From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
Cc: Jesse Van Gavere <jesseevg@gmail.com>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH v2] package/qt6base: fix CVE-2024-39936
Date: Thu, 15 Aug 2024 14:52:31 +0200
Message-ID: <20240815145231.500ab55e@windsurf>
In-Reply-To: <20240815092616.1201832-1-roykollensvendsen@gmail.com>
Hello Roy,
On Thu, 15 Aug 2024 11:26:14 +0200
Roy Kollen Svendsen <roykollensvendsen@gmail.com> wrote:
> Fixes:
> https://security-tracker.debian.org/tracker/CVE-2024-39936
>
> Got patch from:
> https://github.com/qt/qtbase/commit/2b1e36e183ce75c224305c7a94457b92f7a5cf58
>
> Signed-off-by: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
Thanks, applied to master, after doing two tweaks. First,
package/qt6/qt6base: as the prefix in the commit title (to match the
real location of the package).
> diff --git a/package/qt6/qt6base/qt6base.mk b/package/qt6/qt6base/qt6base.mk
> index 5ab61ba3e0..71dff3e672 100644
> --- a/package/qt6/qt6base/qt6base.mk
> +++ b/package/qt6/qt6base/qt6base.mk
> @@ -10,6 +10,8 @@ QT6BASE_SOURCE = qtbase-$(QT6_SOURCE_TARBALL_PREFIX)-$(QT6BASE_VERSION).tar.xz
> QT6BASE_CPE_ID_VENDOR = qt
> QT6BASE_CPE_ID_PRODUCT = qt
>
> +QT6BASE_IGNORE_CVES += CVE-2024-39936
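Review bot: the added `QT6BASE_IGNORE_CVES += CVE-2024-39936` line has no comment saying why the CVE is ignored, so someone reading qt6base.mk cannot tell whether it is suppressed because a backported patch fixes it or because it does not apply to this package. Put a one-line comment directly above the entry that names the patch file carrying the fix, so the ignore entry can be traced to that patch and dropped together with it once a version bump makes the patch unnecessary.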
And second, after adding a comment above this line that clarifies why
this CVE is ignored (just mentioning the patch file name is enough).
Indeed, not all CVEs are ignored because we have patches. Sometimes, we
ignore CVEs because they are irrelevant in the Buildroot context for
example, in which case we have a comment that explains why.
Thanks!
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com