On Wed, Nov 18, 2020 at 1:56 PM Mittal, Anuj <[email protected]> wrote:
>
> On Wed, 2020-11-18 at 05:25 -1000, Steve Sakoman wrote:
> > This is an Ubuntu specific issue:
> >
> > The CUPS AppArmor profile incorrectly confined the dnssd backend
> > due to use of hard links. A local attacker could possibly use this
> > issue to escape confinement. This flaw affects versions prior to
> > 2.2.7-1ubuntu2.1 in Ubuntu 18.04 LTS, prior to 2.2.4-7ubuntu3.1
> > in Ubuntu 17.10, prior to 2.1.3-4ubuntu0.5 in Ubuntu 16.04 LTS,
> > and prior to 1.7.2-0ubuntu1.10 in Ubuntu 14.04 LTS
>
> It doesn't affect the default configuration but someone in theory could
> have extended the recipe to have AppArmor support and then it might be
> vulnerable?

I suppose if someone implemented AppArmor support and botched it in the
same way as it was in Ubuntu, then yes they would have the same vulnerability!

> Since this CVE is sort of distro specific and not package specific,
> should this be part of recipe or the poky distro meta data?

I'm open for suggestions.  There are many ways people can take our
standard recipes and implement a horribly insecure image. IMHO
this is one of the more unlikely paths that someone would take :-)

But if the community feels this is best in the poky distro metadata I have no
issue with that.

Steve
>
> Thanks,
>
> Anuj
>
> >
> > Signed-off-by: Steve Sakoman <[email protected]>
> > ---
> >  meta/recipes-extended/cups/cups.inc | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-
> > extended/cups/cups.inc
> > index 87870e4aba..df8d4d284a 100644
> > --- a/meta/recipes-extended/cups/cups.inc
> > +++ b/meta/recipes-extended/cups/cups.inc
> > @@ -20,6 +20,9 @@ SRC_URI = "
> > https://github.com/apple/cups/releases/download/v${PV}/${BP}-source.t
> >  UPSTREAM_CHECK_URI = "https://github.com/apple/cups/releases";
> >  UPSTREAM_CHECK_REGEX = "cups-(?P<pver>\d+\.\d+(\.\d+)?)-source.tar"
> >
> > +# This is an Ubuntu only issue.
> > +CVE_CHECK_WHITELIST += "CVE-2018-6553"
> > +
> >  LEAD_SONAME = "libcupsdriver.so"
> >
> >  CLEANBROKEN = "1"
> >
> > 
> >
>
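Review bot: The comment on the added CVE_CHECK_WHITELIST line in cups.inc says only "This is an Ubuntu only issue." and does not record the condition that makes the exclusion safe. Per the commit message, the flaw is in the AppArmor profile's confinement of the dnssd backend, so the comment should say that the recipe is unaffected because it ships no such AppArmor profile. That way anyone who later extends the recipe with AppArmor support knows to revisit this entry. Because the entry sits in the shared cups.inc, it also suppresses CVE-2018-6553 for every recipe version that includes this file, and the comment is the only place a reader of cve-check output will find the justification.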