From: bugzilla@busybox.net
To: buildroot@uclibc.org
Subject: [Buildroot] [Bug 15895] glibc version 'GLIBC_VERSION' does not match released glibc version
Date: Wed, 20 Dec 2023 14:09:13 +0000 [thread overview]
Message-ID: <bug-15895-163-60pTuUTbo0@https.bugs.busybox.net/> (raw)
In-Reply-To: <bug-15895-163@https.bugs.busybox.net/>
https://bugs.busybox.net/show_bug.cgi?id=15895
--- Comment #1 from Thomas Petazzoni <thomas.petazzoni@bootlin.com> ---
This CPE id is generated based on GLIBC_VERSION, in package/glibc/glibc.mk:
GLIBC_VERSION = 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701
So indeed, the CPE id version field is
2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701.
glibc.mk should probably do:
GLIBC_CPE_ID_VERSION = 2.38
so that the CPE id has 2.38 as the version, allowing correct matching with the
NIST database.
*However*, this still will not give the correct results. Indeed, the matching
with NIST database will be done assuming we use 2.38, so it will report all
CVEs that affect the original 2.38 release. But Buildroot is not using 2.38,
but 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701, which is 27 commits
above 2.38. This means that all CVEs fixed in those 27 commits will be reported
by this matching process, even if they are not applicable, because we already
have the fixes.
One option of course is to add GLIBC_IGNORE_CVES entries for those CVEs so that
they are ignored. But normally, we use that to ignore CVEs because they are
fixed by local patches, or because they are not applicable to the Buildroot
use-case/situation. It is a bit weird to have a GLIBC_IGNORE_CVES for a CVE
that in fact does not affect the version that we use. But admittedly, it would
be a valid entry for the version documented by GLIBC_CPE_ID_VERSION.
So in other words, my proposal would be:
- GLIBC_CPE_ID_VERSION = 2.38
- Addition of GLIBC_IGNORE_CVES entries for all CVEs fixed between 2.38 and
2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701
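The following is an added example, not code from the bug report or from Buildroot itself. It splits a git-describe-style GLIBC_VERSION such as 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701 into the released base version (the value the comment proposes for GLIBC_CPE_ID_VERSION) and the number of commits ahead of that release, and then shows which CVEs reported for the base release are already fixed within those commits and would therefore need GLIBC_IGNORE_CVES entries. The function names, the CVE identifiers (CVE-0000-000x) and the commit offsets at which they are "fixed" are all constructed placeholders for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Shape of the string Buildroot puts in GLIBC_VERSION when tracking a git
# commit: <release>-<commits ahead>-g<commit hash> (plain <release> when
# the commit is exactly the tagged release).
_DESCRIBE_RE = re.compile(
    r"^(?P<release>\d+(?:\.\d+)+)(?:-(?P<ahead>\d+)-g(?P<commit>[0-9a-f]+))?$"
)

# Version quoted in the bug report.
GLIBC_VERSION = "2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701"


@dataclass(frozen=True)
class GlibcVersion:
    release: str          # released version a CPE id can match against
    ahead: int            # commits on top of that release (0 = exact release)
    commit: Optional[str] # abbreviated/full commit hash, if any


def parse_version(version: str) -> GlibcVersion:
    """Split a git-describe-style version string into its parts."""
    m = _DESCRIBE_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return GlibcVersion(
        release=m["release"],
        ahead=int(m["ahead"] or 0),
        commit=m["commit"],
    )


def cpe_id_version(version: str) -> str:
    """Value to put in GLIBC_CPE_ID_VERSION: the released base version only,
    so the CPE id matches an entry that actually exists in the NIST database."""
    return parse_version(version).release


def cves_already_fixed(version: str, fixed_after_release: Dict[str, int]) -> List[str]:
    """Return the CVEs that NIST matching on the base release would report but
    that are already fixed in the commits Buildroot carries.

    fixed_after_release maps a CVE id to the 1-based index of the commit after
    the release that fixed it (a constructed mapping; real data would come from
    the upstream release branch history)."""
    v = parse_version(version)
    return sorted(cve for cve, idx in fixed_after_release.items() if 0 < idx <= v.ahead)


def ignore_cves_mk_lines(version: str, fixed_after_release: Dict[str, int]) -> List[str]:
    """Render the glibc.mk lines the comment proposes: the CPE id version plus
    one GLIBC_IGNORE_CVES entry per CVE already fixed in the tracked commits."""
    lines = [f"GLIBC_CPE_ID_VERSION = {cpe_id_version(version)}"]
    for cve in cves_already_fixed(version, fixed_after_release):
        lines.append(f"GLIBC_IGNORE_CVES += {cve}")
    return lines


# Constructed sample: placeholder CVE ids and the commit index (after the 2.38
# tag) at which each one is supposedly fixed. Only those at index <= 27 are
# covered by the version Buildroot builds.
SAMPLE_FIXES = {
    "CVE-0000-0001": 5,   # fixed early in the 27 carried commits
    "CVE-0000-0002": 27,  # fixed by the last carried commit
    "CVE-0000-0003": 40,  # fixed only later: still applicable, must NOT be ignored
}


if __name__ == "__main__":
    print(parse_version(GLIBC_VERSION))
    for line in ignore_cves_mk_lines(GLIBC_VERSION, SAMPLE_FIXES):
        print(line)
```

The key point the split makes visible is that a NIST match keyed on "2.38" is necessarily a superset of what applies to the tracked commit: anything fixed at an index beyond the "ahead" count (CVE-0000-0003 in the sample) is still a genuine finding and must not be added to GLIBC_IGNORE_CVES.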