| Message ID | 20220516072323.27316-1-sanakazisk19@gmail.com |
|---|---|
| State | Under Review |
| Delegated to | Armin Kuster |
| Series | [meta-oe,dunfell] openjpeg: Whitelist CVE-2020-27844 and CVE-2015-1239 |
On Mon, May 16, 2022 at 9:24 AM sana kazi <sanakazisk19@gmail.com> wrote:
> From: Sana Kazi <Sana.Kazi@kpit.com>
>
> Whitelist CVE-2020-27844 as it is introduced by
> https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5
> but the contents of this patch are not present in openjpeg_2.3.1
>
> Link: https://security-tracker.debian.org/tracker/CVE-2020-27844
>
> Whitelist CVE-2015-1239 as the CVE description clearly states that
> the j2k_read_ppm_v3 function in openjpeg is affected by CVE-2015-1239,
> but in openjpeg_2.3.1 this function is not present.
> Hence, CVE-2015-1239 does not affect openjpeg_2.3.1.
>

I agree with the analysis, thank you for looking into it! It seems that it will be better to add that information to the NVD database. Sending the change information right now.

Kind regards,
Marta
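The two justifications above rest on checks that are easy to script and worth re-running whenever the recipe moves to a new upstream version: does every `CVE_CHECK_WHITELIST` entry carry a justification comment with a reference, and is the function the CVE names actually defined (not merely mentioned) in the source tree being built? The script below is an added example, not code from the meta-oe patch or from OpenJPEG. The recipe text is a constructed copy of the recipe tail from this patch with one extra, deliberately unjustified entry (`CVE-2099-0001`, a made-up ID), the C file is a constructed stand-in for `j2k.c`, and the helper names (`audit`, `defines_function`, `build_sample_tree`) are this example's own.

```python
"""Audit CVE_CHECK_WHITELIST entries in a BitBake recipe and verify a
"function X is not present in this version" claim against a source tree.

Added example: not the meta-oe recipe's or OpenJPEG's own code.  All inputs
below are constructed inline so the script runs offline.
"""
import os
import re
import tempfile

# Constructed copy of the openjpeg_2.3.1.bb tail from the patch, plus one
# made-up entry (CVE-2099-0001) with no justification, to show what the
# audit flags.
RECIPE_TEXT = """\
inherit cmake

FILES_${PN} += "${libdir}/openjpeg*"

# This flaw is introduced by
# https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5
# but the contents of this patch is not present in openjpeg_2.3.1
# Hence, it can be whitelisted.
# https://security-tracker.debian.org/tracker/CVE-2020-27844

CVE_CHECK_WHITELIST += "CVE-2020-27844"

# The CVE description clearly states that j2k_read_ppm_v3 function in openjpeg
# is affected due to CVE-2015-1239 but in openjpeg_2.3.1 this function is not present.
# Hence, CVE-2015-1239 does not affect openjpeg_2.3.1

CVE_CHECK_WHITELIST += "CVE-2015-1239"

CVE_CHECK_WHITELIST += "CVE-2099-0001"
"""

# Constructed stand-in for src/lib/openjp2/j2k.c (NOT the real file).  The
# removed function is named only in a comment, which a plain grep would hit.
SAMPLE_C = """\
/* Stand-in j2k.c.  j2k_read_ppm_v3 was replaced by opj_j2k_read_ppm. */
#include "opj_includes.h"

static OPJ_BOOL opj_j2k_read_ppm(opj_j2k_t *p_j2k, OPJ_BYTE *p_header_data,
                                 OPJ_UINT32 p_header_size,
                                 opj_event_mgr_t *p_manager);

static OPJ_BOOL opj_j2k_read_ppm(opj_j2k_t *p_j2k, OPJ_BYTE *p_header_data,
                                 OPJ_UINT32 p_header_size,
                                 opj_event_mgr_t *p_manager)
{
    (void)p_j2k; (void)p_header_data; (void)p_header_size; (void)p_manager;
    return OPJ_TRUE;
}
"""

WL_RE = re.compile(r'^\s*CVE_CHECK_WHITELIST\s*\+=\s*"([^"]*)"')


def whitelisted_cves(recipe_text):
    """Return [(cve_id, justification_lines)] for every whitelist entry.
    The justification is the run of '#' lines directly above the assignment
    (blank lines allowed); any other statement in between resets it."""
    block, out = [], []
    for line in recipe_text.splitlines():
        s = line.strip()
        m = WL_RE.match(line)
        if s.startswith('#'):
            block.append(s.lstrip('#').strip())
        elif not s:
            continue
        elif m:
            for cve in m.group(1).split():
                out.append((cve, list(block)))
            block = []
        else:
            block = []
    return out


def audit(recipe_text):
    """Map each whitelisted CVE to a list of problems (empty list = OK)."""
    report = {}
    for cve, why in whitelisted_cves(recipe_text):
        text = ' '.join(why)
        problems = []
        if not why:
            problems.append('no justification comment')
        else:
            if cve not in text:
                problems.append('justification does not name the CVE')
            if not re.search(r'https?://', text):
                problems.append('no reference link in justification')
        report[cve] = problems
    return report


def defines_function(src_dir, name):
    """True if a .c/.h file under src_dir *defines* `name`: a signature
    (return type on the same or previous line) followed by '{'.  Prototypes
    end in ';' and comment lines do not start with an identifier, so neither
    matches; this is what separates 'present' from 'mentioned'."""
    pat = re.compile(r'^[ \t]*(?:static[ \t]+)?[A-Za-z_][\w \t\*]*[ \t\*\n]+'
                     + re.escape(name) + r'[ \t]*\([^;{}]*\)[ \t\n]*\{', re.M)
    for root, _dirs, files in os.walk(src_dir):
        for f in files:
            if f.endswith(('.c', '.h')):
                with open(os.path.join(root, f), encoding='utf-8') as fh:
                    if pat.search(fh.read()):
                        return True
    return False


def build_sample_tree():
    """Write the constructed j2k.c into a temp dir and return its path."""
    d = tempfile.mkdtemp(prefix='openjpeg-sample-')
    with open(os.path.join(d, 'j2k.c'), 'w', encoding='utf-8') as fh:
        fh.write(SAMPLE_C)
    return d


if __name__ == '__main__':
    for cve, problems in audit(RECIPE_TEXT).items():
        print(cve, 'OK' if not problems else '; '.join(problems))
    tree = build_sample_tree()
    for fn in ('j2k_read_ppm_v3', 'opj_j2k_read_ppm'):
        print(fn, 'defined' if defines_function(tree, fn) else 'not defined')
```

Run as-is, the audit passes CVE-2020-27844, flags CVE-2015-1239 for having no reference link, and flags the made-up CVE-2099-0001 for having no comment at all; the function check reports `j2k_read_ppm_v3` as not defined even though the name appears in a comment. Against a real checkout, point `defines_function` at the unpacked `${S}` of the recipe and the same call verifies the CVE-2015-1239 claim directly.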
diff --git a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb index 218dc911fe..9cf513f3f7 100644 --- a/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb +++ b/meta-oe/recipes-graphics/openjpeg/openjpeg_2.3.1.bb @@ -33,3 +33,17 @@ inherit cmake EXTRA_OECMAKE += "-DOPENJPEG_INSTALL_LIB_DIR=${@d.getVar('baselib').replace('/', '')}" FILES_${PN} += "${libdir}/openjpeg*" + +# This flaw is introduced by +# https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5 +# but the contents of this patch is not present in openjpeg_2.3.1 +# Hence, it can be whitelisted. +# https://security-tracker.debian.org/tracker/CVE-2020-27844 + +CVE_CHECK_WHITELIST += "CVE-2020-27844" + +# The CVE description clearly states that j2k_read_ppm_v3 function in openjpeg +# is affected due to CVE-2015-1239 but in openjpeg_2.3.1 this function is not present. +# Hence, CVE-2015-1239 does not affect openjpeg_2.3.1 + +CVE_CHECK_WHITELIST += "CVE-2015-1239"
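Review bot: the two justification comments in this hunk record different amounts of evidence, and the CVE-2015-1239 block is the weaker one. The CVE-2020-27844 block cites the introducing upstream commit and the Debian tracker URL; the CVE-2015-1239 block only restates the CVE description and names `j2k_read_ppm_v3`, with no tracker or NVD link, so whoever rebases this recipe onto a later openjpeg has nothing to re-check against. Suggest adding `# https://security-tracker.debian.org/tracker/CVE-2015-1239` above the second `CVE_CHECK_WHITELIST += "CVE-2015-1239"` line, matching the first block. In the first block, "the contents of this patch is not present in openjpeg_2.3.1" reads as if it referred to this recipe patch rather than the upstream commit; "the code changed by that commit is not present in openjpeg_2.3.1" would be unambiguous, and "contents ... is" should be "are". Keeping one `CVE_CHECK_WHITELIST +=` line per CVE with its own comment, as done here, is the right shape for a reviewable whitelist.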