From patchwork Tue Nov 5 21:38:11 2019
X-Patchwork-Submitter: Adrian Bunk
X-Patchwork-Id: 178562
From: Adrian Bunk
To: openembedded-core@lists.openembedded.org
Date: Tue, 5 Nov 2019 23:38:11 +0200
Message-Id: <20191105213813.27546-3-bunk@stusta.de>
Subject: [OE-core] [zeus][PATCH] procps: whitelist CVE-2018-1121

From: Ross Burton

This CVE is about race conditions in 'ps' which make it unsuitable for security audits. As these race conditions are unavoidable, ps shouldn't be used for security auditing, so this isn't a valid CVE.

Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
Signed-off-by: Adrian Bunk
---
 meta/recipes-extended/procps/procps_3.3.15.bb | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-extended/procps/procps_3.3.15.bb b/meta/recipes-extended/procps/procps_3.3.15.bb
index 9756db0e7b..f240e54fd8 100644
--- a/meta/recipes-extended/procps/procps_3.3.15.bb
+++ b/meta/recipes-extended/procps/procps_3.3.15.bb
@@ -4,9 +4,9 @@ the /proc filesystem. The package includes the programs ps, top, vmstat, w, kill HOMEPAGE = "https://gitlab.com/procps-ng/procps" SECTION = "base" LICENSE = "GPLv2+ & LGPLv2+" -LIC_FILES_CHKSUM="file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ - file://COPYING.LIB;md5=4cf66a4984120007c9881cc871cf49db \ - " +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ + file://COPYING.LIB;md5=4cf66a4984120007c9881cc871cf49db \ + " DEPENDS = "ncurses" @@ -64,3 +64,6 @@ python __anonymous() { d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog)) } +# 'ps' isn't suitable for use as a security tool so whitelist this CVE. +# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3 +CVE_CHECK_WHITELIST += "CVE-2018-1121"
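Review bot: the first hunk (LIC_FILES_CHKSUM) is a pure whitespace change, adding spaces around `=` and re-indenting the two continuation lines, and has nothing to do with whitelisting the CVE; for a backport to the zeus stable branch it should be dropped or split into its own commit so the diff stays minimal and a reader can see at a glance that the md5 values for COPYING and COPYING.LIB are unchanged.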
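Review bot: in the second hunk the recipe comment above `CVE_CHECK_WHITELIST += "CVE-2018-1121"` only says that 'ps' is not suitable as a security tool; since this silences the cve-check report for every image that builds procps, the comment should also carry the one-line reason from the commit message (the race conditions are unavoidable, so the CVE is not considered valid) so that the decision remains auditable in the recipe itself and not only via the bugzilla link.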