Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH] package/skopeo: ignore un-applicable CVE
@ 2024-09-17 10:17 yann.morin
  2024-10-26 15:35 ` Thomas Petazzoni via buildroot
  0 siblings, 1 reply; 2+ messages in thread
From: yann.morin @ 2024-09-17 10:17 UTC (permalink / raw)
  To: buildroot; +Cc: yann.morin

From: "Yann E. MORIN" <yann.morin@orange.com>

The CVE tracker detects that CVE-2019-10214 impacts skopeo, but this is
a false positive. Indeed, that CVE applies to containers/image (which is
vendored in skopeo), and is matched for un-versioned skopeo (notice the
dash '-' in the CPE ID):

    https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:skopeo_project:skopeo:-:*:*:*:*:*:*:*

and does not apply to any versioned skopeo (1.16.1 and "any version" for
example; notice the star '*' or the version instead of the dash, in the
CPE ID):

    https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:skopeo_project:skopeo:*:*:*:*:*:*:*:*
    https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:skopeo_project:skopeo:1.16.1:*:*:*:*:*:*:*

This was fixed in containers/image in upstream commit a3d69a4a (Use the
same HTTP client for contacting the bearer token server and the
registry, 2019-08-01) which has been released in containers/image
v3.0.0 (2019-08-02), which has been vendored in skopeo since commit
bebcb94653cc (vendor github.com/containers/image@v3.0.0) released the
same day in skopeo 0.1.38 (2019-02-08).

Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
---
 package/skopeo/skopeo.mk | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/package/skopeo/skopeo.mk b/package/skopeo/skopeo.mk
index 9859d774d4..e2f7b8e889 100644
--- a/package/skopeo/skopeo.mk
+++ b/package/skopeo/skopeo.mk
@@ -11,6 +11,10 @@ SKOPEO_LICENSE = Apache-2.0
 SKOPEO_LICENSE_FILES = LICENSE
 SKOPEO_CPE_ID_VALID = YES
 
+# Applies to skopeo without a version; in practice, unaplicable since
+# skopeo 0.1.38 (2019-08-02)
+SKOPEO_CVE_IGNORE = CVE-2019-10214
+
 HOST_SKOPEO_DEPENDENCIES = \
 	host-btrfs-progs \
 	host-libgpgme \
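Review bot: the comment above SKOPEO_CVE_IGNORE has a typo ("unaplicable") and, more importantly, does not record what the CVE is or why it cannot apply, which is what the next maintainer who re-audits the ignore list needs; the commit message already has that reasoning, so carry it into the .mk, e.g.
# CVE-2019-10214: containers/image issue that NVD attaches only to the
# version-less skopeo CPE (skopeo:-); fixed in containers/image v3.0.0,
# vendored since skopeo 0.1.38 (2019-08-02)
Note also that the date in this comment (2019-08-02) disagrees with the one the commit message gives for skopeo 0.1.38 (2019-02-08); since the commit message says 0.1.38 was released "the same day" as containers/image v3.0.0 (2019-08-02), the comment looks right and the commit message has the month and day transposed. Finally, as the reply in this thread points out, the project's preferred fix is to have the NVD configuration corrected rather than to carry an ignore; if the ignore stays in the meantime, the comment could say that an NVD correction was requested so the line can be dropped once it lands.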
-- 
2.34.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH] package/skopeo: ignore un-applicable CVE
  2024-09-17 10:17 [Buildroot] [PATCH] package/skopeo: ignore un-applicable CVE yann.morin
@ 2024-10-26 15:35 ` Thomas Petazzoni via buildroot
  0 siblings, 0 replies; 2+ messages in thread
From: Thomas Petazzoni via buildroot @ 2024-10-26 15:35 UTC (permalink / raw)
  To: yann.morin; +Cc: buildroot

Hello Yann,

On Tue, 17 Sep 2024 12:17:17 +0200
<yann.morin@orange.com> wrote:

> From: "Yann E. MORIN" <yann.morin@orange.com>
> 
> The CVE tracker detects that CVE-2019-10214 impacts skopeo, but this is
> a false positive. Indeed, that CVE applies to containers/image (which is
> vendored in skopeo), and is matched for un-versioned skopeo (notice the
> dash '-' in the CPE ID):
> 
>     https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:skopeo_project:skopeo:-:*:*:*:*:*:*:*
> 
> and does not apply to any versioned skopeo (1.16.1 and "any version" for
> example; notice the star '*' or the version instead of the dash, in the
> CPE ID):
> 
>     https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:skopeo_project:skopeo:*:*:*:*:*:*:*:*
>     https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:skopeo_project:skopeo:1.16.1:*:*:*:*:*:*:*

Wow, it took me a while to process the explanation here. Let me
rephrase what I understood:

- The NVD database entry for CVE-2019-10214 indicates that one of the
  affected CPE IDs is cpe:2.3:a:skopeo_project:skopeo:-:*:*:*:*:*:*:*

- The CPE ID generated by Buildroot for the skopeo package is
  cpe:2.3:a:skopeo_project:skopeo:1.16.0:*:*:*:*:*:*:*

- Because pkg-stats handles "-" as "any version is affected", then it
  causes CVE-2019-10214 to be assumed to affect our version of skopeo

> This was fixed in containers/image in upstream commit a3d69a4a (Use the
> same HTTP client for contacting the bearer token server and the
> registry, 2019-08-01) which has been released in containers/image
> v3.0.0 (2019-08-02), which has been vendored in skopeo since commit
> bebcb94653cc (vendor github.com/containers/image@v3.0.0) released the
> same day in skopeo 0.1.38 (2019-02-08).

So I agree, but then the proper course of action we recommend to our
contributors in this situation, is to contact the NVD people and have
them update their database entry. In this case, you already have the
needed information, as you tracked which exact version fixed the issue.
Could you contact the NVD database maintainers to get this fixed
upstream?

Thanks a lot!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
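To make the matching behaviour both messages describe concrete, here is a small CPE 2.3 matcher added as an example. It is not Buildroot's support/scripts/cve.py nor NVD's code; the NVD-style entries are constructed to mirror the thread (the published configuration with the version-less "-" skopeo CPE, and a constructed "corrected" entry that encodes the fix release, skopeo 0.1.38 per the commit message, as an exclusive upper bound). The `dash_means_any` switch reproduces the pkg-stats behaviour Thomas describes ("-" treated as "every version is affected") against the CPE 2.3 meaning of "-" (no version at all), and the `ignore` parameter plays the role of SKOPEO_CVE_IGNORE.

```python
"""Toy CPE 2.3 matcher for the skopeo / CVE-2019-10214 false positive.

Added example; neither Buildroot's cve.py nor NVD's matcher. The entries
below are constructed to mirror the thread, not copied from NVD.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cpe:
    part: str
    vendor: str
    product: str
    version: str  # '*' = ANY, '-' = NA (no version), otherwise a concrete version


def parse_cpe23(cpe: str) -> Cpe:
    """Split a CPE 2.3 formatted string; '\\:' escapes a colon inside a field."""
    fields, cur, i = [], "", 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):
            cur += cpe[i:i + 2]
            i += 2
        elif cpe[i] == ":":
            fields.append(cur)
            cur, i = "", i + 1
        else:
            cur += cpe[i]
            i += 1
    fields.append(cur)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return Cpe(part=fields[2], vendor=fields[3], product=fields[4], version=fields[5])


def vtuple(version: str) -> tuple:
    """Dotted numeric versions only (assumption; sufficient for skopeo releases)."""
    return tuple(int(x) for x in version.split("."))


def cpe_match_affects(match: dict, pkg: Cpe, dash_means_any: bool) -> bool:
    """Does one NVD-style cpe_match entry cover the package CPE?

    dash_means_any=True mimics the pkg-stats behaviour described in the thread
    ('-' == any version affected); False follows CPE 2.3, where '-' means
    "no version", which cannot match a concrete version such as 1.16.1.
    """
    cpe = parse_cpe23(match["cpe23Uri"])
    if (cpe.part, cpe.vendor, cpe.product) != (pkg.part, pkg.vendor, pkg.product):
        return False
    if cpe.version == "-":
        return dash_means_any
    if cpe.version != "*":
        return cpe.version == pkg.version
    # '*' with optional range bounds, named as in NVD's cpe_match objects
    v = vtuple(pkg.version)
    lo_in, lo_ex = match.get("versionStartIncluding"), match.get("versionStartExcluding")
    hi_in, hi_ex = match.get("versionEndIncluding"), match.get("versionEndExcluding")
    if lo_in and v < vtuple(lo_in):
        return False
    if lo_ex and v <= vtuple(lo_ex):
        return False
    if hi_in and v > vtuple(hi_in):
        return False
    if hi_ex and v >= vtuple(hi_ex):
        return False
    return True


def affected_cves(cve_db: dict, pkg_cpe: str, ignore=(), dash_means_any=True) -> list:
    """CVE ids in cve_db matching pkg_cpe, minus an ignore list (cf. SKOPEO_CVE_IGNORE)."""
    pkg = parse_cpe23(pkg_cpe)
    return sorted(cve for cve, matches in cve_db.items()
                  if cve not in ignore
                  and any(cpe_match_affects(m, pkg, dash_means_any) for m in matches))


SKOPEO_1_16_1 = "cpe:2.3:a:skopeo_project:skopeo:1.16.1:*:*:*:*:*:*:*"
SKOPEO_0_1_37 = "cpe:2.3:a:skopeo_project:skopeo:0.1.37:*:*:*:*:*:*:*"

# Constructed stand-in for the configuration the thread links to: version-less '-' CPE.
NVD_AS_PUBLISHED = {
    "CVE-2019-10214": [
        {"cpe23Uri": "cpe:2.3:a:skopeo_project:skopeo:-:*:*:*:*:*:*:*"},
    ],
}

# Constructed illustration of the entry after the correction Thomas asks for:
# '*' plus the fix release (skopeo 0.1.38 per the commit message) as an exclusive bound.
NVD_CORRECTED = {
    "CVE-2019-10214": [
        {"cpe23Uri": "cpe:2.3:a:skopeo_project:skopeo:*:*:*:*:*:*:*:*",
         "versionEndExcluding": "0.1.38"},
    ],
}

if __name__ == "__main__":
    print(affected_cves(NVD_AS_PUBLISHED, SKOPEO_1_16_1))                      # the false positive
    print(affected_cves(NVD_AS_PUBLISHED, SKOPEO_1_16_1, dash_means_any=False))  # strict '-' semantics
    print(affected_cves(NVD_AS_PUBLISHED, SKOPEO_1_16_1, ignore=("CVE-2019-10214",)))
    print(affected_cves(NVD_CORRECTED, SKOPEO_0_1_37))                         # pre-fix release
    print(affected_cves(NVD_CORRECTED, SKOPEO_1_16_1))                         # fixed release
```

The first call shows the report the thread is about: with "-" read as "any version", the version-less entry hits skopeo 1.16.1. The ignore list silences it locally, but the last two calls show why the corrected NVD entry is the better fix: with a real range, 0.1.37 is still flagged and 1.16.1 is not, and no per-package exception is needed at all.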
