[Buildroot] [PATCH 1/1] package/libtorrent: annotate CVE-2009-1760 and CVE-2016-5301
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Sat Apr 25 14:13:18 UTC 2020
On Sun, 1 Mar 2020 21:00:49 +0100
Fabrice Fontaine <fontaine.fabrice at gmail.com> wrote:
> CVE-2009-1760 and CVE-2016-5301 are misclassified (by our CVE tracker)
> as affecting libtorrent, while in fact they affect libtorrent-rasterbar.
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> ---
> package/libtorrent/libtorrent.mk | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/package/libtorrent/libtorrent.mk b/package/libtorrent/libtorrent.mk
> index c8310cab65..17c6f92ab4 100644
> --- a/package/libtorrent/libtorrent.mk
> +++ b/package/libtorrent/libtorrent.mk
> @@ -14,6 +14,10 @@ LIBTORRENT_INSTALL_STAGING = YES
> LIBTORRENT_LICENSE = GPL-2.0
> LIBTORRENT_LICENSE_FILES = COPYING
>
> +# CVE-2009-1760 and CVE-2016-5301 are misclassified (by our CVE tracker) as
> +# affecting libtorrent, while in fact they affect libtorrent-rasterbar.
> +LIBTORRENT_IGNORE_CVES += CVE-2009-1760 CVE-2016-5301
Here as well, I don't think this is the proper solution. You're just
papering over the actual problem, not solving it.
CVE-2009-1760 is described like this:
"affects" : {
"vendor" : {
"vendor_data" : [ {
"vendor_name" : "rasterbar_software",
"product" : {
"product_data" : [ {
"product_name" : "libtorrent",
So indeed, since we currently only match on "product_name", we believe
this CVE is for libtorrent, while it is for libtorrent-rasterbar.
The proper way to solve this is to have better CPE matching logic. Your
patch is just removing the CVEs from libtorrent, but not making them
appear for libtorrent-rasterbar (even though they probably wouldn't
appear as they are quite old).
Let's work together on a proper CPE matching logic instead.
Thanks,
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
More information about the buildroot
mailing list