Hi Soumya,

Along with Debian, SUSE also fixed the issue with those 4 dependent commits (https://bugzilla.suse.com/show_bug.cgi?id=1221831).

Debian added the "--disable-use-tty-group" configure option during build along with a patch for the complete fix (https://launchpad.net/ubuntu/+source/util-linux/2.37.2-4ubuntu3.4). We already have that configure option in the recipe file. I think we can go ahead with the Debian patch fix.

Thanks & Regards,
Vijay

On Thu, Apr 25, 2024 at 8:56 AM Sambu, Soumya <[email protected]> wrote:
> Hi Peter,
>
> Thank you for providing the details.
>
> Based on the information regarding the vulnerability report and the commit history provided, it appears that our code is indeed vulnerable as the commit introducing the vulnerability still exists in our codebase.
>
> Our util-linux version in the kirkstone branch is v2.37.4, and the vulnerable code was introduced in commit cdd3cc7fa4 back in 2013.
>
> I've also noted that Debian is also fixing the CVE, along with the dependent commits mentioned in the offending commits list. They have already added upstream patches to address CVE-2024-28085 (839ff33b), as detailed in their commit here:
> https://salsa.debian.org/debian/util-linux/-/commit/839ff33b8002189411b679cc9ee99d1a99e099cb
>
> Please review the provided information, and let me know if there's anything else we need to consider.
>
> Best Regards,
> Soumya
> ------------------------------
> *From:* Marko, Peter <[email protected]>
> *Sent:* Friday, April 19, 2024 10:11 PM
> *To:* Sambu, Soumya <[email protected]>; [email protected] <[email protected]>; [email protected] <[email protected]>
> *Subject:* RE: [OE-core][kirkstone][PATCH 1/1] util-linux: Fix CVE-2024-28085
>
> CAUTION: This email comes from a non-Wind River email account!
> Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> Identical patch was already submitted and then requested to be ignored because the issue is apparently introduced by one of the added patches.
> https://lists.openembedded.org/g/openembedded-core/message/197670
>
> Since the vulnerability report claims that our version IS vulnerable, it would be interesting to know where the truth is...
> https://github.com/skyler-ferrante/CVE-2024-28085 -> The vulnerable code was introduced in commit cdd3cc7fa4 (2013).
>
> Peter
View/Reply Online (#199964): https://lists.openembedded.org/g/openembedded-core/message/199964
