From patchwork Mon Nov 4 14:26:52 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [v2,1/3] libpng: whitelist CVE-2019-17371 X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 178429 Message-Id: <20191104142654.20440-1-ross.burton@intel.com> To: openembedded-core@lists.openembedded.org Date: Mon, 4 Nov 2019 14:26:52 +0000 From: Ross Burton List-Id: Patches and discussions about the oe-core layer This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng recipe. Signed-off-by: Ross Burton --- meta/recipes-multimedia/libpng/libpng_1.6.37.bb | 3 +++ 1 file changed, 3 insertions(+) -- 2.20.1 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb index 66af2f3d60e..2ed87a84374 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb @@ -29,3 +29,6 @@ PACKAGES =+ "${PN}-tools" FILES_${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp" BBCLASSEXTEND = "native nativesdk" + +# CVE-2019-17371 is actually a memory leak in gif2png 2.x +CVE_CHECK_WHITELIST += "CVE-2019-17371" From patchwork Mon Nov 4 14:26:53 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [v2,2/3] procps: whitelist CVE-2018-1121 X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 178430 Message-Id: <20191104142654.20440-2-ross.burton@intel.com> To: openembedded-core@lists.openembedded.org Date: Mon, 4 Nov 2019 14:26:53 +0000 
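Review bot: the whitelist comment added at the end of libpng_1.6.37.bb ("# CVE-2019-17371 is actually a memory leak in gif2png 2.x") gives no reference for that conclusion, while the other two patches in this series each carry a tracker URL next to the CVE_CHECK_WHITELIST line. Since a whitelist entry silences cve-check for this ID in every later version of the recipe, the reasoning should be traceable from the recipe itself; suggest adding the bug or tracker link on which the gif2png attribution is based as a second comment line, matching the style of the procps and libsndfile1 hunks.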
From: Ross Burton List-Id: Patches and discussions about the oe-core layer This CVE is about race conditions in 'ps' which make it unsuitable for security audits. As these race conditions are unavoidable ps shouldn't be used for security auditing, so this isn't a valid CVE. Signed-off-by: Ross Burton --- meta/recipes-extended/procps/procps_3.3.15.bb | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) -- 2.20.1 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-extended/procps/procps_3.3.15.bb b/meta/recipes-extended/procps/procps_3.3.15.bb index 9756db0e7b7..f240e54fd84 100644 --- a/meta/recipes-extended/procps/procps_3.3.15.bb +++ b/meta/recipes-extended/procps/procps_3.3.15.bb @@ -4,9 +4,9 @@ the /proc filesystem. The package includes the programs ps, top, vmstat, w, kill HOMEPAGE = "https://gitlab.com/procps-ng/procps" SECTION = "base" LICENSE = "GPLv2+ & LGPLv2+" -LIC_FILES_CHKSUM="file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ - file://COPYING.LIB;md5=4cf66a4984120007c9881cc871cf49db \ - " +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ + file://COPYING.LIB;md5=4cf66a4984120007c9881cc871cf49db \ + " DEPENDS = "ncurses" 
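Review bot: the first hunk of procps_3.3.15.bb only reformats LIC_FILES_CHKSUM (spaces around `=` and re-indented continuation lines); the two md5 values b234ee4d69f5fce4486a80fdaf4a4263 and 4cf66a4984120007c9881cc871cf49db are unchanged, so this is a whitespace-only change unrelated to the CVE-2018-1121 whitelist the subject line describes. It is not mentioned in the commit message either, so a later `git blame` on the license line will land on a CVE whitelist commit. Suggest splitting the cleanup into its own commit, or at least noting it in the commit message.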
@@ -64,3 +64,6 @@ python __anonymous() { d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog)) } +# 'ps' isn't suitable for use as a security tool so whitelist this CVE. +# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3 +CVE_CHECK_WHITELIST += "CVE-2018-1121" From patchwork Mon Nov 4 14:26:54 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [v2,3/3] libsndfile1: whitelist CVE-2018-13419 X-Patchwork-Submitter: Ross Burton X-Patchwork-Id: 178431 Message-Id: <20191104142654.20440-3-ross.burton@intel.com> To: openembedded-core@lists.openembedded.org Date: Mon, 4 Nov 2019 14:26:54 +0000 From: Ross Burton List-Id: Patches and discussions about the oe-core layer This is a memory leak that nobody else can replicate and has been rejected by upstream. Signed-off-by: Ross Burton --- meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb | 4 ++++ 1 file changed, 4 insertions(+) -- 2.20.1 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb index ffb45855a4b..7855008f3d8 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb @@ -33,3 +33,7 @@ PACKAGECONFIG[alsa] = "--enable-alsa,--disable-alsa,alsa-lib" PACKAGECONFIG[regtest] = "--enable-sqlite,--disable-sqlite,sqlite3" inherit autotools lib_package pkgconfig + +# This can't be replicated and is just a memory leak. +# https://github.com/erikd/libsndfile/issues/398 +CVE_CHECK_WHITELIST += "CVE-2018-13419"
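Review bot: in the second procps hunk the whitelist comment and `CVE_CHECK_WHITELIST += "CVE-2018-1121"` are added directly after the closing `}` of the `python __anonymous()` block with no separating blank line, whereas the libpng and libsndfile1 hunks in this series each insert a blank line before their comment. Suggest adding the blank line here as well so the whitelist block stands apart from the anonymous python function; the bugzilla reference on the comment line (bug 1575473, comment 3) is exactly what the libpng patch is missing and should be kept.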
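Review bot: the comment added to libsndfile1_1.0.28.bb says the issue "can't be replicated and is just a memory leak", but the commit message carries the stronger and more useful fact that the report was rejected by upstream. Because the whitelist suppresses this CVE for every future libsndfile1 version, the rationale that survives in the recipe should be the one that justifies a permanent entry; suggest wording the comment as something like "# Rejected by upstream: unreproducible, and at most a memory leak." above the existing https://github.com/erikd/libsndfile/issues/398 link.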