* [Buildroot] [PATCH] package/libssh: ignore CVE-2023-3603 @ 2023-09-06 20:09 Daniel Lang 2023-09-08 20:32 ` Thomas Petazzoni via buildroot 2023-09-26 6:08 ` Peter Korsgaard 0 siblings, 2 replies; 4+ messages in thread From: Daniel Lang @ 2023-09-06 20:09 UTC (permalink / raw) To: buildroot The affected code isn't present in any release, see [0]. [0]: https://www.libssh.org/2023/07/14/cve-2023-3603-potential-null-dereference-in-libsshs-sftp-server/ Signed-off-by: Daniel Lang <dalang@gmx.at> --- package/libssh/libssh.mk | 3 +++ 1 file changed, 3 insertions(+) diff --git a/package/libssh/libssh.mk b/package/libssh/libssh.mk index e770d2b924..f6c590ba0a 100644 --- a/package/libssh/libssh.mk +++ b/package/libssh/libssh.mk @@ -16,6 +16,9 @@ LIBSSH_SUPPORTS_IN_SOURCE_BUILD = NO LIBSSH_CONF_OPTS = \ -DWITH_STACK_PROTECTOR=OFF \ -DWITH_EXAMPLES=OFF +# Not part of this release +# https://www.libssh.org/2023/07/14/cve-2023-3603-potential-null-dereference-in-libsshs-sftp-server/ +LIBSSH_IGNORE_CVES += CVE-2023-3603 ifeq ($(BR2_ARM_INSTRUCTIONS_THUMB),y) LIBSSH_CONF_OPTS += -DWITH_STACK_CLASH_PROTECTION=OFF -- 2.42.0 _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH] package/libssh: ignore CVE-2023-3603 2023-09-06 20:09 [Buildroot] [PATCH] package/libssh: ignore CVE-2023-3603 Daniel Lang @ 2023-09-08 20:32 ` Thomas Petazzoni via buildroot 2023-09-22 18:58 ` Arnout Vandecappelle via buildroot 2023-09-26 6:08 ` Peter Korsgaard 1 sibling, 1 reply; 4+ messages in thread From: Thomas Petazzoni via buildroot @ 2023-09-08 20:32 UTC (permalink / raw) To: Daniel Lang; +Cc: buildroot Hello Daniel, On Wed, 6 Sep 2023 22:09:27 +0200 Daniel Lang <dalang@gmx.at> wrote: > The affected code isn't present in any release, see [0]. > > [0]: https://www.libssh.org/2023/07/14/cve-2023-3603-potential-null-dereference-in-libsshs-sftp-server/ > > Signed-off-by: Daniel Lang <dalang@gmx.at> Here the NVD database tells us that the following CPE identifier is affected: cpe:2.3:a:libssh:libssh:-:*:*:*:*:*:*:* So the version field is not '*', but '-', and I think our pkg-stats script doesn't do the right thing when handling '-'. I remember asking the NVD maintainers about this, and they replied: The '-' in the URI 'cpe:2.3:a:ntp:ntp:-:*:*:*:*:*:*:*' is used because the affected version was not specified. We need to use the '-' when the affected version is not specified otherwise, using the '*' will incorrectly call all versions of NTP as vulnerable. The '*' is the wildcard, while the '-' is used to represent unspecified versions, a placeholder to an update, as explained earlier. I believe right now pkg-stats handles '-' like '*', but I'm not sure it's the right thing to do. But the answer from NVD didn't really help because "unspecified versions" doesn't mean much. Another thing that would be good to do in pkg-stats is warn if there is a CVE listed in <pkg>_IGNORE_CVES, but this CVE in fact does not affects the package. This would allow us to catch mistakes, but also cases where a CVE was added to the ignore list, but no longer needs to be in that list because the NVD data has been updated/improved. Best regards, Thomas -- Thomas Petazzoni, co-owner and CEO, Bootlin Embedded Linux and Kernel engineering and training https://bootlin.com _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH] package/libssh: ignore CVE-2023-3603 2023-09-08 20:32 ` Thomas Petazzoni via buildroot @ 2023-09-22 18:58 ` Arnout Vandecappelle via buildroot 0 siblings, 0 replies; 4+ messages in thread From: Arnout Vandecappelle via buildroot @ 