aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRichard Purdie <richard.purdie@linuxfoundation.org>2021-05-10 11:56:50 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-05-22 10:01:02 +0100
commit2d9ac28cdf29c2ca51d6a3ac1a33ff4c3cf9517e (patch)
tree88e50438aca12e70a819c4796ac6c7a6acea1032
parent45b56ddd82c2e5a2d116d9740f6077e056e6cee6 (diff)
downloadpoky-2d9ac28cdf29c2ca51d6a3ac1a33ff4c3cf9517e.tar.gz
poky-2d9ac28cdf29c2ca51d6a3ac1a33ff4c3cf9517e.tar.bz2
poky-2d9ac28cdf29c2ca51d6a3ac1a33ff4c3cf9517e.zip
glibc: Document and whitelist CVE-2019-1010022-25
These CVEs are disputed by upstream and there is no plan to fix/address them. No other distros are carrying patches for them. There is a patch for 1010025 however it isn't merged upstream and probably carries more risk of other bugs than not having it. (From OE-Core rev: e764a689844f19230cbf5f9741635f42f677e333) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/glibc/glibc_2.33.bb13
1 files changed, 13 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc_2.33.bb b/meta/recipes-core/glibc/glibc_2.33.bb
index 5e0baa53e8..75a1f36d6b 100644
--- a/meta/recipes-core/glibc/glibc_2.33.bb
+++ b/meta/recipes-core/glibc/glibc_2.33.bb
@@ -3,6 +3,19 @@ require glibc-version.inc
CVE_CHECK_WHITELIST += "CVE-2020-10029"
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024
+# Upstream glibc maintainers dispute there is any issue and have no plans to address it further.
+# "this is being treated as a non-security bug and no real threat."
+CVE_CHECK_WHITELIST += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+
+# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025
+# Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow
+# easier access for another. "ASLR bypass itself is not a vulnerability."
+# Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
+CVE_CHECK_WHITELIST += "CVE-2019-1010025"
+
DEPENDS += "gperf-native bison-native make-native"
NATIVESDKFIXES ?= ""