* [Buildroot] [PATCH 01/14] package/sox: add CVE trailer in patches
From: Thomas Perale via buildroot @ 2025-12-29 9:07 UTC (permalink / raw)
To: buildroot
Cc: Raphaël Mélotte, Bernd Kuhls, Gilles Talis,
Martin Kepplinger, Angelo Compagnucci, Joachim Wiberg,
Olivier Schonken
Since Buildroot commit [1], the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch headers.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
...voc-word-width-should-never-be-0-to-avoid-division-b.patch | 2 ++
package/sox/0007-hcom-validate-dictsize.patch | 4 ++++
package/sox/0008-phere-avoid-integer-underflow.patch | 1 +
...formats-aiff-reject-implausibly-large-number-of-chan.patch | 2 ++
package/sox/0010-formats-reject-implausible-rate.patch | 1 +
...CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch | 1 +
6 files changed, 11 insertions(+)
diff --git a/package/sox/0006-voc-word-width-should-never-be-0-to-avoid-division-b.patch b/package/sox/0006-voc-word-width-should-never-be-0-to-avoid-division-b.patch
index 94298b7ae5..2b516fa4c3 100644
--- a/package/sox/0006-voc-word-width-should-never-be-0-to-avoid-division-b.patch
+++ b/package/sox/0006-voc-word-width-should-never-be-0-to-avoid-division-b.patch
@@ -8,6 +8,8 @@ Bug-Debian: https://bugs.debian.org/1010374
This patch fixes both CVE-2021-3643 and CVE-2021-23210.
+CVE: CVE-2021-3643
+CVE: CVE-2021-23210
Upstream: https://sourceforge.net/p/sox/bugs/351/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
diff --git a/package/sox/0007-hcom-validate-dictsize.patch b/package/sox/0007-hcom-validate-dictsize.patch
index 722b64675b..c221f74c59 100644
--- a/package/sox/0007-hcom-validate-dictsize.patch
+++ b/package/sox/0007-hcom-validate-dictsize.patch
@@ -10,6 +10,10 @@ Bug-Debian: https://bugs.debian.org/1021134
This patch fixes both CVE-2021-23159 and CVE-2021-23172.
+CVE: CVE-2021-23159
+CVE: CVE-2021-23172
+CVE: CVE-2023-34318
+CVE: CVE-2023-34432
Upstream: https://sourceforge.net/p/sox/bugs/350/
Upstream: https://sourceforge.net/p/sox/bugs/352/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
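Review bot: the two added trailers `CVE: CVE-2023-34318` and `CVE: CVE-2023-34432` are not accounted for by the description line kept in context, which still reads "This patch fixes both CVE-2021-23159 and CVE-2021-23172."; either extend that sentence to name all four identifiers or state in the commit message why the two 2023 CVEs are covered by this same hcom dictsize check, so a later reader can verify the trailers without re-deriving the mapping.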
diff --git a/package/sox/0008-phere-avoid-integer-underflow.patch b/package/sox/0008-phere-avoid-integer-underflow.patch
index 7c59896660..cc3cc533e7 100644
--- a/package/sox/0008-phere-avoid-integer-underflow.patch
+++ b/package/sox/0008-phere-avoid-integer-underflow.patch
@@ -7,6 +7,7 @@ Link: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1434
Bug: https://sourceforge.net/p/sox/bugs/362/
Bug-Debian: https://bugs.debian.org/1012138
+CVE: CVE-2021-40426
Upstream: https://sourceforge.net/p/sox/bugs/362/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
diff --git a/package/sox/0009-formats-aiff-reject-implausibly-large-number-of-chan.patch b/package/sox/0009-formats-aiff-reject-implausibly-large-number-of-chan.patch
index fd1d210da1..0489d82601 100644
--- a/package/sox/0009-formats-aiff-reject-implausibly-large-number-of-chan.patch
+++ b/package/sox/0009-formats-aiff-reject-implausibly-large-number-of-chan.patch
@@ -6,6 +6,8 @@ Subject: [PATCH] formats+aiff: reject implausibly large number of channels
Bug: https://sourceforge.net/p/sox/bugs/360/
Bug-Debian: https://bugs.debian.org/1012516
+CVE: CVE-2022-31650
+CVE: CVE-2023-26590
Upstream: https://sourceforge.net/p/sox/bugs/360/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
diff --git a/package/sox/0010-formats-reject-implausible-rate.patch b/package/sox/0010-formats-reject-implausible-rate.patch
index 5e60b62011..0805c2f958 100644
--- a/package/sox/0010-formats-reject-implausible-rate.patch
+++ b/package/sox/0010-formats-reject-implausible-rate.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] formats: reject implausible rate
Bug: https://sourceforge.net/p/sox/bugs/360/
Bug-Debian: https://bugs.debian.org/1012516
+CVE: CVE-2022-31651
Upstream: https://sourceforge.net/p/sox/bugs/360/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
diff --git a/package/sox/0011-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch b/package/sox/0011-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch
index b67d23c12d..7abdf54feb 100644
--- a/package/sox/0011-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch
+++ b/package/sox/0011-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch
@@ -10,6 +10,7 @@ bug-redhat: https://bugzilla.redhat.com/show_bug.cgi?id=2212282
bug-debian: https://bugs.debian.org/1041112
bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-32627
+CVE: CVE-2023-32627
Upstream: https://sourceforge.net/p/sox/bugs/369/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
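Review bot: the existing trailers in this header are lowercase (`bug-redhat:`, `bug-debian:`, `bug-debian-security:`) while the added line is `CVE: CVE-2023-32627` and the other sox patches in this series use `Bug-Debian:`; since the header is being touched anyway, normalising the casing in the same hunk would keep all sox patch trailers matchable with one pattern.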
--
2.52.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* [Buildroot] [PATCH 02/14] package/x11vnc: add CVE trailer in patch
From: Thomas Perale via buildroot @ 2025-12-29 9:07 UTC (permalink / raw)
To: buildroot
Cc: Raphaël Mélotte, Bernd Kuhls, Gilles Talis,
Martin Kepplinger, Angelo Compagnucci, Joachim Wiberg,
Olivier Schonken
Since Buildroot commit [1], the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
...02-scan-limit-access-to-shared-memory-segments-to-curre.patch | 1 +
1 file changed, 1 insertion(+)
diff --git a/package/x11vnc/0002-scan-limit-access-to-shared-memory-segments-to-curre.patch b/package/x11vnc/0002-scan-limit-access-to-shared-memory-segments-to-curre.patch
index 05977375d8..015a8c4c41 100644
--- a/package/x11vnc/0002-scan-limit-access-to-shared-memory-segments-to-curre.patch
+++ b/package/x11vnc/0002-scan-limit-access-to-shared-memory-segments-to-curre.patch
@@ -3,6 +3,7 @@ From: =?UTF-8?q?Gu=C3=A9nal=20DAVALAN?= <guenal.davalan@uca.fr>
Date: Wed, 18 Nov 2020 08:40:45 +0100
Subject: [PATCH] scan: limit access to shared memory segments to current user
+CVE: CVE-2020-29074
Upstream: https://github.com/LibVNC/x11vnc/commit/69eeb9f7baa14ca03b16c9de821f9876def7a36a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
--
2.52.0
* [Buildroot] [PATCH 03/14] package/tinyxml: add CVE trailer in patch
From: Thomas Perale via buildroot @ 2025-12-29 9:07 UTC (permalink / raw)
To: buildroot
Cc: Raphaël Mélotte, Bernd Kuhls, Gilles Talis,
Martin Kepplinger, Angelo Compagnucci, Joachim Wiberg,
Olivier Schonken
Since Buildroot commit [1], the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
.../0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch | 2 ++
1 file changed, 2 insertions(+)
diff --git a/package/tinyxml/0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch b/package/tinyxml/0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch
index ea0f6476c8..1da5ee913d 100644
--- a/package/tinyxml/0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch
+++ b/package/tinyxml/0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch
@@ -8,6 +8,8 @@ by two non-zero bytes. In case of malformed input (0xef should be
the start byte of a three byte character) this leads to an infinite
loop. (CVE-2021-42260)
+CVE: CVE-2021-42260
+Upstream: https://sourceforge.net/p/tinyxml/git/merge-requests/1
[Retrieved (and backported) from:
https://sourceforge.net/p/tinyxml/git/merge-requests/1]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
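Review bot: the added `Upstream: https://sourceforge.net/p/tinyxml/git/merge-requests/1` duplicates the URL in the `[Retrieved (and backported) from: ...]` block directly below it; keep the information that the patch is a backport, but drop the duplicated URL so the header carries a single authoritative upstream reference.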
--
2.52.0
* [Buildroot] [PATCH 04/14] package/opusfile: add CVE trailer in patch
From: Thomas Perale via buildroot @ 2025-12-29 9:07 UTC (permalink / raw)
To: buildroot
Cc: Raphaël Mélotte, Bernd Kuhls, Gilles Talis,
Martin Kepplinger, Angelo Compagnucci, Joachim Wiberg,
Olivier Schonken
Since Buildroot commit [1], the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
.../0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch | 1 +
1 file changed, 1 insertion(+)
diff --git a/package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch b/package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch
index 2ef08502ab..8e3be36cdf 100644
--- a/package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch
+++ b/package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch
@@ -15,6 +15,7 @@ Thanks to https://github.com/xiph/opusfile/issues/36 for reporting.
Signed-off-by: Timothy B. Terriberry <tterribe@xiph.org>
Signed-off-by: Mark Harris <mark.hsj@gmail.com>
+CVE: CVE-2022-47021
[Retrieved from:
https://github.com/xiph/opusfile/commit/0a4cd796df5b030cb866f3f4a5e41a4b92caddf5]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
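Review bot: unlike patches 03, 07 and 09 of this series, this hunk adds only the `CVE:` trailer and leaves the upstream reference in the older `[Retrieved from: ...]` form; for consistency, add `Upstream: https://github.com/xiph/opusfile/commit/0a4cd796df5b030cb866f3f4a5e41a4b92caddf5` in the same hunk and drop the bracketed block.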
--
2.52.0
* [Buildroot] [PATCH 05/14] package/lua-http: add CVE trailer in patch
From: Thomas Perale via buildroot @ 2025-12-29 9:07 UTC (permalink / raw)
To: buildroot
Cc: Raphaël Mélotte, Bernd Kuhls, Gilles Talis,
Martin Kepplinger, Angelo Compagnucci, Joachim Wiberg,
Olivier Schonken
Since Buildroot commit [1], the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
...01-http-h1_stream-handle-EOF-when-body_read_type-length.patch | 1 +
1 file changed, 1 insertion(+)
diff --git a/package/lua-http/0001-http-h1_stream-handle-EOF-when-body_read_type-length.patch b/package/lua-http/0001-http-h1_stream-handle-EOF-when-body_read_type-length.patch
index fdbf5243f5..7672ff3794 100644
--- a/package/lua-http/0001-http-h1_stream-handle-EOF-when-body_read_type-length.patch
+++ b/package/lua-http/0001-http-h1_stream-handle-EOF-when-body_read_type-length.patch
@@ -8,6 +8,7 @@ then return `EPIPE`.
This fixes a potential infinite draining loop when trying to trying to
`:shutdown()` a stream.
+CVE: CVE-2023-4540
Upstream: https://github.com/daurnimator/lua-http/commit/ddab2835c583d45dec62680ca8d3cbde55e0bae6
Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
---
--
2.52.0
* [Buildroot] [PATCH 06/14] package/dovecot: add CVE trailer in patch
From: Thomas Perale via buildroot @ 2025-12-29 9:07 UTC (permalink / raw)
To: buildroot
Cc: Raphaël Mélotte, Bernd Kuhls, Gilles Talis,
Martin Kepplinger, Angelo Compagnucci, Joachim Wiberg,
Olivier Schonken
Since Buildroot commit [1], the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
...01-auth-Fix-handling-passdbs-with-identical-driver-args.patch | 1 +
1 file changed, 1 insertion(+)
diff --git a/package/dovecot/0001-auth-Fix-handling-passdbs-with-identical-driver-args.patch b/package/dovecot/0001-auth-Fix-handling-passdbs-with-identical-driver-args.patch
index 04b8f5392a..99a2b83563 100644
--- a/package/dovecot/0001-auth-Fix-handling-passdbs-with-identical-driver-args.patch
+++ b/package/dovecot/0001-auth-Fix-handling-passdbs-with-identical-driver-args.patch
@@ -12,6 +12,7 @@ Fixed by moving mechanisms and username_filter from struct passdb_module
to struct auth_passdb, which is where they should have been in the first
place.
+CVE: CVE-2022-30550
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
src/auth/auth-request.c | 6 +++---
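Review bot: this header has no `Upstream:` trailer and none is added, so the only provenance for the fix is the Buildroot Signed-off-by line; if the change corresponds to an upstream dovecot commit, add an `Upstream:` trailer pointing at it next to the new `CVE: CVE-2022-30550` line, as patches 03, 07 and 09 of this series do.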
--
2.52.0
* [Buildroot] [PATCH 07/14] package/avahi: add CVE trailer in patch
From: Thomas Perale via buildroot @ 2025-12-29 9:07 UTC (permalink / raw)
To: buildroot
Cc: Raphaël Mélotte, Bernd Kuhls, Gilles Talis,
Martin Kepplinger, Angelo Compagnucci, Joachim Wiberg,
Olivier Schonken
Since Buildroot commit [1], the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/avahi/0001-Fix-NULL-pointer-crashes-from-175.patch | 2 ++
1 file changed, 2 insertions(+)
diff --git a/package/avahi/0001-Fix-NULL-pointer-crashes-from-175.patch b/package/avahi/0001-Fix-NULL-pointer-crashes-from-175.patch
index 7e191e8da7..98d5dbf633 100644
--- a/package/avahi/0001-Fix-NULL-pointer-crashes-from-175.patch
+++ b/package/avahi/0001-Fix-NULL-pointer-crashes-from-175.patch
@@ -9,6 +9,8 @@ Add missing NULL pointer checks to fix it.
Introduced in #175 - merge commit 8f75a045709a780c8cf92a6a21e9d35b593bdecd
+CVE: CVE-2021-36217
+Upstream: https://github.com/lathiat/avahi/commit/9d31939e55280a733d930b15ac9e4dda4497680c
[Retrieved from:
https://github.com/lathiat/avahi/commit/9d31939e55280a733d930b15ac9e4dda4497680c]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
--
2.52.0
* [Buildroot] [PATCH 08/14] package/cups-filter: add CVE trailer in patch
From: Thomas Perale via buildroot @ 2025-12-29 9:07 UTC (permalink / raw)
To: buildroot
Cc: Raphaël Mélotte, Bernd Kuhls, Gilles Talis,
Martin Kepplinger, Angelo Compagnucci, Joachim Wiberg,
Olivier Schonken
Since Buildroot commit [1], the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
...-beh-backend-Use-execv-instead-of-system-CVE-2023-24805.patch | 1 +
1 file changed, 1 insertion(+)
diff --git a/package/cups-filters/0001-beh-backend-Use-execv-instead-of-system-CVE-2023-24805.patch b/package/cups-filters/0001-beh-backend-Use-execv-instead-of-system-CVE-2023-24805.patch
index e527b20f91..fbe2bfac4a 100644
--- a/package/cups-filters/0001-beh-backend-Use-execv-instead-of-system-CVE-2023-24805.patch
+++ b/package/cups-filters/0001-beh-backend-Use-execv-instead-of-system-CVE-2023-24805.patch
@@ -32,6 +32,7 @@ In addition, done the following fixes and improvements:
- Use "static volatile int" for global variable job_canceled.
+CVE: CVE-2023-24805
Upstream: https://github.com/OpenPrinting/cups-filters/commit/93e60d3df358c0ae6f3dba79e1c9684657683d89
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
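Review bot: the patch subject says `package/cups-filter` while the file modified lives under `package/cups-filters/`; fix the subject prefix so it matches the package directory. The hunk itself is fine: the added `CVE: CVE-2023-24805` agrees with the identifier already in the patch file name.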
--
2.52.0
* [Buildroot] [PATCH 09/14] package/libconfuse: add CVE trailer in patch
From: Thomas Perale via buildroot @ 2025-12-29 9:07 UTC (permalink / raw)
To: buildroot
Cc: Raphaël Mélotte, Bernd Kuhls, Gilles Talis,
Martin Kepplinger, Angelo Compagnucci, Joachim Wiberg,
Olivier Schonken
Since Buildroot commit [1], the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header
and adds the `Upstream` trailer.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
.../0001-Fix-163-unterminated-username-used-with-getpwnam.patch | 2 ++
1 file changed, 2 insertions(+)
diff --git a/package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch b/package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch
index 9ff3f5ec1c..4c2aa114aa 100644
--- a/package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch
+++ b/package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch
@@ -5,6 +5,8 @@ Subject: [PATCH] Fix #163: unterminated username used with getpwnam()
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
+CVE: CVE-2022-40320
+Upstream: https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b
[Retrieved (and backported) from:
https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
--
2.52.0
* [Buildroot] [PATCH 10/14] package/libtomcrypt: add CVE trailer in patch
From: Thomas Perale via buildroot @ 2025-12-29 9:07 UTC (permalink / raw)
To: buildroot
Cc: Raphaël Mélotte, Bernd Kuhls, Gilles Talis,
Martin Kepplinger, Angelo Compagnucci, Joachim Wiberg,
Olivier Schonken
Since Buildroot commit [1], the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/libtomcrypt/0001-fix-CVE-2019-17362.patch | 1 +
1 file changed, 1 insertion(+)
diff --git a/package/libtomcrypt/0001-fix-CVE-2019-17362.patch b/package/libtomcrypt/0001-fix-CVE-2019-17362.patch
index 91e2145853..adf5020049 100644
--- a/package/libtomcrypt/0001-fix-CVE-2019-17362.patch
+++ b/package/libtomcrypt/0001-fix-CVE-2019-17362.patch
@@ -6,6 +6,7 @@ Subject: [PATCH] Fixes #507
Fix a vulnerability in der_decode_utf8_string as specified here:
https://github.com/libtom/libtomcrypt/issues/507
+CVE: CVE-2019-17362
[for import into Buildroot]
Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
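Review bot: this header still lacks an `Upstream:` trailer; the only upstream pointer in context is the issue link `https://github.com/libtom/libtomcrypt/issues/507` in the description. Since the header is being edited to add `CVE: CVE-2019-17362`, add the `Upstream:` trailer in the same hunk, pointing at the upstream fix commit if it is known and otherwise at that issue.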
--
2.52.0
* [Buildroot] [PATCH 11/14] package/sdl: add CVE trailer in patch
From: Thomas Perale via buildroot @ 2025-12-29 9:07 UTC (permalink / raw)
To: buildroot
Cc: Raphaël Mélotte, Bernd Kuhls, Gilles Talis,
Martin Kepplinger, Angelo Compagnucci, Joachim Wiberg,
Olivier Schonken
Since Buildroot commit [1], the patches that fix a security
vulnerability need to reference the fixed vulnerability.
This patch adds the relevant information to the patch header.
[1] 1167d0ff3d docs/manual: mention CVE trailer
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/sdl/0002-SDL_x11yuv.c-fix-possible-use-after-free.patch | 1 +
1 file changed, 1 insertion(+)
diff --git a/package/sdl/0002-SDL_x11yuv.c-fix-possible-use-after-free.patch b/package/sdl/0002-SDL_x11yuv.c-fix-possible-use-after-free.patch
index 68e66bd5a2..3624c5341f 100644
--- a/package/sdl/0002-SDL_x11yuv.c-fix-possible-use-after-free.patch
+++ b/package/sdl/0002-SDL_x11yuv.c-fix-possible-use-after-free.patch
@@ -3,6 +3,7 @@ From: Ozkan Sezer <sezeroz@gmail.com>
Date: Sat, 18 Jun 2022 14:55:00 +0300
Subject: [PATCH] SDL_x11yuv.c: fix possible use-after-free
+CVE: CVE-2022-34568
Fixes: https://github.com/libsdl-org/SDL-1.2/issues/863
Upstream: d7e00208738a0bc6af302723fe64908ac35b777b
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
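Review bot: the `Upstream:` trailer kept in context is a bare hash (`Upstream: d7e00208738a0bc6af302723fe64908ac35b777b`) with no repository; while adding `CVE: CVE-2022-34568` beside it, consider expanding it to a full commit URL in the repository named by the `Fixes:` line so the reference resolves without guessing which tree it belongs to.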
--
2.52.0
* [Buildroot] [PATCH 12/14] package/sdl: fix patch reference in IGNORE_CVES
From: Thomas Perale via buildroot @ 2025-12-29 9:07 UTC (permalink / raw)
To: buildroot
Cc: Raphaël Mélotte, Bernd Kuhls, Gilles Talis,
Martin Kepplinger, Angelo Compagnucci, Joachim Wiberg,
Olivier Schonken
Since Buildroot commit [1], the
`0003-SDL_x11yuv.c-fix-possible-use-after-free.patch` patch
was renamed.
This updates the reference in IGNORE_CVES accordingly.
[1] 9fab7bb79d package/sdl: drop directfb support
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/sdl/sdl.mk | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/sdl/sdl.mk b/package/sdl/sdl.mk
index 439c30b2a5..29697fe3c9 100644
--- a/package/sdl/sdl.mk
+++ b/package/sdl/sdl.mk
@@ -13,7 +13,7 @@ SDL_CPE_ID_VENDOR = libsdl
SDL_CPE_ID_PRODUCT = simple_directmedia_layer
SDL_INSTALL_STAGING = YES
-# 0003-SDL_x11yuv.c-fix-possible-use-after-free.patch
+# 0002-SDL_x11yuv.c-fix-possible-use-after-free.patch
SDL_IGNORE_CVES += CVE-2022-34568
# we're patching configure.in, but package cannot autoreconf with our version of
--
2.52.0
* [Buildroot] [PATCH 13/14] package/pixman: fix patch reference in IGNORE_CVES
From: Thomas Perale via buildroot @ 2025-12-29 9:07 UTC (permalink / raw)
To: buildroot
Cc: Raphaël Mélotte, Bernd Kuhls, Gilles Talis,
Martin Kepplinger, Angelo Compagnucci, Joachim Wiberg,
Olivier Schonken
Since Buildroot commit [1], the
`0001-Disable-tests.patch` patch
was removed in favour of a build argument that disables the tests.
This updates the reference in IGNORE_CVES accordingly.
[1] ba2fb599cd package/pixman: bump to version 0.44.2
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/pixman/pixman.mk | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/package/pixman/pixman.mk b/package/pixman/pixman.mk
index 87d973230f..63d9ccd10b 100644
--- a/package/pixman/pixman.mk
+++ b/package/pixman/pixman.mk
@@ -26,11 +26,10 @@ PIXMAN_CONF_OPTS = \
-Dlibpng=disabled \
-Dtests=disabled
-# Affects only tests, and we don't build tests (see
-# 0001-Disable-tests.patch). See
-# https://gitlab.freedesktop.org/pixman/pixman/-/issues/76, which says
-# "not sure why NVD keeps assigning CVEs like this. This is just a
-# test executable".
+# Affects only tests, and we don't build tests.
+# See https://gitlab.freedesktop.org/pixman/pixman/-/issues/76, which says
+# "not sure why NVD keeps assigning CVEs like this. This is just a test
+# executable".
PIXMAN_IGNORE_CVES += CVE-2023-37769
ifeq ($(BR2_X86_CPU_HAS_MMX),y)
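Review bot: the rewritten comment drops the explanation of how the tests are disabled; since `-Dtests=disabled` is right above in this hunk's context, say so explicitly, e.g. `# Affects only tests, and we don't build tests (-Dtests=disabled).`, so the justification for ignoring CVE-2023-37769 stays self-contained if the conf opts are edited later.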
--
2.52.0
* [Buildroot] [PATCH 14/14] package/mupdf: add CVE-2024-2425{8, 9} to IGNORE_CVES
From: Thomas Perale via buildroot @ 2025-12-29 9:07 UTC (permalink / raw)
To: buildroot
Cc: Raphaël Mélotte, Bernd Kuhls, Gilles Talis,
Martin Kepplinger, Angelo Compagnucci, Joachim Wiberg,
Olivier Schonken
Buildroot commit [1] removed the IGNORE_CVES entries for
CVE-2024-24258 & CVE-2024-24259 because they referenced patches that
no longer exist.
Those IGNORE_CVES entries are still required because the CVEs reference
the exact mupdf version Buildroot is using.
Re-introduce those IGNORE_CVES entries with an updated comment instead.
[1] f2e442a14d package/mupdf: remove stale IGNORE_CVES
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
package/mupdf/mupdf.mk | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/package/mupdf/mupdf.mk b/package/mupdf/mupdf.mk
index 9eecb84232..57501ab954 100644
--- a/package/mupdf/mupdf.mk
+++ b/package/mupdf/mupdf.mk
@@ -21,6 +21,12 @@ MUPDF_DEPENDENCIES = \
lcms2 openjpeg \
zlib
+# Fix is in libfreeglut, but CVE applied to mupdf 1.23.9.
+# Buildroot libfreeglut is >3.4.0 then is not affected.
+MUPDF_IGNORE_CVES = \
+ CVE-2024-24258 \
+ CVE-2024-24259
+
# mupdf doesn't use CFLAGS and LIBS but XCFLAGS and XLIBS instead.
# with USE_SYSTEM_LIBS it will try to use system libraries instead of the bundled ones.
MUPDF_MAKE_ENV = $(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
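Review bot: the comment above the new MUPDF_IGNORE_CVES block, `+# Buildroot libfreeglut is >3.4.0 then is not affected.`, is ungrammatical and does not record which libfreeglut release carries the fix, so whoever later bumps or pins libfreeglut cannot tell when this ignore stops being valid. Suggest something like `# The fix is in libfreeglut (releases after 3.4.0); the CVEs were filed against mupdf 1.23.9. Buildroot's libfreeglut is newer, so mupdf is not affected.` and, if the exact fixing release is known, naming it so the entry can be re-evaluated on the next libfreeglut change.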
--
2.52.0
* Re: [Buildroot] [PATCH 01/14] package/sox: add CVE trailer in patches
2025-12-29 9:07 [Buildroot] [PATCH 01/14] package/sox: add CVE trailer in patches Thomas Perale via buildroot
` (12 preceding siblings ...)
2025-12-29 9:07 ` [Buildroot] [PATCH 14/14] package/mupdf: add CVE-2024-2425{8, 9} to IGNORE_CVES Thomas Perale via buildroot
@ 2025-12-29 14:12 ` Thomas Petazzoni via buildroot
2025-12-29 17:34 ` Thomas Perale via buildroot
2026-01-07 17:52 ` Arnout Vandecappelle via buildroot
14 siblings, 1 reply; 32+ messages in thread
From: Thomas Petazzoni via buildroot @ 2025-12-29 14:12 UTC (permalink / raw)
To: Thomas Perale via buildroot
Cc: Thomas Perale, Raphaël Mélotte, Bernd Kuhls,
Gilles Talis, Martin Kepplinger, Angelo Compagnucci,
Joachim Wiberg, Olivier Schonken
Hello Thomas,
On Mon, 29 Dec 2025 10:07:06 +0100
Thomas Perale via buildroot <buildroot@buildroot.org> wrote:
> Since Buildroot commit [1] the patches that fix a security
> vulnerability need to reference the fixed vulnerability.
>
> This patch adds the relevant information to the patch headers.
>
> [1] 1167d0ff3d docs/manual: mention CVE trailer
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> ---
> ...voc-word-width-should-never-be-0-to-avoid-division-b.patch | 2 ++
> package/sox/0007-hcom-validate-dictsize.patch | 4 ++++
> package/sox/0008-phere-avoid-integer-underflow.patch | 1 +
> ...formats-aiff-reject-implausibly-large-number-of-chan.patch | 2 ++
> package/sox/0010-formats-reject-implausible-rate.patch | 1 +
> ...CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch | 1 +
> 6 files changed, 11 insertions(+)
Series applied, thanks!
Two notes:
- When you add the Upstream: header, make sure to update the
.checkpackageignore file as well. You can run "make check-package",
or have a Git commit hook that checks it for you.
- Also, when you add the Upstream: header, if there's already the same
information in the patch, but in a non-machine parseable form, drop
this additional info. For example in this series:
+CVE: CVE-2021-42260
+Upstream: https://sourceforge.net/p/tinyxml/git/merge-requests/1
[Retrieved (and backported) from:
https://sourceforge.net/p/tinyxml/git/merge-requests/1]
You should drop the [Retrieved (and backported) from ...], because
that information is now provided by the Upstream: tag.
Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
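The two review points above (a CVE named in a patch description must also appear as a machine-parseable `CVE:` trailer, and a bracketed `[Retrieved from: ...]` note is redundant once the same URL sits in an `Upstream:` trailer) as a small header linter. This is an added example, not part of the thread and not Buildroot's own check-package script; the function and finding names are mine, and the sample headers are constructed, abridged from patch headers quoted in this thread.

```python
import re

# Free-text CVE ids, e.g. "(CVE-2021-42260)" in a patch description.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Machine-parseable trailers; only the two keys discussed in the thread.
TRAILER_RE = re.compile(r"^(CVE|Upstream):[ \t]*(\S.*?)[ \t]*$", re.MULTILINE)
# "[Retrieved (and backported) from:\n<url>]", the URL often on its own line.
RETRIEVED_RE = re.compile(r"\[Retrieved[^\]]*?from:\s*(\S+?)\]")


def patch_description(patch_text):
    """Return the description part of a git format-patch file: everything
    before the "---" separator (or the first "diff --git" line)."""
    kept = []
    for line in patch_text.splitlines():
        if line == "---" or line.startswith("diff --git"):
            break
        kept.append(line)
    return "\n".join(kept)


def check_patch_header(patch_text):
    """Lint one patch description; returns a sorted list of (code, detail).

    Finding codes (my own names, not check-package's):
      missing-cve-trailer          CVE id in the text but no matching "CVE:" line
      malformed-cve-trailer        "CVE:" value that is not a CVE id
      redundant-retrieved-from     bracketed URL duplicates an "Upstream:" line
      retrieved-from-not-upstream  bracketed URL with no "Upstream:" line for it
    """
    desc = patch_description(patch_text)
    trailers = TRAILER_RE.findall(desc)
    cve_trailers = {value for key, value in trailers if key == "CVE"}
    upstream = {value for key, value in trailers if key == "Upstream"}
    findings = []
    # Blank out the trailer lines so CVE ids are only collected from free text.
    prose = TRAILER_RE.sub("", desc)
    for cve in sorted(set(CVE_RE.findall(prose)) - cve_trailers):
        findings.append(("missing-cve-trailer", cve))
    for value in sorted(cve_trailers):
        if not CVE_RE.fullmatch(value):
            findings.append(("malformed-cve-trailer", value))
    for url in RETRIEVED_RE.findall(desc):
        if url in upstream:
            findings.append(("redundant-retrieved-from", url))
        else:
            findings.append(("retrieved-from-not-upstream", url))
    return sorted(findings)


# Constructed samples (subjects shortened by me), modelled on headers in the thread.
# tinyxml after this series: Upstream: added, bracketed note left in place.
TINYXML_AFTER = """\
Subject: [PATCH] In stamp always advance the pointer

In case of malformed input (0xef should be the start byte of a three
byte character) this leads to an infinite loop. (CVE-2021-42260)

CVE: CVE-2021-42260
Upstream: https://sourceforge.net/p/tinyxml/git/merge-requests/1
[Retrieved (and backported) from:
https://sourceforge.net/p/tinyxml/git/merge-requests/1]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 tinyxmlparser.cpp | 2 +-
"""

# opusfile after this series: CVE: added, but the fix URL is still only bracketed.
OPUSFILE_AFTER = """\
Subject: [PATCH] Propagate allocation failure from ogg_sync_buffer

CVE: CVE-2022-47021
[Retrieved from:
https://github.com/xiph/opusfile/commit/0a4cd796df5b030cb866f3f4a5e41a4b92caddf5]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
"""

# sox 0006 as it was before this series: CVEs named in prose, no CVE: trailers.
SOX_BEFORE = """\
Subject: [PATCH] voc: word width should never be 0

This patch fixes both CVE-2021-3643 and CVE-2021-23210.

Upstream: https://sourceforge.net/p/sox/bugs/351/
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
"""

if __name__ == "__main__":
    for name, text in (("tinyxml", TINYXML_AFTER), ("opusfile", OPUSFILE_AFTER),
                       ("sox-0006-before", SOX_BEFORE)):
        for code, detail in check_patch_header(text) or [("ok", "")]:
            print(f"{name}: {code} {detail}")
```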
* Re: [Buildroot] [PATCH 01/14] package/sox: add CVE trailer in patches
2025-12-29 14:12 ` [Buildroot] [PATCH 01/14] package/sox: add CVE trailer in patches Thomas Petazzoni via buildroot
@ 2025-12-29 17:34 ` Thomas Perale via buildroot
0 siblings, 0 replies; 32+ messages in thread
From: Thomas Perale via buildroot @ 2025-12-29 17:34 UTC (permalink / raw)
To: Thomas Petazzoni
Cc: Thomas Perale, Thomas Perale via buildroot,
Raphaël Mélotte, Bernd Kuhls, Gilles Talis,
Martin Kepplinger, Angelo Compagnucci, Joachim Wiberg,
Olivier Schonken
Hi,
In reply of:
> Hello Thomas,
>
> On Mon, 29 Dec 2025 10:07:06 +0100
> Thomas Perale via buildroot <buildroot@buildroot.org> wrote:
>
> > Since Buildroot commit [1] the patches that fix a security
> > vulnerability need to reference the fixed vulnerability.
> >
> > This patch adds the relevant information to the patch headers.
> >
> > [1] 1167d0ff3d docs/manual: mention CVE trailer
> >
> > Signed-off-by: Thomas Perale <thomas.perale@mind.be>
> > ---
> > ...voc-word-width-should-never-be-0-to-avoid-division-b.patch | 2 ++
> > package/sox/0007-hcom-validate-dictsize.patch | 4 ++++
> > package/sox/0008-phere-avoid-integer-underflow.patch | 1 +
> > ...formats-aiff-reject-implausibly-large-number-of-chan.patch | 2 ++
> > package/sox/0010-formats-reject-implausible-rate.patch | 1 +
> > ...CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch | 1 +
> > 6 files changed, 11 insertions(+)
>
> Series applied, thanks!
>
> Two notes:
>
> - When you add the Upstream: header, make sure to update the
> .checkpackageignore file as well. You can run "make check-package",
> or have a Git commit hook that checks it for you.
>
> - Also, when you add the Upstream: header, if there's already the same
> information in the patch, but in a non-machine parseable form, drop
> this additional info. For example in this series:
>
> +CVE: CVE-2021-42260
> +Upstream: https://sourceforge.net/p/tinyxml/git/merge-requests/1
> [Retrieved (and backported) from:
> https://sourceforge.net/p/tinyxml/git/merge-requests/1]
>
> You should drop the [Retrieved (and backported) from ...], because
> that information is now provided by the Upstream: tag.
Thanks for giving it a look. I will take your notes into account.
PERALE Thomas
>
> Thanks!
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
* Re: [Buildroot] [PATCH 07/14] package/avahi: add CVE trailer in patch
2025-12-29 9:07 ` [Buildroot] [PATCH 07/14] package/avahi: " Thomas Perale via buildroot
@ 2026-01-07 17:51 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 32+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2026-01-07 17:51 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the patches that fix a security
> vulnerability need to reference the fixed vulnerability.
>
> This patch adds the relevant information to the patch header
> and adds the `Upstream` trailer.
>
> [1] 1167d0ff3d docs/manual: mention CVE trailer
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> package/avahi/0001-Fix-NULL-pointer-crashes-from-175.patch | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/package/avahi/0001-Fix-NULL-pointer-crashes-from-175.patch b/package/avahi/0001-Fix-NULL-pointer-crashes-from-175.patch
> index 7e191e8da7..98d5dbf633 100644
> --- a/package/avahi/0001-Fix-NULL-pointer-crashes-from-175.patch
> +++ b/package/avahi/0001-Fix-NULL-pointer-crashes-from-175.patch
> @@ -9,6 +9,8 @@ Add missing NULL pointer checks to fix it.
>
> Introduced in #175 - merge commit 8f75a045709a780c8cf92a6a21e9d35b593bdecd
>
> +CVE: CVE-2021-36217
> +Upstream: https://github.com/lathiat/avahi/commit/9d31939e55280a733d930b15ac9e4dda4497680c
> [Retrieved from:
> https://github.com/lathiat/avahi/commit/9d31939e55280a733d930b15ac9e4dda4497680c]
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
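Review bot: now that `+Upstream: https://github.com/lathiat/avahi/commit/9d31939e55280a733d930b15ac9e4dda4497680c` is present, the `[Retrieved from: ...]` lines immediately below repeat the same URL in a form check-package cannot parse and should be dropped, as the maintainer asked for the tinyxml patch earlier in this thread. The diffstat also shows only the patch file touched; adding an Upstream: trailer normally also means removing the patch's entry from .checkpackageignore, so run `make check-package` before a respin.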
> --
> 2.52.0
>
* Re: [Buildroot] [PATCH 08/14] package/cups-filter: add CVE trailer in patch
2025-12-29 9:07 ` [Buildroot] [PATCH 08/14] package/cups-filter: " Thomas Perale via buildroot
@ 2026-01-07 17:51 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 32+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2026-01-07 17:51 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the patches that fix a security
> vulnerability need to reference the fixed vulnerability.
>
> This patch adds the relevant information to the patch header.
>
> [1] 1167d0ff3d docs/manual: mention CVE trailer
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> ...-beh-backend-Use-execv-instead-of-system-CVE-2023-24805.patch | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/package/cups-filters/0001-beh-backend-Use-execv-instead-of-system-CVE-2023-24805.patch b/package/cups-filters/0001-beh-backend-Use-execv-instead-of-system-CVE-2023-24805.patch
> index e527b20f91..fbe2bfac4a 100644
> --- a/package/cups-filters/0001-beh-backend-Use-execv-instead-of-system-CVE-2023-24805.patch
> +++ b/package/cups-filters/0001-beh-backend-Use-execv-instead-of-system-CVE-2023-24805.patch
> @@ -32,6 +32,7 @@ In addition, done the following fixes and improvements:
>
> - Use "static volatile int" for global variable job_canceled.
>
> +CVE: CVE-2023-24805
> Upstream: https://github.com/OpenPrinting/cups-filters/commit/93e60d3df358c0ae6f3dba79e1c9684657683d89
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> --
> 2.52.0
>
* Re: [Buildroot] [PATCH 06/14] package/dovecot: add CVE trailer in patch
2025-12-29 9:07 ` [Buildroot] [PATCH 06/14] package/dovecot: " Thomas Perale via buildroot
@ 2026-01-07 17:51 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 32+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2026-01-07 17:51 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the patches that fix a security
> vulnerability need to reference the fixed vulnerability.
>
> This patch adds the relevant information to the patch header.
>
> [1] 1167d0ff3d docs/manual: mention CVE trailer
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> ...01-auth-Fix-handling-passdbs-with-identical-driver-args.patch | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/package/dovecot/0001-auth-Fix-handling-passdbs-with-identical-driver-args.patch b/package/dovecot/0001-auth-Fix-handling-passdbs-with-identical-driver-args.patch
> index 04b8f5392a..99a2b83563 100644
> --- a/package/dovecot/0001-auth-Fix-handling-passdbs-with-identical-driver-args.patch
> +++ b/package/dovecot/0001-auth-Fix-handling-passdbs-with-identical-driver-args.patch
> @@ -12,6 +12,7 @@ Fixed by moving mechanisms and username_filter from struct passdb_module
> to struct auth_passdb, which is where they should have been in the first
> place.
>
> +CVE: CVE-2022-30550
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
> src/auth/auth-request.c | 6 +++---
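Review bot: after `+CVE: CVE-2022-30550` the header still has no Upstream: trailer and no link to the upstream fix at all, so the CVE id cannot be cross-checked against an upstream commit; if the fixing commit is known, add it as `Upstream:` in the same change rather than leaving the reference to .checkpackageignore.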
> --
> 2.52.0
>
* Re: [Buildroot] [PATCH 09/14] package/libconfuse: add CVE trailer in patch
2025-12-29 9:07 ` [Buildroot] [PATCH 09/14] package/libconfuse: " Thomas Perale via buildroot
@ 2026-01-07 17:51 ` Arnout Vandecappelle via buildroot
2026-01-07 18:25 ` Baruch Siach via buildroot
0 siblings, 1 reply; 32+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2026-01-07 17:51 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the patches that fix a security
> vulnerability need to reference the fixed vulnerability.
>
> This patch adds the relevant information to the patch header
> and adds the `Upstream` trailer.
>
> [1] 1167d0ff3d docs/manual: mention CVE trailer
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> .../0001-Fix-163-unterminated-username-used-with-getpwnam.patch | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch b/package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch
> index 9ff3f5ec1c..4c2aa114aa 100644
> --- a/package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch
> +++ b/package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch
> @@ -5,6 +5,8 @@ Subject: [PATCH] Fix #163: unterminated username used with getpwnam()
>
> Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
>
> +CVE: CVE-2022-40320
> +Upstream: https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b
> [Retrieved (and backported) from:
> https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b]
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
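Review bot: with `+Upstream: https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b` added, the `[Retrieved (and backported) from: ...]` lines below it carry the identical URL in non-machine-parseable form and should go, per the maintainer's note on this series. Only the patch file is in the diffstat, so check whether the matching .checkpackageignore entry also needs to be removed (`make check-package`).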
> --
> 2.52.0
>
* Re: [Buildroot] [PATCH 10/14] package/libtomcrypt: add CVE trailer in patch
2025-12-29 9:07 ` [Buildroot] [PATCH 10/14] package/libtomcrypt: " Thomas Perale via buildroot
@ 2026-01-07 17:51 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 32+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2026-01-07 17:51 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the patches that fix a security
> vulnerability need to reference the fixed vulnerability.
>
> This patch adds the relevant information to the patch header.
>
> [1] 1167d0ff3d docs/manual: mention CVE trailer
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> package/libtomcrypt/0001-fix-CVE-2019-17362.patch | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/package/libtomcrypt/0001-fix-CVE-2019-17362.patch b/package/libtomcrypt/0001-fix-CVE-2019-17362.patch
> index 91e2145853..adf5020049 100644
> --- a/package/libtomcrypt/0001-fix-CVE-2019-17362.patch
> +++ b/package/libtomcrypt/0001-fix-CVE-2019-17362.patch
> @@ -6,6 +6,7 @@ Subject: [PATCH] Fixes #507
> Fix a vulnerability in der_decode_utf8_string as specified here:
> https://github.com/libtom/libtomcrypt/issues/507
>
> +CVE: CVE-2019-17362
> [for import into Buildroot]
> Signed-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
>
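Review bot: the description already points at the upstream report (`https://github.com/libtom/libtomcrypt/issues/507`) but only a `+CVE: CVE-2019-17362` trailer is added; suggest also recording the upstream fix as an `Upstream:` trailer so the reference is machine-parseable, as done for the other patches in this series.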
> --
> 2.52.0
>
* Re: [Buildroot] [PATCH 05/14] package/lua-http: add CVE trailer in patch
2025-12-29 9:07 ` [Buildroot] [PATCH 05/14] package/lua-http: " Thomas Perale via buildroot
@ 2026-01-07 17:51 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 32+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2026-01-07 17:51 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the patches that fix a security
> vulnerability need to reference the fixed vulnerability.
>
> This patch adds the relevant information to the patch header.
>
> [1] 1167d0ff3d docs/manual: mention CVE trailer
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> ...01-http-h1_stream-handle-EOF-when-body_read_type-length.patch | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/package/lua-http/0001-http-h1_stream-handle-EOF-when-body_read_type-length.patch b/package/lua-http/0001-http-h1_stream-handle-EOF-when-body_read_type-length.patch
> index fdbf5243f5..7672ff3794 100644
> --- a/package/lua-http/0001-http-h1_stream-handle-EOF-when-body_read_type-length.patch
> +++ b/package/lua-http/0001-http-h1_stream-handle-EOF-when-body_read_type-length.patch
> @@ -8,6 +8,7 @@ then return `EPIPE`.
> This fixes a potential infinite draining loop when trying to trying to
> `:shutdown()` a stream.
>
> +CVE: CVE-2023-4540
> Upstream: https://github.com/daurnimator/lua-http/commit/ddab2835c583d45dec62680ca8d3cbde55e0bae6
> Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
> ---
> --
> 2.52.0
>
* Re: [Buildroot] [PATCH 04/14] package/opusfile: add CVE trailer in patch
2025-12-29 9:07 ` [Buildroot] [PATCH 04/14] package/opusfile: " Thomas Perale via buildroot
@ 2026-01-07 17:51 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 32+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2026-01-07 17:51 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the patches that fix a security
> vulnerability need to reference the fixed vulnerability.
>
> This patch adds the relevant information to the patch header.
>
> [1] 1167d0ff3d docs/manual: mention CVE trailer
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> .../0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch b/package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch
> index 2ef08502ab..8e3be36cdf 100644
> --- a/package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch
> +++ b/package/opusfile/0001-Propagate-allocation-failure-from-ogg_sync_buffer.patch
> @@ -15,6 +15,7 @@ Thanks to https://github.com/xiph/opusfile/issues/36 for reporting.
> Signed-off-by: Timothy B. Terriberry <tterribe@xiph.org>
> Signed-off-by: Mark Harris <mark.hsj@gmail.com>
>
> +CVE: CVE-2022-47021
> [Retrieved from:
> https://github.com/xiph/opusfile/commit/0a4cd796df5b030cb866f3f4a5e41a4b92caddf5]
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
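Review bot: only a CVE: trailer is added here while the upstream fix is still referenced through the bracketed `[Retrieved from: https://github.com/xiph/opusfile/commit/0a4cd796df5b030cb866f3f4a5e41a4b92caddf5]` note; suggest promoting that URL to an `Upstream:` trailer and dropping the bracketed lines, matching the avahi, libconfuse and tinyxml patches in this series (and updating .checkpackageignore accordingly).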
> --
> 2.52.0
>
* Re: [Buildroot] [PATCH 13/14] package/pixman: fix patch reference in IGNORE_CVES
2025-12-29 9:07 ` [Buildroot] [PATCH 13/14] package/pixman: " Thomas Perale via buildroot
@ 2026-01-07 17:51 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 32+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2026-01-07 17:51 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the
> `0001-Disable-tests.patch` patch reference
> was removed in favour of a build argument that disables the tests.
>
> This updates the reference in IGNORE_CVES accordingly.
>
> [1] ba2fb599cd package/pixman: bump to version 0.44.2
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> package/pixman/pixman.mk | 9 ++++-----
> 1 file changed, 4 insertions(+), 5 deletions(-)
>
> diff --git a/package/pixman/pixman.mk b/package/pixman/pixman.mk
> index 87d973230f..63d9ccd10b 100644
> --- a/package/pixman/pixman.mk
> +++ b/package/pixman/pixman.mk
> @@ -26,11 +26,10 @@ PIXMAN_CONF_OPTS = \
> -Dlibpng=disabled \
> -Dtests=disabled
>
> -# Affects only tests, and we don't build tests (see
> -# 0001-Disable-tests.patch). See
> -# https://gitlab.freedesktop.org/pixman/pixman/-/issues/76, which says
> -# "not sure why NVD keeps assigning CVEs like this. This is just a
> -# test executable".
> +# Affects only tests, and we don't build tests.
> +# See https://gitlab.freedesktop.org/pixman/pixman/-/issues/76, which says
> +# "not sure why NVD keeps assigning CVEs like this. This is just a test
> +# executable".
> PIXMAN_IGNORE_CVES += CVE-2023-37769
>
> ifeq ($(BR2_X86_CPU_HAS_MMX),y)
> --
> 2.52.0
>
* Re: [Buildroot] [PATCH 11/14] package/sdl: add CVE trailer in patch
2025-12-29 9:07 ` [Buildroot] [PATCH 11/14] package/sdl: " Thomas Perale via buildroot
@ 2026-01-07 17:51 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 32+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2026-01-07 17:51 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the patches that fix a security
> vulnerability need to reference the fixed vulnerability.
>
> This patch adds the relevant information to the patch header.
>
> [1] 1167d0ff3d docs/manual: mention CVE trailer
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> package/sdl/0002-SDL_x11yuv.c-fix-possible-use-after-free.patch | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/package/sdl/0002-SDL_x11yuv.c-fix-possible-use-after-free.patch b/package/sdl/0002-SDL_x11yuv.c-fix-possible-use-after-free.patch
> index 68e66bd5a2..3624c5341f 100644
> --- a/package/sdl/0002-SDL_x11yuv.c-fix-possible-use-after-free.patch
> +++ b/package/sdl/0002-SDL_x11yuv.c-fix-possible-use-after-free.patch
> @@ -3,6 +3,7 @@ From: Ozkan Sezer <sezeroz@gmail.com>
> Date: Sat, 18 Jun 2022 14:55:00 +0300
> Subject: [PATCH] SDL_x11yuv.c: fix possible use-after-free
>
> +CVE: CVE-2022-34568
> Fixes: https://github.com/libsdl-org/SDL-1.2/issues/863
> Upstream: d7e00208738a0bc6af302723fe64908ac35b777b
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> --
> 2.52.0
>
* Re: [Buildroot] [PATCH 12/14] package/sdl: fix patch reference in IGNORE_CVES
2025-12-29 9:07 ` [Buildroot] [PATCH 12/14] package/sdl: fix patch reference in IGNORE_CVES Thomas Perale via buildroot
@ 2026-01-07 17:52 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 32+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2026-01-07 17:52 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the
> `0003-SDL_x11yuv.c-fix-possible-use-after-free.patch` patch reference
> was renamed.
>
> This updates the reference in IGNORE_CVES accordingly.
>
> [1] 9fab7bb79d package/sdl: drop directfb support
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> package/sdl/sdl.mk | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/package/sdl/sdl.mk b/package/sdl/sdl.mk
> index 439c30b2a5..29697fe3c9 100644
> --- a/package/sdl/sdl.mk
> +++ b/package/sdl/sdl.mk
> @@ -13,7 +13,7 @@ SDL_CPE_ID_VENDOR = libsdl
> SDL_CPE_ID_PRODUCT = simple_directmedia_layer
> SDL_INSTALL_STAGING = YES
>
> -# 0003-SDL_x11yuv.c-fix-possible-use-after-free.patch
> +# 0002-SDL_x11yuv.c-fix-possible-use-after-free.patch
> SDL_IGNORE_CVES += CVE-2022-34568
>
> # we're patching configure.in, but package cannot autoreconf with our version of
> --
> 2.52.0
>
* Re: [Buildroot] [PATCH 01/14] package/sox: add CVE trailer in patches
2025-12-29 9:07 [Buildroot] [PATCH 01/14] package/sox: add CVE trailer in patches Thomas Perale via buildroot
` (13 preceding siblings ...)
2025-12-29 14:12 ` [Buildroot] [PATCH 01/14] package/sox: add CVE trailer in patches Thomas Petazzoni via buildroot
@ 2026-01-07 17:52 ` Arnout Vandecappelle via buildroot
14 siblings, 0 replies; 32+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2026-01-07 17:52 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the patches that fix a security
> vulnerability need to reference the fixed vulnerability.
>
> This patch adds the relevant information to the patch headers.
>
> [1] 1167d0ff3d docs/manual: mention CVE trailer
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> ...voc-word-width-should-never-be-0-to-avoid-division-b.patch | 2 ++
> package/sox/0007-hcom-validate-dictsize.patch | 4 ++++
> package/sox/0008-phere-avoid-integer-underflow.patch | 1 +
> ...formats-aiff-reject-implausibly-large-number-of-chan.patch | 2 ++
> package/sox/0010-formats-reject-implausible-rate.patch | 1 +
> ...CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch | 1 +
> 6 files changed, 11 insertions(+)
>
> diff --git a/package/sox/0006-voc-word-width-should-never-be-0-to-avoid-division-b.patch b/package/sox/0006-voc-word-width-should-never-be-0-to-avoid-division-b.patch
> index 94298b7ae5..2b516fa4c3 100644
> --- a/package/sox/0006-voc-word-width-should-never-be-0-to-avoid-division-b.patch
> +++ b/package/sox/0006-voc-word-width-should-never-be-0-to-avoid-division-b.patch
> @@ -8,6 +8,8 @@ Bug-Debian: https://bugs.debian.org/1010374
>
> This patch fixes both CVE-2021-3643 and CVE-2021-23210.
>
> +CVE: CVE-2021-3643
> +CVE: CVE-2021-23210
> Upstream: https://sourceforge.net/p/sox/bugs/351/
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
> diff --git a/package/sox/0007-hcom-validate-dictsize.patch b/package/sox/0007-hcom-validate-dictsize.patch
> index 722b64675b..c221f74c59 100644
> --- a/package/sox/0007-hcom-validate-dictsize.patch
> +++ b/package/sox/0007-hcom-validate-dictsize.patch
> @@ -10,6 +10,10 @@ Bug-Debian: https://bugs.debian.org/1021134
>
> This patch fixes both CVE-2021-23159 and CVE-2021-23172.
>
> +CVE: CVE-2021-23159
> +CVE: CVE-2021-23172
> +CVE: CVE-2023-34318
> +CVE: CVE-2023-34432
> Upstream: https://sourceforge.net/p/sox/bugs/350/
> Upstream: https://sourceforge.net/p/sox/bugs/352/
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
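Review bot: the four new trailers `+CVE: CVE-2021-23159` through `+CVE: CVE-2023-34432` now disagree with the sentence two lines above them, `This patch fixes both CVE-2021-23159 and CVE-2021-23172.`, which names only two ids; either extend that sentence to mention CVE-2023-34318 and CVE-2023-34432 or add a line saying why the 2023 ids are covered by this same change and which of the two `Upstream:` links applies to them, otherwise a later reader will take the extra trailers for a copy-paste mistake.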
> diff --git a/package/sox/0008-phere-avoid-integer-underflow.patch b/package/sox/0008-phere-avoid-integer-underflow.patch
> index 7c59896660..cc3cc533e7 100644
> --- a/package/sox/0008-phere-avoid-integer-underflow.patch
> +++ b/package/sox/0008-phere-avoid-integer-underflow.patch
> @@ -7,6 +7,7 @@ Link: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1434
> Bug: https://sourceforge.net/p/sox/bugs/362/
> Bug-Debian: https://bugs.debian.org/1012138
>
> +CVE: CVE-2021-40426
> Upstream: https://sourceforge.net/p/sox/bugs/362/
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
> diff --git a/package/sox/0009-formats-aiff-reject-implausibly-large-number-of-chan.patch b/package/sox/0009-formats-aiff-reject-implausibly-large-number-of-chan.patch
> index fd1d210da1..0489d82601 100644
> --- a/package/sox/0009-formats-aiff-reject-implausibly-large-number-of-chan.patch
> +++ b/package/sox/0009-formats-aiff-reject-implausibly-large-number-of-chan.patch
> @@ -6,6 +6,8 @@ Subject: [PATCH] formats+aiff: reject implausibly large number of channels
> Bug: https://sourceforge.net/p/sox/bugs/360/
> Bug-Debian: https://bugs.debian.org/1012516
>
> +CVE: CVE-2022-31650
> +CVE: CVE-2023-26590
> Upstream: https://sourceforge.net/p/sox/bugs/360/
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
> diff --git a/package/sox/0010-formats-reject-implausible-rate.patch b/package/sox/0010-formats-reject-implausible-rate.patch
> index 5e60b62011..0805c2f958 100644
> --- a/package/sox/0010-formats-reject-implausible-rate.patch
> +++ b/package/sox/0010-formats-reject-implausible-rate.patch
> @@ -6,6 +6,7 @@ Subject: [PATCH] formats: reject implausible rate
> Bug: https://sourceforge.net/p/sox/bugs/360/
> Bug-Debian: https://bugs.debian.org/1012516
>
> +CVE: CVE-2022-31651
> Upstream: https://sourceforge.net/p/sox/bugs/360/
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
> diff --git a/package/sox/0011-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch b/package/sox/0011-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch
> index b67d23c12d..7abdf54feb 100644
> --- a/package/sox/0011-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch
> +++ b/package/sox/0011-CVE-2023-32627-Filter-null-sampling-rate-in-VOC-code.patch
> @@ -10,6 +10,7 @@ bug-redhat: https://bugzilla.redhat.com/show_bug.cgi?id=2212282
> bug-debian: https://bugs.debian.org/1041112
> bug-debian-security: https://security-tracker.debian.org/tracker/CVE-2023-32627
>
> +CVE: CVE-2023-32627
> Upstream: https://sourceforge.net/p/sox/bugs/369/
> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> ---
> --
> 2.52.0
>
* Re: [Buildroot] [PATCH 03/14] package/tinyxml: add CVE trailer in patch
2025-12-29 9:07 ` [Buildroot] [PATCH 03/14] package/tinyxml: " Thomas Perale via buildroot
@ 2026-01-07 17:52 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 32+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2026-01-07 17:52 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the patches that fix a security
> vulnerability need to reference the fixed vulnerability.
>
> This patch adds the relevant information to the patch header
> and adds the `Upstream` trailer.
>
> [1] 1167d0ff3d docs/manual: mention CVE trailer
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> .../0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/package/tinyxml/0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch b/package/tinyxml/0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch
> index ea0f6476c8..1da5ee913d 100644
> --- a/package/tinyxml/0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch
> +++ b/package/tinyxml/0001-In-stamp-always-advance-the-pointer-if-p-0xef.patch
> @@ -8,6 +8,8 @@ by two non-zero bytes. In case of malformed input (0xef should be
> the start byte of a three byte character) this leads to an infinite
> loop. (CVE-2021-42260)
>
> +CVE: CVE-2021-42260
> +Upstream: https://sourceforge.net/p/tinyxml/git/merge-requests/1
> [Retrieved (and backported) from:
> https://sourceforge.net/p/tinyxml/git/merge-requests/1]
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
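Review bot: the added `Upstream:` trailer duplicates the `[Retrieved (and backported) from: ...]` block directly below it, which carries the same merge-request URL; keep one of the two. The URL also identifies a merge request rather than the commit that was backported, so if the upstream fix has a commit hash it would be the better `Upstream:` reference, and a short note on how the backport differs from it would help whoever re-checks CVE-2021-42260 against a newer tinyxml.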
> --
> 2.52.0
>
* Re: [Buildroot] [PATCH 02/14] package/x11vnc: add CVE trailer in patch
2025-12-29 9:07 ` [Buildroot] [PATCH 02/14] package/x11vnc: add CVE trailer in patch Thomas Perale via buildroot
@ 2026-01-07 17:52 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 32+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2026-01-07 17:52 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Since Buildroot commit [1] the patches that fix a security
> vulnerability need to reference the fixed vulnerability.
>
> This patch adds the relevant information to the patch header.
>
> [1] 1167d0ff3d docs/manual: mention CVE trailer
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.02.x and 2025.11.x. Thanks
> ---
> ...02-scan-limit-access-to-shared-memory-segments-to-curre.patch | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/package/x11vnc/0002-scan-limit-access-to-shared-memory-segments-to-curre.patch b/package/x11vnc/0002-scan-limit-access-to-shared-memory-segments-to-curre.patch
> index 05977375d8..015a8c4c41 100644
> --- a/package/x11vnc/0002-scan-limit-access-to-shared-memory-segments-to-curre.patch
> +++ b/package/x11vnc/0002-scan-limit-access-to-shared-memory-segments-to-curre.patch
> @@ -3,6 +3,7 @@ From: =?UTF-8?q?Gu=C3=A9nal=20DAVALAN?= <guenal.davalan@uca.fr>
> Date: Wed, 18 Nov 2020 08:40:45 +0100
> Subject: [PATCH] scan: limit access to shared memory segments to current user
>
> +CVE: CVE-2020-29074
> Upstream: https://github.com/LibVNC/x11vnc/commit/69eeb9f7baa14ca03b16c9de821f9876def7a36a
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> --
> 2.52.0
>
* Re: [Buildroot] [PATCH 14/14] package/mupdf: add CVE-2024-2425{8, 9} to IGNORE_CVES
2025-12-29 9:07 ` [Buildroot] [PATCH 14/14] package/mupdf: add CVE-2024-2425{8, 9} to IGNORE_CVES Thomas Perale via buildroot
@ 2026-01-07 17:56 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 32+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2026-01-07 17:56 UTC (permalink / raw)
To: Thomas Perale; +Cc: Arnout Vandecappelle, buildroot
In reply of:
> Buildroot commit [1] removed the IGNORE_CVES entries for
> CVE-2024-24258 & CVE-2024-24259 because they referenced patches that
> no longer exist.
>
> Those IGNORE_CVES entries are still required because the CVEs reference
> the exact mupdf version Buildroot is using.
>
> Re-introduce those IGNORE_CVES entries with an updated comment instead.
>
> [1] f2e442a14d package/mupdf: remove stale IGNORE_CVES
>
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
Applied to 2025.11.x. Thanks
> ---
> package/mupdf/mupdf.mk | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/package/mupdf/mupdf.mk b/package/mupdf/mupdf.mk
> index 9eecb84232..57501ab954 100644
> --- a/package/mupdf/mupdf.mk
> +++ b/package/mupdf/mupdf.mk
> @@ -21,6 +21,12 @@ MUPDF_DEPENDENCIES = \
> lcms2 openjpeg \
> zlib
>
> +# Fix is in libfreeglut, but CVE applied to mupdf 1.23.9.
> +# Buildroot libfreeglut is >3.4.0 then is not affected.
> +MUPDF_IGNORE_CVES = \
> + CVE-2024-24258 \
> + CVE-2024-24259
> +
> # mupdf doesn't use CFLAGS and LIBS but XCFLAGS and XLIBS instead.
> # with USE_SYSTEM_LIBS it will try to use system libraries instead of the bundled ones.
> MUPDF_MAKE_ENV = $(TARGET_MAKE_ENV) $(TARGET_CONFIGURE_OPTS) \
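Review bot: the second comment line does not say what it means to say; `Buildroot libfreeglut is >3.4.0 then is not affected` should read something like `Buildroot libfreeglut is newer than 3.4.0, so it is not affected`, and it should name the exact version in which the fix landed rather than an inequality whose boundary (is 3.4.0 itself fixed?) is ambiguous. The `USE_SYSTEM_LIBS` context line right below says mupdf uses the system libraries instead of its bundled copies; if that covers freeglut, stating so in the comment records the real reason the CVEs filed against mupdf 1.23.9 do not apply to this build, which is what a later reviewer needs when either package version is bumped.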
> --
> 2.52.0
>
* Re: [Buildroot] [PATCH 09/14] package/libconfuse: add CVE trailer in patch
2026-01-07 17:51 ` Arnout Vandecappelle via buildroot
@ 2026-01-07 18:25 ` Baruch Siach via buildroot
2026-01-08 7:54 ` Arnout Vandecappelle via buildroot
0 siblings, 1 reply; 32+ messages in thread
From: Baruch Siach via buildroot @ 2026-01-07 18:25 UTC (permalink / raw)
To: Arnout Vandecappelle via buildroot; +Cc: Thomas Perale
Hi Arnout,
On Wed, Jan 07 2026, Arnout Vandecappelle via buildroot wrote:
> In reply of:
>> Since Buildroot commit [1] the patches that fix a security
>> vulnerability need to reference the fixed vulnerability.
>>
>> This patch adds the relevant information to the patch header
>> and adds the `Upstream` trailer.
>>
>> [1] 1167d0ff3d docs/manual: mention CVE trailer
>>
>> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
>
> Applied to 2025.02.x and 2025.11.x. Thanks
Not in 2025.11.x as of commit e98515299 ("package/mupdf: add
CVE-2024-2425{8, 9} to IGNORE_CVES").
baruch
>
>> ---
>> .../0001-Fix-163-unterminated-username-used-with-getpwnam.patch | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git
>> a/package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch
>> b/package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch
>> index 9ff3f5ec1c..4c2aa114aa 100644
>> --- a/package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch
>> +++ b/package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch
>> @@ -5,6 +5,8 @@ Subject: [PATCH] Fix #163: unterminated username used with getpwnam()
>>
>> Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
>>
>> +CVE: CVE-2022-40320
>> +Upstream: https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b
>> [Retrieved (and backported) from:
>> https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b]
>> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
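Review bot: the new `Upstream:` trailer repeats the URL already given in the `[Retrieved (and backported) from: ...]` line two lines below it; one of the two should go. The placement is also slightly odd: `CVE:` and `Upstream:` are inserted after the upstream author's `Signed-off-by: Joachim Wiberg` but before the Buildroot-side `Signed-off-by: Fabrice Fontaine`, so upstream and Buildroot metadata are interleaved; moving the two trailers next to the retrieval note and Fabrice's sign-off keeps the Buildroot additions together.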
>> --
>> 2.52.0
>>
--
~. .~ Tk Open Systems
=}------------------------------------------------ooO--U--Ooo------------{=
- baruch@tkos.co.il - tel: +972.52.368.4656, http://www.tkos.co.il -
* Re: [Buildroot] [PATCH 09/14] package/libconfuse: add CVE trailer in patch
2026-01-07 18:25 ` Baruch Siach via buildroot
@ 2026-01-08 7:54 ` Arnout Vandecappelle via buildroot
0 siblings, 0 replies; 32+ messages in thread
From: Arnout Vandecappelle via buildroot @ 2026-01-08 7:54 UTC (permalink / raw)
To: Baruch Siach, Arnout Vandecappelle via buildroot
Cc: Thomas Perale, Titouan Christophe
On 07/01/2026 19:25, Baruch Siach wrote:
> Hi Arnout,
>
> On Wed, Jan 07 2026, Arnout Vandecappelle via buildroot wrote:
>> In reply of:
>>> Since Buildroot commit [1] the patches that fix a security
>>> vulnerability need to reference the fixed vulnerability.
>>>
>>> This patch adds the relevant information to the patch header
>>> and adds the `Upstream` trailer.
>>>
>>> [1] 1167d0ff3d docs/manual: mention CVE trailer
>>>
>>> Signed-off-by: Thomas Perale <thomas.perale@mind.be>
>>
>> Applied to 2025.02.x and 2025.11.x. Thanks
>
> Not in 2025.11.x as of commit e98515299 ("package/mupdf: add
> CVE-2024-2425{8, 9} to IGNORE_CVES").
Applied now, thanks!
Thomas, Titouan, I also pushed it to .pre, please make sure to pull before
adding more commits.
Regards,
Arnout
>
> baruch
>
>>
>>> ---
>>> .../0001-Fix-163-unterminated-username-used-with-getpwnam.patch | 2 ++
>>> 1 file changed, 2 insertions(+)
>>>
>>> diff --git
>>> a/package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch
>>> b/package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch
>>> index 9ff3f5ec1c..4c2aa114aa 100644
>>> --- a/package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch
>>> +++ b/package/libconfuse/0001-Fix-163-unterminated-username-used-with-getpwnam.patch
>>> @@ -5,6 +5,8 @@ Subject: [PATCH] Fix #163: unterminated username used with getpwnam()
>>>
>>> Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
>>>
>>> +CVE: CVE-2022-40320
>>> +Upstream: https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b
>>> [Retrieved (and backported) from:
>>> https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b]
>>> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
>>> --
>>> 2.52.0
>>>
Thread overview: 32+ messages in thread
2025-12-29 9:07 [Buildroot] [PATCH 01/14] package/sox: add CVE trailer in patches Thomas Perale via buildroot
2025-12-29 9:07 ` [Buildroot] [PATCH 02/14] package/x11vnc: add CVE trailer in patch Thomas Perale via buildroot
2026-01-07 17:52 ` Arnout Vandecappelle via buildroot
2025-12-29 9:07 ` [Buildroot] [PATCH 03/14] package/tinyxml: " Thomas Perale via buildroot
2026-01-07 17:52 ` Arnout Vandecappelle via buildroot
2025-12-29 9:07 ` [Buildroot] [PATCH 04/14] package/opusfile: " Thomas Perale via buildroot
2026-01-07 17:51 ` Arnout Vandecappelle via buildroot
2025-12-29 9:07 ` [Buildroot] [PATCH 05/14] package/lua-http: " Thomas Perale via buildroot
2026-01-07 17:51 ` Arnout Vandecappelle via buildroot
2025-12-29 9:07 ` [Buildroot] [PATCH 06/14] package/dovecot: " Thomas Perale via buildroot
2026-01-07 17:51 ` Arnout Vandecappelle via buildroot
2025-12-29 9:07 ` [Buildroot] [PATCH 07/14] package/avahi: " Thomas Perale via buildroot
2026-01-07 17:51 ` Arnout Vandecappelle via buildroot
2025-12-29 9:07 ` [Buildroot] [PATCH 08/14] package/cups-filter: " Thomas Perale via buildroot
2026-01-07 17:51 ` Arnout Vandecappelle via buildroot
2025-12-29 9:07 ` [Buildroot] [PATCH 09/14] package/libconfuse: " Thomas Perale via buildroot
2026-01-07 17:51 ` Arnout Vandecappelle via buildroot
2026-01-07 18:25 ` Baruch Siach via buildroot
2026-01-08 7:54 ` Arnout Vandecappelle via buildroot
2025-12-29 9:07 ` [Buildroot] [PATCH 10/14] package/libtomcrypt: " Thomas Perale via buildroot
2026-01-07 17:51 ` Arnout Vandecappelle via buildroot
2025-12-29 9:07 ` [Buildroot] [PATCH 11/14] package/sdl: " Thomas Perale via buildroot
2026-01-07 17:51 ` Arnout Vandecappelle via buildroot
2025-12-29 9:07 ` [Buildroot] [PATCH 12/14] package/sdl: fix patch reference in IGNORE_CVES Thomas Perale via buildroot
2026-01-07 17:52 ` Arnout Vandecappelle via buildroot
2025-12-29 9:07 ` [Buildroot] [PATCH 13/14] package/pixman: " Thomas Perale via buildroot
2026-01-07 17:51 ` Arnout Vandecappelle via buildroot
2025-12-29 9:07 ` [Buildroot] [PATCH 14/14] package/mupdf: add CVE-2024-2425{8, 9} to IGNORE_CVES Thomas Perale via buildroot
2026-01-07 17:56 ` Arnout Vandecappelle via buildroot
2025-12-29 14:12 ` [Buildroot] [PATCH 01/14] package/sox: add CVE trailer in patches Thomas Petazzoni via buildroot
2025-12-29 17:34 ` Thomas Perale via buildroot
2026-01-07 17:52 ` Arnout Vandecappelle via buildroot