[meta-gnome,03/13] gimp: ignore already fixed CVEs

Message ID	20260223191850.1049304-3-skandigraun@gmail.com
State	New
Headers	show Return-Path: <skandigraun@gmail.com> ip: 209.85.221.49, mailfrom: skandigraun@gmail.com) From: Gyorgy Sarvari <skandigraun@gmail.com> To: openembedded-devel@lists.openembedded.org Subject: [meta-gnome][PATCH 03/13] gimp: ignore already fixed CVEs Date: Mon, 23 Feb 2026 20:18:40 +0100 Message-ID: <20260223191850.1049304-3-skandigraun@gmail.com> In-Reply-To: <20260223191850.1049304-1-skandigraun@gmail.com> References: <20260223191850.1049304-1-skandigraun@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[meta-oe,01/13] freerdp: patch CVE-2026-22852 \| expand [meta-oe,01/13] freerdp: patch CVE-2026-22852 [meta-oe,02/13] freerdp: ignore CVE-2026-22853 [meta-gnome,03/13] gimp: ignore already fixed CVEs [meta-gnome,04/13] gnome-shell: ignore CVE-2021-3982 [meta-oe,05/13] libcdio: mark CVE-2024-36600 fixed [meta-multimedia,06/13] minidlna: ignore CVE-2024-51442 [meta-oe,07/13] openjpeg: patch CVE-2023-39327 [meta-oe,08/13] polkit: add info about CVE-2016-2568 [meta-oe,09/13] protobuf: ignore CVE-2026-0994 [meta-oe,10/13] live555: upgrade 20210824 -> 20260112 [meta-python,11/13] python3-pillow: upgrade 12.1.0 -> 12.1.1 [meta-python,12/13] python3-werkzeug: upgrade 3.1.5 -> 3.1.6 [meta-webserver,13/13] webmin: patch CVE-2025-67738

Message ID

20260223191850.1049304-3-skandigraun@gmail.com

State

New

Headers

From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-gnome][PATCH 03/13] gimp: ignore already fixed CVEs
Date: Mon, 23 Feb 2026 20:18:40 +0100
Message-ID: <20260223191850.1049304-3-skandigraun@gmail.com>
In-Reply-To: <20260223191850.1049304-1-skandigraun@gmail.com>
References: <20260223191850.1049304-1-skandigraun@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[meta-oe,01/13] freerdp: patch CVE-2026-22852 | expand

Commit Message

Gyorgy Sarvari Feb. 23, 2026, 7:18 p.m. UTC

Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0797
https://nvd.nist.gov/vuln/detail/CVE-2026-2044
https://nvd.nist.gov/vuln/detail/CVE-2026-2045
https://nvd.nist.gov/vuln/detail/CVE-2026-2047
https://nvd.nist.gov/vuln/detail/CVE-2026-2048

All these CVEs are already fixed in the recipe version, however
NVD tracks them currently without CPE info. Ignore them.

Relevant upstream commits:
CVE-2026-0797: https://gitlab.gnome.org/GNOME/gimp/-/commit/ca449c745d58daa3f4b1ed4c2030d35d401a009d
Note that the commit referenced by NVD is incorrect. This commit
was identified from the relevant upstream Gitlab issue:
https://gitlab.gnome.org/GNOME/gimp/-/issues/15555

CVE-2026-2044: https://gitlab.gnome.org/GNOME/gimp/-/commit/3b5f9ec2b4c03cf4a51a5414f2793844c26747e5
CVE-2026-2045: https://gitlab.gnome.org/GNOME/gimp/-/commit/bb896f67942557658b3fbfc67a1c073775c002c7
CVE-2026-2047: https://gitlab.gnome.org/GNOME/gimp/-/commit/5873e16f80cf4152d25a4c86b08553008a331e90
CVE-2026-2048: https://gitlab.gnome.org/GNOME/gimp/-/commit/fa69ac5ec5692f675de5c50a6df758f7d3e45117
---
 meta-gnome/recipes-gimp/gimp/gimp_3.0.8.bb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/meta-gnome/recipes-gimp/gimp/gimp_3.0.8.bb b/meta-gnome/recipes-gimp/gimp/gimp_3.0.8.bb
index 860fb5d26b..5cbb94055a 100644
--- a/meta-gnome/recipes-gimp/gimp/gimp_3.0.8.bb
+++ b/meta-gnome/recipes-gimp/gimp/gimp_3.0.8.bb
@@ -135,4 +135,7 @@  RDEPENDS:${PN} = "mypaint-brushes-1.0 glib-networking python3-pygobject"
 
 CVE_STATUS[CVE-2007-3741] = "not-applicable-platform: This only applies for Mandriva Linux"
 CVE_STATUS[CVE-2025-8672] = "not-applicable-config: the vulnerability only affects MacOS"
-CVE_STATUS[CVE-2025-15059] = "fixed-version: The issue is fixed since v3.0.8"
+
+CVE_STATUS_GROUPS += "CVE_STATUS_FIXED_ALREADY"
+CVE_STATUS_FIXED_ALREADY[status] = "fixed-version: The issue is fixed since v3.0.8"
+CVE_STATUS_FIXED_ALREADY = "CVE-2025-15059 CVE-2026-0797 CVE-2026-2044 CVE-2026-2045 CVE-2026-2047 CVE-2026-2048"

[meta-gnome,03/13] gimp: ignore already fixed CVEs

Commit Message

Patch