package/glibc: ignore CVEs not considered as security issues by upstream

5 CVEs affecting glibc according to the NVD database are considered as
not being security issues by upstream glibc developers:

* CVE-2010-4756: The glob implementation in the GNU C Library (aka
  glibc or libc6) allows remote authenticated users to cause a denial
  of service (CPU and memory consumption) via crafted glob expressions
  that do not match any pathnames. glibc maintainers' position: "That's
  standard POSIX behaviour implemented by (e)glibc. Applications using
  glob need to impose limits for themselves"

* CVE-2019-1010022: GNU Libc current is affected by: Mitigation
  bypass. The impact is: Attacker may bypass stack guard
  protection. The component is: nptl. The attack vector is: Exploit
  stack buffer overflow vulnerability and use this bypass
  vulnerability to bypass stack guard. NOTE: Upstream comments
  indicate "this is being treated as a non-security bug and no real
  threat." glibc maintainers' position: "Not treated as a security issue
  by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22850"

* CVE-2019-1010023: GNU Libc current is affected by: Re-mapping
  current loaded library with malicious ELF file. The impact is: In
  worst case attacker may evaluate privileges. The component is:
  libld. The attack vector is: Attacker sends 2 ELF files to victim
  and asks to run ldd on it. ldd execute code. NOTE: Upstream comments
  indicate "this is being treated as a non-security bug and no real
  threat." glibc maintainers' position: "Not treated as a security issue
  by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22851"

* CVE-2019-1010024: GNU Libc current is affected by: Mitigation
  bypass. The impact is: Attacker may bypass ASLR using cache of
  thread stack and heap. The component is: glibc. NOTE: Upstream
  comments indicate "this is being treated as a non-security bug and
  no real threat." glibc maintainers' position: "Not treated as a
  security issue by upstream
  https://sourceware.org/bugzilla/show_bug.cgi?id=22852"

* CVE-2019-1010025: GNU Libc current is affected by: Mitigation
  bypass. The impact is: Attacker may guess the heap addresses of
  pthread_created thread. The component is: glibc. NOTE: the vendor's
  position is "ASLR bypass itself is not a vulnerability." Glibc
  maintainers' position: "Not treated as a security issue by upstream
  https://sourceware.org/bugzilla/show_bug.cgi?id=22853"

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Thomas Petazzoni 2023-12-20 21:01:08 +01:00 committed by Yann E. MORIN
parent af8c0e5c74
commit adaae82c58

@ -36,6 +36,20 @@ GLIBC_IGNORE_CVES += CVE-2023-4911
# 2.38 and the version we're really using.
GLIBC_IGNORE_CVES += CVE-2023-5156
# All these CVEs are considered as not being security issues by
# upstream glibc:
# https://security-tracker.debian.org/tracker/CVE-2010-4756
# https://security-tracker.debian.org/tracker/CVE-2019-1010022
# https://security-tracker.debian.org/tracker/CVE-2019-1010023
# https://security-tracker.debian.org/tracker/CVE-2019-1010024
# https://security-tracker.debian.org/tracker/CVE-2019-1010025
GLIBC_IGNORE_CVES += \
CVE-2010-4756 \
CVE-2019-1010022 \
CVE-2019-1010023 \
CVE-2019-1010024 \
CVE-2019-1010025
# glibc is part of the toolchain so disable the toolchain dependency
GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO
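
Review bot: The comment above the new `GLIBC_IGNORE_CVES += \` list gives one shared reason for all five entries and links only to the Debian security tracker, while the commit message carries a distinct rationale per CVE and the upstream sourceware bug URLs (ids 22850 to 22853) for the four CVE-2019-10100xx entries. Someone auditing the ignore list from the makefile alone cannot tell that CVE-2010-4756 is ignored because glob resource use is "standard POSIX behaviour" and the other four because upstream does not treat a stack guard or ASLR mitigation bypass as a vulnerability. Consider a one-line reason next to each entry, with the upstream bug URL where the commit message has one, so the justification can be re-checked if upstream changes its position. Since four of the five are mitigation bypasses, a short remark in the comment that these weaken hardening rather than being directly exploitable would also help users whose threat model relies on ASLR or stack protection decide whether to keep them ignored in their CVE reports.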