Halaman utama Jelajahi Bantuan
Daftar Masuk
PUBLIC_REPOS
/
buildroot
cermin dari git://git.buildroot.net/buildroot
2
1
Fork 0
Berkas
Jelajahi Sumber

package/glibc: ignore CVEs not considered as security issues by upstream

5 CVEs affecting glibc according to the NVD database are considered as
not being security issues by upstream glibc developers:

* CVE-2010-4756: The glob implementation in the GNU C Library (aka
  glibc or libc6) allows remote authenticated users to cause a denial
  of service (CPU and memory consumption) via crafted glob expressions
  that do not match any pathnames. glibc maintainers position: "That's
  standard POSIX behaviour implemented by (e)glibc. Applications using
  glob need to impose limits for themselves"

* CVE-2019-1010022: GNU Libc current is affected by: Mitigation
  bypass. The impact is: Attacker may bypass stack guard
  protection. The component is: nptl. The attack vector is: Exploit
  stack buffer overflow vulnerability and use this bypass
  vulnerability to bypass stack guard. NOTE: Upstream comments
  indicate "this is being treated as a non-security bug and no real
  threat. glibc maintainers position: "Not treated as a security issue
  by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22850"

* CVE-2019-1010023: GNU Libc current is affected by: Re-mapping
  current loaded library with malicious ELF file. The impact is: In
  worst case attacker may evaluate privileges. The component is:
  libld. The attack vector is: Attacker sends 2 ELF files to victim
  and asks to run ldd on it. ldd execute code. NOTE: Upstream comments
  indicate "this is being treated as a non-security bug and no real
  threat. glibc maintainers position: "Not treated as a security issue
  by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22851"

* CVE-2019-1010024: GNU Libc current is affected by: Mitigation
  bypass. The impact is: Attacker may bypass ASLR using cache of
  thread stack and heap. The component is: glibc. NOTE: Upstream
  comments indicate "this is being treated as a non-security bug and
  no real threat. glibc maintainers position: "Not treated as a
  security issue by upstream
  https://sourceware.org/bugzilla/show_bug.cgi?id=22852"

* CVE-2019-1010025: GNU Libc current is affected by: Mitigation
  bypass. The impact is: Attacker may guess the heap addresses of
  pthread_created thread. The component is: glibc. NOTE: the vendor's
  position is "ASLR bypass itself is not a vulnerability. Glibc
  maintainers position: "Not treated as a security issue by upstream
  https://sourceware.org/bugzilla/show_bug.cgi?id=22853"

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Thomas Petazzoni 1 tahun lalu
induk
af8c0e5c74
melakukan
adaae82c58
1 mengubah file dengan 14 tambahan dan 0 penghapusan
Tampilan Split Tampilkan Statistik Diff
  1. 14 0
      package/glibc/glibc.mk

+ 14 - 0
package/glibc/glibc.mk
Tampilan Berkas 

@@ -36,6 +36,20 @@ GLIBC_IGNORE_CVES += CVE-2023-4911
 
 # 2.38 and the version we're really using.
 
 GLIBC_IGNORE_CVES += CVE-2023-5156
 
 
+# All these CVEs are considered as not being security issues by
 
+# upstream glibc:
 
+#  https://security-tracker.debian.org/tracker/CVE-2010-4756
 
+#  https://security-tracker.debian.org/tracker/CVE-2019-1010022
 
+#  https://security-tracker.debian.org/tracker/CVE-2019-1010023
 
+#  https://security-tracker.debian.org/tracker/CVE-2019-1010024
 
+#  https://security-tracker.debian.org/tracker/CVE-2019-1010025
 
+GLIBC_IGNORE_CVES += \
 
+	CVE-2010-4756 \
 
+	CVE-2019-1010022 \
 
+	CVE-2019-1010023 \
 
+	CVE-2019-1010024 \
 
+	CVE-2019-1010025
 
+
 
 # glibc is part of the toolchain so disable the toolchain dependency
 
 GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO