* [Buildroot] [PATCH] package/log4cxx: ignore CVE-2023-31038
@ 2023-08-28 22:32 Thomas Petazzoni via buildroot
  2023-08-30 20:04 ` Arnout Vandecappelle via buildroot
  2023-09-14  8:23 ` Peter Korsgaard
From: Thomas Petazzoni via buildroot @ 2023-08-28 22:32 UTC (permalink / raw)
  To: buildroot; +Cc: Thomas Petazzoni

CVE-2023-31038 affects log4cxx only if ODBC is supported. While
CVE-2023-31038 has been fixed in newer versions of log4cxx, there is
quite a huge gap to do a version bump, and the commit that fixes
CVE-2023-31038 could not be identified.

Therefore, we want to rely on the fact that our log4cxx package does
not support ODBC: there is indeed no explicit dependency on our
unixodbc package in log4cxx.mk. However, log4cxx automatically detects
if ODBC is available and if it is, it uses it.

So what we do in this commit is backport an upstream commit, which
explicitly adds options to enable/disable ODBC and ESMTP support, and
we use them to (1) always disable ODBC and (2) explicitly
enable/disable ESMTP support.

Thanks to ODBC being disabled, we're not affected by CVE-2023-31038.

Of course, there is a potential regression for users who were relying
on the implicit unixodbc dependency, but as we could not identify the
commit fixing the CVE-2023-31038, this is the best we can do at the
moment.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 .../0001-Make-ODBC-and-SMTP-opt-in-191.patch  | 73 +++++++++++++++++++
 package/log4cxx/log4cxx.mk                    |  9 ++-
 2 files changed, 81 insertions(+), 1 deletion(-)
 create mode 100644 package/log4cxx/0001-Make-ODBC-and-SMTP-opt-in-191.patch

diff --git a/package/log4cxx/0001-Make-ODBC-and-SMTP-opt-in-191.patch b/package/log4cxx/0001-Make-ODBC-and-SMTP-opt-in-191.patch
new file mode 100644
index 0000000000..a116fcc491
--- /dev/null
+++ b/package/log4cxx/0001-Make-ODBC-and-SMTP-opt-in-191.patch
@@ -0,0 +1,73 @@
+From 4900c27cc284ba2f671ae92e6ffb4ab391f9507a Mon Sep 17 00:00:00 2001
+From: Robert Middleton <rm5248@users.noreply.github.com>
+Date: Mon, 6 Feb 2023 20:39:02 -0500
+Subject: [PATCH] Make ODBC and SMTP opt-in (#191)
+
+See #189
+
+Upstream: afeaab6d0f0107c77dfadcbe3708f170c48d5ed9
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+---
+ src/main/include/CMakeLists.txt | 40 ++++++++++++++++++++++++---------
+ 1 file changed, 30 insertions(+), 10 deletions(-)
+
+diff --git a/src/main/include/CMakeLists.txt b/src/main/include/CMakeLists.txt
+index e31443fb..d6835293 100644
+--- a/src/main/include/CMakeLists.txt
++++ b/src/main/include/CMakeLists.txt
+@@ -85,22 +85,42 @@ include(CheckIncludeFiles)
+ include(CheckIncludeFileCXX)
+ include(CheckLibraryExists)
+ 
+-if(WIN32)
+-	CHECK_INCLUDE_FILES(sqlext.h HAS_ODBC)
++option(LOG4CXX_ENABLE_ODBC "Support logging via ODBC" OFF)
++if(LOG4CXX_ENABLE_ODBC)
++    if(WIN32)
++            CHECK_INCLUDE_FILES(sqlext.h HAS_ODBC)
++    else()
++            include(FindPkgConfig)
++
++            pkg_check_modules( odbc odbc )
++            if(${odbc_FOUND})
++                    set(HAS_ODBC 1)
++            else()
++                    set(HAS_ODBC 0)
++            endif(${odbc_FOUND})
++    endif(WIN32)
++
++    if(NOT ${HAS_ODBC})
++        message(SEND_ERROR "ODBC not found but requested")
++    endif()
+ else()
+-	include(FindPkgConfig)
+-
+-	pkg_check_modules( odbc QUIET odbc )
+-	if(${odbc_FOUND})
+-		set(HAS_ODBC 1)
+-	endif(${odbc_FOUND})
+-endif(WIN32)
++    set(HAS_ODBC 0)
++endif(LOG4CXX_ENABLE_ODBC)
++
++option(LOG4CXX_ENABLE_ESMTP "Support logging via libesmtp" OFF)
++if(LOG4CXX_ENABLE_ESMTP)
++    CHECK_LIBRARY_EXISTS(esmtp smtp_create_session "" HAS_LIBESMTP)
++    if(NOT HAS_LIBESMTP)
++        message(SEND_ERROR "SMTP support with libesmtp not found but requested")
++    endif()
++else()
++    set(HAS_LIBESMTP 0)
++endif(LOG4CXX_ENABLE_ESMTP)
+ 
+ CHECK_INCLUDE_FILE_CXX(locale HAS_STD_LOCALE)
+ CHECK_FUNCTION_EXISTS(mbsrtowcs HAS_MBSRTOWCS)
+ CHECK_FUNCTION_EXISTS(wcstombs HAS_WCSTOMBS)
+ CHECK_FUNCTION_EXISTS(fwide HAS_FWIDE)
+-CHECK_LIBRARY_EXISTS(esmtp smtp_create_session "" HAS_LIBESMTP)
+ CHECK_FUNCTION_EXISTS(syslog HAS_SYSLOG)
+ if(UNIX)
+     set(CMAKE_REQUIRED_LIBRARIES "pthread")
+-- 
+2.41.0
+
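Review bot: In the ODBC block of the backported CMake change, `if(NOT ${HAS_ODBC})` dereferences the result variable unquoted; on WIN32, if `sqlext.h` is absent and CHECK_INCLUDE_FILES records an empty value (which it presumably does on failure), the line expands to `if(NOT )` and configure aborts on a malformed `if()` rather than with the intended `SEND_ERROR "ODBC not found but requested"`. The robust spelling is `if(NOT HAS_ODBC)`, which is exactly what the ESMTP block below already uses for `HAS_LIBESMTP`. Since this file is a verbatim upstream backport (Upstream: afeaab6d0f0107c77dfadcbe3708f170c48d5ed9), the correction belongs upstream rather than in a local edit of the patch, and the Buildroot build never reaches that branch because log4cxx.mk forces `-DLOG4CXX_ENABLE_ODBC=OFF`. The surrounding CMakeLists.txt continues outside the hunk.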
diff --git a/package/log4cxx/log4cxx.mk b/package/log4cxx/log4cxx.mk
index a5569126d4..aee682529c 100644
--- a/package/log4cxx/log4cxx.mk
+++ b/package/log4cxx/log4cxx.mk
@@ -11,10 +11,14 @@ LOG4CXX_INSTALL_STAGING = YES
 LOG4CXX_LICENSE = Apache-2.0
 LOG4CXX_LICENSE_FILES = LICENSE
 LOG4CXX_CPE_ID_VENDOR = apache
+# We do not support ODBC functionality
+LOG4CXX_IGNORE_CVES = CVE-2023-31038
 
+# Note: if you want to support odbc, make sure CVE-2023-31038 is fixed
 LOG4CXX_CONF_OPTS = \
 	-DAPR_CONFIG_EXECUTABLE=$(STAGING_DIR)/usr/bin/apr-1-config \
-	-DAPR_UTIL_CONFIG_EXECUTABLE=$(STAGING_DIR)/usr/bin/apu-1-config
+	-DAPR_UTIL_CONFIG_EXECUTABLE=$(STAGING_DIR)/usr/bin/apu-1-config \
+	-DLOG4CXX_ENABLE_ODBC=OFF
 
 LOG4CXX_DEPENDENCIES = apr apr-util
 
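Review bot: The comment above `LOG4CXX_IGNORE_CVES` does not record that the ignore is only valid because the backported patch 0001-Make-ODBC-and-SMTP-opt-in-191.patch introduces the `LOG4CXX_ENABLE_ODBC` option that `-DLOG4CXX_ENABLE_ODBC=OFF` below relies on; without the patch, log4cxx silently picks up unixodbc when it is present in staging, as the commit message itself explains. When the package is later bumped and the patch dropped, nothing here will flag that the ignore must be re-evaluated. Suggest replacing the comment with `# ODBC support is forced off via -DLOG4CXX_ENABLE_ODBC=OFF below (option added by 0001-Make-ODBC-and-SMTP-opt-in-191.patch), so the ODBC-only CVE-2023-31038 does not apply; revisit on version bump`.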
@@ -23,7 +27,10 @@ LOG4CXX_DEPENDENCIES += boost
 endif
 
 ifeq ($(BR2_PACKAGE_LIBESMTP),y)
+LOG4CXX_CONF_OPTS += -DLOG4CXX_ENABLE_LIBESMTP=ON
 LOG4CXX_DEPENDENCIES += libesmtp
+else
+LOG4CXX_CONF_OPTS += -DLOG4CXX_ENABLE_LIBESMTP=OFF
 endif
 
 ifeq ($(BR2_USE_WCHAR),y)
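Review bot: The option name passed in this hunk, `LOG4CXX_ENABLE_LIBESMTP`, does not match the option the backported patch defines, `option(LOG4CXX_ENABLE_ESMTP "Support logging via libesmtp" OFF)`; CMake will only warn about a manually-specified variable that the project did not use, the option keeps its default OFF, and SMTP logging is therefore never built even when `BR2_PACKAGE_LIBESMTP=y`, leaving the `libesmtp` dependency added just above with no effect. This is a functional regression against the previous behaviour, where `CHECK_LIBRARY_EXISTS(esmtp ...)` ran unconditionally and picked libesmtp up when present. The two lines should read `LOG4CXX_CONF_OPTS += -DLOG4CXX_ENABLE_ESMTP=ON` and `LOG4CXX_CONF_OPTS += -DLOG4CXX_ENABLE_ESMTP=OFF`. The ODBC line in the first hunk uses the correct spelling, so only the ESMTP pair is affected.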
-- 
2.41.0


* Re: [Buildroot] [PATCH] package/log4cxx: ignore CVE-2023-31038
  2023-08-28 22:32 [Buildroot] [PATCH] package/log4cxx: ignore CVE-2023-31038 Thomas Petazzoni via buildroot
@ 2023-08-30 20:04 ` Arnout Vandecappelle via buildroot
  2023-09-14  8:23 ` Peter Korsgaard
From: Arnout Vandecappelle via buildroot @ 2023-08-30 20:04 UTC (permalink / raw)
  To: Thomas Petazzoni, buildroot



On 29/08/2023 00:32, Thomas Petazzoni via buildroot wrote:
> CVE-2023-31038 affects log4cxx only if ODBC is supported. While
> CVE-2023-31038 has been fixed in newer versions of log4cxx, there is
> quite a huge gap to do a version bump, and the commit that fixes
> CVE-2023-31038 could not be identified.
> 
> Therefore, we want to rely on the fact that our log4cxx package does
> not support ODBC: there is indeed no explicit dependency on our
> unixodbc package in log4cxx.mk. However, log4cxx automatically detects
> if ODBC is available and if it is, it uses it.
> 
> So what we do in this commit is backport an upstream commit, which
> adds explicitly options to enable/disable ODBC and ESMTP support, and
> we use them to (1) always disable ODBC and (2) explicitly
> enable/disable ESMTP support.
> 
> Thanks to ODBC being disabled, we're not affected by CVE-2023-31038.
> 
> Of course, there is a potential regression for users who were relying
> on the implicit unixodbc dependency, but as we could not identify the
> commit fixing the CVE-2023-31038, this is the best we can do at the
> moment.
> 
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

  Applied to master, thanks.

  Regards,
  Arnout

> ---
>   .../0001-Make-ODBC-and-SMTP-opt-in-191.patch  | 73 +++++++++++++++++++
>   package/log4cxx/log4cxx.mk                    |  9 ++-
>   2 files changed, 81 insertions(+), 1 deletion(-)
>   create mode 100644 package/log4cxx/0001-Make-ODBC-and-SMTP-opt-in-191.patch
> 
> diff --git a/package/log4cxx/0001-Make-ODBC-and-SMTP-opt-in-191.patch b/package/log4cxx/0001-Make-ODBC-and-SMTP-opt-in-191.patch
> new file mode 100644
> index 0000000000..a116fcc491
> --- /dev/null
> +++ b/package/log4cxx/0001-Make-ODBC-and-SMTP-opt-in-191.patch
> @@ -0,0 +1,73 @@
> +From 4900c27cc284ba2f671ae92e6ffb4ab391f9507a Mon Sep 17 00:00:00 2001
> +From: Robert Middleton <rm5248@users.noreply.github.com>
> +Date: Mon, 6 Feb 2023 20:39:02 -0500
> +Subject: [PATCH] Make ODBC and SMTP opt-in (#191)
> +
> +See #189
> +
> +Upstream: afeaab6d0f0107c77dfadcbe3708f170c48d5ed9
> +Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> +---
> + src/main/include/CMakeLists.txt | 40 ++++++++++++++++++++++++---------
> + 1 file changed, 30 insertions(+), 10 deletions(-)
> +
> +diff --git a/src/main/include/CMakeLists.txt b/src/main/include/CMakeLists.txt
> +index e31443fb..d6835293 100644
> +--- a/src/main/include/CMakeLists.txt
> ++++ b/src/main/include/CMakeLists.txt
> +@@ -85,22 +85,42 @@ include(CheckIncludeFiles)
> + include(CheckIncludeFileCXX)
> + include(CheckLibraryExists)
> +
> +-if(WIN32)
> +-	CHECK_INCLUDE_FILES(sqlext.h HAS_ODBC)
> ++option(LOG4CXX_ENABLE_ODBC "Support logging via ODBC" OFF)
> ++if(LOG4CXX_ENABLE_ODBC)
> ++    if(WIN32)
> ++            CHECK_INCLUDE_FILES(sqlext.h HAS_ODBC)
> ++    else()
> ++            include(FindPkgConfig)
> ++
> ++            pkg_check_modules( odbc odbc )
> ++            if(${odbc_FOUND})
> ++                    set(HAS_ODBC 1)
> ++            else()
> ++                    set(HAS_ODBC 0)
> ++            endif(${odbc_FOUND})
> ++    endif(WIN32)
> ++
> ++    if(NOT ${HAS_ODBC})
> ++        message(SEND_ERROR "ODBC not found but requested")
> ++    endif()
> + else()
> +-	include(FindPkgConfig)
> +-
> +-	pkg_check_modules( odbc QUIET odbc )
> +-	if(${odbc_FOUND})
> +-		set(HAS_ODBC 1)
> +-	endif(${odbc_FOUND})
> +-endif(WIN32)
> ++    set(HAS_ODBC 0)
> ++endif(LOG4CXX_ENABLE_ODBC)
> ++
> ++option(LOG4CXX_ENABLE_ESMTP "Support logging via libesmtp" OFF)
> ++if(LOG4CXX_ENABLE_ESMTP)
> ++    CHECK_LIBRARY_EXISTS(esmtp smtp_create_session "" HAS_LIBESMTP)
> ++    if(NOT HAS_LIBESMTP)
> ++        message(SEND_ERROR "SMTP support with libesmtp not found but requested")
> ++    endif()
> ++else()
> ++    set(HAS_LIBESMTP 0)
> ++endif(LOG4CXX_ENABLE_ESMTP)
> +
> + CHECK_INCLUDE_FILE_CXX(locale HAS_STD_LOCALE)
> + CHECK_FUNCTION_EXISTS(mbsrtowcs HAS_MBSRTOWCS)
> + CHECK_FUNCTION_EXISTS(wcstombs HAS_WCSTOMBS)
> + CHECK_FUNCTION_EXISTS(fwide HAS_FWIDE)
> +-CHECK_LIBRARY_EXISTS(esmtp smtp_create_session "" HAS_LIBESMTP)
> + CHECK_FUNCTION_EXISTS(syslog HAS_SYSLOG)
> + if(UNIX)
> +     set(CMAKE_REQUIRED_LIBRARIES "pthread")
> +--
> +2.41.0
> +
> diff --git a/package/log4cxx/log4cxx.mk b/package/log4cxx/log4cxx.mk
> index a5569126d4..aee682529c 100644
> --- a/package/log4cxx/log4cxx.mk
> +++ b/package/log4cxx/log4cxx.mk
> @@ -11,10 +11,14 @@ LOG4CXX_INSTALL_STAGING = YES
>   LOG4CXX_LICENSE = Apache-2.0
>   LOG4CXX_LICENSE_FILES = LICENSE
>   LOG4CXX_CPE_ID_VENDOR = apache
> +# We do not support ODBC functionality
> +LOG4CXX_IGNORE_CVES = CVE-2023-31038
>   
> +# Note: if you want to support odbc, make sure CVE-2023-31038 is fixed
>   LOG4CXX_CONF_OPTS = \
>   	-DAPR_CONFIG_EXECUTABLE=$(STAGING_DIR)/usr/bin/apr-1-config \
> -	-DAPR_UTIL_CONFIG_EXECUTABLE=$(STAGING_DIR)/usr/bin/apu-1-config
> +	-DAPR_UTIL_CONFIG_EXECUTABLE=$(STAGING_DIR)/usr/bin/apu-1-config \
> +	-DLOG4CXX_ENABLE_ODBC=OFF
>   
>   LOG4CXX_DEPENDENCIES = apr apr-util
>   
> @@ -23,7 +27,10 @@ LOG4CXX_DEPENDENCIES += boost
>   endif
>   
>   ifeq ($(BR2_PACKAGE_LIBESMTP),y)
> +LOG4CXX_CONF_OPTS += -DLOG4CXX_ENABLE_LIBESMTP=ON
>   LOG4CXX_DEPENDENCIES += libesmtp
> +else
> +LOG4CXX_CONF_OPTS += -DLOG4CXX_ENABLE_LIBESMTP=OFF
>   endif
>   
>   ifeq ($(BR2_USE_WCHAR),y)

* Re: [Buildroot] [PATCH] package/log4cxx: ignore CVE-2023-31038
  2023-08-28 22:32 [Buildroot] [PATCH] package/log4cxx: ignore CVE-2023-31038 Thomas Petazzoni via buildroot
  2023-08-30 20:04 ` Arnout Vandecappelle via buildroot
@ 2023-09-14  8:23 ` Peter Korsgaard
From: Peter Korsgaard @ 2023-09-14  8:23 UTC (permalink / raw)
  To: Thomas Petazzoni via buildroot; +Cc: Thomas Petazzoni

>>>>> "Thomas" == Thomas Petazzoni via buildroot <buildroot@buildroot.org> writes:

 > CVE-2023-31038 affects log4cxx only if ODBC is supported. While
 > CVE-2023-31038 has been fixed in newer versions of log4cxx, there is
 > quite a huge gap to do a version bump, and the commit that fixes
 > CVE-2023-31038 could not be identified.

 > Therefore, we want to rely on the fact that our log4cxx package does
 > not support ODBC: there is indeed no explicit dependency on our
 > unixodbc package in log4cxx.mk. However, log4cxx automatically detects
 > if ODBC is available and if it is, it uses it.

 > So what we do in this commit is backport an upstream commit, which
 > adds explicitly options to enable/disable ODBC and ESMTP support, and
 > we use them to (1) always disable ODBC and (2) explicitly
 > enable/disable ESMTP support.

 > Thanks to ODBC being disabled, we're not affected by CVE-2023-31038.

 > Of course, there is a potential regression for users who were relying
 > on the implicit unixodbc dependency, but as we could not identify the
 > commit fixing the CVE-2023-31038, this is the best we can do at the
 > moment.

 > Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Committed to 2023.02.x and 2023.05.x, thanks.

-- 
Bye, Peter Korsgaard
