[poky][master][PATCH] libxml2: Whitelisted CVE patches

[poky][master][PATCH] libxml2: Whitelisted CVE patches

[saloni]

From: Saloni Jain <Saloni.Jain@kpit.com>

Below CVE patches are whitelisted as changes
are already present in source code:
1.CVE-2016-9596 (Duplicate of CVE-2016-3627)
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1408302
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1319829

2.CVE-2016-9598 (Duplicate of CVE-2016-4483)
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1408306
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1332820

Signed-off-by: Saloni.Jain <Saloni.Jain@kpit.com>
---
 meta/recipes-core/libxml/libxml2_2.9.10.bb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index 4ebfb9e..80b6427 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -25,6 +25,12 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
            file://CVE-2020-24977.patch \
            "

+# Changes are already present in source-code, hence whitelisted.
+CVE_CHECK_WHITELIST += "\
+    CVE-2016-9596 \
+    CVE-2016-9598 \
+"
+
 SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
 SRC_URI[libtar.sha256sum] = "aafee193ffb8fe0c82d4afef6ef91972cbaf5feea100edc2f262750611b4be1f"
 SRC_URI[testtar.md5sum] = "ae3d1ebe000a3972afa104ca7f0e1b4a"
--
2.7.4

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

[poky][master][PATCH] libxml2: Whitelisted CVE patches

[saloni]

From: Saloni Jain <Saloni.Jain@kpit.com>

Below CVE patches are whitelisted as changes
are already present in source code:
1.CVE-2016-9596 (Duplicate of CVE-2016-3627)
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1408302
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1319829

2.CVE-2016-9598 (Duplicate of CVE-2016-4483)
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1408306
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1332820

Signed-off-by: Saloni.Jain <Saloni.Jain@kpit.com>
---
 meta/recipes-core/libxml/libxml2_2.9.10.bb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
index 90890ff..4950beb 100644
--- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
+++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
@@ -24,6 +24,11 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
            file://CVE-2019-20388.patch \
            file://CVE-2020-24977.patch \
            "
+#Changes are already present in source-code, hence whitelisted.
+CVE_CHECK_WHITELIST += "\
+    CVE-2016-9596 \
+    CVE-2016-9598 \
+"

 SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
 SRC_URI[libtar.sha256sum] = "aafee193ffb8fe0c82d4afef6ef91972cbaf5feea100edc2f262750611b4be1f"
--
2.7.4

This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.

Re: [poky][master][PATCH] libxml2: Whitelisted CVE patches

[Khem Raj]

Thanks for quick response, this version looks good.

On Wed, Oct 28, 2020 at 10:41 AM Saloni.Jain <Saloni.Jain@kpit.com> wrote:
>
> From: Saloni Jain <Saloni.Jain@kpit.com>
>
> Below CVE patches are whitelisted as changes
> are already present in source code:
> 1.CVE-2016-9596 (Duplicate of CVE-2016-3627)
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=1408302
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=1319829
>
> 2.CVE-2016-9598 (Duplicate of CVE-2016-4483)
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=1408306
> Link: https://bugzilla.redhat.com/show_bug.cgi?id=1332820
>
> Signed-off-by: Saloni.Jain <Saloni.Jain@kpit.com>
> ---
>  meta/recipes-core/libxml/libxml2_2.9.10.bb | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/meta/recipes-core/libxml/libxml2_2.9.10.bb b/meta/recipes-core/libxml/libxml2_2.9.10.bb
> index 90890ff..4950beb 100644
> --- a/meta/recipes-core/libxml/libxml2_2.9.10.bb
> +++ b/meta/recipes-core/libxml/libxml2_2.9.10.bb
> @@ -24,6 +24,11 @@ SRC_URI = "http://www.xmlsoft.org/sources/libxml2-${PV}.tar.gz;name=libtar \
>             file://CVE-2019-20388.patch \
>             file://CVE-2020-24977.patch \
>             "
> +#Changes are already present in source-code, hence whitelisted.
> +CVE_CHECK_WHITELIST += "\
> +    CVE-2016-9596 \
> +    CVE-2016-9598 \
> +"
>
>  SRC_URI[libtar.md5sum] = "10942a1dc23137a8aa07f0639cbfece5"
>  SRC_URI[libtar.sha256sum] = "aafee193ffb8fe0c82d4afef6ef91972cbaf5feea100edc2f262750611b4be1f"
> --
> 2.7.4
>
> This message contains information that may be privileged or confidential and is the property of the KPIT Technologies Ltd. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. KPIT Technologies Ltd. does not accept any liability for virus infected mails.