From: Adrian Bunk <bunk@stusta.de>
To: Ross Burton <ross.burton@intel.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH] libpng: whitelist CVE-2019-17371
Date: Mon, 4 Nov 2019 17:40:47 +0200 [thread overview]
Message-ID: <20191104154047.GB5390@localhost> (raw)
In-Reply-To: <e1411b32-8500-2971-ff45-ec717c14d3be@intel.com>
On Mon, Nov 04, 2019 at 02:24:08PM +0000, Ross Burton wrote:
> On 04/11/2019 14:01, Adrian Bunk wrote:
> > On Mon, Nov 04, 2019 at 12:42:51PM +0000, Ross Burton wrote:
> > > This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng
> > > recipe.
> > >
> > > Signed-off-by: Ross Burton <ross.burton@intel.com>
> > > ---
> > > meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++
> > > 1 file changed, 3 insertions(+)
> > >
> > > diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> > > index 66af2f3d60e..07970e14360 100644
> > > --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> > > +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
> > > @@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools"
> > > FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
> > > BBCLASSEXTEND = "native nativesdk"
> > > +
> > > +# CVE-2019-17371 is actually a memory leak in gif2png 2.x
> > > +CVE_CHECK_WHITELIST = "CVE-2019-17371"
> >
> > These should use += to not overwrite whitelists defined by
> > the distribution or the user.
>
> IMHO, the distribution or user should be using _append. The whitelist
> should be explicitly per-recipe: there's a CVE which is tagged incorrectly
> as being in openssl *and* mod_ssl, we don't want to whitelist it globally
> but only in openssl.
>...
What I had in mind are a distribution-wide cve-whitelist.inc included
from the distro conf or using CVE_CHECK_WHITELIST in conf/local.conf,
you don't want to start creating dozens of bbappend files in such
usecases.
This CVE where a change in OpenSSL created a vulnerability in Apache
would go to the global whitelist for me when I am not using Apache.
In OE it should not be whitelisted in both OpenSSL and Apache, but
this is a different situation.
> Ross
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
prev parent reply other threads:[~2019-11-04 15:40 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-04 12:42 [PATCH] libpng: whitelist CVE-2019-17371 Ross Burton
2019-11-04 14:01 ` Adrian Bunk
2019-11-04 14:24 ` Ross Burton
2019-11-04 15:40 ` Adrian Bunk [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191104154047.GB5390@localhost \
--to=bunk@stusta.de \
--cc=openembedded-core@lists.openembedded.org \
--cc=ross.burton@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox