[scarthgap,2/9] libyaml: ignore CVE-2024-35326

Message ID	63445474e797967578f5e9dc9eff3642ebe44712.1723636705.git.steve@sakoman.com
State	Accepted
Delegated to:	Steve Sakoman
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.210.171, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 2/9] libyaml: ignore CVE-2024-35326 Date: Wed, 14 Aug 2024 05:02:02 -0700 Message-Id: <63445474e797967578f5e9dc9eff3642ebe44712.1723636705.git.steve@sakoman.com> In-Reply-To: <cover.1723636705.git.steve@sakoman.com> References: <cover.1723636705.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[scarthgap,1/9] cve_check: Use a local copy of the database during builds \| expand [scarthgap,1/9] cve_check: Use a local copy of the database during builds [scarthgap,2/9] libyaml: ignore CVE-2024-35326 [scarthgap,3/9] python3-certifi: Fix CVE-2024-39689 [scarthgap,4/9] ffmpeg: fix CVE-2023-50008 [scarthgap,5/9] python3-pycryptodome(x): use python_setuptools_build_meta build class [scarthgap,6/9] systemd: Mitigate /var/log type mismatch issue [scarthgap,7/9] systemd: Mitigate /var/tmp type mismatch issue [scarthgap,8/9] image_types.bbclass: Use --force also with lz4,lzop [scarthgap,9/9] u-boot.inc: Refactor do_* steps into functions that can be overridden

Message ID

63445474e797967578f5e9dc9eff3642ebe44712.1723636705.git.steve@sakoman.com

State

Accepted

Delegated to:

Steve Sakoman

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 2/9] libyaml: ignore CVE-2024-35326
Date: Wed, 14 Aug 2024 05:02:02 -0700
Message-Id: 
 <63445474e797967578f5e9dc9eff3642ebe44712.1723636705.git.steve@sakoman.com>
In-Reply-To: <cover.1723636705.git.steve@sakoman.com>
References: <cover.1723636705.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[scarthgap,1/9] cve_check: Use a local copy of the database during builds | expand

Commit Message

Steve Sakoman Aug. 14, 2024, 12:02 p.m. UTC

From: Peter Marko <peter.marko@siemens.com>

This is the same problem as already ignored CVE-2024-35328.
See laso this comment in addition:
https://github.com/yaml/libyaml/issues/298#issuecomment-2167684233

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-support/libyaml/libyaml_0.2.5.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-support/libyaml/libyaml_0.2.5.bb b/meta/recipes-support/libyaml/libyaml_0.2.5.bb
index 1c6a5fcb45..334d9113d2 100644
--- a/meta/recipes-support/libyaml/libyaml_0.2.5.bb
+++ b/meta/recipes-support/libyaml/libyaml_0.2.5.bb
@@ -18,6 +18,7 @@  inherit autotools
 DISABLE_STATIC:class-nativesdk = ""
 DISABLE_STATIC:class-native = ""
 
+CVE_STATUS[CVE-2024-35326] = "upstream-wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302"
 CVE_STATUS[CVE-2024-35328] = "upstream-wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302"
 
 BBCLASSEXTEND = "native nativesdk"

[scarthgap,2/9] libyaml: ignore CVE-2024-35326

Commit Message

Patch