2023-09-22 18:58 UTC (permalink / raw) To: Thomas Petazzoni, Daniel Lang; +Cc: buildroot On 08/09/2023 22:32, Thomas Petazzoni via buildroot wrote: > Hello Daniel, > > On Wed, 6 Sep 2023 22:09:27 +0200 > Daniel Lang <dalang@gmx.at> wrote: > >> The affected code isn't present in any release, see [0]. >> >> [0]: https://www.libssh.org/2023/07/14/cve-2023-3603-potential-null-dereference-in-libsshs-sftp-server/ >> >> Signed-off-by: Daniel Lang <dalang@gmx.at> > > Here the NVD database tells us that the following CPE identifier is > affected: > > cpe:2.3:a:libssh:libssh:-:*:*:*:*:*:*:* > > So the version field is not '*', but '-', and I think our pkg-stats > script doesn't do the right thing when handling '-'. I remember asking > the NVD maintainers about this, and they replied: > > The '-' in the URI 'cpe:2.3:a:ntp:ntp:-:*:*:*:*:*:*:*' is used > because the affected version was not specified. We need to use the > '-' when the affected version is not specified otherwise, using the > '*' will incorrectly call all versions of NTP as vulnerable. > > > The '*' is the wildcard, while the '-' is used to represent > unspecified versions, a placeholder to an update, as explained > earlier. > > I believe right now pkg-stats handles '-' like '*', but I'm not sure > it's the right thing to do. But the answer from NVD didn't really help > because "unspecified versions" doesn't mean much. On the other hand, we can't interpret it as "this CVE doesn't apply to any version at all", because for all we know we actually _are_ using a vulnerable commit sha. And I'm sure there are other situations where the - is used that we also can't simply exclude. I think we should interpet the - as "human intervention is needed" - which is exactly what happened here. Therefore, I applied the commit to master, thanks. I extended the commit message with a bit of the above information. > Another thing that would be good to do in pkg-stats is warn if there is > a CVE listed in <pkg>_IGNORE_CVES, but this CVE in fact does not > affects the package. This would allow us to catch mistakes, but also > cases where a CVE was added to the ignore list, but no longer needs to > be in that list because the NVD data has been updated/improved. +1 to that! Regards, Arnout _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH] package/libssh: ignore CVE-2023-3603 2023-09-06 20:09 [Buildroot] [PATCH] package/libssh: ignore CVE-2023-3603 Daniel Lang 2023-09-08 20:32 ` Thomas Petazzoni via buildroot @ 2023-09-26 6:08 ` Peter Korsgaard 1 sibling, 0 replies; 4+ messages in thread From: Peter Korsgaard @ 2023-09-26 6:08 UTC (permalink / raw) To: Daniel Lang; +Cc: buildroot >>>>> "Daniel" == Daniel Lang <dalang@gmx.at> writes: > The affected code isn't present in any release, see [0]. > [0]: > https://www.libssh.org/2023/07/14/cve-2023-3603-potential-null-dereference-in-libsshs-sftp-server/ > Signed-off-by: Daniel Lang <dalang@gmx.at> Committed to 2023.02.x, 2023.05.x and 2023.08.x, thanks. -- Bye, Peter Korsgaard _______________________________________________ buildroot mailing list buildroot@buildroot.org https://lists.buildroot.org/mailman/listinfo/buildroot ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-09-26 6:08 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2023-09-06 20:09 [Buildroot] [PATCH] package/libssh: ignore CVE-2023-3603 Daniel Lang 2023-09-08 20:32 ` Thomas Petazzoni via buildroot 2023-09-22 18:58 ` Arnout Vandecappelle via buildroot 2023-09-26 6:08 ` Peter Korsgaard
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox