[OE-core][dunfell][PATCH] systemd: Whitelist CVE-2018-21029

[OE-core][dunfell][PATCH] systemd: Whitelist CVE-2018-21029

[Amol Gajbhiye]

From: Virendra Thakur <virendra.thakur@kpit.com>

The fix for this CVE-2018-21029 is already available in our code base.

Reference:
https://github.com/systemd/systemd-stable/commit/38e053c58fa139e0f546f327b5d8ce3db7cf1647

https://github.com/systemd/systemd-stable/commit/7f2f4faced3fda47e6b76ab73cde747cc20cf8b8

Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
---
 meta/recipes-core/systemd/systemd_244.5.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-core/systemd/systemd_244.5.bb b/meta/recipes-core/systemd/systemd_244.5.bb
index a648272bc0..711d23a26e 100644
--- a/meta/recipes-core/systemd/systemd_244.5.bb
+++ b/meta/recipes-core/systemd/systemd_244.5.bb
@@ -65,6 +65,9 @@ SRC_URI_MUSL = "\
 # already applied in 244.5
 CVE_CHECK_WHITELIST += "CVE-2020-13776"
 
+# Whitelist the CVE because cve patch is already present
+CVE_CHECK_WHITELIST += "CVE-2018-21029"
+
 PAM_PLUGINS = " \
     pam-plugin-unix \
     pam-plugin-loginuid \
-- 
2.17.1

Re: [dunfell][PATCH] systemd: Whitelist CVE-2018-21029

[Ranjitsinh Rathod]

[-- Attachment #1: Type: text/plain, Size: 82 bytes --]

Hi Steve,

Is there any reason to not take this?

Thanks,
Ranjitsinh Rathod

[-- Attachment #2: Type: text/html, Size: 102 bytes --]

Re: [OE-core] [dunfell][PATCH] systemd: Whitelist CVE-2018-21029

[Steve Sakoman]

On Tue, Jun 7, 2022 at 6:10 AM Ranjitsinh Rathod
<ranjitsinhrathod1991@gmail.com> wrote:

> Is there any reason to not take this?

I'm puzzled by this question! A patch with this subject line hasn't
been submitted to the list for dunfell. Also, the referenced CVE
doesn't show up on the CVE report for dunfell.

Steve

Re: [OE-core] [dunfell][PATCH] systemd: Whitelist CVE-2018-21029

[Randy MacLeod]

On 2022-06-07 12:18, Steve Sakoman wrote:
> On Tue, Jun 7, 2022 at 6:10 AM Ranjitsinh Rathod
> <ranjitsinhrathod1991@gmail.com> wrote:
>
>> Is there any reason to not take this?
> I'm puzzled by this question! A patch with this subject line hasn't
> been submitted to the list for dunfell.
I see the original patch, with a timestamp of 2022-06-02, 08:20 ET.
Do you need it to be resent?
>   Also, the referenced CVE
> doesn't show up on the CVE report for dunfell.
That's odd. Are you looking into that or is
the CVE report ignoring it since only version:
    systemd 239 <= v < 243 are vulnerable and dunfell has 245.5:

http://cgit.openembedded.org/openembedded-core/tree/meta/recipes-core/systemd/systemd_244.5.bb?h=dunfell

I'm woefully ignorant of the YP CVE report. Yet another thing to make 
time for...

>
> Steve
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#166678): https://lists.openembedded.org/g/openembedded-core/message/166678
> Mute This Topic: https://lists.openembedded.org/mt/91497880/3616765
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [randy.macleod@windriver.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

-- 
# Randy MacLeod
# Wind River Linux

Re: [OE-core] [dunfell][PATCH] systemd: Whitelist CVE-2018-21029

[Steve Sakoman]

On Tue, Jun 7, 2022 at 1:24 PM Randy MacLeod
<randy.macleod@windriver.com> wrote:
>
> On 2022-06-07 12:18, Steve Sakoman wrote:
> > On Tue, Jun 7, 2022 at 6:10 AM Ranjitsinh Rathod
> > <ranjitsinhrathod1991@gmail.com> wrote:
> >
> >> Is there any reason to not take this?
> > I'm puzzled by this question! A patch with this subject line hasn't
> > been submitted to the list for dunfell.
> I see the original patch, with a timestamp of 2022-06-02, 08:20 ET.
> Do you need it to be resent?

Sorry for the delay in responding, I've been having some email
strangeness the past couple of weeks.

Gmail decided the original patch was spam and moved it to the spam
folder (along with this followup)  Seems to have gotten more
aggressive in spam detection lately, since I see other patches there
too :-(

> >   Also, the referenced CVE
> > doesn't show up on the CVE report for dunfell.
> That's odd. Are you looking into that or is
> the CVE report ignoring it since only version:
>     systemd 239 <= v < 243 are vulnerable and dunfell has 245.5

This is indeed the reason it doesn't show up in the report: our
version is not affected.  Hence no need for this patch.

> I'm woefully ignorant of the YP CVE report. Yet another thing to make
> time for...

Never enough hours in the day . . .

Steve