Re: [Buildroot] [PATCH 2/3] package/glibc: ignore CVEs not considered as security issues by upstream

From: Peter Korsgaard <peter@korsgaard.com>
To: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
Cc: Romain Naour <romain.naour@gmail.com>,
	peter.verbrugge@technolution.nl,
	"Yann E. MORIN" <yann.morin.1998@free.fr>,
	Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Subject: Re: [Buildroot] [PATCH 2/3] package/glibc: ignore CVEs not considered as security issues by upstream
Date: Sun, 07 Jan 2024 23:26:28 +0100	[thread overview]
Message-ID: <878r50zsob.fsf@48ers.dk> (raw)
In-Reply-To: <20231220200110.1819507-2-thomas.petazzoni@bootlin.com> (Thomas Petazzoni via buildroot's message of "Wed, 20 Dec 2023 21:01:08 +0100")

>>>>> "Thomas" == Thomas Petazzoni via buildroot <buildroot@buildroot.org> writes:

 > 5 CVEs affecting glibc according to the NVD database are considered as
 > not being security issues by upstream glibc developers:

 > * CVE-2010-4756: The glob implementation in the GNU C Library (aka
 >   glibc or libc6) allows remote authenticated users to cause a denial
 >   of service (CPU and memory consumption) via crafted glob expressions
 >   that do not match any pathnames. glibc maintainers position: "That's
 >   standard POSIX behaviour implemented by (e)glibc. Applications using
 >   glob need to impose limits for themselves"

 > * CVE-2019-1010022: GNU Libc current is affected by: Mitigation
 >   bypass. The impact is: Attacker may bypass stack guard
 >   protection. The component is: nptl. The attack vector is: Exploit
 >   stack buffer overflow vulnerability and use this bypass
 >   vulnerability to bypass stack guard. NOTE: Upstream comments
 >   indicate "this is being treated as a non-security bug and no real
 >   threat. glibc maintainers position: "Not treated as a security issue
 >   by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22850"

 > * CVE-2019-1010023: GNU Libc current is affected by: Re-mapping
 >   current loaded library with malicious ELF file. The impact is: In
 >   worst case attacker may evaluate privileges. The component is:
 >   libld. The attack vector is: Attacker sends 2 ELF files to victim
 >   and asks to run ldd on it. ldd execute code. NOTE: Upstream comments
 >   indicate "this is being treated as a non-security bug and no real
 >   threat. glibc maintainers position: "Not treated as a security issue
 >   by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22851"

 > * CVE-2019-1010024: GNU Libc current is affected by: Mitigation
 >   bypass. The impact is: Attacker may bypass ASLR using cache of
 >   thread stack and heap. The component is: glibc. NOTE: Upstream
 >   comments indicate "this is being treated as a non-security bug and
 >   no real threat. glibc maintainers position: "Not treated as a
 >   security issue by upstream
 >   https://sourceware.org/bugzilla/show_bug.cgi?id=22852"

 > * CVE-2019-1010025: GNU Libc current is affected by: Mitigation
 >   bypass. The impact is: Attacker may guess the heap addresses of
 >   pthread_created thread. The component is: glibc. NOTE: the vendor's
 >   position is "ASLR bypass itself is not a vulnerability. Glibc
 >   maintainers position: "Not treated as a security issue by upstream
 >   https://sourceware.org/bugzilla/show_bug.cgi?id=22853"

 > Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
 > ---
 > I believe those CVEs should be ignored, because they will never be
 > fixed, and therefore they cause additional noise that makes it more
 > difficult to spot the real CVEs that need to be fixed.

Committed to 2023.02.x and 2023.11.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot