From: Peter Korsgaard Date: Sat, 18 Sep 2021 16:59:46 +0000 (+0200) Subject: package/erlang: ignore Windows specific CVE-2021-29221 X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=e7c2eaf92949ea20bb0882c088f76b7becb95a64;p=buildroot.git package/erlang: ignore Windows specific CVE-2021-29221 CVE-2021-29221 is a Windows specific issue: A local privilege escalation vulnerability was discovered in Erlang/OTP prior to version 23.2.3. By adding files to an existing installation's directory, a local attacker could hijack accounts of other users running Erlang programs or possibly coerce a service running with "erlsrv.exe" to execute arbitrary code as Local System. This can occur only under specific conditions on Windows with unsafe filesystem permissions. So ignore it. Signed-off-by: Peter Korsgaard Signed-off-by: Yann E. MORIN --- diff --git a/package/erlang/erlang.mk b/package/erlang/erlang.mk index 59fcdba93f..527eb15a00 100644 --- a/package/erlang/erlang.mk +++ b/package/erlang/erlang.mk @@ -16,6 +16,9 @@ ERLANG_CPE_ID_VENDOR = erlang ERLANG_CPE_ID_PRODUCT = erlang\/otp ERLANG_INSTALL_STAGING = YES +# windows specific issue: https://nvd.nist.gov/vuln/detail/CVE-2021-29221 +ERLANG_IGNORE_CVES += CVE-2021-29221 + # Remove the leftover deps directory from the ssl app # See https://bugs.erlang.org/browse/ERL-1168 define ERLANG_REMOVE_SSL_DEPS
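Review bot: The comment above `ERLANG_IGNORE_CVES += CVE-2021-29221` in package/erlang/erlang.mk says only "windows specific issue" plus the NVD link, so the reasoning that justifies the ignore lives only in the commit message. Suggest carrying the two facts a later reader needs into the comment itself: that the flaw requires a Windows installation with unsafe filesystem permissions (the `erlsrv.exe` service case), and that it affects Erlang/OTP prior to 23.2.3. With the version bound recorded next to the entry, the ignore can be dropped once the package is at or past that release instead of lingering in the file. Minor style point on the same line: capitalize "Windows".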