
[scarthgap] libxml2: ignore CVE-2025-8732

Message ID 20250819104724.2283206-1-daniel.turull@ericsson.com
State Under Review
Delegated to: Steve Sakoman

Commit Message

Daniel Turull Aug. 19, 2025, 10:47 a.m. UTC
From: Daniel Turull <daniel.turull@ericsson.com>

The code maintainer disputes the CVE as the issue can only be triggered with
untrusted SGML catalogs and it makes absolutely no sense to use untrusted
catalogs.

The issue triggers a crash if an invalid file is provided.
Source: https://gitlab.gnome.org/GNOME/libxml2/-/issues/958

Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
---
 meta/recipes-core/libxml/libxml2_2.12.10.bb | 4 ++++
 1 file changed, 4 insertions(+)

Patch

diff --git a/meta/recipes-core/libxml/libxml2_2.12.10.bb b/meta/recipes-core/libxml/libxml2_2.12.10.bb
index 078988286a..a155c3708e 100644
--- a/meta/recipes-core/libxml/libxml2_2.12.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.12.10.bb
@@ -32,6 +32,10 @@  SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be47223
 # Disputed as a security issue, but fixed in d39f780
 CVE_STATUS[CVE-2023-45322] = "disputed: issue requires memory allocation to fail"
 
+# Disputed as a security issue, if attempts to process an invalid file, it fails
+# https://gitlab.gnome.org/GNOME/libxml2/-/issues/958
+CVE_STATUS[CVE-2025-8732] = "disputed: the code maintainer explains, that the issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. The issue triggers a crash if an invalid file is provided.  https://gitlab.gnome.org/GNOME/libxml2/-/issues/958"
+
 BINCONFIG = "${bindir}/xml2-config"
 
 PACKAGECONFIG ??= "python \
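Review bot: the new CVE_STATUS[CVE-2025-8732] value restates the two comment lines directly above it and runs to well over 200 characters, which breaks with the file's own convention two lines up, where CVE-2023-45322 gets a one-line comment and a one-clause description. Keep the value to a single clause, for example `CVE_STATUS[CVE-2025-8732] = "disputed: only reachable with untrusted SGML catalogs, which upstream says makes no sense to use"`, and leave the issue URL in the comment where it already is rather than repeating it inside the value. The comment line `# Disputed as a security issue, if attempts to process an invalid file, it fails` also does not read as a sentence; something like `# Disputed as a security issue: only an invalid, untrusted SGML catalog can trigger the crash` says the same thing clearly. Minor: the value has a double space before the URL ("provided.  https").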