[Buildroot] [git commit] package/glibc: ignore CVEs not considered as security issues by upstream

Yann E. MORIN yann.morin.1998 at free.fr
Sat Dec 23 10:11:37 UTC 2023


commit: https://git.buildroot.net/buildroot/commit/?id=adaae82c5872aa611b18a4c81bf60be268696442
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master

5 CVEs affecting glibc according to the NVD database are considered as
not being security issues by upstream glibc developers:

* CVE-2010-4756: The glob implementation in the GNU C Library (aka
  glibc or libc6) allows remote authenticated users to cause a denial
  of service (CPU and memory consumption) via crafted glob expressions
  that do not match any pathnames. glibc maintainers' position: "That's
  standard POSIX behaviour implemented by (e)glibc. Applications using
  glob need to impose limits for themselves"

* CVE-2019-1010022: GNU Libc current is affected by: Mitigation
  bypass. The impact is: Attacker may bypass stack guard
  protection. The component is: nptl. The attack vector is: Exploit
  stack buffer overflow vulnerability and use this bypass
  vulnerability to bypass stack guard. NOTE: Upstream comments
  indicate "this is being treated as a non-security bug and no real
  threat." glibc maintainers' position: "Not treated as a security issue
  by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22850"

* CVE-2019-1010023: GNU Libc current is affected by: Re-mapping
  current loaded library with malicious ELF file. The impact is: In
  worst case attacker may evaluate privileges. The component is:
  libld. The attack vector is: Attacker sends 2 ELF files to victim
  and asks to run ldd on it. ldd execute code. NOTE: Upstream comments
  indicate "this is being treated as a non-security bug and no real
  threat." glibc maintainers' position: "Not treated as a security issue
  by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22851"

* CVE-2019-1010024: GNU Libc current is affected by: Mitigation
  bypass. The impact is: Attacker may bypass ASLR using cache of
  thread stack and heap. The component is: glibc. NOTE: Upstream
  comments indicate "this is being treated as a non-security bug and
  no real threat." glibc maintainers' position: "Not treated as a
  security issue by upstream
  https://sourceware.org/bugzilla/show_bug.cgi?id=22852"

* CVE-2019-1010025: GNU Libc current is affected by: Mitigation
  bypass. The impact is: Attacker may guess the heap addresses of
  pthread_created thread. The component is: glibc. NOTE: the vendor's
  position is "ASLR bypass itself is not a vulnerability." glibc
  maintainers' position: "Not treated as a security issue by upstream
  https://sourceware.org/bugzilla/show_bug.cgi?id=22853"

Signed-off-by: Thomas Petazzoni <thomas.petazzoni at bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998 at free.fr>
---
 package/glibc/glibc.mk | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/package/glibc/glibc.mk b/package/glibc/glibc.mk
index 32e6516c7f..29411c58e2 100644
--- a/package/glibc/glibc.mk
+++ b/package/glibc/glibc.mk
@@ -36,6 +36,20 @@ GLIBC_IGNORE_CVES += CVE-2023-4911
 # 2.38 and the version we're really using.
 GLIBC_IGNORE_CVES += CVE-2023-5156
 
+# All these CVEs are considered as not being security issues by
+# upstream glibc:
+#  https://security-tracker.debian.org/tracker/CVE-2010-4756
+#  https://security-tracker.debian.org/tracker/CVE-2019-1010022
+#  https://security-tracker.debian.org/tracker/CVE-2019-1010023
+#  https://security-tracker.debian.org/tracker/CVE-2019-1010024
+#  https://security-tracker.debian.org/tracker/CVE-2019-1010025
+GLIBC_IGNORE_CVES += \
+	CVE-2010-4756 \
+	CVE-2019-1010022 \
+	CVE-2019-1010023 \
+	CVE-2019-1010024 \
+	CVE-2019-1010025
+
 # glibc is part of the toolchain so disable the toolchain dependency
 GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO
 
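Review bot: the in-tree comment above the new `GLIBC_IGNORE_CVES += \` block justifies the five ignores only through Debian security-tracker links, while the commit message cites the upstream sourceware bugzilla entries (22850 through 22853) that actually record the glibc maintainers' position; consider adding those upstream URLs to the comment so the rationale for silencing these CVEs is readable in glibc.mk without consulting the git log. Note also that, unlike the `CVE-2023-5156` entry just above, whose ignore is tied to a version mismatch, these five are ignored unconditionally on the grounds that upstream does not treat them as security issues, so the entry should be revisited only if upstream changes that position. The multi-line list with tab-indented continuation lines is valid make syntax and keeps the block easy to extend.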