Stichting-MINIX-Research-Foundation / minix

Official MINIX sources - Automatically replicated from gerrit.minix3.org

Need confirmation for some unpatched CVE #349

Open the-Chain-Warden-thresh opened 11 months ago

the-Chain-Warden-thresh commented 11 months ago

I'm cloning this repo to make some modifications to customize it. However, I've noticed that some CVEs which were confirmed and fixed have not been patched in this repo. To enhance the availability of my project as far as possible, I would appreciate knowing whether any of the CVEs below exist in this repo as well, so that I can fix these security issues myself by applying the corresponding patches. Here are the CVEs I found unpatched in this repo, but which have been fixed:

CVE-2009-3720 in external/mit/expat/dist/lib/xmlparse.c's function static enum XML_Error doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, int tok, const char *next, const char **nextPtr, XML_Bool haveMore), with patch here for your reference.

CVE-2016-6303 in crypto/external/bsd/openssl/dist/crypto/mdc2/mdc2dgst.c's function int MDC2_Update(MDC2_CTX *c, const unsigned char *in, size_t len), with patch here for your reference.

CVE-2016-2180 in crypto/external/bsd/openssl/dist/crypto/ts/ts_lib.c's function int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj), with patch here for your reference.

CVE-2016-2105 in crypto/external/bsd/openssl/dist/crypto/evp/encode.c's function void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl), with patch here for your reference.

CVE-2016-2106 in crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c's function int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl), with patch here for your reference.

CVE-2017-11103 in crypto/external/bsd/heimdal/dist/lib/krb5/ticket.c's function int _krb5_extract_ticket(krb5_context context, krb5_kdc_rep *rep, krb5_creds *creds, krb5_keyblock *key, krb5_const_pointer keyseed, krb5_key_usage key_usage, krb5_addresses *addrs, unsigned nonce, unsigned flags, krb5_decrypt_proc decrypt_proc, krb5_const_pointer decryptarg), with patch here for your reference.

CVE-2020-8037 in external/bsd/tcpdump/dist/print-ppp.c's function static void ppp_hdlc(netdissect_options *ndo, const u_char *p, int length), with patch here for your reference.

CVE-2014-5461 in external/mit/lua/dist/src/ldo.c's function int luaD_precall (lua_State *L, StkId func, int nresults), with patch here for your reference.

petershh commented 11 months ago

Hello,

Thank you for putting together this list!

However, I think this is only the tip of the iceberg. All in-tree software is at least 6 years old at this moment. Also, Minix needs more hardening to be suitable for production environments. So, I doubt that applying the patches you've provided would be helpful.

the-Chain-Warden-thresh commented 11 months ago

That is to say, all 8 of the CVEs I've listed previously do impact this repo? Thanks a lot for your reply; I'll then apply the corresponding patches in order to start my own work as soon as possible. After you update the code of openssl and the other projects mentioned above, I'll keep up with your newer version to continue my customization.