package/glibc: ignore CVEs not considered as security issues by upstream
5 CVEs affecting glibc according to the NVD database are considered as
not being security issues by upstream glibc developers:
* CVE-2010-4756: The glob implementation in the GNU C Library (aka
glibc or libc6) allows remote authenticated users to cause a denial
of service (CPU and memory consumption) via crafted glob expressions
that do not match any pathnames. glibc maintainers position: "That's
standard POSIX behaviour implemented by (e)glibc. Applications using
glob need to impose limits for themselves"
* CVE-2019-1010022: GNU Libc current is affected by: Mitigation
bypass. The impact is: Attacker may bypass stack guard
protection. The component is: nptl. The attack vector is: Exploit
stack buffer overflow vulnerability and use this bypass
vulnerability to bypass stack guard. NOTE: Upstream comments
indicate "this is being treated as a non-security bug and no real
threat. glibc maintainers position: "Not treated as a security issue
by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22850"
* CVE-2019-1010023: GNU Libc current is affected by: Re-mapping
current loaded library with malicious ELF file. The impact is: In
worst case attacker may evaluate privileges. The component is:
libld. The attack vector is: Attacker sends 2 ELF files to victim
and asks to run ldd on it. ldd execute code. NOTE: Upstream comments
indicate "this is being treated as a non-security bug and no real
threat. glibc maintainers position: "Not treated as a security issue
by upstream https://sourceware.org/bugzilla/show_bug.cgi?id=22851"
* CVE-2019-1010024: GNU Libc current is affected by: Mitigation
bypass. The impact is: Attacker may bypass ASLR using cache of
thread stack and heap. The component is: glibc. NOTE: Upstream
comments indicate "this is being treated as a non-security bug and
no real threat. glibc maintainers position: "Not treated as a
security issue by upstream
https://sourceware.org/bugzilla/show_bug.cgi?id=22852"
* CVE-2019-1010025: GNU Libc current is affected by: Mitigation
bypass. The impact is: Attacker may guess the heap addresses of
pthread_created thread. The component is: glibc. NOTE: the vendor's
position is "ASLR bypass itself is not a vulnerability. Glibc
maintainers position: "Not treated as a security issue by upstream
https://sourceware.org/bugzilla/show_bug.cgi?id=22853"
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
(cherry picked from commit adaae82c58)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Thomas Petazzoni
Peter Korsgaard
parent
ec1b39ed8a
commit
a84c3d64a6
@ -36,6 +36,20 @@ GLIBC_IGNORE_CVES += CVE-2023-4911
|
||||
# 2.38 and the version we're really using.
|
||||
GLIBC_IGNORE_CVES += CVE-2023-5156
|
||||
|
||||
# All these CVEs are considered as not being security issues by
|
||||
# upstream glibc:
|
||||
# https://security-tracker.debian.org/tracker/CVE-2010-4756
|
||||
# https://security-tracker.debian.org/tracker/CVE-2019-1010022
|
||||
# https://security-tracker.debian.org/tracker/CVE-2019-1010023
|
||||
# https://security-tracker.debian.org/tracker/CVE-2019-1010024
|
||||
# https://security-tracker.debian.org/tracker/CVE-2019-1010025
|
||||
GLIBC_IGNORE_CVES += \
|
||||
CVE-2010-4756 \
|
||||
CVE-2019-1010022 \
|
||||
CVE-2019-1010023 \
|
||||
CVE-2019-1010024 \
|
||||
CVE-2019-1010025
|
||||
|
||||
# glibc is part of the toolchain so disable the toolchain dependency
|
||||
GLIBC_ADD_TOOLCHAIN_DEPENDENCY = NO
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user