
List:       openembedded-devel
Subject:    Re: [oe] [meta-oe][dunfell][PATCH] protobuf: Whitelist CVE-2015-5237
From:       "Armin Kuster" <akuster808 () gmail ! com>
Date:       2021-06-27 13:07:54
Message-ID: 88c8025b-640c-998b-8f94-ac5624c8bd74 () gmail ! com

On 6/15/21 12:19 AM, RAHUL taya wrote:
> As per the reference links below, this CVE issue seems to be minor and
> harmless, and as per upstream it is not a real issue in practice.
> 
> And as per Red Hat, this issue is marked as low severity.
> 
> 1. https://bugzilla.suse.com/show_bug.cgi?id=CVE-2015-5237
> 2. https://security-tracker.debian.org/tracker/CVE-2015-5237
> 3. https://ubuntu.com/security/CVE-2015-5237
> 4. https://github.com/protocolbuffers/protobuf/issues/760
I believe it is bad form for an upstream project to not fix security
issues based on their score. The decision should be left up to the
consumers of said repo, layer or project.

BTW, the NVD score is 8.8. IMHO, it should be fixed, not masked out. If
you want to evaluate it yourself and decide to exclude this issue from
your project or product, you are able to do so in your own layer.

- armin


> 
> As per the NVD link: https://nvd.nist.gov/vuln/detail/CVE-2015-5237#range-6634983
> it affects versions up to 3.1 (inclusive).
> 
> Signed-off-by: Rahul Taya <Rahultaya96@gmail.com>
> ---
> meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb | 8 ++++++++
> 1 file changed, 8 insertions(+)
> 
> diff --git a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb \
> b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb index 4d6c5b255..f845a72a0 \
>                 100644
> --- a/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
> +++ b/meta-oe/recipes-devtools/protobuf/protobuf_3.11.4.bb
> @@ -88,3 +88,11 @@ LDFLAGS_append_arm = " -latomic"
> LDFLAGS_append_mips = " -latomic"
> LDFLAGS_append_powerpc = " -latomic"
> LDFLAGS_append_mipsel = " -latomic"
> +
> +# As per below links this issue is minor and harmless and
> +# as per upstream this is not a real issue in practice.
> +# https://bugzilla.suse.com/show_bug.cgi?id=CVE-2015-5237
> +# https://security-tracker.debian.org/tracker/CVE-2015-5237
> +# https://ubuntu.com/security/CVE-2015-5237
> +# https://github.com/protocolbuffers/protobuf/issues/760
> +CVE_CHECK_WHITELIST += "CVE-2015-5237"
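Review bot: the justification comment in the added block rests on severity ("minor and harmless"), which conflicts with the NVD score of 8.8 cited in the reply above; if the real reason this entry is safe is the one given in the commit message, that NVD lists affected versions only up to 3.1 inclusive while this recipe is protobuf_3.11.4, the comment should state that version-range argument (with the NVD range link) instead of the severity one. Note also that adding the entry to CVE_CHECK_WHITELIST in meta-oe silences the report for every downstream consumer of the layer; the reply suggests fixing the issue or leaving the exclusion to the consuming layer or product rather than masking it here.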