[meta-oe,dunfell] openjpeg: Whitelist CVE-2020-27844 and CVE-2015-1239

Message ID 20220516072323.27316-1-sanakazisk19@gmail.com
State Under Review
Delegated to: Armin Kuster
Series [meta-oe,dunfell] openjpeg: Whitelist CVE-2020-27844 and CVE-2015-1239

Commit Message

Sana Kazi May 16, 2022, 7:23 a.m. UTC
From: Sana Kazi <Sana.Kazi@kpit.com>

Whitelist CVE-2020-27844 as it is introduced by
https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5
but the contents of this patch are not present in openjpeg_2.3.1.

Link: https://security-tracker.debian.org/tracker/CVE-2020-27844

Whitelist CVE-2015-1239 as the CVE description clearly states that
the j2k_read_ppm_v3 function in openjpeg is affected by CVE-2015-1239,
but in openjpeg_2.3.1 this function is not present.
Hence, CVE-2015-1239 does not affect openjpeg_2.3.1.

Signed-off-by: Sana.Kazi <Sana.Kazi@kpit.com>
Signed-off-by: Sana Kazi <sanakazisk19@gmail.com>
---
 .../recipes-graphics/openjpeg/openjpeg_2.3.1.bb    | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

Comments

Marta Rybczynska May 16, 2022, 8:25 a.m. UTC | #1
On Mon, May 16, 2022 at 9:24 AM sana kazi <sanakazisk19@gmail.com> wrote:

> From: Sana Kazi <Sana.Kazi@kpit.com>
>
> Whitelist CVE-2020-27844 as it is introduced by
> https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5
> but the contents of this patch are not present in openjpeg_2.3.1.
>
> Link: https://security-tracker.debian.org/tracker/CVE-2020-27844
>
> Whitelist CVE-2015-1239 as the CVE description clearly states that
> the j2k_read_ppm_v3 function in openjpeg is affected by CVE-2015-1239,
> but in openjpeg_2.3.1 this function is not present.
> Hence, CVE-2015-1239 does not affect openjpeg_2.3.1.
>
I agree with the analysis, thank you for looking into it! It seems that it
will be better to add that information to the NVD database. Sending the
change information right now.

Kind regards,
Marta

Patch

diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb
index 218dc911fe..9cf513f3f7 100644
--- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb
+++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb
@@ -33,3 +33,17 @@  inherit cmake
 EXTRA_OECMAKE += "-DOPENJPEG_INSTALL_LIB_DIR=${@d.getVar('baselib').replace('/', '')}"
 
 FILES_${PN} += "${libdir}/openjpeg*"
+
+# This flaw is introduced by
+# https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5
+# but the contents of this patch is not present in openjpeg_2.3.1
+# Hence, it can be whitelisted.
+# https://security-tracker.debian.org/tracker/CVE-2020-27844
+
+CVE_CHECK_WHITELIST += "CVE-2020-27844"
+
+# The CVE description clearly states that j2k_read_ppm_v3 function in openjpeg
+# is affected due to CVE-2015-1239 but in openjpeg_2.3.1 this function is not present.
+# Hence, CVE-2015-1239 does not affect openjpeg_2.3.1
+
+CVE_CHECK_WHITELIST += "CVE-2015-1239"
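Review bot: the two whitelist comments assert the conclusion but do not record how it was verified, which matters because a CVE_CHECK_WHITELIST entry silently suppresses the scanner for as long as the recipe exists. For CVE-2020-27844, note in the comment which file or function the introducing commit touches and that it was checked against the openjpeg 2.3.1 source; for CVE-2015-1239, add the reference link as was done for CVE-2020-27844 (the `# https://security-tracker.debian.org/tracker/CVE-2020-27844` line), so a later maintainer can re-check the claim without redoing the analysis. Minor: `# but the contents of this patch is not present in openjpeg_2.3.1` should read `are not present`, and the CVE-2015-1239 comment lacks a full stop at the end.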