Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH 1/3] package/glibc: add proper CPE ID version detail
@ 2023-12-20 20:01 Thomas Petazzoni via buildroot
  2023-12-20 20:01 ` [Buildroot] [PATCH 2/3] package/glibc: ignore CVEs not considered as security issues by upstream Thomas Petazzoni via buildroot
                   ` (3 more replies)
  0 siblings, 4 replies; 9+ messages in thread
From: Thomas Petazzoni via buildroot @ 2023-12-20 20:01 UTC (permalink / raw)
  To: Yann E. MORIN, peter.verbrugge
  Cc: Romain Naour, Thomas Petazzoni, Buildroot List

As reported in bug 15895, the GLIBC_VERSION field having a value
looking like 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701
prevents the CPE/CVE matching with the NVD database from working correctly.

This commit fixes that by defining GLIBC_CPE_ID_VERSION, derived from
GLIBC_VERSION, by extracting the base version.

Also, we update GLIBC_IGNORE_CVES to account for the CVEs that have
clearly been fixed between 2.38 and
2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701. There are a number
of other CVEs still affecting the glibc package, but they are not
related to this
2.38...2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701 range.

Fixes: #15895

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 package/glibc/glibc.mk | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index 0b71530310..32e6516c7f 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -20,6 +20,22 @@ GLIBC_LICENSE = GPL-2.0+ (programs), LGPL-2.1+, BSD-3-Clause, MIT (library)
 GLIBC_LICENSE_FILES = COPYING COPYING.LIB LICENSES
 GLIBC_CPE_ID_VENDOR = gnu
 
+# Extract the base version (e.g. 2.38) from GLIBC_VERSION) in order to
+# allow proper matching with the CPE database.
+GLIBC_CPE_ID_VERSION = $(word 1, $(subst -,$(space),$(GLIBC_VERSION)))
+
+# Fixed by b25508dd774b617f99419bdc3cf2ace4560cd2d6, which is between
+# 2.38 and the version we're really using
+GLIBC_IGNORE_CVES += CVE-2023-4527
+
+# Fixed by 750a45a783906a19591fb8ff6b7841470f1f5710, which is between
+# 2.38 and the version we're really using.
+GLIBC_IGNORE_CVES += CVE-2023-4911
+
+# Fixed by 5ee59ca371b99984232d7584fe2b1a758b4421d3, which is between
+# 2.38 and the version we're really using.
+GLIBC_IGNORE_CVES += CVE-2023-5156
+
 # glibc is part of the toolchain so disable the toolchain dependency
 GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO
 
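Review bot: the commit id in the comment for CVE-2023-4911, `750a45a783906a19591fb8ff6b7841470f1f5710`, does not match the snapshot named in the commit message, `2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701` (5710 vs 5701 in the last four characters); since the ignore entry is justified precisely by that commit being contained in the version actually built, the comment should carry the verified id. Two smaller points in the same hunk: the comment `# Extract the base version (e.g. 2.38) from GLIBC_VERSION) in order to` has a stray closing parenthesis, and the three `GLIBC_IGNORE_CVES` entries are only valid for this exact snapshot, so a one-line note that they must be re-checked on every GLIBC_VERSION bump would stop them from being carried over to a release where the fixes no longer apply or where NVD has already narrowed the affected range.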
-- 
2.43.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* [Buildroot] [PATCH 2/3] package/glibc: ignore CVEs not considered as security issues by upstream
  2023-12-20 20:01 [Buildroot] [PATCH 1/3] package/glibc: add proper CPE ID version detail Thomas Petazzoni via buildroot
@ 2023-12-20 20:01 ` Thomas Petazzoni via buildroot
  2023-12-23 10:22   ` Yann E. MORIN
  2024-01-07 22:26   ` Peter Korsgaard
  2023-12-20 20:01 ` [Buildroot] [PATCH 3/3] package/glibc: ignore CVE-2023-0687, disputed Thomas Petazzoni via buildroot
                   ` (2 subsequent siblings)
  3 siblings, 2 replies; 9+ messages in thread
From: Thomas Petazzoni via buildroot @ 2023-12-20 20:01 UTC (permalink / raw)
  To: Yann E. MORIN, peter.verbrugge
  Cc: Romain Naour, Thomas Petazzoni, Buildroot List

5 CVEs affecting glibc according to the NVD database are considered as
not being security issues by upstream glibc developers:

* CVE-2010-4756: The glob implementation in the GNU C Library (aka
  glibc or libc6) allows remote authenticated users to cause a denial
  of service (CPU and memory consumption) via crafted glob expressions
  that do not match any pathnames. glibc maintainers position: "That's
  standard POSIX behaviour implemented by (e)glibc. Applications using
  glob need to impose limits for themselves"

* CVE-2019-1010022: GNU Libc current is affected by: Mitigation
  bypass. The impact is: Attacker may bypass stack guard
  protection. The component is: nptl. The attack vector is: Exploit
  stack buffer overflow vulnerability and use this bypass
  vulnerability to bypass stack guard. NOTE: Upstream comments
  indicate "this is being treated as a non-security bug and no real
  threat." glibc maintainers position: "Not treated as a security issue
  by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22850"

* CVE-2019-1010023: GNU Libc current is affected by: Re-mapping
  current loaded library with malicious ELF file. The impact is: In
  worst case attacker may evaluate privileges. The component is:
  libld. The attack vector is: Attacker sends 2 ELF files to victim
  and asks to run ldd on it. ldd execute code. NOTE: Upstream comments
  indicate "this is being treated as a non-security bug and no real
  threat." glibc maintainers position: "Not treated as a security issue
  by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22851"

* CVE-2019-1010024: GNU Libc current is affected by: Mitigation
  bypass. The impact is: Attacker may bypass ASLR using cache of
  thread stack and heap. The component is: glibc. NOTE: Upstream
  comments indicate "this is being treated as a non-security bug and
  no real threat." glibc maintainers position: "Not treated as a
  security issue by upstream
  https://sourceware.org/bugzilla/show_bug.cgi?id=22852"

* CVE-2019-1010025: GNU Libc current is affected by: Mitigation
  bypass. The impact is: Attacker may guess the heap addresses of
  pthread_created thread. The component is: glibc. NOTE: the vendor's
  position is "ASLR bypass itself is not a vulnerability." Glibc
  maintainers position: "Not treated as a security issue by upstream
  https://sourceware.org/bugzilla/show_bug.cgi?id=22853"

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
I believe those CVEs should be ignored, because they will never be
fixed, and therefore they cause additional noise that makes it more
difficult to spot the real CVEs that need to be fixed.
---
 package/glibc/glibc.mk | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index 32e6516c7f..29411c58e2 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -36,6 +36,20 @@ GLIBC_IGNORE_CVES += CVE-2023-4911
 # 2.38 and the version we're really using.
 GLIBC_IGNORE_CVES += CVE-2023-5156
 
+# All these CVEs are considered as not being security issues by
+# upstream glibc:
+#  https://security-tracker.debian.org/tracker/CVE-2010-4756
+#  https://security-tracker.debian.org/tracker/CVE-2019-1010022
+#  https://security-tracker.debian.org/tracker/CVE-2019-1010023
+#  https://security-tracker.debian.org/tracker/CVE-2019-1010024
+#  https://security-tracker.debian.org/tracker/CVE-2019-1010025
+GLIBC_IGNORE_CVES += \
+	CVE-2010-4756 \
+	CVE-2019-1010022 \
+	CVE-2019-1010023 \
+	CVE-2019-1010024 \
+	CVE-2019-1010025
+
 # glibc is part of the toolchain so disable the toolchain dependency
 GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO
 
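Review bot: the comment cites Debian tracker pages, but the commit message justifies every entry with the upstream decision (sourceware bugs 22850 to 22853, and the glob maintainers' position for CVE-2010-4756), which is the authoritative source; adding those URLs alongside, e.g. `#  https://sourceware.org/bugzilla/show_bug.cgi?id=22850`, keeps the rationale in-tree and independent of a third party. It is also worth saying in the comment that these are "won't fix by design" entries rather than "fixed in our version" entries: the first kind survives any GLIBC_VERSION bump, while the three entries just above this hunk do not, and without that distinction a later cleanup cannot tell which entries are safe to keep.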
-- 
2.43.0
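As an added example for this thread (not Buildroot's own CVE-matching script, and not code from either patch), the following Python models the two mechanisms these patches touch: deriving the CPE version from a git-describe style GLIBC_VERSION, the same thing `$(word 1, $(subst -,$(space),$(GLIBC_VERSION)))` does, and applying a GLIBC_IGNORE_CVES list on top of NVD-style version ranges. The NVD-like records, their version ranges and the two CVE-0000-000N identifiers are constructed placeholders, not real NVD data, and every function name is the example's own. It goes one step beyond the patches by also reporting ignore entries that matched nothing, which is the check the "fixed between 2.38 and our snapshot" entries need whenever the version is bumped.

```python
"""Toy model of CPE/CVE matching for a package whose version string carries
a git-describe suffix, as in the glibc patches in this thread.

Added example: not Buildroot's own CVE-matching code. The NVD-like records
below are constructed for illustration and are not real NVD content."""
import re
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed, NVD-like "affected version range" records keyed by CVE id.
# A record is (versionStartIncluding, versionEndExcluding); None = unbounded.
# The ranges are placeholders, NOT the real NVD data for these CVEs.
SAMPLE_NVD: Dict[str, Tuple[Optional[str], Optional[str]]] = {
    "CVE-2023-4527": ("2.36", "2.39"),
    "CVE-2023-4911": ("2.34", "2.39"),
    "CVE-2023-5156": ("2.38", "2.39"),
    "CVE-2010-4756": (None, None),      # no fix version: every release matches
    "CVE-2019-1010022": (None, None),
    "CVE-0000-0001": ("2.38", "2.39"),  # constructed placeholder: nobody ignored it
    "CVE-0000-0002": ("2.39", "2.40"),  # constructed placeholder: newer release only
}

# The ignore entries added by the two patches above.
GLIBC_IGNORE_CVES: FrozenSet[str] = frozenset({
    "CVE-2023-4527", "CVE-2023-4911", "CVE-2023-5156",
    "CVE-2010-4756", "CVE-2019-1010022",
})

_PLAIN_VERSION = re.compile(r"\d+(?:\.\d+)*")


def cpe_version(version: str) -> str:
    """Python equivalent of $(word 1, $(subst -,$(space),$(GLIBC_VERSION))):
    the text before the first '-', so "2.38-27-g750a45a..." becomes "2.38"."""
    return version.split("-", 1)[0]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a plain dotted version into a comparable tuple. Anything else
    (a git-describe suffix, for example) raises: that is the failure mode
    the first patch works around."""
    if not _PLAIN_VERSION.fullmatch(version):
        raise ValueError(f"not a plain dotted version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, start: Optional[str], end: Optional[str]) -> bool:
    """NVD range semantics: start is inclusive, end is exclusive."""
    v = parse_version(version)
    if start is not None and v < parse_version(start):
        return False
    if end is not None and v >= parse_version(end):
        return False
    return True


def match_cves(version: str, nvd: Dict[str, Tuple[Optional[str], Optional[str]]],
               ignore: FrozenSet[str] = frozenset()) -> Dict[str, object]:
    """Split the CVEs matching `version` into the ones still to act on and
    the ones silenced by the ignore list, and list ignore entries that
    matched nothing (candidates for pruning after a version bump)."""
    parse_version(version)  # fail early, like a matcher that cannot compare the string
    matched = {cve for cve, (start, end) in nvd.items() if is_affected(version, start, end)}
    return {
        "open": sorted(matched - ignore),
        "ignored": sorted(matched & ignore),
        "stale_ignores": sorted(ignore - matched),
    }


def report(version: str) -> Dict[str, object]:
    """Try the raw version string first; if the matcher cannot parse it,
    fall back to the CPE version derived from it, so both behaviours show."""
    try:
        result = match_cves(version, SAMPLE_NVD, GLIBC_IGNORE_CVES)
        result["used_version"] = version
    except ValueError:
        base = cpe_version(version)
        result = match_cves(base, SAMPLE_NVD, GLIBC_IGNORE_CVES)
        result["used_version"] = base
    return result


if __name__ == "__main__":
    snapshot = "2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701"
    print(report(snapshot))          # matched via the derived "2.38"
    print(match_cves("2.39", SAMPLE_NVD, GLIBC_IGNORE_CVES))  # after a bump: stale entries
```

With the constructed data, the raw snapshot string cannot be compared at all, the derived "2.38" matches every record except the 2.39-only one, the ignore list silences the five entries from the patches, and the one placeholder CVE nobody ignored stays open. Running the same matcher against "2.39" shows the other side of the design: the three "fixed between 2.38 and our snapshot" entries stop matching and are reported as stale, which is the signal to drop them from the make fragment.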


* [Buildroot] [PATCH 3/3] package/glibc: ignore CVE-2023-0687, disputed
  2023-12-20 20:01 [Buildroot] [PATCH 1/3] package/glibc: add proper CPE ID version detail Thomas Petazzoni via buildroot
  2023-12-20 20:01 ` [Buildroot] [PATCH 2/3] package/glibc: ignore CVEs not considered as security issues by upstream Thomas Petazzoni via buildroot
@ 2023-12-20 20:01 ` Thomas Petazzoni via buildroot
  2023-12-23 10:19   ` Yann E. MORIN
  2023-12-23 10:20 ` [Buildroot] [PATCH 1/3] package/glibc: add proper CPE ID version detail Yann E. MORIN
  2024-01-07 22:26 ` Peter Korsgaard
  3 siblings, 1 reply; 9+ messages in thread
From: Thomas Petazzoni via buildroot @ 2023-12-20 20:01 UTC (permalink / raw)
  To: Yann E. MORIN, peter.verbrugge
  Cc: Romain Naour, Thomas Petazzoni, Buildroot List

According to the glibc maintainers, CVE-2023-0687 is not a security
issue, and they have sent a rejection request to MITRE, so let's
ignore it.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
I have chosen to submit this one separately from the previous patch,
as it's a much newer one, so the Buildroot community may have a
different view on how we should handle this particular CVE.
---
 package/glibc/glibc.mk | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index 29411c58e2..a485d40f8d 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -50,6 +50,11 @@ GLIBC_IGNORE_CVES += \
 	CVE-2019-1010024 \
 	CVE-2019-1010025
 
+# This CVE is disputed, and the glibc maintainers don't consider it to
+# be a security issue, see
+# https://sourceware.org/bugzilla/show_bug.cgi?id=29444
+GLIBC_IGNORE_CVES += CVE-2023-0687
+
 # glibc is part of the toolchain so disable the toolchain dependency
 GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO
 
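Review bot: the comment labels CVE-2023-0687 as disputed, but the reply in this thread points out that the referenced bug 29444 was fixed by 801af9fafd46 (gmon: Fix allocated buffer overflow), which `git tag --contains` places in glibc-2.38, i.e. in the base version this package now reports. That makes this a "fixed in 2.38, NVD range too wide" case rather than a disputed one, and the remedy is a correction on the NVD side rather than a permanent ignore; if the entry is kept while NVD is updated, the comment should say so and name the fixing commit, and the entry should be dropped once the NVD range no longer matches 2.38.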
-- 
2.43.0


* Re: [Buildroot] [PATCH 3/3] package/glibc: ignore CVE-2023-0687, disputed
  2023-12-20 20:01 ` [Buildroot] [PATCH 3/3] package/glibc: ignore CVE-2023-0687, disputed Thomas Petazzoni via buildroot
@ 2023-12-23 10:19   ` Yann E. MORIN
  2024-02-06 14:13     ` Thomas Petazzoni via buildroot
  0 siblings, 1 reply; 9+ messages in thread
From: Yann E. MORIN @ 2023-12-23 10:19 UTC (permalink / raw)
  To: Thomas Petazzoni; +Cc: peter.verbrugge, Romain Naour, Buildroot List

Thomas, All,

On 2023-12-20 21:01 +0100, Thomas Petazzoni spake thusly:
> According to the glibc maintainers, CVE-2023-0687 is not a security
> issue, and they have sent a rejection request to MITRE, so let's
> ignore it.

This CVE is supposed to be fixed by 801af9fafd46 (gmon: Fix allocated
buffer overflow (bug 29444)) which is in 2.38:

    $ git tag --contains 801af9fafd46
    glibc-2.38
    glibc-2.38.9000

So the CVE DB should be updated to state that glibc >= 2.38 is not
affected.

Regards,
Yann E. MORIN.

> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
> I have chosen to submit this one separately from the previous patch,
> as it's a much newer one, so the Buildroot community may have a
> different view on how we should handle this particular CVE.
> ---
>  package/glibc/glibc.mk | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
> index 29411c58e2..a485d40f8d 100644
> --- a/package/glibc/glibc.mk
> +++ b/package/glibc/glibc.mk
> @@ -50,6 +50,11 @@ GLIBC_IGNORE_CVES += \
>  	CVE-2019-1010024 \
>  	CVE-2019-1010025
>  
> +# This CVE is disputed, and the glibc maintainers don't consider it to
> +# be a security issue, see
> +# https://sourceware.org/bugzilla/show_bug.cgi?id=29444
> +GLIBC_IGNORE_CVES += CVE-2023-0687
> +
>  # glibc is part of the toolchain so disable the toolchain dependency
>  GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO
>  
> -- 
> 2.43.0
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [PATCH 1/3] package/glibc: add proper CPE ID version detail
  2023-12-20 20:01 [Buildroot] [PATCH 1/3] package/glibc: add proper CPE ID version detail Thomas Petazzoni via buildroot
  2023-12-20 20:01 ` [Buildroot] [PATCH 2/3] package/glibc: ignore CVEs not considered as security issues by upstream Thomas Petazzoni via buildroot
  2023-12-20 20:01 ` [Buildroot] [PATCH 3/3] package/glibc: ignore CVE-2023-0687, disputed Thomas Petazzoni via buildroot
@ 2023-12-23 10:20 ` Yann E. MORIN
  2024-01-07 22:26 ` Peter Korsgaard
  3 siblings, 0 replies; 9+ messages in thread
From: Yann E. MORIN @ 2023-12-23 10:20 UTC (permalink / raw)
  To: Thomas Petazzoni; +Cc: peter.verbrugge, Romain Naour, Buildroot List

Thomas, All,

On 2023-12-20 21:01 +0100, Thomas Petazzoni spake thusly:
> As reported in bug 15895, the GLIBC_VERSION field having a value
> looking like 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701
> prevents the CPE/CVE matching with the NVD database from working correctly.
> 
> This commit fixes that by defining GLIBC_CPE_ID_VERSION, derived from
> GLIBC_VERSION, by extracting the base version.
> 
> Also, we update GLIBC_IGNORE_CVES to account for the CVEs that have
> clearly been fixed between 2.38 and
> 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701. There are a number
> of other CVEs still affecting the glibc package, but they are not
> related to this
> 2.38...2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701 range.
> 
> Fixes: #15895
> 
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/glibc/glibc.mk | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
> 
> diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
> index 0b71530310..32e6516c7f 100644
> --- a/package/glibc/glibc.mk
> +++ b/package/glibc/glibc.mk
> @@ -20,6 +20,22 @@ GLIBC_LICENSE = GPL-2.0+ (programs), LGPL-2.1+, BSD-3-Clause, MIT (library)
>  GLIBC_LICENSE_FILES = COPYING COPYING.LIB LICENSES
>  GLIBC_CPE_ID_VENDOR = gnu
>  
> +# Extract the base version (e.g. 2.38) from GLIBC_VERSION) in order to
> +# allow proper matching with the CPE database.
> +GLIBC_CPE_ID_VERSION = $(word 1, $(subst -,$(space),$(GLIBC_VERSION)))
> +
> +# Fixed by b25508dd774b617f99419bdc3cf2ace4560cd2d6, which is between
> +# 2.38 and the version we're really using
> +GLIBC_IGNORE_CVES += CVE-2023-4527
> +
> +# Fixed by 750a45a783906a19591fb8ff6b7841470f1f5710, which is between
> +# 2.38 and the version we're really using.
> +GLIBC_IGNORE_CVES += CVE-2023-4911
> +
> +# Fixed by 5ee59ca371b99984232d7584fe2b1a758b4421d3, which is between
> +# 2.38 and the version we're really using.
> +GLIBC_IGNORE_CVES += CVE-2023-5156
> +
>  # glibc is part of the toolchain so disable the toolchain dependency
>  GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO
>  
> -- 
> 2.43.0
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [PATCH 2/3] package/glibc: ignore CVEs not considered as security issues by upstream
  2023-12-20 20:01 ` [Buildroot] [PATCH 2/3] package/glibc: ignore CVEs not considered as security issues by upstream Thomas Petazzoni via buildroot
@ 2023-12-23 10:22   ` Yann E. MORIN
  2024-01-07 22:26   ` Peter Korsgaard
  1 sibling, 0 replies; 9+ messages in thread
From: Yann E. MORIN @ 2023-12-23 10:22 UTC (permalink / raw)
  To: Thomas Petazzoni; +Cc: peter.verbrugge, Romain Naour, Buildroot List

Thomas, All,

On 2023-12-20 21:01 +0100, Thomas Petazzoni spake thusly:
> 5 CVEs affecting glibc according to the NVD database are considered as
> not being security issues by upstream glibc developers:
> 
> * CVE-2010-4756: The glob implementation in the GNU C Library (aka
>   glibc or libc6) allows remote authenticated users to cause a denial
>   of service (CPU and memory consumption) via crafted glob expressions
>   that do not match any pathnames. glibc maintainers position: "That's
>   standard POSIX behaviour implemented by (e)glibc. Applications using
>   glob need to impose limits for themselves"
> 
> * CVE-2019-1010022: GNU Libc current is affected by: Mitigation
>   bypass. The impact is: Attacker may bypass stack guard
>   protection. The component is: nptl. The attack vector is: Exploit
>   stack buffer overflow vulnerability and use this bypass
>   vulnerability to bypass stack guard. NOTE: Upstream comments
>   indicate "this is being treated as a non-security bug and no real
>   threat." glibc maintainers position: "Not treated as a security issue
>   by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22850"
> 
> * CVE-2019-1010023: GNU Libc current is affected by: Re-mapping
>   current loaded library with malicious ELF file. The impact is: In
>   worst case attacker may evaluate privileges. The component is:
>   libld. The attack vector is: Attacker sends 2 ELF files to victim
>   and asks to run ldd on it. ldd execute code. NOTE: Upstream comments
>   indicate "this is being treated as a non-security bug and no real
>   threat." glibc maintainers position: "Not treated as a security issue
>   by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22851"
> 
> * CVE-2019-1010024: GNU Libc current is affected by: Mitigation
>   bypass. The impact is: Attacker may bypass ASLR using cache of
>   thread stack and heap. The component is: glibc. NOTE: Upstream
>   comments indicate "this is being treated as a non-security bug and
>   no real threat." glibc maintainers position: "Not treated as a
>   security issue by upstream
>   https://sourceware.org/bugzilla/show_bug.cgi?id=22852"
> 
> * CVE-2019-1010025: GNU Libc current is affected by: Mitigation
>   bypass. The impact is: Attacker may guess the heap addresses of
>   pthread_created thread. The component is: glibc. NOTE: the vendor's
>   position is "ASLR bypass itself is not a vulnerability." Glibc
>   maintainers position: "Not treated as a security issue by upstream
>   https://sourceware.org/bugzilla/show_bug.cgi?id=22853"
> 
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Applied to master, thanks.

Ultimately, it would be nice if we could supplement the ignored list
with the reason for ignoring the CVE, but that's food for later.

Regards,
Yann E. MORIN.

> ---
> I believe those CVEs should be ignored, because they will never be
> fixed, and therefore they cause additional noise that makes it more
> difficult to spot the real CVEs that need to be fixed.
> ---
>  package/glibc/glibc.mk | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
> 
> diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
> index 32e6516c7f..29411c58e2 100644
> --- a/package/glibc/glibc.mk
> +++ b/package/glibc/glibc.mk
> @@ -36,6 +36,20 @@ GLIBC_IGNORE_CVES += CVE-2023-4911
>  # 2.38 and the version we're really using.
>  GLIBC_IGNORE_CVES += CVE-2023-5156
>  
> +# All these CVEs are considered as not being security issues by
> +# upstream glibc:
> +#  https://security-tracker.debian.org/tracker/CVE-2010-4756
> +#  https://security-tracker.debian.org/tracker/CVE-2019-1010022
> +#  https://security-tracker.debian.org/tracker/CVE-2019-1010023
> +#  https://security-tracker.debian.org/tracker/CVE-2019-1010024
> +#  https://security-tracker.debian.org/tracker/CVE-2019-1010025
> +GLIBC_IGNORE_CVES += \
> +	CVE-2010-4756 \
> +	CVE-2019-1010022 \
> +	CVE-2019-1010023 \
> +	CVE-2019-1010024 \
> +	CVE-2019-1010025
> +
>  # glibc is part of the toolchain so disable the toolchain dependency
>  GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO
>  
> -- 
> 2.43.0
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [PATCH 1/3] package/glibc: add proper CPE ID version detail
  2023-12-20 20:01 [Buildroot] [PATCH 1/3] package/glibc: add proper CPE ID version detail Thomas Petazzoni via buildroot
                   ` (2 preceding siblings ...)
  2023-12-23 10:20 ` [Buildroot] [PATCH 1/3] package/glibc: add proper CPE ID version detail Yann E. MORIN
@ 2024-01-07 22:26 ` Peter Korsgaard
  3 siblings, 0 replies; 9+ messages in thread
From: Peter Korsgaard @ 2024-01-07 22:26 UTC (permalink / raw)
  To: Thomas Petazzoni via buildroot
  Cc: Romain Naour, peter.verbrugge, Yann E. MORIN, Thomas Petazzoni

>>>>> "Thomas" == Thomas Petazzoni via buildroot <buildroot@buildroot.org> writes:

 > As reported in bug 15895, the GLIBC_VERSION field having a value
 > looking like 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701
 > prevents the CPE/CVE matching with the NVD database from working correctly.

 > This commit fixes that by defining GLIBC_CPE_ID_VERSION, derived from
 > GLIBC_VERSION, by extracting the base version.

 > Also, we update GLIBC_IGNORE_CVES to account for the CVEs that have
 > clearly been fixed between 2.38 and
 > 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701. There are a number
 > of other CVEs still affecting the glibc package, but they are not
 > related to this
 > 2.38...2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701 range.

 > Fixes: #15895

 > Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Committed to 2023.02.x (after adjusting to 2.36.x hashes) and 2023.11.x,
thanks.

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [PATCH 2/3] package/glibc: ignore CVEs not considered as security issues by upstream
  2023-12-20 20:01 ` [Buildroot] [PATCH 2/3] package/glibc: ignore CVEs not considered as security issues by upstream Thomas Petazzoni via buildroot
  2023-12-23 10:22   ` Yann E. MORIN
@ 2024-01-07 22:26   ` Peter Korsgaard
  1 sibling, 0 replies; 9+ messages in thread
From: Peter Korsgaard @ 2024-01-07 22:26 UTC (permalink / raw)
  To: Thomas Petazzoni via buildroot
  Cc: Romain Naour, peter.verbrugge, Yann E. MORIN, Thomas Petazzoni

>>>>> "Thomas" == Thomas Petazzoni via buildroot <buildroot@buildroot.org> writes:

 > 5 CVEs affecting glibc according to the NVD database are considered as
 > not being security issues by upstream glibc developers:

 > * CVE-2010-4756: The glob implementation in the GNU C Library (aka
 >   glibc or libc6) allows remote authenticated users to cause a denial
 >   of service (CPU and memory consumption) via crafted glob expressions
 >   that do not match any pathnames. glibc maintainers position: "That's
 >   standard POSIX behaviour implemented by (e)glibc. Applications using
 >   glob need to impose limits for themselves"

 > * CVE-2019-1010022: GNU Libc current is affected by: Mitigation
 >   bypass. The impact is: Attacker may bypass stack guard
 >   protection. The component is: nptl. The attack vector is: Exploit
 >   stack buffer overflow vulnerability and use this bypass
 >   vulnerability to bypass stack guard. NOTE: Upstream comments
 >   indicate "this is being treated as a non-security bug and no real
 >   threat." glibc maintainers position: "Not treated as a security issue
 >   by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22850"

 > * CVE-2019-1010023: GNU Libc current is affected by: Re-mapping
 >   current loaded library with malicious ELF file. The impact is: In
 >   worst case attacker may evaluate privileges. The component is:
 >   libld. The attack vector is: Attacker sends 2 ELF files to victim
 >   and asks to run ldd on it. ldd execute code. NOTE: Upstream comments
 >   indicate "this is being treated as a non-security bug and no real
 >   threat." glibc maintainers position: "Not treated as a security issue
 >   by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22851"

 > * CVE-2019-1010024: GNU Libc current is affected by: Mitigation
 >   bypass. The impact is: Attacker may bypass ASLR using cache of
 >   thread stack and heap. The component is: glibc. NOTE: Upstream
 >   comments indicate "this is being treated as a non-security bug and
 >   no real threat." glibc maintainers position: "Not treated as a
 >   security issue by upstream
 >   https://sourceware.org/bugzilla/show_bug.cgi?id=22852"

 > * CVE-2019-1010025: GNU Libc current is affected by: Mitigation
 >   bypass. The impact is: Attacker may guess the heap addresses of
 >   pthread_created thread. The component is: glibc. NOTE: the vendor's
 >   position is "ASLR bypass itself is not a vulnerability." Glibc
 >   maintainers position: "Not treated as a security issue by upstream
 >   https://sourceware.org/bugzilla/show_bug.cgi?id=22853"

 > Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
 > ---
 > I believe those CVEs should be ignored, because they will never be
 > fixed, and therefore they cause additional noise that makes it more
 > difficult to spot the real CVEs that need to be fixed.

Committed to 2023.02.x and 2023.11.x, thanks.

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [PATCH 3/3] package/glibc: ignore CVE-2023-0687, disputed
  2023-12-23 10:19   ` Yann E. MORIN
@ 2024-02-06 14:13     ` Thomas Petazzoni via buildroot
  0 siblings, 0 replies; 9+ messages in thread
From: Thomas Petazzoni via buildroot @ 2024-02-06 14:13 UTC (permalink / raw)
  To: Yann E. MORIN; +Cc: peter.verbrugge, Romain Naour, Buildroot List

Hello Yann,

On Sat, 23 Dec 2023 11:19:57 +0100
"Yann E. MORIN" <yann.morin.1998@free.fr> wrote:

> This CVE is supposed to be fixed by 801af9fafd46 (gmon: Fix allocated
> buffer overflow (bug 29444)) which is in 2.38:
> 
>     $ git tag --contains 801af9fafd46
>     glibc-2.38
>     glibc-2.38.9000
> 
> So the CVE DB should be updated to state that glibc >= 2.38 is not
> affected.

Good point. Sorry for the delay in getting back to you. I just sent a
mail to the NVD maintainers, Cc'ed to the Buildroot mailing list. I'll
mark my patch as Rejected in patchwork.

Thanks!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
