Message ID | 20250117080709.3112142-1-spushpka@cisco.com
---|---
State | New
Series | [master] glibc 2.40: Deferred CVE-2010-4756
This is already done in cve-extra-exclusions.inc
So if this goes to the recipe, it should be removed from that file.

Peter

> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Shubham Pushpkar via lists.openembedded.org
> Sent: Friday, January 17, 2025 9:07
> To: openembedded-core@lists.openembedded.org
> Cc: xe-linux-external@cisco.com; spushpka@cisco.com
> Subject: [OE-core] [master] [PATCH] glibc 2.40: Deferred CVE-2010-4756
>
> Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2010-4756
> Type: Security Advisory
> CVE: CVE-2010-4756
> Score: 4.0
>
> Analysis:
> - It is a bug in network facing services if users pass
> in unsanitized inputs to glob, without using appropriate
> rlimits on memory usage. [1]
> - Issue is memory exhaustion via glob() calls, e.g. from
> within an ftp server. It is not a security issue, ftp servers
> shouldn't be passing this to libc glob. [2]
> - Hence skipping the CVE for now.
>
> Reference:
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=681681
> [2] https://github.com/openembedded/openembedded-core/commit/cf282ae03db3
>
> Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
> ---
> meta/recipes-core/glibc/glibc_2.40.bb | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/meta/recipes-core/glibc/glibc_2.40.bb b/meta/recipes-core/glibc/glibc_2.40.bb
> index 3e855b19d8..3210492764 100644
> --- a/meta/recipes-core/glibc/glibc_2.40.bb
> +++ b/meta/recipes-core/glibc/glibc_2.40.bb
> @@ -20,6 +20,12 @@ CVE_STATUS_GROUPS += "CVE_STATUS_STABLE_BACKPORTS"
>  CVE_STATUS_STABLE_BACKPORTS = ""
>  CVE_STATUS_STABLE_BACKPORTS[status] = "cpe-stable-backport: fix available in used git hash"
>
> +# glibc https://nvd.nist.gov/vuln/detail/CVE-2010-4756
> +CVE_STATUS[CVE-2010-4756] = "upstream-wontfix: \
> +Issue is memory exhaustion via glob() calls, e.g. from within an ftp server. \
> +Upstream don't see it as a security issue, ftp servers shouldn't be passing this to libc glob. \
> +Exclude as upstream have no plans to add BSD's GLOB_LIMIT."
> +
>  DEPENDS += "gperf-native bison-native"
>
>  NATIVESDKFIXES ?= ""
> --
> 2.35.6
diff --git a/meta/recipes-core/glibc/glibc_2.40.bb b/meta/recipes-core/glibc/glibc_2.40.bb
index 3e855b19d8..3210492764 100644
--- a/meta/recipes-core/glibc/glibc_2.40.bb
+++ b/meta/recipes-core/glibc/glibc_2.40.bb
@@ -20,6 +20,12 @@ CVE_STATUS_GROUPS += "CVE_STATUS_STABLE_BACKPORTS"
 CVE_STATUS_STABLE_BACKPORTS = ""
 CVE_STATUS_STABLE_BACKPORTS[status] = "cpe-stable-backport: fix available in used git hash"
 
+# glibc https://nvd.nist.gov/vuln/detail/CVE-2010-4756
+CVE_STATUS[CVE-2010-4756] = "upstream-wontfix: \
+Issue is memory exhaustion via glob() calls, e.g. from within an ftp server. \
+Upstream don't see it as a security issue, ftp servers shouldn't be passing this to libc glob. \
+Exclude as upstream have no plans to add BSD's GLOB_LIMIT."
+
 DEPENDS += "gperf-native bison-native"
 
 NATIVESDKFIXES ?= ""
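Review bot: the new `+CVE_STATUS[CVE-2010-4756] = "upstream-wontfix: \` entry in this hunk duplicates a status that the reply on this thread says already lives in cve-extra-exclusions.inc; keep the status in one place only, and if the recipe is the chosen place, remove the entry from that file in the same patch so cve-check does not carry two statuses for one CVE. Two smaller points on the status string: the wording `Upstream don't see it as a security issue` should read "does not", and the justification repeats the commit message without either of the two references it cites, so putting the bugzilla URL on the `+# glibc https://nvd.nist.gov/vuln/detail/CVE-2010-4756` comment line would make the wontfix decision traceable from the recipe itself.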
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2010-4756
Type: Security Advisory
CVE: CVE-2010-4756
Score: 4.0

Analysis:
- It is a bug in network facing services if users pass
  in unsanitized inputs to glob, without using appropriate
  rlimits on memory usage. [1]
- Issue is memory exhaustion via glob() calls, e.g. from
  within an ftp server. It is not a security issue, ftp servers
  shouldn't be passing this to libc glob. [2]
- Hence skipping the CVE for now.

Reference:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=681681
[2] https://github.com/openembedded/openembedded-core/commit/cf282ae03db3

Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
---
 meta/recipes-core/glibc/glibc_2.40.bb | 6 ++++++
 1 file changed, 6 insertions(+)
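The analysis above puts the burden on the network-facing service: do not hand unsanitized client patterns to libc glob(), and bound memory with rlimits. The following C program is an added example, not part of this patch or of glibc, showing what that looks like in a service: a pattern check that refuses shapes which can expand to unbounded work (glibc has no GLOB_LIMIT, so the caller has to impose one), a cap on the number of matches kept, and an RLIMIT_AS backstop. The thresholds, the function names and the sample patterns are assumptions constructed for the example.

```c
/* Added example: a defensive wrapper around glibc glob() for patterns
 * that arrive from an untrusted client (an ftp LIST argument, say).
 * Not code from the patch or from glibc; thresholds are constructed. */
#include <glob.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

#define MAX_PATTERN_LEN 256   /* constructed limit on pattern length   */
#define MAX_WILDCARDS     8   /* constructed limit on '*', '?' and '[' */
#define MAX_MATCHES     512   /* constructed limit on matches kept     */

/* Returns 1 when the pattern is acceptable, 0 when it must be refused.
 * The wildcard count is what bounds the matching work; braces and
 * ".." segments are refused outright. */
int pattern_is_bounded(const char *pattern)
{
    size_t len = strlen(pattern);
    int wildcards = 0;

    if (len == 0 || len > MAX_PATTERN_LEN)
        return 0;
    for (size_t i = 0; i < len; i++) {
        switch (pattern[i]) {
        case '*': case '?': case '[':
            if (++wildcards > MAX_WILDCARDS)
                return 0;
            break;
        case '{':               /* brace expansion multiplies the work */
            return 0;
        default:
            break;
        }
        /* refuse ".." path segments so the client stays in the served tree */
        if (pattern[i] == '.' && pattern[i + 1] == '.' &&
            (pattern[i + 2] == '/' || pattern[i + 2] == '\0'))
            return 0;
    }
    return 1;
}

/* Runs glob() only on a vetted pattern. Returns the number of matches
 * to report (capped at MAX_MATCHES), 0 when nothing matched, or -1
 * when the pattern was refused or glob() failed. The caller owns
 * *results and frees it with globfree() whenever the return is >= 0. */
int bounded_glob(const char *pattern, glob_t *results)
{
    if (!pattern_is_bounded(pattern))
        return -1;

    /* GLOB_BRACE is deliberately not passed, so '{' stays literal even
     * if the check above were ever relaxed; GLOB_NOSORT skips the sort. */
    int rc = glob(pattern, GLOB_NOSORT, NULL, results);
    if (rc == GLOB_NOMATCH)
        return 0;
    if (rc != 0) {              /* GLOB_NOSPACE or GLOB_ABORTED */
        globfree(results);
        return -1;
    }
    return results->gl_pathc > MAX_MATCHES ? MAX_MATCHES
                                           : (int)results->gl_pathc;
}

/* Process-level backstop: even a pattern that slips past the check
 * cannot take the whole machine's memory with it. */
static void cap_address_space(rlim_t bytes)
{
    struct rlimit rl = { bytes, bytes };
    if (setrlimit(RLIMIT_AS, &rl) != 0)
        perror("setrlimit(RLIMIT_AS)");
}

int main(void)
{
    /* constructed sample patterns: two benign, three refused */
    const char *samples[] = {
        "*.c",
        "/nonexistent_dir_for_example/*",
        "*/*/*/*/*/*/*/*/*/*",      /* ten wildcards: over the limit */
        "a{b,c}",                   /* brace expansion refused       */
        "../*",                     /* leaves the served tree        */
    };

    cap_address_space(256UL << 20); /* 256 MiB, a constructed value */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        glob_t g;
        memset(&g, 0, sizeof g);
        int n = bounded_glob(samples[i], &g);
        printf("%-34s -> %d\n", samples[i], n);
        if (n >= 0)
            globfree(&g);
    }
    return 0;
}
```

The order matters: the pattern check runs before glob() and is the part that actually bounds the work, while the match cap only bounds the size of the reply and the rlimit is the last line of defence once the other two have been bypassed or misconfigured.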