Thanks for confirming.

Regards,
Soumya
________________________________
From: Vijay Anusuri <vanus...@mvista.com>
Sent: Tuesday, May 28, 2024 2:54 PM
To: Sambu, Soumya <soumya.sa...@windriver.com>
Cc: Marko, Peter <peter.ma...@siemens.com>; openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][kirkstone][PATCH 1/1] util-linux: Fix CVE-2024-28085

Hi Soumya,

Along with Debian, Suse also fixed the issue with those 4 dependent commits 
(https://bugzilla.suse.com/show_bug.cgi?id=1221831).

Debian added the "--disable-use-tty-group" configure option during build along 
with patch for complete fix 
(https://launchpad.net/ubuntu/+source/util-linux/2.37.2-4ubuntu3.4).
We already have that configure option in the recipe file.

I think we can go ahead with the Debian patch fix.

Thanks & Regards,
Vijay

On Thu, Apr 25, 2024 at 8:56 AM Sambu, Soumya <soumya.sa...@windriver.com> wrote:
Hi Peter,

Thank you for providing the details.

Based on the information regarding the vulnerability report and the commit 
history provided, it appears that our code is indeed vulnerable as the commit 
introducing the vulnerability still exists in our codebase.

Our util-linux version in the kirkstone branch is v2.37.4, and the vulnerable 
code was introduced in commit cdd3cc7fa4 back in 2013.

I've also noted that Debian is fixing the CVE, along with the dependent 
commits mentioned in the offending commits list. They have already added 
upstream patches to address CVE-2024-28085 (839ff33b), as detailed in their 
commit here: 
https://salsa.debian.org/debian/util-linux/-/commit/839ff33b8002189411b679cc9ee99d1a99e099cb

Please review the provided information, and let me know if there's anything 
else we need to consider.

Best Regards,
Soumya
________________________________
From: Marko, Peter <peter.ma...@siemens.com>
Sent: Friday, April 19, 2024 10:11 PM
To: Sambu, Soumya <soumya.sa...@windriver.com>; openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>; vanus...@mvista.com <vanus...@mvista.com>
Subject: RE: [OE-core][kirkstone][PATCH 1/1] util-linux: Fix CVE-2024-28085


Identical patch was already submitted and then requested to be ignored because 
the issue is apparently introduced by one of the added patches.
https://lists.openembedded.org/g/openembedded-core/message/197670

Since the vulnerability report claims that our version IS vulnerable, it would 
be interesting to know where the truth is...
https://github.com/skyler-ferrante/CVE-2024-28085
-> The vulnerable code was introduced in commit cdd3cc7fa4 (2013).

Peter