[Buildroot] [git commit branch/2021.08.x] package/erlang: ignore Windows specific CVE-2021-29221
Peter Korsgaard
peter at korsgaard.com
Wed Sep 29 18:12:01 UTC 2021
commit: https://git.buildroot.net/buildroot/commit/?id=609479270f93a86e12531aaefafe90b47607c437
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2021.08.x
CVE-2021-29221 is a Windows specific issue:
A local privilege escalation vulnerability was discovered in Erlang/OTP
prior to version 23.2.3. By adding files to an existing installation's
directory, a local attacker could hijack accounts of other users running
Erlang programs or possibly coerce a service running with "erlsrv.exe" to
execute arbitrary code as Local System. This can occur only under specific
conditions on Windows with unsafe filesystem permissions.
So ignore it.
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998 at free.fr>
(cherry picked from commit e7c2eaf92949ea20bb0882c088f76b7becb95a64)
Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
package/erlang/erlang.mk | 3 +++
1 file changed, 3 insertions(+)
diff --git a/package/erlang/erlang.mk b/package/erlang/erlang.mk
index 59fcdba93f..527eb15a00 100644
--- a/package/erlang/erlang.mk
+++ b/package/erlang/erlang.mk
@@ -16,6 +16,9 @@ ERLANG_CPE_ID_VENDOR = erlang
ERLANG_CPE_ID_PRODUCT = erlang\/otp
ERLANG_INSTALL_STAGING = YES
+# windows specific issue: https://nvd.nist.gov/vuln/detail/CVE-2021-29221
+ERLANG_IGNORE_CVES += CVE-2021-29221
+
# Remove the leftover deps directory from the ssl app
# See https://bugs.erlang.org/browse/ERL-1168
define ERLANG_REMOVE_SSL_DEPS
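Review bot: the comment added above `ERLANG_IGNORE_CVES += CVE-2021-29221` gives only "windows specific issue" and a link, so someone reading erlang.mk later cannot tell from the file why the entry is safe or when it can be dropped. The commit message already has the detail: the issue requires a Windows installation with unsafe filesystem permissions (or a service run through erlsrv.exe), and it affects Erlang/OTP prior to 23.2.3. Consider carrying that into the comment, for example `# CVE-2021-29221 only affects Windows installations (erlsrv.exe), fixed in 23.2.3`, and capitalising "Windows". The ignore is also unconditional, so it will keep suppressing the CVE in the report whatever version the package is later bumped to; naming the fixed version in the comment makes it easy to spot as removable at that point.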