[zeus,06/31] procps: whitelist CVE-2018-1121

Message ID	16b98e759a33d9f20e5b40aa1cff5b1c27dbee9d.1573658916.git.akuster808@gmail.com
State	New
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; From: Armin Kuster <akuster808@gmail.com> To: openembedded-core@lists.openembedded.org Date: Wed, 13 Nov 2019 07:31:48 -0800 Message-Id: <16b98e759a33d9f20e5b40aa1cff5b1c27dbee9d.1573658916.git.akuster808@gmail.com> In-Reply-To: <cover.1573658915.git.akuster808@gmail.com> References: <cover.1573658915.git.akuster808@gmail.com> Subject: [OE-core] [zeus 06/31] procps: whitelist CVE-2018-1121 Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org
Series	None \| expand [zeus,05/31] libpng: whitelist CVE-2019-17371 [zeus,06/31] procps: whitelist CVE-2018-1121 [zeus,07/31] libsndfile1: whitelist CVE-2018-13419 [zeus,08/31] libpam: set CVE_PRODUCT [zeus,12/31] file: fix CVE-2019-18218 [zeus,13/31] file: run test suite when building natively [zeus,17/31] cve-check: ensure all known CVEs are in the report [zeus,18/31] qemu-helper-native: add missing option to getopt() call [zeus,19/31] qemu-helper-native: showing help shouldn't be an error [zeus,20/31] qemu-helper-native: pass compiler flags [zeus,23/31] cve-check: failure to parse versions should be more visible [zeus,25/31] recipeutils-test: use a small dependency in the dummy recipe [zeus,26/31] patch: the CVE-2019-13638 fix also handles CVE-2018-20969

Message ID

16b98e759a33d9f20e5b40aa1cff5b1c27dbee9d.1573658916.git.akuster808@gmail.com

State

New

Headers

Received-SPF: pass (google.com: best guess record for domain of
	openembedded-core-bounces@lists.openembedded.org designates
	140.211.169.62 as permitted sender) client-ip=140.211.169.62; 
From: Armin Kuster <akuster808@gmail.com>
To: openembedded-core@lists.openembedded.org
Date: Wed, 13 Nov 2019 07:31:48 -0800
Message-Id: <16b98e759a33d9f20e5b40aa1cff5b1c27dbee9d.1573658916.git.akuster808@gmail.com>
In-Reply-To: <cover.1573658915.git.akuster808@gmail.com>
References: <cover.1573658915.git.akuster808@gmail.com>
Subject: [OE-core] [zeus 06/31] procps: whitelist CVE-2018-1121
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: openembedded-core-bounces@lists.openembedded.org
Errors-To: openembedded-core-bounces@lists.openembedded.org

Series

None | expand

Commit Message

Armin Kuster Nov. 13, 2019, 3:31 p.m. UTC

From: Ross Burton <ross.burton@intel.com>


This CVE is about race conditions in 'ps' which make it unsuitable for security
audits.  As these race conditions are unavoidable ps shouldn't be used for
security auditing, so this isn't a valid CVE.

Signed-off-by: Ross Burton <ross.burton@intel.com>

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

Signed-off-by: Adrian Bunk <bunk@stusta.de>

Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>

---
 meta/recipes-extended/procps/procps_3.3.15.bb | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

-- 
2.7.4

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

diff --git a/meta/recipes-extended/procps/procps_3.3.15.bb b/meta/recipes-extended/procps/procps_3.3.15.bb
index 9756db0..f240e54 100644
--- a/meta/recipes-extended/procps/procps_3.3.15.bb
+++ b/meta/recipes-extended/procps/procps_3.3.15.bb
@@ -4,9 +4,9 @@  the /proc filesystem. The package includes the programs ps, top, vmstat, w, kill
 HOMEPAGE = "https://gitlab.com/procps-ng/procps"
 SECTION = "base"
 LICENSE = "GPLv2+ & LGPLv2+"
-LIC_FILES_CHKSUM="file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
-                  file://COPYING.LIB;md5=4cf66a4984120007c9881cc871cf49db \
-                 "
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
+                    file://COPYING.LIB;md5=4cf66a4984120007c9881cc871cf49db \
+                    "
 
 DEPENDS = "ncurses"
 
@@ -64,3 +64,6 @@  python __anonymous() {
         d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog))
 }
 
+# 'ps' isn't suitable for use as a security tool so whitelist this CVE.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3
+CVE_CHECK_WHITELIST += "CVE-2018-1121"