CVE-2024-35326, CVE-2024-35328, CVE-2024-35329 #302

Open
perlpunk opened this issue Jul 17, 2024 · 5 comments

@perlpunk
Member

perlpunk commented Jul 17, 2024

The following CVEs I do not consider as vulnerabilities:

They all fail to initialize structs with the appropriate functions for that, so there doesn't exist any working code that could be exploited.
I already contacted mitre.org for CVE-2024-35329 over a month ago to reject this, but no reply :(

There has already been some discussion in #298 but I decided to create a new issue because the thread is hard to read because of the discussion of how those CVEs were (not) reported and published.

@hasufell

I'm starting to think someone is abusing the CVE process to spam maintainers with low quality bug reports.

@zhuofeng6

CVE-2024-35326, CVE-2024-35328
Did these two CVE rejects, to NVD

halstead pushed a commit to yoctoproject/poky that referenced this issue Aug 1, 2024
Use an existing defined CVE_CHECK_STATUSMAP key in
meta/lib/oe/cve_check.py in order to avoid following complaint from
BitBake:

  WARNING: libyaml-native-0.2.5-r0 do_create_spdx: Invalid detail "wontfix" for CVE_STATUS[CVE-2024-35328] = "wontfix: Upstream thinks there is no working code that is exploitable - yaml/libyaml#302", fallback to Unpatched

(From OE-Core rev: c66d9a2a0d197498fa21ee8ca51a4afb59f75473)

Signed-off-by: Niko Mauno <[email protected]>
Signed-off-by: Richard Purdie <[email protected]>
halstead pushed a commit to openembedded/openembedded-core that referenced this issue Aug 1, 2024
daregit pushed a commit to daregit/yocto-combined that referenced this issue Aug 1, 2024
@rsbeckerca

Other projects have experienced this spam. Mitre responded appropriately to one in curl (IIRC) but they seem to act very slowly.

@rsbeckerca

rsbeckerca commented Aug 8, 2024

I have a pull request #305 that might close out issues with #302, specifically CVE-2024-35326. Even with the reject, a little defensive coding rarely hurts.

@openmorse

The above CVEs are REJECTED now (not security issues)
https://www.cve.org/CVERecord?id=CVE-2024-35326
https://www.cve.org/CVERecord?id=CVE-2024-35328
https://www.cve.org/CVERecord?id=CVE-2024-35329
