From patchwork Sat Aug 10 15:38:26 2024
X-Patchwork-Submitter: akuster808
X-Patchwork-Id: 47631
From: Armin Kuster
To: openembedded-devel@lists.openembedded.org
Cc: Ninette Adhikari, Khem Raj
Subject: [meta-oe][scarthgap][PATCH 1/5] imagemagick: Update status for CVE
Date: Sat, 10 Aug 2024 11:38:26 -0400
Message-Id: <20240810153830.900538-1-akuster808@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/111745

From: Ninette Adhikari

Update status for: CVE-2014-9804, CVE-2014-9805, CVE-2014-9806, CVE-2014-9807, CVE-2014-9808, CVE-2014-9809, CVE-2014-9810, CVE-2014-9811, CVE-2014-9812, CVE-2014-9813, CVE-2014-9814, CVE-2014-9815, CVE-2014-9816, CVE-2014-9817, CVE-2014-9818, CVE-2014-9819, CVE-2014-9820, CVE-2014-9821, CVE-2016-7531

CPE is incorrect, the current version (7.1.1) is not affected.

Signed-off-by: Ninette Adhikari
Signed-off-by: Khem Raj
(cherry picked from commit 388b8017f9c86428d5965f8c45d64f4477984ac0)
Signed-off-by: Armin Kuster
---
 .../imagemagick/imagemagick_7.1.1.bb | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb index 6ab8a61b9b..61dc1b795e 100644 --- a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb +++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb
@@ -99,3 +99,23 @@ ALTERNATIVE_LINK_NAME[montage.1] = "${mandir}/man1/montage.1" ALTERNATIVE_TARGET[montage.1] = "${mandir}/man1/montage.im7.1" ALTERNATIVE_LINK_NAME[stream.1] = "${mandir}/man1/stream.1" ALTERNATIVE_TARGET[stream.1] = "${mandir}/man1/stream.im7.1" + +CVE_STATUS[CVE-2014-9804] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9805] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9806] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9807] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9808] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9809] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9810] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9811] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9812] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9813] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9814] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9815] = 
"cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9816] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9817] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9818] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9819] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9820] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9821] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-7531] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 7.0.1-0"
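
Review bot: every added CVE_STATUS string hard-codes "(7.1.1)" and states the fixed version only as "at least earlier than 6.9.4-0" (7.0.1-0 for CVE-2016-7531), with no reference showing where that version comes from. A cpe-incorrect status takes the ID out of the unpatched list in cve-check, so each override should be auditable: please cite the source of the fixed-in version (upstream changelog or advisory) in the commit message or in a recipe comment. Dropping the literal recipe version from the text would also keep the strings from going stale on the next recipe upgrade, and if the NVD version range is what is wrong, a correction request there would let these overrides be removed later.
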
From: Armin Kuster
To: openembedded-devel@lists.openembedded.org
Cc: Ninette Adhikari, Khem Raj
Subject: [meta-oe][scarthgap][PATCH 2/5] imagemagick: Update status for CVE
Date: Sat, 10 Aug 2024 11:38:27 -0400
Message-Id: <20240810153830.900538-2-akuster808@gmail.com>
In-Reply-To: <20240810153830.900538-1-akuster808@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/111746

From: Ninette Adhikari

Update status for: CVE-2016-7534, CVE-2016-7535, CVE-2016-7536, CVE-2016-7537, CVE-2016-7538, CVE-2017-5506, CVE-2017-5509, CVE-2017-5510, CVE-2017-5511, CVE-2007-1667

CPE is incorrect, the current version (7.1.1) is not affected.

Signed-off-by: Ninette Adhikari
Signed-off-by: Khem Raj
(cherry picked from commit 9f2e9daef1891d373792d5b1bcc36719349ba843)
Signed-off-by: Armin Kuster
---
 .../recipes-support/imagemagick/imagemagick_7.1.1.bb | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb index 61dc1b795e..8dc3cb267b 100644 --- a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb +++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb
@@ -119,3 +119,13 @@ CVE_STATUS[CVE-2014-9819] = "cpe-incorrect: The current version (7.1.1) is not a CVE_STATUS[CVE-2014-9820] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" CVE_STATUS[CVE-2014-9821] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" CVE_STATUS[CVE-2016-7531] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 7.0.1-0" +CVE_STATUS[CVE-2016-7534] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-7535] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-7536] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-7537] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-7538] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2017-5506] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 7.0.4-4" +CVE_STATUS[CVE-2017-5509] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 7.0.4-4" +CVE_STATUS[CVE-2017-5510] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 7.0.4-4" +CVE_STATUS[CVE-2017-5511] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 7.0.4-3" +CVE_STATUS[CVE-2007-1667] = "cpe-incorrect: CVE 
should not include a CPE for imagemagick"
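
Review bot: the last added line, CVE_STATUS[CVE-2007-1667], is appended after the CVE-2017 entries, which breaks the ascending order of the block, and patch 3/5 then has to move it to the top; placing it before CVE-2014-9804 here would avoid that churn. Separately, CVE-2017-5511 gives 7.0.4-3 while CVE-2017-5506, CVE-2017-5509 and CVE-2017-5510 give 7.0.4-4, so please confirm the difference is intended and not a typo. The CVE-2007-1667 reason ("CVE should not include a CPE for imagemagick") would be easier to audit with one line saying which product the CVE actually belongs to.
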
From: Armin Kuster
To: openembedded-devel@lists.openembedded.org
Cc: Ninette Adhikari, Khem Raj
Subject: [meta-oe][scarthgap][PATCH 3/5] imagemagick: Update status for CVE
Date: Sat, 10 Aug 2024 11:38:28 -0400
Message-Id: <20240810153830.900538-3-akuster808@gmail.com>
In-Reply-To: <20240810153830.900538-1-akuster808@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/111747

From: Ninette Adhikari

Update status for: CVE-2016-7532, CVE-2014-9822, CVE-2014-9823, CVE-2014-9824, CVE-2014-9825, CVE-2014-9826, CVE-2014-9827, CVE-2014-9828, CVE-2014-9829, CVE-2014-9830, CVE-2014-9831, CVE-2014-9848, CVE-2014-9852, CVE-2014-9853, CVE-2014-9854, CVE-2014-9907, CVE-2016-10062, CVE-2016-10144, CVE-2016-10145, CVE-2016-10146, CVE-2016-5118, CVE-2016-7513, CVE-2016-7514, CVE-2016-7515, CVE-2016-7516, CVE-2016-7517, CVE-2016-7518, CVE-2016-7519, CVE-2016-7520, CVE-2016-7521, CVE-2016-7522, CVE-2016-7523, CVE-2016-7524, CVE-2016-7525, CVE-2016-7526, CVE-2016-7527, CVE-2016-7528, CVE-2016-7529, CVE-2016-7530, CVE-2016-7533

CPE is incorrect, the current version is not affected.

Signed-off-by: Ninette Adhikari
Signed-off-by: Khem Raj
(cherry picked from commit f8c70167e6a00ad1d2d8ee5675e2c84d59f2dfd5)
Signed-off-by: Armin Kuster
---
 .../imagemagick/imagemagick_7.1.1.bb | 42 ++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb index 8dc3cb267b..5407c4e400 100644 --- a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb +++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb
@@ -100,6 +100,7 @@ ALTERNATIVE_TARGET[montage.1] = "${mandir}/man1/montage.im7.1" ALTERNATIVE_LINK_NAME[stream.1] = "${mandir}/man1/stream.1" ALTERNATIVE_TARGET[stream.1] = "${mandir}/man1/stream.im7.1" +CVE_STATUS[CVE-2007-1667] = "cpe-incorrect: CVE should not include a CPE for imagemagick" CVE_STATUS[CVE-2014-9804] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" CVE_STATUS[CVE-2014-9805] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" CVE_STATUS[CVE-2014-9806] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" 
@@ -118,7 +119,47 @@ CVE_STATUS[CVE-2014-9818] = "cpe-incorrect: The current version (7.1.1) is not a CVE_STATUS[CVE-2014-9819] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" CVE_STATUS[CVE-2014-9820] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" CVE_STATUS[CVE-2014-9821] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9822] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9823] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9824] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9825] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9826] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9827] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9828] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9829] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9830] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9831] = "cpe-incorrect: The 
current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9848] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9852] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9853] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9854] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2014-9907] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-10062] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 7.0.1-10" +CVE_STATUS[CVE-2016-10144] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.7-1" +CVE_STATUS[CVE-2016-10145] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.7-1" +CVE_STATUS[CVE-2016-10146] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.6-8" +CVE_STATUS[CVE-2016-5118] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 7.0.1-7" +CVE_STATUS[CVE-2016-7513] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-7514] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 7.0.1-0" +CVE_STATUS[CVE-2016-7515] = 
"cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-7516] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-7517] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-7518] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-7519] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-7520] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-7521] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-7522] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-7523] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-7524] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-7525] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-7526] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-7527] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-7528] 
= "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-7529] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-7530] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" CVE_STATUS[CVE-2016-7531] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 7.0.1-0" +CVE_STATUS[CVE-2016-7532] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" +CVE_STATUS[CVE-2016-7533] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" CVE_STATUS[CVE-2016-7534] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" CVE_STATUS[CVE-2016-7535] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" CVE_STATUS[CVE-2016-7536] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 6.9.4-0" 
@@ -128,4 +169,3 @@ CVE_STATUS[CVE-2017-5506] = "cpe-incorrect: The current version (7.1.1) is not a CVE_STATUS[CVE-2017-5509] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 7.0.4-4" CVE_STATUS[CVE-2017-5510] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 7.0.4-4" CVE_STATUS[CVE-2017-5511] = "cpe-incorrect: The current version (7.1.1) is not affected by the CVE which affects versions at least earlier than 7.0.4-3" -CVE_STATUS[CVE-2007-1667] = "cpe-incorrect: CVE should not include a CPE for imagemagick"
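
Review bot: the middle hunk adds 40 more per-ID lines that repeat one justification, so after this patch the recipe carries 69 CVE_STATUS assignments that differ only in the CVE ID and, in a few cases, the fixed-in version. Grouping the IDs with CVE_STATUS_GROUPS, one group per fixed-in version with a single status string, would make the outliers (6.9.6-8, 6.9.7-1, 7.0.1-7, 7.0.1-10) stand out for review and reduce the chance of a copy-paste error in an individual line. The first and last hunks only move CVE_STATUS[CVE-2007-1667] from the end of the block to the top; the commit message should mention that move, since it is the "1 deletion" in the diffstat.
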
From: Armin Kuster
To: openembedded-devel@lists.openembedded.org
Cc: Markus Volk, Khem Raj
Subject: [meta-oe][scarthgap][PATCH 4/5] exiv2: update 0.28.0 -> 0.28.2
Date: Sat, 10 Aug 2024 11:38:29 -0400
Message-Id: <20240810153830.900538-4-akuster808@gmail.com>
In-Reply-To: <20240810153830.900538-1-akuster808@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/111748

From: Markus Volk

- Remove outdated comment
- Switch to git fetcher. Otherwise the official download location leads to:
  WARNING: exiv2-0.28.2-r0 do_recipe_qa: QA Issue: exiv2: SRC_URI uses unstable GitHub/GitLab archives, convert recipe to use git protocol [src-uri-bad]
- Remove reproducibility hack. There's no buildpath leakage in exiv2Config.cmake anymore.

Changes from version 0.28.1 to 0.28.2
-------------------------------------

Release Notes:
* https://github.com/Exiv2/exiv2/issues/2914
* https://github.com/Exiv2/exiv2/milestone/13?closed=1

This release also fixes two low-severity security issues in quicktimevideo.cpp:
* [CVE-2024-24826](https://github.com/Exiv2/exiv2/security/advisories/GHSA-g9xm-7538-mq8w): out-of-bounds read in QuickTimeVideo::NikonTagsDecoder.
* [CVE-2024-25112](https://github.com/Exiv2/exiv2/security/advisories/GHSA-crmj-qh74-2r36): denial of service due to unbounded recursion in QuickTimeVideo::multipleEntriesDecoder.

These vulnerabilities are in a new feature (quicktime video) that was added in version 0.28.0, so earlier versions of Exiv2 are not affected.

Changes from version 0.28.0 to 0.28.1
-------------------------------------

Release Notes: https://github.com/Exiv2/exiv2/issues/2813

This release also fixes [CVE-2023-44398](https://github.com/Exiv2/exiv2/security/advisories/GHSA-hrw9-ggg3-3r4r), an out-of-bounds write in `BmffImage::brotliUncompress`. The vulnerability is in new code that was added in version 0.28.0, so earlier versions of Exiv2 are not affected.

Signed-off-by: Markus Volk
Signed-off-by: Khem Raj
(cherry picked from commit 3a9fc5ba68d8c121e70c018d4f4a782693def40b)
Signed-off-by: Armin Kuster
---
 meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb | 19 -------------------
 meta-oe/recipes-support/exiv2/exiv2_0.28.2.bb | 11 +++++++++++
 2 files changed, 11 insertions(+), 19 deletions(-)
 delete mode 100644 meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb
 create mode 100644 meta-oe/recipes-support/exiv2/exiv2_0.28.2.bb

diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb b/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb deleted file mode 100644 index 958810cf7a..0000000000 --- a/meta-oe/recipes-support/exiv2/exiv2_0.28.0.bb +++ /dev/null @@ -1,19 +0,0 @@ -SUMMARY = "Exif, Iptc and XMP metadata manipulation library and tools" -LICENSE = "GPL-2.0-only" -LIC_FILES_CHKSUM = "file://COPYING;md5=625f055f41728f84a8d7938acc35bdc2" - -DEPENDS = "zlib expat brotli libinih" - -SRC_URI = "https://github.com/Exiv2/${BPN}/releases/download/v${PV}/${BP}-Source.tar.gz" -SRC_URI[sha256sum] = "89af3b5ef7277753ef7a7b5374ae017c6b9e304db3b688f1948e73e103491f3d" -# Once patch is obsolete (project should be aware due to PRs), dos2unix can be removed either -# inherit dos2unix -S = "${WORKDIR}/${BP}-Source" - -inherit cmake gettext - -do_install:append:class-target() { - # reproducibility: remove build host path - sed -i ${D}${libdir}/cmake/exiv2/exiv2Config.cmake \ - -e 's:${STAGING_DIR_HOST}::g' -} diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.2.bb b/meta-oe/recipes-support/exiv2/exiv2_0.28.2.bb new file mode 100644 index 0000000000..faae247998 --- /dev/null +++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.2.bb 
@@ -0,0 +1,11 @@ +SUMMARY = "Exif, Iptc and XMP metadata manipulation library and tools" +LICENSE = "GPL-2.0-only" +LIC_FILES_CHKSUM = "file://COPYING;md5=625f055f41728f84a8d7938acc35bdc2" + +DEPENDS = "zlib expat brotli libinih" + +SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x" +SRCREV = "04207b9c39bf7b3b1a7144f7ed4e4f16b4f29ef6" +S = "${WORKDIR}/git" + +inherit cmake gettext From patchwork Sat Aug 10 15:38:30 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: akuster808 X-Patchwork-Id: 47630 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 01CD9C3DA7F for ; Sat, 10 Aug 2024 15:38:39 +0000 (UTC) Received: from mail-yb1-f175.google.com (mail-yb1-f175.google.com [209.85.219.175]) by mx.groups.io with SMTP id smtpd.web10.7846.1723304313960738909 for ; Sat, 10 Aug 2024 08:38:34 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=h5HamJKO; spf=pass (domain: gmail.com, ip: 209.85.219.175, mailfrom: akuster808@gmail.com) Received: by mail-yb1-f175.google.com with SMTP id 3f1490d57ef6-e0bfa0b70ceso2673851276.2 for ; Sat, 10 Aug 2024 08:38:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723304313; x=1723909113; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=/lqq96v0Z5IszthSP3KcQyBJWzc4HSghK2/ByJyY8Lc=; b=h5HamJKOzC63zx8gL67caNEuodEaL/mM0xCgTGAcngIWZ2p/gQEKk0J5Rre8MgvR3S Eaw6lEwoHv4aU1EFOXn/uJmdrpWZ4eBQSvaeRJJuUBgg8tp+eru9SdflXgiuj9uwzGjH s+RjmXvY0oB8dpQEvVM+Om3amTOZu2lcyvlt8o7/TB9WYzL/xmO0sv2D/mtnhcJsg5kI 
From: Armin Kuster To: openembedded-devel@lists.openembedded.org Cc: alperak , Khem Raj Subject: [meta-oe][scarthgap][PATCH 5/5] exiv2: Upgrade 0.28.2 to 0.28.3 for CVE fix Date: Sat, 10 Aug 2024 11:38:30 -0400 Message-Id: <20240810153830.900538-5-akuster808@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240810153830.900538-1-akuster808@gmail.com> References: <20240810153830.900538-1-akuster808@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 10 Aug 2024 15:38:39 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/111749 From: alperak Release Notes: * https://github.com/Exiv2/exiv2/issues/3008 * https://github.com/Exiv2/exiv2/milestone/14?closed=1 This release also fixes a low-severity security issue in asfvideo.cpp: * [CVE-2024-39695](https://github.com/Exiv2/exiv2/security/advisories/GHSA-38rv-8x93-pvrh): out-of-bounds read in AsfVideo::streamProperties. This vulnerability is in a new feature (ASF video) that was added in version 0.28.0, so earlier versions of Exiv2 are not affected. Signed-off-by: alperak Signed-off-by: Khem Raj (cherry picked from commit 9f4361418d58941d058fb94a3671b9d0904b6300) Signed-off-by: Armin Kuster --- .../recipes-support/exiv2/{exiv2_0.28.2.bb => exiv2_0.28.3.bb} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename meta-oe/recipes-support/exiv2/{exiv2_0.28.2.bb => exiv2_0.28.3.bb} (86%) diff --git a/meta-oe/recipes-support/exiv2/exiv2_0.28.2.bb b/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb similarity index 86% rename from meta-oe/recipes-support/exiv2/exiv2_0.28.2.bb rename to meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb index faae247998..3e33ab7953 100644 --- a/meta-oe/recipes-support/exiv2/exiv2_0.28.2.bb +++ b/meta-oe/recipes-support/exiv2/exiv2_0.28.3.bb 
@@ -5,7 +5,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=625f055f41728f84a8d7938acc35bdc2" DEPENDS = "zlib expat brotli libinih" SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x" -SRCREV = "04207b9c39bf7b3b1a7144f7ed4e4f16b4f29ef6" +SRCREV = "a6a79ef064f131ffd03c110acce2d3edb84ffa2e" S = "${WORKDIR}/git" inherit cmake gettext
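Review bot: in [PATCH 4/5], the hunk deleting exiv2_0.28.0.bb drops the `do_install:append:class-target()` sed that stripped `${STAGING_DIR_HOST}` from exiv2Config.cmake, and the only support for that is the commit message's statement that the leakage is gone. Please state how this was checked on scarthgap, for example that the installed `${libdir}/cmake/exiv2/exiv2Config.cmake` from a target build contains no build host path and that the `buildpaths` QA check stays quiet. If the path is still written under some configuration, the packaged file carries host paths again and the build stops being reproducible.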
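Review bot: in [PATCH 4/5], the new exiv2_0.28.2.bb hunk pins `SRCREV = "04207b9c39bf7b3b1a7144f7ed4e4f16b4f29ef6"` with nothing in the recipe or the commit message saying which upstream tag that commit is. The old recipe fetched the `v${PV}` release tarball and checked it against `SRC_URI[sha256sum]`, so the version in the file name and the fetched source were tied together; with the git fetcher the version 0.28.2 comes from the file name only and the hash is the sole link to the release that fixes CVE-2024-24826, CVE-2024-25112 and CVE-2023-44398. A one-line comment above `SRCREV` naming the tag, or a sentence in the commit message, would let a reviewer confirm the pin against the upstream release.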
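Review bot: in [PATCH 5/5], the `+SRCREV = "a6a79ef064f131ffd03c110acce2d3edb84ffa2e"` line moves the stable scarthgap recipe to everything in 0.28.3, while the subject and message justify the bump only by CVE-2024-39695. The linked release notes and milestone cover more than the AsfVideo::streamProperties fix, so please add a sentence to the commit message confirming that 0.28.3 is a bug-fix release with no API or ABI change for recipes that depend on exiv2, which is what a stable-branch reviewer needs in order to accept a version upgrade instead of a backported patch.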