Add CVE-2014-0160 #10

tchatow commented Nov 12, 2024

This pull request depends on patches to CVEX to add a Debian image and support for ifupdown interface configuration.

@@ -0,0 +1,8 @@
blueprint: debian7-debian7
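
Review bot: `blueprint: debian7-debian7` on the first added line names a blueprint that, per the pull request description, depends on patches to CVEX (a Debian image and ifupdown interface configuration), so the record is not usable until those land. Link the corresponding CVEX pull request in the description, and state in the record or the description why a Debian 7 image is required for CVE-2014-0160.
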
Collaborator

Do you need Debian only for ifupdown to configure network interfaces? Where is that in the code? Why not use Ubuntu's /etc/netplan? If you really need Debian 7, please also provide a pull request for a new blueprint in https://github.com/ucsb-seclab/CVEX.

Author

I will submit a corresponding pull request to the other repo. Debian doesn't support netplan since it is Ubuntu-specific.

olegbck (Collaborator) commented Jan 13, 2025

I can't find any reference to Debian in the description of CVE-2014-0160. Do we really need it? I tried to run it on Ubuntu and the ./configure --prefix=/opt/vuln --with-openssl=../openssl-1.0.1f --with-http_ssl_module --without-http_rewrite_module command gives me this:

checking for OS
 + Linux 5.15.0-102-generic x86_64
checking for C compiler ... not found

./configure: error: C compiler cc is not found

I fixed the GCC installation in debian1.yml:

    - name: Update apt package index
      apt:
        update_cache: yes

    - name: Install a list of packages
      ansible.builtin.apt:
        pkg:
        - linux-kernel-headers
        - build-essential

After that, ./configure still shows me this:

./configure: error: the HTTP gzip module requires the zlib library.
You can either disable the module by using --without-http_gzip_module
option, or install the zlib library into the system, or build the zlib library
statically from the source with nginx by using --with-zlib=<path> option.

Running ./configure --prefix=/opt/vuln --with-openssl=../openssl-1.0.1f --with-http_ssl_module --without-http_rewrite_module --without-http_gzip_module works.

However, make shows this:

cms.pod around line 457: Expected text after =item, not a number
cms.pod around line 461: Expected text after =item, not a number
cms.pod around line 465: Expected text after =item, not a number
cms.pod around line 470: Expected text after =item, not a number
cms.pod around line 474: Expected text after =item, not a number
POD document had syntax errors at /usr/bin/pod2man line 69.
make[2]: *** [Makefile:641: install_docs] Error 255
make[2]: Leaving directory '/opt/openssl-1.0.1f'
make[1]: *** [objs/Makefile:1093: ../openssl-1.0.1f/.openssl/include/openssl/ssl.h] Error 2
make[1]: Leaving directory '/opt/nginx-1.6.0'
make: *** [Makefile:8: build] Error 2

Is the build Debian-specific? I am not sure.
