feat(wrlinux): Add Wind River Linux vulnerability data (aquasecurity#177)

Signed-off-by: Sakib Sajal <[email protected]>
sajal-wr authored and wlyu2 committed Nov 8, 2023
1 parent eb47fe8 commit d939e5b
Showing 10 changed files with 629 additions and 2 deletions.
4 changes: 4 additions & 0 deletions .github/workflows/update.yml
@@ -87,6 +87,10 @@ jobs:
name: CBL-Mariner Vulnerability Data
run: ./scripts/update.sh mariner "CBL-Mariner Vulnerability Data"

- if: always()
name: WindRiver CVE Tracker
run: ./vuln-list-update -target wrlinux

- if: always()
name: OSV Database
run: ./scripts/update.sh osv "OSV Database"
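Review bot: the new step runs `./vuln-list-update -target wrlinux` directly instead of going through the `./scripts/update.sh <target> "<message>"` wrapper that the neighbouring mariner and osv steps use, so whatever the wrapper does around the binary (its quoted second argument reads like the commit message the other targets pass) is skipped for this target. Suggest `run: ./scripts/update.sh wrlinux "Wind River CVE Tracker"` so the step matches the others and the message matches the `commitMsg` set in main.go; the step `name:` also spells the vendor "WindRiver" while main.go uses "Wind River".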
2 changes: 1 addition & 1 deletion README.md
@@ -20,7 +20,7 @@ https://github.com/aquasecurity/vuln-list/
$ vuln-list-update -h
Usage of vuln-list-update:
-target string
update target (nvd, alpine, alpine-unfixed, redhat, redhat-oval, debian, debian-oval, ubuntu, amazon, oracle-oval, suse-cvrf, photon, arch-linux, ghsa, glad, cwe, osv, go-vulndb, mariner, kevc, wolfi, chainguard)
update target (nvd, alpine, alpine-unfixed, redhat, redhat-oval, debian, debian-oval, ubuntu, amazon, oracle-oval, suse-cvrf, photon, arch-linux, ghsa, glad, cwe, osv, go-vulndb, mariner, kevc, wolfi, chainguard, wrlinux)
-target-branch string
alternative repository branch (only glad)
-target-uri string
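Review bot: the README target list is updated by hand here and already disagrees with the `-target` help string in main.go: this line lacks `k8s`, which main.go lists, while main.go's string lacks `debian-oval` and `go-vulndb`, which this line lists. Since both lines are touched in this change, bring them into agreement, or paste the actual `vuln-list-update -h` output, which is what this README block presents itself as.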
16 changes: 15 additions & 1 deletion main.go
@@ -35,12 +35,20 @@ import (
"github.com/aquasecurity/vuln-list-update/ubuntu"
"github.com/aquasecurity/vuln-list-update/utils"
"github.com/aquasecurity/vuln-list-update/wolfi"
"github.com/aquasecurity/vuln-list-update/wrlinux"
)

const (
repoURL = "https://%[email protected]/%s/%s.git"
defaultRepoOwner = "aquasecurity"
defaultRepoName = "vuln-list"
)

var (
target = flag.String("target", "", "update target (nvd, alpine, alpine-unfixed, redhat, redhat-oval, "+
"debian, ubuntu, amazon, oracle-oval, suse-cvrf, photon, arch-linux, ghsa, glad, cwe, osv, mariner, kevc, wolfi, chainguard, k8s)")
"debian, ubuntu, amazon, oracle-oval, suse-cvrf, photon, arch-linux, ghsa, glad, cwe, osv, mariner, kevc, wolfi, chainguard, k8s, wrlinux)")
vulnListDir = flag.String("vuln-list-dir", "", "vuln-list dir")
years = flag.String("years", "", "update years (only redhat)")
targetUri = flag.String("target-uri", "", "alternative repository URI (only glad)")
targetBranch = flag.String("target-branch", "", "alternative repository branch (only glad)")
)
@@ -176,6 +184,12 @@ func run() error {
if err := k8s.Update(); err != nil {
return xerrors.Errorf("k8s update error: %w", err)
}
commitMsg = "Chainguard Security Data"
case "wrlinux":
if err := wrlinux.Update(); err != nil {
return xerrors.Errorf("WRLinux update error: %w", err)
}
commitMsg = "Wind River CVE Tracker"
default:
return xerrors.New("unknown target")
}
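Review bot: the `case "k8s"` context directly above the new case sets `commitMsg = "Chainguard Security Data"` after a successful `k8s.Update()`, i.e. the previous case's message; it is pre-existing, but since this hunk sits on the adjacent lines it is worth fixing in the same change. Within the new case the error is wrapped as "WRLinux update error" while the commit message is "Wind River CVE Tracker" and the workflow step is named "WindRiver CVE Tracker"; pick one spelling and use it in all three places.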
19 changes: 19 additions & 0 deletions wrlinux/testdata/multiple_multiline_note
@@ -0,0 +1,19 @@
Candidate: CVE-2012-0880
PublicDate: 2017-08-08
Description:
Apache Xerces-C++ allows remote attackers to cause a denial of
service (CPU consumption) via a crafted message sent to an XML
service that causes hash table collisions.
Notes:
note 1 line 1
note 1 line 2
note 2 line 1
note 2 line 2
Priority: high
Bugs:
LIN10-1106

Patches_xerces:
10.17.41.1_xerces: released (10.17.41.1)
10.18.44.1_xerces: ignored (will not fix)
10.19.45.1_xerces: ignored (will not fix)
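Review bot: nothing in the fixture text marks where the first note ends and the second begins ("note 1 line 2" and "note 2 line 1" are adjacent lines with no visible separator), so the test that consumes this file relies on a continuation convention the file itself does not state; add a `#` comment (the format accepts them, per the with_comments_and_line_breaks fixture) spelling out the expected split. Separately, `ignored (will not fix)` carries a parenthetical that is not a fixed release, unlike `released (10.17.41.1)`; make sure the test asserts that no fixed version is recorded for the two `ignored` entries.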
19 changes: 19 additions & 0 deletions wrlinux/testdata/multiple_packages
@@ -0,0 +1,19 @@
Candidate: CVE-2015-8985
PublicDate: 2017-03-20
Description:
The pop_fail_stack function in the GNU C Library (aka glibc or
libc6) allows context-dependent attackers to cause a denial of
service (assertion failure and application crash) via vectors
related to extended regular expression processing.
Notes:
glibc
Priority: medium
Bugs:

Patches_glibc:
10.18.44.1_glibc: pending
10.19.45.1_glibc: pending

Patches_eglibc:
10.18.44.1_eglibc: pending
10.19.45.1_eglibc: pending
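Review bot: the fixture exercises two `Patches_` blocks and an empty `Bugs:` section, but every entry is `pending`, so the multi-package path is never checked with a fixed version; changing one `eglibc` entry to a `released (<version>)` value would confirm the version lands on the right package rather than on the first block parsed. The `Notes:` body consisting of the bare word `glibc` also reads like a placeholder rather than a note.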
22 changes: 22 additions & 0 deletions wrlinux/testdata/multiple_references_and_notes
@@ -0,0 +1,22 @@
Candidate: CVE-2021-39648
PublicDate: 2021-12-15
Description:
In gadget_dev_desc_UDC_show of configfs.c, there is a possible
disclosure of kernel heap memory due to a race condition.
References:
Upstream kernel
Upstream linux
Notes:
This could lead to local information disclosure with System execution privileges needed.
User interaction is not needed for exploitation.
Priority: medium
Bugs:
LINCD-7525
LIN1021-2165
LIN1019-7478
LIN1018-8466
Patches_linux:
10.20.6.0_linux: not-affected
10.21.20.1_linux: not-affected
10.19.45.1_linux: released (10.19.45.21)
10.18.44.1_linux: released (10.18.44.25)
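Review bot: the `Patches_linux` entries are not in release order (10.20.6.0, 10.21.20.1, then 10.19.45.1, 10.18.44.1), and `Bugs:` runs straight into `Patches_linux:` with no blank line, unlike the other fixtures; both are worth keeping as cases, but a `#` comment stating that this is deliberate would stop someone tidying the fixture later and silently losing the coverage.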
17 changes: 17 additions & 0 deletions wrlinux/testdata/no_references_or_notes
@@ -0,0 +1,17 @@
Candidate: CVE-2020-24241
PublicDate: 2020-08-25
Description:
In Netwide Assembler (NASM) 2.15rc10, there is heap use-after-free
in saa_wbytes in nasmlib/saa.c.
Priority: medium
Bugs:
LINCD-2974
LIN1019-5289
LIN1018-6614
LIN10-7689

Patches_nasm:
10.20.6.0_nasm: not-affected
10.19.45.1_nasm: pending
10.18.44.1_nasm: ignored
10.17.41.1_nasm: released (10.17.41.22)
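Review bot: `10.18.44.1_nasm: ignored` is the bare form of the status that appears as `ignored (will not fix)` in the multiple_multiline_note fixture; the test should assert that both parse to the same status, and that `released (10.17.41.22)` is the only entry in this block that yields a fixed version. Note also that `Bugs:` is followed by a blank line before `Patches_nasm:`, so a blank line must not be treated as the end of the record.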
28 changes: 28 additions & 0 deletions wrlinux/testdata/with_comments_and_line_breaks
@@ -0,0 +1,28 @@
Candidate: CVE-2022-3134

PublicDate: 2022-09-06

Description:
Use After Free in GitHub repository vim/vim prior to 9.0.0389.

Notes:

Priority: high

Bugs:
LINCD-10301
LIN1022-1711
LIN1021-4364
LIN1019-8796
LIN1018-9727

# fixes/patches for different WRLinux releases
# <vulnerable_release>_<package>: <status> [(<fixed_release>)]
Patches_vim:
10.20.6.0_vim: not-affected
10.22.33.1_vim: not-affected
# the following have releases have been fixed
10.21.20.1_vim: released (10.21.20.14)
10.19.45.1_vim: released (10.19.45.26)

10.18.44.1_vim: released (10.18.44.28)
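Review bot: the blank line between `10.19.45.1_vim` and `10.18.44.1_vim` inside `Patches_vim:` means a blank line must not terminate a section, so the test for this file should assert that `10.18.44.1_vim: released (10.18.44.28)` is still attributed to vim and not dropped. The comment `# the following have releases have been fixed` has a doubled "have". The `# <vulnerable_release>_<package>: <status> [(<fixed_release>)]` line is the only place the entry grammar is written down; it belongs in the wrlinux package's doc comment as well, not only inside a fixture.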