[Buildroot] [PATCH] package/log4cxx: ignore CVE-2023-31038

Arnout Vandecappelle arnout at mind.be
Wed Aug 30 20:04:55 UTC 2023



On 29/08/2023 00:32, Thomas Petazzoni via buildroot wrote:
> CVE-2023-31038 affects log4cxx only if ODBC is supported. While
> CVE-2023-31038 has been fixed in newer versions of log4cxx, there is
> quite a huge gap to do a version bump, and the commit that fixes
> CVE-2023-31038 could not be identified.
> 
> Therefore, we want to rely on the fact that our log4cxx package does
> not support ODBC: there is indeed no explicit dependency on our
> unixodbc package in log4cxx.mk. However, log4cxx automatically detects
> if ODBC is available and if it is, it uses it.
> 
> So what we do in this commit is backport an upstream commit, which
> explicitly adds options to enable/disable ODBC and ESMTP support, and
> we use them to (1) always disable ODBC and (2) explicitly
> enable/disable ESMTP support.
> 
> Thanks to ODBC being disabled, we're not affected by CVE-2023-31038.
> 
> Of course, there is a potential regression for users who were relying
> on the implicit unixodbc dependency, but as we could not identify the
> commit fixing the CVE-2023-31038, this is the best we can do at the
> moment.
> 
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>

  Applied to master, thanks.

  Regards,
  Arnout

> ---
>   .../0001-Make-ODBC-and-SMTP-opt-in-191.patch  | 73 +++++++++++++++++++
>   package/log4cxx/log4cxx.mk                    |  9 ++-
>   2 files changed, 81 insertions(+), 1 deletion(-)
>   create mode 100644 package/log4cxx/0001-Make-ODBC-and-SMTP-opt-in-191.patch
> 
> diff --git a/package/log4cxx/0001-Make-ODBC-and-SMTP-opt-in-191.patch b/package/log4cxx/0001-Make-ODBC-and-SMTP-opt-in-191.patch
> new file mode 100644
> index 0000000000..a116fcc491
> --- /dev/null
> +++ b/package/log4cxx/0001-Make-ODBC-and-SMTP-opt-in-191.patch
> @@ -0,0 +1,73 @@
> +From 4900c27cc284ba2f671ae92e6ffb4ab391f9507a Mon Sep 17 00:00:00 2001
> +From: Robert Middleton <rm5248 at users.noreply.github.com>
> +Date: Mon, 6 Feb 2023 20:39:02 -0500
> +Subject: [PATCH] Make ODBC and SMTP opt-in (#191)
> +
> +See #189
> +
> +Upstream: afeaab6d0f0107c77dfadcbe3708f170c48d5ed9
> +Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
> +---
> + src/main/include/CMakeLists.txt | 40 ++++++++++++++++++++++++---------
> + 1 file changed, 30 insertions(+), 10 deletions(-)
> +
> +diff --git a/src/main/include/CMakeLists.txt b/src/main/include/CMakeLists.txt
> +index e31443fb..d6835293 100644
> +--- a/src/main/include/CMakeLists.txt
> ++++ b/src/main/include/CMakeLists.txt
> +@@ -85,22 +85,42 @@ include(CheckIncludeFiles)
> + include(CheckIncludeFileCXX)
> + include(CheckLibraryExists)
> +
> +-if(WIN32)
> +-	CHECK_INCLUDE_FILES(sqlext.h HAS_ODBC)
> ++option(LOG4CXX_ENABLE_ODBC "Support logging via ODBC" OFF)
> ++if(LOG4CXX_ENABLE_ODBC)
> ++    if(WIN32)
> ++            CHECK_INCLUDE_FILES(sqlext.h HAS_ODBC)
> ++    else()
> ++            include(FindPkgConfig)
> ++
> ++            pkg_check_modules( odbc odbc )
> ++            if(${odbc_FOUND})
> ++                    set(HAS_ODBC 1)
> ++            else()
> ++                    set(HAS_ODBC 0)
> ++            endif(${odbc_FOUND})
> ++    endif(WIN32)
> ++
> ++    if(NOT ${HAS_ODBC})
> ++        message(SEND_ERROR "ODBC not found but requested")
> ++    endif()
> + else()
> +-	include(FindPkgConfig)
> +-
> +-	pkg_check_modules( odbc QUIET odbc )
> +-	if(${odbc_FOUND})
> +-		set(HAS_ODBC 1)
> +-	endif(${odbc_FOUND})
> +-endif(WIN32)
> ++    set(HAS_ODBC 0)
> ++endif(LOG4CXX_ENABLE_ODBC)
> ++
> ++option(LOG4CXX_ENABLE_ESMTP "Support logging via libesmtp" OFF)
> ++if(LOG4CXX_ENABLE_ESMTP)
> ++    CHECK_LIBRARY_EXISTS(esmtp smtp_create_session "" HAS_LIBESMTP)
> ++    if(NOT HAS_LIBESMTP)
> ++        message(SEND_ERROR "SMTP support with libesmtp not found but requested")
> ++    endif()
> ++else()
> ++    set(HAS_LIBESMTP 0)
> ++endif(LOG4CXX_ENABLE_ESMTP)
> +
> + CHECK_INCLUDE_FILE_CXX(locale HAS_STD_LOCALE)
> + CHECK_FUNCTION_EXISTS(mbsrtowcs HAS_MBSRTOWCS)
> + CHECK_FUNCTION_EXISTS(wcstombs HAS_WCSTOMBS)
> + CHECK_FUNCTION_EXISTS(fwide HAS_FWIDE)
> +-CHECK_LIBRARY_EXISTS(esmtp smtp_create_session "" HAS_LIBESMTP)
> + CHECK_FUNCTION_EXISTS(syslog HAS_SYSLOG)
> + if(UNIX)
> +     set(CMAKE_REQUIRED_LIBRARIES "pthread")
> +--
> +2.41.0
> +
> diff --git a/package/log4cxx/log4cxx.mk b/package/log4cxx/log4cxx.mk
> index a5569126d4..aee682529c 100644
> --- a/package/log4cxx/log4cxx.mk
> +++ b/package/log4cxx/log4cxx.mk
> @@ -11,10 +11,14 @@ LOG4CXX_INSTALL_STAGING = YES
>   LOG4CXX_LICENSE = Apache-2.0
>   LOG4CXX_LICENSE_FILES = LICENSE
>   LOG4CXX_CPE_ID_VENDOR = apache
> +# We do not support ODBC functionality
> +LOG4CXX_IGNORE_CVES = CVE-2023-31038
>   
> +# Note: if you want to support odbc, make sure CVE-2023-31038 is fixed
>   LOG4CXX_CONF_OPTS = \
>   	-DAPR_CONFIG_EXECUTABLE=$(STAGING_DIR)/usr/bin/apr-1-config \
> -	-DAPR_UTIL_CONFIG_EXECUTABLE=$(STAGING_DIR)/usr/bin/apu-1-config
> +	-DAPR_UTIL_CONFIG_EXECUTABLE=$(STAGING_DIR)/usr/bin/apu-1-config \
> +	-DLOG4CXX_ENABLE_ODBC=OFF
>   
>   LOG4CXX_DEPENDENCIES = apr apr-util
>   
> @@ -23,7 +27,10 @@ LOG4CXX_DEPENDENCIES += boost
>   endif
>   
>   ifeq ($(BR2_PACKAGE_LIBESMTP),y)
> +LOG4CXX_CONF_OPTS += -DLOG4CXX_ENABLE_LIBESMTP=ON
>   LOG4CXX_DEPENDENCIES += libesmtp
> +else
> +LOG4CXX_CONF_OPTS += -DLOG4CXX_ENABLE_LIBESMTP=OFF
>   endif
>   
>   ifeq ($(BR2_USE_WCHAR),y)
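Review bot: The option name passed in this hunk does not match the one the backported patch defines: log4cxx.mk sets `-DLOG4CXX_ENABLE_LIBESMTP=ON`/`OFF`, while 0001-Make-ODBC-and-SMTP-opt-in-191.patch declares `option(LOG4CXX_ENABLE_ESMTP "Support logging via libesmtp" OFF)`. CMake does not reject an unknown `-D` cache variable (it only warns about it being unused), so with BR2_PACKAGE_LIBESMTP=y the ON case is silently ignored, `HAS_LIBESMTP` is forced to 0 by the patch's else branch, and SMTP support is dropped even though libesmtp is pulled in as a dependency. The two added lines should read `LOG4CXX_CONF_OPTS += -DLOG4CXX_ENABLE_ESMTP=ON` and `LOG4CXX_CONF_OPTS += -DLOG4CXX_ENABLE_ESMTP=OFF`. The ODBC line in the first hunk (`-DLOG4CXX_ENABLE_ODBC=OFF`) does match the patch, so the CVE-2023-31038 ignore rationale is unaffected by this.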


