* [Buildroot] [PATCH 1/1] package/boost: annotate _IGNORE_CVES for CVE-2009-3654
@ 2020-02-29 9:46 Fabrice Fontaine
2020-02-29 16:36 ` Yann E. MORIN
0 siblings, 1 reply; 4+ messages in thread
From: Fabrice Fontaine @ 2020-02-29 9:46 UTC (permalink / raw)
To: buildroot
Unspecified vulnerability in Boost before 6.x-1.03, a module for Drupal,
allows remote attackers to create new webroot directories via unknown
attack vectors.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/boost/boost.mk | 3 +++
1 file changed, 3 insertions(+)
diff --git a/package/boost/boost.mk b/package/boost/boost.mk
index 322429a10c..c9e80266e0 100644
--- a/package/boost/boost.mk
+++ b/package/boost/boost.mk
@@ -11,6 +11,9 @@ BOOST_INSTALL_STAGING = YES
BOOST_LICENSE = BSL-1.0
BOOST_LICENSE_FILES = LICENSE_1_0.txt
+# module for Drupal
+BOOST_IGNORE_CVES += CVE-2009-3654
+
# keep host variant as minimal as possible
HOST_BOOST_FLAGS = --without-icu --with-toolset=gcc \
--without-libraries=$(subst $(space),$(comma),atomic chrono context \
--
2.25.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH 1/1] package/boost: annotate _IGNORE_CVES for CVE-2009-3654
2020-02-29 9:46 [Buildroot] [PATCH 1/1] package/boost: annotate _IGNORE_CVES for CVE-2009-3654 Fabrice Fontaine
@ 2020-02-29 16:36 ` Yann E. MORIN
2020-02-29 17:07 ` Peter Korsgaard
0 siblings, 1 reply; 4+ messages in thread
From: Yann E. MORIN @ 2020-02-29 16:36 UTC (permalink / raw)
To: buildroot
Fabrice, All,
On 2020-02-29 10:46 +0100, Fabrice Fontaine spake thusly:
> Unspecified vulnerability in Boost before 6.x-1.03, a module for Drupal,
> allows remote attackers to create new webroot directories via unknown
> attack vectors.
Yes, good to know, but the interesting bit is why we are not affected,
which your commit log fails to specify.
Also, the comment should say so as well. Maybe just something like:
# Module for Drupal, not installed in Buildroot
BOOST_IGNORE_CVES +=...
Care to respin with explanations, please?
Regards,
Yann E. MORIN.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> package/boost/boost.mk | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/package/boost/boost.mk b/package/boost/boost.mk
> index 322429a10c..c9e80266e0 100644
> --- a/package/boost/boost.mk
> +++ b/package/boost/boost.mk
> @@ -11,6 +11,9 @@ BOOST_INSTALL_STAGING = YES
> BOOST_LICENSE = BSL-1.0
> BOOST_LICENSE_FILES = LICENSE_1_0.txt
>
> +# module for Drupal
> +BOOST_IGNORE_CVES += CVE-2009-3654
> +
> # keep host variant as minimal as possible
> HOST_BOOST_FLAGS = --without-icu --with-toolset=gcc \
> --without-libraries=$(subst $(space),$(comma),atomic chrono context \
> --
> 2.25.0
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
^ permalink raw reply [flat|nested] 4+ messages in thread* [Buildroot] [PATCH 1/1] package/boost: annotate _IGNORE_CVES for CVE-2009-3654
2020-02-29 16:36 ` Yann E. MORIN
@ 2020-02-29 17:07 ` Peter Korsgaard
2020-02-29 17:11 ` Yann E. MORIN
0 siblings, 1 reply; 4+ messages in thread
From: Peter Korsgaard @ 2020-02-29 17:07 UTC (permalink / raw)
To: buildroot
>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:
> Fabrice, All,
> On 2020-02-29 10:46 +0100, Fabrice Fontaine spake thusly:
>> Unspecified vulnerability in Boost before 6.x-1.03, a module for Drupal,
>> allows remote attackers to create new webroot directories via unknown
>> attack vectors.
> Yes, good to know, but the interesting bit is why we are not affected,
> which your commit log fails to specify.
> Also, the comment should say so as well. Maybe just something like:
> # Module for Drupal, not installed in Buildroot
> BOOST_IGNORE_CVES +=...
It is not because we don't install some optional part of boost, it is
simply that our CVE logic thinks that this CVE applies to our boost
package, whereas it is really for some kind of drupal module:
https://nvd.nist.gov/vuln/detail/CVE-2009-3654
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH 1/1] package/boost: annotate _IGNORE_CVES for CVE-2009-3654
2020-02-29 17:07 ` Peter Korsgaard
@ 2020-02-29 17:11 ` Yann E. MORIN
0 siblings, 0 replies; 4+ messages in thread
From: Yann E. MORIN @ 2020-02-29 17:11 UTC (permalink / raw)
To: buildroot
Peter, Fabrice, All,
On 2020-02-29 18:07 +0100, Peter Korsgaard spake thusly:
> >>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:
>
> > Fabrice, All,
> > On 2020-02-29 10:46 +0100, Fabrice Fontaine spake thusly:
> >> Unspecified vulnerability in Boost before 6.x-1.03, a module for Drupal,
> >> allows remote attackers to create new webroot directories via unknown
> >> attack vectors.
>
> > Yes, good to know, but the interesting bit is why we are not affected,
> > which your commit log fails to specify.
>
> > Also, the comment should say so as well. Maybe just something like:
>
> > # Module for Drupal, not installed in Buildroot
> > BOOST_IGNORE_CVES +=...
>
> It is not because we don't install some optional part of boost, it is
> simply that our CVE logic thinks that this CVE applies to our boost
> package, whereas it is really for some kind of drupal module:
>
> https://nvd.nist.gov/vuln/detail/CVE-2009-3654
Ah, it is the other way around, then...
I'll apply to master with a bit of rephrasing to make that obvious,
then.
Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-02-29 17:11 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-02-29 9:46 [Buildroot] [PATCH 1/1] package/boost: annotate _IGNORE_CVES for CVE-2009-3654 Fabrice Fontaine
2020-02-29 16:36 ` Yann E. MORIN
2020-02-29 17:07 ` Peter Korsgaard
2020-02-29 17:11 ` Yann E. MORIN
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox