From patchwork Mon Nov 4 13:51:05 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ross Burton
X-Patchwork-Id: 178422
From: Ross Burton
To: openembedded-core@lists.openembedded.org
Date: Mon, 4 Nov 2019 13:51:05 +0000
Message-Id: <20191104135106.14625-1-ross.burton@intel.com>
X-Mailer: git-send-email 2.20.1
Subject: [OE-core] [PATCH 1/2] procps: whitelist CVE-2018-1121

This CVE is about race conditions in 'ps' which make it unsuitable for security audits. As these race conditions are unavoidable ps shouldn't be used for security auditing, so this isn't a valid CVE.

Signed-off-by: Ross Burton
---
 meta/recipes-extended/procps/procps_3.3.15.bb | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

-- 
2.20.1

diff --git a/meta/recipes-extended/procps/procps_3.3.15.bb b/meta/recipes-extended/procps/procps_3.3.15.bb index 9756db0e7b7..e128477c5fa 100644 --- a/meta/recipes-extended/procps/procps_3.3.15.bb +++ b/meta/recipes-extended/procps/procps_3.3.15.bb @@ -4,9 +4,9 @@ the /proc filesystem. The package includes the programs ps, top, vmstat, w, kill HOMEPAGE = "https://gitlab.com/procps-ng/procps" SECTION = "base" LICENSE = "GPLv2+ & LGPLv2+" -LIC_FILES_CHKSUM="file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ - file://COPYING.LIB;md5=4cf66a4984120007c9881cc871cf49db \ - " +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ + file://COPYING.LIB;md5=4cf66a4984120007c9881cc871cf49db \ + " DEPENDS = "ncurses" 
@@ -64,3 +64,6 @@ python __anonymous() { d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog)) } +# 'ps' isn't suitable for use as a security tool so whitelist this CVE. +# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3 +CVE_CHECK_WHITELIST = "CVE-2018-1121"
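Review bot: The LIC_FILES_CHKSUM change in the first hunk (@@ -4,9 +4,9 @@) only alters the spacing around '=' and the continuation-line layout; both md5 values are identical before and after. It is unrelated to whitelisting CVE-2018-1121 and the commit message does not mention it, so either split it into a separate whitespace-only commit or add a line to the message saying the assignment was reformatted. That saves anyone auditing license checksum changes from comparing the hashes by hand.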
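Review bot: CVE_CHECK_WHITELIST is set with '=' on the last added line of the second hunk (@@ -64,3 +64,6 @@), which replaces any value already assigned to the variable for this recipe from configuration or an include; CVE_CHECK_WHITELIST += "CVE-2018-1121" would keep other whitelisted entries. The comment above it gives only "isn't suitable for use as a security tool" plus a Bugzilla link, so consider carrying the commit message's reasoning (the race conditions in ps are unavoidable) into the comment, where the justification stays readable if the link goes away.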