[dunfell] systemd: Whitelist CVE-2018-21029

Message ID 20220602122005.17173-1-anolgajbhiye99@gmail.com
State New, archived

Commit Message

Amol Gajbhiye June 2, 2022, 12:20 p.m. UTC
From: Virendra Thakur <virendra.thakur@kpit.com>

The fix for this CVE-2018-21029 is already available in our code base.

Reference:
https://github.com/systemd/systemd-stable/commit/38e053c58fa139e0f546f327b5d8ce3db7cf1647

https://github.com/systemd/systemd-stable/commit/7f2f4faced3fda47e6b76ab73cde747cc20cf8b8

Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
---
 meta/recipes-core/systemd/systemd_244.5.bb | 3 +++
 1 file changed, 3 insertions(+)

Comments

Ranjitsinh Rathod June 7, 2022, 4:10 p.m. UTC | #1
Hi Steve,

Is there any reason to not take this?

Thanks,
Ranjitsinh Rathod

Steve Sakoman June 7, 2022, 4:18 p.m. UTC | #2
On Tue, Jun 7, 2022 at 6:10 AM Ranjitsinh Rathod
<ranjitsinhrathod1991@gmail.com> wrote:

> Is there any reason to not take this?

I'm puzzled by this question! A patch with this subject line hasn't
been submitted to the list for dunfell. Also, the referenced CVE
doesn't show up on the CVE report for dunfell.

Steve

Randy MacLeod June 7, 2022, 11:24 p.m. UTC | #3
On 2022-06-07 12:18, Steve Sakoman wrote:
> On Tue, Jun 7, 2022 at 6:10 AM Ranjitsinh Rathod
> <ranjitsinhrathod1991@gmail.com> wrote:
>
>> Is there any reason to not take this?
> I'm puzzled by this question! A patch with this subject line hasn't
> been submitted to the list for dunfell.
I see the original patch, with a timestamp of 2022-06-02, 08:20 ET.
Do you need it to be resent?
>   Also, the referenced CVE
> doesn't show up on the CVE report for dunfell.
That's odd. Are you looking into that or is
the CVE report ignoring it since only version:
    systemd 239 <= v < 243 are vulnerable and dunfell has 245.5:

http://cgit.openembedded.org/openembedded-core/tree/meta/recipes-core/systemd/systemd_244.5.bb?h=dunfell

I'm woefully ignorant of the YP CVE report. Yet another thing to make 
time for...

>
> Steve
>

Steve Sakoman June 20, 2022, 2:35 p.m. UTC | #4
On Tue, Jun 7, 2022 at 1:24 PM Randy MacLeod
<randy.macleod@windriver.com> wrote:
>
> On 2022-06-07 12:18, Steve Sakoman wrote:
> > On Tue, Jun 7, 2022 at 6:10 AM Ranjitsinh Rathod
> > <ranjitsinhrathod1991@gmail.com> wrote:
> >
> >> Is there any reason to not take this?
> > I'm puzzled by this question! A patch with this subject line hasn't
> > been submitted to the list for dunfell.
> I see the original patch, with a timestamp of 2022-06-02, 08:20 ET.
> Do you need it to be resent?

Sorry for the delay in responding, I've been having some email
strangeness the past couple of weeks.

Gmail decided the original patch was spam and moved it to the spam
folder (along with this followup). Seems to have gotten more
aggressive in spam detection lately, since I see other patches there
too :-(

> >   Also, the referenced CVE
> > doesn't show up on the CVE report for dunfell.
> That's odd. Are you looking into that or is
> the CVE report ignoring it since only version:
>     systemd 239 <= v < 243 are vulnerable and dunfell has 245.5

This is indeed the reason it doesn't show up in the report: our
version is not affected.  Hence no need for this patch.

> I'm woefully ignorant of the YP CVE report. Yet another thing to make
> time for...

Never enough hours in the day . . .

Steve

Patch

diff --git a/meta/recipes-core/systemd/systemd_244.5.bb b/meta/recipes-core/systemd/systemd_244.5.bb
index a648272bc0..711d23a26e 100644
--- a/meta/recipes-core/systemd/systemd_244.5.bb
+++ b/meta/recipes-core/systemd/systemd_244.5.bb
@@ -65,6 +65,9 @@  SRC_URI_MUSL = "\
 # already applied in 244.5
 CVE_CHECK_WHITELIST += "CVE-2020-13776"
 
+# Whitelist the CVE because cve patch is already present
+CVE_CHECK_WHITELIST += "CVE-2018-21029"
+
 PAM_PLUGINS = " \
     pam-plugin-unix \
     pam-plugin-loginuid \
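
Review bot: the comment added above CVE_CHECK_WHITELIST += "CVE-2018-21029" says only that the "cve patch is already present" and does not name the fix; cite the two systemd-stable commits listed in the commit message, in the same way the neighbouring CVE-2020-13776 entry records "already applied in 244.5", so the justification can be checked when the recipe is next upgraded. The thread also concludes that the recipe version is outside the affected range and that the CVE does not appear in the dunfell CVE report, in which case this entry suppresses nothing and is better dropped than merged.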