Hi Peter,

Thank you for providing the details.

Based on the information regarding the vulnerability report and the commit 
history provided, it appears that our code is indeed vulnerable as the commit 
introducing the vulnerability still exists in our codebase.

Our util-linux version in the kirkstone branch is v2.37.4, and the vulnerable 
code was introduced in commit cdd3cc7fa4 back in 2013.

I've also noted that Debian is fixing the CVE, along with the dependent 
commits mentioned in the offending commits list. They have already added 
upstream patches to address CVE-2024-28085 (839ff33b), as detailed in their 
commit here:
https://salsa.debian.org/debian/util-linux/-/commit/839ff33b8002189411b679cc9ee99d1a99e099cb.

Please review the provided information, and let me know if there's anything 
else we need to consider.

Best Regards,
Soumya
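The check both messages in this thread turn on (does a tagged release still carry the commit that introduced the bug, and does it carry the fix?) can be answered from git history alone. The script below is an added example, not code from this thread or from the util-linux project; the clone path and the upstream fix commit id are placeholders, while the commit cdd3cc7fa4 and the tag v2.37.4 are the ones named above.

```shell
#!/bin/sh
# Added example (not from the thread or util-linux): classify a tagged release
# by whether it contains a bug-introducing commit and a fix commit.
# Assumes a local clone with the relevant tags fetched.
set -u

# commit_in_release REPO COMMIT TAG
# Prints "present" (status 0) or "absent" (status 1). Returns 2 when COMMIT or
# TAG cannot be resolved, so an unknown id is never mistaken for "absent".
commit_in_release() {
    repo=$1; commit=$2; tag=$3
    git -C "$repo" rev-parse --verify --quiet "$commit^{commit}" >/dev/null ||
        { echo "cannot resolve commit $commit" >&2; return 2; }
    git -C "$repo" rev-parse --verify --quiet "$tag^{commit}" >/dev/null ||
        { echo "cannot resolve tag $tag" >&2; return 2; }
    if git -C "$repo" merge-base --is-ancestor "$commit" "$tag"; then
        echo present; return 0
    fi
    echo absent; return 1
}

# release_status REPO TAG INTRO_COMMIT FIX_COMMIT
# Prints "unaffected" (bug never landed before TAG), "vulnerable" (bug landed,
# fix did not), "fixed" (both landed) or "unknown" (an id did not resolve).
release_status() {
    repo=$1; tag=$2; intro=$3; fix=$4
    commit_in_release "$repo" "$intro" "$tag" >/dev/null && st=0 || st=$?
    [ "$st" -eq 2 ] && { echo unknown; return 2; }
    [ "$st" -eq 1 ] && { echo unaffected; return 0; }
    commit_in_release "$repo" "$fix" "$tag" >/dev/null && st=0 || st=$?
    [ "$st" -eq 2 ] && { echo unknown; return 2; }
    [ "$st" -eq 0 ] && { echo fixed; return 0; }
    echo vulnerable; return 1
}

# Usage against a real clone (clone path and fix id are placeholders; the
# vulnerable commit and the kirkstone tag are the ones discussed in the thread):
#   release_status /path/to/util-linux v2.37.4 cdd3cc7fa4 <upstream-fix-commit>
```

A backported fix applied as a distro patch (as Debian does) does not appear in upstream tags, so this check tells you about the upstream release only; the recipe's own patch list still has to be inspected separately.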
________________________________
From: Marko, Peter <[email protected]>
Sent: Friday, April 19, 2024 10:11 PM
To: Sambu, Soumya <[email protected]>; 
[email protected] 
<[email protected]>; [email protected] 
<[email protected]>
Subject: RE: [OE-core][kirkstone][PATCH 1/1] util-linux: Fix CVE-2024-28085

An identical patch was already submitted and then requested to be ignored because 
the issue is apparently introduced by one of the added patches.
https://lists.openembedded.org/g/openembedded-core/message/197670

Since the vulnerability report claims that our version IS vulnerable, it would 
be interesting to know where the truth is...
https://github.com/skyler-ferrante/CVE-2024-28085 -> The vulnerable code was 
introduced in commit cdd3cc7fa4 (2013).

Peter
View/Reply Online (#198693): 
https://lists.openembedded.org/g/openembedded-core/message/198693