[1/2] procps: whitelist CVE-2018-1121

Message ID	20191104135106.14625-1-ross.burton@intel.com
State	Superseded
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; From: Ross Burton <ross.burton@intel.com> To: openembedded-core@lists.openembedded.org Date: Mon, 4 Nov 2019 13:51:05 +0000 Message-Id: <20191104135106.14625-1-ross.burton@intel.com> MIME-Version: 1.0 Subject: [OE-core] [PATCH 1/2] procps: whitelist CVE-2018-1121 Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org
Series	[1/2] procps: whitelist CVE-2018-1121 \| expand [1/2] procps: whitelist CVE-2018-1121 [2/2] libsndfile1: whitelist CVE-2018-13419

Message ID

20191104135106.14625-1-ross.burton@intel.com

State

Superseded

Headers

Received-SPF: pass (google.com: best guess record for domain of
	openembedded-core-bounces@lists.openembedded.org designates
	140.211.169.62 as permitted sender) client-ip=140.211.169.62; 
From: Ross Burton <ross.burton@intel.com>
To: openembedded-core@lists.openembedded.org
Date: Mon,  4 Nov 2019 13:51:05 +0000
Message-Id: <20191104135106.14625-1-ross.burton@intel.com>
MIME-Version: 1.0
Subject: [OE-core] [PATCH 1/2] procps: whitelist CVE-2018-1121
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: openembedded-core-bounces@lists.openembedded.org
Errors-To: openembedded-core-bounces@lists.openembedded.org

Series

[1/2] procps: whitelist CVE-2018-1121 | expand

Commit Message

Ross Burton Nov. 4, 2019, 1:51 p.m. UTC

This CVE is about race conditions in 'ps' which make it unsuitable for security
audits.  As these race conditions are unavoidable ps shouldn't be used for
security auditing, so this isn't a valid CVE.

Signed-off-by: Ross Burton <ross.burton@intel.com>

---
 meta/recipes-extended/procps/procps_3.3.15.bb | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

-- 
2.20.1

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

diff --git a/meta/recipes-extended/procps/procps_3.3.15.bb b/meta/recipes-extended/procps/procps_3.3.15.bb
index 9756db0e7b7..e128477c5fa 100644
--- a/meta/recipes-extended/procps/procps_3.3.15.bb
+++ b/meta/recipes-extended/procps/procps_3.3.15.bb
@@ -4,9 +4,9 @@  the /proc filesystem. The package includes the programs ps, top, vmstat, w, kill
 HOMEPAGE = "https://gitlab.com/procps-ng/procps"
 SECTION = "base"
 LICENSE = "GPLv2+ & LGPLv2+"
-LIC_FILES_CHKSUM="file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
-                  file://COPYING.LIB;md5=4cf66a4984120007c9881cc871cf49db \
-                 "
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
+                    file://COPYING.LIB;md5=4cf66a4984120007c9881cc871cf49db \
+                    "
 
 DEPENDS = "ncurses"
 
@@ -64,3 +64,6 @@  python __anonymous() {
         d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog))
 }
 
+# 'ps' isn't suitable for use as a security tool so whitelist this CVE.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3
+CVE_CHECK_WHITELIST = "CVE-2018-1121"