On Wed, 2020-11-18 at 05:25 -1000, Steve Sakoman wrote:
> This is an Ubuntu specific issue:
>
> The CUPS AppArmor profile incorrectly confined the dnssd backend
> due to use of hard links. A local attacker could possibly use this
> issue to escape confinement. This flaw affects versions prior to
> 2.2.7-1ubuntu2.1 in Ubuntu 18.04 LTS, prior to 2.2.4-7ubuntu3.1
> in Ubuntu 17.10, prior to 2.1.3-4ubuntu0.5 in Ubuntu 16.04 LTS,
> and prior to 1.7.2-0ubuntu1.10 in Ubuntu 14.04 LTS
It doesn't affect the default configuration but someone in theory could have extended the recipe to have AppArmor support and then it might be vulnerable? Since this CVE is sort of distro specific and not package specific, should this be part of recipe or the poky distro meta data? Thanks, Anuj > > Signed-off-by: Steve Sakoman <[email protected]> > --- > meta/recipes-extended/cups/cups.inc | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes- > extended/cups/cups.inc > index 87870e4aba..df8d4d284a 100644 > --- a/meta/recipes-extended/cups/cups.inc > +++ b/meta/recipes-extended/cups/cups.inc > @@ -20,6 +20,9 @@ SRC_URI = " > https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t > UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases" > UPSTREAM_CHECK_REGEX = "cups-(?P<pver>\d+\.\d+(\.\d+)?)-source.tar" > > +# This is an Ubuntu only issue. > +CVE_CHECK_WHITELIST += "CVE-2018-6553" > + > LEAD_SONAME = "libcupsdriver.so" > > CLEANBROKEN = "1" > > >
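Review bot: The comment above the new CVE_CHECK_WHITELIST line in cups.inc ("# This is an Ubuntu only issue.") gives no reason, and the entry is unconditional, so it suppresses CVE-2018-6553 for every distro and layer that builds this recipe. Per the commit message the flaw is in the CUPS AppArmor profile's confinement of the dnssd backend, so the comment should say that, for example "# CVE-2018-6553 is a flaw in Ubuntu's AppArmor profile for CUPS, not used by this recipe's default configuration". That way a layer that extends the recipe with AppArmor support knows to re-check the entry instead of silently inheriting the suppression.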
