[kirkstone] libarchive: ignore CVE-2024-37407

Message ID 20240718164219.1007660-1-peter.marko@siemens.com
State Accepted
Delegated to: Steve Sakoman

Commit Message

Peter Marko July 18, 2024, 4:42 p.m. UTC
From: Peter Marko <peter.marko@siemens.com>

History of code changes:
* introduced: https://github.com/ilibarchive/libarchive/commit/390d83012fdba8c8db7fc9915338805882b0597a (v3.7.2-52-g390d8301)
* reverted: 6https://github.com/libarchive/libarchive/commit/2c8caf6611a7d0662d80176c4fdb40f85794699 (v3.7.2-53-g62c8caf6)
* re-introduced: 9https://github.com/libarchive/libarchive/commit/1f27004a5c88589658e38d68e46d223da6b75ca (v3.7.3-14-g91f27004)
* fixed: bhttps://github.com/libarchive/libarchive/commit/6a979481b7d77c12fa17bbed94576b63bbcb0c0 (v3.7.3-24-gb6a97948)

Since there is no release where this CVE was present, we can safely
ignore it.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/recipes-extended/libarchive/libarchive_3.6.2.bb | 2 ++
 1 file changed, 2 insertions(+)

Comments

Marta Rybczynska July 30, 2024, 5:44 p.m. UTC | #1
On Thu, Jul 18, 2024 at 6:43 PM Peter Marko via lists.openembedded.org
<peter.marko=siemens.com@lists.openembedded.org> wrote:

> From: Peter Marko <peter.marko@siemens.com>
>
> History of code changes:
> * introduced:
> https://github.com/ilibarchive/libarchive/commit/390d83012fdba8c8db7fc9915338805882b0597a
> (v3.7.2-52-g390d8301)
> * reverted: 6
> https://github.com/libarchive/libarchive/commit/2c8caf6611a7d0662d80176c4fdb40f85794699
> (v3.7.2-53-g62c8caf6)
> * re-introduced: 9
> https://github.com/libarchive/libarchive/commit/1f27004a5c88589658e38d68e46d223da6b75ca
> (v3.7.3-14-g91f27004)
> * fixed: bhttps://
> github.com/libarchive/libarchive/commit/6a979481b7d77c12fa17bbed94576b63bbcb0c0
> (v3.7.3-24-gb6a97948)
>
>
For further reference, the commits in the message are malformed. Likely
should be:
* introduced:
https://github.com/ilibarchive/libarchive/commit/390d83012fdba8c8db7fc9915338805882b0597a
(v3.7.2-52-g390d8301)
* reverted:
https://github.com/libarchive/libarchive/commit/62c8caf6611a7d0662d80176c4fdb40f85794699
<https://github.com/libarchive/libarchive/commit/2c8caf6611a7d0662d80176c4fdb40f85794699>
(v3.7.2-53-g62c8caf6)
* re-introduced:
https://github.com/libarchive/libarchive/commit/91f27004a5c88589658e38d68e46d223da6b75ca
<https://github.com/libarchive/libarchive/commit/1f27004a5c88589658e38d68e46d223da6b75ca>
(v3.7.3-14-g91f27004)
* fixed:
https://github.com/libarchive/libarchive/commit/b6a979481b7d77c12fa17bbed94576b63bbcb0c0
<http://github.com/libarchive/libarchive/commit/6a979481b7d77c12fa17bbed94576b63bbcb0c0>
(v3.7.3-24-gb6a97948)

Kind regards,
Marta

Patch

diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
index c83eec9b1a..a7a3e47412 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
@@ -38,6 +38,8 @@  SRC_URI[sha256sum] = "ba6d02f15ba04aba9c23fd5f236bb234eab9d5209e95d1c4df85c44d5f
 
 # upstream-wontfix: upstream has documented that reported function is not thread-safe
 CVE_CHECK_IGNORE += "CVE-2023-30571"
+# cpe-incorrect: this vulnerability was not in any release; introduced in v3.7.3-14-g91f27004; fixed in b6a97948
+CVE_CHECK_IGNORE += "CVE-2024-37407"
 
 inherit autotools update-alternatives pkgconfig
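
Review bot: the justification comment above the added `CVE_CHECK_IGNORE += "CVE-2024-37407"` line mixes reference styles and records only part of the history. It gives the re-introduction as a git-describe string (`v3.7.3-14-g91f27004`) but the fix as a bare abbreviated hash (`b6a97948`), and it leaves out the first introduction and revert that the commit message lists (`v3.7.2-52-g390d8301`, `v3.7.2-53-g62c8caf6`). Suggest writing the fix as `v3.7.3-24-gb6a97948` and mentioning the earlier introduce/revert pair, so the comment alone shows that every affected range sits between tagged releases. Since the ignore is unconditional and this recipe is 3.6.2, it would also help to state in the comment that the recipe version predates the first introduction, which is the fact that makes the ignore safe for this branch.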