpng: whitelist CVE-2019-17371
Date: Mon, 4 Nov 2019 17:40:47 +0200 [thread overview]
Message-ID: <20191104154047.GB5390@localhost> (raw)
In-Reply-To: <e1411b32-8500-2971-ff45-ec717c14d3be@intel.com>
On Mon, Nov 04, 2019 at 02:24:08PM +0000, Ross Burton wrote:
> On 04/11/2019 14:01, Adrian Bunk wrote:
> > On Mon, Nov 04, 2019 at 12:42:51PM +0000, Ross Burton wrote:
> > > This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng
> > > recipe.
> > >
> > > Signed-off-by: Ross Burton <ross.burton@intel.com>
> > > ---
> > > meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++
> > > 1 file changed, 3 insertions(+)
> > >
> > > diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> > > index 66af2f3d60e..07970e14360 100644
> > > --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> > > +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> > > @@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools"
> > > FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
> > > BBCLASSEXTEND = "native nativesdk"
> > > +
> > > +# CVE-2019-17371 is actually a memory leak in gif2png 2.x
> > > +CVE_CHECK_WHITELIST = "CVE-2019-17371"
> >
> > These should use += to not overwrite whitelists defined by
> > the distribution or the user.
>
> IMHO, the distribution or user should be using _append. The whitelist
> should be explicitly per-recipe: there's a CVE which is tagged incorrectly
> as being in openssl *and* mod_ssl, we don't want to whitelist it globally
> but only in openssl.
>...
What I had in mind are a distribution-wide cve-whitelist.inc included
from the distro conf or using CVE_CHECK_WHITELIST in conf/local.conf,
you don't want to start creating dozens of bbappend files in such
usecases.
This CVE where a change in OpenSSL created a vulnerability in Apache
would go to the global whitelist for me when I am not using Apache.
In OE it should not be whitelisted in both OpenSSL and Apache, but
this is a different situation.
> Ross
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
prev parent reply other threads:[~2019-11-04 15:40 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-04 12:42 [PATCH] libpng: whitelist CVE-2019-17371 Ross Burton
2019-11-04 14:01 ` Adrian Bunk
2019-11-04 14:24 ` Ross Burton
2019-11-04 15:40 ` Adrian Bunk [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191104154047.GB5390@localhost \
--to=bunk@stusta.de \
--cc=openembedded-core@lists.openembedded.org \
--cc=ross.burton@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.