Re: [Buildroot] [PATCH 01/14] package/sox: add CVE trailer in patches

[Thomas Petazzoni via buildroot <buildroot@buildroot.org>]

Hello Thomas,

On Mon, 29 Dec 2025 10:07:06 +0100
Thomas Perale via buildroot <buildroot@buildroot.org> wrote:

> Since Buildroot commit [1] the patches that fixes a security
> vulnerability needs to reference the fixed vulnerability.
> 
> This patch adds the relevant information to the patches header.
> 
> [1] 1167d0ff3d docs/manual: mention CVE trailer
> 
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> ---
>  ...voc-word-width-should-never-be-0-to-avoid-division-b.patch | 2 ++
>  package/sox/0007-hcom-validate-dictsize.patch                 | 4 ++++
>  package/sox/0008-phere-avoid-integer-underflow.patch          | 1 +
>  ...formats-aiff-reject-implausibly-large-number-of-chan.patch | 2 ++
>  package/sox/0010-formats-reject-implausible-rate.patch        | 1 +
>  ...CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch | 1 +
>  6 files changed, 11 insertions(+)

Series applied, thanks!

Two notes:

- When you add the Upstream: header, make sure to update the
  .checkpackageignore file as well. You can run "make check-package",
  or have a Git commit hook that checks it for you.

- Also, when you add the Upstream: header, if there's already the same
  information in the patch, but in a non-machine parseable form, drop
  this additional info. For example in this series:

+CVE: CVE-2021-42260
+Upstream: https://sourceforge.net/p/tinyxml/git/merge-requests/1
 [Retrieved (and backported) from:
 https://sourceforge.net/p/tinyxml/git/merge-requests/1]

  You should drop the [Retrieved (and backported) from  ...], because
  that information is now provided by the Upstream: tag.

Thanks!

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot