Re: [oe] [meta-networking][meta-oe][master][dunfell][PATCH] mdns: Whitelisted CVE-2007-0613 for mdns

[Khem Raj]

Hello Sana

It was in latest pull from Armin which was merged today
it should be in already in dunfell now. Let us know if not.

On 3/19/21 6:31 AM, Sana Kazi wrote:

Hi Team,

Could you please review below patch to be upstreamed for mdns


Thanks & Regards,

Sana Kazi
  KPIT Technologies Limited



------------------------------------------------------------------------
*From:* Sana Kazi <sana.k...@kpit.com>
*Sent:* Tuesday, March 9, 2021 12:06 PM

*To:* Openembedded-devel@lists.openembedded.org <Openembedded-devel@lists.openembedded.org>; raj.k...@gmail.com <raj.k...@gmail.com> *Cc:* Nisha Parrakat <nisha.parra...@kpit.com>; Aditya Tayade <aditya.tay...@kpit.com>; Harpritkaur Bhandari <harpritkaur.bhand...@kpit.com> *Subject:* [meta-networking][meta-oe][master][dunfell][PATCH] mdns: Whitelisted CVE-2007-0613 for mdns

CVE-2007-0613 is not applicable as it only affects Apple products
i.e. ichat,mdnsresponder, instant message framework and MacOS.

Also, https://www.exploit-db.com/exploits/3230 <https://www.exploit-db.com/exploits/3230> shows the part of code

affected by CVE-2007-0613 which is not preset in upstream source code.
Hence, CVE-2007-0613 does not affect other Yocto implementations and
is not reported for other distros can be marked whitelisted.
Links:

https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613 <https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613>

https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613 
<https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613>

https://security-tracker.debian.org/tracker/CVE-2007-0613 <https://security-tracker.debian.org/tracker/CVE-2007-0613> https://ubuntu.com/security/CVE-2007-0613 <https://ubuntu.com/security/CVE-2007-0613> https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613 <https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613>

---
  .../recipes-protocols/mdns/mdns_1310.40.42.bb       | 13 +++++++++++++
  1 file changed, 13 insertions(+)

diff --git a/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb b/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb

index 445ed87e4..60bc26bf1 100644
--- a/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb
+++ b/meta-networking/recipes-protocols/mdns/mdns_1310.40.42.bb

@@ -27,6 +27,19 @@ SRC_URI[sha256sum] = "bea29e1616cd56ccb8f88c0fad2bcdc4031f4deb2d899c793e2f27a838

  CVE_PRODUCT = "apple:mdnsresponder"

+# CVE-2007-0613 is not applicable as it only affects Apple products
+# i.e. ichat,mdnsresponder, instant message framework and MacOS.

+# Also, https://www.exploit-db.com/exploits/3230 <https://www.exploit-db.com/exploits/3230> shows the part of code

+# affected by CVE-2007-0613 which is not preset in upstream source code.
+# Hence, CVE-2007-0613 does not affect other Yocto implementations and
+# is not reported for other distros can be marked whitelisted.
+# Links:

+# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613 <https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613> +# https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613 <https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613> +# https://security-tracker.debian.org/tracker/CVE-2007-0613 <https://security-tracker.debian.org/tracker/CVE-2007-0613> +# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613 <https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613>

+CVE_CHECK_WHITELIST += "CVE-2007-0613"
+
  PARALLEL_MAKE = ""

  S = "${WORKDIR}/mDNSResponder-${PV}/mDNSPosix"
--
2.17.1

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#90222): 
https://lists.openembedded.org/g/openembedded-devel/message/90222
Mute This Topic: https://lists.openembedded.org/mt/81195756/21656
Group Owner: openembedded-devel+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-