From adaae82c5872aa611b18a4c81bf60be268696442 Mon Sep 17 00:00:00 2001 
From: Thomas Petazzoni
Date: Wed, 20 Dec 2023 21:01:08 +0100
Subject: [PATCH] package/glibc: ignore CVEs not considered as security issues by upstream

5 CVEs affecting glibc according to the NVD database are considered as not being security issues by upstream glibc developers:

* CVE-2010-4756: The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames.
  glibc maintainers position: "That's standard POSIX behaviour implemented by (e)glibc. Applications using glob need to impose limits for themselves"

* CVE-2019-1010022: GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.
  glibc maintainers position: "Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22850"

* CVE-2019-1010023: GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.
  glibc maintainers position: "Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22851"

* CVE-2019-1010024: GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.
glibc maintainers position: "Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22852" * CVE-2019-1010025: GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability. Glibc maintainers position: "Not treated as a security issue by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22853" Signed-off-by: Thomas Petazzoni Signed-off-by: Yann E. MORIN --- package/glibc/glibc.mk | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk index 32e6516c7f..29411c58e2 100644 --- a/package/glibc/glibc.mk +++ b/package/glibc/glibc.mk @@ -36,6 +36,20 @@ GLIBC_IGNORE_CVES += CVE-2023-4911 # 2.38 and the version we're really using. GLIBC_IGNORE_CVES += CVE-2023-5156 +# All these CVEs are considered as not being security issues by +# upstream glibc: +# https://security-tracker.debian.org/tracker/CVE-2010-4756 +# https://security-tracker.debian.org/tracker/CVE-2019-1010022 +# https://security-tracker.debian.org/tracker/CVE-2019-1010023 +# https://security-tracker.debian.org/tracker/CVE-2019-1010024 +# https://security-tracker.debian.org/tracker/CVE-2019-1010025 +GLIBC_IGNORE_CVES += \ + CVE-2010-4756 \ + CVE-2019-1010022 \ + CVE-2019-1010023 \ + CVE-2019-1010024 \ + CVE-2019-1010025 + # glibc is part of the toolchain so disable the toolchain dependency GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO
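
Review bot: The comment above the new `GLIBC_IGNORE_CVES += \` block says upstream does not treat these as security issues, but the five links it gives are Debian security tracker pages, not the upstream statements. The commit message cites the upstream sources (sourceware bugzilla ids 22850 to 22853 for the four CVE-2019-10100xx entries, and the quoted glob position for CVE-2010-4756); putting those references in the in-file comment would let someone auditing the ignore list verify each entry without going back to the commit log. The single comment also covers two different rationales: CVE-2010-4756 is dismissed as standard POSIX glob behaviour where applications must impose their own limits, while CVE-2019-1010022, CVE-2019-1010024 and CVE-2019-1010025 are stack guard or ASLR bypasses that upstream treats as non-security bugs. A short per-CVE reason, in the style of the existing comment on CVE-2023-5156 just above, would keep that distinction visible to users whose CVE reports will no longer list these entries.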