Buildroot Archive on lore.kernel.org
From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: peter.verbrugge@technolution.nl,
	Romain Naour <romain.naour@gmail.com>,
	Buildroot List <buildroot@buildroot.org>
Subject: Re: [Buildroot] [PATCH 2/3] package/glibc: ignore CVEs not considered as security issues by upstream
Date: Sat, 23 Dec 2023 11:22:44 +0100
Message-ID: <ZYa09G--ff0D9HNh@landeda>
In-Reply-To: <20231220200110.1819507-2-thomas.petazzoni@bootlin.com>

Thomas, All,

On 2023-12-20 21:01 +0100, Thomas Petazzoni spake thusly:
> 5 CVEs affecting glibc according to the NVD database are considered as
> not being security issues by upstream glibc developers:
> 
> * CVE-2010-4756: The glob implementation in the GNU C Library (aka
>   glibc or libc6) allows remote authenticated users to cause a denial
>   of service (CPU and memory consumption) via crafted glob expressions
>   that do not match any pathnames. glibc maintainers position: "That's
>   standard POSIX behaviour implemented by (e)glibc. Applications using
>   glob need to impose limits for themselves"
> 
> * CVE-2019-1010022: GNU Libc current is affected by: Mitigation
>   bypass. The impact is: Attacker may bypass stack guard
>   protection. The component is: nptl. The attack vector is: Exploit
>   stack buffer overflow vulnerability and use this bypass
>   vulnerability to bypass stack guard. NOTE: Upstream comments
>   indicate "this is being treated as a non-security bug and no real
>   threat. glibc maintainers position: "Not treated as a security issue
>   by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22850"
> 
> * CVE-2019-1010023: GNU Libc current is affected by: Re-mapping
>   current loaded library with malicious ELF file. The impact is: In
>   worst case attacker may evaluate privileges. The component is:
>   libld. The attack vector is: Attacker sends 2 ELF files to victim
>   and asks to run ldd on it. ldd execute code. NOTE: Upstream comments
>   indicate "this is being treated as a non-security bug and no real
>   threat. glibc maintainers position: "Not treated as a security issue
>   by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22851"
> 
> * CVE-2019-1010024: GNU Libc current is affected by: Mitigation
>   bypass. The impact is: Attacker may bypass ASLR using cache of
>   thread stack and heap. The component is: glibc. NOTE: Upstream
>   comments indicate "this is being treated as a non-security bug and
>   no real threat. glibc maintainers position: "Not treated as a
>   security issue by upstream
>   https://sourceware.org/bugzilla/show_bug.cgi?id=22852"
> 
> * CVE-2019-1010025: GNU Libc current is affected by: Mitigation
>   bypass. The impact is: Attacker may guess the heap addresses of
>   pthread_created thread. The component is: glibc. NOTE: the vendor's
>   position is "ASLR bypass itself is not a vulnerability. Glibc
>   maintainers position: "Not treated as a security issue by upstream
>   https://sourceware.org/bugzilla/show_bug.cgi?id=22853"
> 
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Applied to master, thanks.

Ultimately, it would be nice if we could supplement the ignored list
with the reason for ignoring the CVE, but that's food for later.

Regards,
Yann E. MORIN.

> ---
> I believe those CVEs should be ignored, because they will never be
> fixed, and therefore they cause additional noise that makes it more
> difficult to spot the real CVEs that need to be fixed.
> ---
>  package/glibc/glibc.mk | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
> 
> diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
> index 32e6516c7f..29411c58e2 100644
> --- a/package/glibc/glibc.mk
> +++ b/package/glibc/glibc.mk
> @@ -36,6 +36,20 @@ GLIBC_IGNORE_CVES += CVE-2023-4911
>  # 2.38 and the version we're really using.
>  GLIBC_IGNORE_CVES += CVE-2023-5156
>  
> +# All these CVEs are considered as not being security issues by
> +# upstream glibc:
> +#  https://security-tracker.debian.org/tracker/CVE-2010-4756
> +#  https://security-tracker.debian.org/tracker/CVE-2019-1010022
> +#  https://security-tracker.debian.org/tracker/CVE-2019-1010023
> +#  https://security-tracker.debian.org/tracker/CVE-2019-1010024
> +#  https://security-tracker.debian.org/tracker/CVE-2019-1010025
> +GLIBC_IGNORE_CVES += \
> +	CVE-2010-4756 \
> +	CVE-2019-1010022 \
> +	CVE-2019-1010023 \
> +	CVE-2019-1010024 \
> +	CVE-2019-1010025
> +
>  # glibc is part of the toolchain so disable the toolchain dependency
>  GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO
>  
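Review bot: the justification comments cite only the Debian security tracker (`+#  https://security-tracker.debian.org/tracker/CVE-2019-1010022` and the four sibling lines), whereas the commit message gives the upstream position straight from sourceware bugzilla (bugs 22850 to 22853 for the four CVE-2019-101002x entries); putting the upstream bug URL and the one-line reason the commit message already contains next to each CVE (e.g. `#  CVE-2010-4756: standard POSIX glob behaviour, callers must impose limits`) would make the ignore list auditable from the primary source instead of a third-party tracker, and would also cover the follow-up raised in the reply about recording why each CVE is ignored. The existing entries a few lines up (`GLIBC_IGNORE_CVES += CVE-2023-5156`) each carry their own explanatory comment, so a per-CVE comment also keeps the file consistent with its current style.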
> -- 
> 2.43.0
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Thread overview: 9+ messages
2023-12-20 20:01 [Buildroot] [PATCH 1/3] package/glibc: add proper CPE ID version detail Thomas Petazzoni via buildroot
2023-12-20 20:01 ` [Buildroot] [PATCH 2/3] package/glibc: ignore CVEs not considered as security issues by upstream Thomas Petazzoni via buildroot
2023-12-23 10:22   ` Yann E. MORIN [this message]
2024-01-07 22:26   ` Peter Korsgaard
2023-12-20 20:01 ` [Buildroot] [PATCH 3/3] package/glibc: ignore CVE-2023-0687, disputed Thomas Petazzoni via buildroot
2023-12-23 10:19   ` Yann E. MORIN
2024-02-06 14:13     ` Thomas Petazzoni via buildroot
2023-12-23 10:20 ` [Buildroot] [PATCH 1/3] package/glibc: add proper CPE ID version detail Yann E. MORIN
2024-01-07 22:26 ` Peter Korsgaard
