[Buildroot] [PATCH] package/libssh: ignore CVE-2023-3603
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Fri Sep 8 20:32:39 UTC 2023
Hello Daniel,
On Wed, 6 Sep 2023 22:09:27 +0200
Daniel Lang <dalang at gmx.at> wrote:
> The affected code isn't present in any release, see [0].
>
> [0]: https://www.libssh.org/2023/07/14/cve-2023-3603-potential-null-dereference-in-libsshs-sftp-server/
>
> Signed-off-by: Daniel Lang <dalang at gmx.at>
Here the NVD database tells us that the following CPE identifier is
affected:
cpe:2.3:a:libssh:libssh:-:*:*:*:*:*:*:*
So the version field is not '*', but '-', and I think our pkg-stats
script doesn't do the right thing when handling '-'. I remember asking
the NVD maintainers about this, and they replied:
The '-' in the URI 'cpe:2.3:a:ntp:ntp:-:*:*:*:*:*:*:*' is used
because the affected version was not specified. We need to use the
'-' when the affected version is not specified otherwise, using the
'*' will incorrectly call all versions of NTP as vulnerable.
The '*' is the wildcard, while the '-' is used to represent
unspecified versions, a placeholder to an update, as explained
earlier.
I believe right now pkg-stats handles '-' like '*', but I'm not sure
it's the right thing to do. But the answer from NVD didn't really help
because "unspecified versions" doesn't mean much.
Another thing that would be good to do in pkg-stats is warn if there is
a CVE listed in <pkg>_IGNORE_CVES, but this CVE in fact does not
affects the package. This would allow us to catch mistakes, but also
cases where a CVE was added to the ignore list, but no longer needs to
be in that list because the NVD data has been updated/improved.
Best regards,
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
More information about the buildroot
mailing list