From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: <yann.morin@orange.com>
Cc: <buildroot@buildroot.org>
Subject: Re: [Buildroot] [PATCH] package/skopeo: ignore un-applicable CVE
Date: Sat, 26 Oct 2024 17:35:02 +0200
Message-ID: <20241026173502.4f6911a3@windsurf>
In-Reply-To: <45637d224995588db97c5908d41ea67600e432f3.1726568237.git.yann.morin@orange.com>
Hello Yann,
On Tue, 17 Sep 2024 12:17:17 +0200
<yann.morin@orange.com> wrote:
> From: "Yann E. MORIN" <yann.morin@orange.com>
>
> The CVE tracker detects that CVE-2019-10214 impacts skopeo, but this is
> a false positive. Indeed, that CVE applies to containers/image (which is
> vendored in skopeo), and is matched for un-versioned skopeo (notice the
> dash '-' in the CPE ID):
>
> https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:skopeo_project:skopeo:-:*:*:*:*:*:*:*
>
> and does not apply to any versioned skopeo (1.16.1 and "any version" for
> example; notice the star '*' or the version instead of the dash, in the
> CPE ID):
>
> https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:skopeo_project:skopeo:*:*:*:*:*:*:*:*
> https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:skopeo_project:skopeo:1.16.1:*:*:*:*:*:*:*
Wow, it took me a while to process the explanation here. Let me
rephrase what I understood:
- The NVD database entry for CVE-2019-10214 indicates that one of the
affected CPE IDs is cpe:2.3:a:skopeo_project:skopeo:-:*:*:*:*:*:*:*
- The CPE ID generated by Buildroot for the skopeo package is
cpe:2.3:a:skopeo_project:skopeo:1.16.0:*:*:*:*:*:*:*
- Because pkg-stats handles "-" as "any version is affected", then it
causes CVE-2019-10214 to be assumed to affect our version of skopeo
> This was fixed in containers/image in upstream commit a3d69a4a (Use the
> same HTTP client for contacting the bearer token server and the
> registry, 2019-08-01) which has been released in containers/image
> v3.0.0 (2019-08-02), which has been vendored in skopeo since commit
> bebcb94653cc (vendor github.com/containers/image@v3.0.0) released the
> same day in skopeo 0.1.38 (2019-02-08).
So I agree, but then the proper course of action we recommend to our
contributors in this situation is to contact the NVD people and have
them update their database entry. In this case, you already have the
needed information, as you tracked which exact version fixed the issue.
Could you contact the NVD database maintainers to get this fixed
upstream?
Thanks a lot!
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
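The "-" versus "*" distinction discussed above is the whole false positive. The following is an added example, not code from Buildroot's pkg-stats nor from NVD: it parses the CPE 2.3 strings quoted in the thread and shows the two ways the version component can be compared. Under the CPE naming spec, "*" is the logical value ANY and "-" is NA (no version at all), so a CVE configured only for "skopeo:-" should not match a concrete "skopeo:1.16.0"; a matcher that treats "-" like "*" (the behaviour Thomas describes for pkg-stats, modelled here by the dash_is_any flag) reports the hit. The CVE CPE list is constructed from the single skopeo CPE quoted in the thread, not copied from the NVD record, and the parser ignores escaped colons for brevity.

```python
"""Added example (not Buildroot's pkg-stats, not NVD code): CPE 2.3 version
matching, showing why cpe:2.3:a:skopeo_project:skopeo:-:*:*:*:*:*:*:* should
not be matched against a versioned Buildroot CPE for skopeo."""
from dataclasses import dataclass
from typing import List, Tuple

ANY = "*"  # CPE 2.3 logical value ANY: matches every version
NA = "-"   # CPE 2.3 logical value NA: "no version", not a wildcard


@dataclass(frozen=True)
class Cpe:
    part: str
    vendor: str
    product: str
    version: str
    # update, edition, language, sw_edition, target_sw, target_hw, other:
    # kept for completeness, not used by the matcher below
    rest: Tuple[str, ...]


def parse_cpe(cpe: str) -> Cpe:
    """Split a CPE 2.3 formatted string into its 13 components.

    Simplification (assumption): escaped colons ("\\:") inside a component
    are not handled; none of the CPEs quoted in the thread contain any."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return Cpe(part=fields[2], vendor=fields[3], product=fields[4],
               version=fields[5], rest=tuple(fields[6:]))


def version_matches(cve_version: str, pkg_version: str,
                    dash_is_any: bool = False) -> bool:
    """Does the version component of a CVE's CPE apply to pkg_version?

    Spec semantics: "*" matches anything; "-" means the entry carries no
    version and only matches another "-"; anything else is an exact match.
    dash_is_any=True models a tracker that treats "-" like "*" (the lenient
    behaviour described in the thread), which is what yields the false
    positive for skopeo 1.16.0."""
    if cve_version == ANY:
        return True
    if cve_version == NA:
        return True if dash_is_any else pkg_version == NA
    return cve_version == pkg_version


def affected(cve_cpes: List[str], pkg_cpe: str,
             dash_is_any: bool = False) -> List[str]:
    """Return the CVE CPEs that match the package CPE (same part, vendor
    and product, and a matching version component)."""
    pkg = parse_cpe(pkg_cpe)
    hits = []
    for s in cve_cpes:
        c = parse_cpe(s)
        if (c.part, c.vendor, c.product) != (pkg.part, pkg.vendor, pkg.product):
            continue
        if version_matches(c.version, pkg.version, dash_is_any):
            hits.append(s)
    return hits


# Constructed sample input: only the un-versioned skopeo CPE quoted in the
# thread, not the full configuration list of the NVD record.
CVE_2019_10214_CPES = [
    "cpe:2.3:a:skopeo_project:skopeo:-:*:*:*:*:*:*:*",
]
# The CPE Thomas says Buildroot generates for its skopeo package.
BUILDROOT_SKOPEO_CPE = "cpe:2.3:a:skopeo_project:skopeo:1.16.0:*:*:*:*:*:*:*"


def demo() -> Tuple[List[str], List[str]]:
    """Strict (spec) matching versus the lenient "-" handling, side by side."""
    strict = affected(CVE_2019_10214_CPES, BUILDROOT_SKOPEO_CPE)
    lenient = affected(CVE_2019_10214_CPES, BUILDROOT_SKOPEO_CPE,
                       dash_is_any=True)
    return strict, lenient


if __name__ == "__main__":
    strict_hits, lenient_hits = demo()
    print("spec semantics  :", strict_hits)    # no match
    print("dash treated as*:", lenient_hits)   # the false positive
```

Real NVD configurations usually also carry versionStartIncluding / versionEndExcluding bounds, which this example does not model; it only isolates the "-" versus "*" question raised in the thread.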
Thread overview:
2024-09-17 10:17 [Buildroot] [PATCH] package/skopeo: ignore un-applicable CVE yann.morin
2024-10-26 15:35 ` Thomas Petazzoni via buildroot [this message]