[kirkstone,2/8] libarchive: ignore CVE-2025-1632

Message ID	bf7654877ba99f0b18a1cf6f83032af5ecabd01f.1743546795.git.steve@sakoman.com
State	RFC
Delegated to:	Steve Sakoman
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.214.178, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 2/8] libarchive: ignore CVE-2025-1632 Date: Tue, 1 Apr 2025 15:36:09 -0700 Message-ID: <bf7654877ba99f0b18a1cf6f83032af5ecabd01f.1743546795.git.steve@sakoman.com> In-Reply-To: <cover.1743546795.git.steve@sakoman.com> References: <cover.1743546795.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone,1/8] zlib: fix CVE-2014-9485 \| expand [kirkstone,1/8] zlib: fix CVE-2014-9485 [kirkstone,2/8] libarchive: ignore CVE-2025-1632 [kirkstone,3/8] perl: ignore CVE-2023-47038 [kirkstone,4/8] freetype: patch CVE-2025-27363 [kirkstone,5/8] llvm : Fix CVE-2024-0151 [kirkstone,6/8] yocto-uninative: Update to 4.7 for glibc 2.41 [kirkstone,7/8] mesa: Update SRC_URI [kirkstone,8/8] glibc: Add single-threaded fast path to rand()

Message ID

bf7654877ba99f0b18a1cf6f83032af5ecabd01f.1743546795.git.steve@sakoman.com

State

RFC

Delegated to:

Steve Sakoman

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 2/8] libarchive: ignore CVE-2025-1632
Date: Tue,  1 Apr 2025 15:36:09 -0700
Message-ID: 
 <bf7654877ba99f0b18a1cf6f83032af5ecabd01f.1743546795.git.steve@sakoman.com>
In-Reply-To: <cover.1743546795.git.steve@sakoman.com>
References: <cover.1743546795.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[kirkstone,1/8] zlib: fix CVE-2014-9485 | expand

Commit Message

Steve Sakoman April 1, 2025, 10:36 p.m. UTC

From: Peter Marko <peter.marko@siemens.com>

As already mentioned in [1] when backporting commit including fix for
this CVE, this vulnerability applies only from libarchive 3.7.0 commit
[2] which introduced bsdunzip which contains this vulnerability.

[1] https://git.openembedded.org/openembedded-core/commit/?h=kirkstone&id=ec837d3b21b4f8b98abac53e2833f1490ba6bf1e
[2] https://github.com/libarchive/libarchive/commit/c157e4ce8eb170a92945cc2d292fd7106bdfcce1

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-extended/libarchive/libarchive_3.6.2.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
index 4ceb0df2c0..f7e576b688 100644
--- a/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
+++ b/meta/recipes-extended/libarchive/libarchive_3.6.2.bb
@@ -44,6 +44,8 @@  SRC_URI[sha256sum] = "ba6d02f15ba04aba9c23fd5f236bb234eab9d5209e95d1c4df85c44d5f
 CVE_CHECK_IGNORE += "CVE-2023-30571"
 # cpe-incorrect: this vulnerability was not in any release; introduced in v3.7.3-14-g91f27004; fixed in b6a97948
 CVE_CHECK_IGNORE += "CVE-2024-37407"
+# cpe-incorrect: bsdtar was introduced in v3.7.0, so 3.6.2 is not affected yet
+CVE_CHECK_IGNORE += "CVE-2025-1632"
 
 inherit autotools update-alternatives pkgconfig

[kirkstone,2/8] libarchive: ignore CVE-2025-1632

Commit Message

Patch