From patchwork Tue Oct 7 21:02:12 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 71814 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9B74DCCA476 for ; Tue, 7 Oct 2025 21:02:29 +0000 (UTC) Received: from mta-64-227.siemens.flowmailer.net (mta-64-227.siemens.flowmailer.net [185.136.64.227]) by mx.groups.io with SMTP id smtpd.web11.1026.1759870946253920372 for ; Tue, 07 Oct 2025 14:02:27 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm2 header.b=aZlF0DVz; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.227, mailfrom: fm-256628-202510072102151c297d73420002076e-a532ji@rts-flowmailer.siemens.com) Received: by mta-64-227.siemens.flowmailer.net with ESMTPSA id 202510072102151c297d73420002076e for ; Tue, 07 Oct 2025 23:02:21 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc; bh=q02cvyRuIE7cYjpX6+i1GbW4t//BB/qaypMaiasBgzs=; b=aZlF0DVzYNH5wFaMczRTYGmYI8HN5S1wrzyKHCQ3uIx8yFVoHGnKHTbPG6Gh0X6rnJaS/G RTDPJ4l5zk1ze47YrZyW4eapqmRLRy//ffiJA/hLnoPtYjBIlHMXSxroPOcrJxXaIyqMi2Jq 68BmOyMZD5tXDCsrNFe1N9drnmvYykONkLC82x3h1C0zp5aKg78wHwUjwQVu8/YhXNgQvnJz f+4ZDjATjgwZG+NYg9Iuy/vXOYZ0fa9kTvSGOJjztkRewQD6uzc8y7ekoD1fntRrdJdLURcg 59u/Md2sM8fZ3qSQnhr3vDBF5HCfgukxuvpy0wCGV0WMyodOKB2Y5ZdQ==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko Subject: [OE-core][scarthgap][PATCH 1/2] gstreamer1.0: ignore CVEs fixed in plugins Date: Tue, 7 Oct 2025 23:02:12 +0200 Message-Id: <20251007210213.1569226-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 07 Oct 2025 21:02:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224563 From: Peter Marko All these CVEs were fixed in recent commits. Signed-off-by: Peter Marko --- .../gstreamer/gstreamer1.0_1.22.12.bb | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.12.bb index 3f28459e2d0..cfc66745e3b 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.12.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.12.bb @@ -74,17 +74,26 @@ CVE_PRODUCT = "gstreamer" CVE_STATUS[CVE-2024-0444] = "cpe-incorrect: this is patched in gstreamer1.0-plugins-bad in 1.22 branch since 1.22.9" +CVE_STATUS_GROUPS += "CVE_STATUS_PLUGINS_BAD" +CVE_STATUS_PLUGINS_BAD = " \ + CVE-2025-3887 \ +" +CVE_STATUS_PLUGINS_BAD[status] = "cpe-incorrect: this is patched in gstreamer1.0-plugins-bad" + CVE_STATUS_GROUPS += "CVE_STATUS_PLUGINS_BASE" -CVE_STATUS_PLUGINS_BASE = "CVE-2024-47538 CVE-2024-47541 CVE-2024-47542 CVE-2024-47600 CVE-2024-47607 CVE-2024-47615 CVE-2024-47835" -CVE_STATUS_PLUGINS_BASE[status] = "cpe-incorrect: this is patched ic gstreamer1.0-plugins-base" +CVE_STATUS_PLUGINS_BASE = " \ + CVE-2024-47538 CVE-2024-47541 CVE-2024-47542 CVE-2024-47600 CVE-2024-47607 CVE-2024-47615 CVE-2024-47835 \ + CVE-2025-47806 CVE-2025-47807 CVE-2025-47808 \ +" +CVE_STATUS_PLUGINS_BASE[status] = "cpe-incorrect: this is patched in gstreamer1.0-plugins-base" CVE_STATUS_GROUPS += "CVE_STATUS_PLUGINS_GOOD" CVE_STATUS_PLUGINS_GOOD = " \ CVE-2024-47537 CVE-2024-47539 CVE-2024-47540 CVE-2024-47543 CVE-2024-47544 CVE-2024-47545 \ CVE-2024-47546 CVE-2024-47596 CVE-2024-47597 CVE-2024-47598 CVE-2024-47599 CVE-2024-47601 \ CVE-2024-47602 CVE-2024-47603 CVE-2024-47613 CVE-2024-47774 CVE-2024-47775 CVE-2024-47776 \ - CVE-2024-47777 CVE-2024-47778 CVE-2024-47834 \ + CVE-2024-47777 CVE-2024-47778 CVE-2024-47834 CVE-2025-47183 CVE-2025-47219 \ " -CVE_STATUS_PLUGINS_GOOD[status] = "cpe-incorrect: this is patched ic gstreamer1.0-plugins-good" +CVE_STATUS_PLUGINS_GOOD[status] = "cpe-incorrect: this is patched in gstreamer1.0-plugins-good" PTEST_BUILD_HOST_FILES = "" From patchwork Tue Oct 7 21:02:13 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 71815 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9D601CCA470 for ; Tue, 7 Oct 2025 21:02:29 +0000 (UTC) Received: from mta-65-227.siemens.flowmailer.net (mta-65-227.siemens.flowmailer.net [185.136.65.227]) by mx.groups.io with SMTP id smtpd.web11.1027.1759870946254345660 for ; Tue, 07 Oct 2025 14:02:27 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm2 header.b=kK2y8lTZ; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.65.227, mailfrom: fm-256628-2025100721022017803eca4f00020743-ggrnab@rts-flowmailer.siemens.com) Received: by mta-65-227.siemens.flowmailer.net with ESMTPSA id 2025100721022017803eca4f00020743 for ; Tue, 07 Oct 2025 23:02:23 +0200 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=L9Ob8f5g9TIwImFXoei8ni/0BpNzRDAuuon1SeY86CM=; b=kK2y8lTZ0bXYeXzfHcnHnqD02Beac00gHewsxWT4W3ANnt1P1pb9R+8b6BiE/IkJPWwQsj MTkvuCGp9SaJoibHydd8Ubco3NvYuxonCgtUUa/dW4jchWZ3mM9bqYXT6JEeuUpDNy/DffWS YVKVuq2s8eQRmnF6YlyS6iyHmy+wyWQ6zaYOROBKRJmJyVBoCXZvTUm9kA2t1kacbcoToC+u 9DyvQrzHjGGzfUvDEEJAtGsrxxmK9JriW7wsUWuxuSdLBYLCLcb3nwt8TcbmFbWTsHUXNcSf b7niqu+0UTYpn0YB4ycfhJxYwCvnDUEaTDWPxl8cTwbkOjHZF3IPMExQ==; From: Peter Marko To: openembedded-core@lists.openembedded.org Cc: Peter Marko , Steve Sakoman Subject: [OE-core][scarthgap][PATCH 2/2] gstreamer1.0: ignore CVE-2025-2759 Date: Tue, 7 Oct 2025 23:02:13 +0200 Message-Id: <20251007210213.1569226-2-peter.marko@siemens.com> In-Reply-To: <20251007210213.1569226-1-peter.marko@siemens.com> References: <20251007210213.1569226-1-peter.marko@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-256628:519-21489:flowmailer List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 07 Oct 2025 21:02:29 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/224562 From: Peter Marko Copy statement from [1] that it is problem of installers (non-Linux). Also [2] linked in NVD says "Fixed in 1.25.1 Gstreamer Installer". Since Yocto builds from sources into our own packages, ignore it. [1] https://security-tracker.debian.org/tracker/CVE-2025-2759 [2] https://www.zerodayinitiative.com/advisories/ZDI-25-268/ (From OE-Core rev: 99ee1df6bde2ffd4fa2ddea44c0a9b94d9d77bae) Signed-off-by: Peter Marko Signed-off-by: Steve Sakoman --- meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.12.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.12.bb b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.12.bb index cfc66745e3b..5b0ba379774 100644 --- a/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.12.bb +++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0_1.22.12.bb @@ -96,4 +96,6 @@ CVE_STATUS_PLUGINS_GOOD = " \ " CVE_STATUS_PLUGINS_GOOD[status] = "cpe-incorrect: this is patched in gstreamer1.0-plugins-good" +CVE_STATUS[CVE-2025-2759] = "not-applicable-platform: affects installation packages for non Linux OSes" + PTEST_BUILD_HOST_FILES = ""