glibc: Document and whitelist CVE-2019-1010022-25

These CVEs are disputed by upstream and there is no plan to fix/address them. No other distros are carrying patches for them. There is a patch for 1010025 however it isn't merged upstream and probably carries more risk of other bugs than not having it. (From OE-Core rev: b238db678083cc15313b98d2e33f83cccab03fc6) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-05-10 11:56:50 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-05-11 11:54:26 +0100
commit: 217e7c61c52b89283f1ab30e38fd8c9c76f9bec1 (patch)
tree: e5b8dfb1529d0c02a67c06acfb9822a1950f9f38 /meta/recipes-core/glibc
parent: 1c926417e1ac08d10819e3eae32727a4654f3cab (diff)
download: poky-217e7c61c52b89283f1ab30e38fd8c9c76f9bec1.tar.gz
1 files changed, 13 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc_2.33.bb b/meta/recipes-core/glibc/glibc_2.33.bb
index 5e0baa53e8..75a1f36d6b 100644
--- a/meta/recipes-core/glibc/glibc_2.33.bb
+++ b/meta/recipes-core/glibc/glibc_2.33.bb
@@ -3,6 +3,19 @@ require glibc-version.inc
 CVE_CHECK_WHITELIST += "CVE-2020-10029"
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024
+# Upstream glibc maintainers dispute there is any issue and have no plans to address it further.
+# "this is being treated as a non-security bug and no real threat."
+CVE_CHECK_WHITELIST += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025
+# Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow
+# easier access for another. "ASLR bypass itself is not a vulnerability."
+# Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
+CVE_CHECK_WHITELIST += "CVE-2019-1010025"
 DEPENDS += "gperf-native bison-native make-native"
 NATIVESDKFIXES ?= ""
author	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-05-10 11:56:50 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-05-11 11:54:26 +0100
commit	217e7c61c52b89283f1ab30e38fd8c9c76f9bec1 (patch)
tree	e5b8dfb1529d0c02a67c06acfb9822a1950f9f38 /meta/recipes-core/glibc
parent	1c926417e1ac08d10819e3eae32727a4654f3cab (diff)
download	poky-217e7c61c52b89283f1ab30e38fd8c9c76f9bec1.tar.gz

diff --git a/meta/recipes-core/glibc/glibc_2.33.bb b/meta/recipes-core/glibc/glibc_2.33.bb index 5e0baa53e8..75a1f36d6b 100644 --- a/meta/recipes-core/glibc/glibc_2.33.bb +++ b/meta/recipes-core/glibc/glibc_2.33.bb
@@ -3,6 +3,19 @@ require glibc-version.inc
3		3
4	CVE_CHECK_WHITELIST += "CVE-2020-10029"	4	CVE_CHECK_WHITELIST += "CVE-2020-10029"
5		5
		6	# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022
		7	# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023
		8	# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024
		9	# Upstream glibc maintainers dispute there is any issue and have no plans to address it further.
		10	# "this is being treated as a non-security bug and no real threat."
		11	CVE_CHECK_WHITELIST += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
		12
		13	# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025
		14	# Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow
		15	# easier access for another. "ASLR bypass itself is not a vulnerability."
		16	# Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
		17	CVE_CHECK_WHITELIST += "CVE-2019-1010025"
		18
6	DEPENDS += "gperf-native bison-native make-native"	19	DEPENDS += "gperf-native bison-native make-native"
7		20
8	NATIVESDKFIXES ?= ""	21	NATIVESDKFIXES ?= ""