
[1/3] package/glibc: add proper CPE ID version detail

Message ID 20231220200110.1819507-1-thomas.petazzoni@bootlin.com
State Accepted

Commit Message

Thomas Petazzoni Dec. 20, 2023, 8:01 p.m. UTC
As reported in bug 15895, the GLIBC_VERSION field has a value looking
like 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701, which prevents
the CPE/CVE matching with the NVD database from working correctly.

This commit fixes that by defining GLIBC_CPE_ID_VERSION, derived from
GLIBC_VERSION, by extracting the base version.

Also, we update GLIBC_IGNORE_CVES to account for the CVEs that have
clearly been fixed between 2.38 and
2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701. There are a number
of other CVEs still affecting the glibc package, but they are not
related to this
2.38...2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701 range.

Fixes: #15895

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
 package/glibc/glibc.mk | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
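A worked illustration of the commit message's reasoning, added here and not part of the patch or of Buildroot's own CVE-matching code: it reimplements the patch's base-version extraction in Python and runs a constructed, NVD-style version-range check to show that the raw GLIBC_VERSION string silently matches nothing, while the base version matches every 2.38 CVE, including the three the patch then has to list in GLIBC_IGNORE_CVES. The affected ranges, the placeholder CVE id and the range-matching logic are assumptions for illustration, not NVD data.

```python
# Added illustration (not Buildroot's own code): the patch's make expression in
# Python, plus constructed CVE records showing why the raw GLIBC_VERSION string
# never matches a version range and why the ignore list is then needed.
from dataclasses import dataclass

GLIBC_VERSION = "2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701"  # from the commit message
GLIBC_IGNORE_CVES = {"CVE-2023-4527", "CVE-2023-4911", "CVE-2023-5156"}  # from the patch

def cpe_id_version(version: str) -> str:
    """Equivalent of $(word 1, $(subst -,$(space),$(GLIBC_VERSION))): text before the first '-'."""
    return version.split("-", 1)[0]

@dataclass(frozen=True)
class CveRecord:
    """A CVE with an NVD-style affected range [start_incl, end_excl)."""
    cve: str
    start_incl: str
    end_excl: str

def version_key(version: str) -> tuple:
    """Numeric tuple for ordering; raises ValueError on a git-describe suffix."""
    return tuple(int(part) for part in version.split("."))

def affected(record: CveRecord, version: str) -> bool:
    """True if version lies in the record's range. An unparsable version never
    matches: that is the silent false negative behind bug 15895."""
    try:
        key = version_key(version)
    except ValueError:
        return False
    return version_key(record.start_incl) <= key < version_key(record.end_excl)

def matching_cves(records, version: str, ignore=frozenset()) -> list:
    """CVEs whose range contains version, minus those in the ignore list."""
    return sorted(r.cve for r in records if affected(r, version) and r.cve not in ignore)

# Constructed ranges for illustration only; they are not NVD data.
SAMPLE_RECORDS = [
    CveRecord("CVE-2023-4527", "2.36", "2.39"),
    CveRecord("CVE-2023-4911", "2.34", "2.39"),
    CveRecord("CVE-2023-5156", "2.38", "2.39"),
    CveRecord("CVE-0000-0000", "2.30", "2.36"),  # placeholder id: fixed well before 2.38
]

if __name__ == "__main__":
    base = cpe_id_version(GLIBC_VERSION)
    print("raw string   :", matching_cves(SAMPLE_RECORDS, GLIBC_VERSION))            # []
    print("base version :", matching_cves(SAMPLE_RECORDS, base))                     # 3 CVEs
    print("after ignores:", matching_cves(SAMPLE_RECORDS, base, GLIBC_IGNORE_CVES))  # []
```

The first result is the dangerous one: a version string the matcher cannot parse reports zero CVEs, which looks identical to a clean package.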

Comments

Yann E. MORIN Dec. 23, 2023, 10:20 a.m. UTC | #1
Thomas, All,

On 2023-12-20 21:01 +0100, Thomas Petazzoni spake thusly:
> As reported in bug 15895, the GLIBC_VERSION field has a value looking
> like 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701, which prevents
> the CPE/CVE matching with the NVD database from working correctly.
> 
> This commit fixes that by defining GLIBC_CPE_ID_VERSION, derived from
> GLIBC_VERSION, by extracting the base version.
> 
> Also, we update GLIBC_IGNORE_CVES to account for the CVEs that have
> clearly been fixed between 2.38 and
> 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701. There are a number
> of other CVEs still affecting the glibc package, but they are not
> related to this
> 2.38...2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701 range.
> 
> Fixes: #15895
> 
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/glibc/glibc.mk | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
> 
> diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
> index 0b71530310..32e6516c7f 100644
> --- a/package/glibc/glibc.mk
> +++ b/package/glibc/glibc.mk
> @@ -20,6 +20,22 @@ GLIBC_LICENSE = GPL-2.0+ (programs), LGPL-2.1+, BSD-3-Clause, MIT (library)
>  GLIBC_LICENSE_FILES = COPYING COPYING.LIB LICENSES
>  GLIBC_CPE_ID_VENDOR = gnu
>  
> +# Extract the base version (e.g. 2.38) from GLIBC_VERSION) in order to
> +# allow proper matching with the CPE database.
> +GLIBC_CPE_ID_VERSION = $(word 1, $(subst -,$(space),$(GLIBC_VERSION)))
> +
> +# Fixed by b25508dd774b617f99419bdc3cf2ace4560cd2d6, which is between
> +# 2.38 and the version we're really using
> +GLIBC_IGNORE_CVES += CVE-2023-4527
> +
> +# Fixed by 750a45a783906a19591fb8ff6b7841470f1f5710, which is between
> +# 2.38 and the version we're really using.
> +GLIBC_IGNORE_CVES += CVE-2023-4911
> +
> +# Fixed by 5ee59ca371b99984232d7584fe2b1a758b4421d3, which is between
> +# 2.38 and the version we're really using.
> +GLIBC_IGNORE_CVES += CVE-2023-5156
> +
>  # glibc is part of the toolchain so disable the toolchain dependency
>  GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO
>  
> -- 
> 2.43.0
>
Peter Korsgaard Jan. 7, 2024, 10:26 p.m. UTC | #2
>>>>> "Thomas" == Thomas Petazzoni via buildroot <buildroot@buildroot.org> writes:

 > As reported in bug 15895, the GLIBC_VERSION field has a value looking
 > like 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701, which prevents
 > the CPE/CVE matching with the NVD database from working correctly.

 > This commit fixes that by defining GLIBC_CPE_ID_VERSION, derived from
 > GLIBC_VERSION, by extracting the base version.

 > Also, we update GLIBC_IGNORE_CVES to account for the CVEs that have
 > clearly been fixed between 2.38 and
 > 2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701. There are a number
 > of other CVEs still affecting the glibc package, but they are not
 > related to this
 > 2.38...2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701 range.

 > Fixes: #15895

 > Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

Committed to 2023.02.x (after adjusting to 2.36.x hashes) and 2023.11.x,
thanks.

Patch

diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index 0b71530310..32e6516c7f 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -20,6 +20,22 @@  GLIBC_LICENSE = GPL-2.0+ (programs), LGPL-2.1+, BSD-3-Clause, MIT (library)
 GLIBC_LICENSE_FILES = COPYING COPYING.LIB LICENSES
 GLIBC_CPE_ID_VENDOR = gnu
 
+# Extract the base version (e.g. 2.38) from GLIBC_VERSION) in order to
+# allow proper matching with the CPE database.
+GLIBC_CPE_ID_VERSION = $(word 1, $(subst -,$(space),$(GLIBC_VERSION)))
+
+# Fixed by b25508dd774b617f99419bdc3cf2ace4560cd2d6, which is between
+# 2.38 and the version we're really using
+GLIBC_IGNORE_CVES += CVE-2023-4527
+
+# Fixed by 750a45a783906a19591fb8ff6b7841470f1f5710, which is between
+# 2.38 and the version we're really using.
+GLIBC_IGNORE_CVES += CVE-2023-4911
+
+# Fixed by 5ee59ca371b99984232d7584fe2b1a758b4421d3, which is between
+# 2.38 and the version we're really using.
+GLIBC_IGNORE_CVES += CVE-2023-5156
+
 # glibc is part of the toolchain so disable the toolchain dependency
 GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO
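Review bot: the commit id cited for CVE-2023-4911 does not match the commit GLIBC_VERSION pins: the comment says `750a45a783906a19591fb8ff6b7841470f1f5710`, while the commit message names `2.38-27-g750a45a783906a19591fb8ff6b7841470f1f5701`, so one of the two has its last digits transposed. These comments are the only justification a later auditor has for silencing a CVE, so each hash should be the one `git log` actually reports for the fix. Two smaller points in the same hunk: the first comment has a stray closing parenthesis (`from GLIBC_VERSION) in order to`), and the CVE-2023-4527 comment lacks the terminating period the other two have. It would also help to state next to GLIBC_CPE_ID_VERSION that the three GLIBC_IGNORE_CVES entries are only valid for this exact 2.38...g750a45a range and must be re-checked on the next GLIBC_VERSION bump; otherwise the ignore list can outlive the pinned commit it describes. Finally, the `$(word 1, $(subst -,$(space),...))` expression relies on a `space` variable defined outside this hunk, which is worth confirming is in scope wherever glibc.mk is included.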