| Message ID | 20251015063531.1573191-4-ankur.tyagi85@gmail.com |
|---|---|
| State | New |
| Series | [meta-oe,scarthgap,1/4] mercurial: Update CVE status for CVE-2022-43410 |
On Wed, 2025-10-15 at 19:35 +1300, Ankur Tyagi via lists.openembedded.org wrote: > Details https://nvd.nist.gov/vuln/detail/CVE-2025-53644 > > CVE was fixed by [1] but the change [2] which introduced CVE was not > present this version (4.9.0). > > $ git tag --no-contains 40faced6 | grep 4.9.0 > 4.9.0 > > [1] > https://github.com/opencv/opencv/commit/a39db41390de546d18962ee1278bd6dbb715f466 > [2] > https://github.com/opencv/opencv/commit/40faced6c18baa6fbc7c1fbd409d59d6ddecc74f#diff-ae9fbe252ce7879e83e7ae22e594d50b5a8d2ea8dfb4cc8e02e896902a1a8f10R2872 > > Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> > --- > meta-oe/recipes-support/opencv/opencv_4.9.0.bb | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/meta-oe/recipes-support/opencv/opencv_4.9.0.bb b/meta- > oe/recipes-support/opencv/opencv_4.9.0.bb > index cf836d3ecf..e4910553bf 100644 > --- a/meta-oe/recipes-support/opencv/opencv_4.9.0.bb > +++ b/meta-oe/recipes-support/opencv/opencv_4.9.0.bb > @@ -208,3 +208,5 @@ do_install:append() { > rm -rf ${D}${bindir}/setup_vars_opencv4.sh > fi > } > + > +CVE_STATUS[CVE-2025-53644] = "cpe-incorrect: This version (4.9.0) > doesn't contain the change which introduced CVE." Actually it looks like CPE data was revised recently to include minimum version as 4.10.0 so this should not be required now. Can you please check again?
On Thu, Oct 30, 2025 at 7:27 PM Mittal, Anuj <anuj.mittal@intel.com> wrote: > > On Wed, 2025-10-15 at 19:35 +1300, Ankur Tyagi via > lists.openembedded.org wrote: > > Details https://nvd.nist.gov/vuln/detail/CVE-2025-53644 > > > > CVE was fixed by [1] but the change [2] which introduced CVE was not > > present this version (4.9.0). > > > > $ git tag --no-contains 40faced6 | grep 4.9.0 > > 4.9.0 > > > > [1] > > https://github.com/opencv/opencv/commit/a39db41390de546d18962ee1278bd6dbb715f466 > > [2] > > https://github.com/opencv/opencv/commit/40faced6c18baa6fbc7c1fbd409d59d6ddecc74f#diff-ae9fbe252ce7879e83e7ae22e594d50b5a8d2ea8dfb4cc8e02e896902a1a8f10R2872 > > > > Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> > > --- > > meta-oe/recipes-support/opencv/opencv_4.9.0.bb | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/meta-oe/recipes-support/opencv/opencv_4.9.0.bb b/meta- > > oe/recipes-support/opencv/opencv_4.9.0.bb > > index cf836d3ecf..e4910553bf 100644 > > --- a/meta-oe/recipes-support/opencv/opencv_4.9.0.bb > > +++ b/meta-oe/recipes-support/opencv/opencv_4.9.0.bb 
> > @@ -208,3 +208,5 @@ do_install:append() { > > rm -rf ${D}${bindir}/setup_vars_opencv4.sh > > fi > > } > > + > > +CVE_STATUS[CVE-2025-53644] = "cpe-incorrect: This version (4.9.0) > > doesn't contain the change which introduced CVE." > > Actually it looks like CPE data was revised recently to include minimum > version as 4.10.0 so this should not be required now. Can you please > check again? > You are right about updated CPE, it is not valid anymore for v4.9.0. Thanks for looking into it.
diff --git a/meta-oe/recipes-support/opencv/opencv_4.9.0.bb b/meta-oe/recipes-support/opencv/opencv_4.9.0.bb index cf836d3ecf..e4910553bf 100644 --- a/meta-oe/recipes-support/opencv/opencv_4.9.0.bb +++ b/meta-oe/recipes-support/opencv/opencv_4.9.0.bb @@ -208,3 +208,5 @@ do_install:append() { rm -rf ${D}${bindir}/setup_vars_opencv4.sh fi } + +CVE_STATUS[CVE-2025-53644] = "cpe-incorrect: This version (4.9.0) doesn't contain the change which introduced CVE."
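Review bot: The status text on the added CVE_STATUS[CVE-2025-53644] line ties the justification to the version number only ("This version (4.9.0) doesn't contain the change which introduced CVE.") and does not name the introducing change, so the claim cannot be checked from the recipe itself. Suggest citing the upstream commit the commit message refers to (40faced6) in the status text or in a comment above the line, so the entry can be verified and re-evaluated when the recipe is upgraded past 4.9.0 rather than carried along unchanged. Per the discussion above, the CPE data now gives 4.10.0 as the minimum affected version, in which case the entry is redundant and can be dropped from the series.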
Details https://nvd.nist.gov/vuln/detail/CVE-2025-53644 CVE was fixed by [1] but the change [2] which introduced CVE was not present this version (4.9.0). $ git tag --no-contains 40faced6 | grep 4.9.0 4.9.0 [1] https://github.com/opencv/opencv/commit/a39db41390de546d18962ee1278bd6dbb715f466 [2] https://github.com/opencv/opencv/commit/40faced6c18baa6fbc7c1fbd409d59d6ddecc74f#diff-ae9fbe252ce7879e83e7ae22e594d50b5a8d2ea8dfb4cc8e02e896902a1a8f10R2872 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> --- meta-oe/recipes-support/opencv/opencv_4.9.0.bb | 2 ++ 1 file changed, 2 insertions(+)