From patchwork Mon Nov 4 13:51:05 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 178422 Delivered-To: patch@linaro.org
From: Ross Burton To: openembedded-core@lists.openembedded.org Date: Mon, 4 Nov 2019 13:51:05 +0000 Message-Id: <20191104135106.14625-1-ross.burton@intel.com> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 Subject: [OE-core] [PATCH 1/2] procps: whitelist CVE-2018-1121 X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org This CVE is about race conditions in 'ps' which make it unsuitable for security audits. As these race conditions are unavoidable ps shouldn't be used for security auditing, so this isn't a valid CVE. Signed-off-by: Ross Burton --- meta/recipes-extended/procps/procps_3.3.15.bb | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) -- 2.20.1 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-extended/procps/procps_3.3.15.bb b/meta/recipes-extended/procps/procps_3.3.15.bb index 9756db0e7b7..e128477c5fa 100644 --- a/meta/recipes-extended/procps/procps_3.3.15.bb +++ b/meta/recipes-extended/procps/procps_3.3.15.bb @@ -4,9 +4,9 @@ the /proc filesystem. The package includes the programs ps, top, vmstat, w, kill HOMEPAGE = "https://gitlab.com/procps-ng/procps" SECTION = "base" LICENSE = "GPLv2+ & LGPLv2+" -LIC_FILES_CHKSUM="file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ - file://COPYING.LIB;md5=4cf66a4984120007c9881cc871cf49db \ - " +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ + file://COPYING.LIB;md5=4cf66a4984120007c9881cc871cf49db \ + " DEPENDS = "ncurses" 
@@ -64,3 +64,6 @@ python __anonymous() { d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog)) } +# 'ps' isn't suitable for use as a security tool so whitelist this CVE. +# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3 +CVE_CHECK_WHITELIST = "CVE-2018-1121" From patchwork Mon Nov 4 13:51:06 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 178423 Delivered-To: patch@linaro.org Received: by 2002:ac9:3c86:0:0:0:0:0 with SMTP id w6csp4074708ocf; Mon, 4 Nov 2019 05:51:23 -0800 (PST) X-Google-Smtp-Source: APXvYqypDPJpHoSVieChe6wkUblhXN173yusQMwArLKf8/BJNRG2p7QLsRkEVSDsBzRdFfy2qjVO X-Received: by 2002:a17:90a:eb18:: with SMTP id j24mr23402570pjz.85.1572875483531; Mon, 04 Nov 2019 05:51:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1572875483; cv=none; d=google.com; s=arc-20160816; b=ebg743wxEEgi6MFJlbowqs51d7GOYTz+NLMmVHahv2VprEbRh3UXcL7/5BnhmW6kGD xiU9asR3z1eHKRcRfZD+qH5jYJey6dGhbbbQNquVbyoJ5kbcdcP1q2TWw9+uiZuMF8uw iidN2LPv7o9e1bm6ZrZ+qZqFUTufybmiVVSxWSVc3/db2Gu2vl9CgN70DYdZ1JjJ2/IC 2TgCsD+4k3vryrNe3Qh5N2wErLCdjVMHvHCkaxUYcn4e0E7Squ5H/X4ZxjFOUCfJOxdO h3lzqPgnUIV5VyfEf0tEXzkbfKVPJjW0r8PM/acCkwQ+SyVg9ydFIZADxV4HtVhhtkJD TqKQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:sender:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:delivered-to; bh=4mz6+ufHCC8/ZcHxD68t+4z7HzpRgdIBk8QyTtu6ab0=; b=uvcyrCue+4ssA91Z10tgUuEOx+BG6YaPAoXfdIxNHSK4oPEEDviktj9+ElsWE3UOkz kH3AnKu4ajVqWJ0VyN/hCQIkXTg4wjJjO73SU5E3j0MIJOQoDXbc1ev+WgNCbTOh/2bk nFk0AbRfeKMlvQtf98aThjfoIfjnEHIx8Z9CuqS7IkUwfLkAdyzBFMrGAC6zo+G6uccF qCDKLne+/hT2Tht8pklvpocq4Pq0ZjwkS0xwZdC5LEsQtvJAG3F/7/MhvsiCq4jUVJ55 Ygl1aA63dpFi+IpYHBCRsit+IExOrBA8+A62/VyEK2hn1Q3oVDLmHEUsYDzJnJkwVW/T vmOA== 
From: Ross Burton To: openembedded-core@lists.openembedded.org Date: Mon, 4 Nov 2019 13:51:06 +0000 Message-Id: <20191104135106.14625-2-ross.burton@intel.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191104135106.14625-1-ross.burton@intel.com> References: <20191104135106.14625-1-ross.burton@intel.com> MIME-Version: 1.0 Subject: [OE-core] [PATCH 2/2] libsndfile1: whitelist CVE-2018-13419 X-BeenThere: openembedded-core@lists.openembedded.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Patches and discussions about the oe-core layer List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org This is a memory leak that nobody else can replicate and has been rejected by upstream. Signed-off-by: Ross Burton --- meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb | 4 ++++ 1 file changed, 4 insertions(+) -- 2.20.1 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb index ffb45855a4b..0ba58399624 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb @@ -33,3 +33,7 @@ PACKAGECONFIG[alsa] = "--enable-alsa,--disable-alsa,alsa-lib" PACKAGECONFIG[regtest] = "--enable-sqlite,--disable-sqlite,sqlite3" inherit autotools lib_package pkgconfig + +# This can't be replicated and is just a memory leak. +# https://github.com/erikd/libsndfile/issues/398 +CVE_CHECK_WHITELIST = "CVE-2018-13419"
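Review bot: The LIC_FILES_CHKSUM whitespace cleanup in the first procps hunk (@@ -4,9 +4,9 @@ of meta/recipes-extended/procps/procps_3.3.15.bb) is unrelated to the CVE whitelisting named in the subject and is not mentioned in the commit message. Split it into its own commit, or note it in the message, so that the three lines added at the end of the recipe are the only change a later audit of this commit has to read.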
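Review bot: The last line of the second procps hunk (@@ -64,3 +64,6 @@) assigns CVE_CHECK_WHITELIST with `=`, which can replace a value set earlier in parsing, for example in a distro configuration; `CVE_CHECK_WHITELIST += "CVE-2018-1121"` would add the entry without discarding others. The comment above it could also state that the issue is an unavoidable race condition in ps, as the commit message does, since the Bugzilla link alone does not tell a reader why the CVE is treated as invalid.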
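Review bot: The comment added at the end of meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb (@@ -33,3 +33,7 @@) gives only "can't be replicated" as the reason, while the commit message also says the report was rejected by upstream; that second reason is missing from the recipe, which is where someone reviewing the whitelist later will look. Suggest recording it in the comment, for example "# Memory leak that can't be replicated and was rejected by upstream.", above the issue link.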