[RFC,CFH,sumo,40/47] procps: whitelist CVE-2018-1121

Message ID	340de0c1062a72149b6b3b399215bafa61a52562.1573047195.git.mikko.rapeli@bmw.de
State	New
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; From: Mikko Rapeli <mikko.rapeli@bmw.de> To: openembedded-core@lists.openembedded.org Date: Wed, 6 Nov 2019 17:37:55 +0200 Message-Id: <340de0c1062a72149b6b3b399215bafa61a52562.1573047195.git.mikko.rapeli@bmw.de> In-Reply-To: <cover.1573047194.git.mikko.rapeli@bmw.de> References: <cover.1573047194.git.mikko.rapeli@bmw.de> In-Reply-To: <cover.1573047194.git.mikko.rapeli@bmw.de> References: <cover.1573047194.git.mikko.rapeli@bmw.de> Symbol: ARC_NA(0.00) Symbol: DMARC_POLICY_SOFTFAIL(0.10) Symbol: R_SPF_NEUTRAL(0.00) Symbol: FROM_HAS_DN(0.00) Symbol: TO_DN_SOME(0.00) Symbol: MULTIPLE_UNIQUE_HEADERS(4.89) Symbol: MIME_GOOD(-0.10) Symbol: TO_MATCH_ENVRCPT_ALL(0.00) Symbol: RCPT_COUNT_THREE(0.00) Symbol: NEURAL_SPAM(0.00) Symbol: RCVD_TLS_LAST(0.00) Symbol: MID_CONTAINS_FROM(1.00) Symbol: IP_SCORE(-0.15) Symbol: FORGED_SENDER(0.30) Symbol: R_DKIM_NA(0.00) Symbol: MIME_TRACE(0.00) Symbol: ASN(0.00) Symbol: FROM_NEQ_ENVFROM(0.00) Symbol: RCVD_COUNT_TWO(0.00) Message: (SPF): spf neutral Message-ID: 340de0c1062a72149b6b3b399215bafa61a52562.1573047195.git.mikko.rapeli@bmw.de Subject: [OE-core] [PATCH RFC CFH][sumo 40/47] procps: whitelist CVE-2018-1121 Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org
Series	None \| expand [RFC,CFH,sumo,07/47] cve-check: be idiomatic [RFC,CFH,sumo,13/47] cve-check: remove redundant readline CVE whitelisting [RFC,CFH,sumo,14/47] cve-check-tool: remove [RFC,CFH,sumo,15/47] glibc: exclude child recipes from CVE scanning [RFC,CFH,sumo,17/47] cve-check: allow comparison of Vendor as well as Product [RFC,CFH,sumo,19/47] cve-update-db-native: use SQL placeholders instead of format strings [RFC,CFH,sumo,22/47] cve-update-db-native: use os.path.join instead of + [RFC,CFH,sumo,23/47] cve-update-db: actually inherit native [RFC,CFH,sumo,24/47] cve-update-db-native: use executemany() to optimise CPE insertion [RFC,CFH,sumo,25/47] cve-update-db-native: improve metadata parsing [RFC,CFH,sumo,26/47] cve-update-db-native: clean up JSON fetching [RFC,CFH,sumo,28/47] cve-check: ensure all known CVEs are in the report [RFC,CFH,sumo,29/47] cve-check: failure to parse versions should be more visible [RFC,CFH,sumo,37/47] flex: set CVE_PRODUCT to include vendor [RFC,CFH,sumo,39/47] libpam: set CVE_PRODUCT [RFC,CFH,sumo,40/47] procps: whitelist CVE-2018-1121 [RFC,CFH,sumo,41/47] libpng: whitelist CVE-2019-17371 [RFC,CFH,sumo,44/47] ed: set CVE vendor to avoid false positives [RFC,CFH,sumo,45/47] boost: set CVE vendor to Boost [RFC,CFH,sumo,46/47] subversion: set CVE vendor to Apache [RFC,CFH,sumo,47/47] git: set CVE vendor to git-scm

Message ID

340de0c1062a72149b6b3b399215bafa61a52562.1573047195.git.mikko.rapeli@bmw.de

State

New

Headers

Received-SPF: pass (google.com: best guess record for domain of
	openembedded-core-bounces@lists.openembedded.org designates
	140.211.169.62 as permitted sender) client-ip=140.211.169.62; 
From: Mikko Rapeli <mikko.rapeli@bmw.de>
To: openembedded-core@lists.openembedded.org
Date: Wed,  6 Nov 2019 17:37:55 +0200
Message-Id: <340de0c1062a72149b6b3b399215bafa61a52562.1573047195.git.mikko.rapeli@bmw.de>
In-Reply-To: <cover.1573047194.git.mikko.rapeli@bmw.de>
References: <cover.1573047194.git.mikko.rapeli@bmw.de>
In-Reply-To: <cover.1573047194.git.mikko.rapeli@bmw.de>
References: <cover.1573047194.git.mikko.rapeli@bmw.de>
Subject: [OE-core] [PATCH RFC CFH][sumo 40/47] procps: whitelist
	CVE-2018-1121
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: openembedded-core-bounces@lists.openembedded.org
Errors-To: openembedded-core-bounces@lists.openembedded.org

Series

None | expand

Commit Message

Mikko Rapeli Nov. 6, 2019, 3:37 p.m. UTC

From: Ross Burton <ross.burton@intel.com>


This CVE is about race conditions in 'ps' which make it unsuitable for security
audits.  As these race conditions are unavoidable ps shouldn't be used for
security auditing, so this isn't a valid CVE.

(From OE-Core rev: b3fa0654abf9ac32f683ac174e453ea5e64b6cb8)

Signed-off-by: Ross Burton <ross.burton@intel.com>

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>


Conflicts:
	meta/recipes-extended/procps/procps_3.3.15.bb
---
 meta/recipes-extended/procps/procps_3.3.12.bb | 3 +++
 1 file changed, 3 insertions(+)

-- 
1.9.1

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

diff --git a/meta/recipes-extended/procps/procps_3.3.12.bb b/meta/recipes-extended/procps/procps_3.3.12.bb
index 6e15b0a..d4ebaf9 100644
--- a/meta/recipes-extended/procps/procps_3.3.12.bb
+++ b/meta/recipes-extended/procps/procps_3.3.12.bb
@@ -64,3 +64,6 @@  python __anonymous() {
         d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog))
 }
 
+# 'ps' isn't suitable for use as a security tool so whitelist this CVE.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3
+CVE_CHECK_WHITELIST += "CVE-2018-1121"