* [Buildroot] [PATCH] package/libssh: ignore CVE-2023-3603
@ 2023-09-06 20:09 Daniel Lang
2023-09-08 20:32 ` Thomas Petazzoni via buildroot
2023-09-26 6:08 ` Peter Korsgaard
0 siblings, 2 replies; 4+ messages in thread
From: Daniel Lang @ 2023-09-06 20:09 UTC (permalink / raw)
To: buildroot
The affected code isn't present in any release, see [0].
[0]: https://www.libssh.org/2023/07/14/cve-2023-3603-potential-null-dereference-in-libsshs-sftp-server/
Signed-off-by: Daniel Lang <dalang@gmx.at>
---
package/libssh/libssh.mk | 3 +++
1 file changed, 3 insertions(+)
diff --git a/package/libssh/libssh.mk b/package/libssh/libssh.mk
index e770d2b924..f6c590ba0a 100644
--- a/package/libssh/libssh.mk
+++ b/package/libssh/libssh.mk
@@ -16,6 +16,9 @@ LIBSSH_SUPPORTS_IN_SOURCE_BUILD = NO
LIBSSH_CONF_OPTS = \
-DWITH_STACK_PROTECTOR=OFF \
-DWITH_EXAMPLES=OFF
+# Not part of this release
+# https://www.libssh.org/2023/07/14/cve-2023-3603-potential-null-dereference-in-libsshs-sftp-server/
+LIBSSH_IGNORE_CVES += CVE-2023-3603
ifeq ($(BR2_ARM_INSTRUCTIONS_THUMB),y)
LIBSSH_CONF_OPTS += -DWITH_STACK_CLASH_PROTECTION=OFF
--
2.42.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH] package/libssh: ignore CVE-2023-3603
2023-09-06 20:09 [Buildroot] [PATCH] package/libssh: ignore CVE-2023-3603 Daniel Lang
@ 2023-09-08 20:32 ` Thomas Petazzoni via buildroot
2023-09-22 18:58 ` Arnout Vandecappelle via buildroot
2023-09-26 6:08 ` Peter Korsgaard
1 sibling, 1 reply; 4+ messages in thread
From: Thomas Petazzoni via buildroot @ 2023-09-08 20:32 UTC (permalink / raw)
To: Daniel Lang; +Cc: buildroot
Hello Daniel,
On Wed, 6 Sep 2023 22:09:27 +0200
Daniel Lang <dalang@gmx.at> wrote:
> The affected code isn't present in any release, see [0].
>
> [0]: https://www.libssh.org/2023/07/14/cve-2023-3603-potential-null-dereference-in-libsshs-sftp-server/
>
> Signed-off-by: Daniel Lang <dalang@gmx.at>
Here the NVD database tells us that the following CPE identifier is
affected:
cpe:2.3:a:libssh:libssh:-:*:*:*:*:*:*:*
So the version field is not '*', but '-', and I think our pkg-stats
script doesn't do the right thing when handling '-'. I remember asking
the NVD maintainers about this, and they replied:
The '-' in the URI 'cpe:2.3:a:ntp:ntp:-:*:*:*:*:*:*:*' is used
because the affected version was not specified. We need to use the
'-' when the affected version is not specified otherwise, using the
'*' will incorrectly call all versions of NTP as vulnerable.
The '*' is the wildcard, while the '-' is used to represent
unspecified versions, a placeholder to an update, as explained
earlier.
I believe right now pkg-stats handles '-' like '*', but I'm not sure
it's the right thing to do. But the answer from NVD didn't really help
because "unspecified versions" doesn't mean much.
Another thing that would be good to do in pkg-stats is warn if there is
a CVE listed in <pkg>_IGNORE_CVES, but this CVE in fact does not
affects the package. This would allow us to catch mistakes, but also
cases where a CVE was added to the ignore list, but no longer needs to
be in that list because the NVD data has been updated/improved.
Best regards,
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH] package/libssh: ignore CVE-2023-3603
2023-09-08 20:32 ` Thomas Petazzoni via buildroot
@ 2023-09-22 18:58 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 4+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2023-09-22 18:58 UTC (permalink / raw)
To: Thomas Petazzoni, Daniel Lang; +Cc: buildroot
On 08/09/2023 22:32, Thomas Petazzoni via buildroot wrote:
> Hello Daniel,
>
> On Wed, 6 Sep 2023 22:09:27 +0200
> Daniel Lang <dalang@gmx.at> wrote:
>
>> The affected code isn't present in any release, see [0].
>>
>> [0]: https://www.libssh.org/2023/07/14/cve-2023-3603-potential-null-dereference-in-libsshs-sftp-server/
>>
>> Signed-off-by: Daniel Lang <dalang@gmx.at>
>
> Here the NVD database tells us that the following CPE identifier is
> affected:
>
> cpe:2.3:a:libssh:libssh:-:*:*:*:*:*:*:*
>
> So the version field is not '*', but '-', and I think our pkg-stats
> script doesn't do the right thing when handling '-'. I remember asking
> the NVD maintainers about this, and they replied:
>
> The '-' in the URI 'cpe:2.3:a:ntp:ntp:-:*:*:*:*:*:*:*' is used
> because the affected version was not specified. We need to use the
> '-' when the affected version is not specified otherwise, using the
> '*' will incorrectly call all versions of NTP as vulnerable.
>
>
> The '*' is the wildcard, while the '-' is used to represent
> unspecified versions, a placeholder to an update, as explained
> earlier.
>
> I believe right now pkg-stats handles '-' like '*', but I'm not sure
> it's the right thing to do. But the answer from NVD didn't really help
> because "unspecified versions" doesn't mean much.
On the other hand, we can't interpret it as "this CVE doesn't apply to any
version at all", because for all we know we actually _are_ using a vulnerable
commit sha. And I'm sure there are other situations where the - is used that we
also can't simply exclude.
I think we should interpet the - as "human intervention is needed" - which is
exactly what happened here.
Therefore, I applied the commit to master, thanks. I extended the commit
message with a bit of the above information.
> Another thing that would be good to do in pkg-stats is warn if there is
> a CVE listed in <pkg>_IGNORE_CVES, but this CVE in fact does not
> affects the package. This would allow us to catch mistakes, but also
> cases where a CVE was added to the ignore list, but no longer needs to
> be in that list because the NVD data has been updated/improved.
+1 to that!
Regards,
Arnout
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH] package/libssh: ignore CVE-2023-3603
2023-09-06 20:09 [Buildroot] [PATCH] package/libssh: ignore CVE-2023-3603 Daniel Lang
2023-09-08 20:32 ` Thomas Petazzoni via buildroot
@ 2023-09-26 6:08 ` Peter Korsgaard
1 sibling, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2023-09-26 6:08 UTC (permalink / raw)
To: Daniel Lang; +Cc: buildroot
>>>>> "Daniel" == Daniel Lang <dalang@gmx.at> writes:
> The affected code isn't present in any release, see [0].
> [0]:
> https://www.libssh.org/2023/07/14/cve-2023-3603-potential-null-dereference-in-libsshs-sftp-server/
> Signed-off-by: Daniel Lang <dalang@gmx.at>
Committed to 2023.02.x, 2023.05.x and 2023.08.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-09-26 6:08 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-09-06 20:09 [Buildroot] [PATCH] package/libssh: ignore CVE-2023-3603 Daniel Lang
2023-09-08 20:32 ` Thomas Petazzoni via buildroot
2023-09-22 18:58 ` Arnout Vandecappelle via buildroot
2023-09-26 6:08 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox