[Buildroot] [git commit branch/2023.02.x] package/libssh: ignore CVE-2023-3603

Peter Korsgaard peter at korsgaard.com
Tue Sep 26 06:07:39 UTC 2023


commit: https://git.buildroot.net/buildroot/commit/?id=55e991660218e459b61d464cf801bf7121fd4ad0
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2023.02.x

The affected code isn't present in any release, see [0].

[0]: https://www.libssh.org/2023/07/14/cve-2023-3603-potential-null-dereference-in-libsshs-sftp-server/

The CPE entry for this CVE is
  cpe:2.3:a:libssh:libssh:-:*:*:*:*:*:*:*
We interpret the "-" as matching any version. It actually means
"unspecified version", which is the cop-out in case there is nothing
useful to match. We can't really make our infrastructure ignore "-"
entirely, because for all we know our version is an unreleased commit
sha which _is_ vulnerable. Thus, the only way out is an exclusion which
we'll never be able to remove.

Signed-off-by: Daniel Lang <dalang at gmx.at>
Signed-off-by: Arnout Vandecappelle <arnout at mind.be>
(cherry picked from commit a34a370f4ea27981be43df817f49320a59088e68)
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
 package/libssh/libssh.mk | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/package/libssh/libssh.mk b/package/libssh/libssh.mk
index e770d2b924..ff4cddaf91 100644
--- a/package/libssh/libssh.mk
+++ b/package/libssh/libssh.mk
@@ -17,6 +17,10 @@ LIBSSH_CONF_OPTS = \
 	-DWITH_STACK_PROTECTOR=OFF \
 	-DWITH_EXAMPLES=OFF
 
+# Not part of any release
+# https://www.libssh.org/2023/07/14/cve-2023-3603-potential-null-dereference-in-libsshs-sftp-server/
+LIBSSH_IGNORE_CVES += CVE-2023-3603
+
 ifeq ($(BR2_ARM_INSTRUCTIONS_THUMB),y)
 LIBSSH_CONF_OPTS += -DWITH_STACK_CLASH_PROTECTION=OFF
 endif
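Review bot: the in-file comment above `LIBSSH_IGNORE_CVES += CVE-2023-3603` gives only "Not part of any release", and not the second reason from the commit message, that the CVE's CPE entry carries version `-` and the CVE infrastructure treats that as matching every version. Without that, a maintainer bumping LIBSSH_VERSION is likely to drop this line on the assumption that a newer release has long since fixed it. Suggest adding a line such as `# CPE version is "-" (unspecified), so this exclusion can never be removed` between the URL comment and the `LIBSSH_IGNORE_CVES` line.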

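Worked illustration of the CPE version matching the commit message describes, added here as an example and not code from Buildroot's own CVE infrastructure (support/scripts). It parses CPE 2.3 formatted strings, compares the version attribute under two policies (strict CPE 2.3 semantics, where `-` means "unspecified" and matches nothing, and the conservative policy the commit describes, where `-` matches every version because the affected code may live in an unreleased commit), and shows why the only way to silence such an entry is an explicit ignore list. The installed libssh version, the helper names and the two non-libssh/range CVE entries marked "constructed" are assumptions for the example; only CVE-2023-3603 and its CPE come from the page.

```python
"""Added example: CPE 2.3 version matching with strict vs. conservative
handling of the NA ("-") version value.  Not Buildroot's own code."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

ANY = "*"  # CPE 2.3 logical value ANY: matches every version
NA = "-"   # CPE 2.3 logical value NA: "unspecified" / not applicable


@dataclass(frozen=True)
class Cpe:
    part: str
    vendor: str
    product: str
    version: str


def parse_cpe23(s: str) -> Cpe:
    """Parse a CPE 2.3 formatted string.

    Assumption: no escaped ':' inside attribute values (true for every CPE in
    this example), so a plain split on ':' yields the 13 fields."""
    f = s.split(":")
    if len(f) != 13 or f[0] != "cpe" or f[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {s!r}")
    return Cpe(part=f[2], vendor=f[3], product=f[4], version=f[5])


def version_key(v: str) -> Optional[Tuple[int, ...]]:
    """Sort key for dotted release versions such as 0.10.5.

    Returns None for anything non-numeric (e.g. a git commit sha), which the
    caller must treat as "unknown", not as "older" or "newer"."""
    try:
        return tuple(int(x) for x in v.split("."))
    except ValueError:
        return None


@dataclass(frozen=True)
class CveEntry:
    cve_id: str
    cpe: str
    # NVD often states a range instead of a single version attribute.
    version_end_excluding: Optional[str] = None


def version_matches(cve_version: str, installed: str, policy: str) -> bool:
    """Does the CVE's CPE version attribute cover `installed`?

    policy="strict": CPE 2.3 semantics, ANY covers everything, NA covers
                     nothing we can name (our version is always known).
    policy="conservative": like strict, but NA also counts as a hit, because
                     the vulnerable code may only exist in an unreleased
                     commit and the CPE alone cannot tell us."""
    if cve_version == ANY:
        return True
    if cve_version == NA:
        return policy == "conservative"
    return cve_version == installed


def affected_cves(pkg_cpe: str, cves: Iterable[CveEntry],
                  ignore: Iterable[str] = (),
                  policy: str = "conservative") -> List[str]:
    """CVE ids applying to the package CPE, minus the explicit ignore list."""
    pkg = parse_cpe23(pkg_cpe)
    ignored = set(ignore)
    hits: List[str] = []
    for cve in cves:
        c = parse_cpe23(cve.cpe)
        if (c.part, c.vendor, c.product) != (pkg.part, pkg.vendor, pkg.product):
            continue
        if cve.version_end_excluding is not None:
            vk = version_key(pkg.version)
            # Unknown (non-release) version: assume inside the range.
            hit = vk is None or vk < version_key(cve.version_end_excluding)
        else:
            hit = version_matches(c.version, pkg.version, policy)
        if hit and cve.cve_id not in ignored:
            hits.append(cve.cve_id)
    return hits


# Assumed installed package CPE for the example (version is an assumption).
LIBSSH_0_10_5 = "cpe:2.3:a:libssh:libssh:0.10.5:*:*:*:*:*:*:*"

CVES = [
    # From the page: the CPE entry for CVE-2023-3603 has version "-".
    CveEntry("CVE-2023-3603", "cpe:2.3:a:libssh:libssh:-:*:*:*:*:*:*:*"),
    # Constructed entries, not real advisories:
    CveEntry("CVE-0000-RANGE", "cpe:2.3:a:libssh:libssh:*:*:*:*:*:*:*:*", "0.10.5"),
    CveEntry("CVE-0000-OTHER", "cpe:2.3:a:openssh:openssh:*:*:*:*:*:*:*:*"),
]

if __name__ == "__main__":
    print("strict:      ", affected_cves(LIBSSH_0_10_5, CVES, policy="strict"))
    print("conservative:", affected_cves(LIBSSH_0_10_5, CVES))
    print("with ignore: ", affected_cves(LIBSSH_0_10_5, CVES, ignore=["CVE-2023-3603"]))
```

Under the strict policy the `-` entry never fires, which is what the commit message calls the "cop-out" reading; under the conservative policy it fires for every libssh version, including a future release, so nothing short of an `_IGNORE_CVES` entry will ever silence it. The git-sha branch of `version_key` shows the case the commit message worries about: a non-release version cannot be placed in any range, so the cautious answer is "affected".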