[Buildroot] [PATCH 1/1] package/rsync: annotate CVE-2017-16548

Akshay Bhat akshay.bhat at timesys.com
Fri Apr 24 14:36:02 UTC 2020


On Thu, Apr 23, 2020 at 5:53 PM Thomas Petazzoni
<thomas.petazzoni at bootlin.com> wrote:
>
> Hello,
>
> I'm adding in Cc: Matthew Weber and Akshay Bhat for the interaction
> with NVD.
>
> Also adding Titouan Christophe for the discussion about our script that
> does the CVE checking.
>
> On Sun,  1 Mar 2020 20:27:27 +0100
> Fabrice Fontaine <fontaine.fabrice at gmail.com> wrote:
>
> > CVE-2017-16548 is misclassified (by our CVE tracker) as affecting
> > version 3.1.3, while in fact it affects 3.1.2 and 3.1.3-development
> >
> > Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> > ---
> >  package/rsync/rsync.mk | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/package/rsync/rsync.mk b/package/rsync/rsync.mk
> > index 52875e428a..95d19a7f4c 100644
> > --- a/package/rsync/rsync.mk
> > +++ b/package/rsync/rsync.mk
> > @@ -13,6 +13,10 @@ RSYNC_CONF_OPTS = \
> >       --with-included-zlib=no \
> >       --with-included-popt=no
> >
> > +# CVE-2017-165484 is misclassified (by our CVE tracker) as affecting version 3.1.3,
> > +# while in fact it affects 3.1.2 and 3.1.3-development
> > +RSYNC_IGNORE_CVES += CVE-2017-16548
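Review bot: the comment line `+# CVE-2017-165484 is misclassified (by our CVE tracker) as affecting version 3.1.3,` carries an extra digit in the CVE id, while the line below it ignores `CVE-2017-16548`, which matches the subject; the comment should read `# CVE-2017-16548 is misclassified ...`. It would also help to name the fixing commit the claim rests on (47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1, as noted in the reply), so that whoever later checks whether NVD has corrected the entry can verify the reasoning and drop the ignore.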
>
> Indeed commit 47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1 which fixes this
> CVE is part of the 3.1.3 release. This means the NVD database is wrong.
>
> Instead of doing a workaround in Buildroot, can we report this to the
> NVD maintainers ?


Thanks for finding this. I have sent the below information to NVD,
will post back once I hear more:
There is an error in the cpe version information for:
https://nvd.nist.gov/vuln/detail/CVE-2017-16548

The correct range should be:
From (excluding)
2.6.9
Up to (including)
3.1.2

Details:
Commit fixing the CVE:
https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1

Versions Containing fix:
$ git tag --contains 47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1
v3.1.3
v3.1.3pre1

Commit introducing the CVE:
$ git log --oneline --diff-filter=A -- xattrs.c
16edf865 The improved --xattrs option is landing on the trunk.
Version introducing the CVE (excluding):
$ git -c 'versionsort.suffix=pre' tag --no-contains 16edf8659 --sort=-version:refname | head -1
v2.6.9

Thanks,
Akshay
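The range derivation above (first tag without the introducing commit, highest tag without the fix, and the reason for `versionsort.suffix=pre`) as an added, self-contained example; this is not code from the thread, from rsync or from Buildroot. The two short commit hashes are the ones quoted above, but which tags reach them is a constructed table standing in for `git tag --contains`, so the numbers come out as in the report without touching a real repository.

```python
"""Deriving the affected-version range of a CVE from tag reachability.

Added example, not part of the rsync project or the Buildroot tree.  The
commit short hashes are the ones quoted in the thread; which tags reach them
is a constructed table standing in for `git tag --contains`.
"""
import re
from typing import Dict, Optional, Set, Tuple

INTRO_COMMIT = "16edf865"  # commit that added xattrs.c (introduces the bug)
FIX_COMMIT = "47a63d90"    # commit that fixes CVE-2017-16548

# Constructed model of the repository: tag -> commits reachable from the tag.
TAG_HISTORY: Dict[str, Set[str]] = {
    "v2.6.8": set(),
    "v2.6.9": set(),
    "v3.0.0": {INTRO_COMMIT},
    "v3.1.0": {INTRO_COMMIT},
    "v3.1.1": {INTRO_COMMIT},
    "v3.1.2": {INTRO_COMMIT},
    "v3.1.3pre1": {INTRO_COMMIT, FIX_COMMIT},
    "v3.1.3": {INTRO_COMMIT, FIX_COMMIT},
}

_TAG_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(?:pre(\d+))?$")


def version_key(tag: str) -> Tuple[int, ...]:
    """Sort key placing 'vX.Y.ZpreN' before 'vX.Y.Z', as git does with
    `-c versionsort.suffix=pre`.  Plain string ordering gets this wrong."""
    m = _TAG_RE.match(tag)
    if not m:
        raise ValueError(f"unrecognised tag format: {tag}")
    numbers = [int(p) for p in m.group(1).split(".")]
    numbers += [0] * (4 - len(numbers))          # v3.1 sorts like v3.1.0.0
    if m.group(2) is not None:
        return (*numbers, 0, int(m.group(2)))    # pre-release: below final
    return (*numbers, 1, 0)                      # final release


def tags_containing(commit: str) -> Set[str]:
    """Model of `git tag --contains <commit>`."""
    return {tag for tag, reachable in TAG_HISTORY.items() if commit in reachable}


def first_fixed_tag(fix_commit: str) -> Optional[str]:
    """Lowest tag that already carries the fix."""
    fixed = tags_containing(fix_commit)
    return min(fixed, key=version_key) if fixed else None


def affected_range(intro_commit: str, fix_commit: str) -> Optional[Tuple[Optional[str], str]]:
    """Return (from_excluding, up_to_including) in NVD's 'From (excluding) /
    Up to (including)' form, or None when no released tag is vulnerable.

    from_excluding  : highest tag NOT containing the introducing commit, i.e.
                      `git tag --no-contains <intro> --sort=-version:refname | head -1`
    up_to_including : highest tag containing the bug but not the fix
    """
    has_bug = tags_containing(intro_commit)
    has_fix = tags_containing(fix_commit)
    clean_before = [t for t in TAG_HISTORY if t not in has_bug]
    still_vulnerable = [t for t in has_bug if t not in has_fix]
    if not still_vulnerable:
        return None
    from_excluding = max(clean_before, key=version_key) if clean_before else None
    return from_excluding, max(still_vulnerable, key=version_key)


if __name__ == "__main__":
    lo, hi = affected_range(INTRO_COMMIT, FIX_COMMIT)
    print(f"From (excluding) {lo}  Up to (including) {hi}")
    print("first release with the fix:", first_fixed_tag(FIX_COMMIT))
```

The point of `version_key` is the same one the `-c 'versionsort.suffix=pre'` option makes in the shell session above: under plain string comparison `v3.1.3` sorts below `v3.1.3pre1`, so a naive "lowest tag containing the fix" query would name the final release instead of the pre-release that actually shipped it first.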
