From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: Gleb Mazovetskiy <glex.spb@gmail.com>
Cc: Samuel Martin <s.martin49@gmail.com>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/libmodplug: update to git version
Date: Thu, 29 Dec 2022 10:27:53 +0100
Message-ID: <20221229102753.56ee4586@windsurf>
In-Reply-To: <20221219173935.3085978-1-glex.spb@gmail.com>
Hello,
On Mon, 19 Dec 2022 17:39:34 +0000
Gleb Mazovetskiy <glex.spb@gmail.com> wrote:
> The libmodplug release has not been updated for over 5 years.
> The git version contains many bug fixes, including for OOB
> accesses, unaligned reads and writes, etc.
>
> This git repository is the official home of libmodplug (by the original
> author), however a new release does not seem likely anytime soon:
> there are multiple open issues in the repository asking the author to
> tag a release, all without a response.
>
> Update buildroot to the current version of libmodplug from the official
> git repository. The build system changed from autotools to cmake since
> the last version.
>
> Signed-off-by: Gleb Mazovetskiy <glex.spb@gmail.com>
> ---
> package/libmodplug/libmodplug.hash | 2 +-
> package/libmodplug/libmodplug.mk | 6 +++---
> 2 files changed, 4 insertions(+), 4 deletions(-)
I've applied, but with the following addition:
+# Our version is actually newer than this, but having this allows to
+# not have reports about CVEs for versions older than 0.8.9.0.
+LIBMODPLUG_CPE_ID_VERSION = 0.8.9.0
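Review bot: the comment on the first two lines should also state what the pin does not cover: setting LIBMODPLUG_CPE_ID_VERSION to 0.8.9.0 only excludes CVEs whose affected range ends at or before 0.8.9.0, so any CVE whose range includes 0.8.9.0 or later is still reported for the git snapshot even when that snapshot already carries the fix, and "allows to not have reports about CVEs" reads better as "means we do not get reports about CVEs".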
Indeed, with your change as-is, the results at
http://autobuild.buildroot.net/stats/master.html would have shown that
all known CVEs of libmodplug apply to our package... even though they
in fact affect older releases. This is due to the fact that with the
new version being a Git commit hash, it cannot be compared with the
stable version numbers known in the CVE database.
By making this variable's value 0.8.9.0, we allow the CVE matching
logic to exclude CVEs affecting versions older than 0.8.9.0, which we
are now not affected by, as we have a newer code base than 0.8.9.0.
Thanks for your contribution!
Best regards,
Thomas Petazzoni
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
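A toy model of the matching behaviour described in the reply above, added here as an illustration; it is not Buildroot's own CVE-matching script, and the function names, the CVE records, the version numbers and the commit hash in it are constructed placeholders:

```python
import re

# Added illustration, not Buildroot's CVE-matching script; names are invented.
DOTTED = re.compile(r"^\d+(\.\d+)*$")

def parse_version(v):
    """Tuple of ints for a dotted release number; None when the string
    cannot be ordered against release numbers (a git commit hash)."""
    if not DOTTED.match(v):
        return None
    return tuple(int(part) for part in v.split("."))

def cve_applies(version, cve):
    """Report the CVE unless the version provably falls outside its
    affected range. 'start' is inclusive, 'end' exclusive (the fixed
    version); None means unbounded. A version that cannot be parsed
    cannot be compared, so every CVE is reported for it, conservatively."""
    pv = parse_version(version)
    if pv is None:
        return True
    start = parse_version(cve["start"]) if cve["start"] else None
    end = parse_version(cve["end"]) if cve["end"] else None
    if start is not None and pv < start:
        return False
    if end is not None and pv >= end:
        return False
    return True

def report(pkg_version, cves, cpe_id_version=None):
    """Mimic <PKG>_CPE_ID_VERSION: when set, that value, not the package
    version, is what gets compared against the CVE database."""
    effective = cpe_id_version or pkg_version
    return sorted(c["id"] for c in cves if cve_applies(effective, c))

# Constructed records with placeholder ids; not real libmodplug advisories.
SAMPLE_CVES = [
    {"id": "CVE-XXXX-0001", "start": None, "end": "0.8.8.5"},      # fixed in 0.8.8.5
    {"id": "CVE-XXXX-0002", "start": "0.8.8.0", "end": "0.8.9.0"}, # fixed in 0.8.9.0
    {"id": "CVE-XXXX-0003", "start": None, "end": None},           # no fix known
]
GIT_SNAPSHOT = "0123456789abcdef0123456789abcdef01234567"  # placeholder hash

if __name__ == "__main__":
    print(report(GIT_SNAPSHOT, SAMPLE_CVES))                            # bare hash: all three
    print(report(GIT_SNAPSHOT, SAMPLE_CVES, cpe_id_version="0.8.9.0"))  # pinned: only 0003
```

The pin cannot hide a CVE whose affected range includes 0.8.9.0 itself, which is the trade-off accepted when the snapshot already carries fixes made after that release.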
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot