NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/libssh: ignore CVE-2023-3603

Browse Source 
The affected code isn't present in any release, see [0].

[0]: https://www.libssh.org/2023/07/14/cve-2023-3603-potential-null-dereference-in-libsshs-sftp-server/

The CPE entry for this CVE is
  cpe:2.3🅰️libssh:libssh:-:*:*:*:*:*:*:*
We interpret the "-" as matching any version. It actually means
"unspecified version", which is the cop-out in case there is nothing
useful to match. We can't really make our infrastructure ignore "-"
entirely, because for all we know our version is an unreleased commit
sha which _is_ vulnerable. Thus, the only way out is an exclusion which
we'll never be able to remove.

Signed-off-by: Daniel Lang <dalang@gmx.at>
Signed-off-by: Arnout Vandecappelle <arnout@mind.be>
(cherry picked from commit a34a370f4e)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
Daniel Lang 2023-09-06 22:09:27 +02:00 committed by Peter Korsgaard
parent f35f7c3eab
commit e69fb48640
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
package/libssh/libssh.mk
View File

@ -17,6 +17,10 @@ LIBSSH_CONF_OPTS = \
-DWITH_STACK_PROTECTOR=OFF \
-DWITH_EXAMPLES=OFF
# Not part of any release
# https://www.libssh.org/2023/07/14/cve-2023-3603-potential-null-dereference-in-libsshs-sftp-server/
LIBSSH_IGNORE_CVES += CVE-2023-3603
ifeq ($(BR2_ARM_INSTRUCTIONS_THUMB),y)
LIBSSH_CONF_OPTS += -DWITH_STACK_CLASH_PROTECTION=OFF
endif