diff mbox series

[mickledore,01/37] libarchive: ignore CVE-2023-30571

Message ID	ffa8f92aa6f8405d8fea117af2f212ba190de393.1691683295.git.steve@sakoman.com
State	New
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.210.182, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][mickledore 01/37] libarchive: ignore CVE-2023-30571 Date: Thu, 10 Aug 2023 06:04:00 -1000 Message-Id: <ffa8f92aa6f8405d8fea117af2f212ba190de393.1691683295.git.steve@sakoman.com> In-Reply-To: <cover.1691683295.git.steve@sakoman.com> References: <cover.1691683295.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[mickledore,01/37] libarchive: ignore CVE-2023-30571 \| expand [mickledore,01/37] libarchive: ignore CVE-2023-30571 [mickledore,02/37] ncurses: fix CVE-2023-29491 [mickledore,03/37] go: update 1.20.5 -> 1.20.6 [mickledore,04/37] python3-certifi: upgrade 2022.12.7 -> 2023.7.22 [mickledore,05/37] libnss-nis: upgrade 3.1 -> 3.2 [mickledore,06/37] linux-firmware: upgrade 20230515 -> 20230625 [mickledore,07/37] linux-firmware: package firmare for Dragonboard 410c [mickledore,08/37] opkg: upgrade 0.6.1 -> 0.6.2 [mickledore,09/37] opkg-utils: upgrade 0.5.0 -> 0.6.2 [mickledore,10/37] linux-yocto/5.15: update to v5.15.122 [mickledore,11/37] linux-yocto/5.15: update to v5.15.123 [mickledore,12/37] linux-yocto/5.15: update to v5.15.124 [mickledore,13/37] linux-yocto/6.1: cfg: update ima.cfg to match current meta-integrity [mickledore,14/37] bind: upgrade 9.18.15 -> 9.18.16 [mickledore,15/37] Revert "rootfs-postcommands.bbclass: add post func remove_unused_dnf_log_lock" [mickledore,16/37] ptest-runner: Pull in parallel test fixes and output handling [mickledore,17/37] shadow-sysroot: add license information [mickledore,18/37] resulttool/resultutils: allow index generation despite corrupt json [mickledore,19/37] automake: fix buildtest patch [mickledore,20/37] glibc-testsuite: Fix network restrictions causing test failures [mickledore,21/37] selftest/cases/glibc.py: fix the override syntax [mickledore,22/37] rootfs: Add debugfs package db file copy and cleanup [mickledore,23/37] rpm: Pick debugfs package db files/dirs explicitly [mickledore,24/37] kernel: Fix path comparison in kernel staging dir symlinking [mickledore,25/37] ltp: add RDEPENDS on findutils [mickledore,26/37] file: return wrapper to fix builds when file is in buildtools-tarball [mickledore,27/37] scripts/resulttool: add mention about new detected tests [mickledore,28/37] mdadm: add util-linux-blockdev ptest dependency [mickledore,29/37] glibc/check-test-wrapper: don't emit warnings from ssh [mickledore,30/37] selftest/cases/glibc.py: increase the memory for testing [mickledore,31/37] oeqa/utils/nfs: allow requesting non-udp ports [mickledore,32/37] selftest/cases/glibc.py: switch to using NFS over TCP [mickledore,33/37] file: fix the way path is written to environment-setup.d [mickledore,34/37] oeqa/target/ssh: Ensure EAGAIN doesn't truncate output [mickledore,35/37] oeqa/runtime/ltp: Increase ltp test output timeout [mickledore,36/37] ltp: Add kernel loopback module dependency [mickledore,37/37] target/ssh: Ensure exit code set for commands

Commit Message

Steve Sakoman Aug. 10, 2023, 4:04 p.m. UTC

From: Peter Marko <peter.marko@siemens.com>

This issue was reported and discusses under [1] which is linked in NVD CVE report.
It was already documented that some parts or libarchive are thread safe and some not.
[2] was now merged to document that also reported function is not thread safe.
So this CVE *now* reports thread race condition for non-thread-safe function.
And as such the CVE report is now invalid.

The issue is still not closed for 2 reasons:
* better document what is and what is not thread safe
* request to public if someone could make these functions thread safe
This should however not invalidate above statment about ignoring this CVE.

[1] https://github.com/libarchive/libarchive/issues/1876
[2] https://github.com/libarchive/libarchive/pull/1875

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-extended/libarchive/libarchive_3.6.2.bb | 3 +++
 1 file changed, 3 insertions(+)

diff mbox series

Patch

diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
index aafede3da8..6e0bc426f5 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
@@ -33,6 +33,9 @@  UPSTREAM_CHECK_URI = "http://libarchive.org/"
 
 SRC_URI[sha256sum] = "ba6d02f15ba04aba9c23fd5f236bb234eab9d5209e95d1c4df85c44d5f19b9b3"
 
+# upstream-wontfix: upstream has documented that reported function is not thread-safe
+CVE_CHECK_IGNORE += "CVE-2023-30571"
+
 inherit autotools update-alternatives pkgconfig
 
 CPPFLAGS += "-I${WORKDIR}/extra-includes"